The agency inside the Department of Homeland Security charged with protecting critical infrastructure needs to get better at assessing cyber risk rather than chasing threats, according to a top DHS official.
“We have a threat intelligence problem…because we obsess about the threat,” Christopher Krebs said Wednesday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop. “We’re running this way and that way, hunting down every little piece of threat intelligence and reacting without a lot of context.”
As an example, Krebs pointed to the Illinois voter registration system that Russian hackers breached ahead of the 2016 presidential election. Even if the hackers had been able to delete voter files, Krebs said, voters would still have been able to cast their ballots by having their registration verified through other records, meaning the risk was manageable.
Putting the risk, or lack thereof, of cyberthreats into context is a big task for DHS as it helps states prepare for the 2018 midterm elections. As another round of primaries wrapped up Tuesday, Krebs told CyberScoop that the department had yet to detect any malicious activity on state networks from “known actors tied to an existing campaign.” He contrasted that activity with the run-of-the-mill network scanning that states – like countless organizations across the internet – experience regularly.
In tackling cyber risk to critical infrastructure, DHS earlier this year established a supply chain program to provide risk assessments to critical infrastructure firms and federal agencies on products they may acquire or deploy.
Krebs, whom the Senate confirmed Tuesday evening as undersecretary of the National Protection and Programs Directorate, told CyberScoop that the program was still getting off the ground through pilot testing.
While the program will address coding, the bigger focus is on equipment itself, Krebs said. “It’s going to be very important coming up with the 5G build-out, so we’re working with the telecommunications companies,” he added.
DHS has been an enforcement arm of a U.S. government policy to clamp down on supply-chain risk from Russian and Chinese companies that U.S. officials deem a national security threat. The department last year directed all civilian agencies to remove products and services from Kaspersky Lab from their networks. The Moscow-based antivirus vendor posed an “unacceptable risk” to the U.S. government, Krebs told forum attendees.