These focuses are timely, with the ransomware attack on Change Healthcare believed to impact personally identifiable information of potentially a third of all Americans, in just one recent example. The new plans task the Department of Health and Human Services with strengthening cybersecurity best practices across the health care and public health sector by the first quarter of 2025.
Schools also continue to wrestle with ransomware and other cyber attacks, and the plan gives the Department of Education until the end of the year to establish a mechanism to coordinate and “promote cybersecurity best practices with state, local, tribal, and territorial entities across the education facilities sub-sector.”
Both the traditional energy infrastructure and the emerging greener energy grid face cyber challenges, too. The national strategy now instructs the Department of Energy to work with state and federal regulators, private industry and others to bolster cybersecurity. The department will also work to expand participation in the Energy Threat Analysis Center program.
The strategy also calls for the federal government to maintain other efforts, including continuing to encourage the water sector to adopt cybersecurity best practices and support related state programs with training, consultations and guidance. It will also expand the Rural Water Circuit Rider Program to offer water system cybersecurity technical assistance, education and training.
But there’s only so much that resource-strapped critical infrastructure entities themselves can do. There’s plenty of opportunity to raise cybersecurity for all sectors if the major technology companies that serve them improve their own cybersecurity, said Eric Goldstein, executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency during the RSA Conference. He recounted a recent incident during which pro-Russian hacktivists targeted small water utilities across the U.S. They gained access to the utilities’ operating systems for controlling water supplies — not by doing anything sophisticated, but simply by using the systems’ default passwords that the vendor had published online.
“There is a common technology base that underpins every single sector. That means that if we can invest in making that technology base more secure and resilient, we are going to lift up every single sector,” Goldstein said.
Plus, it means that the providers of these common technologies have visibility into the threats against their users. Pooling insights from them can help federal agencies better understand where threat actors like Volt Typhoon are likely to target, Goldstein said.
While federal agencies have hit some goals from the first version of the national strategy, they’re continuing progress on others. That includes pushing to see companies and others develop their software to be secure by design and by default. There’s been progress along the way, and on Thursday, “a significant” number of companies are slated to pledge to uphold such principals, Goldstein said. The White House also secured a similar pledge from K-12 educational technology vendors about a year ago, he said.
