(To receive weekly emails of conversations with the world’s top CEOs and business decisionmakers, click here.)
Chris Krebs may be best known for being fired as director of the Cybersecurity and Infrastructure Security Agency (CISA) in a tweet by then-president Donald Trump after he refuted Trump’s claims of election fraud in Nov. 2020. Since that dubious dismissal, Krebs, a respected voice in cybersecurity, has joined with former Facebook Chief Information Security Officer Alex Stamos to run Krebs Stamos Group, a cybersecurity consultancy.
Two weeks ago, Krebs joined CISA’s Shields Up campaign, to raise awareness of Russian hacking as tensions around Ukraine escalated and provide resources to businesses to ward off cyberattacks. While the U.S. government is most concerned with potential attacks on vital infrastructure, Krebs says private businesses large and small are at just as much risk—and can be just as damaging to the U.S. economy. As the U.S. ramped up sanctions on Putin and Russia, Krebs spoke with TIME about likely counter-attacks and how business leaders best protect their companies.
(This interview has been condensed and edited for clarity.)
Experts have been warning that the conflict in Ukraine poses an unprecedented cyber risk even for U.S. and Western companies and organizations. Why is that?
Well, for one, we know that the Russian security services are very capable in the cyber arena. Ukraine has the unfortunate designation as being Russia’s test kitchen for some of their cyber tools—the Russians have taken down the Ukrainian electrical grid twice, both in 2015 and 2016. And then they launched the most destructive cyberattack in history, the NotPetya attack [ransomware widely attributed to the Russian military that targeted Ukraine’s government, financial, and energy institutions, as well as global companies with offices in Ukraine] in June of 2017. So we know that they’re not afraid to use their tools, generally speaking, but also specifically in coordination with a military assault and invasion. In 2008, when they went into Georgia, they used destructive attacks against government agencies in Georgia. As well as their classic technique of spreading disinformation and false flag type operations.
We also have an unfortunate history of cyberattack experience with the Russians, of course. A couple years ago they were targeting some of our energy companies, and then you have the espionage cases from last year with SolarWinds [a malware attack that ultimately gave Russian intelligence officials access to data from about 100 U.S. government agencies and private companies]. So when you combine the capability, their willingness to use it, and their prior targeting of American businesses and Western businesses in general, there’s a nonzero chance that something could happen. There’s no specific credible intelligence or information that I’ve reviewed, but there is a nonzero chance.
Business leaders need to be taking this situation seriously—beyond the fact that of course there’s a tragic war in Ukraine—because there could be spillover effects here in the U.S. and in the West.
What sectors do you think are the most likely targets for Russian cyberattacks right now?
Given the information we have available to us—and that tends to be history, so the sectors they’ve gone after in the past, as well as the incitement that we may see from sanctions—then I would say our experience with Russia in what we could anticipate would include banks, because we’ve sanctioned a number of their banks. They have gone after energy companies here in the past. And they’ve also gone after transportation and the aviation sector. So when we pull this all together, it’s critical lifeline vectors with engagement between government and industry.
But every organization could be affected here. Or should at least plan to be prepared, because we’ve seen ransomware actors in the past not necessarily be as strategic in their targeting, instead being incredibly opportunistic. If part of the objective is not necessarily to be disruptive to the economy but instead disruptive to the psyche of the American people, then you could see schools and hospitals being targeted.
What kind of cyberattacks are we already seeing so far in the past few days?
Well, first is directly targeting organizations that are in Ukraine. We’ve seen some of the denial of service attacks. There’s the HermeticWiper [malware that destroys data] from earlier this week. Now, the challenge here is that operational control of malware can sometimes be difficult. The internet is a globally connected ecosystem. The HermeticWiper was apparently deployed and installed in Ukraine, but due to the network architecture, and the policy that was embedded in the execution instructions, the malware spreads wherever the network has connections. In this case, that included Lithuania and Latvia.
I think average Americans and small business owners hear things about malware and cyberattacks, and it feels very far away. What kind of impact could some of these things have on American businesses in a very tangible way?
If we’ve learned anything in the last 12 to 14 months, it’s that the kind of mythical cyberattacks that we’ve all heard about are perhaps not as rare or uncommon or distant as we previously thought. For a lot of Americans, the 2016 election was a bit of a wake up that cyber manipulation is a truly geopolitical tool or weapon that can be used not just against Washington, D.C., but middle America. And then last year with the ransomware attacks on Colonial Pipeline and JBS Meats—ransomware actors are not discriminating necessarily, they’re not falling in line under a targeting list, going after big banks and government agencies. They’re opportunists. So if you have a network that’s not configured properly, or a system that hasn’t been patched, that could be a gateway for a ransomware actor to come in and encrypt and lock up your network. What that leads to is a loss of network control. You could miss payroll. You can default on contracts and agreements. I live in the D.C. area and when Colonial Pipeline was hit I couldn’t get gas for a few days last summer. Those are real business risks. And it puts the economy at risk.
Read More: Pipeline Hack Sets Off Scramble for Gasoline
Do you think overall that American companies and organizations are prepared for this kind of threat?
We’re as good as we’ve probably ever been. And we’re getting better every day. Because of ransomware attacks in the last year, we’ve seen a significant increase in cybersecurity awareness and improvement prevention services. After Colonial last summer, I got a lot more interest from executives and boards. But we have to continue making cybersecurity a business risk management priority. We need boards of directors and executives right now, in this very moment, to talk to their information security department and their chief information security officers, ask them what support they need, what more the organization needs to do to be secure. We can’t pretend that it’s business as usual right now.
You’ve been promoting a campaign called #ShieldsUp. What does Shields Up mean?
Shields Up is about changing how you, as a business, are optimized. So most of the time you have to optimize for the bottom line, so you can sell your product or services and deliver for customers. And sometimes security can be seen as a hindrance to releasing a new product feature or communicating with clients and customers. Right now, in this moment where there is conflict, where we know the adversary has used these sorts of techniques before, we need to give security the support they need to help defend the organization.
That means implementing multi-factor authentication broadly across an organization. Every CEO and every board should ask their information security team, “Are we at 100% multi-factor authentication across the organization?” If the answer is no, the question is, “How long is it going to take us to get there?” Deploy security monitoring services, like an endpoint detection and response (EDR) capability. Make sure that everybody on the team knows who they need to call if they see something. And then if you do encounter an event, or some kind of incident, call CISA, call the local FBI office, they can help. If there’s something happening or coming, the government needs to know because we’re in a national security crisis.
Is there anything aside from standard phishing email awareness that is maybe a trademark of Russian cyberattacks that business leaders should be aware of?
They tend to be economic rational actors just like the rest of them. And so if the easy, basic stuff still works, they’re going to maximize it. The Russian intelligence services have used password spraying and phishing emails and all sorts of other basic tricks. They’ll go out on the internet criminal forums and buy password dumps that have been stolen from organizations. Lock down identity. CISA has a great resource known as the known exploited vulnerabilities catalog. That shows you what they’re doing, how they’re getting into systems.
Is there a threat to everyday people’s online accounts and cloud services? Or does Russian intelligence typically go after organizations and businesses where they can have broader impact?
Well, I certainly think that the government is acutely focused on protecting critical infrastructure that leads to some of the national security and economic security implications that could come along with an attack, but every American needs to be aware of the information that’s been being served up to you on social media. Don’t just don’t just retweet or share a video or a picture or some sort of post, just because it claims something. I’ve seen a bunch of these over the last couple days, trying to make claims about certain things that have gone on in Ukraine. Look for trusted sources to verify. Usually, when you see something on social media and you get excited about it, that’s when you need to start asking, “Why am I excited about it? Is this real? Is this from two years ago? Or is this in fact from right now? And how do I verify that?”
Now that there are additional sanctions packages being considered, are you seeing an increase in cyber threat each time a sanction package is released?
I do think that there will be an asymmetric threat posed to organizations or governments that impose sanctions, and the more painful those sanctions get, the more duress and stress that the Russians feel, they will start acting out and lashing out. The Russians historically have also targeted international organizations and non-governmental organizations that have called them out on their bad behaviors. Think about the Russian Olympic doping scandal. And the Russian GRU went directly after the anti-doping lab in Europe. They attacked the South Korea Olympic games and they went after, to a certain extent, the Tokyo summer games as well.
So when I see things like Formula One canceling the Russian circuit, when I see Eurovision canceling or taking out any Russian participants, when I see UEFA moving the Cup games from St. Petersburg to Paris, I would probably be looking for some sort of response, whether it’s from a government agency, a nationalistic hacker, or a ransomware hacker. They use some of their more asymmetric tools, their gray zone, to enforce as I’ve called it a little bit of “gangster diplomacy.” They use things available to them to make their displeasure known.
The original version of this story misstated the number of U.S. companies and agencies compromised by the SolarWinds attack. About 100 were ultimately compromised, not thousands.
- Employers Take Note: Young Workers Are Seeking Jobs with a Higher Purpose
- Signs Are Pointing to a Slowdown in the Housing Market—At Last
- Welcome to the Era of Unapologetic Bad Taste
- As the Virus Evolves, COVID-19 Reinfections Are Going to Keep Happening
- A New York Mosque Becomes a Refuge for Afghan Teens Who Fled Without Their Families
- High Gas Prices are Oil Companies' Fault says Ro Khanna, and Democrats Should Go After Them
- Two Million Cases: COVID-19 May Finally Force North Korea to Open Up