The U.S. government holds tremendous power and potential to better defend against and prevent cyberthreats, but bureaucratic morass and myopic thinking are getting in the way, Chris Krebs, a founding partner at Krebs Stamos Group, said Wednesday at the Black Hat USA conference in Las Vegas.
The U.S. government has struggled to establish regulation because it’s leery of stifling innovation, he said. And it’s still difficult for organizations to work with the government, let alone figure out which agency should be engaged.
Slight course corrections won’t suffice.
“The digital environment has changed so dramatically in the last 25 years while our government hasn’t kept up pace,” Krebs, the former founding director of the Cybersecurity and Infrastructure Security Agency, said.
A massive government reorganization is in order, he said. This should include the establishment of a digital agency focused on empowering better digital risk management across cyber, privacy, trust and safety.
“We’re not where we need to be and we’re falling behind,” he said, “and Americans are suffering as a result.”
Separate CISA from Homeland Security
Absent an extensive government agency overhaul, CISA could be pulled out of the Department of Homeland Security as a sub-cabinet agency, he said.
“Instead of going to five or six different agencies, make the front door clearly visible and as I see it that’s CISA,” Krebs said.
This push for a reorganization, or at least further empowerment of CISA, comes as the threat landscape and group of adversaries continue to expand.
Ransomware has become such a prevalent and costly threat that it’s distracting the national security community from primarily focusing on threats from China, Russia and Iran, Krebs said. Intelligence officials have broadened their view of threat actors to include cybercriminals.
“We’ve kind of fetishized the advanced persistent threat” and overemphasized the threats posed by nation states, Krebs said.
Meanwhile, “cybercriminals have been eating our lunch,” proving that this was the threat model for every organization all along, he said.
Any product being shipped or hosted is a target, and threat actors exploit points of weakness in the dependencies and trust connections organizations have in software and technology platforms, according to Krebs.
“If you’re on the internet, you’re on the playing field for them.”