It's been a busy few months for Chris Krebs. As the director of the US Cybersecurity and Infrastructure Security Agency, Krebs oversaw the country's election preparedness, grappling not only with potential foreign hacking threats but a firehose of disinformation from President Donald Trump and his associates. He spent weeks countering conspiracy theories about voter fraud and manipulated voting machines, only to be fired in a Donald Trump tweet on November 17.
Since then Krebs has remained active. He recently joined the Aspen Institute as a senior fellow, leading a commission that will study “information disorder.” He founded a consulting firm with former Facebook chief security officer Alex Stamos, and signed high-profile Russian hacking victim SolarWinds as a client. And he has remained a vocal critic of Trump and his enablers on social media and beyond. On Wednesday, Krebs joined WIRED for an interview that touched on disinformation, SolarWinds, ransomware—and what can be done to close the chasm opened by Trump's conspiracy brain.
Brian Barrett: CISA was worried rightly about misinformation from other countries, from Russia, Iran, China, but at what point did it become clear that you may have have a bigger domestic problem? And not only that, but a problem coming from the president himself?
Christopher Krebs: This is a pretty timely conversation; even though the election's over and we have a very clear winner, the effects of disinformation are continuing on a daily basis. And unfortunately, it's gotten to the point where the long tail of disinfo has led to physical manifestations of violence, as we saw last week at the Capitol.
When I think back about election security and all the work we did over the last four years, the principal goal was to ensure that the voting systems themselves were as secure as possible. So, no foreign actor—Russian, Iranian, Chinese, or otherwise—could hack into systems and affect the election process. We had a pretty good sense from the beginning that the actual voting machines that the voter engages with and casts their votes on, and then the tabulators and all the other machinery or the equipment involved in the election, that they were fairly distributed in a way that it would be difficult for any foreign actor to affect the outcome of an election at scale.
But as the concern of the actual hack went down, our concern of a perception hack went up. We had spent four years effectively building every sort of scenario possible where you could see someone try to affect an election. We had dozens and dozens of these scenarios that we had red-teamed and threat modeled. All along, we unpacked them and said, OK if you were going to do this, what would be the defense against it? And then we built those defenses into our strategy.
As the spring and Covid-19 turned into the summer and we saw this expansion of mail-in and absentee votes, that's what it really became clear to us that voter confidence, manipulation, or these perception hacks in disinformation were not just going to be a foreign threat. We were seeing domestic efforts by the president and the campaign as well. So at that point we started thinking through what sort of information we get out to the public to reinforce confidence in the processes that are involved. We started pushing documents like risk assessments and the security controls in place over the summer. And then that carried through the election and the establishment of the Rumor Control website, which was very effective at pushing back against specific claims that the president and others were making.
In fact, Trump ended up clearing house at CISA to a large extent in response, including you unfortunately. You mentioned you red-teamed various scenarios leading up to the summer. Did that include something specifically like the situation we’re in right now, where Trump refuses to concede the election and claims fraud?
We didn't specifically threat model this kind of physical violence and physical manifestation that we saw last week at the Capitol building until the later stages of the campaign, until right before the election. That's when I think everyone was concerned about a number of different scenarios. Even on Election Day we were thinking through, maybe we would see armed protesters showing up at voting locations.
And then after that and the actual voting process, if you think of the convention center where they were counting votes in Philadelphia, seeing people that would storm in to disrupt the process, those were the sorts of scenarios that we were thinking through, and sharing information on how to protect physical locations—whether it's the actual polling places or the election offices where they conduct some of those post-election activities.
At that point, getting into the certification and protecting that process and the actual Electoral College, and then the inauguration, was beyond our ability to engage in. A whole other load of partners are involved in that process; the Capitol Police, National Guard, and other police departments.
Would you have ever thought that it would get this far, or as far as it got on January 6 with people storming the Capitol building?
From a CISA perspective, we were focused on using the limited resources and the bandwidth that we had available to the areas that we can make the most impact. In part, that was helping at the local level. But also, when you go back to Rumor Control, that was identifying those streams of disinformation that were emerging.
One of my all time greatest hits is this “Kraken,” releasing the “Kraken,” where Hugo Chavez from the grave would rise up and kinda like in The Walking Dead come into Georgia and change votes, flip votes. That’s just not how it works. So we were steadily pushing out counter-disinformation updates to say, look, here's why even if the Hammer/Scorecard and Dominion rumors were true—they weren’t—you had a paper ballot that you could go back and recount to ensure confidence in the election. And that's what happened in Georgia. You know, they counted once, they did a hand recount statewide, and then they counted again a third time. And the outcomes were consistent within a very narrow margin of error. And that, to me, shows that there was no Hammer/Scorecard, there was no Kraken, and we have to continue to push out factual information.
Our hope through Rumor Control was that we would kneecap these disinformation campaigns and this broad destabilization and undermining of confidence in the election so we wouldn't get to the point of where we are right now. I think we did a pretty darn good job of it, but when the leader of the free world is one of the most active propagators of the disinfo, and had 85 million or more followers on Twitter, and they can share this information without recourse or consequence, that’s a heck of a challenge. Obviously we weren't effective enough.
It seems a little bit like Whac-A-Mole almost, right? You have a rumor come from the president, who has 85 million followers, or Sidney Powell, Rudy Giuliani, whoever it is, and you can counter it, but you're never going to reach as many people as Trump. As we found this past week, the only way to really shut off that spigot, or unplug the Whac-A-Mole machine, that power lies with the platforms. Do you think it was the right call to take Trump off Twitter and off of Facebook? And do you have any concerns that private companies are on the front lines here, and the ultimate deciders?
I think what you’re seeing more than anything is that countering disinformation effectively requires a whole of society approach. That's kind of a cheesy, bureaucratic, inside-the-Beltway term. But it really is not a challenge that the US government is going to solve alone. It's not a challenge that the private sector that these platforms are going to solve alone. It's going to require everyone coming together and forming a partnership.
And that's one of the things that we're looking at tackling over at Aspen Institute, with the recently announced commission on information disorder that I'm going to chair. We want to pull everybody together to figure out who the key players are, what the roles and responsibilities are, and recommend a set of short term and longer term solutions that will allow us to move forward as a community, as a society, and get past this.
But even if you think about the individuals and their roles and responsibilities, I think there's a fair argument that over the last several years, there was absolutely a public policy interest in having the president maintain access to his Twitter account. Obviously when you incite violence via that account, that's a different set of circumstances. And I think Twitter was justified in permanently suspending the president's account. The challenge is going to be how do they enforce the terms of their policy globally? We tend to live in a bubble here in the US, but there are other foreign leaders that are as bad if not worse on platforms. And it's going to be important that the social media companies enforce those policies globally.
You said recently that Donald Trump needs to resign, that’s the first step out of this mess. That seems unlikely, but we do have this impeachment process going on right now. It seems likely that the House will vote to move articles forward. [The House of Representatives later voted 232-197 in favor of impeachment, with 10 Republicans joining the Democrats.] Is impeachment the right decision? How do you expect that to play out? And what else still needs to happen to fix this mess we’re in?
The reason that I think the first option is that the president resign is because he needs to accept responsibility for what he's done, that he lied to his followers, that all of these claims of fraud and stolen and rigged elections, that was all a grift. It was a long game. It was a con, and he needs to own up to that. And you need to tell his followers that they need to back down and listen to their state and local election officials about how elections actually work.
In lieu of him resigning, impeachment is the right mechanism. We have to communicate very, very clearly to the American people that inciting insurrection and trying to overturn a free and fair election will not be tolerated. That it is unacceptable behavior.
And it's not just about the American people, but it's about the rest of the free world, that we can communicate clearly to our allies, that we can communicate to aspiring democracies, that we can communicate to dictatorships that attempts to overthrow or overturn a free and fair election will not be tolerated in the United States. We've got to continue to set an example, and yes there are consequences.
You’re hearing from a lot of Republicans that are not supporting impeachment that there needs to be a time of healing. That doesn't do the trick, that doesn't restore confidence. That doesn't stave off the next attempt in 2024, where a candidate tries to do the same thing.
Your role as director of CISA was more than about just elections. It's about broader infrastructure security. And at the end of last year, there was the revelation of the SolarWinds hack, which happened as early as last March. As part of your new venture with former Facebook chief security officer Alex Stamos, you’re working with SolarWinds to plot a path forward. What can companies do about these insidious, so-called supply chain attacks? Did CISA miss something last year? Did everyone? And how do we not miss it again?
Supply chain risk management has been something that we’ve been focused on at CISA over the last couple of years. We established a Supply Chain Risk Management Task Force in 2018 that brought together 20 IT companies, 20 communications companies, and 20 federal agencies to pull everybody together. Much like disinformation, where there's not a clear center of gravity in the US government, supply chain risk management efforts were distributed across NIST, the Director of National Intelligence, the NSA, parts of the Department of Commerce, and DHS and CISA. So our efforts were designed to pull everybody together and figure out what's working, what's not working, and share best practices.
What really became clear to us was that supply chain risk management in general is an incredibly complex undertaking that most organizations were not equipped to manage effectively. The bigs do it pretty well, but the nature of dependencies and interrelationships and third-party risk; it's all based on trust. It's all based on trusted relationships. A lot of the times when somebody shows up and hands you that certificate and says, “you should trust us,” you take it for granted. You frankly don’t know what they are doing to protect themselves. And that's what the Russians have exploited here.
The Chinese have done it similarly back in 2018 with their Cloud Hopper campaign, where they came in through managed service providers and accessed the networks of hundreds of companies. This is the new challenge for organizations and leaders. I'm excited about working with SolarWinds right now because you have a CEO that is focused on becoming best in the business. And what we're trying to do is help him pull together, the processes, the security culture to accomplish that.
The key takeaway is that a security culture has to start at the top. The CEO cannot view security, cybersecurity, supply chain risk management, as just a tech problem. It's much bigger than that. It's a business risk; it's as important as auditing your books. And so the CEOs that commit to cybersecurity and invest in cybersecurity are the ones that are going to be able to not just survive in this incredibly geopolitical environment; they're actually going to thrive.
It's also not just the actual hacks that we're seeing. There's an element of disinformation as a threat, a hybrid, a toolkit of state and non-state actors. Whether you're a company that's developing a Covid-19 vaccine or deploying a 5G network across the country, you need to be thinking about how conspiracies and disinformation can undermine your brand, your reputation, your business model. This is going to be just one more risk area that CEOs and boards and other risk managers are going to have to prioritize.
That sets up our first audience question perfectly: Why was it so hard for Dominion to get its message out there to counter this disinfo?
Well, they actually did. They set up their own Rumor Control equivalent page. It's more, I think, a lesson learned for executives that need to be thinking about where you fit into the landscape, if you're a systemically important company. There are really only five major vendors for voting equipment. So by definition, if you have a certain market share you're systemically important. If you're producing 30 percent of the vaccines, if you're 40 percent or even smaller of any sector or segment, you’re systemically important. You need to be thinking about your disinfo risk. You think about crisis communications and you need to start that planning for a bad day that's going to happen four years from now. You can't pull this together in a week.
Our work on Rumor Control didn't just start the week or two before the election. The preparation, the due diligence, the discipline that we developed was three-and-a-half to four years in the making. And so when that bad day came that all this disinfo was popping up, we were ready to go. Although again, when you're fighting a head of state and battling that sort of disinformation, it's incredibly challenging.
I’m going to combine two related audience questions in the interest of time. What issues prevent us from putting the entire voting system online, and can we convince people that the election was fair through some sort of blockchain voting system? I know there have been a lot of objections to both of those approaches over the years, but if you could talk through why they haven’t been implemented broadly.
CK: If you look at the National Academy of Sciences voting security report, they had a couple of recommendations. First was that every vote in the United States needs to have a paper ballot associated with it. There's a “keep it simple, stupid” element here where you have a record that you can touch, and you can go back and count it and count it and count it.
That's what they did in Georgia. They counted three times. They're conducting a risk-limiting audit right now up in Michigan. They’re doing a risk-limiting audit of the runoff from last week in Bartow County, Georgia. it's important that you have evidence-based elections with meaningful post-election audit processes.
The problem with going to the internet-based voting system is that we're still not in a position where we can conduct trusted transactions in an anonymous fashion. People say, hey, if it's good enough to bank online, well, credit cards get popped every day. Bank accounts get popped every day. And the problem is, money is fungible. A vote is not.
Blockchain is a great mechanism for tracking transactions on a distributed ledger, but the problem is garbage in, garbage out. If you're voting on one of these platforms and it's not secure and you can't trust the device, then you're just putting garbage into the blockchain. Also, not everyone has smartphones.
The key takeaway from that National Academy of Sciences report was that we're just not in a spot where internet-based voting or online voting could be deemed trustworthy, and let's get back to the basics. Let's make sure every vote's got a piece of paper associated with it. That should be the priority, along with these meaningful post-election audits.
We have time for one more audience question: What kind of threats are the general public not thinking of? Where has our imagination failed? And I'll add to that: What's keeping you up at night when you think about threats to the US?
I think from a US government perspective we tend to overthink or over-focus on the exquisite threats. We have a fetish for state actors like Russia, China, Iran. In the meantime, America's state and local governments are just getting crushed right now by ransomware.
I've been encouraged by the increased attention on countering ransomware actors over the last year or so. And I've seen recently the private sector led by Microsoft and a few others step up. We've got to put these bad guys out of business; we can defend all we want but we have to change the business model. We have to disrupt the way they're paid, whether it's through bitcoin or whatever, then we have to go after the bad guys. It's just basic blocking and tackling, but we haven't done enough of it.
And then with disinformation, we are facing a significant challenge to confidence in democracy and civil society, writ large. Long term, we need to increase digital literacy in our children, in our school system, our education system. It's not where it needs to be right now. Too many people are susceptible to what they come across online.
This transcript has been lightly edited for clarity and length. You can watch the full video of WIRED's interview with Chris Krebs below.
- 📩 Want the latest on tech, science, and more? Sign up for our newsletters!
- The self-driving chaos of the 2004 Darpa Grand Challenge
- The right way to hook your laptop up to a TV
- The oldest crewed deep sea submarine gets a big makeover
- The best pop culture that got us through a long year
- Hold everything: Stormtroopers have discovered tactics
- 🎮 WIRED Games: Get the latest tips, reviews, and more
- 🎧 Things not sounding right? Check out our favorite wireless headphones, soundbars, and Bluetooth speakers
