In Brussels today, NATO and Russia are in security talks. NATO allies are concerned about Russia's military buildup near Ukraine's border, but boots on the ground are not the only threat that's raising concern.
In the past, Russia has used an array of other tools to destabilize its adversaries — including cybertactics.
Yesterday, three US agencies that focus on cybersecurity released a report detailing the cyberstrategies in the Kremlin’s toolbox.
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, one of the agencies that produced the report, was the top person responsible for improving cybersecurity across the US government under the Trump administration.
Now a partner with the Krebs Stamos Group, a cybersecurity consultancy, Krebs joined The World’s host Marco Werman to discuss what the US is doing to mitigate Russian cyberthreats.
Marco Werman: Chris, what stands out to you from this report? What do we know now that we didn't before?
Chris Krebs: It's a pretty remarkable report, both for what it says and what it doesn't say. So first, on what it says, is it gives a very broad rundown of the capabilities, the techniques of the various cyberoperators affiliated with the Russian government — and they are quite capable. So it gives cyberdefense teams good insight and things to look for, as well as some good guidance on how to prepare in the coming weeks and months. But more importantly, I think what is not in the alert is the timing of the alert. As you mentioned, US government officials are negotiating and having discussions with the Russians, and, assuming those do not play out well, and the Russians in fact move in to Ukraine, the US government and their allies, our allies, will take pretty strong steps, from what I understand, including very, very aggressive sanctions, and that will stoke the ire of these cyberoperators. And I would expect them — and I think that's what the US government expects — that some of those Russian government cyberoperators will then strike out at US companies and other organizations. Again, assuming a series of events takes place, including robust sanctions from the US government.
Right. So, in recent memory, we've covered the SolarWinds hack and the Colonial Pipeline attack. Are these some of the major cyberbreaches that this report is responding to?
Partly. I think the SolarWinds or the broader Russian SVR [Foreign Intelligence Service], which is the equivalent, effectively, of the CIA, that's probably the most recent. But the Russian government cyberoperators have been very active over the last several years, not just here in the US, but also, I think, probably more notably, in Ukraine. Two years in a row, they shut down the electric grid right around Christmas time. And also, my first year in the Trump administration, they were responsible for a Ukrainian-origin event known as NotPetya, that unfortunately had a global cascade. So I think organizations really need to be thinking about the first-order effects. You know, what happens if Russia does in fact move into Ukraine? If you have operations there, you need to be thinking about what the impacts are. But what are going to be the secondary and tertiary effects, including if the US responds with sanctions, how will the Kremlin react?
On the defensive side, Chris, has the US government been able to build up some of its cyberinfrastructure to prevent similar action from Russia in the future? And does it do that in coordination with the private assets that might be attacked?
So, CISA has been doing a good job quietly over the last several months, engaging private-sector partners as we've seen this build up along the Ukrainian border. There has been a pretty substantial emphasis on improving critical infrastructure cybersecurity over the last several years, in fact, going back several administrations. But there's still a significant amount of work to do because unfortunately, the adversary gets a vote, too, and the increase of defensive capabilities is not always directly pegged to the sophistication or capability of the adversary. So, as we improve defenses, we have to continue to make the bad guys pay and make them not want to play the game anymore. And that's just cost imposition and deterrence.
And when it comes to offense or retaliation, is the US also capable of similar cyberattacks on Russian assets, as a response to Russia's action? And has the US shown a willingness to strike back?
You know, without getting to any specific capabilities directly targeting the Russians, I think if you step back, I mean, the American government, between the intelligence community and the Department of Defense Cyber Command, has been in this game for quite some time. They are remarkably capable and our adversaries recognize that. So, we absolutely have capabilities, and I think we have a different value system, though, in which we use them. We certainly … like the Chinese government, we do not use our capabilities for domestic commercial gain, which they've been known to do. And we stay away from critical infrastructure. I mean, that's just kind of the rules-based order that we stick to, that unfortunately our adversaries don't always play by the same game.
I know you said, Chris, that the US has a different value system, but I do wonder why the US is in a position to call out other countries who do this stuff if the US is engaged in it as well.
Well, I think you have to differentiate the sorts of actions that we're talking about here. Intelligence collection is as old as mankind, but when we talk about cyberdisruption operations against critical infrastructure, against energy grids, against communications infrastructure, in a steady state peacetime, that is just not the way that I think the US or allies in the West and elsewhere have engaged.
Chris Krebs, you've seen this from the inside. What are some of the biggest holes in the US government's cybersecurity right now, and as I look at the calendar, next November, in the 2022 midterm, what are your concerns and how will Washington actually answer them?
So, I think generally, in the United States, there are absolutely some underperforming sectors within the critical infrastructure community that the government has to help and we have to continue providing them support and resources. But there are going to be areas where there's been market failures, and I would expect to see regulation to some degree over the course of the next year or so. We've already seen some regulatory enhancements in the pipeline sector. This summer, the Transportation Security Administration used some of their authorities. We've seen the same in the rail and public transportation sector. I would also hope that the Congress can pass a cyber incident notification requirement. We don't even have that, right? In the US, if you suffer an attack from a foreign government or a foreign cyber criminal, you have no obligation or requirement to report that to the United States government. And that puts the defenders and the policymakers at a disadvantage when they're trying to formulate their own strategies and dialogue with the foreign adversary. So, we need — at a minimum — that cyber notification requirement. But to your point about elections, we still have work to do. We need to continue investing in American election administration and systems, robust post-election, pre-certification audits, but also recognize that our adversaries are not just using technical means, like targeting election systems, but they're using dis- and misinformation to undermine confidence. And that's probably my greatest concern going forward: just the soft space in between our ears, frankly, that the bad guys are really starting to tune in on and drive a lot of dissonance across America and drive a deep wedge between us.
This interview was lightly edited and condensed for clarity.