The recent flare-up between the United States and Iran following the killing of one of the Islamic Republic’s top generals in a U.S. airstrike resulted in a “heightened awareness” of Iran’s cyber capabilities among state and local governments that shouldn’t be wasted as tensions subside, the Department of Homeland Security’s top cybersecurity official told a roomful of city leaders on Wednesday.
“While it may look at this thing has cooled off for the time being, let’s take advantage of this moment,” Chris Krebs, the director of DHS’s Cybersecurity and Infrastructure Security Agency, told attendees of the U.S. Conference of Mayors winter meeting at a Washington hotel. “Even if the Iranian threat is gone, you know what’s still out there? Ransomware. That’s something every single person in this room needs to be thinking about intimately.”
Krebs recounted how he had returned home from a holiday vacation to the news that Maj. Gen. Qassem Soleimani, the commander of Iran’s elite Quds Force, had been killed in a Jan. 3 airstrike, and proceeded to retweet an advisory his agency had sent about Iranian cybersecurity threats. Over the next week, CISA sent out more notices to the critical-infrastructure groups it works with, including state and local governments, and held multiple conference calls that Krebs said each had more than 5,000 participants dialed in.
Several state and local governments during that period, including the District of Columbia, said they were being more aggressive in monitoring their networks for traffic emanating from Iran.
While the situation between the United States and Iran has since de-escalated, Krebs reminded the mayors that ransomware remains an active threat to state and local governments.
“It’s happening on a daily basis,” he said. “If you have not experienced it, it’s a matter of when.”
Krebs added, though, that CISA has a much better understanding of what goes on in the public sector than in private businesses, which he said do not share as much information with his agency.
Later, Krebs told reporters that the focus on ransomware now includes CISA’s role protecting states’ election systems, particularly voter registration databases. It’s a concern that some states’ top election officials have voiced themselves, after witnessing ransomware attacks on other agencies and communities within their states. But Krebs said the window after Soleimani’s death has provided an opportunity for tech officials to be more active in getting their bosses to pay attention to cybersecurity.
“We really want to take advantage of this heightened level of awareness so [chief information officers] and [chief information security officers] can walk into their chief executives and say these are the things to do so we don’t get owned and lose the voter registration database or the court system or whatever it is,” he said.
He said that network protections can also come in handy against government-backed cyberattacks, such as those using Trojan horse viruses to drop ransomware payloads.
“If you can defend against Emotet, Trickbot, you can tend to defend against a good portion of the advanced persistent threats,” he said.
Elsewhere, Krebs said he is angling to expand the resources and personnel CISA deploys across the country, including potentially offering the continuous diagnostics and monitoring program it runs for federal networks to state and local governments. There are also bills moving through Congress that would give CISA a bigger nationwide presence to serve as strategic advisers to state and local governments, including one introduced last week that would give each state a federal “cybersecurity coordinator.”
The National Association of State Chief Information Officers on Wednesday included some of these measures among its top federal priorities.