VentureBeat recently sat down (virtually) with Chris Krebs, former director of the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and most recently Chief Public Policy Officer at SentinelOne. He was a founding partner of Krebs Stamos Group, which was acquired by SentinelOne. Krebs is also co-chair of the Aspen Institute's US Cybersecurity Working Group.
In Part II of VentureBeat's virtual interview, Krebs highlights the need for corporations to strengthen the cyber and physical security of their infrastructure. He also shares his perspective on why supply chain attacks are increasing, with a specific focus on healthcare and manufacturing. Krebs also explains how generative AI must strengthen and improve human-centered security to make an impact.
The following is the second half of VentureBeat's interview with Chris Krebs:
VentureBeat: How would you approach national security strategies around cyber and physical security with a focus on infrastructure? The U.S. Intelligence Community's 2024 Annual Threat Assessment report, just released, mentions that Russia is especially good at attacking infrastructure.
Krebs: We have various customers that we work with in both control systems and hard manufacturing. So I help them think through the current threat landscape.
But I think one thing that we probably do a little bit better than others is look back at history. As you mentioned, Russia, so we're going to talk about Sandworm and the GRU, the military intelligence team. They have been very, very effective in recent years. They were the ones who caused the Ukrainian power grid to go down in 2015 and 2016. Andy Greenberg talks about it in his book Sandworm. And then they've done a few other things, NotPetya, and then there's some of that in the Middle East, and then even recently, where they've shown some really interesting capabilities with the Hitachi MicroSCADA events.
And what I keep seeing is this really interesting level of performance and refinement improvements. And so, especially with the last one, living off the land has really come a long way on control systems in SCADA. And then I ask myself: what year is it? It's 2023, 2024. Where were they in 2015, 2016? Where do we expect they will be in 2027? And that's something I urge a lot of my team to think about. Where do we expect they may go based on this arc? What is the arc of the possible here? Let's start working with our clients and customers to close as many attack surfaces and whole classes of potential vulnerabilities as possible. And I think that puts you in a different mindset. When SentinelOne recently unveiled our new brand at our launch, I was blown away by our motto, "Securing Tomorrow." Because when I was at CISA, our motto was: "Defend today, secure tomorrow."
And the whole concept here is this: look, you can address the crap we see day to day now all day long. You're always going to be fighting these things. But if you don't spend at least part of your day, your week, thinking about where the bad guys are going and where you want to be in two years, and then start planning and implementing that strategy, you're always going to be fighting today's things.
VentureBeat: How are the Chinese targeting infrastructure?
Krebs: It's interesting that the Chinese have made such a shift in their infrastructure targeting strategy. For more than a decade it was all about intellectual property theft and corporate espionage, almost to the point where the joke was that they moved on because they had stolen everything. There's nothing left to steal. But obviously it's completely different now. And it's a much more serious situation, as their pre-positioning throughout the US's critical infrastructure can be linked to its military plans. And President Xi is telling his military leadership that he wants not necessarily the decision but the capability to invade and take over Taiwan by 2027.
Part of it will obviously be positioning itself within the US's critical infrastructure in the INDOPACOM operating area. But what's most concerning about some reports of Volt Typhoon and other events is that they were discovered here on critical U.S. infrastructure, in an environment indirectly linked to military support. So it's not logistics, it's not the defense industrial base, it's not the US military. This is civilian critical infrastructure.
And that's about the why. And the why is kind of the TikTok element, right? There is an information security part and then an influence part. And that is just another manifestation of this broader strategy that it's not always about the technical attack. It's about the psychological manifestations of the physical attack. And the Russians do it quite well.
And the Chinese are beginning to adopt this strategy. And we need to do a little more again to secure the future, think about where the bad guys are going, and get out of our very technical, cyber-only thinking about technology and the risks. Frankly, the risks are probably much, much greater when it comes to the human impact of cyber-physical systems and attacks on cyber-physical systems.
Every manager now must ask themselves, "Okay, how could my systems be targeted by the Chinese invading Taiwan? How could I be drawn into this? Frankly, how could I be drawn in now to interfere with the US elections in 2024?" It's not just about voting systems. "Is there anything else that I own, that I manage, that could be targeted, that could have some impact?" And this again requires a really different way of thinking than in everyday life and takes many people out of their comfort zone.
But Change Healthcare is a great example here that I think fully appreciates the role it plays within the healthcare system and facilitates transfers between payers and physicians. You really need to go out and say, "Okay, if I were targeted and knocked out, what would the actual impact be on the bigger picture?" And I think we're a little too asleep at the wheel as we think about the next quarter and think about our performance.
VB: Do you agree that malicious actors are looking for weak supply chains where, for instance, lives and healthcare are at stake, in order to realize that they can extort excessive ransom demands?
Krebs: Especially in the healthcare sector, I don't think it's unreasonable to think about the fact that there is a lot of pressure on these organizations to pay.
I think it's probably more likely that through enough iterations and attacks they've figured out that healthcare is really vulnerable: a lot of outdated technology, no big investments, and that the organization is paying under duress when it's a matter of life and death. You can start with organizations that have the same profile: huge assets, a lot of legacy systems, likely poor identity management and hygiene, and poor vulnerability management. And what are the implications of an attack and going offline?
And we see it in manufacturing too. The 2023 WatchTower report suggests that manufacturing has actually been more targeted than healthcare. But the same applies to manufacturing: downtime on the factory or shop floor has a major impact on the bottom line. I think that's kind of the trend that I would continue to see. It's really about when you lock them up and the business is offline; this is where the bad guys take advantage of the business owners and operators.
When it comes to ransomware, defenses are improving. Detection improves, containment improves, and recovery improves. There has been some innovation in the recovery space with Rubrik and others. And I'm a consultant to Rubrik, so I'm just going to flag that. However, there are also immutable backups that aren't only available on tape or other backups that can be compromised. So I think we may even see the top of the payouts have increased, but I think the number of payouts relative to encryption is probably declining.
Payouts on the data extortion side have likely increased partly as a result of regulatory tightening, but also simply because of reputation, customer data and the like. And I would really recommend that policymakers like those in the White House think about when they actually need to intervene in the market. You are thinking about payment bans; take a look at what kind of payments we're talking about here. Are we talking about a ban on payments for encryption and decryption? Are we talking about payment bans for data extortion and data deletion? And there are just various factors and incentives at play, and also different defenses that are available and things that law enforcement and people in the military and Cyber Command can get involved in.
VB: What about generative AI in the context of enabling more human insights? You identified that one shouldn't focus too much on the technology but rather focus more on the human aspect. What role do you think generative AI will play in enabling better human-centered security?
Krebs: I think Gen AI in general has been overhyped. And it's not only me. I mean, there are a lot of reports now and sales teams are saying, "Hey, let's temper expectations here. We're not quite where we thought." And then when you look at it, especially from a cyber perspective, you can see that adversarial use of Gen AI cannot yet be reconciled with some of the horror stories. I mean, the OpenAI-Microsoft report from a few weeks ago was about the three main uses of Gen AI by the bad guys right now: social engineering and writing better phishing emails. The second is researching targets and personnel. And thirdly, it's simply about automating basic tasks. And what would we expect later? Malware development, but that is still a long way off. Smart implants that are even further away. I mean, I think the defense is outperforming the offense right now. At least for the good guys, we're doing a pretty good job of leveraging Gen AI. At SentinelOne we have our own technology with Purple AI and threat hunting. This should be generally available in a few weeks.
I think (AI) makes things a lot easier. So you don't have to know how to write a YARA rule for threat hunting. You can ask a question in natural language and say, "Hey, find me evidence that I might have a Sandworm compromise," so that's incredibly accessible. And then when the transformer says, "Hey, here are two or three other related questions that you might want me to look up," and ultimately it all becomes automated. So to me it's really a benefit to the good guys since it takes out some of the complexity and the really technical barriers and makes it much, much more accessible to everyone.