CISA's Krebs: 2016 US Elections Were Cyber 'Sputnik' MomentCybersecurity Agency Ranks Election Security and Ransomware as Biggest Threats
The 2016 U.S. president election served as a wake-up call for American lawmakers and the public of the threat that cyberattackers can pose to the very foundation of a democratic society, says Christopher Krebs, director of the U.S. Cybersecurity Infrastructure and Security Agency.
See Also: Redefining Security Analytics
Speaking at the RSA 2020 conference in San Francisco on Tuesday, he detailed how his young agency is now preparing for the 2020 elections in November, as well as tackling a range of cybersecurity issues that face the U.S., including the increasing scale and severity of ransomware attacks targeting local governments and schools.
Krebs said the 2016 U.S. elections served as a "Sputnik" moment for America, referencing the launch of the Russian satellite in 1957, which alerted lawmakers and the American public to the threat posed by Moscow - namely, that it possessed a working intercontinental ballistic missile able to deliver offensive payloads across oceans. In 2016, the fact that Russian online trolls could spread disinformation via social media made clear a rising threat in the cyber realm, which is that malicious forces could potentially impact the outcome of U.S. elections or public perception of those results.
"It's not about a single outcome of an individual race; it's about a broader destabilizing of the public, of Congress and our [electoral] system," Krebs said. "That's what was so shocking about 2016. ... It was the first time for elected officials and the American public to understand that cyber could destabilize a democracy."
Speaking Tuesday morning in an on-stage keynote interview conducted by Heather Dahl, executive director and CEO of the Sovrin Foundation, Krebs described how his agency has been working to improve election security in America since its founding on Nov. 16, 2018. But he notably did not address some recent concerns voiced by lawmakers, government watchdogs and local cybersecurity officials that his agency needs to do more to help them before the November elections - and time is quickly running out (see: States Press for Federal Resources to Fight Cyberthreats).
2020 Elections Loom
Last week, CISA, which is part of the Department of Homeland Security, released its cybersecurity plan for the run-up to the 2020 presidential election, outlining the agency's role as a facilitator that will assist federal, state and local agencies in protecting critical election infrastructure. The document also calls for more information sharing between different government agencies.
One challenge, however, is that vote-gathering in the U.S. remains a highly decentralized process. The Constitution gives states the authority to set many rules for how and when they conduct federal, state and local elections. As a result, Krebs said, his agency is now attempting to positively influence the efforts of 8,800 voting districts across the country.
Another challenge concerns state districts' voter databases, because the data they store is highly centralized and network-accessible, making these repositories vulnerable to hacking and ransomware attacks - not just by nation-state actors but also cybercrime gangs looking for an easy payday, Krebs said.
While achieving 100 percent security is not possible, Krebs said his agency is working with local and state officials to conduct vulnerability management assessments and harden voter registration databases, make them more resilient to attacks, as well as ensuring effective back-up systems are in place in case data gets wiped or crypto-locked.
"You have an offline back up that you test with and practice with and you have a plan," Krebs said.
Ransomware: Lessons Learned
Although much of CISA's focus since its launch has been to prepare for the 2020 elections, Krebs said that another major online threat to the U.S. involves the seemingly nonstop increase in ransomware attacks, especially against local and state governments, as well as school districts and healthcare organizations (see: Ryuk Eyed as Culprit in New Orleans Ransomware Outbreak).
But many industries remain in attackers' crosshairs. CISA, for example, recently issued an alert that described a ransomware attack that targeted a natural gas facility and caused a three-day shutdown. The agency said it was issuing the alert to share best practices and lessons learned for other organization that may face a similar situation (see: Ransomware Attack Hit US Natural Gas Facility).
Recommendation: Prepare, Don't Pay
One upside of ransomware, so to speak, has been that it's opened the public's eyes to the need to practice proper information security hygiene, Krebs said. Unless individuals and organizations put in place basic security practices, including maintaining offline backups, using strong two-factor authentication, patching vulnerable systems and software, and having a well-rehearsed and ready incident-response plan, they remain at risk.
For organizations that do fall victim, however, Krebs said his agency always urges them to never pay ransomware attackers. "One, if you pay, you are validating the business model," he said. "Second, the keys don't always work - there's only a 20 to 50 percent chance that a de-encryption key is going to work. And third, what are you going to do if it doesn't work? Are you going to sue them?"
Since the start of 2020, CISA has issued multiple warnings about ransomware, in part due to heightened geopolitical tensions following President Donald Trump ordering a drone strike that killed a top Iranian general. In response, Iran vowed to retaliate, and many believed this would take the form of a nation-state cyberattack, possibly using wiper malware, which looks a lot like ransomware (see: US Conflict With Iran Sparks Cybersecurity Concerns).
While that threat appears to have died down, Krebs noted that if Iran had wanted to attack immediately, it likely already had access to numerous critical systems across the U.S., meaning it would have been too late for any organization that hadn't already prepared. Even so, CISA remains on heightened alert.
Never Waste a Good Crisis
"Never let a good crisis go to waste" might be an old adage, but Krebs said his agency opted to use the threat posed by Iran as a way to try to bootstrap cybersecurity practices across all U.S. organizations (see: Cybersecurity Coordinator: Don't 'Waste a Crisis').
"When everything died down at the end of the following week [after the drone strike], we didn't want to take our foot off the gas: We had the nation's attention; we had leadership's attention," Krebs said.
So what was his message? "Iran is a threat and they are capable of a data-destruction attack and this looks a lot like ransomware," he said. "So let's go ahead and defend against these ransomware capabilities and if Iran comes back six months from now, we are in a better position."
(Executive Editor Mathew Schwartz contributed to this story.)