Chris Krebs may be best known for being fired as director of the Cybersecurity and Infrastructure Security Agency (CISA) in a tweet by then-president Donald Trump after he refuted Trump’s claims of election fraud in Nov. 2020. Since that firing, Krebs Stamos Group, run by Krebs and Alex Stamos (former Facebook chief information security officer), has emerged as a trusted voice in cybersecurity.
Two weeks ago, Krebs joined CISA’s Shields Up campaign to raise awareness of Russian hacking as tensions around Ukraine escalated and to provide businesses with resources to ward off cyberattacks. While the U.S. government is most concerned with potential attacks on vital infrastructure, Krebs says private businesses large and small are at just as much risk, and attacks on them can be just as damaging to the U.S. economy. Krebs spoke to TIME about potential counter-attacks and how business leaders can protect their company’s interests as the U.S. imposes more sanctions on Russia and Putin.
(This interview has been edited to be more concise.)
Experts warn that Ukraine’s conflict poses a unique cyber threat to both U.S. companies and Western organizations. What is the reason for this?
We know for one that Russia’s security forces are highly skilled in cyberspace. Ukraine has the unfortunate designation as being Russia’s test kitchen for some of their cyber tools—the Russians have taken down the Ukrainian electrical grid twice, both in 2015 and 2016. Then they launched NotPetya, which was the largest cyberattack of its kind in human history. [ransomware widely attributed to the Russian military that targeted Ukraine’s government, financial, and energy institutions, as well as global companies with offices in Ukraine] It was June 2017. So we know that they’re not afraid to use their tools, generally speaking, but also specifically in coordination with a military assault and invasion. They used massive attacks on Georgian government agencies when they invaded Georgia in 2008. They also used the classic method of disinformation spreading and falsifying operations.
Unfortunately, we also have a history of Russian cyberattacks. They targeted some of our energy companies a few years back, then there were the SolarWinds espionage cases last year. [a malware attack that gave Russian intelligence officials access to data from thousands of US government agencies and private companies]. So when you combine the capability, their willingness to use it, and their prior targeting of American businesses and Western businesses in general, there’s a nonzero chance that something could happen. There’s no specific credible intelligence or information that I’ve reviewed, but there is a nonzero chance.
Business leaders need to be taking this situation seriously—beyond the fact that of course there’s a tragic war in Ukraine—because there could be spillover effects here in the U.S. and in the West.
Which sectors are you most concerned about when it comes to Russian cyberattacks? Are you ready to take action right now?
Given the information we have available to us—and that tends to be history, so the sectors they’ve gone after in the past, as well as the incitement that we may see from sanctions—then I would say our experience with Russia in what we could anticipate would include banks, because we’ve sanctioned a number of their banks. In the past, they have targeted energy companies in Russia. And they’ve also gone after transportation and the aviation sector. So when we pull this all together, it’s critical lifeline sectors with engagement between government and industry.
Every organization can be affected, or should at least plan to be prepared, because we’ve seen ransomware actors in the past not necessarily be as strategic in their targeting, instead being incredibly opportunistic. Schools and hospitals could be targeted if part of their objective isn’t necessarily to disrupt the economy, but to instead disrupt the psyches of American citizens.
What is it? Are we seeing cyberattacks in these past days?
The first one is to directly target organizations in Ukraine. We’ve seen some of the denial of service attacks. There’s the HermeticWiper [malware that destroys data]. This week, it was earlier in the week. Operational control over malware is sometimes difficult. The internet has a global network. It was reported that the HermeticWiper malware was installed in Ukraine. However, due to the network architecture and policy embedded in execution instructions, the malware can spread wherever there are connections. This included Latvia and Lithuania in this instance.
My opinion is that average Americans are smaller than small. It seems very distant to many business owners when they hear about cyberattacks and malware. How tangible an impact could these issues have on American business?
If we’ve learned anything in the last 12 to 14 months, it’s that the kind of mythical cyberattacks that we’ve all heard about are perhaps not as rare or uncommon or distant as we previously thought. Many Americans saw the 2016 election as a reminder that cyber manipulation can be used against Washington, D.C., and even middle America. And then last year with the ransomware attacks on Colonial Pipeline and JBS Meats—ransomware actors are not discriminating necessarily, they’re not falling in line under a targeting list, going after big banks and government agencies. They’re opportunists. So if you have a network that’s not configured properly, or a system that hasn’t been patched, that could be a gateway for a ransomware actor to come in and encrypt and lock up your network. It can lead to loss of network control. It is possible to miss your payroll. Contracts and agreements can be broken. I live in the D.C. area and when Colonial Pipeline was hit I couldn’t get gas for a few days last summer. They pose real risks to your business. This puts economic risk at stake.
Are American organizations and companies prepared to face this type of threat, do you believe?
We’re as good as we’ve probably ever been. And we’re getting better every day. Because of ransomware attacks in the last year, we’ve seen a significant increase in cybersecurity awareness and improvement prevention services. Following Colonial, there was a lot of interest on the part of boards and executives. However, cybersecurity must be a top priority in business risk management. Directors and executives need to meet with their information security chiefs and department heads right now. They can ask for their support and tell them how they are doing to make the organization more secure. We can’t pretend that it’s business as usual right now.
You’ve been promoting a campaign called #ShieldsUp. What does Shields Up stand for?
Shields Up is all about optimizing your business. You must optimize your business for profitability so that customers can buy or receive products and services. Security can sometimes be seen as a barrier to new product features being released or communication with clients and customers. We need to provide security with the necessary support to defend our organization in these moments of conflict and where the enemy has previously used such techniques.
Multi-factor authentication must be widely implemented throughout an organization. Every CEO and every board should ask their information security team, “Are we at 100% multi-factor authentication across the organization?” If the answer is no, the question is, “How long is it going to take us to get there?” Deploy security monitoring services, like an endpoint detection and response (EDR) capability. Every member of the team should know who to contact if there is a problem. Finally, if an emergency occurs, you can call CISA or the nearest FBI office. If there’s something happening or coming, the government needs to know because we’re in a national security crisis.
Are there any other phishing emails that are a hallmark of Russian cyberattacks that business leaders need to be alert for?
Like the rest, they are economic rational actors. And so if the easy, basic stuff still works, they’re going to maximize it. Russian intelligence agencies have been known to use password-spraying, phishing emails and other simple tricks. They’ll go out on the internet criminal forums and buy password dumps that have been stolen from organizations. Secure your identity. CISA offers a wealth of information, the “known exploited vulnerabilities catalogue”. That shows you what they’re doing, how they’re getting into systems.
Are there any threats to everyday people’s online accounts and cloud services? Is it possible that Russian intelligence targets businesses and organizations where they have greater impact?
Well, I certainly think that the government is acutely focused on protecting critical infrastructure that leads to some of the national security and economic security implications that could come along with an attack, but every American needs to be aware of the information that’s being served up to you on social media. Don’t just retweet or share a video or a picture or some sort of post, just because it claims something. I’ve seen a bunch of these over the last couple days, trying to make claims about certain things that have gone on in Ukraine. To verify, look for reliable sources. Usually, when you see something on social media and you get excited about it, that’s when you need to start asking, “Why am I excited about it? Are you sure this is real? Or is this something that happened two years ago? Is this actually from today? And how do I verify that?”
Are you seeing increased cyber threats now that additional sanctions are being looked at?
It is my belief that sanctions will pose an asymmetric threat to countries or organizations. And the harder the sanctions become, the more stress the Russians will feel and they will begin acting out. The Russians have historically targeted non-governmental international organizations as well as governments that called out their corrupt behavior. Consider the Russian Olympic doping scandal. The Russian GRU pursued the European anti-doping laboratory. They targeted the South Korean Olympic Games, and to some extent they also went after the Tokyo Summer Games.
So when I see things like Formula One canceling the Russian circuit, when I see Eurovision canceling or taking out any Russian participants, when I see UEFA moving the Cup games from St. Petersburg to Paris, I would probably be looking for some sort of response, whether it’s from a government agency, a nationalistic hacker, or a ransomware hacker. They use some of their more asymmetric tools, their gray zone, to enforce as I’ve called it a little bit of “gangster diplomacy.” They use things available to them to make their displeasure known.