Black Hat It’s time to reorganize the US government and create a new agency focused solely on on digital risk management services, according to former CISA director Chris Krebs.
“And I’m ready to lead that charge,” he said, during the Black Hat USA infosec conference’s opening keynote on Wednesday.
Or, if that’s too ambitious for Uncle Sam, Krebs proposed to at least pull CISA out of the Department of Homeland Security and make it a sub-cabinet agency that’s allowed to operate independently.
Krebs, of course, served as the first director of the CISA, which was created in 2018 largely as a response to Russia and other nation states from interfering in US elections. He was famously fired in 2020 via tweet by President Donald Trump for disputing the lame-duck president’s Big Lie over the 2020 US election results.
We’ve kind of fetishized the advanced persistent threat
Krebs then co-founded a security consulting firm with Facebook’s former chief security officer Alex Stamos with SolarWinds as the firm’s first client.
“I’m ready to make the argument that the digital environment around us has changed so dramatically in the last 25 years, while our government hasn’t kept up,” he said on stage in Las Vegas. “It’s time to rethink the way government interacts with technology.”
The Aspen Institute, a homeland security policy think-tank where Krebs is a commissioner, will tackle this issue, too. Krebs said it will examine different ways in which the government could do a better job at managing digital risk.
“We could see, from a far end of the spectrum: a heavy package of establishing a US digital agency that could take elements of CISA, elements of NIST and NTIA, the Department of Energy and the National Labs, maybe bits and pieces of the FTC and the FCC,” Krebs said.
This risk-management agency’s scope would extend beyond cybersecurity, he added. “I’m not just talking about cyber, I’m talking about privacy, talking about trust and safety issues,” Krebs said. “We’re not where we need to be. We’re falling behind and Americans are suffering as a result.”
However, he also acknowledged that US lawmakers’ leadership on this issue is – ahem – sorely lacking.
“So we’re gonna have to look at different possible outcomes,” Krebs said, noting that making CISA’s its own sub-cabinet agency is one such possibility. But this effort also requires private security company buy-in, plus the larger researcher community that has descended on Vegas this week for summer camp.
Ransomware: industry, government’s ‘biggest collective fail’
Krebs also chastised both government and the private sector for the rise of ransomware over the past couple of years, which he said represents the “biggest collective falling down of government, of industry.”
“What is ransomware? It is a bad guy that’s figured out how to monetize a vulnerability or misconfigured system,” Krebs said.
In other words: overly complex and interconnected software and security environments makes it easier for the criminals to find holes to exploit, and the rise of cryptocurrency makes it easier for them to launder their gains without fear of prosecution from safe-harbor nations like Russia, China and North Korea, among others.
“What that’s done in the meantime, is distracting our intelligence community, our national security community that was five years ago focused on the highest sort of threat,” such as Russia’s GRU, China’s MSS and other nation-state cyber threats, Krebs said. “Now they have to broaden their view of threat actors to include cyber criminals.”
“My take here is that we’ve kind of fetishized the advanced persistent threat,” instead of considering the opportunistic nature of most cybercriminals, state-sponsored or not, and viewing the connected nature of the internet and software itself as the threat model, he said.
“Companies that are shipping products are shipping targets,” Krebs said, quoting his business partner Stamos.
“If you’re hosting a service, you’re the target,” he added, referring to the supply chain attacks (like SolarWinds) against internet and managed services providers that allow miscreants to find one vulnerability and use it to breach multiple organizations.
Criminals “understand the dependencies and the trust connections that we have on our software services and technology providers,” Krebs said. “And they’re working up the ladder through the supply chain.”
Plus, when organizations are hit by ransomware or another cyberattack, the government doesn’t make it easy for them to get help from the Feds — or even to know which agency should be their starting point for their reporting and recovery efforts.
“Is it the FBI? Is it CISA? Is the Department of Energy? Is it Treasury. It’s still just too hard to work with government, and the value prop isn’t as clear as it needs to be,” Krebs said. “We’ve got to fix that.” ®