The following is a transcript of the interview with former CISA Director Chris Krebs, which aired Sunday, May 16, 2021 on “Face the Nation”.
JOHN DICKERSON: Welcome back to FACE THE NATION. We want to go alongside the former Director of the Agency for Cybersecurity and Infrastructure Security, Chris Krebs. Hello, Chris. I want to start with the Colonial pipeline. It was not intended to undermine American infrastructure, but it did suggest certain vulnerabilities. What have we learned?
FORMER CISA DIRECTOR CHRIS KREBS: Hello, JOHN. First, I think if there was still the question of whether cybercrime and ransomware in particular posed a threat to national security, I think that question resolved itself over the last week. I think one of the main things I took away from last week is that business leaders need to stop seeing cybersecurity as a technical risk issue, and it really is a business risk. I mean, we’re talking about resilience of the national economy and we need to do a better job of removing vulnerabilities, making our systems and operations more resilient.
JOHN DICKERSON: The president signed an executive order this week to try to resolve some of these issues. What is your assessment of this decree?
KREBS: I think it’s a really big plan. I think it should be effective if implemented correctly, which I trust the team both at my former agency and at the National Security Council and elsewhere. But the advantage here is that the decrees generally only apply to the federal government. And what we’re going to see is through the power of the stock market, through the buying apparatus of the United States government, into the software of American technology companies and others, we are going to see standards, improved security and improved security performance. And there’s a trickle-down or cascading effect where, you know, the government buys the same things that we do in industry and at home. So all boats should come up with the tide here.
JOHN DICKERSON: So your argument is that if companies are to step up their game to provide products to government, they will use the same new, better products that they create in the private sector.
KREBS: They’re not going to create two different engineering teams to develop software. The same code that will be sent to the government will be sent to the industry and you will see better security. And I think that’s a good thing.
JOHN DICKERSON: You mentioned enforcement, always a government thing. Lots of great plans, execution is the challenge. Your position there is that of an interim and unconfirmed administrator. Is it a problem? And should this be fixed quickly?
KREBS: Well, I’m really optimistic about the nominee or nominee the president picked, Jen Easterly, and he even earlier this week urged the Senate to accept that nomination quickly. Jen is- I’ve known Jen for years, she’s an incredibly effective leader. She’s spent time in government as well as in industry, and she knows what it takes to do her job. But – but obviously it takes more than one person. And there is going to be a significant increase required not only by my old agency, but really every government agency. And that will require resources. The Senate, Congress must therefore put in place additional staff, as well as funds to run these programs across government.
JOHN DICKERSON: And just to get people back into the stakes here, what was revealed by this ransomware attack? Give us an idea of what we should be thinking about in terms of the possibility of future challenges on the national security and infrastructure front.
KREBS: Well, this particular is- ransomware is something I’ve been barking for a number of years. Unfortunately, I think this was treated as a matter of law enforcement and not necessarily as a threat to national security. So you didn’t necessarily get the full attention of the US government and some of our allies. But I think we’ve crossed that threshold. And I think the way we’re going to overcome ransomware, it’s going to take a kind of three-pronged approach. First, we need every organization to improve its security. And since Congress is considering an infrastructure bill, it must include cybersecurity investments in that bill. The second thing we need to do is break the business model. It- it- ransomware is a business and the business is good. I’ve said it a thousand times, so we have to look at what allows it. And that includes cryptocurrency as well as whether we can pay – whether the ransom should be paid, and if so, how is that categorized or recorded? And then the third thing is that we have to tackle the actors. President Schiff mentioned this earlier. We have a set of tools that we can use to effectively deport these ransomware players. But the last point here is that when the president goes to meet with President Putin over the summer, it has to be on the table. Sovereign states do not allow criminal enterprises to operate outside their territory in this way without repercussions.
JOHN DICKERSON: On the ransom issue, is there a way to make the ransom payment illegal? And do you think that should be on the table?
KREBS: Of course, it could be done with the stroke of a pen. The legislation could – could say it. I think it takes, however, a very in-depth political conversation. I think there are absolutely extreme cases where paying a ransom as a last resort may be necessary. And that’s – that’s a case where a hospital, where lives are on the line, might be justified. I don’t like to say that because I think it might actually impose a goal on them. But nevertheless, I think there are probably extreme cases. But at the bare minimum, any organization that experiences a ransomware attack should be required to notify the federal government. And I think one item we might be able to look at is finding a license to pay this ransom, where information about, A, the victim is tracked as well as where that money is going so that we can continue to paint the criminal ransomware ecosystem.
JOHN DICKERSON: All right, Chris Krebs. We will probably come back to this question, however widespread it may be. We appreciate your time this morning. And we’ll come back to Dr. Anthony Fauci in a moment.