Oct 07 2020

Q&A: CISA’s Bryan Ware on the Pandemic's Effects on Cybersecurity

CISA found its territory vastly expanded as the COVID-19 pandemic escalated. Assistant Director for Cybersecurity Bryan Ware explains how the agency adapted as a nation turned to telework.

Editor’s note: Bryan Ware left his job at CISA on Nov. 13. This interview was conducted while he was still with the agency.

Less than a month after Bryan Ware joined the Cybersecurity and Infrastructure Security Agency, the White House declared the worldwide COVID-19 outbreak — still in its early phases in the U.S. — a national emergency on Jan. 31. The new assistant director for cybersecurity soon found his agency handling more than just the usual nation-state threats and the expected election security issues as many of the nation’s workers and students took their jobs home with them.

Even CISA employees were performing their duties remotely. As the nation’s endpoints expanded, so did CISA’s work. From his home, Ware discussed the agency’s role during this unusual year with FedTech.

FEDTECH: How did cybersecurity concerns evolve as mass telework became the norm?

Ware: There’s a statistic that says 60 percent of Americans that are working are teleworking. When you move all of these functions to the telework environment, it creates new risks, and those things have made us very busy. We’re leveraging new technologies that have inherent vulnerabilities; agencies are rushing to deploy new cloud services, so there’s misconfigurations that present vulnerabilities. Our adversaries seemingly haven’t had degraded performance with this pandemic, and they’ve refocused their efforts on our teleworking infrastructure. That’s a new vector for them, so there are some things that we didn’t have to pay as much attention to before that are now really, really important.

FEDTECH: What priorities have risen to the top of your list?

Ware: The one we think about most is the virtual private network. There are known VPN vulnerabilities that continue to be exploited, continue to be vulnerable, even when patches are available. In the January time frame, if you were a CIO or CISO, you had so many vulnerabilities and so many priorities that maybe VPN wasn’t your first one, and you hadn’t gotten to it yet. By late March, almost everyone’s workforce was working remotely through a VPN connection. Paying extra attention to vulnerabilities that have now become mission critical is one of the areas where we’re trying to do a lot of education.

The other thing is that, by necessity, businesses, departments and agencies have leveraged commercial videoconferencing solutions — Zoom, Microsoft Teams, Cisco Webex — in ways that are much more significant than they may have been before. Those have some inherent security and privacy risks that are associated with them, many of which are just configuration choices that end users make without knowing the best practices. So we’ve had to learn all the products and work with the vendors, and try to develop best practices and guidance for how to use those products most effectively.

This is an area in which almost everything that we are writing, everything that we’re seeing, everything that we’re encouraging the federal departments and agencies to do, is 100 percent applicable to our other customer bases — state and local, critical infrastructure and so forth. They have the same vulnerabilities, and they have the same risks.

FEDTECH: How much attention are you giving the healthcare sector compared with before the pandemic?

Ware: Very early on in February, as we were watching the pandemic, we started to ask ourselves, “Well, what’s going to be impacted in the United States as this emerges?” We started a program called Project Taken in March to address the risks of any disruption to the COVID response, not just for healthcare but also for certain parts of the supply chain. Think about personal protective equipment and medical devices and lab companies that do testing. And then as we went into May and June, that focus also included — and is now our primary focus — the vaccine manufacturers, the anti-viral manufacturers, those that are going to be responsible for getting us a vaccine for COVID.

Traditionally, the healthcare and pharma sectors haven’t been at the top of our list of critical infrastructure. Not that we’ve ignored it, but we’ve been very focused on pipelines and the energy sector, the financial sector and so forth. Well, this year, right there with elections infrastructure, healthcare infrastructure is a major priority, and a really new priority for us.

FEDTECH: What’s the primary risk for the healthcare sector?

Ware: The healthcare sector has the same risks that every other sector has. All of a sudden, we’re doing so many more things online, remotely and via telework. All of those teleworking vulnerabilities apply to the healthcare sector, and maybe more so in the sense of telemedicine.

Second, ransomware could impact critical health and hospital care. From 2017 to 2019, half of all ransomware attacks were in the healthcare sector. When lives are on the line and timing is critical, that’s someone who’s more likely to pay the ransom.

But the newer issue, just in the last three months or so, is that foreign intelligence services and nation-state adversaries have been targeting medical research and pharmaceutical research to understand how we are approaching a vaccine and how we are approaching treatment. That is an espionage threat. China in particular has a long history of industrial espionage, so it’s no surprise that they have focused their efforts on pharmaceutical companies, and so that’s been a major focus of ours.

We will be concerned about different kinds of supply chain risks, and ransomware always rears its head with the potential to impact or disrupt the manufacturing process. Those are things that we are planning for right now.

FEDTECH: Explain how Project Taken works.

Ware: The original idea came from the movie Taken with Liam Neeson, where he says that he has a “particular set of skills.” So the idea was that CISA would try to develop a broad understanding of the various kinds of threats and risks faced by all the healthcare stakeholders, and CISA would lead the charge by providing a particular set of skills in enhanced cybersecurity services — security offerings to pharmaceutical companies and hospitals and so forth. But we would also coordinate with defense and law enforcement, so that when we saw malicious activities, we enabled our colleagues to exact consequences, to deter an adversary or to go after an adversary that was interfering with our COVID response.

Many of these companies are very, very sophisticated from a cybersecurity perspective, but companies versus nation-states is not a fair fight, right? As the U.S. government, we can come in and provide them with additional protection and additional assistance.

FEDTECH: On a nonpandemic topic, CISA is part of the Office of Management and Budget’s new Quality Services Management Office program. Can you explain the agency’s role?

Ware: We have been designated as the QSMO [pronounced cue-smo] for cybersecurity. What does this do? Our approach is to define the products, services and capabilities that, if a department or agency were to implement that stack, they would know they were secure. We at CISA would be able to get data from that stack, and that would allow us to have visibility across dot-gov and ensure that we understood the security posture at large.

It’s a storefront; it’s a marketplace. It allows us to search for the best products and capabilities, and negotiate with those vendors on behalf of the whole U.S. government. There are some cost efficiencies there, but we are also making sure that they conform to standards and best practices, and that they integrate and work well together. Then we provide those products and services through the QSMO storefront to every department and agency, and we’re going to work to go beyond that, so state and local governments can also buy the best-practice products and services that the U.S. government is using. I think of QSMO mostly as a business model change, an enhancement of the way that we’ve delivered services.

One of the first pilots that we’re doing under the QSMO is called Protective DNS, services that offer protection around the Domain Name System. So imagine all of the hundred or so federal executive agencies going out and trying to buy their own protective DNS solution. What we’re able to do is work with our partners in the intelligence community and in defense that have done pilots, that have built systems and that have best practices to understand fully how to scope out what we need in a protective DNS solution. We negotiate and hold a procurement where we try to buy the best-of-breed solution that exists in the market based on all the information we’ve gotten from all these interagency partners, and then provide it to the whole government. We’re trying to use our expertise to define and acquire the most capable solution.

FEDTECH: Would most of this be commercial off-the-shelf products?

Ware: Yes, but not only commercial. We’re also looking at security operations center pilots right now, where large departments and agencies have their own SOC. Can we provide a SOC through the QSMO for other, smaller departments and agencies so they don’t have to build their own? I hope what we’re able to do through the QSMO is identify where there isn’t a product, and where there’s a need but not a product, and give that information to industry to spur innovation, to bring things forward that will address the kind of systemic risks that we see across dot-gov and beyond. I look at 2021 as the year of piloting, working out the business model, getting feedback from departments or agencies and putting pedal to the metal as we head into fiscal year 2022.

FEDTECH: DHS collects immense amounts of data. What strategies are you looking to use to better collect and analyze data, especially in the context of a pandemic?

Ware: Our focus right now is trying to understand the data that we have, and to make the data we have available across the CISA mission set. We collect data sometimes within programs, and we do really smart things within that program, but we don’t necessarily tie it to another operational need. If you think about the strategy we have going forward, it is all about more data. And it’s not just more data, it’s better data. It’s better visibility. Where we want to get to is automating insight, and then enabling us through that cloud infrastructure, through that data infrastructure, to do virtual hunts, virtual incident responses, and be much more agile, much more analytical — not only to get savings and speed up our ability to deploy and engage, but also to get better analytical outcomes as well.

FEDTECH: Do you need new technology for that or just a better way of using what you’ve got?

Ware: We do need new technology, and the big emphasis right now is investing heavily in our cloud capabilities. We’re working with all the major cloud providers to best understand how to maximize the way that their systems are built and to give them the feedback. But we’re building a lot of cloud infrastructure right now. We have deployed a number of good commercial solutions in that space and then, of course, we’re learning from our interagency partners that have blazed that trail ahead of us. We take advantage of all that they’ve learned, and we don’t reinvent the wheel.

FEDTECH: Are domestic threats more difficult to watch for than foreign nation-state threats?

Ware: There’s a big part of our effort that’s just trying to improve security practices. We want to understand how those kinds of attacks took place and how they can be mitigated, and fix it across the board. That’s a really big part of what we do — try to find a vulnerability we see in one place, write it up, show how to detect and mitigate it, and proliferate that across government, industry and our international partners. Every one of those that comes up is a lesson for us, because what happened to one company could happen to another. It could happen to a government agency.

FEDTECH: Are there any particular cyberthreats CISA will be looking for this fall and winter?

Ware: There are always so many things to be watching out for. There are so many vulnerabilities that provide myriad opportunities for adversaries. But I would say that we’re watching the behavior of our most sophisticated adversaries and things that are happening in the geopolitical environment right now. We know that the Russians have been agitators in elections, but not just elections. They’re agitators in sowing discord in America through social media and other foreign influence campaigns. I expect we’re going to see that continued agitation from them to affect not just elections, but other geopolitics. 

I think that the U.S. government has been taking a much more aggressive posture with China, really calling them out on espionage and IT theft and other things. That increased posture with China may cause them to have some more aggressive moves in cyberspace that we want to be very mindful of. I think that national security tension between the countries — it’s not a trade tension right now, it’s a national security tension — I think could present some new cybersecurity challenges.

Then, not to be outdone, we see the tensions in the Middle East, proxies using cyber effects and offensive cyber techniques, and we have to be mindful of those and look at how we might have some of those same vulnerabilities. We should be prepared for some of those scenarios to kind of boil over outside the Middle East and affect U.S. companies, whether they’re shipping companies or oil and gas companies or others that have that nexus to the kind of risks that we see in the Middle East.

Photography by Ryan Donnell