Chris Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA), a part of the US Department of Homeland Security, believes that information security will get worse before it gets better. Krebs, now a founding partner of consulting firm Krebs Stamos Group, opened information security conference Black Hat USA 2022 with a keynote speech on August 10.
Looking to the present and future of the security landscape, Krebs posed three main questions: Why is it so bad right now? Why will it get worse? What can stakeholders do to improve the outlook?
Why Is It So Bad?
Krebs identified four main factors that are shaping today’s cybersecurity challenges.
1. Technology: “Security is seen as friction,” Krebs explained. Right now, software is vulnerable because the focus is on improving productivity and being first to market, rather than slowing down to ensure security.
The COVID-19 pandemic accelerated adoption of the cloud, which has come with undeniable benefits. But it also has reduced transparency and increased complexity. “We are integrating more and more insecure products into use cases,” said Krebs. “We are making it more complicated to manage risk.”
2. Bad actors: As the diversity of products and complexity of use cases grows, so does the attack surface. Cybercriminals are monetizing vulnerabilities through attacks like ransomware.
3. Government: The US government struggles to balance the need for effective regulation with the desire for innovation, according to Krebs. And the regulation that is in place isn’t necessarily effective. “We see an overreliance on checklists and compliance rather than performance-based outcomes,” he said.
4. People: Cybersecurity faces leadership and workforce challenges. “The CEO that understands cyber risk as business risk is few and far between,” Krebs said. He also expressed the need for more education, opening the door earlier and preparing more people to enter the workforce.
Why Will It Get Worse?
Krebs has spent time talking to network leaders, asking their take on the short-term and long-term outlook for information security. The collective response has been a bearish in the near-term and bullish in the long-term.
In the near-term, the challenge of complexity will only grow. More and more things will be connected to the internet, generating more and more data. “Technology vendors are addressing some of the underlying vulnerabilities, but it is happening at the pace we want?” Krebs asked.
While security solutions try to catch up, bad actors are continuing to rack up wins. “Until we make meaningful consequences and impose costs on them, they will continue,” Krebs asserted.
Krebs also expressed the need for the government to rethink the way it interacts with technology. “I am ready to make the argument that the digital environment around us has changed so dramatically the last 25 years while our government hasn’t kept up pace,” he said. Making large governmental changes take time.
While the Colonial Pipeline cyberattack that took place in 2021 may have been a wakeup call for some leaders, Krebs talked about the need for more leadership to recognize cybersecurity as a boardroom-level issue and to plan years, rather than quarters, in advance.
He offered a specific example of the need for long-term planning. While the certainty and timing of a Chinese invasion of Taiwan is unclear, Krebs advised organizations to begin thinking about the possibility now. “If you want to physically segment your networks in Taiwan, you have to start that now. We need organizations thinking forward,” he said.
How Will Security Improve?
While the current security environment is fraught with obstacles, Krebs is optimistic for the future. He urged technology vendors to focus on more than creating products for the edge. “We have to solve the hard problems that continue to persist. It may impact the bottom line of your security services business, but it is more important to solve the underlying challenges, rather than the band-aid on the edge,” Krebs said.
Krebs also advocated for escalating consequences for cybercriminals “We need to shift from longer term investigations to more disruptive actions,” he said. He pointed to the sanction of virtual currency mixer Tornado Cash as a step in the right direction.
On the government side, CISA has continued to receive funding, a positive indication, but Krebs wants to see more progress. “Continue to invest and build CISA out; make it easier and less complex for organizations to work with the government,” he said.
Cybersecurity is still faced with a talent shortage, but Krebs is optimistic about the workforce. “Every day that goes by, our workforce becomes increasingly tech-native,” he said.
Ultimately, Krebs placed his faith in people to bring about a brighter future for security. “I am not naïve enough to think that technology vendors [and] the government on their own are going to fix this…It will come down to the people in this room. This community. It is going to take us as leaders to make the changes we want to see.”