Nation’s first cybersecurity chief cites four factors enabling cyberattacks

The nation’s first cybersecurity chief is warning that the growing threat landscape will get worse as society and businesses become more digitized.

At the Black Hat USA 2022 conference, Chris Krebs, the first director of the U.S. Cybersecurity and Infrastructure Security Agency, said he spent the last 18 months gathering information. He spoke to people in the private sector as well as federal, state and local governments in the U.S. and abroad to determine what they are trying to accomplish and “what keeps them up at night.”

That journey, he said, unearthed three main questions: Why is it so bad right now? What do you mean it’s going to get worse? What do we do about it?

Krebs, founding partner of the Krebs Stamos Group, cited four main reasons why the current situation is quite challenging: Technology, bad actors, the government and people.

On technology, he referenced a quote from Daniel Miessler, author of The Real Internet of Things: “Software remains vulnerable because the benefits of insecure products far outweigh the downsides. Once that changes, software security will improve but not a moment before.”

Krebs explained that companies prioritize productivity and reducing friction – being first to market, for instance. Security is often seen as slowing things down.

Often when securing products, they become more complex. “As we are integrating more and more insecure products into use cases, we're making it more complicated to manage risk.”

The good news is that vendors are enjoying a “vibrant, robust ecosystem” and addressing some underlying vulnerabilities, Krebs said. But he questioned whether those vulnerabilities are being addressed fast enough.

One weakness stemming from more complex tech stacks is there are more surfaces to attack now by hackers. Over the last two years, the “biggest collective falling down of government, of industry, is on ransomware,” he said.

Such attacks have rapidly increased in the last few years. In the first quarter of 2022 alone, Trend Micro said it detected and blocked more than 4.4 million ransomware threats, up 37% from the previous quarter.

Figure 1:

And according to Krebs, ransomware is taking away focus from traditional national security threats from Russia, China, North Korea and Iran. “Our intelligence community or national security community that was five years ago focused on the highest sort of threat … now they have had to broaden their view of threat actors to include cybercriminals.”

“We have fetishized the advanced persistent threat. We've over-rotated on [China], we've over-rotated on [Russia] when cybercriminals have been eating our lunch in the meantime,” he added.

The former CISA director said that actors originating from nation states understand that tech systems are becoming more complex and hence see more ways to breach walled gardens. They specifically like to target the software supply chain – for access, data theft and ability to scale.

“Companies that are shipping (software) products are shipping targets,” Krebs said. Cybercriminals “understand the dependencies and the trust connections that we have on our software services and technology providers, and they’re working up the ladder through the supply chain.”

And it is not just China, Russia and other nation actors people need watch. As the world becomes more digitized and connected, every country is looking at opportunities for “disruption and destruction” in the digital space, Krebs warned.

Regulation and education

Meanwhile, the government has struggled to strike the right balance between balancing regulations and allowing innovation to grow, he said. Because of these competing objectives, what has resulted is regulatory imbalance. For example, the financial services industry is heavily regulated at the federal and state levels, but then “drops off.”

“We hear that all the time that regulation stifles innovation, and as a result, what we've had is an uneven application of market interventions or regulations,” he said. “We see an over-reliance on checklists and compliance rather than performance-based outcomes.”

One idea he proposed is that Congress needs to create select committees to consolidate oversight over various departments and agencies. “We have 101 civilian agencies. And every single one of them is running their own email service. We’ve got to fix that.”

Finally, the fourth reason for cybersecurity’s current woes is the people. “Leaders are not leading. The CEO that understands cyber risk is a business risk … (these leaders are) few and far between,” he said. However, “now it’s changing.”

The cybersecurity industry also needs more workers. He mentioned the Diana Initiative, which seeks to make the infosec workforce more diverse, but more must be done to educate the youth about industry opportunities.

“I have five kids … and they go to a pretty good school, but there aren't opportunities for them to experience coding. We don't have a technology-oriented curriculum, like some other countries, and that’s something we’ve got to fix.”

However, the former CISA director said that he was more optimistic overall as workforces are becoming increasingly tech native.