Former Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs called for significant adjustments to the U.S. government’s approach to cybersecurity on Wednesday, floating several potential changes Congress should consider.
During a keynote address at the Black Hat conference in Las Vegas, Krebs proposed the creation of a “U.S. Digital Agency,” which would incorporate elements of CISA, the National Institute of Standards and Technology, the National Telecommunications and Information Administration, the Department of Energy as well as parts of the Federal Trade Commission and the Federal Communications Commission.
“I think it’s time to rethink the way government interacts with technology. We have to make an agency that’s focused on empowering better digital risk management services,” Krebs said. “I’m not just talking about security. I’m talking about privacy. I’m talking about trust and safety issues. We’re not where we need to be and we’re falling behind and Americans are suffering as a result.”
Aware of the limited prospect of a divided Congress pushing through such sweeping changes, Krebs touted a smaller measure: pulling CISA out of the Department of Homeland Security and making it a stand-alone, sub-cabinet agency with its own leadership and direction.
“Cybersecurity has to be apolitical, non-political, bipartisan and nonpartisan,” Krebs told the audience.
Krebs — who was CISA’s first director and was fired in 2020 by then-President Donald Trump after saying there was no evidence of compromised voting equipment — said he plans to push for these changes through the Aspen Institute, a powerful non-profit where he is a co-chair of the Aspen Commission on Information Disorder.
Since CISA’s creation, lawmakers and experts have questioned whether the agency should be spun out of DHS, where it is often subject to political gamesmanship. Last year, the confirmation of current director Jen Easterly was held up by Senator Rick Scott because he wanted Vice President Kamala Harris to visit the U.S.-Mexico border.
While Congress has since made sure to provide CISA with significant funding and support, concerns have previously been raised about CISA-related issues being lumped into the politically fraught immigration controversies that typically swirl around DHS.
CISA as the ‘front door’ of government cybersecurity
Krebs spoke at length about the need for government cybersecurity efforts to be streamlined because of the confusion many organizations and companies face when seeking out help.
“We need organizations to work with the government and get value out of it. Instead of going to five or six different agencies, there needs to be a front door that is clearly visible,” he said. “And as I see it, that’s CISA.”
“We have 101 civilian agencies and every one of them is running their own email service. We have to fix that,” he said.
Krebs also said the government can incentivize cybersecurity improvements among technology providers through its purchasing power. Instead of focusing on the lowest prices, it could require a higher cybersecurity bar from the companies it contracts with.
Proactive law enforcement
Krebs noted that in recent months the Justice Department and FBI have been more aggressive in going after command-and-control infrastructure, the servers through which hackers direct compromised machines and launch their attacks, and he urged other law enforcement agencies to follow their example. Over the last year, the DOJ has announced several operations that disrupted global botnets run by the Russian military and others.
“We need to continue that. We need to shift from longer-term investigations towards more destructive, disruptive actions that prevent [hackers’] ability and impose costs. [They need to] eliminate their ability to extract value from companies here in the U.S.,” he said.
On the defender side, Krebs lauded U.S. Cyber Command for its work in advance of the 2020 U.S. elections, when it partnered with other parts of the Department of Defense and other agencies to provide data on the tactics, capabilities and malware used by state-backed groups.
A helpful tool, he said, was a list of likely targets for bad actors, which included voter registration databases and election result reporting bodies.