Improving the cybersecurity of the water critical infrastructure sector, K-12 schools, and healthcare sector are among the top priorities for the Cybersecurity and Infrastructure Security Agency (CISA), agency Director Jen Easterly said today during Mandiant’s mWISE conference in Washington.
In targeting those sectors, Easterly explained, the agency will focus on target-rich and resource-poor entities, such as nonprofit hospitals, small water facilities, and K-12 school districts. Those entities are part of the critical infrastructure ecosystem, but they don’t have large security teams to help mitigate cyberattacks, she said.
“They’re not investing millions and billions of dollars like some in finance and energy are. And so, we have to figure out how to connect all of these entities in a way that we can get information out that is useful to them, that is tailored to their ability to understand it and absorb it, and then to drive down risks to all of our national critical functions,” Easterly said.
Last week at a Washington Post Live event, a White House official made similar comments. Anne Neuberger, the deputy national security advisor for cyber and emerging technology in the Biden Administration, explained that the White House is targeting water and healthcare cybersecurity standards and guidance as a priority.
Easterly also said today that CISA plans to publish the final version of its cross-sector cybersecurity performance goals – which it developed with the National Institute of Standards and Technology – next week.
“[The goals] comes with a checklist that says, here’s how we’ve done it, here’s the progress, here’s what we’ve completed it. We’ve also color-coded it to show prioritization. And we’ve also detailed cost and the complexity behind each practice,” Easterly said.
The performance goals will address both information technology and control systems cybersecurity activities.
The goals aim to provide a shared understanding of the baseline cybersecurity practices critical infrastructure owners and operators can follow to protect national and economic security and public health and safety.
“For the first time, I think we’re going to be able to materially measure the reduction of risk across the most critical areas,” Easterly said.