The tangled webs of Christopher Krebs and Russia’s cyberattack

Have you ever made a boastful statement and then been undercut by harsh reality? “My kid has never been in trouble in school because we raised him right!” The next day, little Johnny sets a fire in the boys’ bathroom.

Christopher Krebs had one of those moments this past week. Krebs was the head of a government organization known as the Critical Infrastructure Security Agency (CISA), which is charged with keeping the most sensitive parts of America safe from cyberattacks. And then President Trump made him famous by firing him.

Shortly after the presidential election in November, Krebs issued a statement that didn’t sit well with the president, using absolutes rarely uttered in the world of cybersecurity. The contest was, according to Krebs, “the most secure election in American history.” Oh boy. Are you sure you want to go there, director? You are just a single line of hidden malicious code or one dirty hyperlink click away from being proven wrong. 

Nonetheless, go there he did, doubling down on his statement in testimony before a Senate committee last Thursday, claiming strong confidence in an election process that happened on his watch and pointing out there was no real evidence of electronic ballot tampering by an outside entity. “I am not aware of any … (voting) process that was accessed by a foreign adversary,”  Krebs testified.

Unfortunately for Krebs, a fire in the boys’ bathroom was breaking out at the very same time he was confidently testifying before the Senate. A historically extensive, damaging and embarrassing cyber intrusion of key government agency networks, likely by a hostile foreign intelligence service, was discovered. The attack had been ongoing for months. All of this happened on Krebs’s watch. He was unaware of it because there was no evidence it was taking place … until there was.

As a result, Krebs’s credibility has taken a legitimate hit. It’s hard to assert expert-level confidence in secure voting processes while you’re completely missing one of the biggest cyber hacks of all time. But that’s the nature of the cyber threat we face. It is complex and often undetectable. That is why absolutist statements of certainty regarding the security of anything cyber-related are not advisable.

Christopher Krebs entangled himself in webs that are part cyber and fully political. But he is not the story. He’s a patriot and deserves credit for getting in the ring and taking on a problem that is really, really hard. No, the bigger story is that the government has hurt, more than helped, the battle to keep our infrastructure, our businesses, our identities and personal data safe from bad actors exploiting the internet. 

First of all, the U.S. government has done a lousy job of protecting even its own valuable secrets.  In 2015, China was able to steal from the Office of Personnel Management (OPM) the detailed personal information of 22 million Americans entrusted with security clearances. This was crown jewel-level secret stuff sitting on poorly protected servers. 

And then, in 2017, some extremely sensitive malware developed by our own government for use against U.S. adversaries was inadequately protected and escaped the confines of the National Security Agency. Once in the wild, that malware became the enabling engine of devastating ransomware attacks such as WannaCry and NotPetya that have cost U.S. citizens and businesses billions of dollars in losses. 

From Edward Snowden’s easy pilfering to the lax oversight of third-party software such as SolarWinds that led to the current emerging debacle, our government has demonstrated insufficient regard for cybersecurity. The expensive government program that was supposed to stop things like this latest massive attack was once characterized by the Obama administration as “an Atari game in an Xbox world.” The American people hardly can be faulted for questioning any government claim that a given system is secure.

Second, Congress and the various administrations over the past 20 years have failed to pass meaningful cybersecurity legislation that would help make the U.S. a more hostile environment for cyber-attackers. Congress seems interested in cybersecurity only when it comes to possible interference in elections — in other words, when it affects their livelihood. 

For the first time in our history, the private sector cannot depend on the government to help deter a crime. The government is confronting a digital enemy riding electrons with old analog laws and geographically-based jurisdictions. The villains are mostly anonymous and out of reach.  Victims are prohibited from retaliating. The field is tilted in favor of the bad guys with no relief in sight.

An immense cybersecurity industry has sprung up with a dizzying variety of glittering tools. Never before have we spent so much on cybersecurity — and never before have we been more successfully attacked. If anyone tells you we have a strategy against criminal and hostile nation cyber-attackers, tell them it isn’t working. If any government official tells you we are secure, tell him to check the boys’ bathroom.

Kevin R. Brock, former assistant director of intelligence for the FBI, was an FBI special agent for 24 years and principal deputy director of the National Counterterrorism Center (NCTC). He independently consults with private companies and public-safety agencies on strategic mission technologies.