Mandatory Patching of Serious Vulnerabilities in Government Systems

Photo by Mati Mango on Pexels.com

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for building national capacity to defend American infrastructure and cybersecurity assets. In the past year it has been tasked with receiving information about American government agencies’ progress (or lack thereof) in implementing elements of Executive Order 14028: Improving the Nation’s Cybersecurity, and has been involved in responses to a number of events, including SolarWinds, the Colonial Pipeline ransomware attack, and others. The Executive Order required that CISA first collect a large volume of information from government agencies and vendors alike to assess the threats to government infrastructure and, subsequently, provide guidance concerning cloud services, track the adoption of multi-factor authentication and seek ways of facilitating its implementation, establish a framework to respond to security incidents, enhance CISA’s threat hunting abilities in government networks, and more.1

Today, CISA promulgated a binding operational directive that will require American government agencies to adopt more aggressive patch tempos for vulnerabilities. In addition to requiring agencies to develop formal policies for remediating vulnerabilities, it establishes remediation deadlines keyed to the year a CVE ID was assigned: vulnerabilities whose CVE ID was assigned before 2021 must be remediated within six months of being added to the catalogue, and those assigned a CVE ID in 2021 or later within two weeks. The vulnerabilities to be patched/remediated, each with its due date, are listed in CISA’s “Known Exploited Vulnerabilities Catalogue.”

It’s notable that while patching is obviously preferred, the CISA directive doesn’t mandate patching as such; it mandates that ‘remediation’ take place.2 As such, organizations may be authorized to deploy defensive measures that prevent the vulnerability from being exploited (or to remove the affected asset from the network) without actually patching the underlying vulnerability, so as to avoid a patch having unintended consequences for either the application in question or for other applications/services that currently rely on either outdated or bespoke programming interfaces. The practical caveat is that a mitigation has to be tracked just as carefully as a missing patch: the deadline is met only if the compensating control is in place on every affected asset before the catalogue’s due date.
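The following is an added example, not part of the original post and not CISA’s own tooling, of how an agency might operationalize the catalogue’s deadlines and the remediation-versus-patching distinction discussed above. It assumes the field names of the public KEV JSON feed (cveID, dateAdded, dueDate, requiredAction); the catalogue entries, CVE numbers and asset inventory are constructed placeholders, and treating a recorded ‘mitigated’ status as satisfying the deadline is an assumption that reflects the directive’s ‘remediation’ wording rather than anything the feed itself encodes.

```python
"""Flag inventory items that are past their KEV remediation deadline."""
import calendar
import json
from datetime import date, timedelta

# Constructed sample in the shape of the public KEV JSON feed; the CVE
# numbers are placeholders, not real catalogue entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-99991", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-99992", "dateAdded": "2021-11-03",
     "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    # No explicit dueDate: derived below from the directive's 2021 cut-off.
    {"cveID": "CVE-2021-99993", "dateAdded": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: (asset, CVE, status). "mitigated" records a
# compensating control applied instead of a patch; by assumption it counts
# as remediation, as "patched" does.
INVENTORY = [
    ("web-01", "CVE-2019-99991", "open"),
    ("web-02", "CVE-2019-99991", "mitigated"),
    ("vpn-01", "CVE-2021-99992", "open"),
    ("vpn-02", "CVE-2021-99992", "patched"),
    ("db-01", "CVE-2021-99993", "open"),
]

REMEDIATED = {"patched", "mitigated"}


def add_months(d, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    month0 = d.month - 1 + months
    year = d.year + month0 // 12
    month = month0 % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def cve_year(cve_id):
    """Year portion of a CVE ID, e.g. CVE-2021-99992 -> 2021."""
    return int(cve_id.split("-")[1])


def due_date(entry):
    """Explicit dueDate wins; otherwise apply the directive's year cut-off:
    CVEs assigned before 2021 get six months from dateAdded, later ones two weeks."""
    added = date.fromisoformat(entry["dateAdded"])
    if entry.get("dueDate"):
        return date.fromisoformat(entry["dueDate"])
    if cve_year(entry["cveID"]) < 2021:
        return add_months(added, 6)
    return added + timedelta(days=14)


def overdue(kev_json, inventory, today_iso):
    """Return inventory rows that are past their KEV due date and not
    remediated, worst (most days late) first. A row due today is not late."""
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)["vulnerabilities"]
    due_by_cve = {e["cveID"]: due_date(e) for e in catalog}
    late = []
    for asset, cve, status in inventory:
        due = due_by_cve.get(cve)
        if due is None or status in REMEDIATED or today <= due:
            continue
        late.append({"asset": asset, "cve": cve, "due": due.isoformat(),
                     "days_late": (today - due).days})
    return sorted(late, key=lambda r: r["days_late"], reverse=True)


if __name__ == "__main__":
    for row in overdue(KEV_SAMPLE, INVENTORY, "2021-12-01"):
        print(row)
```

Run against the sample with a report date of 2021-12-01, only vpn-01 is reported: web-01 is still inside its six-month window, web-02 and vpn-02 are remediated (one by mitigation, one by patch), and db-01’s derived due date falls on the report date itself. The point of keeping ‘mitigated’ as a distinct status rather than folding it into ‘patched’ is that the underlying vulnerability is still present and should be revisited once a safe patch exists.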

In the Canadian context, there aren’t equivalent levels of requirements that can be placed on Canadian federal departments. While Shared Services Canada can strongly encourage departments to patch, the Treasury Board Secretariat has published a “Patch Management Guidance” document, and the Canadian Centre for Cyber Security has a suggested patch deployment schedule,3 final decisions still rest with individual departments, through their respective deputy ministers, under the Financial Administration Act.

The Biden administration is moving quickly to accelerate its ability to identify and remediate vulnerabilities while simultaneously letting its threat intelligence staff track adversaries in American networks. That last element is less of an issue in the Canadian context, but the first two, identifying and remediating vulnerabilities, remain pressing and serious challenges.

While it’s positive to see the Americans moving quickly to improve their security posture, I can only hope that the Canadian federal, and provincial, governments similarly clear long-standing logjams that delegate security decisions to parties who may be ill-suited to make optimal decisions, either out of ignorance or because patching systems is seen as secondary to fulfilling a given department’s primary service mandate.


  1. For a discussion of the Executive Order, see: “Initial Thoughts on Biden’s Executive Order on Improving the Nation’s Cybersecurity” or “Everything You Need to Know About the New Executive Order on Cybersecurity.” ↩︎
  2. For more, see CISA’s “Vulnerability Remediation Requirements“. ↩︎
  3. “CCCS’s deployment schedule only suggests timelines for deployment. In actuality, an organization should take into consideration risk tolerance and exposure to a given vulnerability and associated attack vector(s) as part of a risk‑based approach to patching, while also fully considering their individual threat profile. Patch management tools continue to improve the efficiency of the process and enable organizations to hasten the deployment schedule.” Source: “Patch Management Guidance” ↩︎

The Roundup for December 1-31, 2019 Edition

Alone Amongst Ghosts by Christopher Parsons

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


This month’s update is late, accounting for holidays and my generally re-thinking how to move forward (or not) with these kinds of posts. I find them really valuable, but the actual interface of using my current client (Ulysses) to draft elements of them is less than optimal. So expect some sort of changes as I muddle through how to improve workflow and/or consider the kinds of content that make the most sense to post.


Inspiring Quotation

Be intensely yourself. Don’t try to be outstanding; don’t try to be a success; don’t try to do pictures for others to look at—just please yourself.

  • Ralph Steiner

Great Photography Shots

Natalia Elena Massi’s photographs of Venice, flooded, are exquisite insofar as they are objectively well shot while, simultaneously, reminding us of the consequences of climate change. I dream of going to Venice to shoot photos at some point and her work only further inspires those dreams.

Music I’m Digging

I spent a lot of the month listening to my ‘Best of 2019’ playlist, and so my Songs I Liked in December playlist is a tad threadbare. That said, it’s more diverse in genre and styles than most monthly lists, though not a lot of the tracks made the grade to get onto my best of 2019 list.

  • Beck-Guero // I spent a lot of time re-listening to Beck’s corpus throughout December. I discovered that I really like his music: it’s moody, excitable, and catchy, and always evolving from album to album.
  • Little V.-Spoiler (Cyberpunk 2077) (Single) // Cyberpunk 2077 is one of the most hyped video games for 2020, and if all of the music is as solid and genre-fitting as this track, then the ambiance for the game is going to be absolutely stellar.

Neat Podcast Episodes

  • 99% Invisible-Raccoon Resistance // As a Torontonian I’m legally obligated to share this. Raccoons are a big part of the city’s identity, and in recent years new organic garbage containers were (literally) rolled out that were designed such that raccoons couldn’t get into them. Except that some raccoons could! The good news is that raccoons are not ‘social learners’ and, thus, those who can open the bins are unlikely to teach all the others. But with the sheer number of trash pandas in the city it’s almost a certainty that a number of them will naturally be smart enough and, thus, garbage will continue to litter our sidewalks and laneways.

Good Reads

  • America’s Dark History of Killing Its Own Troops With Cluster Munitions // Ismay’s longform piece on cluster munitions is not a happy article, nor does the reader leave with a sense that this deadly weapon is likely to be used less. His writing–and especially the tragedies associated with the use of these weapons–is poignant and painful. And yet it’s also critically important to read given the barbarity of cluster munitions and their deadly consequences for friends, foes, and civilians alike. No civilized nation should use these weapons, and all that do use them cannot claim to respect the lives of civilians stuck in conflict situations.
  • Project DREAD: White House Veterans Helped Gulf Monarchy Build Secret Surveillance Unit // The failure or unwillingness of the principals, their deputies, or staff to acknowledge they created a surveillance system that has systematically been used to hunt down illegitimate targets—human rights defenders, civil society advocates, and the like—is disgusting. What’s worse is that democratizing these surveillance capabilities and justifying the means by which the program was orchestrated almost guarantees that American signals intelligence employees will continue to spread American surveillance know-how to the detriment of the world for a pay check, the consequences be damned (if even ever considered in the first place).
  • The War That Continues to Shape Russia, 25 Years Later // The combination of the (re)telling of the first Russia-Chechen War and photographs from the conflict serve as reminders of what it looks like when well-armed nation-states engage in fullscale destruction, the human costs, and the lingering political consequences of wars-now-past.
  • A New Kind of Spy: How China obtains American technological secrets // Bhattacharjee’s 2014 article on Chinese spying continues to strike me as memorable, and helpful in understanding how the Chinese government recruits agents to facilitate its technological objectives. Reading the piece helps to humanize why Chinese-Americans may spy for the Chinese government and, also, the breadth and significance of such activities for advancing China’s interests to the detriment of America’s own.
  • Below the Asphalt Lies the Beach: There is still much to learn from the radical legacy of critical theory // Benhabib’s essay showcasing how the history of European political philosophy over the past 60 years or so is in the common service of critique, and the role(s) of Habermasian political theory in both taking account of such critique whilst offering thoughts on how to proceed in a world of imperfect praxis, is an exciting consideration of political philosophy today. She mounts a considered defense of Habermas against, in particular, the claims that his work is overly Eurocentric. Her drawing a line between the need to seek emancipation while standing to confront and overcome the xenophobia, authoritarianism, and racism that is sweeping the world writ large is deeply grounded in the need for subjects like human rights to orient and ground critique. While some may oppose such universalism on the same grounds as they would reject the Habermasian project, there is a danger: in doing so, not only might we do a disservice to the intellectual depth that undergirds the concept of human rights but, also, we run the risk of losing the core means by which we can (re)orient the world towards enabling the conditions of freedom itself.
  • Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai // This very curious article explores the recent problem of ships’ GPS transponders being significantly affected while transiting the Yangtze in China. Specifically, transponders are routinely misplacing the location of ships, sometimes with dangerous and serious implications. The cause, however, remains unknown: it could be a major step up in the (effective) electronic warfare capabilities of sand thieves who illegally dredge the river, and who seek to escape undetected, or it could be the Chinese government itself testing electronic warfare capabilities on the shipping lane in preparation for potentially deploying them elsewhere in the region. Either way, threats such as this to critical infrastructure pose serious risks to safe navigation and, also, show the potential for largely civilian infrastructures to be targeted by nation-state adversaries.
  • A Date I Still Think About // These beautiful stories of memorable and special dates speak to just how much joy exists in the world, and how it unexpectedly erupts into our lives. In an increasingly dark time, stories like this are a kind of nourishment for the soul.

Cool Things

  • The Deep Sea // This interactive website that showcases the sea life we know exists, and the depths at which it lives, is simple and spectacular.
  • 100 Great Works Of Dystopian Fiction // A pretty terrific listing of books that have defined the genre.