For 25 years, the InfoSec community has gathered in Las Vegas to discuss the overarching cybersecurity landscape, advancements in the field, new technologies and underlying insecurities and threats. Black Hat USA — one of the biggest and most technical cybersecurity events in the world — celebrated a quarter century of existence from Aug. 6-11 at the Mandalay Bay hotel. The event featured four days of intensive trainings, while the two-day main conference offered briefings, a business hall and keynote addresses from big names in the field. The keynote that kicked off the first day of the main event featured Chris Krebs, founding partner of the Krebs Stamos Group and former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Krebs looked back at the first 25 years of Black Hat and attempted to gauge where the industry would be going in the next 25. The primary questions Krebs attempted to answer were: Is the cybersecurity field on the right track, and where do we go from here (the title of the talk)?
Though it shouldn’t come as a surprise to anyone tasked with defending information assets, Krebs assertion was that we aren’t set up for success, given society’s insatiable need to connect everything. Companies are constantly serving up more attack surfaces and cleaning up after business decisions that everyone knows will drive bad security outcomes. At the same time, factors like global market realities and shifting geopolitical dynamics often undercut carefully orchestrated business plans and national strategies in the blink of an eye.
The talk worked through today’s risk trends and what they mean for tomorrow’s network defenders. Krebs also suggested some needed shifts in both mindset and action to successfully deliver better outcomes while recognizing that we’re going to be forever operating in a contested information environment.
Through his work with CISA and beyond, Krebs said he’d been talking to governments and asking them what they’re trying to accomplish. All were orienting around three primary questions:
- Why are things so bad right now?
- What are trend lines and market forces influencing technology, government and bad actors?
- What can we do about it?
His contention is that we are fighting an uphill battle and things are going to get worse before they get better. He attributed this to four reasons: technology, bad actors, the government and “us.”
Why are things so bad?
Ultimately, software remains vulnerable because the benefits of unsecure systems far outweigh the downsides. Cybersecurity operates inside a larger ecosystem, Krebs said. Businesses are focused on productivity and being first to market. Security is often seen as friction — something that slows things down. As we integrate more insecure products, we are making it more complicated to manage risk.
This problem has only gotten worse with the accelerated pace of digital transformation and use of the cloud, which were both spurred forward by the COVID-19 pandemic. While digital transformation has increased productivity, it has reduced transparency and increased complexity. Companies have started adding on additional products and infrastructure from third-party providers, and leadership has become radically inefficient.
According to Krebs, the biggest collective falling down of government and industry is the proliferation of ransomware. Threat actors have figured out how to monetize insecurity. This process has been helped out by the rise of cryptocurrency. Krebs put it simply: “Why do you rob banks? Because that’s where the money is.”
While government used to focus on the biggest threats to society — the top of the threat hierarchy — they now have to expand their purview to include cybercriminals. The rise of third-party solutions and software-as-a-service has made it easier for hackers to work up the ladder through the supply chain and operate at scale.
Unfortunately, Krebs said, the government has struggled with balancing market interventions and regulation with the capitalistic desire to allow innovation to grow. Thus far, there has been an uneven application of regulations. Industries like banking and the electric sector are highly regulated, but it drops off after that.
Clearly, government isn’t the complete answer to more protected systems. So what is the answer? Krebs said we need more performance guidance, not just compliance. The government also needs to clean up its own act. It’s still difficult to work with, as the lines of responsibility are not always clear. Companies don’t know if they should be working with CISA, the Treasury Department, the Department of Homeland Security or someone else.
Congress also needs to “figure things out,” possibly by creating select committees to consolidate oversight. Krebs gave the example that there are 101 civilian agencies, and every one is running its own email service. That’s obviously not a tenable long-term solution.
But this problem is not just about government. Leaders are not leading, Krebs said. CEOs who understand that cyber risk is business risk are few and far between. Krebs suggested we need a tech-oriented school curriculum so we can start building cybersecurity and information security skills into our workforce.
Where are we going?
To answer the second of his three questions, Krebs reached out to a network of industry insiders, and the response was measured. Most believe things are going to get worse before they get better.
“I’m bearish in the short term; bullish in the long term,” Krebs said.
Krebs attributed this near-term skepticism to a number of factors, not the least of which is our “pathological need to connect stuff to the internet.” The landscape is getting more complex, as we generate more data and connect more things. Tech is definitely solving some of these problems, but not at the pace necessary.
Another big issue, according to Krebs, is that the bad actors are still not feeling significant pain. The money is there for the taking, and it’s not costing malicious hackers anything most of the time. Until the defenders impose meaningful costs on bad actors, the threat will not go away.
And that’s just considering non-state actors. While ransomware and other malware is proliferating, every country around the globe is looking at the digital ecosystem and developing capabilities for espionage, destruction and disruption. In other words, the threat actor set is exploding. There will be new, novel events in near future that the cybersecurity industry will need to respond to.
Krebs offered some advice for the industry as they look ahead to this increased threat. Businesses must have a set of principles and make decisions about the kind of company they are. A perfect example of this is the Russian invasion of Ukraine. Companies need to ask themselves if their technology is helping support Russian war crimes. It’s no longer acceptable to just look the other way and continue doing business as usual. Krebs said organizations need to determine their red lines.
The main tech platforms — the Googles, Amazons, Apples and Microsofts — are part of national security whether they want to be or not, and they have to take that responsibility seriously. Even midmarket tech providers are becoming become systemically important. Krebs said these companies need to develop products, but they also need the developers to help solve hard problems that continue to persist.
Krebs’ other advice included:
- The security industry needs to solve challenges, not simply put a Band-Aid on the edge.
- They need leaders to plan beyond the next two quarters. They need to look 3-4 years out.
- They need to run tabletop exercises and prepare for the growing Taiwan conflict now. How will it impact the market, IT operations, etc.? They must game these things out. It might not happen soon, but they need to be planning for it now
What can we do about the problems?
Though the government is struggling to keep pace with the threat, it can still help shape the future. Krebs points out that the Department of Defense is the largest customer of most big tech firms, information technology (IT) products and services. That means they have incredible purchasing power, which they can use to influence the industry and set the bar higher.
Regulations alone are not the answer, but they can be part of the solution. One thing Krebs said could help is to marry regulation to law enforcement. We need smarter regulations based on outcomes and not checklists. We always need to be looking at the economy and core functions, and we need a better understanding of the security posture of critical infrastructure.
In tandem, law enforcement must go after cyber criminals more aggressively by taking more disruptive actions, imposing costs and eliminating threat actors’ ability to extract value.
The defenders need to be looking forward and we need to get more, better information into their hands. Krebs said slight course corrections won’t be enough.
Because tech vendors alone can’t fix this, we also need to continue to invest and build out CISA. It should be easier for organizations to work with the government. Krebs said it’s time to rethink the way government interacts with big tech and the way it’s organized. We need an agency that’s focused on empowering better digital risk management services.
Unfortunately, Krebs said, the industry is not where it needs to be and continues to fall behind. However, this is also an industry that excels at solving tough problems. These issues are durable and are likely to be around forever in our tech-enabled world, so there is still time to turn the tables.
Krebs’ words of wisdom
Krebs concluded his talk with some principles by which cybersecurity and tech professionals should live their lives. He said he had recently been asked on a podcast to name his five guiding principles. While he was caught off guard by the question at the time, he gave it more thought and came up with these five standards.
- Define your principles. You have to know what’s important to you and live by that.
- Find your people, find your support networks.
- Life is too short to work for assholes, so don’t.
- Life is too short to eat bad food. In other words, find something you enjoy that gives you meaning outside of your day job, something that makes you feel rewarded.
- Do not read the comments. It’s not good for your mental health.