When DHS was established shortly after 9/11, terrorism was the focus. But in the 16 years since the Agency’s creation, the threat landscape has changed dramatically and cyber now plays a leading role in overall threats.
Four months ago, President Trump signed the Cybersecurity and Infrastructure Security Agency Act, elevating a division of the Department of Homeland Security that engages with the private sector on cyber issues to Agency status.
Before CISA was established, there was no civilian cyber security agency, at least not one that had that mission on the nameplate, according to the new Agency’s biggest advocate and first director, Christopher Krebs.
Now, one of Krebs’ jobs is to get to know C-suite leaders across the country and to both educate and support them in their mission to defend U.S. companies from cyber threat actors. He also has a mission to inform the public about cyber risk and to provide context to help make better risk decisions.
The Cipher Brief sat down with the new director to talk about what he hopes to accomplish in the next few months and why it’s so important that CISA gets it right.
(This is an edited version of a podcast conversation between Cipher Brief Publisher & CEO Suzanne Kelly and CISA Director Christopher Krebs. This version was edited for length and clarity. You can listen to the full conversation here. CISA Director Christopher Krebs will also be engaging with experts at The Cipher Brief’s 2019 Threat Conference in Sea Island, GA March 24-26th.)
The Cipher Brief: Why push for the creation of a new agency?
Krebs: A couple of years after 9/11, it was al Qaeda and its offshoots and successors that were the focus. Now, and in particular over the last eight or nine years, we have a significantly different threat environment. We have those traditional terrorist actor sets and ISIS and that will continue moving forward, but we also have very active nation state actors, particularly in the cyber security world, and we've traditionally called those the Big Four: China, Russia, Iran and North Korea. So, it is the budget and it's the mission space, and as the capabilities grew and coalesced around a broader critical infrastructure risk management mission within the old NPPD - which I've made the joke in the past, sounds like Soviet-era military intelligence - it was important to have this standalone agency with a really refined mission. So, in passing this act, there are parts of the old NPPD that will spin out and go to other parts of the department. One of them is a biometric identity management component that will go to the Secretary’s Management Director. And then we also have the Federal Protective Service which is a law enforcement agency. Unfortunately, I don't currently carry a gun or wear a badge, but they will also transition.
Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency
"It was important to have a standalone agency that would allow us to more effectively engage our stakeholders: to be able to say we are the U.S. cyber security agency."
When you think about our mission, we tend to think of ourselves as the nation's risk advisor. In very limited cases are we actually able to get in and push buttons and change configurations on a network, or actually get in and deploy some sort of security measure on a physical site. Instead, we work with the owners and operators of critical infrastructure, which is principally the private sector in the U.S., and help them understand what the risk is. So, we work closely with the intelligence community and then put context around that information in terms of where the vulnerabilities are in the systems and understanding what the consequences are of a successful exploitation of a vulnerability.
The most recent example of our work in this space is, over the last couple years, working with the election community and election infrastructure communities and state and local election officials after the events of the 2016 election where the Russians attempted to interfere with the election. There were three avenues of that attack: One was hacking and launching leak campaigns against political candidates, the second was the social media and disinformation campaigns. The third piece was active attempts to get on the networks and create disruptions. In limited cases, they were able to actually get into voter registration databases, and exfiltrate some data.
Going forward to the 2018 midterms, we put a significant amount of work into understanding what state and local election officials needed from a security support perspective and we provided those capabilities, generally in three work streams. One is information and intelligence exchange, working with the intelligence community to understand what bad guys were trying to do, and then making sure that the network defenders, the people who actually own those networks can make the changes they need to secure their systems. The second is technical assistance: providing traditional cyber security assistance, penetration testing, vulnerability scanning, those sorts of things that help them understand where the gaps in their systems are.
And then lastly is partnership building. And really that's the catch-all term for doing things like training, exercises, the governance of bringing everybody together so we can talk about what our common objectives and strategies are.
The Cipher Brief: How big of a task is that?
Krebs: When we think about the number of voting jurisdictions in the United States, it's somewhere around 10,000. Fortunately, there are 50 states that we can start to work with and in the run up to the 2018 election, we did work with all 50 states and about 1400 local jurisdictions which was, in terms of the pace at which we were able to pull all that together over about six or seven months, we set up the Information Sharing and Analysis Centers (ISACs).
Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency
"But there's a lot more to do. When we think about getting ready for 2020, we need to extend our ability to work with local jurisdictions. One of the things we did in 2018 was to get out to every precinct that we possibly could. And we worked with 26 states on this and 19 of them really implemented it in every county, in every jurisdiction."
Sometimes it was something as simple as a poster that said, "Here are the best practices for cyber security. Here are the things you need to be on the lookout for, and if you see something, here are the numbers to call to say something, and then here are the specifics to your jurisdiction: Here's the kind of equipment you use, here are the number of voting machines." That sort of thing.
The Cipher Brief: What else do you hope to do?
Krebs: As a team, we identified five strategic priorities that are generally either mission opportunities or mission risks. First and foremost, China's supply chain and 5G, so that is one strategic priority for us. We need to make sure we have full understanding and context around the risk posed to domestic infrastructure from a cybersecurity and intellectual property theft perspective, that China poses. What are the risks posed from the supply chain particularly with respect to China and then, the risks associated with the 5G build-out.
Our second priority, which we’ve talked about, is election security, particularly in the run up to the 2020 election, so that is one of our top priorities.
Third is protecting federal government networks. That's more of a mission risk and a budgetary risk. Over 50% of our agency budget is dedicated to federal government cyber security, so it’s a huge risk for us, if we don't get it right.
Fourth is industrial control systems. Industrial control systems is an emerging space and you can probably append IoT to that, but we're trying to be clear on that hard infrastructure side.
Finally, and this is more on the physical security space, but soft target security, and that includes school safety, places of worship, stadiums, but also emerging threats and emerging tech. Those are areas where we have a distinct and unique capability and ability to engage our partners.
The Cipher Brief: What about the technical side of the private sector? If I'm a private sector company, it’s sometimes tough to know where the one place is that I can call when I start to see things that I don't understand. What’s your role in that?
Krebs: Historically, this agency has been prioritizing and really focusing on the technical community, the network defenders, the folks that can actually do something about the risks we find. And they speak the language. So, you know, we issue technical alerts and other products that really put them in a position to act, but the problem is the general public doesn't understand that and can't use that information effectively.
Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency
"Sometimes executives in the C-Suite also can't really contextualize what that means. They don't work in networks all day. So, what we are prioritizing going forward is a couple of different lines of effort and engagement, but we’re really trying to hit the C-Suite and general counsels and boards of directors, those who drive top-down risk management, so that they understand the bigger picture."
The threat posed by China right now is a great example of this. We know enough about China, which strategic sectors they're interested in, their techniques and how they're trying to get to the information they want, that we can then turn around and share that with executives to say "If you're in one of these sectors, especially high tech, advanced manufacturing, fuel cell research, you're a target. If you operate or you do business with China, you're an even bigger target. If you do business in China, you're a huge target, but you know what? If you're in those sectors, and you might just be operating in one state or just with Europe, you're still a target." Now, that's the sort of information that we try to share.
The Cipher Brief: So, let’s say you only have 12 to 18 months in this role. What is the one thing you want to get done and you want to be known for in leading this new agency?
Krebs: When I came in March of 2017 to DHS from the private sector, it was my top priority to get the agency established. It took probably 18 months, a little bit longer than I had hoped, but nonetheless, we got it done. That does not mean that I’m sitting back on my laurels. What I want is when I walk out of this role, for the agency to have a clear and cemented role in the federal space. But most importantly, a clear value not just offered to the private sector, but understood by the private sector. That they really understand and get something out of our pure existence because at the end of the day, we are paid for by the American taxpayers, so we've got to make sure that whatever we're doing is valuable, and it's actually changing the risk calculus. But we don't own the critical infrastructure in the United States, so I've got to do something that's unique, that fills the gap and brings the full horsepower of the federal government in support of our critical infrastructure partners in a collective defense model.
Listen to the full conversation on the State Secrets Podcast… and engage with CISA Director Christopher Krebs March 24-26 at The Cipher Brief Threat Conference.