All the primary federal government and private sector entities involved in the government's effort to develop, produce and distribute vaccines for COVID-19 are receiving cyber security services from the Department of Homeland Security and the intelligence community, a DHS official said on Wednesday.
Once the Trump administration established Operation Warp Speed (OWS) in response to the ongoing pandemic, the Cybersecurity and Infrastructure Security Agency (CISA) "quickly began working with the Department of Health and Human Services, the Department of Defense, and the pharmaceutical industry to identify these entities and ensure they directly received necessary additional cyber security support, such as vulnerability scanning services, information sharing, and incident response," Brandon Wales, acting director of CISA, told a Senate panel.
Wales said that 62 percent of the "most important" entities involved in OWS have adopted CISA's Cyber Hygiene service, which performs regular scans of an organization's public-facing web address for known vulnerabilities and automatically reports results to the entity. He said 100 percent of OWS prime entities responsible for delivering COVID-19 vaccines have adopted Cyber Hygiene.
The same adoption percentages hold true for a service from CISA and the intelligence community called Overwatch, which monitors threats involving organization names, domains and internet protocol addresses, Wales said.
At the outset of the pandemic, 5 percent of the OWS entities were receiving Cyber Hygiene services and none were receiving the Overwatch services, he said in his written testimony to the Homeland Security and Governmental Affairs Subcommittee on Federal Spending Oversight and Emergency Management.
OWS was stood up in May. Since then, CISA has conducted six incident investigations, published two cyber advisory alerts about threats targeting OWS entities, provided notifications of eight critical vulnerabilities, provided four advanced warnings of state-sponsored cyber threats, and provided six notifications to entities regarding critical vulnerabilities, threat targeting or compromise, Wales said.
"Through our cyber security defensive services, our vulnerability scanning, and our information sharing mechanisms, we are engaging with these critical organizations to assist them in establishing a strong defense today as well as a culture of resilience moving forward," Wales said. "In addition, we continue to assess the national critical functions, which allows us to identify and mitigate risk before it impacts critical infrastructure."