#ISC2CONGRESS - Chris Krebs Keynote Address: Fighting Cyber Adversaries Requires New Thinking and Approaches
The number of connected devices will continue to increase in the next five years, widening the attack surface for cyber adversaries. If we hope to have a fighting chance against them, we need a shift in thinking about defenses as well as increased cooperation between the private sector and government.
That was the message delivered by Chris Krebs in the opening keynote of (ISC)2 Security Congress 2021, taking place virtually today through Wednesday. His keynote was the first of about 130 sessions scheduled for the three-day event. Krebs is the former director of the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security. He served in the role from November 2018 to November 2020.
Speaking about the need to rethink cyber defenses, Krebs said the past five years have been nothing short of “crazy” in terms of cybersecurity, starting with Russian interference in the 2016 election. That was the “Sputnik moment” for cybersecurity, he said, referring to the Russians’ early win in the space race. “It was a wake-up call” that showed “you could destabilize democracy through cyber capabilities.”
The hits kept coming after that, Krebs noted, citing a series of high-profile cyber incidents that followed. Those included the global WannaCry and NotPetya ransomware attacks and the Equifax breach in 2017, the SolarWinds supply chain attack last year, and this year’s Colonial Pipeline attack.
Cyber adversary teams in China and Russia have been especially active in recent years, Krebs said, although other countries such as Iran and North Korea have caused their fair share of mayhem. While Russian attackers are more focused on disruption, the Chinese have more strategic, long-term objectives.
The goal of the Chinese Communist Party, Krebs said, is to dominate the global market by stealing intellectual property and source code to replace and supplant them with their own technology. The cyber offensive teams in China, he said, probably outnumber all of those in Western nations combined.
Of special concern for the U.S. and its allies is their critical infrastructure, which can become a target for adversaries. We need to prioritize the creation of standards and guidelines to defend it, Krebs said.
Pressing Questions
In conversations with corporate leaders, Krebs said, three questions typically come up about cyber threats:
- Why is it so bad?
- What is the government doing about it?
- What can individual organizations do?
The reason the situation is so bad, Krebs said, is that the attack surface remains too permissive. Consider ransomware, which Krebs called “the number one threat model that every organization should defend against.”
It’s still too easy for cyber adversaries to execute and automate attacks. Another problem is that attackers haven’t suffered enough consequences for their actions. There is also an economic benefit for perpetrators because they’re using cryptocurrencies for extortion. Adversaries couldn’t pull off their attacks if the ransom payments were coming from the banking system, which is subject to regulations that track the movement of large sums to prevent money laundering and the financing of terrorism.
We need regulatory requirements around cryptocurrencies, Krebs said. “We’ve got to make it harder for the bad guys to operate here,” he said. “We’ve got to target cryptocurrencies to make it harder to transfer money.”
Government Roles
Regulation is an area where the government, in its role as enforcer, can make a difference in combating ransomware, Krebs said. But he added the government also plays other roles, namely those of consumer, defender and helper.
As the largest consumer of IT products in the world, Krebs said, the U.S. government can impose requirements to strengthen security. An Executive Order issued by President Joe Biden in May was a step in the right direction, Krebs said. It instructs federal agencies to step up “efforts to identify, deter, protect against, detect and respond to” cyber threats and adversaries.
One of the order’s directives involves working toward zero trust architectures, which Krebs called “the path to greater organizational resilience.” He added: “It’s about verifying the people, the technology, the data and the transactions.”
In the role of defender, Krebs said, the U.S. government, in collaboration with our allies, can make it harder for cyber adversaries to operate by disrupting their networks and command-and-control servers. The idea is to create chaos to keep attackers focused on their own problems as opposed to creating problems for us.
When it comes to the government’s helper role, Krebs said, “I continue to see CISA as the front door for engaging with industry.” CISA has the resources to help organizations and is a “key partner” in the fight against cyber adversaries.
But while government has these roles to play, Krebs noted private organizations must do their part. CEOs must set the example for building a cybersecurity posture and recognize that “it’s about people, it’s about technology and it’s about processes. It all starts with leadership.”
(ISC)2 Security Congress continues through Wednesday, October 20. For a full agenda of sessions, please visit: https://congress.isc2.org