Homeland Security officials gave assurances on May 15 that federal information technology systems have not been compromised by a massive cyberattack sweeping the globe.

But Sen. Mark Warner, D-Va., is asking the Office of Management and Budget to clarify what steps have been taken to guard against the WannaCry ransomware attacks, which crippled the United Kingdom's National Health Service and have affected computers in 150 countries so far.

Warner, vice chairman of the Senate Select Committee on Intelligence, sent a May 15 letter to OMB Director Mick Mulvaney and Secretary of Homeland Security John Kelly, requesting information on what steps the agencies have taken to secure and patch vulnerabilities in agency and contractor IT systems.

"While appropriate policy responses will depend on a fuller accounting of this outbreak’s attribution, an inescapable conclusion is that we must immediately address the insecurities embedded in commercial software," Warner said in the letter.

"As you know, Microsoft issued a security update to remediate this vulnerability two months ago. Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however."

The WannaCry ransomware outbreak originated in Europe on Friday and has affected 300,000 computers across the world, but White House homeland security adviser Tom Bossert told reporters on May 15 that only a few businesses in the U.S. were impacted by the attack.

But Warner noted that a 2016 Government Accountability Office report outlined that some agencies had not developed effective software patch management strategies, leaving them vulnerable to these kinds of malware attacks.

"For example, for one system at one agency, 34 critical patches were missing for the three servers and four workstations tested," the report said. "One of the missing server patches was initially released in May 2012, and one of the missing workstation patches (occurring on 3 of the 4 servers) was released in April 2011."

Warner requested that OMB and DHS provide information on the following by May 29:

  • What steps did you take to ensure that the critical security update issued for the Microsoft Windows SMB vulnerability was implemented on all federal information systems?
  • As you know, [Federal Information Security Management Act] requires agencies to ensure security for information and systems maintained by or on behalf of agencies by contractors. What steps have you taken to ensure that the critical security update was implemented by relevant federal contractors?
  • To the extent that any federal information systems continue to use end-of-life software, including operating systems, have your agencies ensured that patches available for those products have been implemented?
  • Has DHS worked with private sector critical infrastructure providers to assess the threat of the WannaCry ransomware (in its current form, and anticipating potential variants) posed to sensitive, life-critical, and/or critical systems?

Modernizing the government’s IT has been a hot-button topic for both Congress and the White House, which have backed legislation and executive branch action to upgrade systems against cyberattacks.
