The ongoing COVID-19 pandemic has revealed that some critical infrastructures are more significant to the nation than previously thought, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to take a closer look at what the consequences of a cyber event might mean for the nation, the agency’s director said on Thursday.
A year ago, certain entities within the healthcare sector were certainly thought of as critical, as were the functions they perform, but amid the COVID response they’re now seen as “much, much more” so, Chris Krebs said during a virtual meeting of the president’s National Infrastructure Advisory Council (NIAC). The NIAC members include representatives from various critical infrastructure sectors and former government officials who examine cross-sector security and resilience issues and make recommendations to the president.
During the pandemic, CISA has been working to understand the shift in the risk landscape, protecting the response and securing the digital transformation, Krebs said.
Of the three variables making up the risk formula—vulnerability, consequence and threat—it’s the consequence variable that has seen the most dramatic shift. Historically, the most important critical infrastructures have been “fairly steady state” but now with “the shift in consequences, we’re taking a new look,” he said. “Okay, maybe there are additional organizations in the healthcare sector that are developing vaccines, those that are manufacturing PPE, maybe we need to take a fresh look.” PPE refers to personal protective equipment.
Two other factors associated with the shift in the risk landscape include understanding the “external drivers that could disrupt that [critical] function” and cyber security risk, Krebs said. External drivers are things such as commodity shortages, workforce absenteeism, and demand increases or decreases, he said.
As for protecting the response, Krebs said CISA is working to engage these organizations of “heightened significance” and “provide them additional support and resources from a cyber security perspective, from a physical security perspective,” adding that it could be a cyber event or something like increased demand that disrupts a function. This work also involves supply chain analysis, he said.
Ahead of the pandemic, a lot of organizations were struggling with transforming their digital infrastructure but by mid-March most had it figured out, Krebs said, highlighting the impact of a crisis in helping to get things done. CISA will be generating its own lessons learned from its digital transformation as well as its partners’ to be a “one-stop shop for digital transformation,” he said.
Currently, 93 percent of CISA employees are teleworking and the agency has remained productive, “so we want to keep this going as long as we possibly can,” Krebs said.
To create the one-stop shop, the agency is reviewing all of its “digital transformations,” including how it secures telework and video conferencing, along with what its partners at the National Security Agency, the National Institute of Standards and Technology, the United Kingdom’s Cyber Security Centre, and private sector partners and others have learned, he said.