One of the United States’ top cybersecurity officials noted the progress the US government has made in engaging potential domestic and international targets of cyberattacks, but argued that “information sharing is the minimum bar” the federal government should clear. According to Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, “we have to get beyond information sharing… to operationalizing information security.”

Krebs, who spoke at the eighth annual International Conference on Cyber Engagement (ICCE) in Washington, DC, on April 23, argued that more action is needed to defend US businesses and critical infrastructures as hostile nation states are ramping up their attacks on US entities.

Krebs outlined the potential threats as fitting into a “two-plus-three model.” On the high end of sophistication, “the most active nation state adversaries right now are Russia and China,” while on the low end “we also have Iran, North Korea, and then the extremist space,” he said.

Recent Russian and Chinese actions are demonstrating that both adversaries are targeting “trusted relationships with the supply chain and vendors” to make their attacks “much more efficient and much more effective in the way they target critical infrastructure,” Krebs explained. In the specific case of China, he added, cyber actors are no longer “going directly after individual companies, [but rather] are going to the points of aggregation,” such as shared managed service and cloud service providers. The massive amounts of information from a variety of different companies and sectors means that these service providers can be the weak point in the supply chain, Krebs maintained.

These shifting tactics have prompted federal authorities to change their approach to defense, which Krebs explained used to be separated into different strategies for the different affected sectors, such as energy or finance. What officials have now found, however, is that “the sameness of the attack surface far outweighs the uniqueness of the sector,” meaning that authorities should shift their focus to how adversaries are breaking into systems rather than on the individual vulnerabilities of specific industries, Krebs said.

Krebs reported that his Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security are already making this shift, and are beginning to identify the common areas of critical infrastructure that should be prioritized in cyber defense. They are now attempting to determine “what are the things that if interrupted… would literally crater the economy,” Krebs said. The newly created National Risk Management Center, Krebs explained, is working to “identify those national critical functions—those things that are so systematically important that they have to continue on a daily, weekly, or monthly basis.” He said that the Center would release some of its findings next week, including identification of “fifty-seven national critical functions.”

In addition to adapting the United States’ internal defenses, “the international partnership space continues to grow,” Krebs said. His agency has sent analysts to embed with the National Cyber Security Centre in the United Kingdom to increase information sharing and develop a relationship between the two agencies, he said. CISA is also continuing “a day-to-day engagement with computer emergency response teams” from around the world. Krebs stressed that this cooperation is “not just [with] Europe,” but also with “South America… [and] Asia. It is all over the world.”

Krebs lauded the ability of the US government to expand its information sharing with international partners, arguing that “what we are seeing… is an increased willingness and a quicker declassification and sharing timeline than probably has ever been in the history of the intelligence community.”

He maintained that his agency remains ready to assist any potential targets of cyberattacks. “When the call comes in,” he said, “we stand there ready to [answer] and deploy anywhere on very short order. Not just domestically, but globally.”

Catherine Lotrionte, a Brent Scowcroft scholar with the Cyber Statecraft Initiative in the Atlantic Council’s Scowcroft Center for Strategy and Security, has organized ICCE since 2011. This was the first time that this conference has been hosted by the Scowcroft Center in partnership with Dentons, PKO Bank Polski, and Texas A&M University.


David A. Wemer is assistant director, editorial, at the Atlantic Council. Follow him on Twitter @DavidAWemer.