Chris Krebs knows a thing or two about cybersecurity. As the former director of the US Cybersecurity and Infrastructure Security Agency (CISA), he has been privy to threats and vulnerability insights at both an enterprise and nation-state level.
A trained lawyer, Krebs is realistic about the way we all use data in our everyday lives. He is known for his solid realism in terms of the way he expresses the state of the global IT nation. “Everybody works from imperfect information,” said Krebs, at a CTISummit in early 2021.
Pointing out that as much as 85% of critical infrastructure is owned by the private sector in many developed nations, Krebs highlights the fact that this means cybersecurity itself as a practice is left up to the individual organisations that make up this figure. What this means in practice is that ransomware is now targeting not just enterprises, but also large organisations like hospitals.
A Democratisation of Cyber-Competencies
Krebs calls for a democratisation of cybersecurity competencies, not just at the software tools and information level, but also at the insights, skills and competencies level. “Preparation, commitment, and follow through are key to addressing complex problems,” said Krebs.
Krebs has now left his public sector positions and can now be found on the IT conference speaker circuit while also running Krebs Stamos Group, a cybersecurity consultancy based in Washington DC.
Speaking at the Qualys QSC 2021 conference in Las Vegas in November this year, his keynote showcased some interesting trends and was entitled ‘Defend Today, Secure Tomorrow’.
Thinking about how today’s cyber threat landscape now stretches out in the UK and other westernised democracies, Krebs says he’s constantly being asked about who the bad guys actually are and what are governments actually doing about them and their activities.
“If we look at the installed base of technologies out there, it is a wild and scary space. If you think about where we are going to be in just five years into the future and the amount of unthinkable complexity that will exist with all the devices in our homes and in our office and even in the our bodies, I think we can all agree that there will be more of everything,” said Krebs.
But in the backdrop, secure-by-design is not always the template that organisations are building the future for these new technologies upon. Krebs says that the problem in the real world is that there are so many bad actors out there that don’t harbour the respectable values relating to privacy and security that most of us have.
As we now look to how personally identifiable data is being compromised by nations, organisations do need to think on a more macro level. Krebs called out the Russians, Chinese, Iran and North Korea as key protagonists and said specifically that North Korea is now a cybercriminal state.
“Digital risk is here to stay, there will only be more attack surfaces going forwards. Nation states are building global on-demand surveillance infrastructures. The Russians and the Chinese are developing capabilities to collect information in real time. When operatives working for these countries get to their desk, they have a shopping list of targets,” said Krebs.
Why Do You Rob Banks?
When they asked the famous outlaw Willie Sutton why he robbed banks, he said “because that’s where the money is” right? The same logic holds out for why cyber-minded nations are building strategies and infrastructures to access our information networks in the UK and the West at large, it’s because “that’s where the money is” now that we have digital banking and more.
As cryptocurrencies now develop, Krebs says that the anti-money laundering systems of old won’t work because a new and more permissive system exists. He thinks that ransomware exists today in the form that it does because bad actors in non-western governments have almost built an income from it into their actual GDP.
Krebs says that today we have adversaries that know parts of our national infrastructures better than we (the UK and the West) do. As we now move to a future where governmental use of IT is further expanding, he says that the public sector’s relationship with IT itself exists on four tiers:
- As a consumer
- As an enforcer
- As a defender
- As an enabler
The enforcer element means that governments have to be a regulator and also act as law enforcers. Krebs insists that more regulation is coming to most developed nations’ economies and public sector contractors. Among those responsible for implementation will be the federal government in the US and the UK Information Commissioner’s Office (ICO).
As we look forward to governments working as defenders, Krebs says it’s all about putting what he calls ‘sand and friction in the operations’ of bad actors.
What Do We Do About it All?
Krebs is open about the fact that despite his proximity to the American power swagger that emanates from the Pentagon, the NSA and more, no single organisation is going to be the sole solution provider.
There is now the emergence of zero-trust architectures as the over-arching concept driving the way cybersecurity products are being built. This has helped increase the perception of the problem in boardrooms. If there is something of an ordered operational template that describes the route for chief information security officers (CISOs) to follow looking forward, Krebs suggests the following:
- Identity Management
- Asset Management
- Incident Response
“We have to make it easier for everyone to be secure and to reduce the opportunity space for the bad guys – it’s about removing the ‘stupid human’ risk factors. In the increasingly perimeterless environment of the future with working from home in the COVID-19 aftermath, identity management will be fundamental,” said Krebs.
As enterprise organisations now work to provide not just identity management but higher-level asset management to provide observability, we can think about creating incident response systems that will work for real world operations.
Everybody Has a Bad Day
As a closing thought, Krebs says it’s all about realising that everyone (by which he means every organisation) is going to have a bad day, so building a basic protection structure around these principles will enable the best route to recovery for future operations.
“The only people that really understand how bad the ransomware threat is out there are the bad guys,” said Krebs in a closing Q&A… so in summary, we can perhaps take this discussion as a call to action to drive an even more sophisticated cyber command and intelligence community in all democratised developed nations.
Do you feel safer now that you know more? If not, that’s probably exactly the point.