Will politicization of security clearances make US cybersecurity firms radioactive?

With the US government now tying security clearances to the support of specific political positions, many in the security community fear it may tar US vendors with the same brush as their Russian and Chinese counterparts. Will enterprise CISOs now have to worry about whether they can rely on American threat intel?

More broadly, will security vendors, many of whom absolutely need security clearances for financial survival, take problematic positions to retain or obtain those clearances? 

“The reality is that I don’t think CISOs are cognizant of the implications here. The fact that Trump cozies up to Russia is problematic at best,” said serial enterprise security chief Jim Routh. Routh has held CISO and other senior cybersecurity roles at MassMutual (CISO), CVS (CSO), Aetna (at different times, both CSO and CISO), KPMG (CISO), American Express (CISO) and JP Morgan Chase (Global Head of Application, Mobile and Internet Security). Today he serves as the chief trust officer at security vendor Saviynt.

Routh argued that threats from Russia, China, North Korea, and Iran are much more important today than a few years ago. With government intelligence resources being sharply cut back, that means that enterprises must rely far more on commercial cybersecurity intelligence and services. Those are the firms that need security clearances, and what the White House did is politicize the process, Routh said. 

“This is an issue that CISOs need to worry about, and I don’t think they are,” Routh said. 

Risk that CISOs will lose faith in US firms

The risk with the politicization of security clearances is that CISOs around the world, including CISOs representing American enterprises, are going to start losing faith in the integrity of information coming from US cybersecurity companies. 

Routh said that he believes that, because he did it himself. When he was the CISO at Aetna, the team was evaluating Russian cybersecurity firm Kaspersky. 

Even though the technology was excellent and the group had heard nothing specifically bad about Kaspersky, they knew that it was tightly integrated with the Russian government, and they simply didn’t trust the Russian government. “I remember bouncing Kaspersky from everything in our enterprise,” Routh said.

“[Kaspersky] had some good capabilities but it was simply not worth it. We made a tradeoff decision,” Routh said, describing the relationship between Kaspersky and Russia as “cloudy and uncertain, very similar to China and ByteDance.”

Beauceron Security CEO David Shipley echoed and extended Routh’s concerns.

“What happens if [the Trump administration] asks you to look the other way on something?” such as the deletion of Russian state actor cyber attacks from threat intel files, Shipley asked. “Let’s say that certain exploits are being designed by [now friendly governments] and they say, ‘Don’t report this in your EDR.’”

He said that Trump’s actions are, perhaps unintentionally, a massive gift to cybersecurity firms elsewhere — from Canada, Australia, Israel, India, Germany and Japan, places that would love to displace US cybersecurity firms.

“The American tech brand itself just suffered a brutal beating. If I was a global CISO, I would be re-evaluating where I am sourcing my technology from to make sure that they are not being interfered with by their government,” Shipley said. “People have to start planning to switch technology vendors to those based in countries where the rule of law still exists and democratic norms still exist. The damage to the American technology brand will be incalculable. CISOs need [cybersecurity vendors] that are not following the political whims of whoever is in office.”

Besides Kaspersky, Shipley and others pointed to Chinese security equipment maker Nuctech as another good example of a security company tainted by its relationship with its government.

What brought this on

This is mostly a reaction to a White House order on Wednesday that tied security clearances to supporting political concepts. 

The order chastised Chris Krebs, the former head of Trump’s Cybersecurity and Infrastructure Security Agency (CISA). 

“Krebs’ misconduct involved the censorship of disfavored speech implicating the 2020 election and COVID-19 pandemic. CISA, under Krebs’ leadership, suppressed conservative viewpoints under the guise of combatting supposed disinformation, and recruited and coerced major social media platforms to further its partisan mission,” it read.

Trump then announced the punishment: “Those who engage in or support such conduct must not have continued access to our Nation’s secrets. Accordingly, I hereby direct the heads of executive departments and agencies (agencies) to immediately take steps consistent with existing law to revoke any active security clearance held by Christopher Krebs. I further direct the Attorney General, the Director of National Intelligence, and all other relevant agencies to immediately take all action as necessary and consistent with existing law to suspend any active security clearances held by individuals at entities associated with Krebs, including SentinelOne, pending a review of whether such clearances are consistent with the national interest.”

On Thursday, Krebs resigned from SentinelOne, presumably hoping that Trump would then spare the company and not remove its employees’ security clearances. 

The current status of the security clearances for both Krebs and SentinelOne is unclear. The White House statement said the agency heads should revoke Krebs’ credentials, but it never said if that had happened yet. The same situation exists with SentinelOne. Neither the White House press office nor the media relations contact at SentinelOne commented on the clearances’ current status.

Kurtis Minder, the CEO of GroupSense, a Virginia company that sells threat intel to enterprises, said that the kind of wholesale switching of cybersecurity companies described is difficult, but it may ultimately happen.

“When CISOs have to start taking into account the pedigree of the [security vendor’s] leadership and the political positions that they have held in the past, in my mind that becomes untenable,” Minder said. “It may have to happen, and that is a bad thing.”

“US CISOs would have to start wondering if those companies were safe bets,” he said, and “it would resurface concerns” about governments asking for spyware and backdoors.

Minder was one of several cybersecurity executives who are waiting to see if the SentinelOne incident proves to be isolated, or the beginning of a trend.

“Depending on how this one is pushed, and if it happens to another cybersecurity company for any reason,” Minder said, “this is the first volley and we’ll have to wait and see where it lands.”

Minder was candid when asked what his firm would do if a government asked them to do something that he felt would hurt their customers, and threatened to yank security clearances if they refused. 

He said that he would bring it to the company’s board, and all options would be evaluated in line with fiduciary obligations. 

Could just be payback

But not everyone interpreted the security clearance order as especially problematic.

“I think this is primarily an issue with Trump and Chris specifically. It has to do with the election issue. SentinelOne is just temporary collateral damage,” said Steve Zalewski, the former CISO at Levi Strauss. He has held senior cybersecurity roles at both Pacific Gas & Electric and Kaiser Permanente; today he is a cybersecurity advisor for S3 Consulting.

“Trump is just being a New Yorker who does not forget a slight. Chris crossed him and this is payback,” Zalewski said. “What if he does it to other security companies? I don’t think that is in [Trump’s] mind. I don’t think he’s trying to make a deal. He’s just doing a little payback.”

Most analysts declined to comment on the Trump efforts, but Will Townsend, a principal analyst with Moor Insights & Strategy, said he doubts that the order will have much of an impact on the industry.

“The US boasts the most cybersecurity companies in the world, led by Microsoft, Cisco, CrowdStrike, Palo Alto Networks, and Zscaler, among many others including SentinelOne. I don’t foresee CISOs moving their business to other regions based on what’s materialized with Krebs’ resignation,” Townsend said. “Many may speculate that the pressure on Krebs was politically motivated, since he led CISA, but only those with security clearances will know the truth, and if SentinelOne truly poses any risks as a security provider to the US federal government.”
