The Washington Post

The Cybersecurity 202: Chris Krebs sees a big future for CISA

Analysis by
Anchor of The Cybersecurity 202 newsletter
June 24, 2021 at 7:19 a.m. EDT

with Aaron Schaffer

Chris Krebs, the ex-director of the Cybersecurity and Infrastructure Security Agency, envisions far broader responsibilities for his former agency in the coming years. 

As cyberattacks rise against U.S. industries and increasingly threaten economic security and public safety, Krebs sees a greater role for CISA helping industries protect themselves from hackers and possibly policing minimum cybersecurity requirements in highly critical sectors. 

“I think that what you're seeing is a recognition across the senior levels of government that the status quo is not working right now, given the escalation in the threat landscape,” he told me.

Krebs also advocated a funding increase for the cybersecurity agency to counter the rising threats, calling a $500 million budget boost suggested by Senate Majority Leader Chuck Schumer (D-N.Y.) and others “on track.” Krebs is now on the advisory board of cybersecurity company SentinelOne.

CISA has grown considerably during the past few years as the cyber threat has exploded. 

During the first part of the Trump administration, it was a small agency little known outside the federal bureaucracy and officially still named the National Protection and Programs Directorate. By the end of President Donald Trump’s term, it was among the most visible small agencies in government and played a key role in ensuring the 2020 election was protected against foreign hackers. 

Krebs played a significant role in that reputational growth, publicly advocating for better cyber protections for voting machines and for states to retire outdated machines that lacked a verified paper trail. 

Trump fired Krebs by tweet soon after the election for his insistence — along with other top government officials — that the outcome was valid and free of foreign interference, despite Trump’s baseless claims his loss was fraudulent.  

Yet, CISA has struggled to become the go-to agency for civilian cybersecurity in the government. 

One challenge is that many industry sectors that the Department of Homeland Security, CISA’s parent agency, has deemed critical for national security have regulatory relationships with other parts of the government they’re more comfortable working with. The focus on those sectors has ramped up recently with President Biden insisting to Russian President Vladimir Putin they should be off limits to hacking.

The Energy, Transportation and Health and Human Services departments, for example, have such relationships with energy, transportation and health-care firms. 

Such ties might be useful when it comes to cyberthreats targeting complex sector-specific technology, such as the machines that operate dams, energy grids and some manufacturing, Krebs said. But when it comes to the commercial IT that is the target of most cyberattacks, CISA should take the lead, he said. 

Ransomware attacks, such as those that upended operations at Colonial Pipeline and the meat processor JBS, for example, target computer networks that are pretty uniform across companies. 

“For ransomware, we're talking Windows-based machines. And there's no difference in a Windows-based machine in an energy sector company or a bank or critical manufacturer,” Krebs said. “So I think we've got to have a center of gravity for civilian cyber security. That was always the concept behind CISA.”

Krebs praised an unfolding process in which the Transportation Security Administration will partner with CISA on improving pipeline cybersecurity. 

The first phase of that program — which was developed in response to the Colonial Pipeline ransomware attack — requires companies to alert CISA within 12 hours if a cyberattack disrupts their computer networks. Future phases probably will mandate that pipeline companies verifiably meet minimum cybersecurity requirements. 

Such minimum requirements could be mandated in other critical industries as well, Krebs said, provided it’s done in a nimble way such that the protections keep up with the threat. 

“It's reasonable, I think, to conclude that the market has failed,” he said. “I suspect there will be others to come that have to have a certain set of performance [standards]. The challenge is going to be whether these minimum standards are actually going to generate the security outcomes we want, or is it just going to become a compliance exercise? The devil's in the details here.”

Krebs has continued since leaving government to defend top officials’ conclusion the 2020 election was not undermined by foreign interference. 

That has included a regular stream of tweets combating claims by Trump supporters that President Biden’s victory was illegitimate. 

He declined to speculate on whether such false claims would damage faith in the outcomes of the 2022 and 2024 contests. 

He pushed, however, for more government investment in election security, including ensuring almost all voting machines have voter-verified paper trails by 2022. Such paper trails make it highly unlikely hackers could change votes undetected. 

More than 90 percent of votes in 2020 were cast with a paper record — up from about 80 percent in 2016. That percentage was artificially raised, however, because many people voted by mail during the pandemic in districts where in-person voting was still conducted on machines that lacked paper records. 

The keys

House Democrats added $500 million in election security grants to an appropriations bill, renewing a fight with the GOP.

The proposal could face substantial opposition from House Republicans who opposed most election security legislation in advance of the 2020 contest, especially bills mandating particular security measures for state and local governments.

The House bill would require the money be spent only on voting machines that produce verifiable paper trails. That requirement is supported by the vast majority of cybersecurity and election security experts, but Republicans have argued any mandates unfairly infringe on states’ rights to run elections. 

Congress ultimately approved more than $800 million for election security grants since 2018 with no mandates attached. The money in the latest proposal would be distributed to U.S. states and territories by the Election Assistance Commission, which would have 45 days to do so.

The proposal comes on the heels of Senate Republicans blocking a far broader measure designed to revamp voting rights, campaign financing, government ethics and congressional redistricting.

A top cybersecurity official’s confirmation is being held up by a Republican senator. 

Sen. Rick Scott (R-Fla.) objected to a vote to unanimously confirm Jen Easterly as CISA director, arguing that Vice President Harris must visit the U.S.-Mexico border before any nominees for DHS posts get confirmed in such an expedited manner. 

Harris plans to visit the border on Friday.

“This isn’t about Ms. Easterly. This isn’t about cybersecurity,” Scott said, later arguing in a statement that “the American people deserve better than just another political stunt.”

Krebs stressed the importance of the Senate confirming Easterly as quickly as possible.

“There's a team over there that has been without a confirmed director for over seven months now and I think that's something we need to address,” he said. 

Anti-virus pioneer John McAfee’s death in a Spanish prison elicited a mix of praise and criticism from the cybersecurity community.

McAfee was found dead in a prison cell hours after a Spanish court issued a ruling advancing his extradition to the United States on tax evasion charges, Glenn Rifkin writes in a must-read obituary. McAfee styled himself as an outlaw, living a life of bizarre, often allegedly criminal pursuits.

“I’m a madman to some people because I don’t follow the normal rules,” McAfee told ABC’s “20/20” in 2017. “You know, the drummer that leads me is an odd drummer, but I follow the sound.”

Chat room

The McAfee discussion ran the gamut from mourning to criticism. Sophos Labs’s Sean Gallagher:

Others criticized his business schemes and irresponsible behavior. Luta Security CEO Katie Moussouris:

The Electronic Frontier Foundation’s Eva Galperin:

Bloomberg’s William Turton recalled what happened after he wrote an article about McAfee:

Government scan

FBI asks Congress for $40M to help combat wave of ransomware attacks (The Hill)

Global cyberspace

Commission plans EU cyber unit to tackle online crime (Reuters)

EXCLUSIVE Pacific island turns to Australia for undersea cable after spurning China (Reuters)

Securing the ballot

Tension grips Michigan as Trump’s election attacks continue to reverberate (Tom Hamburger)

Industry report

Craig Newmark Philanthropies donated $450k to boost anti-ransomware coalition (CyberScoop)

Daybook

  • The House Small Business Committee holds a hearing on CMMC cybersecurity implementation today at 10 a.m.
  • Cybersecurity and Infrastructure Security Agency officials discuss ransomware at an Infosec webinar today at noon.
  • The Cyber Threat Alliance holds a webinar on botnets and cybersecurity labeling today at 11 a.m.
  • John Sherman, the Pentagon’s acting chief information officer, testifies before a House Armed Services subcommittee on June 29 at 2 p.m.

Secure log off