The problems plaguing digital security will continue to get worse in the near term until governments and private industry fundamentally reorganize around a new societal model for common defense, a former top federal cybersecurity official said Wednesday at the Black Hat conference in Las Vegas.
Chris Krebs, who served as the first director of the Cybersecurity and Infrastructure Security Agency until 2020, said that conversations he has had with governments and businesses around the world over the past 18 months have underscored a grim reality for the status quo in cybersecurity.
Between a software industry that still values speed and first-to-market delivery over security, governments with flawed regulatory models, and criminal and nation-state threat groups that have gotten better at understanding the interconnectivity and vulnerability of modern IT networks, society at large is becoming more vulnerable and less capable of safely navigating that complexity.
“We operate inside a larger ecosystem, inside businesses that are focused on productivity, reducing friction. They tend to see us — security — as slowing things down,” said Krebs. “What’s happening is as we are integrating more and more insecure products into use cases, we’re making it more complicated to manage risk.”
As SC Media reported last year, the current state of software insecurity represents an existential crisis for the cybersecurity industry. Vendors spend billions of dollars designing products and tools to protect organizations from criminal and nation-state hackers, but supply-chain compromises and zero-day vulnerabilities in software from SolarWinds, Microsoft, Kaseya and other major providers have offered adversaries a direct path to access and exploitation that bypasses all of those investments.
There is simply too much software in the world today to fix all the bugs, vulnerabilities and misconfigurations that malicious hackers exploit. This is true for the code and programs themselves, as well as for the vast ecosystems of application programming interfaces they are plugged into in order to talk to and interact with other systems.
More recent developments like COVID, large-scale cloud migration and the outsourcing of business functions like HR, payroll and business management services to third-party providers have only compounded those trend lines. Now even mid-market service providers can occupy a systemically important role within this digital ecosystem.
Krebs said a more “vibrant” tech and security sector has been working to solve some of these core challenges around security, but not at the pace needed to keep up with the rapidly evolving threat landscape.
A larger societal reorganization around cyber defense
On the government side, Krebs said a major reorganization of government and industry is needed to address the public policy realities of this interconnectivity and interdependency. He cited as a model the Reorganization Act of 1939, passed under President Franklin Roosevelt, which led to the creation of the Executive Office of the President and helped reorganize the federal government for a more modern age.
“I think it’s time to rethink the way governments interact with technology. I think we need to take a hard look at how governments are organized,” he said.
Something similar should be considered to confront our shared digital reality. In the coming months, part of his work with organizations like the non-profit Aspen Institute will be considering what those new models might look like. One such idea: creating a new U.S. digital agency that takes on elements of responsibility from CISA, the National Institute of Standards and Technology, the National Telecommunications and Information Administration, the Department of Energy and its national labs, the Federal Communications Commission and the Federal Trade Commission, to handle cybersecurity, digital privacy, and trust and safety issues.
Another option would be further empowering existing agencies like CISA, moving them out of the Department of Homeland Security and allowing them to operate as independent agencies with a more robust mission.
Congress, meanwhile, should take seriously a recommendation by the Cyberspace Solarium Commission to establish dedicated cybersecurity committees to centralize oversight and eliminate turf battles that often slow down the government’s ability to adapt to new digital realities. While some of these options are considerably less realistic than others, he said the failure of the current model to keep pace with the threat requires a different approach.
He welcomed more aggressive pushes by CISA and other agencies over the past year to regulate industry's defensive cybersecurity, but also acknowledged that government regulators can often focus on surface-level compliance that doesn't address the underlying problems and trends.
Meanwhile, the Department of Justice has been able to make an impact by switching from a model of investigating and indicting foreign cyber actors (many of whom will never actually see a U.S. courtroom) to disrupting and seizing adversary infrastructure. The Department of the Treasury is also hitting closer to the mark with sanctions on cryptocurrency mixers like Tornado Cash, which often act as a vehicle for ransomware gangs and other cybercriminals to launder and access stolen funds.
Despite efforts in recent years to create entities like CISA and the Office of the National Cyber Director that can effectively manage the government's approach to defensive cybersecurity, it is still not clear to many businesses which agency they should contact in the wake of a breach.
In particular, the U.S. government was slow to fully recognize the national security threat that ransomware poses to critical infrastructure and a functioning society, which allowed the problem to metastasize. As a result, intelligence and national security agencies that had traditionally "fetishized" the threat from nation-state hacking groups have had to scramble to develop ways to slow down or disrupt ransomware operations.
Working to create a more cohesive federal organization that can quickly move to impose costs on ransomware actors and cut off access to victim funding is essential to solving these and many other problems.
“The bad actors are getting their wins and until we make meaningful consequences and impose costs on them, they will continue,” said Krebs. “Ransomware is here and it’s so prevalent and it’s gotten professionalized, and the barriers to entry have dropped. Now they have availability or options for exploits that were the remit of nation states only a couple of years ago because the money is there, they’re profiting and it’s not costing them anything. They’re not feeling pain.”