LAS VEGAS — Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs warned that small improvements to the government’s cyber operations are not enough to stave off growing threats.
Krebs’ keynote during Black Hat 2022 on Wednesday kicked off the security conference here with reflections on his time in government, as well as predictions and hopes for the future. Some of the more notable sections of his speech were critiques and recommendations for improving the U.S. government’s cyber posture.
Krebs discussed how threat actors have evolved and how they operate and said the U.S. has “struggled” in responding to the evolving threat landscape — particularly with ransomware.
“It’s still difficult to work with the U.S. government. It’s still difficult for private sector organizations to know who to work with. Is it the FBI? Is it CISA? Is it Department of Energy? Is it Treasury?” he said. “It’s still just too hard to work with government, and the value prop isn’t as clear as it needs to be. Got to fix that.”
Krebs served as the first director of the Cybersecurity and Infrastructure Security Agency (CISA) when it was founded in 2018; he was ultimately fired from his post via a tweet by former U.S. President Donald Trump shortly after the November 2020 presidential election. Krebs now leads cyber consultancy Krebs Stamos Group with Alex Stamos, former CSO at Facebook.
Government’s roles in security
Later in the talk, Krebs gave recommendations for how the government can shape the future. Within the digital ecosystem, he said, the government has four main roles: consumer, enforcer, defender and enabler. Recommendations were divided among those four aspects.
The consumer aspect refers to the U.S. Department of Defense, which Krebs said is “likely the largest customer of most of the big tech firms.” He advocated for the government to use its massive funds to invest more aggressively in private sector tools.
“They have incredible purchasing power. They need to use it. They have to set the bar higher,” Krebs said. “The lowest price technically acceptable cannot be the procurement and acquisition model. You have to move faster. You have to fail faster. You have to continue moving forward.”
Enforcer refers to regulation and law enforcement. He didn’t provide specifics around regulations in the keynote, outside of references to “smarter regulations” based on outcomes, as opposed to more of them. Krebs said he has seen “the right kind of movements” from the Department of Justice and FBI — namely, moving aggressively against the command-and-control infrastructure of cybercriminals.
“We need to shift from longer-term investigations toward more disruptive actions in preventing their ability, imposing costs and eliminating their ability to extract value from companies here in the U.S.,” he said.
As a defender, the U.S. intelligence community should continue “pushing out [and] moving forward.” One example Krebs provided was the U.S. intelligence community’s work prior to the 2020 election in exposing nation-state actors that were trying to target election and voting registration databases. These insights allowed state and local election officials to better harden their defenses in preparation.
Lastly, Krebs said the government should further enable CISA and give it the resources it needs to make it easier for organizations to work with the government.
“Continue to invest in and build CISA out. Make it easier and less complex for organizations to work with the government and get value out of it,” he said. “Instead of going to five or six different agencies, make the front door clearly visible.”
Krebs emphasized that small tweaks to policy and procedure likely won’t suffice.
“I’m not naive enough to think that slight course corrections of individual agencies are going to be enough,” Krebs said. “I’m ready to make the argument that the digital environment around us has changed so dramatically in the last 25 years, while our government hasn’t kept up pace, has lagged, is slow. The slope lines don’t have the same trajectory. I think it’s time to rethink the way government interacts with technology.”
The former CISA director followed this with a reference to work he was doing with international nonprofit think tank The Aspen Institute to develop recommendations for a “smarter, more efficient, more organized government.” One piece of this is a new “U.S. digital agency” focused on risk management that goes beyond cybersecurity and into privacy, trust and safety issues.
Alexander Culafi is a writer, journalist and podcaster based in Boston.