Dive Brief:
- Water, hospitals and K-12 schools will be the primary area of focus for the Cybersecurity and Infrastructure Security Agency over the next year, CISA Director Jen Easterly said Thursday at Mandiant’s mWISE Conference.
- Healthcare and water are among 16 critical infrastructure sectors CISA and other federal agencies have identified as “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” While schools are not considered critical infrastructure, they represent a soft target that is frequently hit by debilitating ransomware attacks.
- CISA, in a bid to prioritize risk management and cyber resilience guidance across critical services, is placing higher emphasis, at least initially, on what Easterly describes as “target-rich, resource-poor entities.”
Dive Insight:
Hospitals and schools, in particular, are among the most heavily targeted sectors in part because resources are scant and their attack surfaces are so broad.
Two of the most high-profile ransomware attacks since September hit the Los Angeles Unified School District, the nation’s second-largest school system, and CommonSpirit Health, one of the country’s largest health systems.
Those attacks, the impacts of which are still unfolding, signify how even the more resource-rich organizations can fall prey to cybercriminals.
Easterly applauded the Los Angeles school system for contacting federal authorities quickly and being transparent about what it knew amid ongoing investigations and recovery and response efforts.
Many schools, hospitals and water facilities don’t have large security teams, and few have the ability to invest millions or billions of dollars as some organizations have done in finance or energy, Easterly said.
“We have to figure out how to connect all of these entities together in a way that we can get information out that is useful to them, that is tailored to their ability to understand it and absorb it, and then to drive down risks to all of our national critical functions,” she said.
CISA intends to be more collaborative and nuanced in how it conveys threats by sector and region, according to Easterly. This should allow it to better calibrate the level of vigilance and specific guidance organizations need to mitigate and reduce risks.
“We've talked so much about threats and how we're so worried about this very complex, dynamic cyberthreat environment, nation-state actors and cybercriminals,” she said. “But I think it sometimes downplays the fact that as defenders, we have enormous power if we can work together collaboratively, and if we each take accountability and responsibility for our ability to defend cyberspace.”
The goal, Easterly said, is to work together to enrich the threat picture so something can be done about it proactively.