Ex-CISA Chief: Biden Cybersecurity EO 'Raises the Standard' on IT Vendors

Published on May 6th, 2022



Heading up the government’s information-security efforts while the SolarWinds attacks went undetected, and then getting fired by President Trump for telling the truth about the integrity of the 2020 election, might make somebody pessimistic about the future of infosec. But Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA) director, sounded surprisingly optimistic during a talk this week in D.C.

Speaking at the Hack the Capitol conference via video (because his wife had come down with COVID), Krebs pointed to President Biden's May 2021 executive order on cybersecurity (Executive Order 14028) as one reason for that hope, not because of its consumer provisions like security labels for smart-home gadgets, but because of its tougher requirements for federal IT contractors.

"It finally realizes the key point, probably the greatest point of leverage, that the United States federal government has in cybersecurity, and that is the power of the purse," Krebs told his interviewer, Scythe founder and CEO Bryson Bort.

The order requires IT vendors selling to the federal government to make upgrades such as providing a software bill of materials (SBOM) for their products and participating in vulnerability-disclosure programs, in effect telling them "you must be this tall to ride the federal government procurement process," as Krebs phrased it.

"It's going to raise the standard," he predicted. "Software companies are not going to bifurcate their code base for the federal government and for everyone else."

Krebs did, however, suggest that Congress needs to stop scattering cybersecurity oversight among various subcommittees, a key recommendation of the March 2022 report of the government's Cyberspace Solarium Commission. "We have to consolidate and streamline congressional oversight," he said.

Krebs’ conversation with Bort also turned to the question of whether IT vendors should be held liable for vulnerabilities.


Krebs counseled against that, saying "software is incredibly complex," but suggested that a pattern of egregious carelessness might be fair game: "I do think we can take a harder look at the negligence standards."

As for the private sector, Krebs suggested worrying less about nation-state attackers that aim at specific, high-profile targets. Instead, he advised bearing down on the problem of indiscriminate attacks like ransomware, which he described in business-model terms as a successful monetization of vulnerabilities and "stupid human tricks" that increase the exposure of businesses.

"If you are connected to the internet," Krebs said, "you are on the playing field for that threat."
