LAS VEGAS–Chris Krebs, the founding director of the government’s Cybersecurity and Infrastructure Security Agency (CISA), came to the Black Hat information-security conference here with three questions on his mind:
“Why is it so bad right now?”
“What do you mean it’s going to get worse?”
“What are we going to do about it?”
Krebs attempted to answer those questions, which he says he’s heard repeatedly from government leaders over the last 18 months, in the keynote that opened Black Hat on Wednesday morning. The short version of his answer to all three: “It isn’t hopeless.”
The longer version of it began with Krebs unpacking the systemic issues he says he sees in the US approach to information security. At the level of technology, Krebs says we’ve taken the existing problem of companies viewing security as a cost center and a brake and compounded it with the increasing migration of key corporate services to various cloud vendors.
“You can’t see what’s happening on the backplane of the cloud,” he says.
Krebs also criticized the US for focusing too much on sophisticated nation-state attackers instead of grappling with the less exciting problem of ransomware, or the “the biggest collective falling-down of government and industry,” as he puts it.
“We’ve kind of fetishized the advanced persistent threat,” Krebs says. “Cyber criminals have been eating our lunch in the meantime.”
Government agencies need to upgrade from asking companies to comply with cybersecurity checklists to making outcome-based assessments, he says. And they need to simplify lines of communication. “It’s still difficult for a private-sector organization to know who to work with.”
CISA’s founding in 2018 was meant to bring some of that simplicity. Krebs headed up the agency, a branch of the Department of Homeland Security, from then until President Trump fired him in November 2020 for confirming that the 2020 election was held securely.
The issues Krebs sees in the US approach to “infosec” extend to grade schools that ought to teach the basics but don’t. He notes that although his five kids are in what he calls a good school system, “there aren’t opportunities for them to experience coding.”
Krebs pronounced himself pessimistic in the short term because businesses haven’t fully priced in cyber risks while attackers don’t feel enough pain. And we keep expanding our collective attack surface by putting more devices online: “We all have a pathological need to have things connected to the internet.”
But, Krebs is optimistic about the longer term, starting with the trend that “every day that goes by, our workforce becomes increasingly tech-native.”
He points to recent moves to step up government-industry collaboration (for example, last month’s “Cyber Workforce and Education Summit” at the White House) and to go after the financial infrastructure of attackers (this week’s move by the Treasury Department to sanction the cryptocurrency-mixing firm Tornado Cash for helping North Korea launder ill-gotten gains).
He urges business leaders to make cybersecurity a boardroom priority and plan farther ahead, citing the potential risk of China invading Taiwan. “If you want to physically segment your networks in Taiwan, you’ve gotta start that now,” he advises.
As for government, Krebs both endorses existing moves to use its procurement power to push security upgrades and suggests a broader reformation is necessary. “I think it’s time to rethink the way government interacts with technology,” he argues, though he didn’t elaborate much.
After admitting moments later that “I also don’t have a whole lot of confidence that this Congress can get that done,” Krebs offered his closing counsel to the researchers and developers in the room. That left the keynote sounding a bit like a self-help seminar as Krebs urged attendees to ground their work on ethical principles and find and stick with people who will support them. This line got the most applause: “Life’s too short to work for assholes. So don’t.”