Second, ransomware could impact critical health and hospital care. From 2017 to 2019, half of all ransomware attacks were in the healthcare sector. When lives are on the line and timing is critical, that’s someone who’s more likely to pay the ransom.
But the newer issue, just in the last three months or so, is that foreign intelligence services and nation-state adversaries have been targeting medical research and pharmaceutical research to understand how we are approaching a vaccine and how we are approaching treatment. That is an espionage threat. China in particular has a long history of industrial espionage, so it’s no surprise that they have focused their efforts on pharmaceutical companies, and so that’s been a major focus of ours.
We will be concerned about different kinds of supply chain risks, and ransomware always rears its head with the potential to impact or disrupt the manufacturing process. Those are things that we are planning for right now.
FEDTECH: Explain how Project Taken works.
Ware: The original idea came from the movie Taken with Liam Neeson, where he says that he has a “particular set of skills.” So the idea was that CISA would try to develop a broad understanding of the various kinds of threats and risks faced by all the healthcare stakeholders, and CISA would lead the charge by providing a particular set of skills in enhanced cybersecurity services — security offerings to pharmaceutical companies and hospitals and so forth. But we would also coordinate with defense and law enforcement, so that when we saw malicious activities, we enabled our colleagues to exact consequences, to deter an adversary or to go after an adversary that was interfering with our COVID response.
Many of these companies are very, very sophisticated from a cybersecurity perspective, but companies versus nation-states is not a fair fight, right? As the U.S. government, we can come in and provide them with additional protection and additional assistance.
FEDTECH: On a nonpandemic topic, CISA is part of the Office of Management and Budget’s new Quality Services Management Office program. Can you explain the agency’s role?
Ware: We have been designated as the QSMO [pronounced cue-smo] for cybersecurity. What does this do? Our approach is to define the products, services and capabilities that, if a department or agency were to implement that stack, they would know they were secure. We at CISA would be able to get data from that stack, and that would allow us to have visibility across dot-gov and ensure that we understood the security posture at large.
It’s a storefront; it’s a marketplace. It allows us to search for the best products and capabilities, and negotiate with those vendors on behalf of the whole U.S. government. There are some cost efficiencies there, but we are also making sure that they conform to standards and best practices, and that they integrate and work well together. Then we provide those products and services through the QSMO storefront to every department and agency, and we’re going to work to go beyond that, so state and local governments can also buy the best-practice products and services that the U.S. government is using. I think of QSMO mostly as a business model change, an enhancement of the way that we’ve delivered services.
One of the first pilots that we’re doing under the QSMO is called Protective DNS, services that offer protection around the Domain Name System. So imagine all of the hundred or so federal executive agencies going out and trying to buy their own protective DNS solution. What we’re able to do is work with our partners in the intelligence community and in defense that have done pilots, that have built systems and that have best practices to understand fully how to scope out what we need in a protective DNS solution. We negotiate and hold a procurement where we try to buy the best-of-breed solution that exists in the market based on all the information we’ve gotten from all these interagency partners, and then provide it to the whole government. We’re trying to use our expertise to define and acquire the most capable solution.
FEDTECH: Would most of this be commercial off-the-shelf products?
Ware: Yes, but not only commercial. We’re also looking at security operations center pilots right now, where large departments and agencies have their own SOC. Can we provide a SOC through the QSMO for other, smaller departments and agencies so they don’t have to build their own? I hope what we’re able to do through the QSMO is identify where there isn’t a product, and where there’s a need but not a product, and give that information to industry to spur innovation, to bring things forward that will address the kind of systemic risks that we see across dot-gov and beyond. I look at 2021 as the year of piloting, working out the business model, getting feedback from departments or agencies and putting pedal to the metal as we head into fiscal year 2022.
FEDTECH: DHS collects immense amounts of data. What strategies are you looking to use to better collect and analyze data, especially in the context of a pandemic?
Ware: Our focus right now is trying to understand the data that we have, and to make the data we have available across the CISA mission set. We collect data sometimes within programs, and we do really smart things within that program, but we don’t necessarily tie it to another operational need. If you think about the strategy we have going forward, it is all about more data. And it’s not just more data, it’s better data. It’s better visibility. Where we want to get to is automating insight, and then enabling us through that cloud infrastructure, through that data infrastructure, to do virtual hunts, virtual incident responses, and be much more agile, much more analytical — not only to get savings and speed up our ability to deploy and engage, but also to get better analytical outcomes as well.
FEDTECH: Do you need new technology for that or just a better way of using what you’ve got?
Ware: We do need new technology, and the big emphasis right now is investing heavily in our cloud capabilities. We’re working with all the major cloud providers to best understand how to maximize the way that their systems are built and to give them the feedback. But we’re building a lot of cloud infrastructure right now. We have deployed a number of good commercial solutions in that space and then, of course, we’re learning from our interagency partners that have blazed that trail ahead of us. We take advantage of all that they’ve learned, and we don’t reinvent the wheel.
FEDTECH: Are domestic threats more difficult to watch for than foreign nation-state threats?
Ware: There’s a big part of our effort that’s just trying to improve security practices. We want to understand how those kinds of attacks took place and how they can be mitigated, and fix it across the board. That’s a really big part of what we do — try to find a vulnerability we see in one place, write it up, show how to detect and mitigate it, and proliferate that across government, industry and our international partners. Every one of those that comes up is a lesson for us, because what happened to one company could happen to another. It could happen to a government agency.
FEDTECH: Are there any particular cyberthreats CISA will be looking for this fall and winter?
Ware: There are always so many things to be watching out for. There are so many vulnerabilities that provide myriad opportunities for adversaries. But I would say that we’re watching the behavior of our most sophisticated adversaries and things that are happening in the geopolitical environment right now. We know that the Russians have been agitators in elections, but not just elections. They’re agitators in sowing discord in America through social media and other foreign influence campaigns. I expect we’re going to see that continued agitation from them to affect not just elections, but other geopolitics.
I think that the U.S. government has been taking a much more aggressive posture with China, really calling them out on espionage and IT theft and other things. That increased posture with China may cause them to have some more aggressive moves in cyberspace that we want to be very mindful of. I think that national security tension between the countries — it’s not a trade tension right now, it’s a national security tension — I think could present some new cybersecurity challenges.
Then, not to be outdone, we see the tensions in the Middle East, proxies using cyber effects and offensive cyber techniques, and we have to be mindful of those and look at how we might have some of those same vulnerabilities. We should be prepared for some of those scenarios to kind of boil over outside the Middle East and affect U.S. companies, whether they’re shipping companies or oil and gas companies or others that have that nexus to the kind of risks that we see in the Middle East.