Chris Krebs, the first director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), believes that information security will get worse before it gets better. Krebs, now a founding partner of the consulting firm Krebs Stamos Group, kicked off the information security conference Black Hat USA 2022 with a keynote address on August 10.
Looking ahead to the present and future of the security landscape, Krebs asks three main questions: Why is it so bad now? Why is it getting worse? What can stakeholders do to improve the outlook?
Why is it so bad?
Krebs identified four major factors influencing today’s cybersecurity challenges.
1. Technology: “Safety is seen as friction,” Krebs explained. Right now, software is vulnerable because the focus is on productivity and being first to market rather than slowing down to be safe.
The COVID-19 pandemic has accelerated cloud adoption with undeniable benefits. But it also reduces transparency and adds complexity. “We’re integrating more and more unsafe products into use cases,” Krebs said. “We make risk management more complex.”
2. Bad Actors: As the variety of products and the complexity of use cases increase, so does the attack surface. Cybercriminals exploit vulnerabilities for profit through attacks such as ransomware.
3. Government: According to Krebs, the U.S. government struggles to balance the need for effective regulation with the desire to innovate. Existing regulations are not necessarily effective. “We’re seeing an over-reliance on checklists and compliance rather than performance-based results,” he said.
4. People: Cybersecurity faces leadership and workforce challenges. “Few CEOs understand cyber risk as a business risk,” Krebs said. He also said more education is needed to open doors earlier and prepare more people to enter the workforce.
Why is it getting worse?
Krebs has spent time talking to network leaders and asking them for their views on the short- and long-term outlook for information security. The collective reaction is bearish in the short term and bullish in the long term.
In the short term, the complexity challenge will only grow. More and more things will be connected to the Internet, generating more and more data. “Technology vendors are addressing some potential vulnerabilities, but is it happening at the rate we want?” Krebs asked.
While security solutions try to catch up, bad actors continue to win. “Until we make meaningful consequences and impose costs on them, they’re here to stay,” Krebs asserted.
Krebs also said the government needs to rethink the way it interacts with technology. “I’m ready to make the argument that the digital environment around us has changed so dramatically over the past 25 years, and our government has not kept pace,” he said. Making large-scale government changes takes time.
While the Colonial Pipeline cyberattack in 2021 may have sounded alarm bells for some leaders, Krebs spoke about the need for more leadership to view cybersecurity as a board-level issue and to plan several years, not quarters, in advance.
He gave a concrete example of the need for long-term planning. While the certainty and timing of a Chinese invasion of Taiwan is unclear, Krebs suggested that organizations start considering the possibility now. “If you want to physically segment your network in Taiwan, you have to start now. We need forward-thinking organizations,” he said.
How will security be improved?
While the current security environment is full of obstacles, Krebs is optimistic about the future. He urged technology vendors to focus on more than just creating products for the edge. “We have to address ongoing pain points. It can impact the bottom line of your security services business, but it’s more important to address underlying challenges than band-aids on the fringes,” Krebs said.
Krebs also argued for escalating consequences for cybercriminals. “We need to move from long-term investigations to more destructive actions,” he said. He pointed to the sanctions on the virtual currency mixer Tornado Cash as a step in the right direction.
On the government side, CISA continues to receive funding, which is a positive sign, but Krebs wants to see more progress. “Continue to invest in and build CISA, to make it easier and simpler for organizations to work with governments,” he said.
Cybersecurity still faces a talent shortage, but Krebs is optimistic about the workforce. “Every day, our workforce is becoming more and more technical,” he said.
Ultimately, Krebs believes in a brighter future for security. “I haven’t been naive enough to think that the tech vendors [and] the government are going to figure this out on their own… It’s going to come down to the people in this room. This community. It’s going to take us as leaders to do what we want to see to change.”