BLACK HAT – Las Vegas – A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.
That’s the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA) who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.
Krebs was fired from CISA for insisting the 2020 election was secure and free of fraud (“We insist that we were successful – it was a singularly important moment in American history,” he said at Black Hat. “And I think we did a pretty damn good job”). In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.
“I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people,” he said.
In addition to geopolitical headwinds, Krebs noted that digital transformation and the ever-increasing cyber-offensive capabilities of the bad guys should have both the public and the private sectors on notice – or they risk falling hopelessly behind.
Taiwan Looms as Geopolitical Pressures Accelerate
In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks – and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.
“Leaders need to plan out beyond the next two quarters,” he noted. “You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what’s happening in the Taiwan Strait.”
A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.
“Political headwinds have big effects and you have to game these things out,” Krebs noted. “I don’t know if it’s going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they’re pretty confident that’s going to come to a head between China and Taiwan.”
He added, “And if you want to be in a position to de-risk your operations, you have to start that yesterday.”
While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.
“Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance,” he warned. “And yeah, they’re also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future.”
Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.
“You have to have a set of principles,” he said. “You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we’re not impacted by sanctions, so we’re good, we don’t really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you’re going to have a problem. You’re continuing to support the Russian war machine.”
Insecurity in the Cloud, by Design
Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that, in the market’s eyes, the benefits of shipping insecure products far outweigh the downsides.
“That’s because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market,” he explained. “So we’re building more products that are insecure by design because of the market pressures.”
Meanwhile, while the ongoing mass migration to the cloud is meant to increase flexibility, elasticity, productivity, and efficiency, an ancillary result has been a reduction in firms’ ability to see what’s happening across their infrastructure.
“We’ve made it more complex, and we’ve also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there,” Krebs said. “Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors, and how you interact with it?”
Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.
Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.
“I think we all agree there’s going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly,” he said. “Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it’s becoming more complex, not less.”
He noted that William Gibson had this reality pegged when he released Neuromancer in 1984.
“He coined the term ‘cyberspace,’” Krebs said. “But it’s how he described cyberspace that was so captivating – the unthinkable complexity of cyberspace. We’re there right now.”
Public Sector Concerns: Security Work to Do
The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.
“We see an overreliance on checklists and compliance rather than performance-based outcomes, so we’re not getting the security-related outcomes we want,” he noted, adding that, to boot, what oversight does exist isn’t implemented well.
“Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch,” Krebs said. “We have 101 civilian agencies and every single one of them is running their own email service. So, we’ve got to fix that.”
On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called “the right moves.”
“They’re going more aggressively at the adversary at the command-and-control level,” he explained. “But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware’s ability to extract value from companies here in the US.”
Ransomware has become professionalized, he noted, and cyberattackers’ capabilities just keep getting better and better.
“The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation states,” he said. “They’re profiting and it’s not costing them anything, they’re getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to.”
Workforce Challenges Continue
When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.
“The first thing is, it’s fun. Second is, it’s lucrative,” he noted. “We get paid pretty well in this industry. And third, relatedly, it’s durable; we’re going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then the last thing is, these are national security issues. The mission we’re doing is incredibly important.”
That said, the US workforce overall is becoming increasingly tech-native, which he’s optimistic about.
“We’re getting critical thinking skills coming along with the technology savviness that we’re looking for,” he said.
While there’s much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.
“As evidenced by Black Hat USA at 25, we have a maturing industry,” he said. “We’re producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure.”