Target Rich, Cyber Poor: Strengthening Our Nation’s Critical Infrastructure Sectors
Our nation’s critical infrastructure—the services Americans rely on every day—is under continuous threat from nation-state cyber adversaries and cybercriminal organizations around the globe. This is underscored by the events seen over the last several years. We’ve witnessed increasingly frequent and complex attacks against small and medium-sized businesses, K-12 schools, water utilities and healthcare organizations, including hospitals, which were in the past considered “off-limits.”
Many small and medium-sized organizations think that they’re too small to be targeted by cyber criminals. This is simply not true. Small and medium-sized businesses have valuable information that cyber criminals seek and often have fewer resources dedicated to cybersecurity. To counter our adversaries, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been focused on supporting small businesses by sharing key cybersecurity and physical resources and tips, many of which can be found on CISA’s Small and Medium Businesses webpage, so small businesses can protect their networks, operations, data and employees.
According to CISA, small businesses aren’t our adversaries’ only focus—our nation’s critical infrastructure is a priority target as well. Despite efforts by sectors including Water and Wastewater Systems, the Education Services and Facilities Subsector (K-12 Community), and the Healthcare and Public Health (HPH) Sector to invest in additional resources for cybersecurity, they remain at elevated risk from adversaries who see them as highly profitable targets, generally “target-rich, cyber-poor.” Over the past two years, CISA has been working closely with industry partners in these sectors, along with their Sector Risk Management Agencies—the Environmental Protection Agency for water, the Department of Education for K-12, and the Department of Health and Human Services for hospitals—to help them understand the threats they face and increase their cyber defenses and resilience.
These partnership engagements include providing risk assessments and risk mitigation guidance; coordinating cross-sector mitigation planning; sharing information and tools to strengthen the security of critical infrastructure; and conducting exercises and simulations of cybersecurity and all-hazard incidents to build preparedness and resilience.