
IATC - Lessons Learned from the CISA COVID Task Force & Healthcare Attacks

BSides Las Vegas · 56:38 · Published 2022-09
About this talk
IATC - Lessons Learned from the CISA COVID Task Force & Healthcare Attacks - Kendra L Martin, Michelle Holko I Am The Cavalry @ 11:30 - 12:25 BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

As I indicated, if you were in the first session, the CISA COVID Task Force was designed and implemented by a bunch of Cavalry folks after Chris Krebs, Director Krebs, asked us to come in and serve. We did not know everyone we were going to inherit; many of them were from very different backgrounds. Just by show of hands, how many of the three of you consider yourselves to be hackers? [Laughter] Sorry, did I laugh out loud? I would say they're all wrong, they're incredible hackers. But the mission is to preserve trust and to save lives, and these three helped ensure we did it, and there's no way we could have saved the lives we did on a daily basis

but for their skills. So we have an infectious disease expert on the end. In reverse order: Michelle Holko. We designed a whole new doctrine of ball bearings to find the strategically weak links in the supply chains, and but for her medical expertise, and Reuben Pasternak and others who couldn't be here, we wouldn't have known who to protect. Lisa Young brought some true risk management and data science and critical infrastructure experience and systems thinking, and a voice of reason, to help up-level the National Risk Management Center. Kendra, my... she deserves a Purple Heart for putting up with Josh. Yes. She completed me. There came a point where I

couldn't even read anymore. We had to write and read real high-consequence things together on a Zoom, on a video chat, just to make sure we never stopped the mission. People got tired at different points; Kendra never got tired. Every single day she was right there with us trying to save lives, and succeeding. So, Kendra, I don't even know how to describe you, but Kendra made everything come together and ran one of the risk management cells, and helped me hack around government bureaucracy to get the right thing done. This is a small slice of the team. There are other govies that helped us, like Dominak and Tom Lar in the room,

Beau joined, Ion Islam joined, other hackers that don't like to have their names flaunted joined, some data scientists joined, but we had a pretty large and growing team. I think we had 100 people at our peak. But I would like you to take a moment, including Spanky, who's somewhere around here from the Aerospace Village. There's Spanky. Spanky, I'm not going to tell you your official title. But I want you to please celebrate these heroes. Standing ovation, please. Just give them a round of applause for saving lives and keeping you guys safe.

[Applause] Okay, boy, I guess that made it worth the trip out to Vegas. Thank you, Josh. So what I'm going to do is give you kind of a quick what and why of what we'll be talking about, even though Josh did some of that earlier this morning, and then give you an overview of our agenda for today. But basically what we're doing is kind of building on Josh's intro of why the I Am The Cavalry approach, what we were doing in the COVID Task Force within CISA, the main point being that ransomware attacks indirectly contributed to factors that led to excess deaths during COVID, without question. We looked at these cyber attacks on

hospital systems that resulted in inaccessible patient records, disrupted communications, delays in processing test results, and we'll go into those kinds of details during the presentation. But due to the increased stress on the health care industry, hospitals did during the time of the COVID Task Force, and continue to have, kind of this increased risk of ransomware attacks. The pandemic's still going on; we act like it was over, we shut down the COVID Task Force, but this is an issue we're going to continue to deal with. And so CISA, we were able to take the opportunity of the task force, of the agility of kind of this new group that nobody even really knew who we were or where we were,

and we could plead ignorance to process, and we just knew we had to get certain things done. And so CISA really had this opportunity to kind of increase industry cyber preparedness and resilience, both related to health care but also to broader private sector work, through the COVID Task Force. So to walk us through all of this, Josh already introduced it, it'll be Michelle, Lisa and I. Michelle is going to talk a lot about the work of Operation Warp Speed, the ball bearings work, how we helped to identify who were the critical people, because we couldn't get to everybody, but where along the supply chain did we need to focus our efforts. Lisa is going to talk about the health

care portion, and really the journey of the Provide Medical Care work we did, which resulted in publishing our statistics and our analysis about the impact on the health care sector and the impact on excess deaths. And then I'm going to end up with a very high level, I'm not a cyber person, I didn't raise my hand as a hacker, but I'm going to talk about the cyber tools and the work we did, which we took the opportunity of the task force to develop, and then were able to transition into steady-state CISA. We were able to give those tools to our Cybersecurity Division to continue to work on sharing those, not just again with health care

but with broader critical infrastructure, water, energy, everybody out there. And I am one of the few people from the COVID Task Force who decided that the mission felt like something I should stay and do, so I'm actually now a permanent govie, and with this I'm able to continue, I hope, the work of the COVID Task Force and what we did in the cyber area. So first, just in case you haven't heard me repeat it several times, a little bit about CISA, and it is pronounced "sisa". It's still, we're really the newest agency in the federal space. We just celebrated three years, and we are the nation's risk reducer. We look

to lead the national effort to understand, manage and reduce risk to both cyber and physical infrastructure. What I think is really important to the COVID effort is that CISA does a lot of work at the federal level and working with the state, local, tribal and territorial governments and municipalities. I think the COVID work was a really great example of the public-private partnership and how we can work with the private sector more closely, in a more decentralized fashion, working with smaller companies, particularly working with small and medium-sized enterprises. So, like that, today's agenda: we'll start with Michelle kind of talking about the COVID Task Force, what we did initially, the initial work that set the

stage for everything we're doing, move into health care at risk, and then tackle a little bit about the cyber threats. So with that, we'll turn to Michelle.

Awesome. Okay, can you guys hear me fine? Okay, awesome. So it's nice to be here. It's great to meet all of these people in person for the first time after working together for, you know, over two years. It's really incredible. And I am absolutely not a hacker, although I can play one on TV. I'm a scientist by training. I have a PhD in genetics and I've worked a lot in the bioinformatics space, both for cancer biology as well as infectious diseases. And actually the majority of my career

I've been in the public sector. So after my postdoctoral fellowship I was a staff scientist at NIH, helping them with their databases and promoting reuse and re-analysis of data that have been publicly funded, so again, you know, getting the most out of the data. And then I was in the private sector as a contractor, but contracted back to the government, and worked at DARPA in the Biological Technologies Office. So the office was one year old at that time, and one of the major thrusts was the Prevent the Next Pandemic portfolio, and I was the technical lead for a lot of the programs under that umbrella. We were funding Moderna at the time; we were

looking at wearables and signals from wearables and how those could be useful for presymptomatic detection of infection. And so there was a lot of, you know, a biosecurity, biosafety angle to it, but it was all about pandemic prevention and getting left of boom. So if you look at the epidemic curve, whenever there's an epidemic going on, you know, you get a really strong growth curve, and that starts really early on. So the farther you can get left of that really strong exponential growth curve, the better you're going to be. And the... okay... so the better off we're going to be in terms of saving lives and preventing

death and epidemic spread. So all of that to say, then I went back into the government as a White House Presidential Innovation Fellow and was working with the NIH All of Us Research Program when COVID hit. So I was working with that program from October of 2019, and then COVID hit, and because I had been working in the pandemic space really strongly at DARPA, you know, and also coupled with the fact that there were very few scientists in government at that moment, you might be surprised to hear, OSTP was kind of a graveyard, and lots of empty offices there. So there were very few, you know, federal officials that

really had the expertise that was necessary to push things forward. And so because of that I started to talk to others in other agencies and figure out, like, how I could help, and one of the connections was made to the then head of the NRMC, the National Risk Management Center at CISA, Steve Curran. And he and I had a conversation about, you know, the need to really have that kind of expertise when we think about the risks associated with the pandemic. And so because of that, only because of that, like, random connection, and it was actually through one of my kid's best friends in kindergarten's parents,

who is Steve Curran's brother-in-law or sister-in-law, which is, like, totally random. But I was just complaining to her one day that I felt like, you know, the work that I was doing wasn't really very integrated with the pandemic, made that connection, and so Steve brought me on board. And it was literally, you know, the first few days of that was challenging because...

This is awesome, are you bringing... So if anybody is not familiar, we have a position here where speakers are allowed to make an outrageous speaker request for basically anything, and then I get to be an evil genie if I want to, and we're going here, but this time I'm just

playing it straight. So you've all been authorized to come grab some of these. I'll just pass them around, whatever. Dove Promises in various different flavors.

Thank you so much. So if you don't know... well, thank you, thank you. If you don't know, the reason I made the request is, you know, one, chocolate, really, but Dove Promises, if you don't know this, inside the wrapper there's a nice little saying that tells you something positive about yourself, which we should have had every day during the government task force. But it's just a nice way to remember, you know, you're here with the I Am The Cavalry session, and so when you eat your Dove chocolate, and even if you don't like chocolate, make sure you check the wrapper, and it'll just give you a nice little reminder about how special each and

every one of us is. Yes, awesome, this is fantastic. So I wanted to start by just kind of telling you the story about how this whole CISA COVID Task Force kind of came to be, and it wasn't anything that was intentional initially. And it really started, I think, on the first meeting that Josh Corman joined. I had been there for about a month, and we were in this space of trying to figure out what to do with all of these lists of companies and entities that the federal government and our international federal partners thought were important to protect during the pandemic. And so this very first meeting was kind of a mess; we were literally just talking about

this list, and all of these companies on the list, and how were we going to prioritize. This list was over a thousand companies, big, right? And so CISA did not have the ability to provide cybersecurity services to all of them at the same time; it's a very kind of limited team. And so we needed to figure out, like, who were we going to protect and how were we going to do that. And so we were talking about, what does the list look like, where did the list come from, there were a lot of different contributors to the list, and then we started talking about, like, well, what's on the list. And Josh, day one,

was like, you know, I think we need to think about this from the perspective of ball bearings in World War II. And if you want a bigger description of that from Josh later, you know, find him and buy him a drink and he'll tell you the long-winded version of that. But the concept is, like, instead of just taking this list on faith and trying to work our way through it, we needed to figure out how to prioritize the entities and get to the ones that were the most critical and had the most potential impact first. And so that's how that all started, and it literally started on Josh's day one in the government,

and, you know, he was very open with sharing the fact that Chris Krebs had asked him to come in and to do this.

So anyway, all of that to say, there was no method that we started with. It wasn't like someone said, oh, here's the method to use, you know, to our data scientists, to prioritize the list. And so we had to come up with something. And I think one of the things that I learned throughout this process is something is better than nothing. We had nothing and we had to get to something. And it really did require this interdisciplinary approach to it. You know, so we had Josh kind of at the strategic thinking level, you know, I was kind of

the biotech subject matter expert, we had Reuben Pasternak, who's an MD by training, an emergency physician, and his level of expertise. And then one of the things that we also started to come to, and, you know, the task force really came a little bit after we had kind of gotten to a baseline of what this was going to look like, then we started to realize that we also needed to think about things in a less narrow focus, right? And so we had this slide that we're not showing you today, but basically to kind of capture where these entities were coming from in terms of priorities. So

there were Operation Warp Speed entities, so all of the companies that were directly funded. Yeah, you can leave it on the previous slide for now. So there were all of the Operation Warp Speed entities, which is basically any organization who got federal funding to participate in Operation Warp Speed; they were developing vaccines, therapeutics and diagnostics. So all of those entities and any of their partners were all on those lists. There were also kind of adjacencies to those types of products. So whenever you're doing research around vaccine development you need a lot of different materials to, you know, do the cell culture and testing, so things like mouse embryonic fibroblasts and, you know,

bovine growth hormone, or lots of different, you know, biomedical tools that might not be directly funded but that are going to be really critical to being able to do that work. So there was, like, the Operation Warp Speed, there was the Warp Speed-adjacent type stuff, and then we started thinking about the health care delivery in general. You know, so once we got to the point where we had vaccines to deliver, were we going to have enough syringes, were we going to have enough gloves? You know, we had a huge issue with PPE early on and people not having access to PPE. There was also an issue with sourcing

latex globally. And so there were all of these various types of motions that we were also trying to account for, and really expand that from that very narrow view. So anyway, the CISA COVID Task Force really grew out of that kind of initial prioritization effort where we were just kind of, I mean, to be blunt, we were just making stuff up on the fly. And what we ended up coming to, and, you know, again, not to go into tremendous detail, was we did an assessment of all of the companies on the list according to four different criteria. So one was, what is the product? Is it a

vaccine, therapeutic or a diagnostic, but also more granularly, is it an mRNA-based vaccine, is it an immunotherapy-based therapeutic, etc., is it a diagnostic that can be done in the home or does it require, you know, lab-based testing? Another of the criteria was, how scarce is this? Is there only one company able to make this, or are there other companies that can also make this thing? Do we have a high supply of it or a low supply of it? So things like that. We also considered the dependency rating of the companies. So a good example around dependency is, for all of the nucleic acid-based vaccines, they all require this same kind

of really specific phospholipid to encapsulate them so that they can be absorbed and integrated into your biology. And so those phospholipids, there, you know, we learned that there were actually very few sources for those phospholipids, and yet all of these products were going to need them. So that was kind of where the dependency came in. And then there was also a material impact potential rating that was very subjective. It was basically me and Reuben going through the list and thinking about, you know, if we had this, how impactful would that be for our ability to respond to the pandemic? So we went through this list and did all of these ratings and then kind of

racked and stacked, and, you know, developed a metric that prioritized the list. And then we took that prioritized list and we broke it up into three chunks, you know: the top tier, where the most important to protect were; the middle tier, well, we'll get to them when we have time; and then the last tier, we're not going to worry about them so much. And in that way we were able to really prioritize cybersecurity service delivery for those most critical entities. And we had a couple really interesting things that came out of that initial prioritization that gave us confidence that it was actually doing something useful, and I think that was

really the nucleus of what justified to leadership, you know, that we really did need this COVID Task Force that was going to not only implement this initial prioritization, but as new things arose, as, you know, shortages in PPE, as, you know, hacks on health care delivery organizations, as all of that continued to happen, that we were able to continue to respond in a timely manner. So, you know, a key thing to note here is that, you know, we are from diverse backgrounds. I am not a hacker, although I've gotten a lot more into cybersecurity, and the security aspects of biotech in particular, since doing this work. And I think that

it really does take all of those various perspectives, you know, thinking about things from a systems perspective, thinking about things from a biology perspective in this case, I think is really critical. So yeah, next slide. So one of the other fun things was, in addition to people like myself who kind of detailed in, and Reuben who detailed in, and Josh who detailed in, we also were kind of creating a coalition of the willing, in a way, right? And so people were excited to contribute to this effort, and, you know, creating that energy and really figuring out who was going to be, you know, helpful and willing to help. And almost,

I mean, everybody was amazing. Everybody that we worked with was amazing. And one of the things that we did kind of early on was we went around and talked about who was your superhero that you identified with, and that was something that I think was really important. And mine is Elastigirl. I also teach yoga, is one of the things that I do, and I always say we bend so we don't break, and I think that's a critical message around resilience: figuring out how we can adapt and continue to pivot whenever new things were arising, as they were daily, during this time. So next.

Yeah, so, you know, I think I already voice-tracked this, but really we had, you know, some CARES Act hires. There was a hiring authority that was able to bring people in really quickly, and, you know, so Reuben was able to come on board really quickly. In other cases, like in Lisa's case, it wasn't so quick, but, you know, in some cases it was really very quick. People were able to come on board, and come on board in kind of a flexible manner, which is not usual for the federal government, you may be surprised to know. It usually takes a really long time, and there's a limit

in terms of the number of billets. And so one of the things that I'd like to suggest as, you know, the Cavalry considers how it works in the future going forward: you know, CISA as the youngest government agency really is in an opportunity moment, I think, where it is influenceable, more so than it will be in the next 10 years. And, you know, I think, Josh, having people come in in this kind of a flexible, like, fellowship kind of a way from the Cavalry into CISA, I think would be one really exciting way to do that. So the fellowship that I did that brought me to CISA is this

Presidential Innovation Fellowship that kind of does the same thing. You're term-limited, you're there for one year, you can extend to a second year, but the point is to bring people from tech companies that are going to bring in the latest and greatest from tech directly into the government in kind of a leadership role. And I think that would be a great model to follow with the Cavalry going forward, as one of the ways that you can continue to influence the way that things are going, especially in the government thing. And then, you know, we certainly had, you know, career CISA employees that joined the task force. So let's go to the next slide.

So, Operation Warp Speed. I gave a little bit of an introduction of that. And so basically Operation Warp Speed was a whole-of-government effort to develop the vaccines, therapeutics and diagnostics we needed for COVID-19. There was a lot of early focus on the vaccine, especially if you understand infectious diseases and epidemic spread; you know, the sooner you have a vaccine, the sooner you can really prevent things. And we're seeing a really interesting path with COVID where, you know, yes, the vaccine is helpful, but we also need the other things too, and so it's good that we were funding those initially. But at the same time, you know, we had an

awareness that it's not just about those specific products. You know, there's a lot of adjacencies here that go into protecting the critical infrastructure that is, you know, provide health care, and what is the term for it? Provide Medical Care. Provide Medical Care. So anyway, all of that to say, you know, I think that Operation Warp Speed was a way for us to not only hone in on what we were focusing on, but also, you know, thinking about protecting that broader mission, because the rest of Operation Warp Speed wasn't focused on that, right? So one of the challenges we saw was, who's going to be a little bit more forward-thinking,

who's going to think more broadly about, you know, how we really do this in a way that's meaningful and saves lives? So that was another thing that we took on. We were very integrated with all of the Operation Warp Speed stuff. We talked to DoD all the time, we talked to HHS all the time, and we also got really close with the government coordinating council, with the H-ISAC. There wasn't a Bio-ISAC at the time; they just launched, I believe, last year, and a lot of that grew out of the need that we saw and some of the vulnerabilities we saw in biotech during this time. But the Health

ISAC, I think, you know, we learned a lot from the Health ISAC, and I think that's another way that these public-private partnerships are really critical, is even just in information sharing and awareness of the state. You know, there was a very chilling, I don't remember the number, but there was a very chilling number, or I think it was something like 80 percent of health care delivery organizations, or something, were operating with outdated software. Do you remember what that... I forget the number, but anyway, it's chilling when you think about that. Like, do you really want, you know... I had, my youngest son was in the NICU for three months, and I think about, like,

the software that was running all of his equipment and keeping him alive every day. Like, do you really want those hackable, or be really vulnerable to security threats? So anyway, that's just, personally, something that I think a lot about. Yeah, next slide. Okay, so the goal of the kind of ball bearing strategy was really, again, a prioritization effort so that we could focus our delivery of services to the weakest links. So finding the weakest links, finding the key targets for attack, and being able to action on them. Okay, I think I voice-tracked this mostly, but yeah, so we, you know, we really,

again, we focused on this kind of Operation Warp Speed as kind of the way that we centered where we were looking, but again, we thought more broadly about it too. And then the output of that effort was to figure out, you know, who was our tier one, how are we going to get this list of thousands down to a manageable number, and then work with our regional teams to actually be able to provide that support and cybersecurity service delivery to these organizations, and even just assess, you know, what their cybersecurity status was. You know, early on, one of the entities that we identified, we reached out to them, and we learned that

they didn't have any security people on staff at all. They had two IT people, and they were both, like, oh, okay, wow, this is interesting, the government wants to talk to us about our security, but we don't actually do that. And one of the strategies that they used was to keep their manufacturing offline, you know, which is a fine strategy in some cases, and certainly for parts of their system. But this company was quickly then acquired by a larger organization, which made our outreach a lot more complicated, because then we had to talk with our international partners about talking with them, because it was an international company whose cybersecurity was in a different country than

the company's headquarters. So now there are three countries, three countries' governments, having to coordinate on, you know, how do we talk to this organization, how do we give them the security services they need so that we're going to protect this, because this was one of the ball bearings. So, you know, I think that's a really good example of how, you know, all of this coordination, not only, like, our team, you know, but also the coordination across governments, was really critical to this mission. And then we also, you know, thought more broadly about health care delivery organizations, and Lisa's going to talk to you more about that. Right, okay.

So this is complicated, all of this stuff up here, so hang on a second, because I want to make sure I don't forget anything. How about that, better? Yay, okay. All right, so Michelle said a lot of things, and the title of this is cybersecurity lessons learned, so I'm going to translate a few things. So remember that the ball bearing strategy was fantastically applied, because risk is always about uncertainty, and it's about focus on the critical few, right? So in all of your organizations you should be focused on the critical few things that matter to your mission. Now your mission could be government, industry, for-profit, non-profit, it makes

no difference. The point is all the assets that you're trying to protect need to be in service of the mission, right? And so the other thing that she talked about a lot, you know, translates into supply chain, right? So I'm a risk person, not... I mean, yes, I have a cyber background, yes. I'm going to make a shameless plug here for anybody who's interested in getting groomed to serve on the (ISC)² Board of Directors. So I am an (ISC)² member long-term, and I know that some of you are disgruntled, but the point is we're doing fantastic things. We're doing fantastic things there, and we need more diversity and inclusion

on the board. So just FYI. Okay, so a long story is that, you know, supply chain. I mean, when Josh called me and said, you know, we're putting a band together to do some protection of the supply chain of the vaccine, I was like, okay, I'm in. He didn't tell me what we were going to be doing. And actually, in the end... so my avatar, I'm a big Avatar, Avatar: The Last Airbender, so I'm Katara. But the point is that I didn't have an avatar when I first started, and I was the last one to join the team, and so somebody, I don't know if Ed's here, but he gave me the one called Semper

Gumby. And the reason he gave me Semper Gumby is because I'm always about, okay, how are we going to meet people where they are and how are we going to, like, bring them along, right? And we had to meet people, as Michelle indicated and Kendra indicated, at various levels of understanding, various levels of "we're from the government, we're here to help," you know, and just imagine getting a call like that, right? And plus we had a mission, right? Operation Warp Speed was run by the military, but the vaccine and the other things were run by people like us. So I'm going to talk... Josh gave you a lot

of statistical information, but I'm going to try to make this next section about what we learned. So my background is in risk, but it's also in... so I spent three years working in automotive safety and helping improve the security from a coding perspective, right? And then I also worked in energy. I was working in energy, municipal power specifically, but also the National Rural Electric Cooperative Association. When I say two guys and a generator, I mean sometimes there's only one guy and a generator in the middle of Oklahoma. And so I was working for the energy sector, and of course water was a part of that, you know, how do we

protect those things. And I had a public-private partnership background, like, how do we actually get people to fund, you know, people who can actually do things in the field. So I'm really excited. I have another talk this afternoon, David, are you here? Yes, about the dumpster fire that is critical infrastructure and how we're trying to help. But okay, so, next slide, sorry. Okay, so Josh spoke about this, but I want to be very specific. So think back to the spring of 2021. I know we all have a little bit of, you know, trauma around this time, but the vaccines had recently begun, sorry, I can't see, the vaccines had recently begun to roll out, right? And the

pandemic was continuing to exacerbate existing strains on the national critical function of Provide Medical Care. Hospitals were flooded with patients that needed acute care, materials and PPE were in short supply, and there were low vaccination rates. And remember, DHS's mission also had a mis-, dis- and mal-information campaign that they were running from the previous year on the election, and there was a ton of, you know, social media-targeted mis-, dis- and mal-information about vaccines, which created vaccine hesitancy. So we were combating those threats at the same time. And so the team undertook some amazing research, which is on this slide, and there's even more, the papers that Josh showed earlier, with the purpose to understand not just the

functional impact at the ground-truth level about what was going on in hospitals and hospital operations, but the cascading impacts on other critical infrastructure sectors. So as I said, I was in the energy sector, and the American Public Power Association was my customer, a long-term customer. If you're familiar with the cybersecurity scorecard that APPA rolled out, I was a big part of that effort. There was a big team, not just me, but the point is we were trying to raise the bar on cybersecurity in the smaller municipals and rural co-ops. And so what were the cascading impacts from this? You know, electric, food, water, logistics, to losing critical

infrastructure workers, right? Because at that time we also were very much in need of personnel, and when APPA, before vaccines, right in the very beginning, we were having daily and weekly calls about sequestering. We sequestered all of our line operators and all of the maintenance people, and some of you in this room may have been sequestered in some of the hotels that weren't being used anymore because people weren't traveling. So we were putting people in, you know, very strategic locations so that if something happened to various parts of critical infrastructure, we would have people who were healthy who would be able to service that. So that was pretty important. So unlike COVID deaths

overall, which generally struck those age 75 years or older, the excess deaths were highest in the 25 to 44 year old ranks, you know, and when you think about it, those are the people who are serving up our critical infrastructure by and large. And, you know, factors included avoiding medical care for other conditions, right, such as high blood pressure, diabetes or other things that were going on; postponing elective surgeries for too long; and also loss of health care because they lost their job or they lost their benefits, or, you know, loss of income. But the racial and ethnic subgroups experienced disproportionately higher percentage increases in death during this time, right, with the most pronounced

effects on Hispanic and Black communities. And so that's also in our research, so you'll see that in there, and that we think was, you know, a terrible thing in it. But this trend continued until, well, in September 2021... There's a state of emergency that you can declare as a health care provider called (I want to make sure I got it right) crisis standards of care, right? It's known as CSC. And by September of 2021 there were four or five US-based... and we were in coordination with our international partners, but I can only speak about the US. The point is, by December of 2021 there were nine out of 50 states

operating at crisis standards of care. So this was quite, you know, quite the trend; it was also happening across the globe. So I'll go to the next one, and the perfect storm. What created the perfect storm is also the bad actors, you know, were opportunistic in looking to do bad things, and with the health care organizations already suffering, it became harder to prioritize the cybersecurity practices that needed attention. Hence the work we did on bad practices, hence the work we did to make sure that we were vocal, that absolutely everybody knows that certain things are just terrible, right, and so don't do them. But it was hard to get the word out because of the

noise, right? And I think, I don't know, Josh and I did, and many of us did, many tabletop exercises with organizations, and what we found out, what we learned through the Health ISAC, you know, is that the majority of their members were not the cyber-poor; they were actually in the upper echelons and they had the time and energy to devote to belonging to the ISAC. So how did we get the information out to those who needed it most, right? And so many of the hospitals, you know, the other thing we learned is that many of them did not have an incident response plan of any kind, generally speaking. So they hadn't really thought, I

mean, the fact that they weren't all patched and all the other things that, you know, Michelle talked about; they also didn't have the basic resources. And one of the things that, you know, as public-private partners, one of the solutions I'm most proud of is when we did the work on the cybersecurity scorecard the first year, you know, we went around and basically put together an incident response plan for municipal power companies and gave it to them. Now, it was funded by DOE, which then funded APPA, but the point is that money has to trickle down to get to people who need the things and tools, right? Okay, so

the other thing about incident response plans is even the ones that had something on paper, they hadn't tested it under some of the conditions under which they were operating. So go to the next one. Now Josh mentioned the ransomware event, and, you know, it was terrible, but it gave us the ability to actually look at what happens to someone when they have a ransomware event and talk about it, right? And so in this thing you'll see a timeline, and we published a good bit of research, but, you know, what actually happens when someone is suffering from a ransomware attack? Go ahead and go to the next one, because these are some of the knock-on effects

that happen, right? You know, and even just what Josh mentioned earlier: not having electronic health records available and having to revert to pen and paper. Well then, how do you get pen-and-paper records on someone to the next medical professional down the line who actually needs that information, right? And so go to the next slide, because one of the other boards I serve on is SIRA, the Society of Information Risk Analysts, which is a quantitative risk group of non-hackers. But the point here is that Josh, Jeff, who couldn't be with us today, who's part of the team, and Dr. Katie Webster

were, you know, instrumental in asking the questions, asking the tough questions, and then performing the research. So this talk is actually recorded; it was done in, what is this, September of 2021, I think. But that was when we first... I think at that point some of the research that Josh spoke about hadn't been published, right? It hadn't been published until later. We were having trouble getting the word out, right? Doing great work but having trouble getting the word out. So I'm going to turn it back to Kendra and we'll finish up here. Go ahead. Okay, just real quick, we're going to go through... I guess first of all I should

say my superhero was Wonder Woman, and I feel like I spent most of my time just spinning around trying to get that magic going. And so, you know, as Josh said, my contribution to the team was the glue. The glue, there you go. So what I want to talk about now, and I'm going to talk about it at a very high level because later this afternoon Tom and Don, who are over here with us from CISA, are going to actually go into the details of some of the work we developed in the cyber area. But basically what happened is, as we... I'll get it, oh no, I can, I'll just sit closer, you know,

so there we go. As the task force kind of moved from Operation Warp Speed, away from the vaccines, our focus really was on the healthcare delivery organizations, small to medium-sized businesses, kind of key to the whole infrastructure of healthcare in the country. And so we took a lot of the work that we had been doing. We already had, and were promoting, free cyber services, and we specifically went after the HDOs and went out to the healthcare delivery organizations and said, do you know we do this? We had had a lot of practice or prep with those documents the year before, during the election. We had updated a lot of our documents to go

to local election boards and help them with how do you make sure your systems at your local level are secure. And so here's just a list of some of the programs we have, and again we had some that we started with, but then, for example, Stuff Off Search: getting off Shodan (Stuff Off Search), also looking at Censys, Thingful, any of the things that are visible, you know, where your devices have visibility on web-based search platforms. That was something that we felt was important to everybody, but we had a mechanism to say let's develop some products to help the HDOs, to help those small businesses, those small entities, understand what this specific risk is. And this

was just kind of the first of the examples of products we developed within the task force, and then said, oh wait, we have this Cybersecurity Division at CISA that's here all the time doing this, you know, over and over and over again. And so we were able to pass those off, so they're now, you know, living documents at CISA and not just focused on the health care delivery section. We also talk again about that broad definition of our intended audience: the target-rich, cyber-poor. And so again, support for the health care delivery organizations and trying to take both what we already had and then the new things we were

developing. I think several people have mentioned the bad practices. I think that's when Tom was already a part of our CISA COVID task force as a career employee; we then had to pull in Don Bernat because he really liked what we were doing, and we liked what he was doing as the head of our vulnerability management group at the time. And so these are the sorts of things where, again, really basic help to small entities, like the organization that Michelle mentioned earlier who didn't even have cyber staff and yet they were producing part of the critical vaccines that we needed to get out in the country. And so trying to help people with understanding, you know, what are

strong password practices, how do you, you know, make sure you're installing patches, that you're keeping your software up to date, getting your stuff off search. It really became a way for us to quickly develop and pass on information that was specific to the COVID community but would have broader implications for critical infrastructure, which is, you know, CISA's job. So basically our premise was that what we were implementing for the community we were focused on during the COVID task force, the focus on vaccine and overall patient care priorities, also allowed us to start building for the future of what the agency could be doing. So when we look at kind of lessons learned, I would say the first one: we

kind of looked at this smaller, more nimble organization within CISA that was allowed to give us that ability to do more cross-agency coordination. Frankly, I think I know more people across this, now that I work there full time, than my colleagues within my group know across the agency. I was able to work with different branches, different divisions, and we were able to take that work much broader. Always opportunities for improvement, but here are kind of our list of the basics: the good, the bad and the ugly. You know, having that CARES Act staff, having people come in from the outside with different perspectives, different mentalities.

Crisis is a perfect time for piloting efforts. Like, we did get pushback, but we didn't always get pushback, and we were able to achieve a lot in a very short period of time. It gave us a lot of ability to reach out across the healthcare community. International sharing: Beau especially did a lot of work overseas with our counterparts. I think with only five minutes left we're probably not going to talk about... well, there's always work left to be done, and we have work left to be done within the agency and outside. Again, how CISA can help: these are the kind of things I think we'll talk about

some more this afternoon. But yeah, do you guys want to kind of add to any of these closing ones? Yes, can I say one more thing? So we actually, I'm really proud of this, because we won what's called a Unity of Effort award. Okay, it's a really nice statue that they sent us, but it wasn't that. The reason that I'm really proud of it is because of what both my colleagues said and everyone here has said, is that we made people talk to each other who didn't want to talk to each other. So we were all the people in different silos, you know, and that for me was like a proud moment. So even if I hold up that

award and, you know, it sits behind me on my bookshelf, you know, like when we picked up the phone and called the people we knew, and called the people they knew, and called people somebody else knew. And so when we talk about a hacker community, I mean that's one of the ways we hacked the government, you know, is just to call people and talk. Did Joshua say something? Just since there's a break after this, we could take a couple of questions even though we're... One, just to tag on to that: one of the ways in which we did that, that was shocking to me and actually took a

really long time, was the way that we talked to the FBI so regularly. Because, you know, with the field offices there was a lack of coordination at the local level between intel and, you know, CISA, and I think it was partially just because there was trust building that needed to happen. CISA was new to this game, we were brand new, and we were leveraging our DHS field offices, and so doing that coordination with FBI, it took a lot. And I think that was one of the biggest pieces of progress that was made. Agreed. Yeah, and we did a tabletop with the FEMA folks, which was super awesome

because there were like 90 FEMA people, and a lot of them are lawyers, and they were really scheming on how they could put in some emergency authorizations to help people, right? And it was a bright spot for me because they were just so willing to say, yeah, throw down, let's spend some money on helping people over here, and we can do this and we can do that. And so I was jazzed by a lot of that, despite the PTSD of, you know, working across government. Oh, we got a stop sign. Yeah, we do. Okay, great. [Music] Try to use the mic so people on the

stream can hear you. Can you all hear me okay? First, thank you for what you all did to help through a difficult, critical time. Really appreciate y'all for that. You had this opportunity to stand up a team for a purpose, and I'm just curious: is the CTF still in place? Did it dissolve? And how does that work continue? If you pull together for something like that, how do you make sure that the initiatives that you started continue after that initiative is no longer there? Great question. So the task force was formally disbanded the beginning of this year. During the whole course of it we always had a strategy that some of us were

discussing, which is: we're going to spread out across the agency when we leave the task force. If we embed ourselves in different divisions and different groups, we will keep the dialogue going. So a couple of us stayed, a few of us; I think there are at least three CARES Act who converted, there were some existing people, both still with us. So those of us left have tried to intentionally, you know, we know something the rest of the agency doesn't know. There's a ton I don't know about how the agency works, but what I do know is how I can reach across to different groups, and I think we've tried to leave that. We've also,

again, how many of us from the task force are here in the room today? Hands... oops. Like half, half of the task force is here. And so I think we developed a passion for this mission that turned out to be, I Am The Cavalry-like, or the next Nexus 2, that's going to keep us kind of together in trying to both work extending the work of the COVID task force but also the work of government. How do we make government more efficient, more relatable at a local level? So, and Kendra, you shared last night that, because I've since moved on, but you shared last night that there's now someone who's

come to CISA to lead up, like, medical, which is not a domain that CISA had had coverage on from a subject matter expertise perspective, which was kind of why I was brought in initially. But, you know, so building that expertise, a realization that that is an important expertise to have when you're trying to protect the nation's critical infrastructure, is good

while they're heading up. Yep. One of the reasons I said we're still needed is there's a strong desire, based on Chris Hoff's keynote on Conway's law, there's a strong desire for agencies to stay out of each other's way. But what we realized early is these multidisciplinary, intersectional risks require multidisciplinary, intersectional solutions. So there's almost like a battle for the soul of government: are we going to be siloed by agency, or are we going to be cross-cutting? And they're keeping the flame alive for the forced, uncomfortable interagency collaboration, even though it's the easier thing to do to stay in your silos. But silos kill. So go ahead. Can you guys all hear me? Yes. Thanks. Hey,

so first of all, thank you. I actually work for an organization that supports the Defense Health Agency, so you guys were integral to... Yay, team, awesome. So thank you very much for that. So my question is, in my opinion, a lot of our C-suite guys were like, who's gonna hack a hospital? Like, what bad guy out there? Meanwhile everybody who's in IT is screaming, like, literally everybody. But I feel like the problem that I'm having now is a lot of people are losing the cybersecurity message in the pandemic. They're like, oh, they only went after us because things were so stressful; hospitals are still safe. Are you seeing that shift? Are people starting to get it,

or really? That makes... Okay, I'll take it, I will take the tiny little bits. Yeah. Oh wait, Michelle said something is better than nothing, right? Okay, so the answer is yes, we are. I think there's a lot of passion around getting that message out. So yes, I hope, I think so, I hope so. That was awesome, by the way, thank you so much for everything you've done. I spent a lot of time in the small/medium biotech space, in community hospitals and places like that, and I would love to hear just a little bit more of your stories about how, when you called those guys up who have an IT staff of two and

no security people, how did you actually get them to do anything, and what was... tell us more about those stories. Yeah, that would have to be... that was great because, yeah, I think we're going to have to cover that one, and there were so many really good ones, and I think Bo would actually probably have some things to share about that, and Josh too. But yeah, because sometimes they thought they were getting punked: like, you're really from the government? Yeah, and you're calling to offer me free cybersecurity services? Well, and also often times in those initial calls we had to include all of our government interagency people, so we would have someone from FBI on the call,

we had someone from HHS on the call, we had CISA, and people literally thought it was a joke initially. It took a while for people to kind of trust us. Hi, question for Lisa: did you have any application for quantitative risk methods? Thank you, Russell. If so, what did you learn, what were the benefits, what would you advise other people? So the answer is yes, and to your question about does the C-suite actually pay attention to things: Russell is my partner in crime for SIRA, and, you know, we're striving hard to stop talking about records and actually talk about impact to the business, in what matters to them, right?

And records may matter if you have a data breach, but the point is those costs are well known and those are easily measurable. The difficulty is in the things that we don't yet have full information for, and Russell has done some fantastic work in impact categorization and cost. And the reason I said it's important for you to focus on your mission is because the mission drives what you care about, right? And so whatever your mission is, it makes no difference. And one thing I didn't say when I started this is: these are all my opinions. I am not here representing any employer, or DHS anymore, or anybody that I've worked for, ever. So the point is that quantification

gives you the ability to talk to business leaders in their terms. I'll just give you a very simple example. When you say server X is down because blah blah blah blah, nobody really cares. But if you say server X is down and it impacts our ability to accept customer payments, all of a sudden people pay attention. You know, all of a sudden, when you can put it in terms that matter to the business, people really do listen, right? So to the degree that we can do that, the better we can do it, the better it informs our ability to talk to leadership and people making decisions

on the things that we're tasked with protecting. All right, I think we are out of time. [Applause]