Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs pledged today that there is no issue drawing more focus and attention at the Federal government level than election security leading up to the 2020 elections later this year.
“There is no issue with as much clarity of purpose at the Federal level,” Krebs said today during a speech at the RSA security conference in San Francisco.
The current level of Federal attention has come a long way since the 2016 election cycle, when the Russian government undertook an active role in interfering with the process through a variety of means including social media campaigns and hacking into Democratic National Committee systems.
“2016 was a wake-up call,” Krebs said today. “Before 2016, I’m not sure [election security] was on anyone’s radar for strategic risk,” he said.
Interference in that election cycle, he said, “was the first time for the public to truly understand that cyber could destabilize a democracy.”
Since then, he said, the Federal government and CISA have provided assistance to state and local governments to harden election infrastructure “as much as possible,” and particularly around larger system assets that handle voter registrations. CISA also focuses on promoting infrastructure resilience – urging data and system backups – in the event of an attack, and shares threat data with states and localities through information sharing and analysis centers (ISACs).
Asked about the impact of “fake news” disinformation campaigns on elections versus attacks that harm physical infrastructure, Krebs said it would be very difficult to conduct an attack that ultimately changed vote totals, but much easier to sow distrust through the spread of bogus information. “We have to understand the threat … It’s about a broader destabilization of the public,” he said.
Speaking about CISA’s broader roles outside of election security, Krebs said, “We are the nation’s risk advisor, that’s how we see it … We take intelligence and fuse together the bigger picture.”
He reminded that CISA provides liability protection to parties that share threat data with the agency, and anonymizes information that it shares with the public. “What we are trying to do is understand the threat landscape … so the next potential victim” can be better prepared.
“I’m not a big fan of security by obscurity,” he said when asked how widely and quickly threat data should be shared by the agency. “We have to get ahead of the curve” on sharing current threat data, and “with rapid threat sharing, we can improve collective defense.”
“We facilitate intelligence transfers between the haves and have-nots,” Krebs said.
After years of focusing on nation-state threats from what he called the “big four” – China, Russia, Iran, and North Korea – Krebs said CISA had “been a little late to the game on ransomware.” Since ransomware attacks against U.S. business and government targets began to spike over the past two years, he said the agency has become more involved.
He counseled ransomware victims to avoid paying off their attackers to regain access to their hijacked data, saying that payments only “serve to validate the business model.” And, he said, up to half of the time data recovery keys provided by attackers don’t work anyway. “What are you going to do then, sue them?” he asked.