Cyber chief Chris Krebs: ‘You find out who your friends are’ (Financial Times Lunch series)
https://www.ft.com/content/975cd642-7202-46d4-b127-4811df0ee3c3
While the chaos is unlikely to subside in the immediate future — he is now suing the Trump campaign and others for defamation — at least the social stigma has begun to wear off. “It’s remarkable,” Krebs notes wryly. “You find out who your friends are . . . I had neighbours that hadn’t talked to me for a while because they found out I was in the Trump administration, and now they are.
“Considering the current situation, I’m OK with that,” he adds. “Just as long as you’re not torching my house.”
Krebs’s public departure from government may have secured him an enemy in the former president but it also made him a new friend — the renowned Washington chef, José Andrés, whose restaurant he has chosen for our lunch.
Andrés picked his own argument with Trump in 2016, responding to the former president’s anti-Mexican rhetoric by pulling out of a contract to open a restaurant in one of his hotels. And after Krebs was fired, the chef tweeted that he would always “have a seat and a table” at his places.
We are at Jaleo in central Washington to make good on Andrés’ promise. In deference to Krebs’s bond with the patron, I let him choose our tapas options. Krebs picks olives, Manchego and the salchichón Ibérico de bellota, cured slices of acorn-fed pork.
But despite the sputtering gas heater nearby and the marquee that surrounds us on three sides, I am in need of something a little more warming. (Indoor dining is banned when we meet.) At my prompting, Krebs agrees also to order prawns stuffed with garlic and a glass of albariño for each of us.
A life-long Republican, Krebs gave up a lucrative job as Microsoft’s head of cyber security policy to join the Trump administration. He says now he knew the decision could backfire, but he wanted to help set up the organisation he went on to lead, giving the US a dedicated cyber security agency for the first time.
The job was not just about combating cyber attacks: Krebs was also tasked with fighting back against online misinformation from foreign states. In the wake of the 2016 election, which was marred by allegations of Russian interference, there could hardly have been a more sensitive role in government. It was always one that carried the potential for conflict with the president.
“The flaws of this man [Trump] were obvious to everybody that was willing to pay attention,” he says. “[But] to do your job, you have to be able to compartmentalise. I was willing to do that.”
Krebs was not alone. Across Washington, Republicans like him swallowed their reservations about Trump and joined his administration, hoping to shape it from within, or simply do a good job and fly beneath the radar.
During three and a half years of service, Krebs oversaw the establishment of the Cybersecurity and Infrastructure Security Agency and helped plot strategies for how to identify and defeat cyber attackers. He also witnessed some of the more controversial policies his colleagues were implementing elsewhere in the Department for Homeland Security — from the border wall with Mexico to the family separation policy.
Did Krebs consider following the example of Rex Tillerson, the former secretary of state, or John Bolton, the former national security adviser, who were dismissed or quit their jobs and became some of Trump’s most trenchant external critics?
“Over time, it eats away at you,” he admits, stumbling slightly for the first time in our lunch. “It eats away at you, the other parts of the department that were doing stuff that just seemed so inhumane. I was never involved in any of those policy conversations,” he adds. “In fact, it would be, like, ‘Now we’re talking about the border wall’, and I’d go, ‘All right, I’m off’.” He says he told friends in the department: “I am never going to sit in your meetings, I don’t want to know anything about what you do.”
Cynics might say Krebs managed to get fired at just the right time: after completing his term in government but before the trauma of the final weeks, when a mob of Trump supporters attacked the US Capitol in an attempt to overturn the result of the election. That attack prompted a spate of resignations from high-profile members of the administration, including Krebs’ former boss, the acting homeland security secretary Chad Wolf. . .
Former US cyber chief calls for military to attack hackers
Chris Krebs urges government to take more aggressive approach to ransomware attacks
The former US government cyber security chief has called for the military to target organised criminal gangs of hackers who launch ransomware attacks on companies and governments.
Chris Krebs, the ex-head of the US Cybersecurity and Infrastructure Security Agency, told the Financial Times the country needed to be more aggressive in hitting back against hackers who hold organisations to ransom by encrypting their data systems and demanding a fee to unfreeze them.
He suggested military cyber attackers could try to deter gangs using ransomware by publishing their private details, a tactic known as doxing. “You’ve got to go after the bad guys, and I’m not just talking about law enforcement,” Krebs said in an interview with the FT.
He added: “You actually deploy title ten employees [civilians employed by the military], like Cyber Command, and you deploy intelligence capabilities. You direct message them, saying, ‘We know who you are, stop or we’re going to come after you, using information warfare.’ You dox them. There are things you can do.”
Krebs’s comments run counter to orthodox thinking in the cyber security establishment. Experts tend to warn companies against “hacking back” at ransomware attackers, given that it can be difficult to establish which adversary they are dealing with or their capabilities.
Ransomware attacks have become increasingly prevalent in recent years as criminals have taken advantage of the widespread use of cryptocurrencies such as bitcoin to collect payment without being tracked. The shift to remote working during the pandemic has left businesses more vulnerable to attacks.
The practice has become more common in part due to the development of the “ransomware-as-a-service” market, where sophisticated hackers rent out their expertise to criminals without the requisite coding skills needed to launch an attack.
The number of attacks increased by about 40 per cent in the first three quarters of 2020 compared with the same period of 2019, from 142m cases to 200m, according to data from SonicWall, a data security company.
Meanwhile, the average ransom payout more than doubled from $84,000 in the final quarter of 2019 to nearly $234,000 in the third quarter of 2020, according to an analysis by Atlas VPN, a virtual private network service.
As head of the CISA, Krebs was in charge of monitoring online threats from foreign countries. He was fired by then president Donald Trump just before it emerged that suspected Russian hackers had infiltrated the systems of several companies and US government departments in one of the most widespread attacks in recent years.
Krebs is now helping deal with the fallout from that attack as a consultant to SolarWinds, the technology company whose software was compromised. But he told the FT such large-scale state-backed hacks are now less of a threat than widespread ransomware attacks carried out by private criminals.
“You’ve got to start with what really matters the most and then you work out from there,” he said. “So from that perspective . . . ransomware is the biggest threat.”
In recent years, US state and municipal governments have increasingly come under ransomware attack. Atlanta has been targeted, while Baltimore was attacked twice in the space of two years. “States are buying cyber insurance,” Krebs said. “How crazy is that?”
He added: “We have to have a broader set of tools to stop this stuff, because it is systematically undermining the state and local governments’ ability to provide services.”
While Krebs said he wanted to see the US government take more aggressive action against ransomware attackers, he added that companies also needed to tighten up their cyber security practices, especially given so many employees are now working from home.
“[Working from home] is introducing vulnerabilities, exposures, it changes the risk surface,” he said. “Can you push [software] updates? Can you refresh [security] certificates? The issue of home dirty Wi-Fi is a problem . . . The Russians, in the past, have compromised home routers.”
He added that technology companies themselves could also help fix the problem by making their own networks and services more secure.
“A lot of this could be solved by tech companies enforcing certain policies at the enterprise level,” he said, specifically mentioning making people confirm their identity on more than one device before logging in. “Default multi-factor authentication would do a whole bunch of good.”
The Taxman Cometh for ID Theft Victims
The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.
One state’s experience offers a window into the potential scope of the problem. Hackers, identity thieves and overseas criminal rings stole over $11 billion in unemployment benefits from California last year, or roughly 10 percent of all such claims the state paid out in 2020, the state’s labor secretary told reporters this week. Another 17 percent of claims — nearly $20 billion more – are suspected fraud.