The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which has historically given its critical infrastructure partners and federal civilian agencies the data and capabilities they need to defend themselves, is now "the nation's risk adviser," said former director Chris Krebs in a keynote talk today at Check Point's CPX 360 conference.
As director, Krebs was tasked with ensuring CISA understood the risk landscape as much as possible, and provided the right information, resources, and tools to partners so they could make risk management decisions. In the world of federal civilian agencies, 101 are responsible for their own risk management decisions, just as in the private sector or infrastructure space.
At the virtual conference, Krebs explained how CISA approached the world through the lens of the risk formula: risk equals threat times vulnerability times consequence – "with a little bit of likelihood dashed on top," he noted.
"The importance of this risk formula, as we saw it, was that it did not just focus on threat actors but included vulnerabilities in the software, services, and systems that we used on a daily basis, as well as the potential consequences of a successful attack on any of these key systems or our nation's infrastructure," Krebs continued.
Over time, it became clear that attackers were focused on civilian agencies, military and intelligence-related agencies, and critical infrastructure. Their capabilities ranged from opportunistic scanning for unpatched systems and VPNs to advanced, patient, and strategic intrusions, such as what we've seen in the supply chain attack tied to SolarWinds.
That said, it's important to realize the average user, and the average organization, may not notice these sophisticated and capable nation-state actors when they arrive because they're "probably not waving their nations' flags," as Krebs put it. However, some cybercriminals and ransomware gangs make their presence known "in a very visible and damaging way."
Given this, from 2018 into 2020, CISA and its partners "dramatically reshaped" the way they engage with their stakeholders to diversify the range of threats they're concerned about.
"It's not just about the state actors, but also about the more disruptive and destructive attacks that could undermine the functions that support our economy," he explained.
This mentality manifested in CISA's approach to election security, which was based on threat modeling. Leading up to the 2020 election, Krebs said, CISA spent three-and-a-half years thinking through scenarios in which a capable and determined attacker could disrupt the election. They engaged with stakeholders early so they could secure their systems and ensure nobody could spark disruption using ransomware or other forms of malware.
"We had a wealth of understanding, a wealth of planning behind us, that we then flipped around and deconstructed to help inform our defensive strategies," Krebs explained. The threat-modeling approach helped inform the investment practices of state election officials, and helped Congress understand which resources to share with state and local election communities.
Officials began to consider other applications for the threat-modeling approach. Nearly a year ago, they used it again as the COVID-19 pandemic began to take hold.
"As COVID spread across the country and across the globe, the vulnerabilities and consequence space … in that risk formula dramatically shifted," Krebs said. They had to sort through which threats were targeting hospitals and healthcare facilities, and it didn't take long to determine that healthcare had been a prime ransomware target for at least three years prior to COVID.
Once again, it was time to engage with partners across the healthcare industry, including the healthcare ISAC, and share best practices on how to secure against ransomware. As COVID-19 changed the role and operations of healthcare facilities, defenders had to shift rapidly in response. The key, he said, was flexibility, agility, and constant awareness of the shifting dynamics in the space.
"It's just another example of how threat modeling, of how constantly evaluating both your internal and your external conditions, can put you in a position to be more effective in your response to any sort of threat actor," Krebs noted.
Public-Private Cooperation Is a Must-Have
Going forward, Krebs emphasized the importance of CISA's collaboration with the private sector and other parts of government to create a more unified and coordinated response, especially as cyberthreats grow more advanced.
"If the recent supply chain compromise teaches us anything, it's that there [is] a set of very critical, systemically important enterprise software and services that we don't fully understand how they fit into the economy, how they fit into enterprises writ large," he said.
The public and private sectors must understand where these systemically important companies are and how they fit into the systems we use daily, and must bring all parties together. This goes beyond sharing indicators of compromise, he noted; it is much more advanced, and more about where adversaries are going. In the run-up to the 2020 election, the Department of Defense and Cyber Command deployed teams to allies in Europe to learn where cyberattackers are active.
"Not only did they pick up IOCs, but they also picked up intelligence on how and where cyber actors were going – what sorts of networks, what sorts of targets they were looking at," he added. This informed the country's ability to partner with election officials.
No single organization will succeed by making decisions on imperfect information alone. Operational partnerships in which organizations come together, share risk information, and coordinate on joint collaborative defense operations – "that's going to be the key to success going forward," Krebs said.