Transcript: Chris Krebs on "Face the Nation," May 16, 2021

Chris Krebs says pipeline attack shows ransomware "truly is a business risk"

The following is a transcript of the interview with former CISA Director Chris Krebs that aired Sunday, May 16, 2021, on "Face the Nation."


JOHN DICKERSON: Welcome back to FACE THE NATION. We want to go next to the former director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs. Good morning, Chris. I want to start with the Colonial Pipeline. It was not intended to undermine American infrastructure, but it suggested some vulnerabilities. What did we learn?

FORMER CISA DIRECTOR CHRIS KREBS: Good morning, JOHN. First, I think that if there was any remaining question as to whether cybercrime and ransomware in particular was a national security threat, I think that question resolved itself over the last week. I think one of the- the key things I took away from the last week is that business executives have to stop looking at cybersecurity as a technical risk issue, and it truly is a business risk. I mean, we're talking resilience of the national economy and we've got to do a better job in terms of closing out vulnerabilities, in making our systems and our operations more resilient.

JOHN DICKERSON: The president signed an executive order this week to try to get at some of those issues. What's your evaluation of that executive order?

KREBS: I think it's a really ambitious plan. I think it should be effective if implemented properly, which I have confidence in the team both at my old agency as well as in the National Security Council and elsewhere. But the benefit here is that typically executive orders really only apply to the federal government. And what we're going to see is through the power of the purse, through the purchasing apparatus of the United States government, in the software from US tech companies and others, we're going to see improved security standards and improved security performance. And there's a trickle down or cascading effect where, you know, the government buys the same things that we do out in industry and at home. So the- all boats should rise with the tide here.

JOHN DICKERSON: So your argument is that if companies have to step up their game to provide products to the government, they'll use those same new higher quality products they create in the private sector.

KREBS: They're not going to build two different engineering teams to develop software. The same code that goes out for government is going to go out to industry and you're going to see better security out there as a result. And I think that's a great thing.

JOHN DICKERSON: You talked about execution, always a trick in government. A lot of- a lot of great plans, execution is the challenge. The position you held there is an acting, not confirmed director. Is that a problem? And should that be fixed quickly?

KREBS: Well, I'm really optimistic by the candidate or the nominee that the president picked, Jen Easterly, and he even earlier this week encouraged the Senate to take up that nomination quickly. Jen is- I've known Jen for years, she's an incredibly effective leader. She's spent time in government as well as industry, and she knows what it takes to get the job done. But- but it takes more than obviously one person. And there is going to be a significant lift required by not just my old agency, but really every government agency. And it's going to require some resourcing. So Senate- the Congress needs to put into place additional personnel, as well as funding to execute these programs across the government.

JOHN DICKERSON: And just to pull people back into the stakes here, what was exposed by this ransomware attack? Give us a sense of what we should think about in terms of the possibility of future challenges on the national security and infrastructure front.

KREBS: Well, this is- ransomware in particular is something I've been barking about for a number of years. Unfortunately, I think it's been treated as a law enforcement matter and not necessarily a national security threat. So you didn't necessarily get the full attention of the US government and some of our allies. But I think we've broken through that threshold. And I think the way we're going to get past ransomware, it's going to take kind of a three-pronged approach. First is that we need every organization to improve their security. And as the Congress contemplates an infrastructure bill, they've got to include cybersecurity investments in that bill. The second thing we have to do is we have to break the business model. It- it- ransomware is a business and business is good. I've said that a thousand times, so we've got to go look at what enables it. And that includes cryptocurrency as well as whether we can pay- whether ransom should be paid, and if so, how is that categorized or logged? And then the third thing is we have to go after the actors. Chairman Schiff mentioned it earlier. We have a set of tools that we can use to deplatform effectively these ransomware actors. But the last piece here is that when the president goes and meets with President Putin over the summer, this has got to be on the table. Sovereign states do not allow criminal enterprises to operate out of their territory like this without repercussions.

JOHN DICKERSON: On the question of ransom, is there any way to make paying ransom illegal? And do you think that should be on the table?

KREBS: Sure, it could be done with the stroke of a pen. Legislation could- could state that. I think there needs to be, though, a very thorough policy conversation. I think there's absolutely some edge cases where the payment of a ransom as a last resort may be necessary. And that's- that's a case where a hospital, where lives are at stake, might be justified. I do not like saying that because I think it could actually put a target on them. But nonetheless, I think there are probably some edge cases. But at a bare minimum, any organization that suffers a ransomware attack should be required to notify the federal government. And they I think one element we may be able to look at is seeking a license to pay that ransom, where the information on, A, the victim is tracked as well as where that money goes so we can continue to paint up the criminal ecosystem of ransomware.

JOHN DICKERSON: All right, Chris Krebs. We're likely to be coming back to this issue again, as prevalent as it is. We appreciate your time this morning. And we'll be right back in a moment with Dr. Anthony Fauci.
