No Easy Fix For Untangling Web of Critical Dependencies


The Change Healthcare ransomware attack shows it's difficult to map out - or even identify - the systems that would have the biggest impact if attacked.

As healthcare providers, hospitals and patients continue to reel from the impact of the Change Healthcare ransomware attack, private and public sector cybersecurity officials are pointing to the incident as a stark reminder of how interconnected systems can have widespread impacts. But mapping out and pinpointing those critical entities - and all the moving parts and pieces that make them up - is a complicated process.

During a Wednesday event hosted by the Foundation for Defense of Democracies, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that it was important for the U.S. government to sit down with healthcare sector stakeholders and the Department of Health and Human Services, in order to get a better idea of how to highlight companies “that are much more critical than we actually were expecting.”

“That work is continuing, we will be doubling down on that work with the authorities coming out of the National Security Memorandum,” said Easterly. “But it just illuminates the fact that we have to have an understanding of global supply chains and where impacts can be felt most seriously to the American people.”

Easterly said that the government had created a list of fewer than 500 organizations that, if disrupted, could trigger a detrimental impact to national security, economic security or public health and safety. However, even within the individual organizations on that list, various complex layers of subsidiaries and subfunctions exist. Change Healthcare parent UnitedHealth Group, for instance, has scooped up a tangle of healthcare companies over decades, ranging from technology healthcare services company Optum to health information technology and data firm Ingenix. With all of these organizations under its belt, UnitedHealth said it works with partners and providers to support 152 million individuals - but as the Change Healthcare incident shows, pinpointing the company's specific services and their various influences on patients, providers and hospitals isn't so simple.

“When the Change Healthcare [attack] happened, I went back and looked at that list,” said Easterly. “You saw the parent company, obviously one of the biggest companies, [and that] would be something we would think about as a systemically important entity, but Change was not part of that.”

National Critical Infrastructure Observatory

Understanding the weaknesses of the U.S. critical infrastructure ecosystem was one of the focuses of the Wednesday event, which was centered on a report released last month by the President’s Council of Advisors on Science and Technology (PCAST), a federal advisory council of 28 thought leaders appointed to give advice around science, technology and innovation policy. The report, “Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World,” looked in part at taking steps to improve the cybersecurity defenses across critical infrastructure sectors.

One part of the report recommended the creation of a National Critical Infrastructure Observatory to help develop what Phil Venables, CISO of Google Cloud and a PCAST member, calls a “digital twin of the U.S. critical infrastructure” that could help the government better understand the most impactful entities and the dependencies that exist between sectors.

The observatory was built on “this notion that our adversaries have a better map or understanding of our critical infrastructure than we collectively do ourselves,” said Venables during the event. “That’s a worrying place to be because… that gets us in positions where we don’t understand where our hidden dependencies are, where you get these identified critical areas that may be in a third, fourth or fifth-party dependency, dependent on some foundational thing that could have some big knock-on effect.”

This observatory could help reflect the biggest “concentration risks,” but could also help organizations better understand the impact of Log4j-level vulnerabilities in the chaotic first few months after they’re disclosed. Venables said that ideally, in the long term, the observatory would be able to leverage artificial intelligence to identify the multi-stage attacks around these critical infrastructure sectors in order to get ahead of adversaries.

The report recommends that CISA's National Risk Management Center work with a research center that's federally funded, and with the private sector, in order to develop the "classified mapping system." Some factors for map developers to consider would include entities with risks like a high reliance on specific technologies or resources, and "single point of failure risks."

Public-Private Partnerships

The U.S. government has in the past several years been coordinating closely with critical infrastructure entities to better equip them against cyberattacks. As part of this relationship, the government has paired various critical infrastructure sector entities with federal agencies, called Sector Risk Management Agencies (SRMA), to help with tasks like identifying vulnerabilities and mitigating incidents, carrying out incident management responsibilities and providing support around various collaborative tasks. For instance, the Department of Health and Human Services is responsible for the healthcare sector, while the Department of the Treasury has been assigned to the financial services sector.

The SRMAs are a key part of the recommendations outlined in the report, which calls for them to work with CISA to create critical infrastructure performance goals, to bolster research and development efforts to better understand the weaknesses and strengths of the nation’s critical infrastructure, and to push greater industry, board and CEO accountability when it comes to cyberattacks. The report also recommends that SRMAs be better equipped to support the “cyber-physical resilience goals” of these critical infrastructure sectors.

The latter goal is particularly significant for Harry Coker Jr., national cyber director in the Office of the National Cyber Director, who during the event stressed that he’s been devoting his attention to SRMAs on the frontlines of public-private partnerships.

“When I look at the SRMAs, I can compare it a bit to [the days] where cybersecurity wasn’t given the level of importance that it is; too many folks looked at cybersecurity as an inconvenience, as opposed to an imperative,” said Coker. “With our SRMAs and public-private partnerships, we’re turning the corner, and frankly we can’t slow down.”