There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities.
And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!
Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20-days!
Additionally, China’s database has thousands of vulnerabilities identified that don’t appear in the U.S. version.
Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them.
Why the lag and disparity in reporting between their systems and ours?
China uses a “wider variety of sources and methods” for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources — hence, it’s a “trade-off between speed and accuracy.”
The Department of Commerce’s National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).
And the NCD is built off of a “catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp.”
Unfortunately, when it comes to cybersecurity, speed is critical.
If we don’t do vastly better, we can be cyber “dead right” before we even get the information that we were vulnerable and wrong in our cyber posture to begin with. ;-)
(Source Photo: Andy Blumenthal)