Krebs: More 'destructive,' 'brazen' attacks possible from Russia

Then-CISA chief Chris Krebs at an August 2019 cybersecurity conference.

The federal government's former top cybersecurity official warned lawmakers today the SolarWinds Orion hack is likely not the worst attack the United States may see from Russia.

"Particularly emanating from those four countries -- China, Russia, Iran, North Korea -- the behavior will continue until the leadership has decided that it cannot tolerate further behavior," Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, told the House Homeland Security Committee at a Feb. 10 hearing. 

Krebs testified alongside Sue Gordon, the former principal deputy director of national intelligence, Michael Daniel, president and CEO of Cyber Threat Alliance and Dmitri Alperovitch, co-founder and a former executive at Crowdstrike.

The hearing was one of the first of several that lawmakers will likely convene to discuss the SolarWinds hack, which has so far affected hundreds of private companies and at least 10 federal agencies.

Krebs' warning came in response to a question from Rep. Lou Correa (D-Calif.), who asked the former CISA chief about what the country can do to deter further attacks. Correa said these attacks "should in all sense and purposes constitute a declaration of war on the United States."

Krebs suggested the government could prevent attacks by levying financial sanctions on adversarial nations and certain oligarchs. Correa pushed back on that, saying, "We've heard this suggestion a number of years ago in this committee, you go after their pocketbook, you go after the oligarchs. Yet, this has not been used. What's been deterring our country from using this?"

Krebs responded that the U.S. has used financial sanctions to that effect, but those penalties need to be matched by other international allies. "But at the same time recognize, there are certain behaviors that, unfortunately, are within the realm of acceptable cyber behavior" such as espionage against a federal government.

The topic of whether or not the SolarWinds hack constitutes an "act of war" is a discussion coming up often among elected officials. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.

"So far, all of the information that is available about this intrusion indicates that it is espionage," said Daniel, the Cyber Threat Alliance official.

Gordon told Correa flatly that the government cannot stop all attacks, but lawmakers can clearly define what kinds of attacks and impacts -- such as knocking out an electrical grid -- would warrant a response. She also said lawmakers should not limit responses to a cyberattack with a "cyber response."

Since December when the initial hack was discovered, CISA has become the government's primary agency for responding to the damage caused by the breach. That role has called into question whether CISA has sufficient funding and staffing.

Asked about funding by Rep. Jim Langevin (D-R.I.) today, Krebs said his agency had a $2.2 billion budget, but only $1.2 billion of that were put toward cybersecurity programs.

"However, of that $1.2 billion, about $800 million was focused on two programs," he said, referring to the National Cyber Protection System and the Continuous Diagnostics and Mitigation program. "That leaves several hundred million dollars for incident response and actually very little frankly for broader engagement with the critical infrastructure community."

Krebs added it is his biggest regret that he could not put more funding toward engaging state and local governments and other critical infrastructure entities.

Alperovitch, the former Crowdstrike executive, in his opening remarks recommended CISA be given the authorities and resources to effectively become the government's chief information security officer.

Asked about that idea, Krebs said the current federal CISO, which is part of the White House's Office of Management and Budget, is a in a policy setting position, while CISA focuses on policy enforcement. Additional funding for CISA to help agencies improve their security would leave the federal government "in a much better place," he said.