Federal IT has played a critical role in sustaining delivery of essential services to citizens during the COVID-19 pandemic. As the government and the nation take the first steps toward recovery, MeriTalk is chronicling the untold stories – and lessons – of Federal IT operations during three months of pandemic. In this latest chapter of CIO Crossroads, we explore cybersecurity operations at the Cybersecurity and Infrastructure Security Agency (CISA).
Protecting Healthcare in the Storm – CIO Q&A
CISA, a component agency of the Department of Homeland Security (DHS), protects Federal civilian executive branch and U.S. critical infrastructure from physical and cyber threats. It also works closely with organizations in the 16 critical infrastructure sectors to support their priorities.
In an exclusive interview with MeriTalk, Bryan Ware, Assistant Director for Cybersecurity at CISA, reveals the agency’s massive efforts to protect the pharmaceutical, hospital, and public health agency sectors as the pandemic gathered force and slammed into the U.S. With more than 1.8 million COVID cases reported nationwide since late February, and 107,000 deaths from the virus, CISA’s focus on healthcare cyber threats was right on the mark.
The threats to the healthcare sector that CISA has uncovered are downright alarming. The agency has identified and targeted 10,000 critical vulnerabilities, taken action to block 7,000 malware domains, and worked with the Department of Health and Human Services (HHS) to take down another 10,000 fraudulent domains. CISA has notified more than 100 organizations that they are active threat targets, and offered help.
And while the world waits desperately for a COVID-19 vaccine, CISA is beating back efforts by Chinese, Russian, and Iranian government hackers to steal U.S.-based research on vaccine development. The battle is far from over, but CISA’s cyber defenders are taking every measure to make sure that the war is won.
MeriTalk: Tell us about some of your largest priorities and successes during this pandemic.
Ware: The first priority going back to February was to take everything that the Cybersecurity Directorate normally does, look at it through a different lens, and ask, “How can we use all of our assets, tools, capabilities, and knowledge to protect our nation’s COVID response from a cybersecurity perspective?”
My colleagues at CISA’s National Risk Management Center (NRMC) did some really early work that would get us through the pandemic. We then created the critical infrastructure workers guidance that all the states adopted, to determine who could go to work even when their offices were shut down.
We used that product to focus our outreach to pharmaceutical companies, hospitals, and public health agencies to offer them cyber scanning services. We’ve had those services for a while; they just hadn’t been specifically focused on COVID response. Beyond the scanning, we’ve done threat and vulnerability briefings for industry, and we’ve published products that are specific to the healthcare sector and COVID-related threats. Healthcare became our number-one focus.
Second, I’ve been focused on a strategy, which sets out where we think the world is going to be in five years and what we need to do to modernize this agency and improve our capabilities. We’ve been able to develop and communicate that strategy potentially better while working remotely than in the office – just because we’ve removed meetings and other distractions and can spend some more time on it.
Finally, we’ve kept up with the other important missions that we’re entrusted with, in particular protecting Federal networks and bolstering government cybersecurity. We haven’t stopped doing anything, but we have been able to prioritize and focus uniquely on driving long-term strategy and protecting our nation’s COVID response, while getting the core mission done.
MeriTalk: Can you provide some metrics to illustrate the success of CISA’s cybersecurity work during the pandemic?
Ware: We’re now scanning a couple hundred new IP ranges. These are Internet-connected IPs for pharmaceutical companies, hospitals, and public health agencies. We’re up to 10,000 or so critical vulnerabilities identified through Internet scans. They are serious vulnerabilities in the parts of industry that we’re particularly concerned about.
We don’t just want to scan and tell the companies about a vulnerability and write a report on it. We do those things, but we’ve also been engaging directly with those organizations to address the vulnerabilities. At this point, we’ve closed the majority of the vulnerabilities we’ve identified. This is one of the ways we’ve tailored an existing program and capability to focus on protecting our COVID response.
In addition, we work with our intelligence community (IC) and industry partners in different collaboration mechanisms. Together, we’ve been able to block several thousand malicious domains from government networks. That number is in the 7,000 range, and is expected to grow.
We’ve also worked with HHS to take down close to 10,000 fraudulent domains. These are domains focused on credential harvesting or something along those lines, using COVID as the lure. They are fraud – not malware – but still malicious.
We’ve done a number of target notifications as well. This is a refinement of existing processes where we work with our IC partners when we see an entity targeted by an adversary. We notify that targeted entity and work with them if incident response or technical assistance is needed. We’ve had well over 100 target notifications to COVID response companies in the last two months.
MeriTalk: Can you provide some general insights on increased cybersecurity threats during the pandemic, expanded attack surfaces associated with telework, and your activities to counter them?
Ware: This is a really important topic because the threat landscape has changed. It is not the same threat picture that we saw in January.
First, we’ve seen a lot of phishing and malicious websites, the same criminal activities that were always there. It’s just that the tactic has shifted to use COVID as the lure. We’ve seen a number of malware incidents originating from emails that look like they’re coming from the Director General of the World Health Organization, but it’s an impersonation. We’ve seen others claiming to offer Personal Protective Equipment (PPE).
We’ve also seen ransomware – another very typical activity. Criminal actors often use ransomware in times of crisis, because they think they’re more likely to get paid when lives are on the line. We’ve been really concerned about this from the beginning. We didn’t want to see a ransomware event in the United States that compromises healthcare. We have seen that happen in the Czech Republic and with a German company. There have been some isolated ransomware impacts on health operations in the U.S., but thankfully we haven’t seen anything significant. We’re working with our law enforcement and intelligence colleagues to do everything we can to prevent that.
Two threats are really concerning and important. One is that we’re seeing our adversaries – in particular China, Russia, and Iran – targeting our pharmaceutical labs’ research and development for COVID vaccines, antivirals, and various medical technology. It’s in China’s playbook to steal intellectual property and transfer that technology to its manufacturers and labs. They’ve been doing it for decades, but we’re now seeing a focus on vaccines.
Second, every enterprise has increased its use of cloud and teleworking products, and some of those may be hastily configured and deployed. We are seeing targeting of the home work environment with all of the threats that I just mentioned. Vulnerabilities have existed for a long time in many of the products we use to work remotely, and now those have increased the risk to the enterprise.
We published an insightful paper recently on the top 10 vulnerabilities that adversaries are exploiting. We covered two periods of time – 2017 to 2019, and 2020 so far. In 2020, we are seeing targeting of VPN vulnerabilities. We’ve been writing and talking about this for a long time, but of course VPNs are the only way that many workers can work remotely. In the Top 10 Vulnerabilities alert, we link to the specific vulnerability and how to mitigate it, so if you’re a CIO or CISO, you can take action. Also with the FBI, we have written a few publications on the way the Chinese are targeting our research institutions and pharmaceutical research.
The other major theme this year is a misconfiguration issue with Office 365 and other teleworking products that were hastily deployed. We’re not talking about Zoom bombing like we were a few weeks ago, but I think we all know that hasty deployments of tools present cybersecurity risks.
MeriTalk: Do you have any metrics on downloads of your new reports or their use within government?
Ware: We have seen the most visitors in the history of our CISA websites. We’ve seen that across the board with our COVID-related products. We’ve gotten a lot of really good community feedback on the paper about the most-exploited vulnerabilities. People have never seen a product like it. We have a unique vantage point, and we don’t always write enough about it. I think the paper tying nation-state adversaries to exploitation of existing vulnerabilities is a really useful new product.
MeriTalk: Can you talk about how CISA’s Quality Services Management Office (QSMO) works with other agencies?
Ware: QSMO will be the storefront for cybersecurity products and services for the U.S. government and potentially beyond the U.S. government. It builds on the foundation that CDM has set over many years, but it takes a different approach than having an integrator acquire, assemble, integrate, and deploy products. That model is still very important. QSMO ensures that every best-of-breed product is available to the U.S. government and that we ensure those products do what they say they do, meet government needs, and work well in our environments. The products need to work together, at least to some degree, so we get the visibility and control on the backside.
As an integrated buyer, we expect we’ll be able to drive standardization, features, and cost efficiencies by buying once instead of buying 100 times. We can be cost-reimbursable, so an agency can buy from QSMO or we can provide a QSMO service through our funding to a department or agency. We envision that every agency within the executive branch will take services from QSMO. We’ll work overtime as well to extend into state and local government agencies when and where we can do so.
MeriTalk: How does QSMO engage with the CDM program?
Ware: Right now, they’re going to run side by side. CDM is going strong. With QSMO, we’re just getting started and piloting. Assuming we are successful with our QSMO ambitions, CDM will be about the delivery of services to departments and agencies. QSMO will be the off-the-shelf marketplace. Configuration and integration is going to be a QSMO product inside of a department or agency. Some QSMO products may not require that. They may be self-serve and have a very low touch from an integration standpoint.
MeriTalk: What are your longer-term thoughts on the future requirements for agile cybersecurity as promoted by CISA?
Ware: I want us to focus on speed, embracing modern architectures and implementations, and being much more customer-service oriented. We don’t just produce a product or deliver a capability. We need to understand who our customers are, what their needs are, and if we’re meeting those needs. It means analyzing trends using our data holdings, and then working with the customers and users to ask, “Why can’t we close these vulnerabilities? Can we do a better job of delivering a product or capability to close that vulnerability?”
Month over month historically, we’re losing visibility into what’s happening on the network. We are all constrained by budgets, but we’re really constrained by a workforce. The skill sets we need are in short supply. It’s a very competitive market, and it’s hard to attract people to come to government. When we don’t have the visibility or control we need, we have a hard time upskilling and building our workforce. In the meantime, our adversaries are finding cyber means to effectively accomplish their objectives.
MeriTalk: What are your bigger-picture goals for CISA?
Ware: Strategically, we’re going to push very hard to get more visibility. We need to see where the adversary is; we need to see what the vulnerabilities are. As we get more visibility, we’re going to have to mature our use of the cloud so we can work across all that data. If we want to see the traffic as the other agencies and departments are moving to the cloud and leveraging SaaS services, we have to be there, too.
We’re not only going to be able to deliver efficiencies through cloud, but also leverage analytics, so we can scale up our services in a very analytically driven way. That way, we’re not reacting to an incident, but constantly analyzing data that’s flowing from our sensors through cloud telemetry. Based on that analysis, we’re triggering either automated actions or our analysts to hunt in an agency network to see what an adversary may be doing. We’re going to have to build that on top of cloud infrastructure. Cloud infrastructure will support our QSMO offering, too. If you think about QSMO as being a virtual storefront for cybersecurity needs, the front is where the departments and agencies come to a website and pull down the products they need, and the back end is where the data comes through those products. We want that data for that department or agency’s CISO, and also in our cloud environment so we can correlate it with data across the .gov.
MeriTalk: What is your greatest lesson learned since the pandemic began?
Ware: We’ve figured out that we can do just about all of our mission from home. That is a profound awareness – that maybe we can allow a lot more telework, and maybe we don’t need a geographically focused workforce in the National Capital Region. I’ve been blown away by how well prepared we were for teleworking as an agency. We went on a test telework day and never came back. I’ve been impressed with our workforce’s use of our technology. Also, even though a lot of our mission is done in the highest levels of classification, the vast majority of what we’re doing is unclassified and can be done from a remote office.
MeriTalk: How would you grade intergovernmental collaboration and cooperation at this time?
Ware: I’m collaborating better with my IC partners. We’re collaborating very effectively with the department and agency CIOs and CISOs. The only challenge is that our schedules are all a little wonky. Once we connect, the effectiveness of that connection is better than it was before this started.
MeriTalk: Would you like to give any shout-outs within CISA or across the Federal government?
Ware: I want to recognize and applaud the NRMC inside of CISA. Before I came into CISA six months ago, I thought they were going to do wonky analytical risk assessments and publish them in books that no one would read. But when COVID happened, they were the first ones to identify our critical industries: food producers, grocery stores, and PPE makers. They’re not the industries that we thought were critical years ago. Almost every state adopted its risk analysis, some of them verbatim.
In this challenging environment, they’ve been at the tip of the spear in trying to figure out how supply chains fit together and what’s important. From a cybersecurity perspective, once I know what’s important, I know how to deliver my cybersecurity services to it. That’s the hard part: identifying it and then communicating it. Bob Kolasky, Assistant Director for the NRMC, has led that initiative. I think it’s been superb.
MeriTalk: Any thoughts about the CIO Council collaboration?
Ware: Our integration with them continues to be a strong spot for us. All of the initial QSMO pilots – all of the product categories – came from the CIO Council. The CIOs are telling us where to start, rather than us going to the lab and doing what we think is important. I value the advice, the feedback, and the sounding board they provide to us.
MeriTalk: How are you going to survive and work without conferences? What does that mean for industry interaction?
Ware: I love the happy hour that follows the conference. I’ve missed that like you wouldn’t believe. It feels different than these screen-to-screen interactions we’re doing. What’s interesting, though, is the social media impact of virtual conferences. It seems greater than when we had physical conferences. It’s probably because you have to promote them a little bit more, and it’s probably because that’s all we have. In some ways, we might be getting our message out more broadly than when we had only in-person meetings.