Cyber Threats Warrant a Government Reorganization, Former CISA Head Says

Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, testifies during a Senate Homeland Security and Governmental Affairs Committee hearing.

Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, testifies during a Senate Homeland Security and Governmental Affairs Committee hearing. Greg Nash-Pool/Getty Images

Inaugural CISA director Chris Krebs said the federal government should do more to respond to cybersecurity and data concerns.

The U.S. government needs to be more proactive in responding to and mitigating cyber threats, including potentially re-organizing the government to better prioritize cyber-related concerns, former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said during a keynote address at the Black Hat cybersecurity conference in Las Vegas on Wednesday. 

“I think we have to take a hard look at the way we’re organized and make a smarter, more efficient, more organized government,” said Krebs, who served as CISA’s inaugural director from 2018 until 2020 and is currently a founding partner at the Krebs Stamos Group.

Krebs—who said he’s currently working with The Aspen Institute’s digital team to examine how the government can improve its tech- and data-oriented responses—cited President Franklin Roosevelt's Reorganization Act of 1939 as the type of transformative reimagining of government that is needed to effectively respond to cyber threats, while also safeguarding privacy and addressing digital trust and safety issues. 

The boldest of Krebs’ potential remedies was having the government establish a U.S. digital agency that incorporates elements of CISA, the National Telecommunications and Information Administration and other federal agencies, which would be “focused on empowering better digital risk management services." But, citing his lack of faith in Congress’ ability to accomplish such a broad undertaking, Krebs said that a more reasonable step “could be something as simple as pulling CISA out of the Department of Homeland Security as a sub-cabinet agency.”

Regardless of the potential solution, however, Krebs said “I’m not naive enough to think that slight course corrections of individual agencies is going to be enough.” What is needed, he said, was more effective and more direct communication between the private sector and federal agencies about mitigating and responding to a variety of cyber risks and threat actors.

Krebs said that the response to rising ransomware attacks over the past several years, for example, has been one of the biggest “collective falling downs of government and industry,” since the growing frequency of these cyberattacks is “distracting our intelligence community” and forcing national security officials “to broaden their view of threat actors to include cyber criminals.” 

Krebs said the government’s ongoing struggle to balance regulations without stifling innovation has also led to a patchwork implementation of cybersecurity approaches across the public and private sectors, including “an overreliance on checklists and compliance rather than performance-based outcomes.” 

Krebs said that steps that offer more substantive performance guidance and directional awareness, such as CISA’s recently published version of its “Cloud Security Technical Reference Architecture (TRA)” to help guide federal agencies’ migration to the cloud, can promote best-practices without relying on set standards in a constantly evolving cyber environment. 

This is particularly important as threat actors increasingly attack software supply chains and cloud services that provide data-rich and opportunistic targets. Krebs said these cyber criminals “understand the dependencies and the trust connections that we have on our software services and our technology providers, and they’re working up the ladder through the supply chain.”

To help prioritize these initiatives, Krebs said that both Congress and the federal government need to place more of a priority on cyber-related risks. Krebs referenced one of the findings from the Cyberspace Solarium Commission’s March 2020 report, which said that Congress needs to figure out more effective ways of streamlining oversight and communication related to cyber threats. 

“Congress needs to establish select committees in the House and the Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch where you have 101 civilian agencies and every single one of them is running their own email service,” Krebs said. 

But the private sector can’t just wait for Congress and the federal government to chart the best path forward, which is why Krebs said that companies should proactively plan ahead and begin to address potential threats before they become an issue—such as preparing for the potential invasion of Taiwan by China in the coming years. 

“Based on conversations I’ve had with national security officials, they’re pretty confident that that’s going to come to a head between China and Taiwan,” Krebs said. “And if you want to be in a position to de-risk your operations, to manage risk to your organization, you have to start that yesterday. And if you want to physically segment your networks in Taiwan, you’ve got to start that now.”