CISA director sees an opportunity to seize on increased remote work to make the cybersecurity community more diverse.
One benefit of a global pandemic forcing workers to stay home is that it highlights geographic restrictions in the hiring process that no longer apply, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said.
Krebs participated in a virtual summit hosted by the cybersecurity company Forcepoint Wednesday where he expanded on the benefits of a more diverse workforce for getting a unique edge on U.S. adversaries and other takeaways from COVID-19, including the importance of hardening end-point security and technology that can help.
“What we have found is that it really opens up the talent pool,” Krebs said of a potential post-pandemic dynamic. “For instance, if I can have remote workers, they don’t have to be in D.C., so I can bring real talented folks into work with us, they can be living in upstate New York, anywhere … rather than hire 50 people in D.C., I can hire 50 people across the country.”
Krebs acknowledged “bigger implications in the classified workspace,” noting that a number of “quite radical” changes have been made for that scenario. But outside of that, he said hastening secure remote work environments should be seen as an opportunity to tackle the long-standing challenge of filling cybersecurity vacancies while also addressing societal disparities highlighted by the Black Lives Matter movement.
“I think that opening up the aperture on hiring is really going to change,” he said. “Particularly in the cybersecurity community, I think it’s an important point to make right now given what’s going on with a number of the protests and civil unrest across the country, making sure that we make cybersecurity, infosec, a more inclusive, diverse community.”
Krebs said building a more diverse cybersecurity workforce would deliver concrete benefits that draw from a strength that is not as easily accessible to U.S. adversaries.
“We have this opportunity, we have all these folks that are out of work, we have all these openings in cybersecurity we’ve talked about for over a decade now, we can really bring those two together, and get that advantage of U.S.-centric cybersecurity defense against what is generally adversaries that are fairly homogeneous,” he said. “We have a distinct advantage in diversifying our workforce and having a more inclusive environment and that’s going to give us perspectives our adversaries don’t have. I think innately the American experience can set us up for greater success in the cybersecurity game.”
Having a strong diverse workforce scattered across the country requires robust protection for the devices it will rely on.
Krebs said CISA has had a plan for this as part of its Continuous Diagnostics and Mitigations program but that the pandemic has severely compressed the timeline. He noted some of the tools that are helping in the interim.
“Now that we’ve distributed our employees, they’re on their devices, we’re really working through, OK, what’s the easiest way to protect the government-furnished equipment, the assets, when they’re distributed? How do we harden the actual host? How do we put more capability on the device itself, and then how do we protect the connection back? And it’s as simple as using a MiFi or JetPack to really protect the connections,” he said, emphasizing “end-point detection and response [technology] is really advantageous.”
Krebs credited both recent administrations for pushing information technology modernization.
Referring to migrations to the cloud, which enables teleconferencing services used by remote workers, he said, some visibility is lost in uploading server management to third parties and that there are “still some unknown answers” and likely unanticipated issues, but that there are also advantages.
“I think of the visibility we have through CDM,” he said. “How can we take and extract value and insights from a single agency, and deploy that insight across a broader set of agencies, and then how do I repackage that and make it publicly available to anyone out there to show these are the sorts of trends we’re seeing, these are the best practices and successful implementations.”
Krebs noted that companies having different offerings for different segments of the population can make things confusing for users and questioned whether that approach makes sense going into a future where there is more remote work.
“I do think it bears some conversation longer-term about this blend of consumer-grade skews and commercial-grade skews,” he said. “Are companies going to maintain these different product lines when the actual work and home environments are starting to mix together? It’s hard to keep in your brain separated, OK, this one I’m OK to click with abandon on, the other one, it’s not as safe.”
Generally, Krebs had a positive outlook on the cybersecurity community’s response to the pandemic and wants to sustain the energy it has mobilized for protecting critical infrastructure more broadly.
“What’s made me hopeful was the ad hoc groups that spun up to protect the response—the Cyber Threat Intelligence League, the Cyber Threat Coalition—you had groups come together, share information to protect health care facilities, to take down malicious malware-serving-up URLs,” he said. “That sort of activity, it’s something that we’ve been talking about operationalizing info sharing for years now, but in a really vague sort of environment it’s hard to do without defined objectives, but now with COVID, we’ve got a really clear target.”
Another big target where Krebs hopes the community will “keep this momentum going” is the upcoming election.
“Any way you cut it, this is going to be a challenging election,” he said. “We’re not going to have quite as many in-person voting locations, a lot of the poll workers are volunteers, they may not want to risk their health, so anybody out there that wants to get involved with the election, I really do encourage you to volunteer so go approach you local elected official and be part of defending democracy.”