Security expert Chris Krebs on TikTok, AI and the key to survival

This is part one of a two-part series.

VentureBeat recently sat down (virtually) with Chris Krebs, formerly, the inaugural director of the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and, most recently, Chief Public Policy Officer at SentinelOne. He was a founding partner of the Krebs Stamos Group, acquired by SentinelOne. Krebs is also co-chair of the Aspen Institute’s U.S. Cybersecurity Working Group.

Krebs’ leadership in the fields of national cybersecurity defense and the global dynamics of cyber threats have shaped the United States’ approach to modern digital threats. During his tenure at CISA, he led a 2,500-member organization that made significant strides in national cybersecurity defense during the pandemic. Krebs is known for his ability to distill complex cybersecurity issues into understandable terms.

VentureBeat spoke with Krebs about the recent TikTok legislation, AI and what companies can do to be vigilant about cybersecurity.

The following are highlights from VentureBeat’s interview with Chris Krebs today: 

VentureBeat:  What’s the outcome of the TikTok legislation on our national cybersecurity strategy for the long term, assuming that the U.S. Senate doesn’t ratify the bill?

Chris Krebs: I mean, it’s an interesting question, right? Because the Senate typically doesn’t love being force-fed House paper. They like doing their own thing, and there’s no question that they will make adjustments. I mean, for one, the bill, just like any piece of legislation, is not perfect. There are likely some flaws in it, and it can be improved, and the Senate likes putting its spin on things. And I suspect they’ll clarify some language. 

I think about the real problem, security issues, but there’s also a broader foreign influence issue. And so, if you separate it, then the part I think that has muddied it a bit, is what are the real risks of TikTok and other apps like it out of China. And that is another thing that I think is lost in this bill, is that it’s not just about ByteDance and TikTok, even though that’s what TikTok wants this to be about from their strategy. It is much broader, and I think could individually address things like WeChat and a number of other apps that are coming out of China but also out of Russia. I mean, Telegram could potentially get swept up in this as well.

If it doesn’t get through, I think we have this outstanding issue of data security and data privacy in addition to the foreign propaganda piece and the potential for influence. So I still think, and I thought this for a decade now, is that we really do need a national or federal privacy law. 

We have punted every Congress now on privacy for half a dozen-plus congressional sessions. And in the meantime, what’s happened is state by state, so you’ve got California, Illinois, New York and others that have really set individual state privacy laws, but then you’ve got Europe with the General Data Protection Regulation (GDPR) that’s starting to set the pace, and now they’re going on to GDPR 2. 

Virtually everybody that transacts on a global basis, at least in the EU, is starting to set their own internal strategies based on what GDPR dictates. The kind of flow-downs are happening here in the U.S., And I don’t think that’s the approach that we want. That’s not the approach that Congress should want. I know that there’s been plenty of complaints about Europe setting U.S. Tech policy by a kind of default. So I think that’s my first reaction to whatever happens with TikTok. It’s, we’re going to have to step up, or the Europeans will continue to dictate how our businesses operate.

Source: SentinelOne

VB: With nation-state attackers seeing gaps in hyperscalers and cloud security, do they see those gaps as weaknesses they can exploit, and is that why they’re coming after Microsoft, Google and Amazon, especially Microsoft, so diligently these days?

Krebs: This is my favorite question in the world because it blends together market dynamics with threat intelligence and cybersecurity. So stepping back and looking at the shifts in digital transformation over the last five years, the shift to the cloud, it’s been going on for a decade plus. COVID really pushed a lot of organizations into having to pivot from on-premise solutions to cloud-based solutions. 

At CISA alone, we had a workforce that was about 2,500 people that all of a sudden in one weekend shifted to a work-from-home posture. For the 2,500 people, we only had about 1200 VPN licenses across the organization because … we never load tested for everyone being out all of a sudden. We did have a remote work policy, but it was very limited in the D.C. area. But all of a sudden, boom, everybody’s home. It didn’t work.

Our whole approach collapsed and fell over, so we had to go to a workplace-as-a-service model with Office 365, and it really solved a lot of problems for us. We were not the only organization that went through that kind of realization that the prior digital strategy wasn’t going to get us to success and productivity. So there was this real boom in the cloud. 

We see that, we do it on the business side, guess who else sees that? The bad guys. The bad guys see all of this traffic shifting over and they say, “Okay, what’s happening here?” They’re going to a much smaller targetable set of organizations and hyperscale cloud and Microsoft, GCP, AWS and others, and that gives them a much smaller set of organizations that they can target. And they can reach out and touch them because there is some sort of, just by the nature of I.T. connectivity.

China in particular, but Russia as well, they have been putting resources and prioritization against piercing these cloud providers for quite some time. So the Tianfu Cup in China provides pretty significant bounties for cloud vulnerabilities and Hyper-V escapes and things like that. So we’re seeing them really organize a strategy around going after the cloud.

VB: How has our ability to use red teaming to identify vulnerabilities changed with more reliance on hyperscalers and cloud as a core part of  infrastructure?  

Krebs:  Historically with (Microsoft) Exchange or any sort of on-prem solution, the government red teams could go grab Exchange, they could put it on the bench at Fort Mead, and they could beat the hell out of it and find out all these vulnerabilities and how to attack, but mainly how to defend. And then they could share that back with Microsoft and say like, “Hey, we found this thing, you guys need to address it because if we can find it, that means somebody else can.” 

You don’t have that ability with a cloud-hosted solution that’s sitting in Redmond or some other public cloud system. It’s legal. Government can’t do it. There are some emerging abilities of private instances of cloud that the cloud providers are giving to the Fort or to the intelligence community, but it’s not as prevalent and certainly not as easy to access. So to a certain extent, the commercial cloud providers are not getting the same sort of support and benefit from the national security community that they once got because of just the way things work, because of contracts and laws. So we don’t have necessarily the same team fighting the fight that we would if it was a different technological deployment.  

And so it’s almost as if the cloud providers are fighting this one on their own. They get some insight, but from a technological or technical perspective, it’s not quite as good as it used to be. 

And this is what leads me to these conversations I have with folks in the national security community where it’s like we’re hanging on by a thread here. It is really getting to be a crisis point that we really need to get as many of these, whether it’s public-private partnerships or… I think it’s mainly, frankly, just on the bigger picture, it is public-private partnerships.

In Part II of our interview, Chris Krebs emphasizes the importance of anticipating cyber threats, particularly from Russia and China, and the need for proactive cybersecurity measures to secure critical infrastructure against evolving threats. Krebs advocates for a forward-thinking approach to cybersecurity to address future risks and vulnerabilities effectively.