CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats
With new generations of AI models fueling both rapid software vulnerability discovery and the potential for faster exploitation by malicious hackers, the United States Cybersecurity and Infrastructure Security Agency released a new directive on Wednesday that requires more rapid and efficient software patching by federal civilian agencies. The “binding operational directive” (BOD) lays out a rubric for how quickly bugs must be fixed based on four assessments of urgency, with a turnaround time in critical cases of just three days.
Chris Butera, CISA’s acting executive assistant director for cybersecurity, told reporters on Wednesday that the goal of the directive is to help agencies prioritize, so they can address the most problematic vulnerabilities first while taking more time to remediate bugs that pose a less-pressing risk. The directive comes as private companies and governments have been scrambling to assess the extent of the cybersecurity reckoning that AI vulnerability and exploit development capabilities could unleash.
“Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in [federal] assets,” Butera said on Wednesday. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.”
The CISA directive’s criteria for evaluating patch urgency includes looking at whether a vulnerability is in a system that is publicly exposed, whether the bug is listed in CISA’s Known Exploited Vulnerabilities Catalog, whether an attacker could automate all of the steps to exploit the vulnerability, and how much access an attacker would get to the target if the bug were exploited. A vulnerability where all four points apply must be fixed within three days, according to the new directive, and the agency must also execute a “forensic triage” process to determine whether systems have already been compromised.
The directive supersedes two previous CISA orders related to patching timelines for urgent vulnerabilities—one from 2019 and one from 2021. Those established a framework in which the most critical bugs had to be patched within 15 days of detection and another class of high-urgency vulnerability had to be remediated within 30 days. And both encouraged faster patching for severe flaws when possible. Even before the AI era, in 2021, CISA wrote that “threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited [vulnerabilities], 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.”
US federal cybersecurity has improved significantly over the past decade, but it still often lags, thanks to funding shortfalls and competing priorities. CISA’s Butera said that the agency developed the new assessment rubric and the directive more broadly with these limitations in mind. He noted, for example, that the three-day deadline for the most urgent vulnerabilities isn’t, say, 24 hours, because such a short timeframe would not be feasible for most agencies.
New AI capabilities are already changing the landscape of vulnerability detection and bug hunting. And as this spurs new urgency in patching, many researchers have started to conclude, essentially, that no amount of patching will be enough—and that the software development community globally must work to adopt new, architectural or systemic approaches to invalidating whole classes of vulnerabilities at a time.
“CISA’s directive has its heart in the right place, but it only tackles half the challenge,” says Emily Long, CEO of the cloud security firm Edera. “If your architecture doesn’t limit what an attacker can reach after a breach, you’re just running faster on the same treadmill. Patching will always be important, but we should be talking more about containment by design.”
CISA’s Butera seemed to acknowledge this evolution on Wednesday. The new directive “is an initial step to counter the increased capabilities of emerging AI models,” he says. “Yet there is still more work to do.”