How to stop handing our cybersecurity keys to hackers
On Wednesday, I return to Capitol Hill, at least virtually, to testify in front of Congress, this time in front of the House of Representatives Committee on Homeland Security. The committee is holding a timely hearing on cyber threats to American businesses and government agencies and what we can do to improve our collective security and resilience. I was the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from November 2018 to November 2020. Although I am testifying in my personal capacity, my new venture, Krebs Stamos Group, now represents SolarWinds, the company whose software was hijacked by Russian government cyberspies as a part of a broad campaign targeting U.S. government and private sector systems that resulted in compromises at multiple federal agencies and at private companies.
Leading the CISA and its predecessor organization for the last four years helped to shape my view of the various cyber actors looking to compromise our nation’s digital infrastructure. The cyber threat landscape is more complicated than ever, with foreign governments and criminal gangs alike building capabilities that enable everything from run-of-the-mill cybercrime, information operations and intellectual property theft to destructive attacks and operations with kinetic effects. The bulk of the malicious cyber activity targeting the United States emanates from four countries — Russia, China, Iran and North Korea.
Even in those countries, the difference between state action and criminal activity increasingly is blurred, as contracted or proxy cyber actors support or act on behalf of state-directed operations. Conversely, state actors sometimes moonlight as cybercriminals after-hours to earn additional income. And in other cases, non-state cyber actors operate with the tacit approval of the home state, as long as the actors do not target their own domestic organizations — in other words, “anyone but us.” New actors enter and leave the playing field daily. Agencies reorganize, break up and consolidate. Criminal gangs are busted, go dark or give up the life of crime. All of this creates an ever-shifting landscape of behavior that is ultimately detrimental to the stability of the internet. As long as the tools are available, vulnerabilities exist, money and secrets are to be had, and a lack of meaningful consequences persists, there will be malicious cyber actors.
Complicating matters, we make it far too easy for the bad guys.
Monday’s revelation that a bad actor appeared to remotely access and change the chemistry at a Florida water treatment facility is one more reminder of just how dire the nation’s cybersecurity challenge is. Unfortunately, that water treatment facility is the rule rather than the exception. When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach. Even then, the purpose of information technology (IT) is to make things easier to manage, so it is almost counterintuitive that managing a system over the internet might be a bad thing.
In other words, we have a dilemma on our hands. But all is not lost, assuming we understand a few rules of the game.
First, the federal government is not going to save you, but it is an essential partner. Second, cybersecurity competency requires leadership buy-in. Third, improving cybersecurity takes investment, yet access to funds is not always there. Fourth, good guys and bad guys alike make mistakes — but how fast you find both makes a difference. Fifth, corporate mistakes are likely going to become public regardless of what company leadership does to contain and conceal the damage, so the faster you protect your customers, the better off everyone will be. And sixth, everyone has bad days, and only preparation will determine how bad that day is.
In my testimony, I provide a series of recommendations that accept these truisms and can put us on a collective path towards greater security and a more resilient economy. Are we going to stop every attack? No, but we can take care of the most common risks, make the bad guys work that much harder and limit their success. To get there, we must make three strategic shifts. We need stronger cybersecurity leadership in industry and government. We must allocate more and smarter investments into private-sector capabilities and to all levels of government. Lastly, industry and government must come together to collectively democratize cybersecurity, increase capacity and work in a meaningful way beyond information-sharing.
The parts are in place for our nation to dramatically improve our cybersecurity defenses. As a society, we need to accept that every organization in the country, whether in the private sector or in government, can be targeted by a cyber actor. The government cannot stop all attacks, but there is much that industry can do on its end. Companies have a responsibility to customers, stakeholders and, depending on where they sit in the economy, a responsibility to the country.
The key ingredients to a more cybersecure nation are leadership awareness and commitment in the private sector, along with a bolder vision from government. This alone will not immediately solve the problem, but when these two pieces are folded together, investment will follow, defenses will improve, and organizational and economic resilience will increase. Cybersecurity is an ever-evolving discipline, and threat actors are motivated by a variety of incentives that we may never fully comprehend. Meaningful progress will take time, and we may never see a finish line. But change for the better is possible. We need to stop waiting for that change to happen to us and, instead, employ the courage and resolve that have driven American innovation throughout our national history.
Christopher Krebs was director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from November 2018 to November 2020. He now is a principal at Krebs Stamos Group, which represents SolarWinds. He previously was a senior counselor to the Homeland Security secretary, was assistant secretary for infrastructure protection and under secretary of Homeland Security, and worked as cybersecurity policy director for Microsoft.