19 June 2012
According to press reports, DHS is going to require federal computer contractors to scan for holes and start patching them within 72 hours. Is this feasible?
It's certainly a useful goal. It's also extremely likely that it will take some important sites or applications off the air on occasion — patches are sometimes buggy (this is just the latest instance I've noticed), or they break a (typically non-guaranteeed or even accidental) feature that some critical software depends on. Just look at the continued usage rate for Internet Explorer 6 — there are very valid reasons why it hasn't been abandoned, despite its serious deficits of functionality, standards compatibility, and security: internal corporate web sites were built to support it rather than anything else.
In other words, deciding to adopt this policy is equivalent to saying "protecting confidentiality and integrity is more important than availability". That's a perfectly valid tradeoff, and very often the right one, but it is a tradeoff, and the policy should recognize it explicitly. I imagine that there will be a waiver process (and the headline says "begin fixing" holes), but the story doesn't say — and of course, if there are too many waivers the policy is meaningless.
One more point: sometimes, hardware upgrades are required. For example, Windows XP support ends in 2014; security bugs past that point require switching to something more modern. Most older computers can't support Windows Vista or Windows 7 — will the agencies have enough budget to do that?
Oh yes: this problem of long-delayed patch installation isn't peculiar to the government. After all, the private sector is at least as far behind when it comes to, say, getting rid of IE 6. Again, there are reasons for such things to take a while, but that doesn't mean they should be allowed to drag on indefinitely.