The US government has just reduced the official critical vulnerability remediation timeline from 30 days after a report has been issued to 15 days after detection, according to the freshly published DHS BOD 19-02.

This announcement is significant not least of all because I don’t have to explain why a 30 day response timeline to critical vulnerabilities exists on the Internet. “It’s an outlier because government” only goes so far. Wonderful to see the change, even though it’s still far from the 24 hour turnaround expected in commercial space.

Lawfare has posted a short analysis of why airstrikes to destroy a “cyber operations” facility are nothing new or special. To be precise, the analysis offers the reader two options:

Either the news is “descriptively true, but it is uninteresting” or “interesting if true, but it is not true”.

Spoiler alert…the author argues it’s the former, and therefore uninteresting.

It’s an excellent read, and the sentence that really stood out to me was characterizing a targeted facility as “civilian members of organized armed groups who have a continuous combat function“.