Christopher Krebs, senior official performing the duties of the under secretary, Department of Homeland Security

In the wake of recent breaches, organizations have become ever more conscious of their susceptibility to cyberthreats. Not all cybersecurity awareness, however, is created equal. “Traditionally on the IT side, we have been focused on security, and this goes back to 2003,” said Christopher C. Krebs, a senior official performing the duties of undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security (DHS).

Back then, he noted, the operating system Microsoft XP came out with serious security flaws, creating awareness at the tech company and among its corporate users about the need for IT security. But while that planted the seed of modern cybersecurity practices, it took over a decade for other companies to become aware of what Krebs called “operational security” (OT), or the security of physical hardware and critical infrastructure.

It wasn't until a slew of attacks on critical infrastructure—from the 2013 BlackEnergy malware affecting the energy industry in Ukraine to the “Dragonfly” hacking group targeting energy infrastructure in the U.S. and Europe years later—that OT became a widespread concern.

And it is here where Krebs' National Protection and Programs Directorate (NPPD) comes into play. “We're responsible for two main things: for DHS cybersecurity and critical infrastructure security,” he said, adding that the team looks to serve the 16 defined critical infrastructure sectors in the economy.

Yet, the NPPD isn't like other government agencies. For one thing, it doesn't have any regulatory authority. “I have no mandatory powers, it's all voluntarily,” Krebs said, explaining that the group offers cybersecurity services to critical infrastructure companies if they chose to use them.

Krebs breaks these services down into three parts: “One, is information sharing; two, is sharing and developing best practices and support; and three, is incident response [assistance].”

Of the three, information sharing is the team's most active task. “With 200 entities involved, in a little less than 18 months we've shared about 1.3 million unique indicators,” Krebs said. But he added, “It's not a lot; it needs to be more.”

Through the use of “automated information sharing (AIS) programs,” however, the NPPD is looking to grow the amount of information it shares and become more efficient in declassifying and disseminating actionable data, he added.

As an example of the benefit of such information sharing, Krebs noted that his team shared “a number of bulletin alerts and updates to state and local officials during the past election, and we continue to do that now.”

But it was the summer before the 2016 election that Krebs most clearly saw the success of the NPPD's information sharing come to fruition. During the early hours of the worldwide WannaCry ransomware attack, the team “was able to determine something was happening just about the same time everyone else was figuring it out,” he noted.

The NPPD “reached out to a number of security researchers and other experts we had on speed dial and immediately started sharing information on what we were seeing,” he added.

The efforts led to companies and government officials being able to understand and act on the threat quickly, mitigating its growth and protecting other networks from being compromised.

But for Krebs, this was not the only success against WannaCry. “If you ask me, the real success story was not what happened the day WannaCry was detected; it was all the work the businesses did in the months prior” to insulate their IT infrastructure from attack.

To be sure, federal efforts to protect critical infrastructure goes far beyond just the NPPD. Krebs, for instance, credits Executive Order 13800, issued in 2017 by President Donald Trump, with tasking the federal government with protecting federal networks and critical infrastructure sectors.

He also credits progressive cybersecurity work of past administrations, such as Executive Order 13636, issued by then-President Barack Obama, which helped identify what constitutes critical infrastructure in the U.S. and provide cybersecurity assets to the companies that manage such infrastructure.

In addition, there was also the foundation laid by former President George W. Bush's Comprehensive National Cybersecurity Initiative (CNCI) and former President Bill Clinton's Presidential Decision Directive 63 (PPD-63).

Yet despite the government support, Krebs believes securing critical infrastructure will only get more difficult given the growth of mobile devices and internet-of-things (IoT) connections.

In addition to federal aid, what Krebs believes is needed now more than ever is scalable cybersecurity solutions that can that help mitigate the cybersecurity threats of a company with multiple and ever-growing openings.

And he is cautiously optimistic such solutions can come into effect, especially those which “leverage machine learning,” he said. “Bringing machines into the defensive side, that is where we need to be going.”