Although the government got through the WannaCry ransomware attack in May unscathed, federal IT security leaders are not letting the guard down.
To ensure that agencies are adequately prepared to defend against and respond to ransomware attacks — malware designed to encrypt files and only decrypt them if the victim pays a ransom, usually in the digital currency bitcoin — agencies need to work with their private sector partners, federal officials said.
Speaking on Wednesday at the CyberScoop CyberTalks event in Washington, D.C., officials from the Defense and Health and Human Services Departments said that robust information sharing is critical if agencies want to stay ahead of adversaries using ransomware.
Mitchell Komaroff, the Defense Department’s principal adviser for cybersecurity strategy, planning and oversight, said that the DOD’s cybersecurity infrastructure and processes were adequate enough to keep WannaCry off of the agency’s systems. However, some of the DOD’s commercial partners were infected by the ransomware, which presented a “mission risk” to the department.
The DOD has long recognized that American adversaries and competitors might try to gain an “asymmetric advantage” against that Pentagon’s formidable military technology via attacks on the agency’s supply chain and the intellectual property of the country’s defense industrial base, Komaroff said.
“WannaCry was kind of unique in that it really represented a more criminal-oriented exploit that still was able to impact commercial partners,” he said. “Our approach to try to manage both risks to our intellectual property and to managing these kinds of problems have been built around an engagement with industry.”
That includes being clearer about cybersecurity requirements in contracts and sharing lots of information with the industry on threats, he said.
The Importance of Information Sharing to Combat Ransomware
Christopher Wlaschin, CISO of the Health and Human Services Department, said that the U.S. “dodged a bullet” with the WannaCry attack, but it had “terrible implications” in the European Union, he said.
Increased attention to the importance of using up-to-date software patches, workforce awareness and organizations’ willingness to align cybersecurity risks with business risks helped limit the fallout in the United States, he said.
At HHS, Wlaschin said, the agency works with the National Health Information Sharing and Analysis Center, a nonprofit that is the official healthcare information sharing and analysis center, and the HITRUST Alliance, another nonprofit information-sharing and analysis organization, as well as other organizations, to alert the healthcare sector about cybersecurity threats such as WannaCry.
“Imagine a public health emergency not generated by a hurricane or wildfires, but by a cyber incident where a large watch of medical devices could not be used, and patients had to be turned away or scheduled somewhere else for service,” he said. “Imagine a radiologist not being able to read critical CT scans or other images and having to delay care to a large portion of the population. That’s what worries me about ransomware.”
The Food and Drug Administration, the National Institutes of Health, the Centers for Disease Control and Prevention and other HHS components are working with the department’s strategic vendor partners to “illuminate the problem, to align it with business risks and then to take meaningful actions to prevent it.”
Komaroff said that the DOD has developed a “multipronged approach” to sharing information about threats with its commercial partners. That includes sharing threat information via the Defense Cyber Crimes Center, which analyzes cybersecurity threat signatures and serves as a clearinghouse for threat information produced by the DOD and its private sector partners. Defense contractors also voluntarily provide classified threat context that explains threat signatures.
Additionally, Komaroff said, the DOD requires its contractors to meet certain cybersecurity requirements to protect controlled unclassified information. The Pentagon also has voluntary and mandatory cybersecurity reporting requirements.
Contextualize Ransomware Threat Information
HHS’s Health Cybersecurity and Communications Integration Center (HCCIC) led a coordinated response to WannaCry as it was launching operations this past spring. The HCCIC, designed as a healthcare-focused cousin of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), serves as a central hub for monitoring cyberthreats to the healthcare sector and to share information with the private sector.
The HCCIC, Wlaschin said, is designed to contextualize threat information and make it meaningful to doctors, nurses and office managers who do not have advanced technology or much of an IT background.
“Automated threat indicator sharing is very valuable,” he said. “And, when consumed at machine speed by organizations that have the mature IT infrastructure or security staff to consume or take action on it, it’s very valuable. But by and large, the majority of the healthcare sector is not that way.”
HHS is working with information-sharing organizations to make sure cybersecurity threat information is sent in understandable ways to small doctors’ offices across the country, Wlaschin said.
“The collective awareness, preparedness and resilience of the healthcare sector relies on information sharing,” Wlaschin said.