The Department of Defense’s (DoD) Vulnerability Disclosure Program (VDP) is turning to artificial intelligence (AI) and machine learning tech to streamline vulnerability assessments and improve cyber defense across the defense industrial base (DIB).
Melissa Vice, VDP director at the DoD Cyber Crime Center (DC3), offered insights during a May 22 Nextgov/FCW and Route Fifty webinar into how the program is scaling its operations efficiently while addressing the growing volume of software flaws and configuration issues that put systems at risk.
Launched in June of last year, the VDP is designed to help secure the vast network of nearly 300,000 DIB companies by working directly with system owners to identify and address vulnerabilities efficiently.
“We could use some AI and now machine learning to enable the onboarding of these organizations and be able to become very scalable for a lower amount of investment,” Vice explained.
She added that AI and machine learning help automate repetitive tasks and streamline the onboarding and vulnerability assessment processes – freeing up skilled human resources to focus on more complex and critical cybersecurity functions.
Vice particularly pointed to “Narrow AI,” which she said is proving useful in areas “where there will still be a human in the loop somewhere,” especially in sensitive or military-specific contexts.
Vice underlined that many vulnerabilities stem not just from flaws in software, but from misconfigurations – how the software is installed and interacts with other systems.
“I don’t think we’ve gotten to the point where we’re just saying: “Go through this [AI tool], and done,” Vice said. “We’re still allowing a stop point where a human is there, saying, ‘Does this make sense? Okay, yeah, go get it. Go for it.’ But it does allow for a lot of rapid processing information that otherwise would slow down and require multiple interfaces with a lot of different people.”
Vice also emphasized the need to address all types of vulnerabilities, and warned against the common practice of focusing only on high and critical ones.
“Folks tend to think that they only need to look at the critical … But what we’ve seen over the years is that adversaries are crafty. They’re very clever, and they will daisy chain some of those low level findings together to pull them up to a critical and high so you can’t just focus on the big ticket, hot items,” Vice warned.
She emphasized that by ignoring medium and low-level vulnerabilities, organizations may inadvertently leave open doors for sophisticated attackers, who often exploit these seemingly minor issues in combination to gain unauthorized access or cause significant damage.