LAS VEGAS–Chris Krebs, the founding director of the government’s Cybersecurity and Infrastructure Security Agency (CISA), came to the Black Hat information-security conference here with three questions on his mind:
“Why is it so bad right now?"
"What do you mean it's going to get worse?"
"What are we going to do about it?"
Krebs attempted to answer those questions, which he says he’s heard repeatedly from government leaders over the last 18 months, in the keynote that opened Black Hat on Wednesday morning. The short version of his answer to all three: "It isn't hopeless."
The longer version of it began with Krebs unpacking the systemic issues he says he sees in the US approach to information security. At the level of technology, Krebs says we’ve taken the existing problem of companies viewing security as a cost center and a brake and compounded it with the increasing migration of key corporate services to various cloud vendors.
“You can't see what's happening on the backplane of the cloud,” he says.
Krebs also criticized the US for focusing too much on sophisticated nation-state attackers instead of grappling with the less exciting problem of ransomware, or "the biggest collective falling-down of government and industry,” as he puts it.
"We've kind of fetishized the advanced persistent threat,” Krebs says. "Cyber criminals have been eating our lunch in the meantime."
Government agencies need to upgrade from asking companies to comply with cybersecurity checklists to making outcome-based assessments, he says. And they need to simplify lines of communication. "It's still difficult for a private-sector organization to know who to work with."
CISA’s founding in 2018 was meant to bring some of that simplicity. Krebs