CISA Directors Talk Geopolitical Threats, Election Security – Source: www.databreachtoday.com

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Government

Explosion in Threat Actors, Poorly Configured Technology Compound the Risk

Mathew J. Schwartz (euroinfosec) •
May 8, 2024    

Geopolitical events increasingly pose risks to organizations’ cybersecurity posture, current and former government cybersecurity czars warned at this year’s RSA Conference in San Francisco.

See Also: Critical Infrastructure Cybersecurity & Risk Monitoring: Elections Infrastructure

Chris Krebs, chief intelligence and public policy officer at SentinelOne, told conference goers that “it seems as if, at least in our lifetimes, that there is some geopolitical conflagration in every corner of the globe.”

These flare-ups – such as Russia’s war of conquest against Ukraine and, potentially, China’s much-previewed invasion of Taiwan – include notable cybersecurity components.

Krebs’ thesis is that CISOs must track geopolitical threats – and not just in their neck of the woods, given the potential risk such events pose to enterprise networks.

“Unlike even a decade ago, technology, cyber information operations, disinformation is an integral part to conflict, to military doctrine,” he said. “Business risk and geopolitical risk are intertwined.”

The explosion in the number of threat actors, as well as the ongoing problem of the private sector shipping products configured in ways that don’t minimize risk, exacerbate the risk. Artificial intelligence only compounds the complexity of cyberspace, he added.

“Around every corner, it seems that there’s some sort of risk that we’re facing not just today, but frankly, for the rest of our lifetimes,” said Krebs, who formerly led the U.S. Cybersecurity and Infrastructure Security Agency.

CISA’s current leader, Jen Easterly, who said that “we could talk forever on threats,” opted to highlight these two: ransomware and the massive profits attackers are earning at victims’ expense, as well as the increased targeting of critical infrastructure, including by China via its Volt Typhoon campaign.

Volt Typhoon, she said, is “why we’re talking so much about resilience and why we’re talking about security by design” (see: US CISA Urges Security by Design for AI).

As with ransomware, Chinese attackers seeking ways to infiltrate critical infrastructure “largely take advantage of known public flaws and defects.” To try and complicate such efforts, CISA maintains and promotes its Known Exploited Vulnerabilities Catalog. To combat both nation-state attacks and cybercrime, CISA recommends all organizations patch KEV flaws as quickly as possible (see: Tracking Data Breaches: Targeting of Vulnerabilities Surges).

The agency is also attempting to learn from major breaches and details lessons learned from the industry.

Easterly announced that Monday, CISA appointed Krebs to its Cyber Safety Review Board. The board most recently released a report that probes the massive Chinese hack against Microsoft – where Krebs worked as the government liaison before running CISA – and shows that the company’s security culture failed to block an espionage attack that “was preventable and should never have occurred” (see: Microsoft Overhauls Security Practices After Major Breaches).

Artificial intelligence loomed large at this year’s RSAC, which carries the tagline “the art of the possible.” Easterly pointed to that exuberant-sounding theme and said that “AI has captured the world’s imagination, but it’s the responsibility of leaders to leverage that power of imagination but avoid the failure of imagination.”

CISA is part of the Department of Homeland Security. DHS Secretary Alejandro Mayorkas, in a Tuesday morning keynote at the conference, highlighted government efforts to facilitate the secure use and development of AI. In particular, he highlighted the first-ever meeting Monday of a 22-member board created by President Joe Biden to advise the White House on measures needed to promote “the safe, secure and responsible implementation of AI in our nation’s critical infrastructure.”

He said the board is laying down principles, to be followed by actionable roles and responsibilities, after which “we’re going to, hopefully, establish guidelines for the safe and secure implementation of AI and really develop a national plan.”

Speaking during conference session, Easterly also focused on the various risks posed by AI, including against critical infrastructure.

“AI will exacerbate the threats that exist to our elections, whether that’s spear-phishing, whether that’s foreign influence or disinformation,” Easterly said, although “it will not fundamentally change those threats.”

In 2017, the U.S. government designated election infrastructure as a piece of critical infrastructure, and CISA has been tasked with protecting it, working closely with state and local election officials.

Easterly said there’s been “extensive progress in improving the security and resilience of the nation’s election infrastructure, working to support the state and local election officials who serve on the frontlines of our democracy administering, managing and defending our election infrastructure.”

Krebs famously tweeted in 2020 that the year’s presidential election was the most secure on record and that after extensive review by security experts, all claims of fraud “either have been unsubstantiated or are technically incoherent.” In response, the loser of that election, then-President Donald Trump, fired Krebs – via a tweet.

Thanks to efforts driven by CISA, local and state election officials “ran secure elections in 2018, in 2020 and 2022,” Easterly said, backed by paper ballots for increased auditability. “As we know, there is no evidence that malicious actors had any impact on the elections.”

Easterly said 2024 is on track to also deliver secure and accurate elections. “In this job, I’ve had the privilege to spend a lot of time as you did with chief election officials across the country, and I know how hard they work to ensure that their citizens’ votes are counted as cast,” she said. “Those election officials know that while elections are political, election security is not, and that’s why I have confidence in the integrity of our elections and why the American people should as well.”