Dive Brief:
- National Cyber Director Harry Coker Jr. said the administration is taking new actions to strengthen key critical infrastructure sectors, including healthcare and water utilities, and will pursue additional steps to fight ransomware and boost resilience, in a keynote speech Wednesday at Auburn University’s McCrary Institute in Washington, D.C.
- The Department of Health and Human Services will implement its cybersecurity strategy for the healthcare sector, which includes raising baseline standards for hospitals and working with Congress to get additional aid to small, rural and critical care facilities. The agency has been dealing with a series of catastrophic cyberattacks impacting patient care and access to medications.
- The Environmental Protection Agency will provide more technical assistance for public water systems, and the Department of Agriculture will invest in a circuit rider program to integrate cybersecurity programs for rural water utilities that are considered vulnerable.
Dive Insight:
Coker highlighted ongoing threats to the nation’s critical infrastructure, and said additional work was necessary to boost resilience and strengthen sector management under the second phase of the national cybersecurity strategy implementation plan.
Two weeks ago, the administration previewed its plans to improve the resilience of additional sectors as it unveiled a report on the nation’s cyber readiness.
“However, it’s clear that a reactive posture cannot keep pace with fast evolving cyber threats and a dynamic technology landscape,” Coker said Wednesday. “It’s also clear that just managing the worst effects of cyber incidents is no longer sufficient to ensure our national security, our economic prosperity and our democratic values.”
Plans for the next implementation phase are a positive step, but funding for key sector risk management agencies is “woefully inadequate,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
The proposed Biden budget includes $12 million for additional cybersecurity capacity for strategic preparedness at HHS, $25 million for additional sector risk management agency capacity, and $25 million for a first-ever cyber grant for water utilities, according to Coker.
Coker highlighted plans to crack down on criminal ransomware and an effort to better understand open source security risks.
A 2023 report from the Cyber Safety Review Board found the Lapsus$ ransomware group was recruiting teens to take advantage of their potentially short jail terms and ability to infiltrate organizations.
“Frankly this is terrifying – it’s terrifying to think that our children are being recruited to commit crimes,” Coker said. “It shows a clear gap in our policy and a horrific opportunity for our adversaries.”
At the recommendation of the CSRB, the Department of Justice plans to develop a program to deter juveniles from cybercrime, Coker said.
The Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology are assessing the feasibility of a security risk assessment center for open source software, as the CSRB recommended in its 2022 investigation into the Log4j vulnerability crisis, Coker said.