The US CISA has swiftly reversed course on a planned overhaul of its public cybersecurity advisory system, just days after its initial announcement sparked significant concern within the infosec community. The agency’s proposal to discontinue standard updates on its “Cybersecurity Alerts & Advisories” webpage in favor of email and social media distribution met with immediate pushback from security professionals and operational stakeholders, forcing a rapid reassessment.
On Tuesday, May 13th, CISA declared its intention to centralize routine updates through its email subscription service and X handle, @CISACyber. The agency positioned this shift as a strategic move to prioritize urgent alerts and declutter the information landscape for defenders. However, this rationale failed to assuage the anxieties of many who rely on CISA’s publicly accessible resources.
“We have paused immediate changes while we reassess the best approach to sharing with our stakeholders,” CISA stated, acknowledging the confusion and apprehension the announcement had generated.
While the timeline for any revised communication strategy remains unclear, this episode has ignited a crucial debate surrounding transparency and the accessibility of vital threat intelligence within the cybersecurity ecosystem.
A central pillar of threat intelligence under threat?
Historically, CISA’s public advisories have functioned as a neutral and vital repository for information concerning critical vulnerabilities and active threats. The agency’s Known Exploited Vulnerabilities (KEV) catalog, launched in 2021, quickly became an indispensable tool for security teams worldwide, enabling them to track and prioritize remediation efforts for actively exploited weaknesses. The availability of this data through easily integrable formats like RSS feeds and GitHub repositories streamlined automation within security operations centers.
The now-paused changes threatened to disrupt or diminish several key services, including:
- Web-based alerts and advisories: The central webpage serves as a single point of reference for the latest security guidance.
- Automated ingestion pipelines: Many organizations have built automated workflows that rely on the consistent availability of data from CISA’s advisory page.
- KEV JSON, CSV and RSS feeds: These formats are crucial for automated ingestion of vulnerability data into security tools.
- Public GitHub repositories: These provide a transparent and accessible platform for tracking and analyzing threat information.
Concerns swiftly emerged that restricting access to this information behind email subscriptions and social media platforms could severely impede visibility, particularly for smaller organizations and teams lacking dedicated threat intelligence resources. Security analysts also voiced worries that an increased reliance on social media could complicate the archiving, parsing, and automated processing of critical threat data.
Echoes of past procurement issues
This incident arrives on the heels of another significant development involving CISA: the abrupt cancellation of a $2.4 billion cybersecurity procurement. The agency withdrew its offer to government contractor Leidos for the “Agile Cybersecurity Technical Solutions” (ACTS) program, intended to modernize the “Einstein” intrusion detection and prevention system.
In a filing with the U.S. Court of Federal Claims, CISA stated that its “requirements with respect to its IT and cybersecurity service needs have significantly changed in light of organizational changes and changes in priorities.” This decision came after a protest filed by Leidos’ competitor, Nightwing, alleging a flawed evaluation process.
The Einstein system, while a long-standing component of US federal cybersecurity, has faced criticism regarding its effectiveness. A 2016 Government Accountability Office analysis indicated that the system was “partially, but not fully, meeting its stated systems objectives.” CISA had planned to supplement Einstein with a more contemporary “Cyber Analytics and Data System,” incorporating a “Joint Collaboration Environment.”
The cancellation of the ACTS procurement and the subsequent backtracking on the advisory system overhaul raise questions about CISA’s strategic direction and communication efficacy. For financial institutions in the UK and US, which are increasingly targeted by sophisticated cyber threats, timely and easily accessible threat intelligence is paramount. Any move that could potentially hinder the flow of such information is a cause for concern.
Implications for the financial sector
The financial services industry is a prime target for cybercriminals, facing constant threats ranging from ransomware attacks to sophisticated phishing campaigns and supply chain compromises. Access to timely and reliable threat intelligence, such as that provided by CISA’s KEV catalog, is crucial for:
- Vulnerability Management: Prioritizing the patching of actively exploited vulnerabilities significantly reduces the attack surface.
- Threat Detection and Response: Understanding prevalent attack vectors and exploited weaknesses enhances the ability to detect and respond to incidents.
- Risk Assessment: Incorporating threat intelligence into risk assessments allows financial institutions to make informed decisions about security investments and mitigation strategies.
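The automated ingestion the article describes (the KEV JSON feed feeding a vulnerability-management pipeline, as discussed in the section on threatened services and in the list above) is shown here as an added example; it is not code from the article or from CISA. The JSON field names are assumed from the publicly documented KEV schema, which the article does not reproduce, and every CVE identifier, vendor, product, host name and date is constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# publicly documented schema (an assumption; the article does not list them), and
# every CVE id, vendor, product and date is invented for illustration.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.05.13", "dateReleased": "2025-05-13T00:00:00.0000Z", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Portal",
         "dateAdded": "2025-05-10", "dueDate": "2025-05-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Switch",
         "dateAdded": "2025-04-01", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: (vendor, product) -> hosts running that product.
SAMPLE_INVENTORY = {
    ("ExampleVendor", "Gateway"): ["gw-01", "gw-02"],
    ("OtherVendor", "Switch"): ["sw-core"],
}

def prioritize_kev(kev_json, inventory, today_iso):
    """Return the KEV entries that affect our inventory, most urgent first.

    Order: already-overdue entries, then entries with known ransomware use, then
    earliest due date. days_left is negative once the due date has passed.
    """
    catalog = json.loads(kev_json)
    if catalog.get("count") != len(catalog["vulnerabilities"]):
        raise ValueError("KEV feed looks truncated: count does not match entries")
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in catalog["vulnerabilities"]:
        hosts = inventory.get((entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # actively exploited, but nothing we run is affected
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        hits.append({"cve": entry["cveID"], "hosts": hosts, "days_left": days_left,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    hits.sort(key=lambda h: (h["days_left"] >= 0, not h["ransomware"], h["days_left"]))
    return hits

if __name__ == "__main__":
    for hit in prioritize_kev(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-05-14"):
        print(hit)
```

The count check is the kind of sanity test a pipeline needs when a feed's delivery channel changes: a partially fetched or reformatted catalog should fail loudly rather than silently shrink the patch list.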
The potential disruption to established channels of information dissemination from a key agency like CISA could have tangible negative consequences for financial institutions’ security posture. While email subscriptions and social media can play a role in communication, they may not offer the same level of reliability, accessibility, and ease of integration into existing security workflows as dedicated webpages and data feeds.
Moving forward
As CISA re-evaluates its approach, it is crucial that the agency prioritizes the needs of the cybersecurity community, particularly those in critical sectors like finance. Transparency regarding the rationale behind proposed changes and open communication with stakeholders are essential to maintain trust and ensure the effective dissemination of vital threat intelligence.
The incident serves as a potent reminder of the importance of accessible and reliable sources of cybersecurity information. For financial institutions in the UK and US, staying informed about evolving threats and vulnerabilities is a continuous battle. They rely on timely and easily digestible intelligence to protect their assets and customers. CISA’s next steps in refining its communication strategy will be closely watched by the global cybersecurity community, with the hope that a more transparent and user-centric approach will prevail.