“Black Tuesday” for cybersecurity came on November 17, when the President of the United States fired Chris Krebs, the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Mr. Krebs had the temerity to do two things. First, he led the federal agency primarily responsible for securing the 2020 election effectively and with style, lending experts to conclude that the election was the most secure in American history. Second, said “out loud” that the election was trustworthy, which undermines the President’s political narrative that the election was stolen.
There are no positives to the firing, which was universally condemned by cybersecurity professionals (just check “infosec Twitter”). Removing the nation’s cyber and election security leader during a presidential transition, when the threat of disinformation about the election result remains, undermines the homeland and national security of the United States. Firing Chris Krebs is convincing evidence that Donald Trump during his remaining time in office will not “faithfully execute the Office of President of the United States, and will” not “to the best of [his] ability, preserve, protect and defend the Constitution of the United States.”
This action, along with other developments, provide a “hockey stick” moment for cybersecurity. The actions taken by the elected and appointed leaders of the United States, over the next few weeks and months, will determine whether cybersecurity becomes far better or much, much worse. Public consciousness of the issue has never been higher – you will find the story of Krebs’ firing among the first articles provided on the websites of the Washington Post, New York Times, and CNN. The shocking cyber incidents of the proceeding years, like NotPetya and election interference in many countries, have helped to build the basis for further action nationally and globally. The Cyberspace Solarium Commission report demonstrates that there is bipartisan consensus that significant actions must be taken, even if there are minor disagreements about what a few of those actions should be. And there is even widespread agreement among global cybersecurity leaders and experts – the World Economic Forum held its “Cyber Davos” concluding on the same day Chris Krebs was fired – that like-minded nations must join to address cybersecurity together.
We are presented with both risk and opportunity. The risk is that nations will allow internal political divisions to undercut their national capabilities and actions, like firing Chris Krebs. The risk is also that nationalism and relatively minor differences on cybersecurity and privacy will limit international action. This path leads to chaos and losses that magnify the global damage the pandemic has caused. The opportunity is that we as a nation and a member of the global community can marshal public opinion about cybersecurity and privacy, political recognition of the need for action, and partnership with the private sector and civil society organizations to change the nature of the Internet and how we use it, not in decades but in mere years.
The author, Philip Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.