"We like security so much its in our name twice," Krebs joked during a wide-ranging discussion with Heather Dahl, of the Sovrin Foundation, at this week's conference.
That conversation ended up looking at a number of prominent issues for state and local governments, namely lack of security in election systems, the threat of foreign interference in the 2020 elections, and the role CISA can play in mitigating both.
America's Risk Adviser
Since its creation by Congress in 2018, CISA has seen an ever-expanding mission and a growing list of responsibilities. Tasked with creating resilient cyber policies for the federal government's 99 civilian agencies, CISA has sought to protect the nation's most critical offices and systems.But CISA is also increasingly an adviser and a benefactor to state and local governments as well. Newly introduced legislation would, if passed, broaden and solidify that mission — creating CISA liaisons to work together with state governments, for instance, or standing up a $400 million, CISA-administered fund from which state and local entities could apply for cyber-related grants. At the same time, the agency is working hard to secure election systems across the country in the run-up to the 2020 election.
Describing CISA as the nation's "risk adviser," not its risk manager, Krebs said that the role of his agency, particularly in regards to state and local government, is more advisory than regulatory. It includes culling data from both the federal intelligence community and the private sector in an effort to put together a "bigger picture" of what the overall threat landscape looks like for America.
With this bigger picture in hand, CISA is able to reach out to and inform and assist lower levels of government where needed.
Getting Serious About Election Security
CISA's new efforts to help secure the 2020 elections have been met with a number of challenges, but a lot of those challenges are constitutionally built in, Krebs said during the talk.“The technical challenges are actually underpinned by the broader administrative challenges of elections," Krebs said. "In the United States, article 1 section 4 of the Constitution says the states will determine the time and place for conducting federal elections. And that has manifested into about 88 election jurisdictions across the country."
This isn't the easiest system to secure — and it's become one that has all sorts of vulnerabilities that can be exploited by America's enemies.
"Prior to 2016 I don’t think it was on anybody’s radar that this was in play for geopolitical risk," Krebs said, alluding to the Russian interference in the last presidential election. "What we have done over the last couple years is put a lot of attention on risk assessments across the system — everywhere from registering to vote to certification of process. We’re trying to figure out where the risk really is across these systems and I think unsurprisingly what we’ve figured out is that the areas where information is centralized and is highly networked, that’s where a lot of the risk is. And what is that? Voter registration databases."
This is all a new process, and while the federal government has scrambled since 2016 to step up its game, state and local governments are also just catching up to these issues.
"The state and local folks, they didn’t understand in 2016 that they were on the frontlines of this geopolitical conflict, and they now are all on board," he said. "We have a dedicated information sharing and analysis center for state and locals — all 50 states and about 2,500 jurisdictions are engaged. So again the American people need to understand that we are engaged on this.”
The Geopolitics of Cyberwar
The conversation about election system integrity led to a larger one about nation-state competition and the ways in which adversary nations like China and Iran are seeking to use cyberspace to lower public confidence in America's institutions.“You have to think about the strategic objectives of the adversary," Krebs said. "To be able to change the vote at scale in an undetected manner given the decentralized nature of the individual voting machines in the United States is really complicated. It’s a high investment, there’s a lot of risk with it and it’s going to be difficult to achieve."
What enemy countries will do instead, he said, falls less along the lines of actual vote manipulation than psychological warfare.
"On the other hand, what if you just targeted one or two jurisdictions in key cases and then got caught — and then you amplify that," he said. "It’s not about a single outcome of an individual race — it’s about a broader destabilizing of the public [sphere], of our confidence in the system."
This tactic is an old one, he added, referring to it as a "Sputnik moment."
“In 1957, when the Soviets put Sputnik in space, they beat us into low orbit, that was shocking enough. But the fact that their continental ballistic missile that could geographically overcome oceans and reach out and touch us, that was a big deal. 2016 was the first time for elected officials, for the American public to truly understand that cyber could destabilize a democracy.”