Published on August 11th, 2022
Why Cybersecurity Is Going to Get Worse Before It Gets Better
Chris Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA), a part of the US Department of Homeland Security, believes that information security will get worse before it gets better. Krebs, now a founding partner of consulting firm Krebs Stamos Group, opened information security conference Black Hat USA 2022 with a keynote speech on August 10.
Looking to the present and future of the security landscape, Krebs posed three main questions: “Why is it so bad right now?” Why will it get worse? What can stakeholders do to improve the outlook?
Why Is It So Bad?
Krebs identified four main factors that are shaping today’s cybersecurity challenges.
1. Technology: “Security is seen as friction,” Krebs explained. Right now, software is vulnerable because the focus is on improving productivity and being first-to-market, rather than slowing down to ensure security.
The COVID-19 pandemic accelerated adoption of the cloud, which has come with undeniable benefits. But it also has reduced transparency and increased complexity. “We are integrating more and more insecure products into use cases,” said Krebs. “We are making it more complicated to manage risk.”
2. Bad actors: As the diversity of products and complexity of use cases grows, so does the attack surface. Cybercriminals are monetizing vulnerabilities through attacks like ransomware.
3. Government: The US government struggles to balance the need for effective regulation with the desire for innovation, according to Krebs. And the regulation that is in place isn’t necessarily effective. “We see an overreliance on checklists and compliance rather than performance-based outcomes,” he said.
4. People: Cybersecurity faces leadership and workforce challenges. “The CEO that understands cyber risk as business risk is few and far between,” Krebs said. He also expressed the need for more education, opening the door earlier and preparing more people to enter the workforce.
Why Will It Get Worse?
Krebs has spent time talking to network leaders, asking their take on the short-term and long-term outlook for information security. The collective response has been bearish in the near term and bullish in the long term.
In the near term, the challenge of complexity will only grow. More and more things will be connected to the internet, generating more and more data. “Technology vendors are addressing some of the underlying vulnerabilities, but it is happening at the pace we want?” Krebs asked.
While security solutions try to catch up, bad actors are continuing to rack up wins. “Until we make meaningful consequences and impose costs on them, they will continue,” Krebs asserted.
Krebs also expressed the need for the government to rethink the way it interacts with technology. “I am ready to make the argument that the digital environment around us has changed so dramatically the last 25 years while our government hasn’t kept up pace,” he said. Making large governmental changes takes time.
While the Colonial Pipeline cyberattack that took place in 2021 may have been a wake-up call for some leaders, Krebs talked about the need for more leadership to recognize cybersecurity as a boardroom-level issue and to plan years, rather than quarters, in advance.
He offered a specific example of the need for long-term planning. While the certainty and timing of a Chinese invasion of Taiwan is unclear, Krebs advised organizations to begin thinking about the possibility now. “If you want to physically segment your networks in Taiwan, you have to start that now. We need organizations thinking forward,” he said.
How Will Security Improve?
While the current security environment is fraught with obstacles, Krebs is optimistic for the future. He urged technology vendors to focus on more than creating products for the edge. “We have to solve the hard problems that continue to persist. It may impact the bottom line of your security services business, but it is more important to solve the underlying challenges, rather than the band-aid on the edge,” Krebs said.
Krebs also advocated for escalating consequences for cybercriminals. “We need to shift from longer term investigations to more disruptive actions,” he said. He pointed to the sanction of virtual currency mixer Tornado Cash as a step in the right direction.
On the government side, CISA has continued to receive funding, a positive indication, but Krebs wants to see more progress. “Continue to invest and build CISA out; make it easier and less complex for organizations to work with the government,” he said.
Cybersecurity is still faced with a talent shortage, but Krebs is optimistic about the workforce. “Every day that goes by, our workforce becomes increasingly tech-native,” he said.
Ultimately, Krebs placed his faith in people to bring about a brighter future for security. “I am not naïve enough to think that technology vendors [and] the government on their own are going to fix this… It will come down to the people in this room. This community. It is going to take us as leaders to make the changes we want to see.”