NSA Headquarters at Night (Trevor Paglen)


ALBUQUERQUE: In an advisory issued Tuesday, the National Security Agency warned companies that 25 already known vulnerabilities are being actively exploited by state-sponsored intelligence services, including China’s, and should be patched as soon as possible. The announcement highlights a fundamental limitation of the NSA’s ability to effectively protect the vast array of commercial and industrial internet infrastructure.

The NSA can lead companies to patch vulnerabilities, but it cannot actually make those companies install the patches.

“While these [Common Vulnerabilities and Exposures] are already publicly known,” reads the warning, which goes on to say that the NSA is specifically sharing knowledge that these pathways into networks are being actively exploited, specifically by “Chinese state-sponsored malicious cyber actors.” The message is an unsubtle reminder for the Pentagon, and the industry on which it depends, to make sure their systems are in fact protected against these threats.

“If you’ve got an active, mature vulnerability management program, you’ve probably mediated these issues — [but] that’s a very small minority in my experience,” said Eric Noonan, CEO of security firm CyberSheath. Noonan noted that, in particular, the network security of defense contractors can lag behind that of more commercial companies. “So,” he warned, “while the vulnerabilities were known knowns, I wouldn’t be surprised if many companies hadn’t already addressed them.”

The listed vulnerabilities include some made public as recently as August 2020 and others first publicized in April 2015. They include software written by Adobe, Microsoft, Oracle, and others. The exploits generally rely on weak or absent security in novel entry points to bypass existing security, and give intruders network access, which in turn can be used to bypass other, more secure systems.

“I’m glad that the NSA has issued this. Publishing this report reinforces the work that companies need to do to secure their intellectual property, and pushes them to make the patches and maintenance they need to do,” said Chloé Messdaghi, VP of Strategy for Point3 Security.

The government’s interest in protecting industry from hostile cyber intrusion is further reinforced by the new National Strategy for Critical and Emerging Technologies, published October 15. To protect a technology advantage, the second “pillar” of the strategy says the US must “Ensure that competitors do not use illicit means to acquire United States intellectual property, research, development, or technologies.”

“Many CISOs are resource starved or exhausted that their organization isn’t putting security first – because organizations are putting more dollars into Sales & Marketing instead,” said Messdaghi. “But the reality is there’s no private sector products or public services that are reliable if the environment isn’t secure.”

The NSA cannot mandate patching on its own, but the rules of the Defense Department’s new Cybersecurity Maturity Model Certification (CMMC) mean that the Pentagon could impose penalties on companies in its supply chain that fail to adequately protect their own networks.

“I would call the NSA’s approach the carrot: there’s guidance and we think you should do this. [With CMMC,] DoD has really transitioned to a stick approach. You will not do business with the Department of Defense if you do not meet cybersecurity minimums,” said Noonan. “Literally, you will not be eligible for a contract award from DoD if you haven’t met these minimums, which is very different from the self-certification model that’s been in place prior to this.”

For the defense industrial base, at least, this kind of pressure can add a dollar figure to the cost of not doing security. That could change cybersecurity compliance from a nice-to-have feature companies want but don’t prioritize, to one they simply must adopt if they are going to stay competitive for contracts.