The executive order acknowledges that our greatest cybersecurity tool 'is the power of the purse,' says Chris Krebs, who was fired by President Trump for saying the 2020 election was legitimate.
Heading up the government’s information-security efforts while the SolarWinds attacks went undetected, and then getting fired by President Trump for telling the truth about the integrity of the 2020 election, might make somebody pessimistic about the future of infosec. But Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA) director, sounded surprisingly optimistic during a talk this week in D.C.
Speaking at the Hack the Capitol conference via video (because his wife had come down with COVID), Krebs pointed to President Biden’s May 2021 executive order on cybersecurity as one reason for that hope—not because of its consumer provisions like security labels for smart-home gadgets, but because of its tougher requirements for federal IT contractors.
“It finally realizes the key point, probably the greatest point of leverage, that the United States federal government has in cybersecurity, and that is the power of the purse,” Krebs told his interviewer, Scythe founder and CEO Bryson Bort.
The order requires IT vendors to make upgrades such as providing a software bill of materials for their products and participating in vulnerability-disclosure programs, in effect telling them “you must be this tall to ride the federal government procurement process,” as Krebs phrased it.
“It’s going to raise the standard,” he predicted. “Software companies are not going to bifurcate their code base for the federal government and for everyone else.”
Krebs did, however, suggest that Congress needs to stop scattering cybersecurity oversight among various subcommittees, a key recommendation of the March 2022 report of the government’s Cyberspace Solarium Commission. “We have to consolidate and streamline congressional oversight,” he said.
Krebs’ conversation with Bort also turned to the question of whether IT vendors should be held liable for vulnerabilities.
Krebs counseled against that, saying “software is incredibly complex,” but suggested that a pattern of egregious carelessness might be fair game: “I do think we can take a harder look at the negligence standards.”
As for the private sector, Krebs suggested worrying less about nation-state attackers that aim at specific, high-profile targets. Instead, he advised bearing down on the problem of indiscriminate attacks like ransomware, which he described in business-model terms as a successful monetization of vulnerabilities and “stupid human tricks” that increase the exposure of businesses.
“If you are connected to the internet,” Krebs said, “you are on the playing field for that threat.”
Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.
© 1996-2022 Ziff Davis. PCMag Digital Group