Government and tech companies won't resolve security issues, claims ex-CISA head Krebs

At Black Hat, Chris Krebs predicted a deteriorating cybersecurity landscape, forecasting that conditions may worsen. He also struck an optimistic note, suggesting potential future improvement.

Government and technology companies should not be relied upon to address security issues, according to the former director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs.

In the rapidly evolving digital landscape, cybersecurity has become a paramount concern for organizations worldwide. According to Chris Krebs, the former founding director of the Cybersecurity and Infrastructure Security Agency, the current state of cybersecurity is a cause for concern.

The integration of more insecure products is making it increasingly complex to manage risk. This issue, coupled with the relentless cycle of vulnerability discoveries, disclosures, and patching requirements from both large and small vendors, poses constant risks to organizations.

Krebs emphasizes that while solving issues at the edge is important, it's more crucial to address the underlying challenges rather than applying Band-Aids. He believes that technology vendors and the government alone cannot solve these issues, and that it will ultimately come down to the cybersecurity community.

The primary concerns revolve around the integration of insecure products, the lack of transparency in the cloud, and the need to focus on core infrastructure. The cloud's focus on flexibility, elasticity, productivity, and efficiency has come with a decline in transparency. There is a lack of deeper understanding of how the cloud works across various hyperscale vendors, how organizations interact with it, and the level of visibility it affords them.

Mid-market technology companies and software providers have become systemically important due to their elevated privileges within networks and their ability to access sensitive information. Vendors and technology providers need to recognize their mission is oriented around national security outcomes, according to Krebs.

Ransomware is a significant threat to every organization, described by Krebs as "the biggest, perhaps collective falling down of government, of industry." The barriers to entry for ransomware have dropped, allowing threat actors to access exploits that were previously the domain of nation states.

Despite a seemingly dire outlook, Krebs remains optimistic, stating that matters of cybersecurity can be fixed. He believes that things are going to get worse before they get better, but the challenges of cybersecurity are not hopeless.

Active entities addressing cybersecurity issues include cybersecurity leaders like Moritz Anders at PwC Germany, EU member states implementing the NIS-2 directive, and national bodies such as Germany’s Federal Ministry of the Interior working on cybersecurity laws. Industry events like the IDC Cybersecurity Summit focus on innovations in security operations and AI-driven defense. Governmental agencies such as Germany’s Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) emphasize international cooperation. Private organizations, legal groups, and technology firms also actively engage in raising awareness, developing strategies, and implementing technical solutions.

The core of the internet is not exclusive to tech giants; it is stitched together by many threads. Krebs underscores the importance of international cooperation in addressing these challenges. He emphasizes that while the road ahead may be challenging, the cybersecurity community has the potential to rise to the occasion and tackle these issues head-on.

In conclusion, the future of cybersecurity is a critical concern that requires the collective effort of governments, technology vendors, and the cybersecurity community. As we navigate this complex landscape, it is essential to prioritize core infrastructure, promote transparency, and work together to ensure a secure digital future for all.
