Krebs: Taiwan, Geopolitical Headwinds Loom Large

Published: 23/11/2024   Category: security

During a keynote at Black Hat 2022, former CISA director Chris Krebs outlined the biggest risk areas for the public and private sectors for the next few years.



BLACK HAT USA — Las Vegas — A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.
That's the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.
Krebs was fired from CISA for insisting the 2020 election was secure and fraudless ("We insist that we were successful — it was a singularly important moment in American history," he said at Black Hat. "And I think we did a pretty damn good job.") In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.
"I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people," he said.
In addition to geopolitical headwinds, Krebs noted that digital transformation, along with ever-increasing cyber-offensive capabilities from the bad guys, should have both the public and the private sectors on notice — or they risk falling hopelessly behind.
Taiwan Looms as Geopolitical Pressures Accelerate
In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.
Leaders need to plan out beyond the next two quarters, he noted. "You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what's happening in the Taiwan Strait."
A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.
"Political headwinds have big effects and you have to game these things out," Krebs noted. "I don't know if it's going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they're pretty confident that's going to come to a head between China and Taiwan."
He added, "And if you want to be in a position to de-risk your operations, you have to start that yesterday."
While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.
"Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance," he warned. "And yeah, they're also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future."
Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.
"You have to have a set of principles," he said. "You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we're not impacted by sanctions, so we're good, we don't really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you're going to have a problem. You're continuing to support the Russian war machine."
Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products far outweigh the downsides.
"That's because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market," he explained. "So we're building more products that are insecure by design because of the market pressures."
Meanwhile, as the ongoing mass migration to the cloud is being done in an effort to increase flexibility, elasticity, productivity, and efficiency, an ancillary result was a reduction in the ability for firms to see what's happening across their infrastructure.
"We've made it more complex, and we've also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there," Krebs said. "Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors and how you interact with it?"
Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.
Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.
"I think we all agree there's going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly," he said. "Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it's becoming more complex, not less."
He noted that William Gibson had this reality pegged when he released the book Neuromancer in 1984.
"He coined the term cyberspace," Krebs said. "But it's how he described cyberspace that was so captivating — the unthinkable complexity of cyberspace. We're there right now."
The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.
"We see an overreliance on checklists and compliance rather than performance-based outcomes, so we're not getting the security-related outcomes we want," he noted, adding that to boot, what oversight does exist isn't implemented well.
Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch, Krebs said. "We have 101 civilian agencies, and every single one of them is running their own email service. So, we've got to fix that."
On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called the right moves.
"They're going more aggressively at the adversary at the command-and-control level," he explained. "But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware's ability to extract value from companies here in the US."
Ransomware has become professionalized, he noted, and cyberattackers' capabilities just keep getting better and better.
"The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation-states," he said. "They're profiting, and it's not costing them anything; they're getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to."
When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.
"The first thing is, it's fun. Second is, it's lucrative," he noted. "We get paid pretty well in this industry. And third, relatedly, it's durable; we're going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then last thing is, these are national security issues. The mission we're doing is incredibly important."
That said, the US workforce overall is becoming increasingly tech-native, which he's optimistic about.
"We're getting critical thinking skills coming along with the technology savviness that we're looking for," he said.
While there's much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.
"As evidenced by Black Hat USA at 25, we have a maturing industry," he said. "We're producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure."