Heartbleed, a serious and historic programming flaw in OpenSSL, left federal officials stalled on legal details and many federal computing systems “vulnerable for several days longer than necessary“, according to a recent article published on the Federal News Radio website. This delay was not caused by federal technologists inability to fix the issue, according to the report, but the lack of clarity to determine if their team had “the legal authority” to proceed.
The article indicates that because of Heartbleed’s impact and estimations that it would “affect up to two-thirds of all Web servers“, technology and security professionals around the globe, including those in federal government agencies, “scrambled in the hours after to determine whether their systems were subject to the flaw and to patch them if necessary.”
According to the report, unlike the private sector, the federal government must follow specific protocol before acting so quickly. Unfortunately, inside the walls of the federal government, this action is not so easily initiated.
As the article states, the Department of Homeland Security (DHS)- responsible for “protecting civilian agency IT systems” does not automatically possess the “clear legal authority to scan other agencies’ networks, even though it had the technical ability to do so.” Phyllis Schneck, Deputy Undersecretary for Cybersecurity at DHS, reported to the Senate Appropriations Committee this week stating, “So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases“, according to her quote in the article. The article continued to quote Schneck by noting, “The whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster.”
Read more in the full article how the response to the Heartbleed flaw played out behind the walls of the federal government and how the Department of Homeland Security aims to deal with situations like these that may come again in the future.