The ‘accidental director’ on the front line of the fight for election security
Christopher Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA), is zeroing in on elections ahead of November.
CISA was created out of the former National Protection and Programs Directorate (NPPD) and signed into law by President Trump in late 2018. It is one of the primary federal agencies tasked with assisting state and local officials in bolstering election security.
“I spend at this point 40 to 50 percent of my time on election security issues,” Krebs told The Hill during an interview at CISA headquarters this month. “A top priority for us right now is protecting 2020.”
During the 2018 midterm elections, CISA hosted a situational awareness room on Election Day to continuously monitor threats across the country and worked closely with regional officials to address cyber vulnerabilities. Krebs said he saw getting through the midterms “unscathed” as part of his legacy as the first director of CISA, the newest agency in the Department of Homeland Security (DHS).
“I’m not looking at 2020 as a metric or some sort of legacy mark, but what I want my legacy to be — and I hope to be here for longer — is that CISA is a meaningful player in the national and international stage,” Krebs said.
With the 2020 elections looming, Krebs said he hopes this will be “the year of CISA.”
“We took 2019 to figure out, OK we go from NPPD to CISA, what does that process look like?” Krebs said. “It’s not just as simple as you slap a name on the building and issue new business cards and some T-shirts and socks and you’re good to go; it’s much more the internal realignments we had to make.”
Krebs’s career experience helped prepare him for the multiple roles CISA plays, which run from assisting with federal agency cybersecurity to protecting soft targets such as the Super Bowl from attacks.
Krebs served as a DHS adviser during the George W. Bush administration, working on issues including defending Defense Department networks against foreign threats, and then moved over to Microsoft to lead its policy work on cybersecurity and technology issues.
He returned to DHS in 2017, initially to serve as an adviser to former Homeland Security Secretary John Kelly. Following Kelly’s departure and the promotion of Kirstjen Nielsen to the secretary position, Krebs became what he described as the “accidental director” first of NPPD, then the newly formed CISA, with the Senate voting to confirm him in 2018.
“I didn’t anticipate necessarily being in this role, I didn’t necessarily anticipate the agency being here. I just wanted to come in and make a difference,” Krebs said.
CISA faced a significant challenge last month when cyber threats from Iran increased following the targeting and killing of Gen. Qassem Soleimani.
CISA hosted three different stakeholder calls in the week after Soleimani’s death, with Krebs estimating that more than 20,000 officials and business leaders called in, enabling CISA to give regular updates on Iranian cyber threats and steps groups could take to defend themselves.
“We’ve got the mechanisms, we can reach out and touch people when things get hot, we can do it quickly,” Krebs said.
While cyber threats from Iran and election security are key issues CISA addresses, Krebs emphasized that he sees the spread of ransomware attacks as the biggest cyber threat to Americans.
These hacks, in which the attacker locks up a system and demands payment to give the user access again, have become rampant across the nation over the past two years.
The city governments of New Orleans, Atlanta and Baltimore have suffered major impacts to operations from ransomware, and Louisiana and Texas declared states of emergency due to coordinated attacks on various entities.
Krebs cautioned that no one should pay such attackers, but often not paying can cost the victim more money due to rebuilding systems and purchasing new hardware.
“The thing that the average American’s going to have an experience with on a daily basis is ransomware,” Krebs said. “We’re putting a lot of thought into how we help people protect themselves and get in a better position.”
Other operational priorities of CISA, as outlined in a “strategic intent” plan published by the agency last year, include defending against Chinese threats to 5G networks and protecting critical industrial control systems.
“We’re trying to take a risk management approach. It’s not risk eradication — we’re not necessarily saying ‘you can’t use this drone, period’ — it’s ‘here are the risks associated with this kind of drone, here are the things you can do to mitigate it,’ ” Krebs said.
Krebs hails from Atlanta originally and holds an undergraduate degree in environmental sciences from the University of Virginia, along with a law degree from George Mason University. He now lives in the Washington, D.C., area with his wife and children, riding his bike to the office most days.
In 2018, he used his confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee to announce to his parents that his fifth kid was on the way, a video clip Krebs said he goes back and sometimes rewatches.
Krebs cited his children as being a key motivator.
“One of the reasons I’m doing this job is because I’ve got five kids and I want them to have a United States of America,” Krebs said. “I want them to be able to vote, when they get to 18, and have confidence in the process. I want [to secure] the systems and the networks that they’re going to depend upon in the future.
“I’ve got to be able to look at them every morning and say ‘I’m doing this, you know, to ensure that you’ve got something when it’s your time.’ ”