Parallax Q&A: Josh Corman on joining CISA to secure vaccines

Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. All issues are free through March 22. After that, you’ll receive one issue per week. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you'd like a subscription option not available, please email: seth@the-parallax.com.

More than a year into the Covid-19 pandemic, the world is engaged in the most important race of the 21st century: Can health care professionals vaccinate enough people to stop the spread of the virus before its mutations evolve beyond the reach of current vaccines? As the clock ticks, an unexpected organization has stepped up to lend a hand in the United States: The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.

Most Americans weren’t aware of CISA, which was created in 2018, until it waded into the 2020 election disinformation swamp to help voters discern intentionally misleading news stories from legitimate stories about election security. Before leaving office, Donald Trump fired agency leader Chris Krebs, a Republican cybersecurity expert he’d appointed, for doing exactly that. The former president tweeted, without evidence, that a CISA statement asserting that the “November 3rd election was the most secure in American history” was “highly inaccurate.”

Krebs had spent the early months of 2020 recruiting top cybersecurity talent to prepare for the election, including Josh Corman, a longtime fixture of the hacker community who spent much of the 2010s working on various interconnected cybersecurity policy issues, including improving medical-device security, offering regulatory support for a software bill of materials and, through his volunteer project, I Am The Cavalry, creating sustainable guidelines for securing the Internet of Things.

CISA plays an unusual double role in the federal government. On one hand, it helps protect government agencies from cyberattacks and online threats. On the other, it helps protect critical infrastructure from physical and cyberattacks attacks.

“Critical infrastructure” is a much broader term than many people realize. It encompasses power plants and water treatment facilities, as well as emergency services, food and agriculture, critical manufacturing, health care, and public health—16 agency-labeled sectors in all.

During a fateful conversation at last February’s RSA Conference in San Francisco, Corman offered Krebs* a briefing on the state of ransomware attacks against health care organizations. Some people were wearing masks on the conference floor, and attendance was lower than the normal 40,000 souls because of flight restrictions. Two attendees were soon counted among the earliest cases of Covid-19.

A week later, the conversation Krebs asked Corman to join CISA’s efforts to help protect health care organizations during the pandemic. Krebs created an internal initiative called Project Taken—partially inspired by the Luc Besson-directed action thriller flick Taken—which would use agency funding from the $2.2 billion allocated to supporting the Cares Act to enlist top hackers and cybersecurity experts to fight Covid-19.

“CISA was already partnering with the Cyber Threat Intelligence (CTI) League and Cavalry folks. The goal was to help flatten the curve by avoiding health care downtime from ransomware risks,” says Corman, who joined CISA as its chief strategist for improving responses to the pandemic and, more broadly, health care and public safety. “The plan was cross-divisional, cross-sector, with organized Tiger Teams, and physical and cybersecurity assessments.”

Even before the coronavirus pandemic, U.S. health care organizations had been under an increasing number of cyberattacks, many of them ransomware-based hacks that would lock up computer systems and devices. As the Covid-19 crisis began killing hundreds of thousands of Americans, and hospitals groaned under the strain of millions of infections, any delay to delivering care would almost certainly result in even more lives lost.

"There’s a whole lot more we can do to prepare for future pandemics and risk."

Health care downtime continues to be a significant complication in the United States, as the chaotic, uneven, and inequitable distribution of vaccines has left people confused over whether to maintain pre-vaccine Covid-19 hygiene procedures, as well as susceptible to vaccine misinformation and coordinated disinformation.

Krebs has since formed a cybersecurity consulting company with Alex Stamos, director of the Stanford Internet Observatory and former Facebook CISO. They snagged SolarWinds as their first client. Corman and many of the other hackers hired by Krebs remain at CISA.

While Corman says health-related communication issues are best left to the Centers for Disease Control experts who have been leading government response to health crises for decades, CISA is adroitly positioned to protect the vaccine supply chain to ensure that the complicated networks needed to produce and disseminate vaccines remain resistant to hackers. What follows is an edited transcript of our conversation.

Q: When you started working at CISA in July, the pandemic had been raging for months, and there was no end in sight. What was it like getting started in the middle of that?

When I started, I wrote a problem statement for Operation Warp Speed to accelerate the development and distribution of vaccines, diagnostics, and therapeutics. I viewed it as a speed-based mission, where the consequences of elective delay would be catastrophic and complex.

There are biological consequences, where even a one-month delay could affect 3 million people—more than 4,000 Americans are dying, and nearly 100,000 infected, per day. There are geopolitical consequences for delays: Our performance on the world stage could undermine U.S. interests for 10 or even 20 years. And we’re all suffering now with the economic consequences, the deleterious impact on businesses and employment, including additional loss of life or harm because of the lack of income.

"We are the nation’s risk management adviser. We’re not law enforcement. We’re not the regulator. We’re like the fire department. We want to help you put out fires."

Part of what I was being asked to do was helping to secure reliable health care delivery. I had to identify, engage with, and deliver supply chain risk analysis. When I was doing SBOM [software bill of materials], I learned a lot about how supply chains function, especially from [supply chain theorist W. Edwards] Deming.

Ventilator supply chains, PPE supply chains—they’re all complex. One of my early partners was an infectious-disease specialist, a doctor and former hospital CEO, who helped identify small, less obvious players in the supply chain which, if disrupted, would mean no Moderna or Pfizer or AstraZeneca vaccines.

I researched the development and distribution for R&D companies, for industrial control systems, and for operational technology, and did outreach to strategic points in the supply chain to ensure that we can prevent avoidable delay and harm. To rise to this challenge, CISA made dozens of Covid hires.

Is the race to vaccinate America and the world a relay race? Or more of an obstacle course, with malicious hackers as pitfalls?

It’s a race and a relay race. Depending on a company’s stage of development and distribution, it manifests different accents and adversaries that we need to contend with. When I was recruited, the main concern was economic adversaries—nation-state adversaries targeting hospitals with ransomware. But malicious intent is not a prerequisite to harm.

Look at NotPetya. Its original intent was to hit Ukrainian businesses, but it did more than $1 billion in damage to U.S. companies. So many ball bearings and linchpins in these R&D systems can be interrupted easily by ransomware or [device vulnerability] exposures on the Internet.

Look at cold storage, a crucial part of the supply chain for the Moderna and Pfizer vaccines. The storage itself needs to keep the vaccine doses cold. You need to monitor the temperature, and the doses have to be transported in cold-storage trucks.

You wouldn’t think of them as a crucial part of the supply chain, but in November, cold-storage facilities in the U.S. were hit by ransomware. We’re asking what happens to international shipping of vaccine or cold-storage components, when dock workers get Covid. And we’re seeing evidence of espionage against biopharmaceutical companies—cyberattacks to steal vaccine-manufacturing data.

"The agency best suited to solving these issues is the least understood. At two years old as a standalone agency, our role in the pandemic is the strongest proof point in why CISA needs to realize its full potential."

We have to shift between these variables and plan contingencies fairly rapidly. The CISA task force for national intelligence planning and strategy meets every two weeks. When we had multiple vaccines that needed cold storage, we became experts in that. The next week, we had to shift to misinformation and disinformation on vaccines. And the next week was the loss of vaccines because of distribution problems.

That’s what CISA was born to do, in concept, and this is the crucible—when we’re finding out if we can accomplish what we’re meant to do.

How hard has it been to establish these essential partnerships with the private sector, when these days, there’s not a lot of trust there or with the general public?

There’s very poor knowledge that CISA exists, or of what it does, and of what protections health care organizations have. We often have to do evangelism in situ, because fear and a lack of knowledge can be a headwind.

One of my proudest moments was when I spotted a very small but critical manufacturer in the supply chain of nucleic acid candidates. They had no cybersecurity employees—if they’re disrupted, then vaccines are going to be delayed. We engaged with them and offered CISA services—including an early warning system—which they accepted right away. Later, they were placed into a higher-risk tier that provided them access to additional assistance.

We’re teaching the federal government this notion of “ball bearings,” and providing services for target-rich but resource-poor organizations like that manufacturer. We may need new authorities to buy them better cybersecurity systems, and maybe we need a plan to get them from crawl to walk to run. There’s a whole lot more we can do to prepare for future pandemics and future risk.

We are the nation’s risk management adviser. We’re not law enforcement. We’re not the regulator. We’re like the fire department. We want to help you put out fires.

Has that gotten any easier, six months into your tenure?

The agency best suited to solving these issues is the least understood. At two years old as a standalone agency, our role in the pandemic is the strongest proof point in why CISA needs to realize its full potential.

One very recent step in that direction came from the latest National Defense Authorization Act, which conferred new authorities. It shifts some agencies’ roles to more fully recognize intersectional risks.

Risk management is a big part of what we do, but also providing cybersecurity services for a designated sector or in a National Critical Function. We offer cyberhygiene services, such as scanning your IP addresses for threats. By doing that, we can get some trends on patching rates and see exploitations across multiple sectors. We also help with incident response and malware analysis.

Another supporting step is the Cyber Information Sharing Act of 2015, which shares an acronym with my employer but is not directly related. It allows data to be shared across government agencies. It helps us put out fires and translate those events into warnings for other departments and agencies.

Right now, one of the biggest categories of risk is poor information. The 2015 CISA law protects you with safe-harbor provisions, so you can share knowledge about a ransomware attack. But you can be fined under HIPAA for a ransomware attack, even if data doesn’t get lost. Confusion and uncertainty in those situations could potentially create preventable harm, and with record-high ransoms compounding the harm, we have never been in a more precarious moment. [Corman later clarified that if more organizations were familiar with CISA 2015’s information sharing safe-harbor provisions, they could better protect themselves and help other organizations.]

I know it’s still early days for the Biden administration, but have you heard from them on what CISA is doing?

I don’t think this is a spectator sport—all of us have lost a loved one. A lot of my brain is focused on how to make future responses even stronger. The inbound politicos love these ideas, and the career folks love them as well.

We’re tasked with standing up a permanent cybersecurity advisory committee. So we’re on the right path, but I wish we had done it 10 years earlier.

There’s what we’re doing now, and what we might be able to leave as a positive change on the federal government. Krebs made a significant effort to be trusted in the cybersecurity community. We might even answer the question, “What happens when you put hackers in the federal government?”

Correction on March 4 at 10:30 p.m. PST: Corman initiated communication with Krebs.

A tweet to live by:

What do you know that we don't?

Got a tip? Know somebody who does? You can reach me via email, Twitter DM, or Signal secure text: 415-730-3194.

Coming next on Friday:

Cyberattacks against the Web and mobile apps that health care organizations use are on the rise in the Covid-vaccine era. We look at what the experts are seeing, and what health care organizations can do to better secure their apps.

Thank you for subscribing to the free edition of The Parallax View! Learn more about our paid subscription options here.