Former CISA Director Also Addresses Ransomware Threat, Federal Security Leadership Issues
The federal government should provide more funding to state and local agencies for IT projects that could enhance cybersecurity and help mitigate ransomware attack risks, says Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency.
Speaking at a Wednesday event, Krebs said that while the National Defense Authorization Act passed last year attempted to address many security shortcomings in the federal government, more investment is needed at the state and local level.
“I really think that it is well past time for a 21st-century digital infrastructure investment act, where we provide the equivalent of block grants to state and local [agencies], where they can modernize their IT infrastructure,” said Krebs, who now runs a security firm, The Krebs Stamos Group, with former Facebook CISO Alex Stamos.
“I think that’ll improve citizen services, and it will boost American tech companies that can then provide more high-paying tech jobs to more Americans. And yes, it will help stop ransomware; it will improve defenses by investing in cloud-based services that use multifactor authentication.”
Biden Administration Initiatives
Krebs made his pitch for more investment in digital infrastructure a week after President Joe Biden unveiled a $2 trillion infrastructure spending plan that the White House says will create new jobs and boost the economy. Some analysts faulted the administration for not offering more specific cybersecurity provisions within the plan, but others believe investments in improving infrastructure, such as modernizing the nation’s electrical grid, will translate into better security (see: Biden’s Infrastructure Plan: 3 Cybersecurity Provisions).
Congress is now considering Biden’s infrastructure plan.
The recently passed $1.9 trillion coronavirus relief package, known as the American Rescue Plan, provided $650 million to CISA for “cybersecurity risk mitigation” as well as $1 billion for the General Services Administration to spend on IT modernization projects.
Before he was fired from CISA by then-President Donald Trump a few weeks after the 2020 elections, Krebs made strengthening the U.S. voting infrastructure a top priority for the agency, which included giving more support to state and local agencies that lacked funding and cyber expertise.
“I was glad to see in the 2021 National Defense Authorization Act that they included the cyber-state coordinator provision as that will provide for around 50 additional cybersecurity advisers – one in every state – to work directly with state and local agencies, CIOs and CISOs,” Krebs said.
During the event, Krebs was also asked about the issue of ransomware, which has been an ongoing problem for state and local governments as well as school districts and healthcare organizations (see: Mark of Ransomware’s Success: $370 Million in 2020 Profits).
Last month, Department of Homeland Security Secretary Alejandro Mayorkas announced the agency would conduct a 60-day “sprint” exercise focused on battling ransomware as part of the department’s effort to improve cybersecurity in the federal government as well as at the local level.
“Let me be clear: ransomware now poses a national security threat,” Mayorkas said at the time.
Krebs noted that he became increasingly concerned about the ransomware threat in 2018, but the explosion of these types of security incidents in 2019 and 2020 showed how vulnerable state and local networks were to attacks (see: CISA Prepares to Use New Subpoena Power).
“What I was seeing on a daily basis was American communities were being functionally disrupted by ransomware … and that’s what the American people see,” Krebs said. “And I was concerned that there was a kind of a death by a thousand cuts coming our way, where our citizens were going to lose confidence in the ability of the government to deliver the key core services they needed.”
Speaking at the same event, Michael Daniel, White House cybersecurity coordinator during the Obama administration and current president and CEO of the Cyber Threat Alliance, added that most Americans understand the threat that ransomware poses to schools and hospitals.
“If you actually talk about what affects most Americans, they are never going to run into the Russian SVR. They’re going to run into ransomware, business email compromise and other kinds of scams,” Daniel said.
Addressing other issues, Krebs said he was skeptical about the value of the newly created position of national cyber director at the White House, which has yet to be filled. He contended that national cybersecurity leadership should be handled by the National Security Council, where Anne Neuberger serves as deputy national security adviser for cyber and emerging technology. She is coordinating the investigations into the SolarWinds supply chain attack and the attacks that targeted unpatched on-premises Microsoft Exchange email servers.
Krebs also said CISA should continue to work with state and local agencies on cyber issues as well as partner with private industry.
The former CISA director acknowledged, however, that someone at the federal level needs to have ultimate responsibility for coordinating responses to cyberthreats and developing a strategic vision of security.
“Someone has to be running some sort of god’s-eye view over cybersecurity operations within the federal government, whether it’s the intelligence community, military operations, law enforcement, defensive and civilian side – someone has to have … a daily job of coordination,” Krebs said.
Krebs also stressed the urgency of the Biden administration appointing a permanent director for CISA, which has been without Senate-confirmed leadership since November 2020. Since then, Brandon Wales has served as acting director.