Risky Business - Wide World of Cyber: SentinelOne's Chris Krebs on Chinese cyber operations
Episode Date: December 13, 2024
In this edition of the Wide World of Cyber podcast Patrick Gray sits down with SentinelOne’s Chief Intelligence and Public Policy Officer Chris Krebs to talk all about... Chinese cyber operations. They look at the Salt Typhoon and Volt Typhoon campaigns, the last 20 years of Chinese operations, and the evolution of the cyber roles of China’s Ministry of State Security and People’s Liberation Army. It’s a very dense hour of conversation! This podcast was recorded in front of an audience at the Museum of Contemporary Art in Sydney. This episode is also available on YouTube.
Transcript
Hi everyone and welcome to another edition of the Wide World of Cyber podcast. My name is Patrick Gray.
Wide World of Cyber is a podcast series we do here at Risky Biz which is sponsored by SentinelOne.
So it's a partnership where I sit down usually with Chris Krebs and Alex Stamos, who both work for SentinelOne.
And, you know, we sit down about once a month and just talk about the big issues in cybersecurity.
In this one, though, we're only going to hear from Chris because he was actually in Australia last week.
I flew down to record this interview live in front of an audience in Sydney. And big thanks to the SentinelOne team in Australia for organising all of that.
It all went really, really well.
And all of the AV was handled as well, which made my life a lot easier.
And yeah, so I sat down with Chris Krebs, who, for those of you who don't know,
he was the first director of CISA, the Cybersecurity and Infrastructure Security Agency in the United States, and a tremendously smart guy. So I sat down with him for this live interview all about
Chinese cyber operations and where they are now and where they've come from. Now, it does start
off with a couple of minutes of a history lesson, which is where I'm going to drop you in. So,
you know, that's me just prattling on for a couple of minutes, but it's important context
for the conversation that comes afterwards. And I will note too, there's a couple of rough edits
in this podcast, and that's mostly because I had to stop every few minutes to cough,
because I'm still not a hundred percent after getting sick a couple of months ago.
But here it is, my interview with Chris Krebs, recorded live in Sydney, in front of an audience, talking all about China.
And as I said, it starts off with a brief recap of the last 20 years' history of Chinese cyber
operations. Enjoy.

I think we can start with a brief recap of the last 20 years, right, of the Chinese cyber threat, where, you
know, they didn't have all that much formal 20 years ago. They had a little, but not all that
much. Gradually, they were able to co-opt, you know, people like nationalist activists and whatnot,
and, you know, get them working for the state, sometimes directly, sometimes indirectly.
Gradually, things formalized. And then you had this
PLA driven effort to steal massive amounts of intellectual property, which kind of culminated
in the APT1 report from Mandiant, which was a tremendously important event. That led to
your then president, Barack Obama, raising that with the Chinese and saying, hey, you need to
knock this off. That actually appeared to hold for a short time. And then, of course, we saw the rise
of the MSS and the PLA kind of disappeared and we didn't hear much from them. And that's changed now
because we've got Volt Typhoon, which is the stuff that is really scaring the pants off the
policymakers that I speak to, more so than this
espionage collection on the Salt Typhoon stuff.
Ish, but yeah. I guess my point is we've watched China develop and formalize its cyber capability.
And these days they're running that sort of split role in cyber where you've got the MSS,
which is fulfilling that sort of traditional NSA role of doing the intelligence collection. And you've got the
PLA, which is now doing that more, that role, it's more cyber command, you know, but of course,
the way that they operate is still completely, even though the roles seem to mirror, the rules
don't, right? So I guess where's a good place to start? I guess a good place to start
might be to talk about the typhoons. And I know how much you hate using that terminology.
Well, I'll tell you what I find so interesting is that you just ran through about 20 years of
Chinese cyber operations history. And you're like, oh, wow,
that's been a lifetime for a bunch of folks in here.
But then when you really run out
offensive cyber operations out of our adversaries,
it doesn't extend much more beyond what you just laid out.
Even Russia, right?
Go back and read The Cuckoo's Egg.
1982, '83, '84, Cliff Stoll wrote
that, of course. It details a KGB operation, hacking into Lawrence Livermore and a bunch of
national labs and other sensitive networks in the US. So it really only goes 15 to 20 years beyond
what you just sketched out globally. The interesting thing, though, about The Cuckoo's Egg
is that there was a West German contractor that they were using to run the operations.
And so what we saw then is mirrored back to a lot of what we're seeing right now.
And I think that's one of the things that's so maybe confusing or mystifying about today's operations. And even when the initial Salt Typhoon activity happened with the U.S.
telecoms, it was a little interesting upfront because they're like, we don't know who this is.
It looks a little PLA ish, but the targeting is definitely MSS ish. And why is that? It's the
contractors. It's the proxies they're putting out in front. That's hosting the infrastructure.
That's providing a lot of the tooling.
Now, the button's getting pushed by the MSS and the PLA, but nonetheless, there's this
kind of overlay that's creating a little bit of mysteriousness over the top.
Yeah.
And it's interesting, because that goes back to the rules being different, even though
the roles are kind of broadly similar.
One of the most interesting things to happen recently on all of this was the I-Soon leaks, where we saw leaks from inside a, you know, contracting firm based in China that,
you know, served the government with tool development and operational support and whatnot.
But, you know, their internal chats leaked and everything from, hey, you know, the boss is drunk
and playing mahjong, get down here, you know, and take some money off him, right through to people
bitching about their pay packets and whatever. But it sort of showed us that that whole ecosystem
in China is yet to be formalized in the same sort of way that it is in the West, right? Like they
are cowboys in that industry there. Whereas here and in the United States and in other Five Eyes countries,
a lot of this tends to be taken quite seriously. It's a serious business. It doesn't seem to be
quite as serious. The internet is serious business. Yes, that's right.
But I think that's kind of probably reflective overall of corruption in general in China.
Rates quite low on corruption.
But is that corruption
or is it just sort of
weird management?
I think it's a little bit,
well, I think it's both.
But those two are related.
I think it's bad management
because it's in part corrupt.
I mean, there was some,
there was some of the recent research
that came out
about Western contractors
trying to dig up information on leadership in China.
And they go to companies like I-Soon and others and they pull it.
And then all the data...
It wasn't companies like I-Soon.
So what they did is they went to...
There's these underground data brokers in China
who bribe people who work for these contractors
or even who are working for the government.
They offer them like a month's salary per day,
use their credentials and then go and get data.
So these guys actually bought information on a bunch of APT operators in China indirectly
from corrupt people working at the same agencies.
But contractors as well.
I mean, they're just different points of access.
But again, it speaks to that larger challenge that they're having. And you and I have talked about this before, but particularly in authoritarian
states with rule by law setups, there's this kind of natural evolution of the contractors and
the actual government operators, the moonlighting piece. And I think that was one of your concerns,
almost working the other way, right, about
North Korea is like what happens when they actually get into ransomware rather than just
extracting value and what does that mean and where that threat is going.
And in the meantime, they've got a whole bunch of other stuff with the IT worker scam that
is fronting out of China as well.
So China seems to be the nexus of a lot of
really bad activity. Yeah. Yeah. I'm less worried about the IT worker stuff because I think the FBI
have found a point of vulnerability there, which is the people who are running laptop farms in
their basements for these people to proxy through. So they seem to be having some success knocking
that one on its head. But let's talk about the typhoons. As you point out, that naming convention from
Microsoft sort of conflates this activity into, oh, well, they're just the typhoons, right? Whereas
these are really distinct campaigns with completely different objectives. On one hand, we've got the
Salt Typhoon campaign, and I'm sure most people in this room are familiar with what that is, which is
a series of intrusions into basically all of the US telcos with the purpose of gathering all sorts of information. So one thing they're looking
at is they get into the CALEA wiretap systems to see what the tasking looks like, so they can see
who the FBI is surveilling, who the FBI is onto. They were looking at metadata to try to figure
out who's talking to the FBI. So there was that sort of counter surveillance, counter espionage bit.
They were targeting politicians
to intercept phone calls, text messages,
and also building out network graphs
of who's speaking to who.
Now, that is completely legitimate intelligence collection,
and to its credit, the United States hasn't really
objected to them doing that.
Yeah, it's the drill tweet, right?
Then we look at the Volt Typhoon stuff and this is the stuff which is more along the, you know, this is the PLA stuff.
This is military prep.
This is out of bounds.
And these two things seem to be getting conflated.
Do you think that's an issue, that, you know, perhaps even some policymakers don't quite understand that one of these things is, you know...
The Typhoon framing, like the Blizzard framing,
is not particularly helpful outside of, I think, this narrow subset of audiences. You know, they
kind of intuitively know what it is. They follow, they read the reporting. But beyond that, when you
take it out into the policy sphere, when you take it out into the general public sphere, it's not
helpful at all.
And in fact, the only person that helps as I see it is Microsoft because somebody goes to Google
or Bing or whatever, types in what is Salt Typhoon, it goes to a Microsoft landing page URL,
and they can research it. We've got to pull it back out and use plain language because this is
a very, very serious issue. This is not just a one-off hack. This is part,
whether it's the MSS hacking into the telcos in the U.S. or the PLA hacking into critical
infrastructure, both military and civilian, overseas or inside the U.S., this is an
overarching national campaign. This is part of President Xi's preparation that he has
directed his military and his security services to be prepared to invade Taiwan by 2027.
Dmitri Alperovitch has been on your pod before and talked about this at length. Whether he's
made the political decision or not to go in does not matter one bit. The posturing, the positioning, as tasked,
they're moving full steam ahead and they are in critical infrastructure throughout APJ.
Yeah, I would like to point out too that when we hear reports of Salt Typhoon and Volt Typhoon,
the United States is actually somewhat more transparent about this stuff than our government
is. Like in the case of Salt Typhoon, we have the names of some of these telcos that have been impacted. We do not have the names
of telcos that have been impacted here. That doesn't mean that they haven't been impacted.
They almost certainly have been targeted and some of them have almost certainly been successfully
compromised. Okay. So two things on that. One, I wouldn't over-rotate too much on that,
particularly in the US, because it's all of them.
It's all of them.
There was a White House call earlier today, or yesterday, or whatever.
And they're like, yeah, it's eight plus.
Well, and we heard recently, too, that the telcos that have been impacted are not having a tremendously good time evicting the attackers.
They can't get them out.
They are in there and they're not going anywhere.
They can't get them out.
They can't give you a timeline for when they will be able to get them out.
And they also, I don't think, will be able to tell us where they went, what they were
able to access.
And part of it, I think, is due to just internal competencies in a number of
these networks. And you may say, hey, there are eight plus telcos in the U.S. There's more than
that. They're the bigs, they're the national ones, but then there are a ton of regional and rural
telco providers that serve the further flung regions. As you've already said,
incident response is still ongoing. Yeah. And there are...
Attempted incident response.
You know, I mean, look, the hunt teams are, the IR teams and the hunt teams are everywhere. And those are both government and industry DFIR teams. They're very, very active right now.
But nonetheless, these guys are very difficult, both on the getting into the critical infrastructure,
as well as the MSS side, getting into networks.
I do find it interesting, by the way,
think back four years ago.
What were we doing four years ago?
What were we talking about four years ago?
Today, like virtually, like literally right now.
COVID-19?
No, SolarWinds.
Yeah.
So it's the Russian intelligence services then that everybody's like hair on fire about. And now we're hair on fire. So history might not repeat, but it sure as hell rhymes. And I am gravely concerned about what '25 looks like, because if you go back and look at U.S. presidential transitions over the last two cycles,
so Biden coming in and then Trump coming in in '17, what happened in '17?
You had WannaCry, NotPetya, Bad Rabbit, and then a bunch of other stuff.
And then in '21, we started off the year still dealing with SolarWinds.
We're still going to be dealing with this in '25.
And then you had Hafnium.
And then in the U.S., you had Colonial Pipeline. Then you had JBS.
Like '17 to '21 were super sporty. And I would not be surprised to see a really active '25.
I mean, only some of that was state directed though.
It doesn't matter. And that's the problem is even going back to 17, even going back to 21, the threat landscape, the number of actors, the players, their sophistication is off the charts.
And the question is, how much have we done from a defensive perspective?
And it's probably worth talking about, but from a defensive perspective, how much have we done to really push back and counter and prepare?
But I want to bring it back to that question around norms.
And I know it's like I was about to say, it's a word that makes people groan.
And he groaned, he literally groaned. Norms are for the good guys.
Yeah. So, I mean, we're in this situation where we think we've developed norms.
One of my colleagues, Tom Uren, he worked at ASD for a long time. He's been working with us for a few years.
You know, he says norms are just created by people to explain how they want things to be.
They don't actually set how things are. That's sort of his perspective on norms. But certainly
the PLA directed activity towards critical infrastructure, we would regard as being
outside norms. So what do we do? Our norms, exactly.
So what do we do in that situation?
And I want to bring up an interesting point
that was made by Elise Thomas,
who's ex-ASPI, does a lot of work in disinformation.
She posted on Bluesky,
well, what if Trump comes in and says,
oh, you know, China has been, you know,
someone says China's been stealing
a lot of our intellectual property
and he just says, okay, we'll do it to them.
Steal their battery tech. You know. And I found that a really interesting thought exercise as well, because you would normally dismiss that as well. No US president's
going to do that. But with Trump, you never quite know. I would imagine there would be just all
sorts of insane legal roadblocks to prevent the US government doing something like that. There's
no legal mechanism through which they could do something like that. But again, as a thought
exercise, it's an interesting thing. What if the United States decides to unburden itself
from the norms that it itself has tried to establish over 20 years? And should it do that?
Because honestly, I was thinking, why not? Go steal their battery tech. Let's go. All right. So I'm going to come back to this. So first off, norms are for the good guys, right?
Norms are for setting expectations for rule of law countries, particularly those that are emerging
and those that you want to keep on sides, that you don't want them to tip over into the rule by law authoritarian model that is unfortunately emerging, I think a little
too aggressively. And I think it's an opportunity, right? It's like, this is how we want the world
to go. But it's also, there's a lot of mirroring going on here. It's like, we see these other
countries and we want to bring them into this side of the fence. And we think that they view
intellectual property ownership the same as we do. I think the reality is, particularly for China,
but other countries, they don't see it the same way. There is no differentiation between
a civilian-owned infrastructure, privately-owned infrastructure, and government-owned. Everything is in part viewed as a tool of the
state. It's empowering the weapon, the war machine in the United States. And so that's why everything's
on the table. And there's a second element of this too, is just the entire information warfare
doctrine is based on two elements. I've talked about this before, but there's the technical element and the psychological element, and in their doctrine they will hit both,
and they will have a technical attack that cascades over into the psychological space.
And that's a lot, in my opinion and those I've talked to, that's a lot of what the PLA, the Volt Typhoon activity, not going into
the military critical infrastructure like Pearl Harbor and the bases in Guam and elsewhere and even
stuff here, but the activity, that second prong that's going after civilian critical infrastructure
in the U.S. like water systems, the grid, logistics and transportation.
The idea there, of course, is you hit it, you take it down, you keep it off for even just a couple of days. And the current assessments in the U.S. by the intelligence community
are that about the best we think our adversaries can do are regional impacts that are temporary. But temporary can only be three or four days. And it can only be
in a large metropolitan area like Atlanta, Washington, D.C., New York, or something like
that. And you still will have absolute societal chaos, absolute panic. I will tell you, the summer
of '21, Colonial, with people filling up their plastic-lined trays in their trucks with fuel.
Yeah, like trash bags, black contractor bags.
Yeah.
And that was only three to four days.
In fact, colonial.
But was that widespread or was that just a few, you know?
That was the eastern seaboard of the United States.
Yeah, but how many people were panicking versus oblivious?
You know, like to what degree was there?
So let me put it this way.
And I don't know if Florida is a good example,
but Florida is not served by colonial pipeline.
Florida is served by barges.
Gasoline comes into the state of Florida
by barges and ships. Still had, there was no local
tightness at all, there was no supply issue into Florida, and yet you still had people going, filling
up every, you know, jerry can they could, in bags, and yet the supply was fine. It created, subsequently,
local tightness because they were pulling gas out of the ground faster than they could get it back in.
That shows you, though, that we're all having some kind of mental issues these days, apparently.
But it shows you that the societal panic piece is potentially part of the strategy.
So we'll get back to the norms in a second.
But just continuing on this then, what does this get China in terms of a military edge
in a theoretical January 2028 invasion of Taiwan across the Taiwan Strait? What advantage is it to
them of having people in Kentucky unable to use a telephone and worried about getting gas for their
car? Sometimes you can't win for fighting, right? And that may be part of the analysis. And that's not exactly how Sun Tzu put it. But nonetheless, right, they've run the analysis. They want to undercut the ability of the U.S. to come to the support of Taiwan, the defense of Taiwan. population centers and clusters in the United States. You can take down critical infrastructure. You can cause panic where political leadership is not as much worried about prosecuting a war
over there that people in, would you say Kentucky, don't care about. They're not going to care about
Taiwan. They're not. They're going to care about what's happening in their community, in their
backyard. The political leadership, the U.S. Congress, everyone is going to be focused on getting the lights back up. And the thing that I think we gloss over a little bit
in all these discussions, either because we don't want to go there or it's not polite,
but death, loss of life. There will be loss of life if they pull the trigger and execute these disruption and destruction attacks against critical infrastructure in the United States.
People will die. The most obvious example is loss of power and other critical services to hospitals.
Mortality rates already spike due to ransomware attacks. We know that. We have that.
We don't talk about it enough.
For one reason, that's maybe another pod, but we don't talk about these things, but it happens.
There will also be other direct consequences outside of public health that will result in
loss of life. And that is, I think, the bridge that gets crossed in an MSS or a PLA attack on civilian infrastructure that really
sets off political leadership. We have to fix this. We have to fix this now. We can't worry
about what's going on over there. And look, I've talked to plenty of U.S. elected officials.
Nobody really wants to get involved in this.
The early estimates of war games are 20,000 plus service members dead in the first two
weeks.
No one wants that.
I would have thought actually that widespread cyber attacks targeting critical infrastructure
would make it more likely for the US to get involved, not less.
I just wonder if the CCP is doing the numbers right.
Yeah, I don't know.
But look, let's bring it back to the norms thing, right? Because here we have this campaign that is
alarming and weird, right? What can you do in response to that? It's not like you can really
do the same thing to them. You can't just target a bunch of civilian infrastructure.
Yeah. So what can the West,
we'll just talk about the West as the Five Eyes Alliance, right? Because you're from a Five Eyes
country, we're from a Five Eyes country. What can we do in response to this? We're all friends here.
We are all friends. So there are some things I don't think you can do much about, and that's
the telco hacks by the MSS, the Salt Typhoon. That is, as you said, that is just good, clean.
That's in the game.
It's like OPM when even people I knew in the community were like, you got it.
You got it.
You got to add it to it.
You know, nice.
Yeah.
We do the same with them.
You know, they got us good. And that's the sort of stuff that I think is in the realm of, okay, that's not cyber
offense in peacetime.
That is, again, that's espionage.
And it's important to distinguish that, particularly when we're doing media.
This is not an attack.
This is a whatever you want to call it, a compromise, whatever.
Well, and the guidance from the US government since has been, hey, use over the top services. Let's go with Signal. Let's go with this. Let's go with that.
And I think it's going to make things like RCS, which is an encrypted protocol for text messages
more popular and whatever. And that's the right response, which is we're not going to stop this.
We're not going to launch a diplomatic protest over this, but here's some behaviors that we
can change to make these types of attacks less relevant. Yeah. And right. And the real question is for the average consumer, how much of the
content is the concern? Because it's a lot, right? And yeah, you do blue bubbles on your iPhone or
you use WhatsApp or whatever. Green bubbles. And you'll be okay. Unclean. Unclean. Yeah.
But there is the metadata piece.
And as you've already pointed out, you throw a bunch of data sets together, you run analysis over the top, and you get really interesting patterns of life that illuminate a lot that they're looking for in terms of deep cover spies, who's talking to their people.
Fox hunting, which is a big issue that we'll probably hear a lot about again that we haven't heard about in years. So fox hunting is when the Chinese send over police to go hunt dissidents that have fled
China and then they bring them back. And that's something that happens here. That's something
that happens in the U.S. and it's a real problem. I mean, you've heard about these police stations
that have popped up in all the different cities in the U.S. and elsewhere that are not official
and they don't have diplomatic appropriate certification endorsement. That's another
thing I think we're going to hear a lot about in the next administration. So what do you do about
the PLA activity? And that's another one. What about this and what has in the past been
deterrable or successful or effective in terms of deterrence?
Indictment sanctions. Have they been effective?
No, that's what I'm saying, is like I don't, I don't know if they have, because odds are...
I mean, look, when you look at Russia and you look at the cyber criminals, for the most part, they're not bouncing around.
Indictments work for the Com types and the Scattered Spider types that are
operating out of Canada, the U.S., the U.K., but does it work if you're in a state that's already
recalcitrant and you're not moving around and you're not going to places that have
extradition with the U.S.? So here, I don't know if that's the answer.
Well, it's not. I mean, and there is no clear answer, which is why I'm asking you about it.
Yeah. Well, you know, maybe you've got one. Come on. Hit us with some ideas.
Well, so what I think we're going to see and and again, people have asked me a lot about what do I think is going to happen next year with the incoming Trump administration?
And, you know, let's just cabinet down on cyber right now.
First off, I don't know, right?
I mean, I talk to people, but I'm not in the short list
of candidates for any of the jobs,
but I still kind of, I have experience, right?
So I think the way I look at it is the floor
of what they will do, and again, just talking about cyber,
is what they did in what we did in the last
administration. So it's more aggressive cyber operations. It was, yes, standing up CISA.
And there were other things, of course. And then the ceiling is likely what is in the intelligence
community, Department of Defense and Homeland Security chapters or sections of the Project 2025
report.
And they're very clear.
I mean, in fact, I'd say the intelligence community section of Project 2025 is actually pretty well written.
I mean, this is something that we've discussed offline, which is that the tone and quality
of what's in that document is somewhat uneven.
Yeah.
Well, I mean, look, it was not written with one voice. Let's
just put it that way. Right. And that's what happens, I think, when you get policy documents
where the planks are written by different people. And look, you just kind of have to wade through
that. But in the intel piece, they do talk about strengthening offensive cyber operations. And one
of the first things they would do is go back to National Security
Presidential Memorandum 13,
which was written at the end of the Obama administration,
then updated in the,
the Trump administration.
And that got wound back a bit,
wasn't it?
It got scaled back.
Yes.
As I understand it,
public reporting.
The state department was a little bit unhappy.
So here's the thing.
Why don't we explain NSPM 13?
So it's the Offensive Cyber Operations Doctrine.
It's a classified document, so I can't talk about the bits and pieces and the nuts and bolts of it.
But really, and to your point about norms, one of the continuous tensions is when you think about cyber operations,
it's not like you press a button and a server blows up in Tehran or,
you know, something at the outskirts of Moscow goes boom, right?
The way that we know these guys operate and we saw it in the 2016,
you know, messing around in the U.S. election, is they use third party infrastructure, you know, bulletproof hosting providers that they'll use servers and operational relays in other countries that tend to be friendly to us, like Europe and probably even here. So the idea is if Cyber Command is going to go conduct an operation to degrade command and
control infrastructure of the Russians or the Chinese or others, what do you do when that
server or that kit is sitting in Germany? Do you call Germany and say, hey, we're going to go
destroy this? Or do you just do it and then you ask for forgiveness later?
Or do you just not do anything?
And that was the core of sort of Trump's changes to NSPM 13, which was to unshackle, you know, Cyber Command.
Yeah.
Let them go and do the thing instead of, you know, being tied up.
That was one of them on the NSPM side. But the other hallmark of Trump offensive cyber operations in the last time around was this concept of persistent engagement.
Right. Defend forward. Get out there. Move. Move the line out from the shores.
And so that's where you saw cyber command teams, national cyber mission force teams deploying into Europe, into Ukraine,
for instance, getting on network of critical infrastructure and government agencies.
Happening here and not in Australia necessarily, but in the region, same sort of thing deploying
into places like Taiwan or whatever to give support. And that's good for a couple different
reasons, right? One, it helps defend those networks. It helps improve the resilience. It also gives us really exquisite insight into what the adversary is doing, what they're probing,
what they're testing, what they're prioritizing before they come hit U.S. networks. And in
preparation of the 2020 election, there were teams that were deployed out that were helping defend
elections in Europe. And we could see what the Russians
were going after. They were going after election voting rolls, so registrations, as well as some of
the reporting, how you report out what the results are. And so we were able to take that knowledge
from Cyber Command, come back to the U.S., talk to our election officials and say, hey, if you've got
one last dollar to spend, you want to put it on these systems or at least those that provide that service and
harden them because that's what we know the bad guys are going after.
So it's really useful.
But the bigger point here is, you know, if the contractor is operating out of Beijing
that's providing support to the PLA or the MSS rather than elsewhere, it's probably an
easier target to go after to degrade those
capabilities and that infrastructure. Um, if it's operating elsewhere, Philippines, somewhere else, I
don't know, um, you know, how are we going to play those rules? I suspect that we are going to be
a lot more kind of Leroy Jenkins-ish on this stuff. Leroy Jenkins.
And, you know, part of it is, are we done playing nice?
Yeah, no, I'm with you.
I mean, I was wondering where you were going with that and why we were talking about NSPM 13 in the context of what do we do
about some of this, you know, PLA-based activity.
And, you know, taking the gloves off a little seems pretty sensible.
There's a second part of this, though. But, I mean, even then, even when you're talking about taking the gloves off, right? If you were to sit down with some PLA general and say, this is us
taking the gloves off. What, going after our C2s in third countries is gloves off? Yeah. Like it's
pretty timid. Even that is pretty timid, but it does give you a better shot at degrading some of the adversary's ability to
attack, right? And what do we hear, the word they love? Friction. Yeah, it adds a bit of friction, you
know. Yeah, and look, I mean, there are pluses and minuses on this type of activity. What's the minus?
The minus is you lose visibility. You go burn down their C2 and it's gone. They have to rebuild it. You
might not see where they rebuild it until a year later. You're like,
oh damn, they're in our telcos again. How'd that happen? Yeah. It's stuff like that. It's like the
jump scare. Um, the pluses of, of course are the, it, it, it makes them spend time on reconstitution.
Yeah. It makes them spend time on building up new things rather than actually launching
the attack. That's all good.
It is disruptive.
I mean, if you've got all of those beautiful shells and all of that beautiful malware out
there, you know, it's cumulative.
If you treat it like mowing a lawn, you know, you're going to prevent that situation where
just there is as much compromised at any one given point in time.
So, yes.
And so this is, I'm glad you kind of put it that way, because as I think
about the missing piece right now, it's not so much, I think, the offensive pressure on the adversary.
And this is kind of the message that I bring when I go talk to boards, is, hey guys, um,
government's not gonna save you. In fact, you keep clamoring for more intelligence and more classified information.
It ain't there.
They are sharing in the U.S. here.
I've talked to your security leadership.
They're sharing.
If there's something that's actionable, they get it out.
Post haste.
It's out there. Now, maybe some of the strategic intelligence isn't getting shared with with great speed or frequency.
But that that's not going to change any decision making for most security leadership or even business leadership. So this is where I get to the point about, you know,
historically in the kinetic space, the private sector didn't have to worry too much about war,
right? I mean, Australia and the U.S. have a lot of similarities in terms of our geographic
isolation. We have big old oceans around us that deter or at least limit the ability of our
adversaries like China or Russia to reach out
and touch us. Anyone wants to get to you, they've got to go through Canada first.
The 51st state, apparently. Yeah. Watch out for those Canadians.
Or maybe 51st and 52nd. But look, I mean, those things have been historically beneficial to both
of us. But now with everything being connected, then the democratization of the
internet has collapsed the geographic distances between us, allowed somebody on the other side
of the world just reach out and touch it and go, bing. And that's where I think corporate leaders
have to evolve what we have known for a long time, that this is the new battlefield,
that this is where the first
indicators and warning of conflict are going to pop up. It's on the systems that you guys manage
on a regular basis. The business leaders have to recognize that, that they have a social and
corporate responsibility to invest, to provide the support and resources needed, but also realize
that there's got to be some baseline where corporate has to pick up the slack
because the government's already doing all this other stuff that is way beyond the remit.
Sure. I mean, there should be a baseline, right? There should be a baseline.
I mean, you don't leave your front door open, right? There's an environmental level of crime.
There's an environmental level of bad activity.
And it happens in the real world, meat space, but it also happens here.
And I think that's what the conversation has to continue to drive.
And that goes back to my point about stop talking about typhoons.
Plain language. War, they're preparing. Again,
I don't know. And I don't know if, I mean, Dimitri has his opinions. Um, and, and, you know, he's,
he tells a compelling story. His book does a good job. I think laying out the case. Um, I don't,
I don't know from an, I can't wrap my brain around the economic side of this all, of why Xi would, you know, hit the green button and go.
It's not economics.
No, no, that's my point.
Yeah.
That's a consideration.
There are a bunch of other political legacy and others that would override and overshadow the economic piece, but it doesn't matter.
It doesn't matter if he says go or not.
It's an option that is real.
We can't just sit here and go,
ah, he's never going to do it.
Oh, 100%.
You have to prepare.
We don't know what the impact of this campaign would be.
I mean, we were expecting, you know,
when Russia invaded Ukraine,
we were expecting a level of cyber war
that was going to be crippling that never quite
materialized. Now there's- Oh, man.
Well, okay. So- Well, all I'm saying is that that's a third rail issue back on the old Twitter
days. There are plenty of people that would say, no, no, no, it was critical. It was an absolute
strategic enabler for the Russian forces. And you and I agree here that it was probably more tactical. It certainly wasn't strategic. It didn't change
the outcome. It did not. And I think someone, I can't remember who it was, so forgive me.
They posted on social media recently. I retweeted. I think it was Wiley Newmark
tweeted that anything outside of espionage in cyber is basically a sideshow. And I think
there's a compelling argument that
that's true, but we don't know yet because we haven't seen what it looks like when a country
like China pulls the trigger on something like this. And one of the differences between China
and Russia is that China has figured out how to do operations at scale. Russia hasn't.
I think that's right. And the other, and the other thing is, I said this yesterday in Brisbane. And so I'm sitting there at, at QUT and I'm looking out, we're on, you know, the 20th floor or something. Nonetheless, there are all these glass buildings.
And it kind of highlights my point.
I was like, we have some pretty glassy houses.
We are so dependent upon digital infrastructure
that may not exist in other theaters of conflict to date.
And so when the light goes red,
you're going to see manifestations, I think, at a scale we haven't seen before. And that's your point. China has scale. They've scaled operations.
This is like Chris Wray, director of the FBI, talks about the 500,000 plus cyber operators that
China has amassed across the various services.
If only there was some recent example of, say, a whole bunch of computers getting bricked
at once.
I think we did a podcast on that.
Look, I don't know if I'm in... Well, I mean, look, I think as a-
Was it chaos reigning?
All of our digital infrastructure ruined?
I mean, China would be hard pressed to do anything that impact, I would think.
But that kind of hits my point, right, about the ability to impact. That was global. So not just regional. That was a global. But it was also, it was temporary. But it was highly disruptive.
It was, but for most people, it was a curiosity. Like, oh, computers are down, huh? Wow, blue screens on my supermarket checkout. Oh, no, no, no, no, no. Well,
that's how it was here. I don't know, man. All right. Well, look, I mean, I'll, well,
the U.S. Americans filling up their bags with the gas again. Maybe you're, you're, uh,
I mean, we're a laid back people. What can I say? Maybe your, maybe your, uh, airlines were not as
affected because they were using a different EDR vendor. I don't know. Um, you got, you got, was it, you got stuck at the airport?
No, I did not. It was funny. I was in Vancouver, uh, Canada, um, for, for an event, and it happened
Thursday night right before midnight, and my phone's on Pacific time. My phone's blowing up,
and I'm just like, oh my God, I want to go to bed. Now I got to deal with this. And then I got up and we were flying back on Friday the 19th and
no issues because the airline I flew did not use that EDR vendor.
Hey look I just want to go back to talking about one thing one aspect of
the whole China conversation that's really dropped off now I mentioned
earlier the APT1 report yeah stick your hand up if you know what that report is.
I'm guessing, see, this is the thing.
Lost to the sounds of time.
11 years ago is a long time, man.
So this was a report put out by Mandiant that directly attributed Chinese IP theft to a
unit 61398 of the PLA.
Yeah.
And they had pictures of the building.
They had pictures of the operators.
I mean, this was the first time anyone had done anything like this and it was absolutely a
sensation. Dropped it at RSA 2013. Yep. So APT1. And I mean, it was even the details on the amount
of connectivity running into that building and the utilization of those links. It was awesome.
It was amazing. Like the amount of IP that was just getting hoovered up.
And this was industrial stuff, right?
This wasn't even IP that was related to national defense.
Where I think IP theft relating to defense related technologies, again, is justifiable.
If I'm China, I want to know about the latest stealth coatings.
I want to know about various electronic warfare systems that are
being developed by the military industrial complex in the United States. They've put their entire
shopping list. Here's the beauty of- Well, hang on, hang on. There's a question coming, right?
So the question is, has that industrial espionage side of the IP theft, you don't hear about it as
much anymore. Chinese operators stealing things like wind
turbine designs and stuff that doesn't have national security uses. So we don't hear about
that as much anymore. We do hear about IP being misappropriated in a lot of these joint ventures
where Western companies are going into China and then their IP gets transferred through these, through these, you know, partnerships.
But we don't hear much about that type of IP theft anymore. What, do you have any sense of what's happened to the volume there and the priorities? So volume's hard to, I don't know
if I, if I can speak to the volume necessarily, but you make an interesting point about kind of
the dilution, at least, because they have other techniques. And there was a,
this was like 2018. I'm at, this is right before CISA. I'm still just, I'm DHS. And I go up to the
NSA and there's this group, the Emerging Security Framework and Enduring Security Framework. Sorry.
It's a DHS, NSA and industry collaboration on identifying really thorny problems and working together.
So BIOS back in the day was was probably the biggest success story.
But there was an FBI briefer that came up and threw this hub and spoke model up that had 12, 13 or whatever different spokes on the wheel.
And each wheel was or each spoke was labeled and one of them was cyber
the other is M&A, the other is, uh, uh, non-traditional collection, and like it just
kept going around. And it was, it was, at the, it was classified at the time, and it kind of, I
started thinking about it as either the wheel of death or the wheel of doom, and it's just the
cheery... Yeah, no, it's lovely. And, and the first thing I said is like, why is this classified? We have to get this out,
for counterintelligence purposes, out to our corporate leaders. And the FBI subsequently
declassified it and it's open source and they've got it all over the place, specifically when
they talk about China counterintelligence. But they've, you know, they've got this multi-pronged approach.
And it's even going out and recruiting those that have family ties back to China.
And they say, hey, I got your grandma here.
You should bring that intellectual property back or she's going to her education camp.
These things happen.
But has the shopping list changed?
So, again, OK, so this is kind of where I was going earlier, is that the beauty of China is that
they're not shy. They tell you. Yeah, in their five-year, 30-year, whatever plans.
What they want and how they're doing it. And this is why we, not why we have some Chinese experts
and specialists like Dakota Cary, who works
closely with, I think, an Australian national treasure, Alex Joske. But they read constantly.
Everything's out there. And so when you look at things like it's dated now, but the industrial
policy gives them that targeting list. And the classic Made in China 2025 plan, which I'm like, ooh, that's next year, gives you the 10 priority sectors that they want to go after.
And yeah, they still use cyber collection to go get intellectual property in advanced materials, AI.
I mean, they're banging all over.
It's all stuff that has national defense purposes as well.
So AI for national defense, exotic materials for military hardware.
It's all dual use.
Yeah, yeah, yeah, for sure.
But it seemed like previously they were just going after anything that wasn't nailed down, right?
So I still think they are.
All right.
So this is an interesting point, right?
It used to be that China was viewed as just the steal everything group,
just the Hoover vacuum that's- APT1 era.
Is Dyson Australian? No, British.
All right. So just go get everything, steal everything.
You just offended so many British people with that, but anyway.
Sure. So anyway, now it is much more targeted, but the most worrisome aspect about it is the disruptive and destructive nature of the broader set of activities.
Not necessarily the MSS stuff, but that the overarching campaign has evolved beyond just stealing everything.
Now it's about prepositioning.
And, you know, I've said it before, but it's like the arc of offensive cyber inevitably bends towards
disruption and destruction.
And I think that's what we're seeing now, at least the last-
Well, we've even seen their collection operations get very destructive, right?
So there was the Barracuda example where they were in a whole bunch of Barracuda email gateways.
Yeah.
And then when it was announced that that campaign was detected, instead of packing up and going home, they burrowed in deeply and wound up essentially bricking a lot of these devices.
Yeah.
Which isn't, again, but that's norms.
It's like, no, we're going to dig in.
We're going to keep this access.
It's like, you don't do that.
Come on.
Yeah, but some of that is also reminiscent of the GRU, too.
It's like, whoops.
Didn't mean for that to happen.
Didn't mean to jump the guardrails there,
but it's also not necessarily net new.
It's just a point of emphasis now.
It is a main priority.
They've elevated it.
Because in 2013,
we had the Chinese come into
natural gas companies,
the pipelines and compressor stations,
steal network schematics and then
pull a Kaiser Soze, and they're just gone. They never saw him again. I was like, what the hell was
that? What were they doing there? And now it's like, oh, got it. All right, so those pipelines
lead to power generation, so it's baseload generation feeders, and you kind of walk it out and you're like, oh,
all right. So they're trying to disrupt the power grid or they're trying to disrupt the energy
systems in the US. And they've been working it now for a decade plus. Now it's just a targeting
priority for them. We are out of time and we've got a Q&A to get through. So Chris Krebs, thank
you so much for joining me for this conversation. Fascinating stuff as always.
Pat, it's been real.
It's good to be here in person.