Chris Krebs has been “wandering in the wilderness” the last 18 months, asking questions of individuals in technology and all levels of government. The general sentiment he’s gathered: “Things are going to get worse before they get better.”
Much of the progress enabled by digitization, software and cloud infrastructure has also come at a collective cost, Krebs, a founding partner at Krebs Stamos Group and the former founding director of the Cybersecurity and Infrastructure Security Agency, said Wednesday during his opening keynote at the Black Hat USA conference in Las Vegas.
He, and almost everyone else, wants to know: “Why is it so bad right now? What do you mean it’s going to get worse?” And, most importantly: “What are we going to do about it?”
Technology, bad actors, government and individuals are largely responsible for this state of affairs, he said.
Some of these factors operate in direct conflict.
Security is perceived as a point of friction in an era of ever-expanding pools of software, services and tools focused on reducing friction, Krebs said.
With the integration of more insecure products, organizations are making it more complicated to manage risk, he said.
The cloud represents a clear example of this: As flexibility, elasticity, productivity and efficiency have made gains in the cloud, transparency has waned.
“You can’t see what’s happening on the backplane of the cloud,” Krebs said.
A deeper understanding remains lacking in how the cloud works across various hyperscale vendors, how organizations interact with it, and the level of visibility that affords them, he said.
Core problems persist
Technology vendors and the cybersecurity community at large are striving to solve some of these problems, but greater emphasis needs to be placed on core infrastructure, Krebs said.
“We’re doing a great job at the edge,” but “we have to solve the hard problems that continue to persist,” he said. “Yes, it may impact the bottom line of your security services business, but it’s more important to solve the underlying challenges rather than the Band-Aid on the edge.”
Ransomware, which Krebs described as “the biggest, perhaps collective falling down of government, of industry,” embodies the real and present danger confronting every organization.
Ransomware is prevalent, professionalized and the barriers to entry have dropped to a point where threat actors have access to exploits that were the remit of nation states a few years ago, he said.
Vendors and technology providers need to realize their mission is oriented around national security outcomes, according to Krebs.
The core of today’s internet isn’t exclusive to tech giants. It’s stitched together by many threads.
Mid-market technology companies and software providers have become systemically important because of their elevated privileges within networks and their ability to access sensitive information, he said.
The relentless cycle of vulnerability discoveries, disclosures and the patching requirements it imposes on organizations exemplifies the risks consistently introduced by large and small vendors alike.
Technology vendors and the government aren’t going to fix any of this on their own, Krebs said. Ultimately, it’s going to come down to people in the cybersecurity community.
“We’re going to be dealing with these challenges for the rest of our lives and perhaps the rest of human history. There will be digital and technologically related risk issues that we’re going to have to solve,” he said.
Despite a relatively forlorn view shared by many and evidenced by continued losses, Krebs maintains matters of cybersecurity are not hopeless.
“I’m confident that we can fix this,” he said.