Join Gen AI enterprise leaders in Boston on March 27 for an exclusive night of networking, insights, and conversations surrounding data integrity. Request an invite here.
This is part one of a two-part series. Read part one here.
VentureBeat recently sat down (virtually) with Chris Krebs, formerly, the inaugural director of the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and, most recently, Chief Public Policy Officer at SentinelOne. He was a founding partner of the Krebs Stamos Group, acquired by SentinelOne. Krebs is also co-chair of the Aspen Institute’s U.S. Cybersecurity Working Group.
In Part II of VentureBeat’s virtual interview, Krebs emphasizes the need for organizations to improve their infrastructure’s cyber and physical security. He also shares his perspective on why supply chain attacks are increasing, with a specific focus on healthcare and manufacturing. Krebs also explains how generative AI needs to strengthen and improve human-centric security to make an impact.
The following is the second half of VentureBeat’s interview with Chris Krebs:
VentureBeat: How would you address the national security strategies around cyber and physical security with a focus on infrastructure? In the 2024 Annual Threat Assessment of the U.S. Intelligence Community just released, the report mentions Russia is particularly good at attacking infrastructure.
Krebs: We have a number of clients we work with in the control systems manufacturing space as well as in the hard manufacturing sectors, and so I am helping them think through what the current threat landscape looks like.
But I think one thing that we probably do a little bit more than others is look back historically on as you mentioned, Russia, so we’ll talk about Sandworm and the GRU, the military intelligence team. They’ve been very, very effective over the last several years. They were the ones in 2015, 2016, that brought down the Ukrainian grid. Andy Greenberg talks about this in his book Sandworm. And then they’ve done a few other things, NotPetya and then you’ve got some of the stuff in the Middle East and then even recently where they showed some really interesting capabilities with the Hitachi Micro SCADA events.
And what I keep seeing is this really interesting stairstep of capability and sophistication enhancements. And so, particularly with the last one, living off the land in control systems in SCADA is really, advanced. And so I’m like, what year is it? It’s like 2023, 2024. Where were they in 2015, 2016? Where do we think they’re going to be in 2027? And that’s what I push a lot of my team to think about. Based on this arc, where do we think they’re going to go? What’s the arc of the possible here? Let’s start working with our clients and customers to start closing out as many attack surfaces and entire classes of potential vulnerabilities as possible. And I think that gets you into a different mindset. When SentinelOne launched our new brand recently at our sales kickoff, I was just beside myself with our motto, “Securing tomorrow.” Because when I was at CISA, our motto was, “Defend today, secure tomorrow.”
And the entire concept here is that look; you can address the crap we’re seeing every day right now all day long. You’re always going to be fighting that stuff. But if you don’t take at least some portion of your day, of your week to think about where the bad guys are going and where you want to be in two years, and you start planning and executing that strategy, you’re always going to be fighting today’s stuff.
VentureBeat: How are the Chinese targeting infrastructure?
Krebs: It is also interesting that the Chinese have made such a shift in their infrastructure targeting strategy. For a decade plus, it was all about intellectual property theft and commercial espionage, almost to the point where the joke was they’ve moved on because they’ve stolen everything. There’s nothing left to steal. But obviously, it’s much different. And this is a much graver situation because their pre-positioning within U.S. critical infrastructure is tied also to their military plans. And with President Xi telling his military leadership that he wants to have not necessarily the decision but the ability to invade and take over Taiwan by 2027.
Part of this obviously is going to be about getting into position in critical infrastructure in the INDOPACOM operating area. But what’s most concerning about some of the Volt Typhoon and other reporting is that they’ve been discovered here in U.S. critical infrastructure in stuff that has no direct military support linkage. So, it’s not logistics, it’s not defense industrial base, it’s not U.S. military. It is civilian critical infrastructure.
And this gets to the why. And the why is almost the TikTok element, right? There’s a data security piece, and then there’s an influence operation piece. And this is just a further manifestation of that broader strategy of it’s not always about the technical attack. It’s about the psychological manifestations of the physical attack. And the Russians do this quite well.
And the Chinese are starting to adopt this strategy. And we have to be a little bit more, again, securing tomorrow, thinking about where the bad guys are going, getting out of our very technical cyber-only thinking of technology and what the risks are. The risks are probably much, much greater, frankly, on the human impacts of cyber-physical systems and attacks on cyber-physical systems.
Every executive right now needs to be thinking, “Okay, how could my systems become a target in an invasion of Taiwan by the Chinese? How could I get rolled up into this? How could I, frankly, right now, get rolled into disrupting the U.S. election in 2024?” It’s not just about voting systems. “Is there something else that I own, that I manage, that could get targeted, that could have some sort of impact?” And this requires, again, a much different level of thinking from the day-to-day, and it takes a lot of people out of their comfort zones.
But Change Healthcare is a great example here, who I think fully appreciated the role that they play in the healthcare system and facilitating that transfer between payers and practitioners. You really have to step out and say, “All right, if I was targeted and knocked out, what would the real big picture impacts be?” And I think we’re a little bit too asleep at the wheel in thinking about the next quarter and how we’re performing.
VB: Do you agree with the assessment that the bad actors look for weak supply chains where, let’s say, life hangs in the balance with healthcare to realize that they can extract inordinately large ransom demands?
So, in healthcare specifically, I think it’s not unreasonable to think about it that way, that there’s a lot of pressure on these organizations to pay.
I think it’s probably more likely that through enough repetitions and attacks, they’ve discovered that healthcare is really vulnerable: lots of legacy tech, not a lot of investment, and that the organization’s pay when under duress because of the life and death. You can start looking at organizations that have a similar profile of massive estates, lots of legacy systems, probably poor identity management and hygiene, and poor vulnerability management. And then what are the consequences of an attack and being taken offline?
And we see it also in manufacturing. The Watchtower report from 2023 suggests that manufacturing was actually targeted more than healthcare. But the same thing with manufacturing: downtime on the plant floor or the shop floor has a real bottom-line impact. So, I think that’s kind of the trend that I would continue to see. It’s really about when you lock them up, and the business is offline; that’s where the bad guys are taking advantage of the business owners and operators.
With regard to ransomware, defenses are improving. Detection is improving, mitigation is improving and recovery is improving. There’ve been some innovations in the recovery space with Rubrik and others. And I’m an advisor to Rubrik, so I’ll just flag that. But there have been immutable backups that are available rather than just tape or others that can get compromised. So I think we’re seeing maybe the higher end of the value of payouts has increased, but I think the number of payouts proportionately is probably decreasing on encryption.
Payouts are probably up on the data extortion side in part because of regulatory increases, but also just reputation, customer data, and things like that. And that’s something that I would really encourage policymakers like those at the White House to be thinking about when you really want to make a market intervention. You’re thinking about payment bans; look at what kind of payments we are talking about here. Are we talking about banning payments on encryption and decryption? Are we talking about payment bans on data extortion and data deletion? And just different factors and incentives in play and also different defenses that are available, and things that law enforcement and those in the military and cyber command can engage in.
VB: What about generative AI in the context of enabling more human insight? You’ve alluded to the fact of not being too caught up in technology but more focused on the human element. What do you see gen AI’s role in enabling better human-centric security?
Krebs: Gen AI, in general, I think, has been overhyped. And it’s not just me. I mean, there are plenty of reports now, and sales teams are saying, “Hey, let’s tamp down expectations here. We’re not quite what we thought we were going to be.” And then, when you look at, particularly from a cyber perspective, the adversarial use of gen AI is not matched up with some of the horror stories yet. I mean, the OpenAI Microsoft report from a couple of weeks ago talked about the three primary uses of gen AI by the bad guys right now: social engineering and writing better phishing emails. The second is research of targets and personnel. And then third is just automation of basic tasks. And what would we expect down the road? Malware development, but that’s going to be a ways off. Intelligent implants that are even further off. So, I mean, my sense of things right now is that defense is outpacing offense. We’re actually doing a pretty good job of using gen AI for the good guys, at least; we’ve got our own tech at SentinelOne with Purple A.I. and threat hunting. That should go into general availability in a few weeks.
I think that [AI] makes things a lot easier. So you don’t have to know how to write a YARA rule for threat hunting. You can ask a natural language question, say, “Hey, find me any evidence that I may have a sandworm compromise,” like that’s incredibly accessible. And then when the transformer says, “Hey, here are two other or three other related questions you might want to ask me to go look for”. And ultimately all of that’s going to get automated. So, to me, it’s really an advantage to the good guys because it takes some of the complexity and the truly technical barriers out of the way and makes it much, much more accessible to everyone.
){kind=link}