WASHINGTON: Former top government cybersecurity official Chris Krebs said today that it’s likely just a matter of time before one or more of America’s adversaries turn to more “destructive” cyberattacks, an ominous warning whose manifestation would significantly escalate tensions in cyberspace and between nation-states.
Krebs, the former chief of the Cybersecurity and Infrastructure Security Agency, did not provide specifics, but he alluded to the usual suspects Russia and China, as well as a widening group of cyber-capable adversaries.
“It’s a really scary environment when every single country has the ability to develop cyberespionage and domestic surveillance and destructive [cyber] capabilities,” Krebs said.
Krebs noted that, right now, the US has “a significant advantage over every adversary, so what will they do?” He said they will likely, at some point, leverage “destructive capabilities” as an asymmetric tactic.
Krebs expressed general concerns about the “permissible environment” afforded by “incredibly complex infrastructure” and inadequate cybersecurity. He specifically referred to energy pipelines, alluding not only to the Colonial Pipeline incident in May but also to a joint CISA-FBI advisory published in July.
“There’s one line [in that CISA-FBI advisory] that should scare the hell out of everyone everywhere,” Krebs said, and that’s “They’re going after our infrastructure to hold us hostage. …Part of how you win a war is to make someone not want to fight. [Adversaries are] putting us in a position where the homeland is no longer a sanctuary.”
The CISA-FBI advisory Krebs alluded to specifically addressed Chinese activities against US energy pipelines from 2011 to 2013 and followed another advisory on the same topic issued in February 2020 and then the Colonial Pipeline ransomware attack in May. The lines in the advisory Krebs appeared to reference are, “CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”
Krebs’s comments came during the 2021 CyberwarCon event, which happened to coincide with the third anniversary of CISA’s founding and at the one-year mark of his firing as CISA director by former President Donald Trump during the fallout from the 2020 election.
Krebs now runs a private consulting firm and said he has spent the past year “traveling around to hear what folks are worried about.” During these talks, he said he gets three main questions: Why is it so bad, what is the government doing about it, and what should industry be doing about it?
Krebs said these conversations have led him to focus on two trends, in addition to energy pipelines. One trend is SolarWinds-like supply chain hacks that allow “capable adversaries to develop real-time espionage.” Krebs noted that the government’s moves around defining and defending critical software are a welcome step in the right direction.
The other trend is ransomware and disinformation. To the former, Krebs again mentioned the problem of “permissible environments” and said that until that problem is addressed, the attacks will continue. To the latter, he said the government needs to adjust its approach.
“If you continue to tap government leaders with a background in cyber, you’re going to get the expected results. We need experts in disinformation and a more strategic approach to countering disinformation,” he said.
These three trends, in turn, led Krebs to note three themes that currently permeate cyberspace in his view. The first is that cyberspace is a “contested environment,” echoing other government leaders.
The second is a “permissible environment” for cyberattacks; here Krebs pointed to the “unthinkable complexity” (channeling sci-fi writer William Gibson’s classic novel Neuromancer) that “the human brain struggles with.” To deal with the complexity, Krebs said the US has to “focus on the technology that matters.”
“It’s the only way we’re going to get out of this,” he said, because “for the rest of human history, we’re going to have a complex digital infrastructure.” The US government and businesses need to develop “a real-time dynamic assessment of what’s critical,” he added.
The third theme is the combination of a dilution of resources and the distraction caused by adversaries. Here, Krebs emphasized that “the number of attacks is exhausting” and that they are stretching the government’s and organizations’ “limited resources.” This includes attacks from low-skilled “chuckleheads” who peddle “shitware,” he observed.
He also harkened back to 2020, while he was still at CISA, saying “in the run-up to the election, we were facing a government denial of service” because resources were stretched so thin. He added, “throwing money is not going to solve the problem.”
So, what to do, Krebs asked rhetorically in closing. To his own question, he answered, “Regulation is inevitable, and it’s also inevitable we’ll probably get it wrong.” But, he said, “We have to change the decision calculus across public-private partnerships.”
In response to an audience question about how to attract and retain cybersecurity experts in government, Krebs said, “I don’t think it’s a bad thing when there’s a revolving door, from a cyber perspective. It keeps refreshing talent and tools. [But the government needs to] cut out the crap, the bureaucracy. It takes a year to get hired. We need to make it easier to come in.”
Acknowledging the difference between private and public sector salaries and the resulting challenge for government to retain talent, Krebs noted, “I wouldn’t undersell the mission piece. I think there are people who are just drawn to it,” echoing what US Cyber Command and National Security Agency chief Gen. Paul Nakasone has said in the past.
The talk ended on a lighter note, with one of the conference organizers bemoaning the inability to play the “Top Gun” movie theme song as he gave Krebs a flight jacket, the back of which read “Fired by Tweet.”