Sept. 16, 2025

Who Is in Charge of Cyber Incidence Response in the Homeland?

Kelly R. M. Ihme, Patrick O’Brien Boling, Michael Zimmerman, and Timothy G. McCormick
©2025 Michael Zimmerman

ABSTRACT: This article argues that the fragmented US cybersecurity framework—marked by the absence of a lead agency, insufficient whole-of-government coordination, and inconsistent private-sector compliance—undermines national resilience to cyber threats. Unlike existing literature that often focuses on technical vulnerabilities, this piece highlights systemic governance failures through detailed case studies of the SolarWinds, Colonial Pipeline, and Change Healthcare cyberattacks. The article identifies critical gaps in cyber incident response by drawing on incident reports, policy analysis, and expert commentary and offers actionable recommendations to strengthen national cybersecurity, making it especially relevant for policymakers and military practitioners concerned with protecting critical infrastructure.

Keywords: cyber defense, homeland security, homeland defense, authorities, cybersecurity, SolarWinds, Colonial Pipeline, Change Healthcare


Characterized by overlapping jurisdictions, policy gaps, and varied guideline adherence, the fragmented US cyber incident response led to the compromised handling of three of the most significant recent cyberattacks—the 2019–20 Russian Foreign Intelligence Service attack on the software company SolarWinds, the 2021 ransomware attack on fuel supplier Colonial Pipeline, and the 2024 Change Healthcare data breach. This complex cybersecurity landscape involves various governmental agencies and private industries holding an intricate web of responsibilities. As the technological sophistication and frequency of cyberattacks continue to increase, US leadership must proactively develop defense mechanisms and strategic responses that quickly address the evolving cyber threats.

Successful incident response relies on a lead agency construct that identifies which governmental organization will manage the actions of multiple agencies following a critical event (such as a hurricane or a hazardous chemical train derailment), including the planning, coordinating, collaborating, and monitoring phases. The lead agency can shift depending on the event, allowing the most qualified agency to lead coordination. For example, the Federal Emergency Management Agency (FEMA) leads in most disaster responses, the Transportation Security Administration (TSA) leads in physical pipeline security, and the Federal Bureau of Investigation (FBI) leads in federal criminal investigations. Since no agency for cyber incident response existed until 2023, previous cyber response efforts and post-incident research to prevent future attacks proved complicated.

The 2016 Presidential Policy Directive-41 (PPD-41) instituted “The National Cyber Incident Response Plan (NCIRP),” which apportions lead responsibilities among three principal agencies: the Department of Homeland Security (DHS), the FBI, and the Office of the Director for National Intelligence (ODNI). A DHS public forum about the plan notes, “No single federal agency possesses all the authorities, capabilities, and expertise to deal unilaterally with a significant cyber incident, so ‘The National Cyber Incident Response Plan’ breaks down cyber incident response into three roles: asset response, threat response, and intelligence support to both those activities.” The DHS leads for asset response (technical assistance), the FBI leads for threat response (law enforcement related to a cyber incident), and the ODNI leads for intelligence support (situational threat awareness). The Cybersecurity and Infrastructure Security Agency (CISA) also provides critical support for cyber incidents by distributing threat information, offering technical assistance, analyzing malicious capabilities, and facilitating information sharing.1

The directive guides the formation of Cyber Unified Coordination Groups (C-UCG) to serve as the primary coordinating method following a significant attack, defined as “a cyber incident . . . likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” The threshold of whether an attack qualifies as significant is meaningful because this designation requires the formation of a Cyber Unified Coordination Group. Two of the three case studies analyzed in this article did not meet this threshold despite the nationwide impact of the events, which significantly hampered coordination efforts.2

Existing Federal Cybersecurity Architecture

In 2004, the DHS spent $6 billion on a frontline defense cyber program called “EINSTEIN” to detect and prevent cyber intrusions and increase awareness. Created in 2016 and updated in subsequent years, “The National Cyber Incident Response Plan” determines lead federal agencies for cyber incidents. In major cyber incidents with potential national security implications, the Department of Homeland Security, via the National Cybersecurity and Communications Integration Center, manages asset response; the Department of Justice, through the FBI and the National Cyber Investigative Joint Task Force, leads threat response; and the Office of the Director for National Intelligence, through the Cyber Threat Intelligence Integration Center, heads intelligence support. Additionally, PPD-41 elevated concern for cybersecurity to the National Security Council’s (NSC) level by creating a Cyber Unified Coordination Group, when indicated, to promote unity of effort while not interfering with federal agencies’ authorities or leadership, oversight, or command responsibilities.3

The Federal Information Security Management Act of 2002 (FISMA) created a framework for agencies to develop and implement programs for information security, but the act had no enforcement authority. A 2014 Federal Information Security Management Act directed and streamlined the reporting of breaches and redefined roles, including the requirement for all federal agencies to report a cyber incident to Congress within seven days.4

The National Institute of Standards and Technology (NIST) is responsible for national cybersecurity standards, providing guidance and best practices. In 2014, the institute published voluntary guidelines to reduce cybersecurity risks within critical infrastructure and regularly provided multiple updates to these guidelines. By statute, federal agencies must comply with NIST standards. The government, however, does not monitor software lifecycle management (updates to software once deployed) or provide clear standards for managing federal software suites.5

Our analysis of three recent cyberattacks and their incident responses uncovered multiple weaknesses in US cyber incident response, including:

  • Inadequate implementation of cybersecurity frameworks: failure to fully, effectively, or comprehensively put into practice the guidelines, controls, standards, and best practices outlined by cybersecurity authorities (such as NIST and CISA).
  • Inadequate cyber hygiene enforcement: failure to ensure that organizational members understand and consistently adhere to established basic cybersecurity practices and policies effectively—such as using multifactor authentication, protecting access cards, or using strong passwords.
  • Overbroad access controls: security policies, configurations, or practices that grant users, applications, or systems permissions to access data, networks, or functionalities exceeding the minimum necessary access required for their legitimate tasks or operational functions—such as default administrative rights to standard users.
  • Ineffective incident response and recovery plans in private industry: plans that lack the necessary prevention strategies, testing, resources, or scope to respond to and minimize operational disruption, financial losses, and reputational damage while ensuring compliance with US legal and regulatory requirements.

Additionally, the Department of War (DoW) was not a listed agency to assist or respond to these cyberattacks, despite having responsibility for homeland defense, extensive resources to assist in homeland security, and authorities to assist based in US Code Title 32 for defense support to civil authorities (DSCA).6

In recent years, US businesses, infrastructure, and national security have sustained significant economic costs and damages to their reputations because of major cyberattacks on governmental systems, industrial control systems (ICS), health care, telecommunications, and private industry. The compromise and loss of personal private data from US citizens in cyberattacks has become a national security concern. Yet, the United States lacks a whole-of-government approach to incident response. Additionally, major holes remain in cyber hygiene enforcement, enabling threat actors to access America’s most vulnerable systems. This article’s review of the SolarWinds, Colonial Pipeline, and Change Healthcare cyberattacks demonstrates how misaligned efforts led to inefficiencies that hindered, and continue to hinder, the nation’s ability to respond swiftly and effectively to cyber incidents.

SolarWinds

In 2020 and into 2021, Russian cyber actors infiltrated the network management company SolarWinds. The espionage operation targeted US government agencies and private companies via SolarWinds software using malware distributed to customers through routine software updates. Perhaps the most concerning element of the SolarWinds attack, though, was the large amount of time between intrusion and detection—roughly nine months—despite billions of dollars allocated to cybersecurity (the EINSTEIN program) and multiple agencies and positions created to monitor, detect, and respond to cyber threats. This attack compromised communication, national defense data, sensitive information, and supply chain trust in what many experts consider the most sophisticated and impactful cyberattack against the United States.7

SolarWinds, an American company, develops and manages business software, networks, and information technology infrastructure, known as software as a service (SaaS). It services 33,000 international companies and US governmental entities. The US-based division handles supply chain management software, application monitoring, network configuration, and other IT-related activities. The company developed its Orion production software to pass customers routine network patches and updates. Orion software maintains total visibility of companies’ networks, providing high-level access privileges within those companies. Approximately 18,000 SolarWinds customers used Orion software, including the Department of State (DOS), the Department of Homeland Security, the National Institutes of Health, parts of the Pentagon, the Department of Energy (DOE)—including the National Nuclear Security Administration—and other high-profile private organizations.8

Attack Timeline

As figure 1 demonstrates, the initial infiltration occurred as early as August 6, 2019, when Russian intelligence group APT29 (Cozy Bear) inserted malicious code into SolarWinds’ Orion software updates. FireEye and Microsoft discovered the malware in November 2020 when both companies noticed unusual network activity due to the compromised SolarWinds software. FireEye notified SolarWinds of the intrusion in early December. For nine months, the attackers operated a sophisticated espionage campaign undetected. Cozy Bear/APT29’s ability to access and exploit the Orion software derived from three main areas: a failure by SolarWinds to secure remote access set-up, a lack of resilience in backend software, and an unnecessary level of access and privileges to SolarWinds and vendor data. These problems remained even after the SolarWinds CEO highlighted the Orion software as “very concerning,” and a September 2020 internal document concluded, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”9

The substantial economic impact of the attack resulted in recovery costs for SolarWinds estimated at $40 million in the first nine months after the attack was detected and publicized. Major reputational damage also occurred. The day before public notification of the attack, SolarWinds was valued at $7.8 billion. The day after the CISA report on the attack, the company’s worth plummeted to $4.4 billion and has hovered under $2.6 billion since October 2021. The broader costs to the US government and society, including remediation and enhanced security measures, were approximately $90 million from insurance filings.10

[Figure 1. Timeline of SolarWinds attack]
(Source: “SolarStorm Supply Chain Attack Timeline,” Unit 42, December 23, 2020, https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/.)

The Federal Response

On December 13, 2020, CISA issued Mitigate SolarWinds Orion Code Compromise, Emergency Directive 21-01, detailing federal mitigation requirements. The next day, SolarWinds reported the attack to the Securities and Exchange Commission. On December 16, the National Security Council deemed the attack “significant,” triggering the formation of a Cyber Unified Coordination Group to coordinate the government-wide response with members from the Cybersecurity and Infrastructure Security Agency, the FBI, the Office of the Director for National Intelligence, and the National Security Agency (NSA). The government did not identify a lead federal agency to coordinate the operational response, as there was no appointed cybersecurity adviser at that time. Multiple third-party nongovernmental agencies, including CrowdStrike, FireEye, and Microsoft, were involved in mitigating, removing, and hardening various systems.11

By mid-December, CISA reported that all compromised federal systems were disconnected or disabled, and it released an “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations Alert (AA20-352A).” The NSA issued a cybersecurity advisory to guide agencies regarding detection and defense against intrusions. Microsoft released an analysis of the breach while the C-UCG members briefed Congress about the incident. Over the rest of December, CrowdStrike, Microsoft, and CISA released additional tools to detect malicious activity and identify risks.

Coordination Effects and Prolonged Response

On January 5, 2021, the C-UCG assessed that a Russian threat actor launched the attack from inside the United States, which stymied the NSA’s ability to collect intelligence because of prohibitions regarding surveilling on US soil. The incoming Biden-Harris administration appointed Anne Neuberger as deputy national security advisor for cyber and emerging technology (DNSA-CET) (a new position the NSC created in the fiscal year 2021 National Defense Authorization Act [NDAA]) and, in mid-February, designated her as the lead federal agent for the response.12

By February 2021, the C-UCG confirmed Russian involvement and that nine federal agencies were compromised. Simultaneously, multiple private companies reported attempted intrusions and worked to mitigate the impact on their systems. Over the next few months, Congress held hearings about the incident, and CISA assisted agencies with forensics. On April 15, 2021, the White House issued Executive Order 14024, confirming that Russia was responsible and effecting sanctions on the Russian government. The C-UCG led the response for three months to support initial surge efforts; the NSC deactivated it on April 19, 2021.13

SolarWinds Discussion

In December 2020, while the SolarWinds attack was ongoing but not yet detected or reported, a Government Accountability Office (GAO) report about supply chain risks revealed that none of the 23 agencies surveyed had implemented the foundational supply chain risk management practices dictated by NIST in 2015 to assess their IT supply chains. More than half had not implemented any supply chain risk management practices, citing a “lack of federal SCRM guidance.” This lack of adherence to known cyber standards was, perhaps, indicative of the government’s readiness (or lack thereof) to prevent or respond to an attack like SolarWinds.14

During the SolarWinds attack, the breach went undetected for months, allowing a nation-state adversary an espionage advantage not seen since the Cold War. In accordance with PPD-41, CISA led the asset response by providing technical assistance and issuing guidelines, and the FBI led the threat response to identify victims, other targets, and the threat actor. Nonetheless, once the C-UCG disbanded, no federal entity continued to coordinate the response and ensure compliance with mandatory statutes for cybersecurity. The absence of a coordinating agency stymied mitigation efforts, enabling continued cyber vulnerabilities in the national defense architecture for months after detection. Since this breach was considered an act of espionage and not an act of war, the DoW remained uninvolved in the response.15

One month after the C-UCG disbanded, most federal agencies had not conducted the FISMA-mandated reporting of SolarWinds impacts, which further delayed response and mitigation efforts. While the fiscal year 2021 NDAA created the Office of the National Cyber Director (ONCD) to advise the president about cybersecurity policy and strategy, the position was vacant until mid-2021. Therefore, the ONCD was not involved in the response to SolarWinds, leaving the government without the cyber expertise to ensure a coordinated response.16

State and local government agencies impacted by the attack reportedly had limited or no access to federal response assets, and there were no grants or established federal funding for cyber response at the time. While the National Guard maintains the expertise, training, and authorities to respond to cyberattacks, the NSC did not enlist the National Guard Bureau to respond. This failure likely stemmed from a lack of knowledge of the capabilities of or the process for engaging National Guard entities. Interestingly, during SolarWinds, National Guard units from the northeastern states were conducting their annual Cyber Yankee exercise with the FBI and CISA to test responses to and coordination during a critical infrastructure cyberattack.17

In April of 2021, FireEye CEO Kevin Mandia relayed to National Public Radio his concerns for American cybersecurity following the SolarWinds attack and his views on other potentially vulnerable systems. He prophetically stated, “I think utilities might be on that list. I think healthcare might be on that list.” This prediction was fulfilled within weeks with the Colonial Pipeline attack and multiple ransomware attacks against health-care agencies, culminating in a major attack against Change Healthcare.18

Colonial Pipeline

In May 2021, one month after disbanding the C-UCG for SolarWinds, the cybercriminal hacking group DarkSide orchestrated a ransomware attack on Colonial Pipeline, which operates the largest fuel pipeline in the United States, stretching from Houston, Texas, to New York City. DarkSide, believed to be a Russian-based group, uses ransomware attacks to extort money from companies, particularly those in health care, education, or government. The Colonial Pipeline attack remains the most significant critical infrastructure cyberattack in US history, underscoring the vulnerability of the nation’s critical fuel infrastructure.19

Table 1. Timeline of Colonial Pipeline attack
(Source: Namita Madhira et al., “Code Red: A Nuclear Nightmare-Navigating Ransomware Response at an Eastern European Power Plant,” Journal of Information Technology Teaching Cases 14, no. 1 (February 2023): 108–18, https://journals.sagepub.com/doi/10.1177/20438869231155934.)

May 6, 2021
  • A hacker group identified as DarkSide gains access to the Colonial Pipeline network.
  • DarkSide steals 100 gigabytes of data within a two-hour window.

May 7, 2021
  • DarkSide infects the Colonial Pipeline network with malware, encrypting several computer systems, including those in billing and accounting.*
  • A Colonial Pipeline worker discovers a ransom note inside the company’s IT system.
  • Attackers demand a ransom of 75 Bitcoin (approximately $4.4 million on May 7, 2021).
  • After becoming aware of the breach, Colonial Pipeline calls security firm Mandiant to investigate and respond to the attack.
  • Law enforcement and federal government authorities are notified of the attack.
  • The pipeline is taken offline to reduce the risk of exposure to the operational network.**
  • Colonial Pipeline pays the 75 Bitcoin ransom to the attackers in return for the decryption key.

May 8, 2021
  • Colonial Pipeline, along with several US companies and US government organizations (including the White House, the FBI, the CISA, and the NSA), shuts down key systems and servers operated by the hackers.
  • Colonial Pipeline issues a statement about being a victim of the cyberattack and the response measures taken.

May 9, 2021
  • President Joe Biden declares an emergency.
  • Colonial Pipeline states it is working to restore the pipeline by the end of the week.***

May 12, 2021
  • The pipeline is restarted and normal operations resume.

June 7, 2021
  • The FBI works with international agencies to trace DarkSide’s account.
  • The FBI acquires DarkSide’s encryption keys used to compromise the FBI account and recovers funds.****

June 8, 2021
  • Congress holds a hearing about the Colonial Pipeline attack.

* Joe Panettieri, “Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details,” MSSP Alert, May 9, 2022, https://www.msspalert.com/news/colonial-pipeline-investigation.

** Sean Michael Kerner, “Colonial Pipeline Hack Explained: Everything You Need to Know,” TechTarget, April 26, 2022, https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know.

*** Nathan Bomey and Dierdre Shesgreen, “Colonial Pipeline Looking to ‘Substantially’ Restore Operations by End of Week,” USA Today, May 10, 2021, https://www.usatoday.com/story/money/2021/05/10/gas-prices-colonial-pipeline-ransomware-attack-cyberattack/5019214001/.

**** “Colonial Pipeline – Timeline of Events,” nGuard, May 27, 2021, https://nguard.com/colonial-pipeline-timeline-of-events/.

Attack Timeline

As table 1 shows, on May 6, 2021, Colonial Pipeline’s IT team discovered unusual activity on its network and identified it as ransomware that stole 100 gigabytes of data within hours. A threat actor, later identified as DarkSide, used a phishing campaign to obtain the credentials needed to infiltrate the system and then gained access to Colonial Pipeline’s network through a compromised virtual private network account that lacked multifactor authentication (MFA). DarkSide quickly stole and encrypted large amounts of data, used encryption that resisted breaking, and exfiltrated sensitive data with a plan to release it publicly if the ransom went unpaid. The double extortion method DarkSide used left Colonial Pipeline’s data nearly impossible to decrypt—without the specific key provided by DarkSide—and at risk of distribution.20

The attack and response disrupted the transportation of gasoline, diesel, and jet fuel from Texas to the eastern United States along approximately 5,500 miles of pipeline, causing panic buying and fuel price hikes along the eastern seaboard. Within a day of detecting the intrusion, Colonial Pipeline hired Mandiant to assist with response and recovery efforts. Colonial Pipeline notified the federal government and law enforcement agencies, which responded to the incident and took the Colonial Pipeline network offline to contain the threat. Colonial Pipeline also paid $4.4 million in ransom to obtain the decryption key, against CISA recommendations; although the key was not fully effective, the company resumed pipeline operations on May 12, 2021.21

Federal Response

Normally, the Department of Homeland Security serves as the lead federal agency for securing critical infrastructure from physical and cyber threats, with the Transportation Security Administration as the co-lead sector risk management agency for pipelines along with the Department of Transportation. The TSA gained responsibility for pipeline safety upon the organization’s creation in 2001. Nevertheless, this responsibility was, and is, primarily for the physical security of pipeline infrastructure, not the computer systems and business software used by private companies. Under the Cybersecurity and Infrastructure Security Agency Act of 2018, responsibility for pipeline cybersecurity falls under CISA, as one of many tasks to protect US critical infrastructure from physical and cyber threats.22

Despite the PPD-41 guidelines and congressionally delegated authorities, the Department of Energy served as the lead agency for the Colonial Pipeline response. It is unclear why the White House chose to assign lead agency status to the Department of Energy; however, it is likely due to the administration’s assessment that Colonial Pipeline was addressing the cyber asset response via a third party, Mandiant. This assessment allowed the White House to prioritize fuel transportation, under the Department of Energy’s purview, to alleviate the economic impact on Americans’ livelihoods. At the House of Representatives hearing regarding this unexpected choice, multiple congressional members voiced concern about the DOE’s designation as the lead agency, noting that the DHS, specifically the TSA, already contained the authorities and oversight to lead the federal intervention. There were no DOE representatives at that hearing, leaving their role and capability to lead a cyber response in question. The agencies present, the CISA and the TSA, testified to their agencies’ specific responses and recognized gaps in response. Ultimately, the lead agency question remained unanswered.23

Coordination Efforts

The Cybersecurity and Infrastructure Security Agency attempted to lead the intrusion response, but since Colonial Pipeline hired Mandiant to perform that function, Colonial Pipeline declined CISA’s technical assistance. As a private company, Colonial Pipeline maintained the right to address the issue without assistance from the federal government. Its choice was likely due to a failure to comply with the Transportation Security Administration, the National Institute of Standards and Technology, and the Federal Information Security Management Act cybersecurity requirements and a desire to protect proprietary information. Absent a cooperative environment, CISA still updated its threat resources, warnings, alerts, and best practices for distribution and continued to offer assistance.24

The FBI led the threat response and initiated an investigation into the attack, discovering DarkSide was likely the perpetrator by June 2021, but intelligence agencies remained uninvolved due to prohibitions on surveilling US companies. On May 12, 2021, the Biden-Harris administration announced measures to protect critical infrastructure from future cyberattacks, particularly “Improving the Nation’s Cybersecurity,” Executive Order (EO) 14028, including directives to enhance federal network security, improve information sharing between the government and the private sector, and establish a Cyber Safety Review Board to analyze significant cyber incidents and make recommendations for future defenses. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 created the Joint Ransomware Task Force to coordinate ransomware response efforts.25

Colonial Pipeline Discussion

The Colonial Pipeline attack underscored the economic and national security risks posed by a cyberattack on physical critical infrastructure, particularly with a nongovernmental business that refused to comply with inspections before the attack or to allow governmental coordination after the attack. Before the attack, Colonial Pipeline administrators did not engage in the TSA’s voluntary process for cybersecurity assessment, self-assessment, training, and education, with multiple rescheduled inspections; only afterward did the company agree to a virtual cybersecurity assessment from the TSA. Following the attack, the TSA issued new cybersecurity directives for pipeline operators to enhance the security of critical energy infrastructure. Cooperation with security assessments and inspections, however, remains voluntary for private businesses, which own 85 percent of critical infrastructure.26

The DoW lacked the authority to intervene with a private business, though conversations about “act of war” cyber activities appeared on various media platforms following the attack. Furthermore, FISMA and NIST adherence and enforcement gaps noted during the SolarWinds response remained the same for the Colonial Pipeline attack, but additional government actions complicated the response.27

While the SolarWinds incident reached “significant” status, the Colonial Pipeline attack did not receive this designation, preventing a C-UCG from forming to coordinate a federal response. Likely due to the lack of expert oversight, the White House seemingly deviated from its directives regarding cyber responses and deferred to private actors. By designating the DOE as lead, the White House seemingly prioritized ameliorating the effects of the attack (disruption of gas service) instead of addressing its cause (the ransomware attack). As with SolarWinds, the CISA and the FBI fulfilled their roles with little coordination from Colonial Pipeline to allow analysis or vulnerability detection to prevent future attacks.

Similar to SolarWinds, the Office of the National Cyber Director position remained vacant at the time of the Colonial Pipeline attack and needed a budget to hire staff. The House introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (CIRCIA) in September 2021, which created the Cyber Incident Reporting Council to increase awareness and information sharing across federal agencies and the private sector. Unfortunately, the council’s first meeting did not occur until July 2022, well after the incident response to Colonial Pipeline. Thus, the agency responsible for coordinating policy and advice for cyberattacks was neither staffed nor funded at the time of the Colonial Pipeline attack. A 2022 update to CIRCIA required additional cyber incident reporting from private businesses, leading the Securities and Exchange Commission (SEC) to propose updated guidelines for all companies subject to the Securities Exchange Act of 1934. Due to the procedural processes necessary to implement and mandate those guidelines, the SEC did not establish rules and enforce compliance until December 2023.28

In 2022, Trellix, a cybersecurity monitoring and reporting company, released its annual cyber readiness report, which highlighted dangerous apathy in more than 60 percent of critical infrastructure and health-care organizations regarding the implementation of cybersecurity standards and foundational protection measures and inconsistency in responding to cyber incidents. More recent reports identified increasing sophistication in cybercriminal activity involving ransomware, artificial intelligence “script kiddies,” and overall tactical changes from threat actors, with an estimated global business cost of $4.88 million per cyber breach, a 10 percent increase from 2023. As noted in figure 2, the four most targeted areas were industry, consumer services, technology, and health care.29

[Figure 2. Cost of a data breach by industry]
(Source: Cost of a Data Breach Report 2024, IBM, n.d., accessed March 10, 2025, https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700081200149775&p5=p&p9=58700008820615591&gclid=ed217d200f2b15a05b251af1b100c1e9&gclsrc=3p.ds&.)

Change Healthcare

UnitedHealthcare is the largest health insurance company in the United States, and Change Healthcare, a subsidiary of UnitedHealthcare (UnitedHealth Group), is its clearinghouse for medical claims. Health-care clearinghouses enable the transfer of protected health information between health-care providers and payers (insurance companies). Change Healthcare has access to a third of US protected health information and 90 percent of pharmacy systems. BlackCat/ALPHV is a Russian cybercriminal group that targets health-care, manufacturing, and professional organizations and that attacked Change Healthcare as part of a retaliatory strike against American cyber defense agencies.30

Attack Timeline

On February 12, 2024, BlackCat/ALPHV deployed ransomware onto Change Healthcare’s network. BlackCat used compromised credentials to access an old Citrix portal (used for remote desktop access) that was not protected by multifactor authentication (MFA). Once inside, the threat actor performed lateral movement (moving from one system to connected systems) to avoid detection and escalated its privileges within the network. BlackCat/ALPHV then exfiltrated sensitive data before deploying ransomware in the same double-extortion pattern as the Colonial Pipeline attack; the ransomware encrypted crucial system files and rendered them inaccessible without a decryption key.31

Detection and Impact

On February 21, 2024, the company detected network outages and then the underlying compromise. The attack prevented billing, prescription filling, and insurance claim validation across the United States. The same day, the company disabled the impacted systems, contacted the FBI, and enlisted technical assistance from multiple third-party nongovernmental companies, including Google, Palo Alto, Mandiant, and Microsoft. On February 23, UnitedHealth Group filed a report with the SEC about the attack, in compliance with the new CIRCIA requirements enacted the previous December. Three days later, Change Healthcare confirmed that the suspected threat actor was BlackCat.32

BlackCat took credit for the attack and revealed that it had stolen six terabytes of data, including personally identifiable information and protected health information, from large insurance providers, including Medicare, TRICARE (DoW insurance), MetLife, and others. Despite Change Healthcare’s published workarounds, the halt in payments and in the processing of medical orders, prescriptions, and insurance approvals prevented and delayed health care for weeks, causing financial distress for physicians and health-care entities. It also prevented patients from receiving prescriptions and postponed surgical and medical procedures.33

Company Response

In early March, the situation remained unresolved, and hospital systems lost an estimated $100 million daily due to the interruptions. UnitedHealthcare accelerated more than $14 billion in claims payments and offered no-interest loans to affected providers to mitigate these impacts. This temporary provider funding proved inadequate. On March 3, 2024, BlackCat received a payment of $22 million that UnitedHealthcare did not confirm paying until May. Within a month of the initial attack, the prescription processing systems mostly returned to service, cyber professionals restored the electronic payment platform, and UnitedHealthcare suspended the need for insurance prior authorization for most outpatient services.34

By the end of March, the situation remained stagnant, with an estimated $6.3 billion in delayed payments to medical providers causing extreme financial burdens to hospital systems, patients, and physicians. Additionally, Change Healthcare could not confirm the status of protected patient information, nor had it filed a required report with the Department of Health and Human Services (HHS) about a potential Health Insurance Portability and Accountability Act (HIPAA) breach.35

In mid-April, a second ransomware group, RansomHub, claimed possession of the Change Healthcare data, posted snippets of data on the dark web, and demanded a ransom. UnitedHealth Group still had not formally notified HHS of the initial cyberattack or the status of protected health information (PHI) stolen from the Change Healthcare systems. By June 2024, UnitedHealth Group services were “near normal,” yet consequences continued nationwide. Additionally, the status of personally identifiable information and PHI held by RansomHub remained unknown, and UnitedHealth Group’s actions to secure that data and notify impacted Americans remained in flux as multiple agencies awaited legal opinions on which organization was responsible for notification.36

Federal Response

On February 23, 2024, the day after Change Healthcare discovered the attack, the American Health Association (AHA) advised all entities relying on Change Healthcare to disconnect their systems to mitigate the damage. The AHA also contacted HHS, the FBI, and the CISA regarding the attack. On February 27, 2024, HHS issued a joint advisory with the CISA and the FBI to alert health-care organizations about future BlackCat/ALPHV attack risks.37

On March 10, the AHA petitioned HHS to protect physicians, provide more support to switch clearinghouse systems, and apply for automatic hardship exemptions. The Office for Civil Rights (OCR) opened an investigation into the Change Healthcare incident and offered resources for HIPAA protections the same day. The OCR is the administrative and enforcement arm of the Health Insurance Portability and Accountability Act of 1996 within HHS, empowering it to determine if attackers breached protected patient data and whether Change Healthcare complied with the HIPAA rules, including mandatory notification within 60 days of a breach.38

In mid-March, the Centers for Medicare and Medicaid Services issued payment guidance to the states regarding impacted Medicaid providers and opened a financial relief application. By March 19, “a bipartisan group of nearly 100 federal lawmakers urged HHS to use its full authority to ensure payments [were] being made to hospitals, physicians and Medicare Advantage plans, along with state Medicaid program,” and to address patients’ continued inability to access medications. A March 25 letter from Maryland Representative Jamie Raskin to UnitedHealthcare lamented that the company’s lack of transparency impeded government efforts, particularly those of the CISA. In additional federal action, the DOS offered a $10 million reward for information about BlackCat/ALPHV actors.39

Change Healthcare Discussion

The recent attacks on Change Healthcare exposed vulnerabilities in private-industry cybersecurity protocols, from hiring underqualified personnel to failing to comply with government protocols for minimal cybersecurity. Ultimately, Change Healthcare’s failure to comply with cybersecurity protocols resulted in the theft and dark web exploitation of patient data and the disruption of health-care operations, including those of military members in the TRICARE health system. All three attacks highlight the need for private businesses to adopt comprehensive and proactive cybersecurity measures.

In late April 2024, the Congressional Research Group verified that the CISA likely did not have the necessary information to declare the attack a significant incident, which would have allowed the Office of the National Cyber Director to coordinate an interagency response. As with Colonial Pipeline, the Change Healthcare breach did not warrant “significant” status. Neither the closure of a major pipeline nor the cost to US health care and the breach of millions of citizens’ protected information warranted this critical distinction. Multiple GAO reports since 2022 have identified protecting critical infrastructure and protecting privacy/sensitive data as two of four pillars in US cybersecurity, with 51 percent and 45 percent, respectively, of recommendations still unimplemented.40

Neither the Department of Health and Human Services nor the American Health Association is a PPD-41–identified agency responsible for or with the authority to manage or lead a cyber-incident response. UnitedHealthcare resisted efforts at transparency, which delayed response. Despite these challenges, HHS coordinated with the FBI and the CISA for their PPD-41 assigned roles. Intelligence agencies, once again, could not assist due to intelligence oversight rules. The DoW did not respond due to the civilian targets and the criminal nature of the attack.

In May 2024, UnitedHealthcare CEO Andrew Witty sat before Congress to address his leadership failures that resulted in the company hiring an unqualified chief information systems officer and maintaining systems too old to support multifactor authentication protections. Senators Maggie Hassan and Marsha Blackburn demanded that the SEC hold company executives accountable for preventable cybersecurity attacks. As of December 2024, congressional leaders continue to investigate the attack. Meanwhile, Change Healthcare has issued notifications of data compromise to an estimated 190 million patients, while fourth-quarter earnings show this attack cost UnitedHealthcare $2.3 billion.41

Recommendations

The fragmented approach to federal cyber incident response exacerbates risks to national security. Unclear authorities, policy gaps, and inconsistent adherence to federal guidelines create exploitable weaknesses that cyber criminals and nation-states continue to target. The frustration from lawmakers is understandable: A federal policy dictating response options and a lead agency for cyberattacks already exists, yet the responses to each of these attacks appear ad hoc, driven by the effects of the attacks rather than their causes. The language of PPD-41 is clear yet vague, creating many of the issues noted in these three cyberattacks. Particularly problematic is the statement “Whichever Federal agency first becomes aware of a cyber incident will rapidly notify other relevant Federal agencies in order to facilitate a unified Federal response.” In all three instances, the impacted companies were the first to become aware, and each then disclosed the information differently. Once a federal agency did become involved, there was no clear guidance on who should lead. The Department of Homeland Security was not given lead status for any of these events despite having the most authorities for critical infrastructure incident response. The requirement for labeling an event as “significant” seemingly precluded the stand-up of a C-UCG to lead the response for Colonial Pipeline and Change Healthcare. Ultimately, the cascading effects of delayed government action after the SolarWinds attack set the conditions for increasing attack success and continued ineffective and disjointed responses.42

To address the challenges highlighted in these case studies, the US government must take a threefold approach. First, the United States should implement a unified whole-of-government strategy that includes all agencies capable of assisting, particularly the DoW. Federal responses should consistently utilize established frameworks and the unified cyber response structures delineated in PPD-41, FISMA, and NIST guidance. That guidance dictates information sharing, cybersecurity reporting, and roles across federal agencies like the CISA, the FBI, and the DHS. Regular updates to cybersecurity policies, frameworks, and protocols, led by the CISA and aligned with international standards and best practices, can ensure government systems remain resilient against evolving cyber threats. Conducting regular interagency training exercises among the cyber response agencies, such as the National Guard’s Cyber Yankee exercise, can simulate real-world cyber responses, enhance interagency coordination and communication, and promote a culture of collaboration across all levels of government that removes silos and fosters transparency. Finally, by leveraging DoW entities under Title 32 and defense support to civil authorities, the National Guard can assist state and federal governments in cyber protection, detection, and red teaming.

Second, the United States should establish a consistent lead agency for cyber incident response to bolster national cybersecurity resilience and ensure the coordinated management of cyber threats. By designating a lead agency, the government can better consolidate expertise and resources and more effectively manage responses across sectors. To enhance overall preparedness, the lead agency would oversee the development and maintenance of National Cyber Incident Response Plans (NCIRP) for private and government entities that set clear protocols for detecting, reporting, and mitigating cyber threats. Additionally, the designation and stand-up of a lead agency should not depend on significance or on who finds out first. A lead agency will ensure the proper oversight and handoff of responses when multiple agencies are not necessary.

Finally, critical government and commercial sectors require urgent attention. Leadership must improve the security of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks through regular audits, risk assessments, and the deployment of advanced security measures. It must also strengthen cybersecurity standards and employ a robust framework (like the NIST cybersecurity framework) for private industries, particularly those contracting with the federal government. The government must ensure compliance with these frameworks, enforce penalties for noncompliance, and implement Zero Trust Architecture, operating on the principle that no entity, internal or external, deserves automatic trust or system access. This approach would have mitigated vulnerabilities in recent attacks where attackers exploited compromised accounts lacking MFA.43
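The two conditions that recur in the Change Healthcare timeline above (a successful login to an old remote-access portal that had no MFA) and in this Zero Trust recommendation (no automatic trust for any entity, internal or external) are both checkable in authentication logs. The following is an added example, not code from the article or from any of the companies it discusses, that runs a deny-by-default MFA rule over a few constructed gateway log lines: it flags every successful login that carried no MFA step, and separately lists portals on which MFA has never been recorded at all, which is how a forgotten legacy portal shows up in an inventory. The key=value log format, the portal names (vpn-gw, legacy-citrix), the user names and the addresses are all constructed for the example; real gateways, Citrix included, log in their own formats, so parse_event is the function to adapt.

```python
"""Audit remote-access authentication logs for two conditions: successful
logins without MFA, and portals on which MFA is never enforced.
Example code added to this article; the log format is constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthEvent:
    user: str
    portal: str
    source: str
    mfa: bool
    outcome: str  # "success" or "failure"


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed key=value line such as
    'user=alice portal=vpn-gw src=198.51.100.4 mfa=yes outcome=success'.
    Real gateways log in their own formats; adapt this function to yours."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed field {token!r} in {line!r}")
        fields[key] = value
    try:
        return AuthEvent(
            user=fields["user"],
            portal=fields["portal"],
            source=fields.get("src", "?"),
            mfa=fields["mfa"].lower() == "yes",
            outcome=fields["outcome"].lower(),
        )
    except KeyError as exc:
        raise ValueError(f"missing field {exc} in {line!r}") from None


def logins_without_mfa(lines):
    """Deny-by-default rule: every successful login must carry an MFA step,
    whatever the portal. Returns (user, portal, source) per violation."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.outcome == "success" and not ev.mfa:
            hits.append((ev.user, ev.portal, ev.source))
    return hits


def portals_never_enforcing_mfa(lines):
    """Inventory check: a portal that has successful logins but has never
    recorded an MFA step is one on which MFA is not enforced at all (the
    'old portal' pattern). Returns a sorted list of portal names."""
    successes = defaultdict(int)
    with_mfa = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev.outcome == "success":
            successes[ev.portal] += 1
            if ev.mfa:
                with_mfa[ev.portal] += 1
    return sorted(p for p in successes if with_mfa[p] == 0)


# Constructed sample log lines (RFC 5737 documentation addresses); not real data.
SAMPLE_LOG = [
    "user=alice portal=vpn-gw src=198.51.100.4 mfa=yes outcome=success",
    "user=svc-backup portal=legacy-citrix src=203.0.113.7 mfa=no outcome=success",
    "user=bob portal=legacy-citrix src=203.0.113.9 mfa=no outcome=failure",
    "user=carol portal=vpn-gw src=198.51.100.8 mfa=no outcome=success",
    "user=dave portal=legacy-citrix src=203.0.113.12 mfa=no outcome=success",
]

if __name__ == "__main__":
    for user, portal, src in logins_without_mfa(SAMPLE_LOG):
        print(f"ALERT: {user} logged in to {portal} from {src} without MFA")
    for portal in portals_never_enforcing_mfa(SAMPLE_LOG):
        print(f"REVIEW: MFA is never enforced on portal {portal}")
```

Run as a script, it prints one ALERT line for each MFA-less success (including carol on the current gateway, where MFA exists but was not applied) and a REVIEW line for legacy-citrix, where no login has ever carried MFA. The first rule is the per-login control a Zero Trust policy demands; the second is the asset-inventory control that surfaces a portal nobody remembered to retire. In practice both would run as scheduled queries against the gateway's real log source, with REVIEW output feeding the inventory rather than on-call paging.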

Additionally, mechanisms discouraging private businesses from paying ransoms in ransomware attacks, per the CISA and the FBI recommendations, would act as a deterrent. The relevant agencies can begin by reminding businesses that paying a ransom does not guarantee the attacker will return the stolen data, as two of the case studies demonstrate. Numerous state and federal legislation proposals seek to limit or prevent companies from paying ransoms, yet no consistent existing research shows this approach will lessen attacks.

While the United States has considerably improved its cyber defense and response capabilities, the areas noted in this article require focused attention (see table 2 for summary). By addressing these gaps through our recommendations, the United States can significantly strengthen the country’s cybersecurity posture and better protect its critical infrastructure and systems from the growing spectrum of cyber threats.

Conclusion

The December 2024 Chinese Salt Typhoon attack on US telecommunications companies, presumed to be the largest data attack in history, underscores the continued threat the United States faces in the cyber domain. Jen Easterly, then the CISA director, noted in May 2024:

[Chinese cyberattacks are not] for espionage. Not [for] data theft. Not for intellectual property theft, but specifically to launch disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits. . . [that] could well affect the safety and security of livelihoods of Americans here at home through the explosion of pipelines, the pollution of water facilities, the severing of communications, the derailing of transportation.44

The potential national security challenge outlined above highlights the main problem with cyber incident response in the United States—as a war-fighting and criminal domain, cyberspace touches all aspects of American life and, right now, US leadership has not identified and funded an entity responsible for marshaling cyber response. Consequently, US cyber efforts remain siloed and incomplete, amplifying America’s vulnerabilities to its adversaries. No easy or obvious solution to this problem exists, but our analysis of the American response to recent cyberattacks makes a compelling case for reform.

Table 2. Table of comparative responses
(Source: Created by authors)

Threat actor
SolarWinds: APT29 / Cozy Bear (Russian state-sponsored)
Colonial Pipeline: DarkSide (criminal group)
Change Healthcare: BlackCat/ALPHV (Russia-linked) / RansomHub

Type of attack
SolarWinds: Supply chain attack
Colonial Pipeline: Ransomware
Change Healthcare: Ransomware

Attack software
SolarWinds: Sunburst malware
Colonial Pipeline: DarkSide ransomware
Change Healthcare: BlackCat ransomware

Impact of attack
SolarWinds: Compromise of multiple government and private-sector networks; unknown data theft
Colonial Pipeline: Fuel supply disruption on the East Coast
Change Healthcare: Disruption of health care services, claims processing, and patient care; patient data sold on the dark web

Initial company response
SolarWinds: Breach found by FireEye; SolarWinds did not report until later
Colonial Pipeline: Shutdown of the pipeline; paid the ransom
Change Healthcare: Reported incident; hired cybersecurity firms; paid ransom

Initial government response
SolarWinds: Issued emergency directives; coordinated response; established Cyber Unified Coordination Group
Colonial Pipeline: Issued emergency directives; coordinated response; Executive Order 14028
Change Healthcare: Issued advisories; coordinated with health-care organizations

Agencies involved
SolarWinds: Department of Homeland Security; Cybersecurity and Infrastructure Security Agency; FBI; Office of the Director of National Intelligence; NSA
Colonial Pipeline: Department of Homeland Security; Cybersecurity and Infrastructure Security Agency; FBI; Department of Energy
Change Healthcare: FBI; Department of Health and Human Services; American Health Association

Lead agency
SolarWinds: White House delineated the Deputy National Security Advisor for Cyber and Emerging Technology / National Security Council
Colonial Pipeline: White House delineated Department of Energy
Change Healthcare: Not delineated

Third-party companies involved
SolarWinds: FireEye; Microsoft; CrowdStrike
Colonial Pipeline: Mandiant
Change Healthcare: Mandiant; Palo Alto; Google; Microsoft

Laws and authorities
SolarWinds: FISMA (no centralized enforcement authority); Executive Order 14028; Title 50; Homeland Security Act
Colonial Pipeline: Cybersecurity Act of 2015; PPD-41; Federal Information Security Management Act; Homeland Security Act
Change Healthcare: HIPAA; HITECH Act; Federal Information Security Management Act

Second- and third-order effects of attack
SolarWinds: Widespread data breaches, intelligence losses, and economic losses; still unknown vulnerabilities
Colonial Pipeline: Significant fuel shortages and economic impacts
Change Healthcare: Major health-care service and payment disruptions; data and privacy breaches

Gaps in response
SolarWinds: Supply chain security weaknesses, detection, and response delays
Colonial Pipeline: Coordination challenges; insufficient cybersecurity measures
Change Healthcare: Lack of multifactor authentication; slow incident response; fragmented communication

Lessons learned
SolarWinds: Importance of supply chain security; need for cybersecurity standards for government contractors
Colonial Pipeline: Need for better coordination and communication; ICS vulnerability exposed; ineffective ransom payment
Change Healthcare: It is essential to implement multifactor authentication; private organization transparency; ineffective ransom payment

 
 

Kelly R. M. Ihme
Lieutenant Colonel Kelly R. M. Ihme, Air National Guard, is the General Hoyt S. Vandenberg Chair of Aerospace Studies at the US Army War College, where she is an assistant professor in the Department of Distance Education. She is a board-certified psychiatric nurse and intelligence officer with a PhD in organizational psychology. Her work comprises campaign planning, holistic health and fitness, and international fellows outreach education. Her research focuses on mindfulness, artificial intelligence, and leadership. She presents at national and international conferences and has contributed publications to the field of combat behavioral health, AI integration, and military leader training. Additionally, she is the senior intelligence officer for the Pennsylvania Air National Guard.

Patrick O’Brien Boling
Lieutenant Colonel Patrick O’Brien Boling is a recent graduate of the Joint Combined Warfighting School and serves as the deputy of the J7 Plans, Exercises, and State Partnership Program Division in the Louisiana National Guard. He holds Master of Science degrees from Louisiana Tech University and the University of Phoenix and a PhD from Capella University. During his career, he served in various Joint, strategic, operational, and tactical assignments in the active Army and the National Guard as a field artillery officer and an infantry officer with functional areas in operations and information operations.

Michael Zimmerman
Commander Zimmerman is a US Navy explosive ordnance disposal officer in command of Navy Reserve Center Pearl Harbor. A graduate of San Diego State University and the University of Louisville, he was assigned afloat to EOD Mobile Units TWELVE and ELEVEN, the Naval Surface Warfare Center, Indian Head Explosive Ordnance Disposal Technology Division Technical Support Detachment, EOD Group TWO, and Mobile Diving and Salvage Unit TWO. Ashore, he served as flag secretary to the Chief of Navy Reserve, a defense legislative fellow on Capitol Hill, and legislative director at the Office of the Chief of Navy Reserve.

Timothy G. McCormick
Lieutenant Colonel Timothy G. McCormick, US Marine Corps Reserve, is a Reserve Marine judge advocate in the Navy-Marine Corps Appellate Defense Division (Code 45). While on active duty, McCormick served as an artillery officer and a judge advocate. He also served on the Joint Staff. As a civilian, he is a partner at the law firm Christian & Barton, LLP, where he primarily practices energy and public utility law.

 
 

Disclaimer: Articles, reviews and replies, review essays, and book reviews published in Parameters are unofficial expressions of opinion. The views and opinions expressed in Parameters are those of the authors and are not necessarily those of the Department of War, the Department of the Army, the US Army War College, or any other agency of the US government. The appearance of external hyperlinks does not constitute endorsement by the Department of War of the linked websites or the information, products, or services contained therein. The Department of War does not exercise any editorial, security, or other control over the information readers may find at these locations.

 
 

Endnotes

  1. “National Cyber Incident Response Plan Now Available for Public Comment,” Department of Homeland Security (DHS), September 30, 2016, https://www.dhs.gov/blog/2016/09/30/national-cyber-incident-response-plan-now-available-public-comment; Report to Congressional Addresses Cybersecurity: Federal Response to SolarWinds and Microsoft Exchange Incidents, GAO-22-104746, Report to Congress, (Government Accountability Office [GAO], January 2022), https://www.gao.gov/assets/gao-22-104746.pdf; and Cybersecurity & Infrastructure Security Agency (CISA), “Fact Sheet: Cybersecurity and Infrastructure Security Fact Sheet” (CISA, October 25, 2021), https://www.cisa.gov/resources-tools/resources/cisa-fact-sheet. Return to text.
  2. Barack Obama, “United States Cyber Incident Coordination,” Presidential Policy Directive (PPD-41), July 26, 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident. Return to text.
  3. DHS National Cyber Security Division and United States Computer Emergency Readiness Team (US-CERT), Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information across the Federal Civilian Government (DHS, September 2004), https://www.cisa.gov/sites/default/files/publications/privacy_pia_eisntein.pdf; Understanding and Responding to the SolarWinds Supply Chain Attack: The Federal Perspective and Prevention, Response and Recovery: Improving Federal Cybersecurity Post–SolarWinds, Hearing before the Senate Committee on Homeland Security and Governmental Affairs, 117th Cong. 4 (2021) (opening statement of Rob Portman, Ranking Member), https://www.hsgac.senate.gov/hearings/understanding-and-responding-to-the-solarwinds-supply-chain-attack-the-federal-perspective/; and “Cyber Incident Coordination,” PPD-41. Return to text.
  4. Federal Information Security Modernization Act (FISMA 2014), Pub. L. No. 113-283, 128 Stat. 3073 (2014), https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf. Return to text.
  5. “Update on the Cybersecurity Framework,” National Institute of Standards and Technology (NIST), December 5, 2014, https://www.nist.gov/system/files/documents/cyberframework/nist-cybersecurity-framework-update-120514.pdf; and SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains, Joint Hearing, before the House Subcommittee on Investigations and Oversight and the House Subcommittee on Science, Space, and Technology, 117th Cong., 12 and 15 (2021) (Michael Waltz, representative from Florida), https://www.congress.gov/event/117th-congress/joint-event/LC73921/text. Return to text.
  6. Department of Defense (DoD), Defense Support to Civil Authorities (DSCA), DoD Directive(DoDD) 3025.18 (DoD, 2018), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/302518p.pdf; National Guard, 32 U.S.C. § 901 and, specifically, National Guard, 32 U.S.C. § 502(f) provides authority for Guard members to perform homeland defense activities to protect territory, population, or critical infrastructure in the United States. Under DoDD 3025.18, a significant cyber incident falls under the category of “domestic emergencies.” Return to text.
  7. “SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response (Infographic),” WatchBlog: Following the Federal Dollar (blog), U.S. Government Accountability Office (GAO) April 22, 2021, https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic. Return to text.
  8. Donald L. Buresh, “The Solar Winds Cyber-Attack, the Federal and Private Sector Response, and the Recommendations and Lessons Learned,” International Journal of Innovation Scientific Research and Review 4, no. 10 (October 2022); and “The 8 Key Lessons from the SolarWinds Attacks,” SOCRadar: Your Eyes Beyond (blog), October 31, 2023, https://socradar.io/the-8-key-lessons-from-the-solarwinds-attacks/. Return to text.
  9. U.S. Securities and Exchange Commission (SEC), “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures,” news release 2023-227, October 30, 2023, https://www.sec.gov/news/press-release/2023-227. The insertion of the initial malicious code was the first proof of concept on intrusion possibility, followed by additional tests and full network access. On February 2, 2020, APT29 delivered a Cobalt Strike payload and established command-and-control links between SolarWinds and the APT29 servers, deemed SolarStorm. APT29 then used its SolarStorm to make lateral moves within the SolarWinds network, penetrate further, and collect data. Around March 2020, APT29 injected the next piece of sophisticated malware, SUNBURST, into the Orion software as a trojan horse (hidden). SolarWinds then unknowingly infected customers’ systems when those customers installed the routine Orion updates, completing the final step in this supply chain attack. APT29 now had remote access to any system that uploaded the infected Orion update and maintained this access undetected for nine months. See also “SolarStorm Supply Chain Attack Timeline,” December 23, 2020, Unit 42, https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/; Sudhakar Ramakrishna, “Lessons Learned from a Cyberattack: A Conversation with SolarWinds (Part 1 of 2),” interview by Suzanne Spaulding, Center for Strategic & International Studies (CSIS), February 22, 2021, https://www.csis.org/analysis/lessons-learned-cyberattack-conversation-solarwinds-part-1-2; and “SolarWinds Net Worth 2017–2024 | SWI,” MacroTrends, n.d., accessed June 12, 2024. Return to text.
  10. “Net Worth 2017–2024”; “SolarWinds Cyberattack;” and “The SolarWinds Cyberattack: Key Takeaways,” Senate Republican Policy Committee (RPC), January 29, 2021, https://www.rpc.senate.gov/policy-papers/the-solarwinds-cyberattack. Return to text.
  11. PPD-41 does not designate which agency maintains the authority to determine a cyberattack as significant but provides a definition for both “cyber incident” and “significant cyber incident.” Additionally, PPD-41 directs the Cyber Unified Coordination Group as the primary coordination entity for significant cyber incidents. Since Cyber Unified Coordination Group was established for the SolarWinds response, the significance of the cyber incident was extrapolated based on the response. See also CISA, “Joint Statement by the Federal Bureau of Investigation (FBI), the CISA, and the Office of the Director of National Intelligence (ODNI),” press release, updated January 24, 2022, https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure-security-agency. Return to text.
  12. Dina Temple-Raston, “Biden Order to Require New Cybersecurity Standards in Response to SolarWinds Attack,” NPR, April 29, 2021, https://www.npr.org/2021/04/29/991333036/biden-order-to-require-new-cybersecurity-standards-in-response-to-solarwinds-att; “Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, February 17, 2021” (Biden White House Archives, February 17, 2021), https://bidenwhitehouse.archives.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021/; and Natasha Bertrand, “Biden Taps Intelligence Veteran for New White House Cybersecurity Role,” Politico, January 6, 2021, https://www.politico.com/news/2021/01/06/biden-white-house-cybersecurity-neuberger-455508. Return to text.
  13. “SolarWinds Cyberattack”; Understanding and Responding (testimony of Brandon Wales, acting director of CISA), 7–9; “Russian Harmful Foreign Activities Sanctions,” Office of Foreign Asset Control, updated February 23, 2024, https://ofac.treasury.gov/faqs/topic/6626; and Buresh, “Solar Winds Cyber-Attack,” 3471. Return to text.
  14. “Security and Privacy Controls for Information Systems and Organizations,” NIST Special Publication 800-53, rev. 5 (updated December 10, 2020); International Cybersecurity Standardization Working Group, Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity, NIST Report 8074, vol. 2 (US Department of Commerce/ NIST, December 2015), https://doi.org/10.6028/NIST.IR.8074v2; and CYBERSECURITY: Federal Agencies Need to Implement Recommendations to Manage Supply Chain Risks, GAO-21-594T (GAO, May 25, 2021), https://www.gao.gov/assets/720/714530.pdf. Return to text.
  15. SolarWinds and Beyond (testimony of Vijay D’Souza, director of information technology and cybersecurity, GAO), 54.
  16. SolarWinds and Beyond (conversation between Frank Lucas, ranking member, and Matthew Scholl, chief, computer security division of the Information Technology Laboratory, NIST); and “Office of the National Cyber Director (ONCD),” The White House, n.d., accessed April 9, 2025, https://www.whitehouse.gov/oncd/.
  17. Understanding and Responding (conversation between Brandon Wales, acting director of CISA, and Maggie Hassan, committee member), 20; Mark Pomerleau, “New England Guardsmen Test Their Skills in Cyber Yankee 2020,” C4ISRNET, August 3, 2020, https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/; and John O’Hanlon, “Army National Guard Readies for 2020 Cyber Yankee Exercise,” Technology Magazine, May 29, 2020, https://technologymagazine.com/company-reports/army-national-guard-readies-2020-cyber-yankee-exercise.
  18. Dina Temple-Raston, “A ‘Worst Nightmare’ Cyberattack: The Untold Story of the SolarWinds Hack,” NPR, April 16, 2021, https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack.
  19. “Asset Map,” Colonial Pipeline Company, 2025, https://www.colpipe.com/about-us/asset-map/; and “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,” CISA, July 8, 2021, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a.
  20. Phishing is a cyberattack technique in which e-mails or messages that appear authentic are sent to induce targeted individuals to disclose sensitive data such as personal information, passwords, or system access. See also Sean Michael Kerner, “Colonial Pipeline Hack Explained: Everything You Need to Know,” TechTarget, April 26, 2022, https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know; originally reported in William Turton et al., “Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom,” Bloomberg, May 13, 2021, https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom; and “Colonial Pipeline Cyberattack Highlights Need for Better Federal and Private Sector Preparedness (Infographic),” GAO WatchBlog: Following the Federal Dollar (blog), May 18, 2021, https://www.gao.gov/blog/colonial-pipeline-cyberattack-highlights-need-better-federal-and-private-sector-preparedness-infographic. The DarkSide ransomware can lock files with a double-encryption scheme that combines Advanced Encryption Standard (AES) and Rivest–Shamir–Adleman (RSA) encryption. In this hybrid method, AES, a symmetric cipher, encrypts the stolen data, while RSA, an asymmetric cipher, operates with a public/private key pair. See also Ryan Robinson, “Malware Reverse Engineering – Unraveling the Secrets of Encryption in Malware,” Intezer, August 7, https://intezer.com/blog/research/unraveling-malware-encryption-secrets/; and “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,” CISA, July 8, 2021, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a.
  21. Joseph Menn and Stephanie Kelly, “Colonial Pipeline Slowly Restarts as Southeast U.S. Scrambles for Fuel,” Reuters, May 12, 2021, https://www.reuters.com/business/energy/top-us-fuel-pipeline-edges-toward-reopening-gasoline-shortages-worsen-2021-05-12/; Jen Easterly and Tom Fanning, “The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done over the Past Two Years,” CISA (blog), May 7, 2023, https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years; Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure: Hearing before the Committee on Homeland Security, House of Representatives, 117th Cong. (2021) (statement by Charles Carmakal, senior vice president and CTO of FireEye Mandiant), 15, https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/pdf/CHRG-117hhrg45085.pdf; Federal Response to Colonial Pipeline (statement by Eric Goldstein, assistant director of CISA), 30; and “Media Statement Update: Colonial Pipeline System Disruption,” Colonial Pipeline Company, May 17, 2021, https://www.colpipe.com/news-insights/media-resources/post/media-statement-update-colonial-pipeline-system-disruption/.
  22. Pipeline Security Guidelines (Transportation Security Administration, March 2018), 10, https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf; Cyber Threats in the Pipeline; and “Alert: Cybersecurity and Infrastructure Security Agency,” CISA, last updated November 20, 2018, https://www.cisa.gov/news-events/alerts/2018/11/19/cybersecurity-and-infrastructure-security-agency.
  23. Federal Response to Colonial Pipeline (conversation between Andrew R. Garbarino, representative from New York, and Eric Goldstein, assistant director of CISA), 26–27; and Federal Response to Colonial Pipeline (statement by Bonnie Watson Coleman, chairwoman of the Subcommittee on Transportation & Maritime Security), 2.
  24. Federal Response to Colonial Pipeline (statement by Bonnie Watson), 2; and Federal Response to Colonial Pipeline (statement by Eric Goldstein), 16.
  25. U.S. Department of Justice Archives, “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside,” press release, June 7, 2021, https://www.justice.gov/archives/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside; Colonial Pipeline Company, “Colonial Pipeline Company CEO Issues Statement following Announcement by U.S. Department of Justice on Recovery of Cryptocurrency Funds,” June 7, 2021, https://www.colpipe.com/news-insights/media-resources/post/colonial-pipeline-company-ceo-issues-statement-following-announcement-by-u-s-department-of-justice-on-recovery-of-cryptocurrency-funds/; “Executive Order on Improving the Nation’s Cybersecurity,” Exec. Order 14028, May 12, 2021, https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/; and “Joint Ransomware Task Force,” CISA, n.d., accessed May 5, 2025, https://www.cisa.gov/joint-ransomware-task-force.
  26. Cyber Threats in the Pipeline (statement by Sonya T. Proctor, assistant administrator for surface operations, Transportation Security Administration); Paul W. Parfomak, DOT’s Federal Pipeline Safety Program: Background and Issues for Congress, Congressional Research Service (CRS) Report R44201 (CRS, March 31, 2023), https://www.congress.gov/crs-product/R44201; “Critical Infrastructure Sectors,” CISA, n.d., accessed June 14, 2024, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors; and Kristen Eichensehr, “Public-Private Cybersecurity,” Texas Law Review 95, no. 467 (2017): 494, https://texaslawreview.org/wp-content/uploads/2017/03/Eichensehr.pdf.
  27. Joe R. Reeder and Tommy Hall, “Cybersecurity’s Pearl Harbor Moment: Lessons Learned from the Colonial Pipeline Ransomware Attack,” The Cyber Defense Review 6, no. 3 (Summer 2021); Liam P. Bradley, “Was the Colonial Cyberattack the First Act of Cyberwar against the U.S.? Finding the Threshold of War for Ransomware Attacks,” St. John’s Law Review 96, no. 2 (2022), https://scholarship.law.stjohns.edu/cgi/viewcontent.cgi?article=7237&context=lawreview; and “What the Ransomware Attack on Colonial Pipeline Means for the Industry,” NPR, May 11, 2021, https://www.npr.org/2021/05/11/995751028/what-the-ransomware-attack-on-colonial-pipeline-means-for-the-industry.
  28. “Office of the National Cyber Director,” The White House archives, n.d., accessed June 14, 2024, https://bidenwhitehouse.archives.gov/oncd/; Cyber Incident Reporting for Critical Infrastructure Act of 2021, H.R. Rep. 5440 (2021), https://www.congress.gov/bill/117th-congress/house-bill/5440; Dave Nyczepir, “ONCD Senior Leader Says FBI and Operational Cyber Agencies Have Improved Incident Info Sharing,” FedScoop, September 21, 2022, https://fedscoop.com/agencies-improving-cyber-information-sharing; “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,” Federal Register 89, no. 66, April 4, 2024, https://www.govinfo.gov/content/pkg/FR-2024-04-04/pdf/2024-06526.pdf; J. Daniel Skees et al., “How New Cyber Incident Reporting Regulations Impact Energy Companies,” Morgan Lewis, December 21, 2023, https://www.morganlewis.com/pubs/2023/12/how-new-cyber-incident-reporting-regulations-impact-energy-companies; “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Securities and Exchange Commission, 2022, https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf; and Skees et al., “Incident Reporting.”
  29. Trellix, “Trellix Report Reveals Key U.S. Critical Infrastructure Providers Lack Advanced Cyber Defenses,” news release, April 14, 2022, https://www.trellix.com/news/press-releases/trellix-report-reveals-key-us-critical-infrastructure-providers-lack-advanced-cyber-defenses/; John Fokker, “The Cyberthreat Report,” Trellix Advanced Research Center, November 2023, https://www.trellix.com/advanced-research-center/threat-reports/november-2023/; Sontan Adewale Daniel and Samuel Segun Victor, “Emerging Trends in Cybersecurity for Critical Infrastructure Protection: A Comprehensive Review,” Computer Science & IT Research Journal 5, no. 3 (March 2024), https://fepbl.com/index.php/csitrj/article/view/872/1073; Cost of a Data Breach: Report 2024 (IBM), n.d., accessed March 10, 2025, https://www.ibm.com/reports/data-breach; “Russian Threat Actors Targeting the HPH Sector,” PowerPoint training presentation, US Department of Health and Human Services [HHS] Office of Information Security / Health Sector Cybersecurity Coordination Center (virtual), February 15, 2024, https://www.hhs.gov/sites/default/files/russian-threat-actors-targeting-the-hph-sector-tlpclear.pdf; and “Uncover the Hidden Story of Ransomware Victims—They’re Not Who You Think,” Trellix Advanced Research Center (blog), July 31, 2023, https://www.trellix.com/blogs/research/uncover-the-hidden-story-of-ransomware-victims/.
  30. “Wyden Hearing Statement on Change Healthcare Cyberattack and UnitedHealth Group’s Response,” Senate Committee on Finance, May 1, 2024, https://www.finance.senate.gov/chairmans-news/wyden-hearing-statement-on-change-healthcare-cyberattack-and-unitedhealth-groups-response; “What We Learned: Change Healthcare Cyber Attack,” Energy & Commerce Chairman Brett Guthrie (blog), May 3, 2024, https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack; “White House Meets with UHG About Cyber-Attack,” National Community Pharmacists Association, March 14, 2024, https://ncpa.org/newsroom/qam/2024/03/14/white-house-meets-uhg-about-cyber-attack; and “Russian Threat Actors.” In late 2023, the FBI, the Department of Justice, and CISA intervened and disrupted the Russian cyber-criminal group BlackCat/ALPHV multiple times, using a new detection tool that disrupted millions of dollars in ransom payments. The three agencies released a joint alert memo on December 19, 2023. BlackCat vowed to retaliate against the United States by targeting US health-care systems. See also “#StopRansomware: ALPHV Blackcat,” CISA, updated February 27, 2024, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a.
  31. Brenda Robb, “The Change Healthcare Ransomware Attack: A Landmark Cybersecurity Breach,” Blackfog, August 5, 2024, https://www.blackfog.com/change-healthcare-landmark-cybersecurity-breach/; John Leyden, “Authentication Failure Blamed for Change Healthcare Ransomware Attack,” CSO, April 23, 2024, https://www.csoonline.com/article/2094609/authentication-failure-blamed-for-change-healthcare-ransomware-attack.html; Zack Whittaker, “How the Ransomware Attack at Change Healthcare Went Down: A Timeline,” TechCrunch, January 27, 2025, https://techcrunch.com/2025/01/27/how-the-ransomware-attack-at-change-healthcare-went-down-a-timeline/; Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next, Hearing before the U.S. Senate Committee on Finance, 118th Cong. (2024) (statement of Ron Wyden, ranking member), 3, https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next; Hacking America’s Health Care (statement of Mike Crapo, chairman); Chris Jaikaran, The Change Healthcare Cyberattack and Response Considerations for Policymakers, CRS Report IN12330 (CRS, April 24, 2024), https://crsreports.congress.gov/product/pdf/IN/IN12330; Rylee Wilson, “Lack of Transparency ‘Handcuffed’ Feds’ Change Hack Response, Lawmaker Says,” Becker’s Hospital Review, March 25, 2024, https://www.beckershospitalreview.com/legal-regulatory-issues/lack-of-transparency-handcuffed-feds-change-hack-response-lawmaker-says.html; Emily Olsen, “UnitedHealth Confirms Ransom, Compromised Health Data from Change Attack,” HealthcareDive, April 23, 2024, https://www.healthcaredive.com/news/unitedhealth-ransom-change-cyberattack-data-breach/713979/; Hacking America’s Health Care; and “#StopRansomware.”
  32. “Notice of Data Breach,” Change Healthcare, updated January 14, 2025, https://www.changehealthcare.com/hipaa-substitute-notice.html; Hacking America’s Health Care (testimony of Andrew Witty, CEO, UnitedHealth Group), 1; and UnitedHealth Group Incorporated, Report to Securities and Exchange Commission, UnitedHealth Group (February 21, 2024), https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm.
  33. Andrew Cass, “UnitedHealth/Change Health Proposed Class Action Lawsuit,” March 3, 2024, 1; and Jaikaran, Change Healthcare Cyberattack.
  34. Bruce Giles, “Providers Losing $100M Daily over Change Healthcare Hack: Report,” Becker’s Health IT, March 4, 2024, https://www.beckershospitalreview.com/cybersecurity/providers-losing-100m-daily-over-change-healthcare-hack-report/; Olsen, “UnitedHealth Confirms Ransom”; HHS, “HHS Statement Regarding Cyberattack on Change Healthcare,” March 5, 2024, https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html; Ron Southwick, “Feds Respond to the Change Healthcare Cyberattack; Hospitals Find It Lacking,” Chief Healthcare Executive, March 6, 2024, https://www.chiefhealthcareexecutive.com/view/feds-respond-to-change-healthcare-cyberattack-hospitals-find-it-lacking; Wilson, “Lack of Transparency”; Jakob Emerson and Rylee Wilson, “The Change Healthcare Cyberattack: A Timeline,” Becker’s Health IT, March 26, 2024, https://www.beckershospitalreview.com/cybersecurity/the-change-healthcare-cyberattack-a-timeline.html; and Editorial Staff, “Change Healthcare Cyberattack Fallout Continues,” TechTarget, n.d., updated May 2, 2024, https://healthitsecurity.com/news/change-healthcare-disconnects-system-amid-cyberattack.
  35. Emerson and Wilson, “Change Healthcare Cyberattack”; and Staff, “Cyberattack Fallout.”
  36. Staff, “Cyberattack Fallout”; “Ranking Member Cassidy Seeks Information from UnitedHealth on Change Healthcare Cyberattack,” U.S. Senate Committee on Health, Education, Labor & Pensions, May 14, 2024, https://www.help.senate.gov/ranking/newsroom/press/ranking-member-cassidy-seeks-information-from-unitedhealth-on-change-healthcare-cyberattack-1; American Medical Association (AMA), “Change Healthcare Cyberattack Impact: Key Takeaways from Informal AMA Follow-up Survey” (AMA, April 29, 2024), https://www.ama-assn.org/system/files/change-healthcare-follow-up-survey-results.pdf; “Ranking Member Cassidy Seeks”; and Steve Alder, “UnitedHealth Adopts Aggressive Approach to Recover Ransomware Attack Loans,” The HIPAA Journal, February 19, 2025, https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/.
  37. “CISA, FBI, and HHS Release an Update to #StopRansomware Advisory on ALPHV Blackcat,” CISA, February 27, 2024, https://www.cisa.gov/news-events/alerts/2024/02/27/cisa-fbi-and-hhs-release-update-stopransomware-advisory-alphv-blackcat; and Wilson, “Lack of Transparency.”
  38. Wilson, “Lack of Transparency”; Director of Office of Civil Rights Melanie Fontes Rainer to HHS colleagues, “Re: Cyberattack on Change Healthcare,” March 13, 2024, https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf; and HHS, “HHS Statement Regarding the Cyberattack on Change Healthcare,” press release, March 5, 2024, https://public3.pagefreezer.com/browse/HHS.gov/02-01-2025T05:49/https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html.
  39. HHS, “Readout of Biden-Harris Administration Convening with Health Care Community Concerning Cyberattack on Change Healthcare,” press release, March 12, 2024, https://www.hhs.gov/about/news/2024/03/12/readout-biden-harris-administration-convening-health-care-community-concerning-cyberattack-change-healthcare.html; Staff, “Change Healthcare Cyberattack Fallout”; Emerson and Wilson, “Change Healthcare Cyberattack”; and Pierluigi Paganini, “US Gov Offers a Reward of up to $10M for Info on ALPHV/BlackCat Gang Leaders,” Security Affairs, February 16, 2024, https://securityaffairs.com/159238/cyber-crime/us-gov-reward-alphv-blackcatgang.html.
  40. Jaikaran, Change Healthcare Cyberattack. The four pillars are establishing a comprehensive cybersecurity strategy and performing effective oversight, securing federal systems and information, protecting the cybersecurity of critical infrastructure, and protecting privacy and sensitive data. See also Report to Congressional Addressees, High-Risk Series: Urgent Action Needed to Address Critical Cybersecurity Challenges Facing the Nation, GAO-24-107231 (GAO, June 2024), https://www.gao.gov/assets/gao-24-107231.pdf.
  41. Senator Ron Wyden to Lina S. Khan, chair, Federal Trade Commission, and Gary Gensler, chair, SEC, “Re: Cyberattack on Change Healthcare,” May 30, 2024, https://www.finance.senate.gov/imo/media/doc/wyden_letter_to_ftc_and_sec_on_uhg_cybersecuritypdf.pdf; Steve Alder, “Senators Urge UHG to Issue Notifications about Change Healthcare Ransomware Attack before June 21,” in “UnitedHealth Adopts Aggressive Approach,” The HIPAA Journal, n.d., posted February 19, 2025, https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/; Senators Margaret Wood Hassan and Marsha Blackburn to UnitedHealth Group CEO Andrew Witty, “Re: Cyberattack on Change Healthcare,” June 7, 2024, https://www.hassan.senate.gov/imo/media/doc/letter_to_uhg.pdf; Steve Alder, “Judge Sets Deadline”; and Bruce Japsen, “UnitedHealth Group Cyberattack Costs to Hit $2.3 Billion This Year,” Forbes, July 16, 2024, https://www.forbes.com/sites/brucejapsen/2024/07/16/unitedhealth-group-cyberattack-costs-to-eclipse-23-billion-this-year/.
  42. PPD-41.
  43. National Institute of Standards and Technology (NIST), The NIST Cybersecurity Framework (CSF 2.0) (NIST/US Department of Commerce, February 26, 2024), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf; and Scott Rose et al., Zero Trust Architecture, NIST Special Publication 800-207 (NIST/US Department of Commerce, August 2020), https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf.
  44. Joao-Pierre S. Ruth, “Mayorkas, Easterly at RSAC Talk AI, Security, and Digital Defense,” Information Week, May 8, 2024, https://www.informationweek.com/cyber-resilience/mayorkas-easterly-at-rsac-talk-ai-security-and-digital-defense.