Emphasizing data privacy and cybersecurity policy at the federal level is critical to preventing future ransomware threats against both private and public industries as the U.S. transitions into increasingly digital and remote work.
Speaking at an Axios panel on Thursday on the future of data security within Congress’ legislative agenda, guests including Rep. Ted Lieu, D-Calif., and former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs discussed the pressing need for robust cybersecurity protocols and data protection, especially within the federal workforce.
“It’s pretty clear to me that we’re still way behind in terms of cybersecurity,” Lieu said.
Both he and Krebs highlighted that network security has become more important as most of the workforce pivots to full-time remote operations. Lieu noted that the expansive government contracting field has the potential to be exploited by hackers.
“We [the government] have private contractors make things, and so when you have all these private contractors in the supply chain, and when it comes to software and even hardware if you don’t have vulnerability disclosures, those are weak links, and people can go through these weak links and attack the federal government systems,” Lieu said.
Despite noting the public sector is still behind in terms of adequate cyber defense systems, Lieu praised the Biden administration’s tougher stance on developing a stronger cybersecurity posture within the federal sphere.
Cybersecurity and data privacy have both enjoyed broad bipartisan support following major ransomware hacks that occurred over the past 18 months. One of Lieu’s recently introduced bills, the Space Infrastructure Act, got support from Rep. Ken Calvert, R-Calif.
The bill would bolster the security infrastructure of the U.S.’s satellite system, a network that is critical to Americans’ daily lives, supporting GPS, ATM, and agricultural processes. Lieu said that the burgeoning space infrastructure is part of the growing connectivity ushered in by the internet of things.
Krebs noted that protecting government networks will get more difficult as these devices and systems become more interconnected.
“It’s only going to be more complicated and complex when we’re talking about the things we are trying to defend,” Krebs said. He explained that devices used for large processes open the door to malware opportunities, primarily within the internet of things.
Following his tenure at CISA, Krebs explained to Axios future correspondent Bryan Walsh that he is wary of the threat of a large-scale cyberattack from U.S. adversaries. He recalled the series of warnings the FBI relayed against Chinese state-sponsored attacks on some American information networks, particularly within the nation’s water utilities.
The best protective measures to take against cyberattacks are to heed advice from the government and data companies, Krebs said, and to adopt defensive mentalities like assumed breach and layered defense mechanisms.
“If you have to pay, it’s too late,” Krebs stated. “What every organization needs to be doing right now is…really think through what their strategy is.”
He noted that these actions can have a positive impact until the federal government adopts more resilient cybersecurity procedures, such as those outlined in the bipartisan Cyber Incident Notification Act of 2021, which was excluded from the recent draft of the National Defense Authorization Act.
While the nation’s critical networks are also vulnerable targets to ransomware attacks and cyber espionage, Krebs said that undermining the strength of U.S. democratic processes is another looming threat.
“Disinformation, I think, is the great national security threat that we do not have a good answer for or our arms around,” he concluded. “We need a national security plan to counter disinformation.”