The head of the Cybersecurity and Infrastructure Security Agency (CISA) said today that the spate of ransomware attacks that hit school systems in Texas and Louisiana over the past month “got pretty close” to qualifying as a “large-scale cyber event,” which he said begs the need to further develop Federal doctrine about how to respond to major events.
Speaking today at CISA’s 2nd Annual National Cybersecurity Summit, CISA Director Christopher Krebs recounted numerous CISA accomplishment over the past year, but also spoke about much work that remains to be done, including establishing Federal doctrine for responses to large cyber attacks.
Unlike in a shooting war, where rules of response and engagement have been worked out, “we don’t have the same doctrine built out for a large-scale cyber event,” Krebs said.
“We got pretty close this summer” to a large-scale cyber event with the ransomware attacks, he said. “I had some sleepless nights this summer,” Krebs added.
Based on those attacks, Krebs said CISA undertook threat-modeling activities which led to conclusions including that ransomware could be used against voter registration databases. That raises the question of “what is the resilience posture” in that event, he said.
The CISA director did not elaborate on that last point, but did emphasize that one of the agency’s “greatest priorities for operations” is to protect the 2020 elections. He said CISA and the rest of the Federal government cooperated to make last year’s elections “the most secure in modern history.”
“That was the warm-up,” Krebs pronounced. “2020 is the big game.”
Elsewhere in his remarks, Krebs issued a charge to industry to “take the hysteria” out of discussions about infrastructure risk. “This is not about selling products,” he said, adding, “Fear sells, but we have more to offer.”
“We have to be more straightforward about how we talk about things,” he said. “Are there risks in infrastructure? Yes. But we have taken the hysteria out of the equation … and have a measured conversation about the risk,” he said.