FDA’s Cybersecurity and Infrastructure Operations Coordination Center (CIOCC) monitors, analyzes and investigates cybersecurity incidents against the agency. According to FDA Chief Information Officer (CIO) Vid Desai, the agency has recorded a 457% increase in cyber threats against the agency during the COVID-19 pandemic.
“I would hazard a bet that if we hadn’t stabilized the environment and addressed the issues we had, I don’t think we could have contemplated Operation Warp Speed in terms of the ability to do the work that we did, to get the vaccines out, to deal with the pandemic,” Desai said during an interview with Focus. He was joined by FDA’s Chief Information Security Officer (CISO) Craig Taylor.
“I doubt we could have sent our people home and the systems would have worked,” Desai added. “We couldn’t have been able to collaborate externally, we couldn’t have been able to collaborate internally.”
Launched in the early months of the COVID-19 pandemic, Operation Warp Speed brought public and private entities together to work closer and faster to develop drugs, vaccines and diagnostics for COVID-19.
Taylor told Focus that most of the threat activity included reconnaissance and scanning of FDA’s network environment, as well as spam and phishing attempts. He said they are akin to criminals driving around the neighborhood and looking for easy targets like an unlocked car or unoccupied home. His office recorded about 2 billion instances per month in the three years prior to the pandemic, but that number skyrocketed to more than 9 billion detected per month during the pandemic.
While it’s hard to pinpoint why there’s been an increase in such attacks, Taylor notes that it may be due to a combination of factors, such as more people working from home who need to access FDA’s systems, as well as the fact that the agency has broad regulatory authority and access to market-moving information that may be attractive to cybercriminals.
“Because of the sensitive information, trillions of dollars’ worth of intellectual property, intellectual property theft being up globally, FDA is a prime target for cybercrime and cyber espionage,” said Taylor, who noted that he is sensitive toward speaking about what he and his team do because he doesn’t want to attract any unwarranted attention from hackers who may be seeking a challenge.
Taylor previously served in naval intelligence before working under the Director of National Intelligence, and is one of the many people at CIOCC with specialized skills from their backgrounds at the Department of Defense (DoD) and within the US intelligence community.
The CIOCC is based in White Flint, just miles from the agency’s White Oak headquarters in Silver Spring, Maryland. There are other command and data centers that protect FDA’s assets, including a data center in Ashburn, VA, and one at FDA’s White Oak campus.
Taylor, Desai and other executives at CIOCC are extremely careful about keeping details of their operations close to the chest.
“We’re one hack away from a headline,” said Taylor. “What we try to do is keep our mission and business up front, and we don’t want to make headlines around security… We don’t want to talk about some of the things that we do know about that happens to us globally.”
“The nefarious community that we concern ourselves with is attracted by the challenge,” said Desai. “If we start advertising the work that we’re doing or promoting it too heavily, we invite ourselves to be a target.”
Desai noted that FDA-regulated products account for roughly 20 cents of every dollar spent in the US, meaning there would be serious consequences for global markets if hackers were able to cause any significant damage to the agency.
“The information we deal with is market-changing,” he said. “A lot of people would like to manipulate that… If our sponsors don’t trust us with their information, if the public doesn’t trust us, that’s a huge deal. That’s partly why this program is so fundamentally important to the mission.”
In January 2022, President Joe Biden issued an executive order requiring all federal departments and agencies to adopt what is known as a “Zero Trust” cybersecurity posture. Under a Zero Trust framework, actors, systems, networks and services are not trusted and must be authenticated and continuously verified to operate within the security perimeter.
Desai said that FDA started having internal discussions about moving to a Zero Trust model almost two years before Biden’s order.
Even more than the increasing number of cyber threats, Desai said the thing that really concerns him is the increasing degree of sophistication of such attacks. Desai pointed to the 2020 SolarWinds hack, in which suspected nation-state hackers were able to gain access to numerous networks and systems, as an example of the increasing sophistication exhibited by hackers.
“There’s been a lot of other similar types of activities, that is the more concerning issue,” said Desai. “You’ve got devices that if they’re manufactured in China, occasionally will connect back to China and that kind of stuff.”
“We have no choice as a nation but to adopt Zero Trust,” he added. “It’s the only way we’ve got a fighting chance of securing ourselves from these types of sophisticated issues that the nefarious guys are up to nowadays.”
As part of its modernization efforts, Taylor said that FDA’s capacity to host users on its systems ramped up from 25,000 users in 2019 to 40,000 users right before the pandemic began, which allowed the agency to support its staff and other entities in a remote environment.
“The good news is when we did go remote, we were able to do it instantly. We didn’t have to ramp up, it was seamless,” he said. “We didn’t know [the pandemic] was going to come but thank heavens that we had that in place. So, when it did happen, we didn’t have some of the challenges like many of the other agencies may have had.”
While trying to stay under the radar, Desai said he also wants to highlight CIOCC’s work because he’d like to recruit more cybersecurity professionals to his team. He noted that demand for such talent is high and he hopes that talking about FDA’s work in this area may raise interest.
“We’re actually not just competitive [salary-wise] … But we are better than competitive when it comes to culture and the type of teams that Craig has put together,” Desai said. “I’ve been in the technology business for over 35 years, and I call Craig the best CISO I have ever met in the public or private sector.”
“There are lots of CISOs out there that know their technology but it’s rare to find somebody that can lead a good team and build a team that people want to come work for,” he added.
Taylor was hired by FDA in 2012, while Desai was recruited to the agency by former FDA Principal Deputy Commissioner Amy Abernethy in 2019. In 2021, the agency’s Office of Digital Transformation was elevated to the agency level, with the CIO reporting directly to the FDA commissioner.
“I don’t think many businesses understood the strategic nature of IT or how reliant they were on IT until COVID happened and then all of a sudden the CIO was an important title,” said Desai. “Until then, I think people just took technology for granted. It was kind of like electrical power, you just expected it to work all the time.”
“In today’s world, businesses cannot function without IT. There’s no backup plan because we’ve become so dependent on technology,” he added. “When COVID started, if the technology didn’t work, if we weren’t able to get our people to work from home, things like Warp Speed and what we did for the vaccine development and therapeutic development just wouldn’t have been possible.”
Desai and Taylor note that FDA’s work in IT, data and cybersecurity modernization has led to a massive cultural shift at the agency. In 2014 and 2015, they said that FDA was more reactive about cybersecurity as it was constantly stopping attacks and addressing congressional audits. In recent years, the two said the agency has become more proactive about cybersecurity.
“The truth of the matter is we can be a lot more innovative now because we’re not putting out fires,” Taylor said.
As a result, they have seen the number of systems outages at the agency drop from the hundreds every year to only a handful in 2022, which means staff and their industry counterparts can go about their daily business uninterrupted.
“What I see happening right now is the volume of threats increasing, the sophistication of threats increasing, and it’s exponential,” Desai warned. “We’re going to need a continued source of support and investment from all sources to keep this up.”
Desai said that nefarious actors are not just going after FDA’s data but are also targeting its senior executives, who are facing an increasing number of personal attacks.
“They’re taking personal information about our executives who they don’t agree with because of something that they did, putting that information on social media for like-minded people,” said Desai. “Now we increasingly think about, how do we even keep folks secure in their homes?”
He added that while malicious hackers are often thought of as sophisticated actors, they don’t necessarily need to be backed by nation-states or even have specialized knowledge, given the ease with which someone can download hacking tools from the dark web.
“It’s making it easy for literally anybody with a grudge to cause issues for agencies like us,” said Desai. “We live in a very polarized society right now.”
Desai also said it’s not just about FDA but the entire regulatory ecosystem, which includes product developers and manufacturers who need to harden their cybersecurity abilities.
“Security is only as good as the weakest link,” said Desai. “We can be as secure as we want but if the sponsors are not secure, the supply chain is not secure, then healthcare is not secure.”
Strengthening cybersecurity requires a lot of change and funding, according to Desai, and part of his mission is to reach out to industry and impress on it the need to take the issue seriously.
Taylor said FDA is currently at an elevated cyber threat level due to increased phishing, social engineering, exploitation attempts and other nefarious activities that targeted private and government healthcare industries.
“We established our FDA Cybersecurity Emergency Action and Liaison (CEAL) Team, Counterintelligence Cyber RECON Hunt Team and FDA Zero Trust Cybersecurity Network Defense Initiative to advance a more secure, interoperable cyber environment,” he said. “Additionally, we have expanded network visibility and situational awareness by advancing our 24/7 cybersecurity and infrastructure monitoring capabilities and attack surface management.”