The coordinated ransomware hit on 22 Texas municipalities will yield valuable lessons for other local governments to ensure they’re not next, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency Director Chris Krebs said Thursday while unveiling the agency’s new “Strategic Intent” document.
The Texas Department of Information Resources, which is investigating the attacks in conjunction with DHS and the FBI, has been mum about the details of the attack but said Tuesday that “evidence continues to point to a single threat actor.” A department spokesman told NPR he was “not aware” of any of the cities forking over ransom money to the hackers; Keene Mayor Gary Heinrich said the hackers were demanding $2.5 million from the targeted cities, but he had no plans to pay them anything.
Krebs told an audience at Auburn University that giving in to hackers’ demands, as some cities and counties have done in other incidents, is “rife with peril.”
“Ransomware is not going anywhere; it’s only getting worse,” he said, noting that with more coordinated attacks and bigger payouts, monies are fed back into the business model. “Do you trust a criminal?” Krebs highlighted how in some cases payouts were handed over only for the victim to find that the decryption isn’t complete. “So what did you pay for?”
“If you do pay out you’re just incentivizing the ransomware actor to keep doing this,” he said. “It is not in the interest of your next-door neighbor or the next county to pay.”
“If we can divine anything from Texas, we can tell other states ‘here are things you can do to make sure you’re not next.’”
CISA’s new strategic vision and operational priorities document lays out the guiding principles of leadership and collaboration, risk prioritization, being results-oriented, operating with respect to national values and civil liberties, and acting as a unified mission and agency. Alongside the overall goals of “defend today, secure tomorrow,” mission support is a third emphasis.
“That means identifying the serious risks to critical infrastructure and evaluating whether they are being managed appropriately,” says the strategy. “If there is a gap, CISA must act as the backstop and bring options for technical assistance, help to drive policy changes, or find other creative solutions for mitigation. CISA must support critical infrastructure and other stakeholders so that they have the capabilities to manage national-level risks.”
Krebs’ operational priorities are outlined in the strategy as China, the supply chain and 5G security; election security; hardening soft targets; federal cybersecurity; and industrial control systems.
With multiple national security demands at CISA, Krebs said he spends as much as half his time lately on election security. “It is really, truly one of those things that keeps me up at night,” he said, adding that after Russia’s multi-pronged campaign influence operation in 2016, the midterm election in 2018 was the “safest, most secure election in modern history.”
“I know what the Russians did… I need to know what they’re going to try in ’20,” Krebs said.
That sort of prep involves vulnerability assessments and gleaning insight from allies weathering Russian attacks, such as Ukraine and Montenegro, then bringing back pertinent information to share with partners on the state level. Preparation such as training against phishing attacks, Krebs noted, is usually “much more valuable than specific indicators of compromise,” such as suspect IP addresses, thrown out to jurisdictions.
While CISA is “not sitting on top of networks pushing buttons,” the agency operates as “facilitators of better cybersecurity,” he said.
“We have to be relentless in driving down risk … our job is much more community-building, more capacity-building.”
Building capacity includes drawing and maintaining the best pool of cybersecurity talent, even from the liberal arts side of campus. “We have to make sure there’s a talent base that’s security first,” Krebs said. “It’s not about getting first to market… it’s about thinking how these things can be exploited and making sure they’re secure by design and secure by deployment.”
And while “the bad guys are getting better,” the CISA director believes “the defense has the advantage if we all work together” and resist isolation in silos.
Thinking of the “system of systems” from a strategic perspective, he said, CISA also must “continue to be relentless” in engaging the oil and natural gas industry in pipeline security. “Really our role is integrating across the sectors” in ensuring timely threat information is shared among critical infrastructure.
“We are the nation’s risk adviser,” Krebs declared.