Amid fears of attacks against the 2020 election, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) is making progress in its efforts to gain state participation in its cybersecurity programs, according to its director.
Chris Krebs — the director of CISA, an agency charged with protecting the nation’s critical infrastructure from cyberattacks — said at the Billington Cybersecurity Summit Sept. 5 that a significant amount of agency effort is “raising awareness” on potential ransomware efforts targeting state voter registration databases, in which an attacker encrypts a database and will unlock it for a fee, usually paid in bitcoin.
“We’re over halfway there to getting every state signed up for cyber hygiene scanning,” Krebs said.
Krebs also said that he’s trying to get states to take their participation a step further.
“The last hurdle here is vulnerability disclosure programs, making sure we get as many states as possible understanding the value of vulnerability disclosure programs so that they’re not going at it alone — they have a team of security researchers working behind them,” Krebs said.
Because states are in charge of their own election security, critical states that could swing the election may not be prepared for threats next year. Asked if he’s prioritizing security in swing states over other states, Krebs said that he is not.
“It’s who comes to us and asks for help, and then we’ll continue to refine down from there where we think the risk is,” Krebs said.
Cities, school districts and hospitals across the country have been hit by ransomware in recent weeks. Krebs told reporters that states have been coming to CISA for ransomware guidance.
“It’s been a pretty active communications pattern over the last several months,” Krebs said. “Ransomware is not a problem that’s going away.”
CISA put out ransomware guidance in late August in an effort to help states to protect themselves or recover from such an attack, but also prodded organizations not to make the payment to attackers.
“Every time a company, an agency, a jurisdiction, whatever, pays it out, it just validates the model,” Krebs said at the summit.
Moving forward, CISA is trying to “get ahead” of the cyberthreats going into 2020.
“So what we’re trying to do is just threat model here. We are trying to look at, given what we know today about what criminal actors are doing, what is the worst-case scenario a year from now? How can things get worse from where we are?” Krebs said.