#RSAC: CISA on Election Security, Ransomware and Intelligence Sharing

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) was first established in 2018, and after its first full year of operation, its director Christopher Krebs spoke at RSA Conference about the state of cybersecurity and its achievements.

In conversation with Heather Dahl from the Sovrin Foundation, Krebs explained that CISA acts as “the nation’s risk advisor” to bring government and industry together, to issue advisories “and we work with industry partners so when we see something, they can share it with us.”

He was keen to insist on the anonymization of data breach victims, saying that the alerts are not about “company X suffered a breach,” but more about trying to understand the landscape and what the adversary may be doing so that there will not be a next victim.

Krebs said he was “not a fan of security by obscurity,” as industry and government “need to get ahead of the curve with a collective defense approach” saying if “we work together, we can get an understanding across networks and pull together a broader understanding from the ‘haves’ to the have nots.”

Moving on to the subject of ransomware, Krebs said that this is something that the average American has experienced “as we see it in schools, hospitals and municipal agencies” and the question has to be about whether or not to pay, and advise law enforcement.

Asked by Dahl what role CISA is playing in providing advice to businesses, and what resources are available, Krebs said that the aim is to get there before they have an incident, and help businesses engage and share information, to help them update their systems and have an incident response plan “and be better off and when it does happen.”

Another subject of discussion was election security, particularly in an American election year. Krebs said that what CISA has been able to do is “put attention on risk assessments from the point of registering to vote” and the risk is there from the voter being influenced, to the security of the registered voter databases, and since last year it has focused on vulnerability management for local states and jurisdictions.

“We recognize that 100% security and to be 100% resilient is not achievable,” so CISA recommends the use of offline backups, as well as analog backups. Krebs acknowledged that learnings from the 2016 election were “a wake up call” as the agency had not considered that this issue was “on the front lines of the geo political conflict” but that American people were taking this seriously.

He said that the objective of the adversary was to change voting at scale, but Dahl asked what the consideration would be if only one or two jurisdictions were targeted? Krebs said that CISA works with partners to better educate the public, as the 2016 election showed that “cyber could de-stabilize democracy.”

"Cyber could de-stabilize democracy"

Krebs admitted that the agency is not yet in a position to use mobile devices for voting, and there was not the confidence for “devices to be clean enough to be relative to vote.”

Concluding, Dahl asked Krebs if the role of government was to protect its citizens, was the role of CISA to protect personal data? He said it is about helping organizations to defend and to get to a better level of defense. Krebs added that an aim is to eventually move away from the Social Security Number as a form of identity, and “we’re working with organizations and technology companies to ensure better security by design and deployment.

“We can only do this together and achieve a common purpose,” he said.

What’s Hot on Infosecurity Magazine?