Why is cybersecurity so bad right now? That is the question with which the Black Hat USA 2022 security conference got underway on August 10 in an opening keynote address from former CISA director Chris Krebs.
Krebs is currently a partner in consulting firm Krebs Stamos Group and he noted in his keynote that he often speaks to officials in the private sector and federal, state and local governments to try to understand what they're trying to accomplish. Time and again the first question he gets is – why are things so bad in cybersecurity right now and why does it seem that we're fighting an uphill battle?
In Krebs' view, there are four fundamental things that lead to bad cybersecurity outcomes: technology, bad actors, the government and people. In terms of why technology isn't measuring up to improve cybersecurity, Krebs blamed it on economic pressures.
"We operate inside a larger ecosystem, inside businesses that are focused on productivity, and reducing friction," Krebs said. "They tend to see us and security as slowing things down."
Attackers are continuing to go after technology services, because that's where the data is, while ransomware is also an opportunity to profit. The spate of supply chain security and ransomware incidents in recent years is all about attackers being opportunistic, in Krebs' view.
Looking at the government, while CISA has made strides in recent years, Krebs said that it's still often difficult for companies and individuals to work with the government to help move cybersecurity forward. Krebs is also somewhat pessimistic that CISA will get the funding and empowerment it needs from the US federal government in the future to help further improve the state of cybersecurity.
While there is work to be done, Krebs does see plenty of reasons for optimism.
"We have a maturing industry, we're producing and generating products that are solving problems," Kreb explained. "We have technology vendors that are working to solve core problems and the infrastructure, but is it happening at the pace we want and need it too?"
Bad actors continue to be successful, and Krebs emphasized that until governments and companies impose meaningful consequences and costs on attackers, those attackers will persist. Krebs also wants organizations to plan ahead, and look out beyond just the next quarter or two of business operations and potential cybersecurity risks.
"We need organizations thinking for not just dealing with today's problems, but planning ahead, and starting to implement for where they want to be two to three years out," he said.
While there are constant reports about a shortage of skilled cybersecurity professionals, Krebs is also optimistic about the future of cybersecurity. In his view, cybersecurity is a well-paying, fun and rewarding career for those that choose it.
"For the rest of our lives and perhaps the rest of human history, there will be digital, technologically related risk issues that we're gonna have to solve," Krebs said.