Where Does Cybersecurity Go from Here?

I had the opportunity to hear Chris Krebs, founding partner of the Krebs Stamos Group and former director of the Cybersecurity and Infrastructure Security Agency (CISA) deliver the opening keynote at the 25th Black Hat Security Conference.

For 25 years, the InfoSec community and industry have chipped away at security vulnerabilities in technology with research and adversary insights. For 25 years, vendors and software firms have introduced new products and protection. With the last 25 years as prologue — and as we look to the next 25 years — we need to ask, “Are we on the right track?”

We aren’t set up for success given society’s insatiable and pathological need to connect everything. We’re serving up more attack surfaces to the bad guys and always cleaning up after business decisions that we know will drive bad security outcomes. All the while, factors out of our hands — namely, global market realities and shifting geopolitical dynamics — wreck carefully orchestrated business plans and national strategies. The last few years of geopolitical chaos and autocratic entrenchment might look like the halcyon days by the end of this decade.

Cybersecurity Today

Chris shared today’s risk trends and what they mean for tomorrow’s network defenders, suggesting along the way the needed shifts in mindset and action to deliver better outcomes while recognizing that we’re going to always operate in a contested information environment.

Cybersecurity professionals have an opportunity, and possibly even an obligation to be “bridge builders” who bring people together to solve problems. Chris and his team spent the last 18 months have what qualitative and quantitative research to learn enterprises and governments are trying to accomplish as well as their concerns and challenges.

Chris addresses the three main questions he’s been getting below.

Why Is It So Bad Right Now?

Clients and others in the industry want to pivot the discussion that it will get better. However, Chris believes it’s going to get worse before it gets better.

The four reasons for this are technology, bad actors, the government, and people.

Technology: Software remains vulnerable because the benefits of speed to market continue to outweigh the benefits of security. Security is seen as friction that slows development, adoption, and use.

As we integrate more insecure products into use cases, we make it more complicated to measure risk. Cloud is a great example as it provides increased flexibility, elasticity, reduced transparency, and more complexity, with more and more products added on top of the cloud platforms. We continue to see an explosion of SaaS opportunities and solutions.

Leadership has become radically efficient — as the thinking goes, “if I can’t do it well, we outsource it to someone else to do it well.” This adds complexity while reducing transparency and knowledge.

Cybercriminals Understand that more complex and more SaaS solutions provide more opportunities to extract value, get paid in crypto, and secure it in safe havens. Every enterprise and government must broaden their view of threat actors to include cybercriminals. If you’re on the internet, you’re on the playing field for hackers.

Companies shipping products are shipping targets, if your hosting services, you are a target. Similar to Willie Sutton targeting banks, cybercriminals target software suppliers because that’s where the opportunities are.

The government has struggled with balancing marketing intervention with the desire to allow innovation to grow. There has been an uneven application of market intervention of applications and we’re not getting the outcomes we want. When the government does regulate it does not do it well — with checklists rather than proactive results-oriented strategies and tactics.

It is hard to work with the government and the value proposition of doing so isn’t as clear as it needs to be. Congress needs to figure it out as well — consolidating oversight over agencies and branches of government.

Leaders are not leading. Few CEOs understand cyber risk as a business risk. We need to change the balance of the value of secure products.

Lastly, we do not have a technology-oriented curriculum like other countries. High school and college graduates are woefully unprepared to think about and handle these challenges.

What Do You Mean It’s Gonna Get Worse?

Things will get worse before they get better. There’s going to be more stuff connected to the internet. More things are collecting and generating data — cars, home, on the body, in the body. We’re generating an incredible amount of data and digital exhaust. Everything is becoming more complex, not less.

Cybersecurity is a maturing industry producing products that solve problems. It’s just not doing so at the pace we need it to. Until we are able to place meaningful consequences on bad actors it will continue. Cybercriminals have access to tools that were available to nation-states only a couple of years ago.

State actors like China, Russia, Iran, and N. Korea (and every country) are looking at cyber as the necessary domain for espionage internally and externally. There will be new events in the near future like we’ve seen with WannaCry, BadRabbit, and Russia cutting power in Ukraine.

On the positive side, as leaders are getting younger, they are getting smarter. The workforce is becoming increasingly tech native, savvier, and more discerning.

Overall, with regards to security, Chris is near-term bearish and long-term bullish.

How Do We Make the Change to Improve?

On the technology side, businesses have to have a set of principles with values, how to live their values, and what the red lines are. When images of war crimes show up on TV, you cannot continue to support the Russian war machine. You have to have principles. If you are core to the fabric of the internet, you are part of the national security. You have to take security seriously. This applies to all large companies and every tech company.

Think differently about the threat model. Develop products that solve problems. Core products and solutions have to solve the hard problems that persist. It may impact the bottom line of your security services business, but you need a long-term solution.

Leaders have to plan two to three years out around what’s happening in Taiwan straightaway.

How can it affect me and my IT operations? It’s going to come to a head between China and Taiwan. To manage risk, you have to start planning for that forthcoming reality “yesterday” by physically separating IT networks and supply chains in Taiwan.

How Can Government Shape the Future?

According to Chris, the government has four main roles: consumer, law enforcement, defender, and enabler.

The federal government is the biggest customer of most tech firms. It has incredible purchasing power. The federal government needs to use its purchasing power to set the bar higher with regard to the security of solutions and business practices. Low price should not be the determining factor if security best practices are not in place and being followed.

The federal government should be responsible for the enforcement of regulations based on outcomes rather than checklists. They need a better understanding of the security posture of every company they do business with. The DOJ and FBI need to proactively pursue adversaries and cybercriminals to impose costs on cyber criminals who extract value from companies.

As the defender against cybercriminals, federal cybercommand can continue pushing out and moving forward to understand what state actors are doing and what they are targeting, as they allowed state and local election officials to become informed about election security — whether or not they chose to use the information provided.

As a cybersecurity enabler, the federal government should continue to invest and build in CISA. Make it easier for companies to work with the government and get value when doing so. Chris suggests making CISA the front door of the government when it comes to cybersecurity.

Put information in the hands of the defenders. The digital environment has changed so much. The government needs a different way to interact with technology, and it needs to be reorganized to be smarter and more efficient.

What Can We Do to Improve the Situation?

It comes down to the people in the Black Hat community to make the changes that are needed, Chris says — they have to “lead the change.” Cybersecurity has to be apolitical. We need to be upfront, candid, and transparent about what’s going on earning the trust of those we work with.

There are three million open cybersecurity jobs. We are not closing the gap on the need for cybersecurity professionals. We need to promote careers in cybersecurity as fun, lucrative, and long-term. Cybersecurity is not going away in our lifetime, and it is inherently interesting. Our national security depends on cybersecurity — this is important work.

Parting Thoughts

We all live in a digital environment. We each need to ask ourselves, “What are the factors you live your life by to live a meaningful life online and offline?”

  • Principles: What’s important to you and what do you stand for?
  • People: Find your people and your support networks, and help each other.
  • Life is too short to work for assholes: Find the right place for you.
  • Life is too short to eat bad food: Find what gives you meaning and joy outside your job.
  • Do not read the comments: Seek constructive feedback from your people
  • Help somebody: You’ll feel better when you do.


Leave a Comment