How critical US sectors are coping with rising cyberattacks

The rise in cyberattacks this year has forced many companies in critical sectors to make improvements to their cyber defenses in an effort to secure their networks from hacks.

Such companies are increasing their investments in cybersecurity and seeking to hire more cyber professionals — a task proving to be challenging amid a shortage of cyber workers across industries.

The Hill spoke to several security experts and industry leaders in the financial, health care and energy sectors to gauge how those critical industries are seeking to keep their networks secure amid the growing number of cyberattacks.

In the health care sector, which has seen a spike in ransomware this year targeting hospitals and other health care facilities, Christopher Plummer, a senior cybersecurity architect at Dartmouth Health, said having a cybersecurity program is crucial for hospitals, as they hold sensitive information — including patient data.

But he estimated that only about 10 to 20 percent of the nation’s hospitals have a dedicated cybersecurity program.

A recent report from Kroll, an investigation and risk consulting firm, found a 90 percent increase in the number of attacks against health care organizations in the second quarter of this year compared to the first quarter.

With cyberattacks increasing, the sector has had to increase its resources to fund cybersecurity programs and hire more cyber professionals to work on securing its networks and systems from attacks.

“I think many HDOs [health delivery organizations] just don’t know exactly where they’re supposed to be in terms of human resources when it comes to cybersecurity — they just know they need people,” Plummer said.

The pandemic has also put a strain on a sector that “was already in a very tough place with respect to security resources,” said Plummer.

The surge in attacks has also led lawmakers to urge the Biden administration to strengthen the federal government’s cyber defenses in the sector.

In a letter addressed to the Department of Health and Human Services, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) last month urged the agency to better protect the health care and public health sector from the growing number of cyber threats.

“Ransomware attacks on the [health care and public health] sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” the lawmakers said in the letter.

“We remain concerned, however, about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources. With cyber threats growing exponentially, we must prioritize addressing the HPH sector’s cybersecurity gaps.”

By comparison, the financial industry has traditionally been ahead of other sectors when it comes to having a robust cybersecurity system.

“Given that financial services rely on customer trust for its business and has long been highly regulated, the sector is more mature than many others in terms of cybersecurity and preparedness,” said Teresa Walsh, the global head of intelligence for the Financial Services Information Sharing and Analysis Center.

But the industry has also recently faced a wave of cyberattacks: In particular, the cryptocurrency sector has been a high-interest target this year as hackers found ways to steal millions of dollars in virtual currency.

Over the summer, two crypto firms said hackers stole more than $100 million worth of digital currency. The companies said at the time that they were partnering up with law enforcement to try to track down the hackers and retrieve the stolen funds.

The hacks also led the Treasury Department to impose sanctions in August against cryptocurrency mixer Tornado Cash for helping hackers launder more than $7 billion worth of virtual currency.

The agency said Tornado Cash allowed cyber groups, including North Korean-backed hackers, to use its platform to launder the proceeds of cybercrimes.

Amid such attacks, David Roque, senior vice president at USI Insurance Services, an insurance brokerage and consulting firm, said he’s seen “clients allocating higher funds for security.”

Roque added that financial services, particularly those in the crypto sector, are also looking to purchase cyber insurance to cover costs associated with data breaches and other types of cyberattacks.

“There’s been a heightened amount of interest from a lot of our clients when it comes to cyber liability,” Roque said, adding that many of his clients in the crypto sector were uninsured before onboarding at the firm.

Walsh said that more resources in the industry are also being invested in business continuity, disaster recovery and other resilience practices.

“As in many industries, the thinking has broadened from focusing primarily on cybersecurity and defense to include strategic focus on cyber resilience or ensuring continuity of operations even in the face of an attack,” Walsh said.

According to a 2020 Deloitte study, financial services spent about 10 percent of their annual IT budget on cybersecurity, with such spending amounting to about $2,700 per full-time employee.

Walsh added that like many other sectors, the financial industry is facing a cybersecurity talent shortage. She said one way to fix the talent gap is for companies to broaden the pool of candidates they consider. Instead of only focusing on specific backgrounds and the number of years of experience, she said employers should also look into more diverse candidates and promising entry-level applicants.

Along with the financial and health care industries, the energy sector has also faced rising cyber threats.

Last year, the Colonial Pipeline was hit by a disruptive ransomware attack forcing it to shut down operations for nearly a week. The incident caused gas shortages in several states as fuel prices spiked.

“This is a huge challenge worldwide,” said Suzanne Lemieux, director of operations security and emergency response at the American Petroleum Industry, referring to the rise of cyberattacks.

Lemieux added that the oil and gas industry has made significant investments to shore up its cyber defenses following the Colonial Pipeline attack.

Investments were also made in education as well as cross-training cyber workers so they can learn different skill sets, allowing them to be more flexible in the type of work they do.

Lemieux said cross-training also helps with retention, which is beneficial, especially in an industry that has a labor shortage of cyber workers.

“In this market today, if you’re not cyber secure you’re not going to be in the market for long,” Lemieux said.

Updated Sept. 6 at 9:17 p.m.
