The Journal. - Former Election Security Head on America’s Biggest Threats
Episode Date: October 29, 2024
During the Trump administration, Chris Krebs was the top cybersecurity official at the Department of Homeland Security. He spoke with WSJ’s Rolfe Winkler at WSJ Tech Live about the upcoming U.S. election and growing cyber threats from foreign governments.
Further Listening:
- The Chinese Hackers Spying on U.S. Internet Traffic
- Red, White and Who? Playlist
Further Reading:
- China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack
- U.S. Wiretap Systems Targeted in China-Linked Hack
Transcript
During the last presidential election, Chris Krebs was the head of election cybersecurity
for the Department of Homeland Security.
His job was to basically watch over the nation's voting systems, make sure they weren't hacked,
and that foreign nations or bad actors didn't try to break in and change the outcome.
After the 2020 results came in, showing Joe Biden had defeated President Donald Trump,
Krebs and other cybersecurity officials released a statement saying that the 2020 election
was, quote, the most secure in American history, and that, quote, there is no evidence that
any voting system deleted or lost votes, changed votes, or was in any way compromised.
Trump disagreed with that assessment.
He claimed, without evidence, that the election was rigged and stolen from him.
So after Krebs put out that statement…
Breaking news out of the White House.
President Trump has just fired Christopher Krebs.
He's the director of the Federal Election
Security Agency that repeatedly vouched for the accuracy of the 2020 election. It called the
election the most secure ever and directly contradicted the president's false claims of voter fraud.
President Trump fired Krebs via tweet. Krebs responded on Twitter, writing, quote,
honor to serve, we did it right,
defend today, secure tomorrow.
And yes, I misspelled tomorrow.
Last week, our colleague Rolfe Winkler interviewed Krebs
at the Wall Street Journal's Tech Live Conference.
Rolfe had Krebs's tweet posted on the screen behind him.
Speaking of- Thanks for that.
That was fun.
Speaking of tomorrow,
did you go into work the next day?
I did, because I had five computers at home.
It was the middle of COVID,
so there was about half the time working from home,
the other half in the office.
Probably had three iPads, six phones,
had to return all that stuff.
So I get into the office and my HR head calls and says,
hey, so your separation papers,
they left the reason for separation blank.
So you get to fill that in?
So like, do you wanna say you resigned
or that you were fired?
Mike, are you serious?
88 million people just saw that I was fired.
After getting fired, Krebs went back into the private sector.
Now, he's the director of a cybersecurity firm called SentinelOne.
And in this job, he's continued to have a front row seat to election security and the
rise of new threats from foreign adversaries.
And he says what he sees from Chinese hacking groups is getting more and more serious.
So my view right now is that if it were not for the US election and all the attention
around the political outcome, but also some of the interference that we're seeing from
the Iranians, from the Russians, from the Chinese, if it were not for that, we would
be wall to wall coverage of the escalation and the tension emanating from China.
Welcome to The Journal, our show about money, business, and power.
I'm Ryan Knutson.
It's Tuesday, October 29th.
Coming up on the show, cybersecurity expert Chris Krebs on the security
Here's our colleague Rolfe Winkler on stage with Chris Krebs last week at the Wall Street Journal's Tech Live conference in California.
I want to turn to the present election.
What worries you about the election in two weeks?
Yeah, so I was watching CBS morning show this morning and Jen Easterly, my successor, was
on and it was like an out of body experience.
Because she's saying the exact same things
I was saying four years ago.
The threats have not changed, right?
So, and I could even go back to 2016
and tell you that the threats have not changed.
So when you look at what the Russians did,
it was primarily three things.
One is they were looking into election equipment.
The second is they were hacking political campaigns
and leaking documentation.
And the third is they were launching a much broader information operation to destabilize
public trust.
So on the first thread of going after election systems, we have seen the Russians, we've
seen the Iranians make efforts to look into different counties and states across the US
to get into those systems.
But they are much more secure than they've ever been.
A lot of paper.
Well, so what he's talking about is votes cast
in the United States.
At this point, for the 24 election,
98% of votes cast will have a paper record
associated with it.
What's that good for?
Auditing. Auditing.
You can go back and count, you can count again.
In 2016, that was fewer than 80%.
So one of the big initiatives that we had
after the 2016 election was to eliminate
some of those touchscreen systems
that came into vogue after what?
The 2000 election, when they got rid of the,
due to the hanging chads,
they got rid of the pull arm system.
So we went to more digitized systems,
but not necessarily as many with that side car
that would spit out a ballot.
So there aren't as many systems
that they can hack into and change votes.
Well, yeah, so first off,
the systems that you touch to vote
are not connected to the internet.
To get access to one of these systems, you need some time to spend with it to crack it
open.
And they are under lock and key.
They are supervised throughout.
But the most important thing is they are tested before, they are tested during, and they are
tested after the election.
It's called logic and accuracy testing, and they pull them out and they test them throughout.
But again, the most important part is there is a ballot
associated with your vote.
Okay, so if this we don't have to worry about,
what do we have to worry about?
All right, so the biggest issue right now we're seeing
is this full-fledged assault
throughout the information ecosystem.
It's social media, it's traditional media.
We're seeing the Russians try to buy
and influence influencers, popular podcasters, $10 million.
And they don't know what's happening necessarily. They don't know who's writing the checks.
They're witting or unwitting. Yeah. But ultimately, they're being propped up as agents of influence
on behalf of the Russian government. I think the issue is that more than anything, social media, the incentive dynamics or the
incentive structures in social media have changed to such a degree where there are no
consequences.
It's all about engagement.
On X, you can get paid for views.
In some of the podcast culture, same thing. It's all about getting as many people onto
the platform. How do you do that?
If Harris wins this election, there's maybe a good chance that
it'll be disputed. Do you think that will happen? And how should the country respond?
Look, I think
there are legal challenges that are already in flight to, for instance, challenge military voters,
overseas voters, the UOCAVA process.
I think that is probably setting up as a pretext for challenges.
I'll say this, though.
I think that the process itself, the certification of votes,
January 6th through inauguration, I think those guardrails will
hold.
I do. But they held in 2020 and we're where we are today and 70 plus percent of Republicans think
the election was stolen. So it's not necessarily about the technical administration of the process,
it's about the narrative and the myth building that happens around it and the conspiracy theories.
They run deep and they're very, very
difficult to counter and debunk. And in some cases a lot of the stuff that I'm seeing today,
when I talk to election officials, they're not even thinking about engaging
those that are true believers.
They see them as lost and gone.
Yeah.
It's those that are on the fence
and could be tipping into the fever swamps.
How do you engage those folks
and get them accurate information
on what's really happening in election administration?
Who are you gonna vote for in this election?
Ha ha ha ha.
That is a heck of a question.
I mean, I think it's pretty clear based on my Twitter history and my personnel record,
you know, where I stand on this one.
You're a lifelong Republican.
Yeah, look, I served in the Bush administration.
I was there in the early days of the Department of Homeland Security.
I came in in support of, you know, not necessarily the Republican Party, but public service in
the Constitution in 2017.
I think I played that through all the way up through the election in 2020.
But at this point, I'm voting Harris.
Coming up, Chris Krebs on the rise of AI.
Now you are at a cybersecurity firm, SentinelOne.
Yep.
And the thing that keeps you up at night is the attacks that have come out of China.
Yeah.
The typhoons that are washing ashore.
Yep.
That's what we're calling them.
Salt Typhoon, Volt Typhoon, Flax Typhoon.
Crimson, gingham, and keep going.
Oh, I didn't know about those.
Typhoon.
That's the name given to hacking groups
connected to the Chinese government.
These groups, like Salt Typhoon and Volt Typhoon, are embedding themselves in America's critical
infrastructure and broadband networks.
A spokesman at the Chinese embassy in Washington has denied that Beijing is responsible for
the alleged breaches.
Give us the highlights and tell us which are the ones we need to be most worried about
and why.
So in the last several years, there has been a marked shift in the aggressiveness of China,
not just in cybersecurity, but in general military buildup and preparedness. In fact,
the CIA director, Bill Burns, has said that based on their analysis, that President Xi has directed
his military to be ready for a takeover of Taiwan by 2027. Now, the political decision to invade or not to invade has
not necessarily been made, but the preparedness, the readiness for that invasion 2027, that has
been issued. Therefore, the U.S. National Security Establishment, so this was General Milley
previously, now the current leadership, the director of the FBI, Chris Wray, the director
of national intelligence has called China the pacing threat. They're the ones by which we measure
our capabilities. And unfortunately, at this point, in cyber, at least they're outstripping us.
600,000 cyber offensive operators. That's more than the US and our allies,
so the UK, France, Germany, Australia, Canada,
and the Five Eyes community,
that's more than all of those countries combined.
It is a significant risk.
When you say 600,000 operators,
you mean 100,000? Hands on keyboards.
Okay. Yeah.
I mean, I'm talking hands on keyboards,
that many between the Ministry of State Security,
the People's Liberation
Army.
I mean, it is a significant threat.
So what are they doing?
They're reaching into US companies and Western companies, taking intellectual property and
know-how and bringing it back, sharing it with national champions, operationalizing,
subsequently supplanting companies in the market.
But it feels like we've moved past just corporate espionage.
So they are firstly, they are absolutely still in the steal everything phase.
Okay.
So they're coming in, they're taking everything from health records to financial data, throwing
it into a big data ocean, and then running tools, including some AI capabilities over
the top to look for correlations, patterns of life, to expose intelligence operatives
and things like that.
But the most concerning thing is that they've also directed their military to start pre-positioning
in critical infrastructure.
So they're getting into telecommunications firms, they're getting into our military support and logistics outposts in Guam and Okinawa
and Diego Garcia and Honolulu and Australia on the west coast here, ports of LA and Long
Beach.
They want to be able to disrupt our ability to project force in support of Taiwan should
they make that move.
So that in and of itself is concerning.
Why? Well, I mean, it's very easy, I think, for people to...
We get lots of stories about cyber attacks and our personal information is compromised
in something and we just keep going on with our daily lives and we don't really notice
anything's different.
Like, why do we care?
Well, look, look what happened, what has happened rather in Ukraine for several years, dating
back to 2015, the Russians, the GRU, which is their military intelligence unit, they
brought down the Ukrainian grid several times.
That's what China is preparing for.
Not just the ability to turn off support to our military,
but the second prong of the Volt Typhoon attack,
which is the PLA, the military,
is to, in an almost stochastic ad hoc manner,
hit civilian critical infrastructure.
So to turn off the water in Omaha.
There's no rhyme or reason.
They are scanning?
You think that's possible?
You think they have the capability today to turn off water across the country or turn
off our grid?
So not wholesale, right?
They can't snap their fingers and shut down the entirety of the US grid.
It's not wired like that.
It's fairly resilient.
But there are things they could do at a regional level for temporary disruption.
And this is why they, this is the difference
between the Chinese and the Russians in the US.
When we think about cybersecurity,
we almost exclusively think about it
in a technical construct.
It's just, is the thing secure?
Can it be hacked?
Can it be damaged?
The way the Chinese and the Russians think about it
is in two different parallels.
One is the technical attacks.
So information technical.
The second is information psychological.
So they combine the technical attack, which doesn't have to be at a national level.
It can be at a regional level.
But they combine it with the psychological effect where they have the impact and the
outcome.
But then they amplify it through social media and other sorts of these psychological operations, disinfo, and they get it to
multiply and it creates civil unrest.
It creates societal panic. That is what's so concerning right now about Volt Typhoon in that second prong of the Chinese, the People's
Republic of China, their strategy.
What do we do about it?
Well, this is the real challenge.
There's not a lot the US military can do to counter these activities coming out of China,
because if you tear down their command and control infrastructure, they'll just repopulate
and build a new one the next day.
They just keep cycling.
We can indict, we can name and shame and indict these officers for the PLA and the MSS.
No, not many are going to be extradited.
But they're not, but they're not, yeah, well, first off, they're not being extradited, but
they're probably not leaving China anyway.
So the long arm of the law can't reach them. So this is where we have a bit of a gap in our defensive strategy where we need actually,
this is where corporate responsibility comes in and the business leaders that I'm talking
to I think are beginning to appreciate, oh wait, we're now in the crosshairs.
We're on the front lines of modern warfare
because we have democratized the internet,
because we've reduced barriers to entry.
And it's not just China, it's not just Russia.
It's also now we've got a global outbreak of ransomware.
And the waste through the economy
is absolutely out of control right now.
And it's hit in hospitals, it's hit in schools, state and local governments.
How do we fight back against that?
This is what I think has really emerged over the last 18 months, is that ransomware is
effectively a tool of geopolitical warfare as well. Five, six, seven, eight years ago, it was really what it was meant to be,
which is criminals,
that have figured out how to monetize
misconfigured and vulnerable systems.
And by ransomware, you sort of mean
get inside a system, lock it down,
and say, you've got to pay us millions of dollars
if you want the keys back.
So you get your entry, you get in,
you deploy malware that spreads throughout the system
and encrypts the servers.
Now that's evolved as well because before they encrypt, they're also exfiltrating.
They're taking the data out somewhere else and they're saying first pay us to unlock
it but also pay us not to release this data.
On China, I mean, is there any way for us to offensively counteract what they've done?
I mean, can we get into their infrastructure?
Are we doing that?
Well, from a military perspective, and, you know, look, I'm not going to comment on cyber
command and other operations for one, you know, it's been a few years, but we have significant
capabilities.
You know, the problem is that we have the glassiest house, so we can have big rocks, but when the house houses down the street, they're the glassiest. Because
from a digital perspective, when you look at the top 10 most valuable companies in the
world, what's eight of them are tech companies, seven of them are US tech companies. I mean,
that's a great thing. We've created enormous value by digitizing virtually everything. We've
also created enormous risk and enormous liability in doing so. And for now, the gains and the
losses of the ledger are still heavily in the favor of productivity across the economy.
But the risks are starting to build up.
And I think that is where we have to be thinking very, very clearly about what the foreign
risk is, the Chinese in particular, and what that means to individual companies.
That can be looped into an operation and exploited by the Chinese.
Okay.
We've got to leave it there. Thanks, everyone.
Thank you.
Thanks, Chris.
That's all for today, Tuesday, October 29th.
The Journal is a co-production of Spotify
and The Wall Street Journal.
If you like our show, follow us on Spotify
or wherever you get your podcasts.
We're out every weekday afternoon.
Thanks for listening.
See you tomorrow.