The Cybersecurity and Infrastructure Security Agency has come a long way in maturing the federal government’s cyber-threat sharing capabilities with the private sector over the past few years.
And with the coronavirus pandemic changing aspects of the threat landscape, CISA Director Chris Krebs said Monday that the agency hasn’t just seen an increase in the overall scope of threats, but a “dramatic shift” in the consequences of a successful breach.
Hospitals, for example, have long been a data-rich target for ransomware attacks, but bringing down a health care provider’s network during the pandemic would have devastating consequences.
“If you lost a hospital in New York City this time last year, it would not be the end of the world. What I mean is you could shift patients or transfer them to other medical care facilities. But in the deepest, darkest point of New York City’s response, if you lost a hospital due to a ransomware attack or something like that, no joke, people would die,” Krebs said during a virtual keynote hosted by the Wilson Center.
Since March, CISA has played a supporting role in the country’s pandemic response, including protecting Operation Warp Speed, the federal government-led effort to develop a COVID-19 vaccine, which has become a major vector for cyber attacks.
CISA’s effort, which also extends to personal protective equipment manufacturers, hospitals and other aspects of the pandemic-response supply chain, has been dubbed “Project Taken” by Krebs.
“It was just like the Liam Neeson character in the movie Taken. We were going to send a message very clearly to our adversary that you don’t mess with this, and if you do, then we’ll come and find you,” Krebs said.
Over the past two years, CISA’s National Risk Management Center has made inroads with companies that operate the 16 industrial sectors of the U.S.’s critical infrastructure.
As part of standing up that organization, Krebs said the agency has seen more success with industry when both parties can “share information with a purpose, that has the right context around it.” Instances include major events such as national elections or Operation Warp Speed.
“When it’s general and people can’t say, ‘Maybe that thing’s important, I need to share that thing,’ you don’t make the progress, you don’t get as many people involved. But when you figure out a specific objective, when you decide we’re going to defend the 2020 election from foreign hackers, OK that’s scopeable, I can scale my resources to address that issue,” Krebs said.
Meanwhile, a few weeks after CISA issued its last emergency directive, Krebs said the agency has seen patch times cut in half. And in the event of a major cyber incident, agencies have a much more coordinated response than before.
“We have that interagency template, that playbook for how to work together seamlessly – the intelligence community is over there looking to detect bad guys that want to do bad things. The Department of Defense is over there looking to disrupt bad guys that are going to do bad things. The FBI is here and abroad as well looking, again, to disrupt and prosecute. And then we’re helping protect. That’s the name of the game right now, and I think we’ve made dramatic improvements,” Krebs said.
CISA rethinks criteria to apply for cyber jobs
Meanwhile, CISA is thinking beyond the General Schedule approach to hiring in the federal government, which prioritizes experience in a professional setting, as well as degrees and certifications. Instead, Krebs said the agency is focusing on a younger demographic that nonetheless has the hands-on experience needed in cybersecurity.
Prospective hires include recent college graduates and those in post-graduate programs with a few years of experience under their belts, as well as younger applicants who are digital natives.
“I’m getting 17 [and] 18 year-olds that apply for jobs that have six years of practical, operational experience in security research because they’ve been online white-hat hackers since they could turn on a computer,” Krebs said. “What we’ve got to do is reconfigure the way that we think about hiring talent pool and maximize those approaches.”
“That’s a nihilistic approach, as I look at it. If we can make stuff more secure by design and deployment, we won’t have all those cybersecurity openings, but that’s just going to put more pressure on the technology job on the front end,” Krebs said.