
Krebs: ‘Business Risk and Geopolitical Risk Are Intertwined’


SAN FRANCISCO - Businesses navigating cybersecurity risk face two challenges at once: a rapidly expanding threat actor landscape, and technology that is inherently insecure and, by design, extremely complex to deploy.

Underlying both of these issues is the increasingly intertwined nature of business risk and geopolitical risk, said Chris Krebs, chief intelligence and public policy officer with SentinelOne and the former director of the Cybersecurity and Infrastructure Security Agency (CISA), speaking at the RSA Conference on Tuesday with Jen Easterly, the current director of CISA. One very relevant example of this entanglement is the targeting of U.S. critical infrastructure entities by Volt Typhoon attackers, not solely for espionage but to burrow into those organizations’ networks in order to launch disruptive attacks in the event of a major conflict.

“You think about the threat landscape, and... the range of threats we’re dealing with,” said Easterly. “This is a different threat, and it's why we’re talking so much about resilience and about secure by design... [The threat actors] largely take advantage of known flaws and defects. Why? Because for 40-plus years, the technology that's been created, and that now underpins the infrastructure that Americans rely on every hour of every day, is inherently insecure. It was not created to put security first.”

In order to get ahead of these types of threats, Easterly pointed to CISA’s Secure by Design initiative, which the agency has been heavily promoting as a way to push manufacturers to build safety and security measures and processes into their products starting in the development phase. This week, more than 60 companies are signing a voluntary pledge committing to take steps toward Secure by Design, said Easterly.

“It is a voluntary pledge, but we have a platform to advance radical transparency,” said Easterly. “This is a major effort we’re undertaking. It’s the only way we can make ransomware and cyberattacks a shocking anomaly - to make sure the technology is secure.”

There are other means of improving security at the manufacturer and business level beyond voluntary efforts, said Krebs. One is civil litigation, and he cited the SEC’s lawsuit against SolarWinds following its 2020 breach. Others are regulatory and legislative measures, such as the SEC’s cyber disclosure rules for publicly traded companies introduced last year. Another significant factor is “an awakening of realizing that [security issues] will drive customers away,” said Krebs, pointing to Microsoft’s recent Secure Future Initiative, which the company launched after its intrusion last year by a Chinese state-affiliated threat group and an ensuing Cyber Safety Review Board report outlining a number of security failures by the company. Last week, Microsoft CEO Satya Nadella shared a memo highlighting the importance of “prioritizing security above all else,” which among other measures said that senior executives’ compensation will be tied to progress in meeting security milestones.

While the public and private sectors are moving the needle in these areas, the technology landscape isn’t standing still either, stressed Krebs. New technologies are creating fresh risks for enterprises in real time, including generative AI, which became generally available in 2022. For now, the defensive applications of AI, such as threat hunting use cases, appear to outweigh its use by threat actors for social engineering or translation, but “we have to take a step back and look at what the risk picture looks like with AI,” said Krebs.

“We don’t fully grok where the chinks in the armor are,” said Krebs. “There’s safety, there’s privacy, regulatory, legal, business operations."