Date: 2021-07-30
MS. NAKASHIMA: Chris, welcome back to Washington Post Live.
MR. KREBS: Hey, Ellen. Good afternoon. Thanks for having me.
MS. NAKASHIMA: So great to have you with us. You know, there's a lot of news we want to talk through with you today in the next 30 minutes, so why don't we just dive right in.
MR. KREBS: Sure.
MS. NAKASHIMA: This week, President Biden signed a national security memorandum aimed at boosting the cyber defenses of critical infrastructure. The program will be voluntary at first, but administration officials are signaling they're ready to work with Congress to make them mandatory, if necessary. After 20 years of a voluntary approach, Chris, is it time for regulation to make standards mandatory? What do you think?
MR. KREBS: Well, I think, you know, when you look back at history, when you look at about 10 years ago with the Lieberman-Collins bill, there was an opportunity to introduce at least minimum standards for cybersecurity for critical infrastructure that did not withstand an onslaught from certain corners, business interests. But I also think that perhaps at the time, industry wasn't ready. The cybersecurity industry wasn't ready. The technology vendors were not ready for a rigorous federal oversight mechanism, but in 10 years, so, so much has changed, both on the threat environment but also in terms of the security capabilities that are out there. And so we need to align those issues.
So, when you look back across the last several weeks now and even past couple months, you are seeing some indicators from the executive branch that more prescriptive or performance standard approaches are coming, the TSA directive, the first one about designated security officials, which is a bare minimum, right, just bare minimum that every company has to have a 24/7 security contact. We've had that in the shipping industry since Exxon Valdez, and it's time to bring that sort of same operational readiness posture to, at a minimum, pipelines but elsewhere. But then you saw the second directive that started dictating some performance standards. So, yeah, I think it's coming, and I think Congress is also taking a hard look at what congressionally mandated requirements are needed.
MS. NAKASHIMA: Yeah. In fact, you said you--yesterday you met with the House Democratic Caucus on ransomware, and is it your sense from talking to the folks on the Hill that the climate has now changed enough, that even regulation-skeptical Republicans will support legislation with mandates?
MR. KREBS: I think--I think so, and this is independent of any briefings I've given recently. You know, when you go back and you look at the confirmation hearings for Chris Inglis and Jen Easterly and you had a member of the Senate Homeland Security Committee and Senator Hawley from Missouri--he actually asked something along the lines of is it time for regulation or do we need to do--have more mandatory requirements, and so I think there is an appetite.
I think there's an awareness, particularly after Colonial and JBS, those ransomware events that finally really hit at a national level, Americans, you know, unfortunately what they care about but also kind of the capital centers in the economy.
But you also look at some of the legislation that's either underway, already released, or in the works. You look at Senate Intelligence Committee. Senator Warner and Senator Rubio and their bill on data breach reporting released the latest incident reporting requirements, and then, you know, pretty much every other committee, particularly the homelands are taking--Homeland Committee, Senate and House, are taking a hard look.
MS. NAKASHIMA: Yeah.
MR. KREBS: So, again, at a minimum, we have to have reporting requirements, particularly for ransomware. We don't understand what the denominator is and how many attacks are happening because companies are not informing the federal government.
MS. NAKASHIMA: Right. So I want to move on just briefly here to another recent news event. The Biden administration recently publicly condemned China for the February Microsoft Exchange hack, which was one of the most potentially disruptive nation-state cyberattacks in recent memory. It affected at least 100,000 servers worldwide, and they also got an impressive number of allies, including the EU and NATO, to express concern about attacks emanating from Chinese soil.
But in contrast to the case of SolarWinds, where the administration in April imposed sanctions on Russia, in this case, the administration did not seek to punish Beijing. Was that a mistake, and if so, why?
MR. KREBS: So, just thinking about that exchange event in general, it was a global-event attack in nature. I'm not sure it was the most destructive or disruptive because, you know, they got access, and it doesn't seem like they did much with it, other than just kind of hold access for potential future exploitation. And then also, interestingly enough, the FBI took some proactive measures to disable those activities.
But to your question about the attribution, the attribution itself was remarkable, as you pointed out. You had NATO and EU and others, and that was heartening to see. But to the larger point, if you're going to make an attribution, we have to have consequences and penalties attached along with it.
There were four indictments, three indictments on Chinese officers and a fourth indictment on a private-sector individual, a contractor. Indictments are good. Indictments, you know, limit the ability of those actors to be able to move around globally, but we have to start hitting them with some penalties.
One of the things I've thought about is what primarily drives at least the Chinese intelligence collection efforts over the last several years is that transfer from intelligence collection to commercialization. So I think we--as that same bloc or group of nations that did the attribution, we need to look at identify those companies that benefit from that intellectual property theft and put them on a ban list, say you cannot sell this. We are not going to buy your products if they're the product or byproduct of theft, and the Comac C919 aircraft that the CrowdStrike did a report on a couple years ago is a great roll-up of, you know, 20 different technologies that were stolen from western companies.
MS. NAKASHIMA: So, essentially, put some sanctions on them or export controls on them, on these Chinese companies that benefit?
MR. KREBS: Yeah. Look, I mean, if China wants to be a full-blown member of the World Trade Organization and participate in the global market, there have to be consequences and repercussions for behaving badly, and we've got to do more of it.
MS. NAKASHIMA: Right. And going back to SolarWinds for a moment, which was an espionage campaign, not a disruption, disruptive campaign, as far as we know, was the punishment commensurate to the crime, do you think, punishment being sanctions?
MR. KREBS: You know, we--let's also be clear, right, that we don't always know the full range of consequences that the U.S. government and our allies use when we make these attributions and the things. There could be covert action. There could be private diplomatic conversations. They're off--you know, kind of off-the-record engagements. We don't know the full range, but I think that it is time that we ratchet up the pressure on Russia again.
And I know that--and I've had these conversations with ex-foreign ministers, that we feel like we've sanctioned everything that's sanctionable, and that's simply not true.
MS. NAKASHIMA: Right.
MR. KREBS: You know, there was a great op-ed in The Post by Dmitri Alperovitch a couple weeks ago about how to ratchet up that pressure on Russia, and it's going after that secondary debt market. Think about, you know, the national champions of Gazprom and Rosneft really going after them so that they can't participate in that, again, in that global market, particularly in Europe.
MS. NAKASHIMA: Well, in fact, along those lines, in June, President Biden warned President Putin that if he didn't take action against ransomware groups operating from Russian soil--and most of these ransomware attacks are emanating from Russian soil--the United States would take action, and then three weeks later, there was the hack of the IT firm, Kaseya, which was one of the largest and potentially most disruptive to take, and so he warned Putin again. He said he'd take any necessary action to defend American critical infrastructure. Have you seen any indication these warnings have led to a reduction in ransomware attacks? Do you think it's the right approach?
MR. KREBS: It's hard to say. Again, let's go back to that understanding that we don't actually have a full understanding of the landscape of ransomware activity. Again, there's not a requirement for reporting, so that's why we need a mandatory reporting structure.
I still tend to believe that both the Colonial, the JBS, the Kaseya were probably aberrations in the typical ransomware actor playbook. I think they overstepped in some sense, and others, they were perhaps going for a different target or they didn't realize what they had. So it's hard to say why we haven't seen another pipeline get hit since then, so maybe that's success.
MS. NAKASHIMA: Okay.
MR. KREBS: I think the message was delivered. I think the message resonated. I think there's more we need to continue to do, but ransomware hasn't gone away. Yes, the DarkSide crew shut down. Yes, the REvil core or the team shut down. Why, we don't know, but we are seeing indicators that the DarkSide team and the REvil team or at least parts of it have recombined to create this new ransomware team called Dark Matter [sic].
MS. NAKASHIMA: Exactly. Right.
MR. KREBS: And so it's a really vibrant ecosystem that continues to evolve, and it's like water, right? It looks for the low spots, and until we put meaningful consequences on these actors where it's no longer profitable for them to participate and they don't want to participate anymore because they have--the risk is too high, that's what's going to change. And how you lever up that risk on them, I think that's where we're still exploring, and we certainly have not done enough to date.
MS. NAKASHIMA: Well, another thing President Biden did when he met with Putin is speak cryptically about the U.S. government's cyber muscle, right? He said he warned Putin, "We have significant cyber capability, and if they violate norms, we will respond." That suggests that the government, the U.S. government, can or would unleash attacks that can neuter or affect foreign adversaries' capabilities. Is that a realistic prospect, Chris? Are U.S. government offensive cyber operations a strategic tool or more of a tactical tool that can disrupt temporarily an adversary?
MR. KREBS: I, you know--
MS. NAKASHIMA: How should we think about this?
MR. KREBS: The answer is yes, I guess, right? I mean, it's both a strategic capability--
MS. NAKASHIMA: You think it's a strategic? Okay.
MR. KREBS: Yeah. Strategic and tactical.
But the biggest challenge here--and there was a great piece. I think it was in Lawfare last week or maybe early this week about how that--the lack of transparency in what cyber offensive capabilities really are and what they look like actually hinders the ability to have weighted and balanced conversations within deterrence or the deterrence conversation.
And part of, I think, you know, particularly for some of our adversaries, they trade a lot on overinflated capabilities, and so whether we'll ever achieve any sort of transparent--full transparency in what tools or capabilities we have, I don't think we'll get there.
But, nonetheless, we have to start--we have to continue that dialogue at the global level, rather. The UN's group of global--the government experts, the GGE, you know, updated their norm, the norms of behavior in cyberspace--
MS. NAKASHIMA: Right.
MR. KREBS: --a couple weeks ago. I thought that was continued progress.
But norms in and of themself when there are no penalties and there's no law attached to it, you know, that's not going to change behavior. Again, as a group of allies, we have to make it painful for these adversaries to participate in these behaviors. We have to disrupt their ability. That means going after the internet infrastructure they use. We have to be able to take them off network as much as we can, but also, we've got to make it harder for them to hit us here. It's still far, far, far too easy for the bad guys to come in here and take advantage of vulnerable networks in the U.S.
MS. NAKASHIMA: You know, you talk about getting like-minded allies working together to impose meaningful consequences on these adversaries, and the U.S. has been working at this for years. I mean, this UN set of norms, this is, I think, the third time that the Russia and China signed on to these norms that include you shall not let criminals conduct unlawful cyber activities on your soil, and they agreed to that. But they still let that happen. They do it. So what's it going to take, Chris? How are we going to make governments, allies work together to impose meaningful consequences?
MR. KREBS: Yeah.
MS. NAKASHIMA: Why is it taking so long, and why is it so hard, especially with China?
MR. KREBS: So the norms, you know, when you think about the target audiences for the UN norms, it's not exclusively or expressly for China and Russia.
MS. NAKASHIMA: That's right.
MR. KREBS: It's also for emerging--it's for emerging countries, right, that are getting into the space. They're thinking about developing these sorts of capabilities because it is increasingly open. Commoditization of malware and cyber offensive capabilities are a real thing. When you look at some of the offensive security tools that are just globally available, like Cobalt Strike, things like that are available to anyone, criminals or state actors, and so, as these emerging countries start thinking about dabbling in this space, we as global leaders need to be able to communicate, "Hey, these are the sorts of things--if you want to be--you know, if you want to play ball in the global economy, these are the sorts of things we expect you to participate with." And then you've got to use the separate sort of engagements with China and Russia as well.
But, again, you know, at least from a criminal perspective, I do think that the criminal space is a lot--is eminently more solvable than the state actor space. Espionage along the lines of SolarWinds, we may not like it, but that sort of behavior is going to continue to happen. Spies are going to spy, and so we have to just make it harder. We have to detect it. We have to mitigate it as fast as possible. What we really need to be thinking hard about--and this is what was so remarkable about the Chinese attribution last week was the call-out of Chinese behavior targeting pipelines, right, and it said that they were looking to develop capabilities down the road to disrupt functional operations of hard infrastructure.
MS. NAKASHIMA: Right.
MR. KREBS: That is what should have sent a chill up everyone's back in that they are--you know, they're looking to hold us at risk, and we have to aggressively root out that access, make it such that our infrastructure is more resilient.
Are we ever going to be able to eradicate or eliminate these sorts of activities? I don't think that's reasonable. I don't think it's cost effective. I think what we have to have is a more nimble response posture and a more resilient infrastructure that can take a hit and keep on pushing forward.
MS. NAKASHIMA: Could I ask you a quick CISA question? I wanted to make sure I got to this. Some have called for removing the cybersecurity mission from the Department of Homeland Security and making CISA its own Cabinet-level agency. Would you support that?
MR. KREBS: Are you trying to trigger me, Ellen? Come on.
[Laughter]
MR. KREBS: This has been a really interesting debate for a couple different years, and there was a--I think it was in New York Times, pro and con op-ed between Ted Schlein from Kleiner Perkins and Suzanne Spaulding, my predecessor, about should we have a department of cybersecurity. And I'm not fully on board with a department of cybersecurity just yet, but I do think we need to take a very hard look at the formulation of the Department of Homeland Security, which was thrown together in fairly rapid fashion in the wake of 9/11, a terrorist movement, response to the terrorist attacks, and take a look does DHS reflect our current national security priorities. And I think a rational evaluator, analyst could say it doesn't. I think we need to take a hard look at what are the core domestic infrastructure and just domestic resilience activities that take place within DHS and probably pull those together and then let the immigration and border pieces group themselves elsewhere, and so that would look like a CISA, FEMA, TSA, perhaps part of the science and technology mission working together, and there's plenty of pull-through between those different agencies.
Just look at all the work that TSA and CISA have done over the last couple years, and it's not just pipelines. It's also aviation security. As we continue to think about space, there's cybersecurity infrastructure issues with satellites, with space-based and ground-based space infrastructure. There's plenty of room for collaboration, and I think we just need to make it easier to work together, not harder.
MS. NAKASHIMA: Got it. So another quick CISA question here is back to ransomware. You have long been one of the voices out there warning about the threat of ransomware. I'm just wondering why you couldn't or didn't do more about it on your watch.
MR. KREBS: Yeah. Again, Ellen, with questions.
[Laughter]
MR. KREBS: I think it's a great question. Look, I mean, ransomware has been around for 10-plus years. It started off in a much smaller scale, and I think what happened is as it built up, it has historically been treated as a law enforcement matter, and it didn't really cross that threshold into national security imperative until probably about the summer of 2019. And it wasn't because 23 counties in Texas got locked up or seven parishes in Louisiana or Baltimore got locked up twice or Atlanta or Mecklenburg County. I mean, I can go on and on and on about specific events--
MS. NAKASHIMA: Of course.
MR. KREBS: --that should have been the wakeup call, but it was when we could connect the dots of our threat modeling for 2020 election preparation where we really narrowed it down to the greatest threats of the 2020 election. The top two threats were ransomware attacks on voter registration databases, and the second one was disinformation campaigns undermining confidence in the electoral process. And, thankfully, we didn't see any ransomware attacks on the voter registration database in part because we did launch an initiative about a year out from the election, but I think it's a fair question.
Rob Joyce talked about this a couple weeks ago. Rob is now the head of the Cybersecurity Directorate at the National Security Agency. He did a podcast with Patrick Gray, the Risky Business podcasting, and I think he put it in very stark economic terms of we have a whole lot of national security priorities and imperatives, and the threat landscape seems to be evolving and growing on a daily basis, but we only have so many resources. We only have so many people. We only have so many dollars, and we've got to rack and stack, and there are national security and intelligence priorities that we need to constantly and continuously evolve. And it's clear that ransomware, because of the disruptive threat to critical functions like pipelines, like the food supply, that it finally, perhaps too late, crossed that threshold.
MS. NAKASHIMA: Yep.
MR. KREBS: My view is that when they were hitting hospitals during COVID, that was more than enough to bear that national security threshold.
MS. NAKASHIMA: Okay. Look, in the few minutes we have left, I would be remiss if I didn't get to that other big priority in national security and cybersecurity, and that's disinformation and election security. President Biden just this week suggested that Russia was sowing disinformation to influence the 2022 midterms, called it a "violation of our sovereignty." What do you think of his remark, and have you seen any evidence of Russian efforts with regard to 2022?
MR. KREBS: So, you know, I obviously don't have intelligence read-ins anymore. I don't get to see what's in the PDB, the Presidential Daily Briefing. You know, it's not surprising that there would be information to suggest that either the Russian Intelligence Services or some of their proxies are continuing to stoke--you know, undermine confidence and stoke chaos in our democratic processes. You know, I got to admit, though, they don't have to try too hard because we're doing a pretty good job of it ourselves here at home.
But what I would also encourage the administration to stay on point on is that China from a disinformation perspective is much more subtle, much more insidious. They work it at a local level, you know, where China--or Russia tends to be more of the arsonist. They're much more subtle in terms of laying their groundwork, and you hear Chris Wray, the director of the FBI. Every time he testifies, he talks about opening Chinese counterintelligence activities or investigations every 10 hours. I mean, it is a remarkable--
MS. NAKASHIMA: Sure.
MR. KREBS: --a remarkable campaign.
But I will say this. As I was leaving the administration last year, as I was thinking about what I would say to my successor, now Jen Easterly, two key priorities, one is ransomware and second is disinformation. And the administration--every government out there, U.S., European, elsewhere has to be thinking about disinformation as a strategic threat, and much like we were having these equities battles 10, 15 years ago on cyber, if you remember the bubble charts of General Alexander and DHS at the time--
MS. NAKASHIMA: Yes.
MR. KREBS: --who owns what, we have to have those same conversations now. What are the lanes of responsibility? And that is one of the things that we're looking at over at the Aspen Institute Commission on Information Disorder: What are the roles and responsibilities of government? How do we increase transparency in the platforms? How do we boost trust throughout the ecosystem?
MS. NAKASHIMA: CISA under your leadership was pretty active in countering baseless claims about the election and stolen elections, but how far should CISA's role extend in the disinformation, misinformation debunking space? Should it go much beyond election security to--I know you talked about 5G towers, about spreading COVID, but what--should you be debunking all disinformation, misinformation at CISA? What do you think?
MR. KREBS: I think if there's an infrastructure nexus, there's an opportunity for CISA to contribute.
I think what's probably the way that I was hoping it would evolve--and I think there's still some room to grow here--is that rumor control, which was what we developed in the run-up to the election--in fact, we launched that, I think, on, I want to say, October 20th, right before the Iranian disinformation email campaign. But that sort of infrastructure for rumor control, that's a skill set. That's a discipline. That discipline can be augmented by subject-matter expertise on whatever the topic of interest is. So, whether it's COVID, you could layer it on top. If it's 5G, you layer it on top.
So I think CISA has an opportunity to--you know, just like disinformation as a service is emerging, disinformation for hire, rumor control is a service, prebunking, debunking disinformation as it hits us on those infrastructure-related and national security-related topics. I think there's plenty of opportunity there.
Again, the challenge here is you have to think about disinformation holistically, strategically over the top.
MS. NAKASHIMA: Right.
MR. KREBS: You have to figure out what the elements are. Disinformation, prebunking is one, but civic education, awareness building on how these things happen, digital literacy. There's so much opportunity out there for the government but also the private sector and others to engage.
MS. NAKASHIMA: A number of elected Republicans at the federal and state level are continuing to baselessly question the legitimacy of Biden's election and are pushing for election audits. Are those efforts undermining faith in the electoral process, Chris, and could that spill over into 2022 and 2024?
MR. KREBS: Ellen, we've got, like, two minutes left, and you ask me a question like that? Come on.
MS. NAKASHIMA: You have the two minutes.
[Laughter]
MR. KREBS: Absolutely. I mean, what's going on in Arizona is a travesty. Their own--the Senate liaison just quit because of the inconsistency, the lack of transparency, and the lack of integrity in the process. There are certified, approved audit processes out there and firms, and it's not like audits just fell off the back of a turnip truck. They've been doing audits for years and years. We need more of them, in fact, but with a transparent methodological process, not what is happening in Arizona and is threatening to spread to other states.
You know, this thing drives me crazy, right? I mean, shame on those that continue to push the big lie, that continue to support this narrative that the election was stolen, and, you know, the former president pushes this still. What it all comes down to, this is all about a--this is a power play, and this is about fundraising. And that's all it is, and it's a shame because the United States of America has it all on the line right now over a couple bucks.
MS. NAKASHIMA: Wonderful. Should CISA--
MR. KREBS: [Unclear] trigger.
[Laughter]
MS. NAKASHIMA: Last question. Should CISA be doing more to debunk this big lie, do you think, on elections, or should they leave it to others like you?
MR. KREBS: I don't--I think CISA has done their operational role, and they've done it admirably and effectively. I think there are others in the community that are better situated right now to take this head on. I think what's happening out in Arizona with Stephen Richer, the county registrar, he's doing a fantastic job.
But, ultimately, you know, some folks, unfortunately, are too far gone. I think there's alternative reality bubble that's set up around this. I mean, I--you know, I make the mistake of diving into Twitter at times and looking at some of the comments that are made and--
MS. NAKASHIMA: Yeah.
MR. KREBS: --you know, the alternate realities that have evolved.
So CISA needs to continue focusing on their mission and let others take on this problem as it continues to metastasize.
MS. NAKASHIMA: Well, Chris, we'll have to leave it there, unfortunately, but thank you so much. This has been a terrific conversation, and thanks so much to everyone else out there for joining us. Chris, looking forward to having you back again soon.
MR. KREBS: Thank you.
MS. NAKASHIMA: I'm Ellen Nakashima. As always, thanks for watching.
