Sen. Mark Warner, D-Va., wrote to federal officials this week asking for details about how agencies patched their systems to protect against the WannaCry ransomware.
Thomas Bossert, White House homeland security adviser, told reporters during the daily briefing Monday that no federal systems had been infected, but Warner noted in his letter that despite a National Institute of Standards and Technology recommendation that security-related software updates “be installed within a defined timeframe (in many cases seven to 30 days for critical patches),” the Government Accountability Office last year found “numerous instances where agencies failed to comply with those deadlines.”
The ransomware was able to spread quickly by targeting flaws in older versions of Windows, like XP and Windows 2008, to encrypt a computer and hold it ransom for $300.
In the letter, released Monday afternoon, the Virginia senator asks Homeland Security Secretary John Kelly and Office of Management and Budget Director Mick Mulvaney what steps they took to ensure that the patch Microsoft issued in March against was promptly applied to computer networks of federal agencies and their contractors.
Shaun Waterman has more about Warner’s letter and the potential threat to federal systems on CyberScoop.