Consumer Electronics Daily was a Warren News publication.
‘Biggest Concern’

Krebs: DHS Cyber Agency Lacks Funds for Incident Response

The Cybersecurity and Infrastructure Security Agency lacks funding for incident response and engagement with the critical infrastructure community, despite its $2 billion budget, the agency's former Director Chris Krebs told the House Homeland Security Committee Wednesday. “My biggest regret was that we were not able to plow additional resources into the ability to get out there into the field and engage critical infrastructure and engage state and local actors,” he said during a hearing on the SolarWinds attack (see 2102090076). Chairman Bennie Thompson, D-Miss., said the attack is “dominating the cyber conversation.” CISA is part of the Department of Homeland Security.

CISA’s budget of about $2.2 billion when Krebs led the agency seems like “a significant amount,” he said. But about $1.2 billion was earmarked for cybersecurity programs, including about $800 million for two programs, he said. That left several hundred million for incident response and very little for engagement with the critical infrastructure community, he said. Krebs was responding to House Armed Services Subcommittee on Intelligence and Emerging Threats Chairman James Langevin, D-R.I., who asked if CISA ever had to forgo any efforts or tasks because it didn’t have proper resources.

Congress needs to figure out how to “mature” U.S. defenses to match adversaries' capabilities, said Thompson, calling SolarWinds a “sophisticated supply chain compromise.” The U.S. is “struggling against the highly sophisticated and routine” attacks, said ranking member John Katko, R-N.Y. He called for legislative efforts to give CISA the resources it needs to “fully protect” the U.S. He and Thompson cited a recent attack on a water treatment facility in Florida, which was reportedly an attempt to poison the water for thousands of residents.

The country can’t stop every attack, but it can address the most “common risks” and make “the bad guys work harder,” said Krebs. He wants more centralized authority within the federal government. Federal agencies aren’t in a position to secure themselves individually, he added. There should be a comprehensive, federal civilian cybersecurity agency because now there are 101 different approaches on federal cybersecurity, he said.

Former Principal Deputy Director of National Intelligence Sue Gordon questioned whether SolarWinds understood its responsibilities when selling its products to the Treasury Department. She asked if it's time for the government and private sector to explore generally accepted security principles, similar to action the SEC took as a result of the 1929 stock market crash.

SolarWinds is a new normal for Russian cyber strategy, testified Silverado Policy Accelerator Executive Chairman Dmitri Alperovitch. China is likely evaluating the same model, he said: using private networks to gain access to high-value networks through the supply chain and go undetected for long periods of time. Any system connected to the internet is a target, testified Cyber Threat Alliance CEO Michael Daniel. Daniel noted water treatment plants aren’t something people immediately think about when considering cyberthreats.

Discussing the Jan. 6 riot at the Capitol, Rep. Emanuel Cleaver, D-Mo., asked if domestic terrorism is one of the top cybersecurity threats facing the U.S. It’s not in the top five, said Krebs, who said ransomware attacks targeting small- and medium-sized businesses top the list. Agencies can contact and apprehend domestic actors, which can’t be said about remote ransomware attackers in Russia, Eastern Europe and elsewhere, said Krebs, calling it a natural advantage on the domestic front. Gordon agreed with Krebs about the natural advantage but said foreign actors can potentially collaborate with domestic actors and share their tools.