Ex-CISA Director Talks Private Sector Benefits, Agency Needs
The Cybersecurity and Infrastructure Security Agency's former director highlighted the benefits of moving into the private sector and discussed what his former agency can do better to attract industry collaboration. Speaking Wednesday at the Black Hat cybersecurity conference in Las Vegas, Chris Krebs said moving into private practice has been “lucrative.” The last 18 months “for me have probably been the most fun in my career. Yes, I had fun at CISA. I’m having more fun now. ... We get paid pretty well in this industry.” Krebs said he ran compensation models at CISA trying to figure out why government isn’t attracting the necessary talent: “When you look at pay in this industry, it’s pretty illuminating.”
Krebs founded the cybersecurity consultancy Krebs Stamos Group with Stanford University professor and former Facebook chief security officer Alex Stamos. SolarWinds, the victim of one of the most high profile cyberattacks in recent years, hired Krebs Stamos as an independent consultant.
The most significant, collective failure of industry and government has been addressing “professionalized” ransomware attacks, said Krebs: The financial incentive is there, and it’s not costing actors anything, he said. Likewise, the private sector doesn’t have the right incentives to ensure products are secure, he said: Software remains vulnerable because the benefits of shipping insecure products far outweigh the downsides. Software security won’t improve unless that changes, he said: “We don’t have a system that changes that balance of the value of secure products.”
House Commerce Committee leaders sent letters Wednesday to NTIA and the departments of Commerce, Energy, and Health and Human Services requesting briefings on how the federal government is addressing network security. Chairman Frank Pallone, D-N.J., and ranking member Cathy McMorris Rodgers, R-Wash., led a bipartisan group seeking information about the vulnerability in the open-source Apache Log4j logging library, which has been used in ransomware attacks. The “ubiquitous nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the U.S. government is identifying and mitigating potential compromises to its network security,” they wrote. They cited comments from CISA Director Jen Easterly describing the vulnerability as a “severe risk.” Enforcers “will only minimize potential impacts through collaborative efforts between government and the private sector,” they quoted Easterly as saying.
Krebs highlighted areas of improvement for federal agencies and Congress. “Even when the government does regulate, they don’t necessarily do it right,” he said. “They don’t do it well. We see an overreliance on checklists and compliance, rather than performance-based outcomes.” There has been some improvement, he said, noting CISA’s recently released performance guidance: “We need more of that.”
It’s “still difficult to work with the government,” Krebs said. Industry doesn’t know whom to turn to, whether it’s the FBI, CISA, DOE or Treasury, he added. “The value prop isn’t as clear as it needs to be. We’ve got to fix that.” He suggested Congress continue investing in and building up CISA so it’s easier and less complex for organizations.
The number of devices collecting data is only increasing, and it’s creating an “incredible amount of data exhaust,” said Krebs. “We have a pathological need to connect things to the internet,” which means the cyber industry is also filled with opportunity and is durable, he said: “We are going to be dealing with these challenges for the rest of our lives and perhaps the rest of human history. There will be digital, technologically related risk issues that we’re going to have to solve.”