On the heels of President Joe Biden’s $2 trillion infrastructure plan, Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, suggested Wednesday that it was "well past time" for a large, federal grant program to improve state and local cybersecurity.
"I really think that it is well past time for a 21st-century 'digital infrastructure investment act,' where we provide the equivalent of block grants to state and local [government] where they can modernize their IT infrastructure," he said, answering a question on ransomware at a Center for Strategic and International Studies panel on the role of the Department of Homeland Security in cybersecurity.
"That'll improve citizen services," he continued. "That'll boost American tech companies. That will provide more high-paying, tech jobs to more Americans. And, yes, it will help stop ransomware."
Krebs highlighted shifts to cloud-based services and multifactor identification as avenues that such a plan could tap to improve state and local cybersecurity.
Krebs is best known for heading CISA's widely praised efforts to secure the 2020 election and his firing by then-President Donald Trump for not confirming unsubstantiated theories that the presidential election was fraudulent. But he also oversaw CISA and its predecessor division of the DHS, the National Protection and Programs Directorate, during the rise of ransomware targeting state and local targets.
At the panel, he said a series of government ransomware events in 2018 was his tipping point in categorizing ransomware as a national security priority.
"What I was most frustrated about, three years ago now at this point, was that it did not rank in terms of cybersecurity threats. We were still really focused on state actors and the exquisite threats posed by the Chinese MSS, the Russian GRU and SVR," he said. "But what I was seeing was American communities functionally disrupted by ransomware on a daily basis."
"Chris is absolutely right," agreed Michael Daniel, former White House cybersecurity coordinator during the Obama administration and current president and CEO of the Cyber Threat Alliance. "If you actually talk about what affects most Americans, they are never going to run into the Russian SVR. They're going to run into ransomware, business email compromise, other kinds of scams."
Ransomware efforts took the forefront for much of the panel.
Tim Maurer, senior counselor for cybersecurity at DHS, noted the agency recently announced a 60-day "sprint" to reduce ransomware — though he stressed the department's interest needed to continue long after the 60 days ended.
"I wish we could solve ransomware within the next 60 days," he said. "But that will not not be happening. It's more designed to draw attention to a particular priority area and empower the components of our work and also that of our partners — to drive that work forward and elevate it to a new level. "