Expect more nation-state cyberattacks, Krebs says
Attacks from China, Russia, Iran and North Korea will likely continue “until the leadership has decided that it cannot tolerate further behavior," former CISA Director Chris Krebs told the House Homeland Security Committee.
Was the SolarWinds attack a preview of coming attractions? Possibly, according to a former top cybersecurity official.
Attacks from China, Russia, Iran and North Korea will likely continue “until the leadership has decided that it cannot tolerate further behavior," Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, told the House Homeland Security Committee at a Feb. 10 hearing.
Rep. Lou Correa (D-Calif.) asked the former CISA chief about how the U.S. can prevent further attacks, which "should in all sense and purposes constitute a declaration of war on the United States."
When Krebs suggested the government could prevent attacks by levying financial sanctions on adversarial nations and certain oligarchs, Correa noted that suggestion had been pushed forward before but never acted upon.
The U.S. has used financial sanctions, Krebs said, but those penalties must be matched by other international allies. He cautioned committee members to recognize that "there are certain behaviors that, unfortunately, are within the realm of acceptable cyber behavior" such as espionage against a federal government.
The question of whether or not the SolarWinds hack constitutes an "act of war" has been raised often among elected officials. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.
Testifying alongside Krebs were Sue Gordon, the former principal deputy director of national intelligence, Michael Daniel, president and CEO of Cyber Threat Alliance, and Dmitri Alperovitch, co-founder and a former Crowdstrike executive.
"So far, all of the information that is available about this intrusion indicates that it is espionage," Daniel said.
Gordon told Correa flatly that the government cannot stop all attacks, but lawmakers can clearly define what kinds of attacks and impacts -- such as knocking out an electrical grid -- would warrant a response. She also said lawmakers should not limit responses to a cyberattack with a "cyber response."
Since December when the initial hack was discovered, CISA has become the government's primary agency for responding to the damage caused by the breach. That role has called into question whether CISA has sufficient funding and staffing.
Asked about funding by Rep. Jim Langevin (D-R.I.), Krebs said his agency had a $2.2 billion budget, but only $1.2 billion of that were put toward cybersecurity programs.
"However, of that $1.2 billion, about $800 million was focused on two programs," he said, referring to the National Cyber Protection System and the Continuous Diagnostics and Mitigation program. "That leaves several hundred million dollars for incident response and actually very little frankly for broader engagement with the critical infrastructure community."
Krebs said his biggest regret is that he could not put more funding toward engaging state and local governments and other critical infrastructure entities.
In his opening remarks, Alperovitch recommended CISA be given the authorities and resources to effectively become the government's chief information security officer.
Asked about that idea, Krebs explained that the current federal CISO, which is part of the White House's Office of Management and Budget, is in a policy setting position, while CISA focuses on policy enforcement. Additional funding for CISA to help agencies improve their security would leave the federal government "in a much better place," he said.
This article was first posted to FCW, a sibling site to GCN.