Former U.S. Department of Homeland Security cybersecurity leader Christopher Krebs laughed off the question without comment at the IT Symposium hosted by research firm Gartner this week:
“How would you prefer to be fired, in-person or via Twitter?”
Krebs was famously fired by Donald Trump for disagreeing with claims of election fraud following the 2020 election.
He did, however, mention the election protection efforts of the U.S. government several times as a relative success story. Krebs participated in that work as head of Homeland Security’s Cybersecurity & Infrastructure Security Agency, a public-private partnership.
“That was an example of having a clear set of objectives and a clear set of timelines, and of course everyone was pulling in the same direction of protecting democracy,” he said. Many government agencies were involved, including U.S. Cyber Command members “forward-deployed in Eastern Europe” who spotted early warning signs of election subversion efforts and helped nullify them.
More broadly, Krebs discussed the role the U.S. government can play in improving cybersecurity for both government itself and the private sector. Cybersecurity has become one of the most vexing challenges for IT decision-makers across industries. These executives are seeking to build sophisticated data infrastructures, but those infrastructures face constant attacks by bad actors, a trend that has gotten worse during the pandemic.
The ‘power of the purse’ and cybersecurity standards
One of the best things the Biden administration is doing right now is using “the power of the purse,” or its procurement power, to push for even higher security standards, Krebs said. The standards the government published in May for security and networking equipment should result in higher quality products for everyone, he said, because the government is such a big customer.
The federal government also boosts cybersecurity R&D through agencies such as the Defense Advanced Research Projects Agency (DARPA). But those efforts shouldn’t be just for the defense establishment, Krebs said. “If you look at China, when they invest in their tech sector, they’re doing it for geo-economic reasons.” Self-sufficiency in semiconductors is one area where the government should be investing “much, much more,” he said.
As an enforcer, the government can influence better cybersecurity practices through many of its agencies, including the Securities and Exchange Commission and regulators overseeing banking, energy, and other industries. Based on recent experience with ransomware, he expects compliance requirements to be tightened but hopes they will not be just “a checklist exercise.”
The government can also be an advisor to private industry, Krebs said, pointing to his former agency’s recent publication of bad practices guidelines to help organizations understand what not to do, like failing to patch VPN software. “The reason we are where we are is that the installed base is so incredibly vulnerable,” he said, meaning that networking and security products are often deployed with significant configuration errors.
The one good thing about the severity of recent ransomware attacks, like the one on Colonial Pipeline that disrupted fuel shipments across the eastern U.S., is that they showed business leaders just how dramatically their businesses can be disrupted, with the possibility of getting hauled before Congress to explain how they were breached. “That’s going to wake up most any executive,” Krebs said, and should make it easier for cybersecurity leaders to argue they need more resources.
At the center of security hacks
Krebs appeared in a keynote interview conducted by video conference with Neil MacDonald, a top Gartner analyst. MacDonald challenged Krebs to defend one government intervention, the Justice Department’s decision to have the FBI effectively hack into corporate networks and proactively patch their Exchange servers against a web shell vulnerability the government said was being exploited by multiple hacking groups.
“As far as I can tell, this was a wildly successful operation with no collateral damage,” Krebs said, clarifying that by “collateral damage” he meant no crashing of the corporate systems affected. Although this is the kind of authority watchdog groups have worried the government would abuse, Krebs said its application to date has been “very targeted and discrete.”
Krebs also briefly commented on SolarWinds, the network management company that found itself at the center of a security hack last year that affected its many government and private-sector customers. Krebs subsequently worked with the firm through Krebs Stamos Group, the consultancy he created with former Facebook executive Alex Stamos. The way hackers were able to insert themselves into the software supply chain shows the amount of third-party risk all organizations face, Krebs said.
Referencing Willie Sutton’s line about why he robbed banks, Krebs said, “Why are they going after software companies? Because that’s where the access is.”
The Gartner Symposium/ITxpo began October 18 and runs through Thursday, October 21.