
Patrick Gray
Hey everyone, and welcome to another edition of the Wide World of Cyber podcast. My name is Patrick Gray. Wide World of Cyber is a podcast series we do here at Risky Biz, which is sponsored by Sentinel One. So it's a partnership where I sit down usually with Chris Krebs and Alex Stamos, who both work for Sentinel One. And you know, we sit down about once a month and just talk about the big issues in cybersecurity. In this one though, we're only going to hear from Chris because he was actually in Australia. Last week I flew down to record this interview live in front of an audience in Sydney. And big thanks to the Sentinel One team in Australia for organizing all of that. It all went really, really well and all of the AV was handled as well, which made my life a lot easier. And yeah, so I sat down with Chris Krebs, who, for those of you who don't know, was the first director of CISA, the Cybersecurity and Infrastructure Security Agency in the United States. And, you know, tremendously smart guy. So I sat down with him for this live interview all about Chinese cyber operations and where they are now and where they've come from. Now it does start off with a couple of minutes of a history lesson, which is where I'm going to drop you in. So, you know, that's me just prattling on for a couple of minutes. But it's important context for the conversation that comes afterwards. And I will note too, there's a couple of rough edits in this podcast and that's mostly because I had to stop every few minutes to cough because I'm still not 100% after getting sick a couple of months ago. But here it is, my interview with Chris Krebs recorded live in Sydney in front of an audience talking all about China. And as I said, it starts off with a brief recap of the last 20 years of history of Chinese cyber operations. Enjoy.
Chris Krebs
I think we could start with a brief recap of the last 20 years, right, of the Chinese cyber threat where, you know, they didn't have all that much formal 20 years ago. They had a little, but not all that much. Gradually they were able to co-opt, you know, people like nationalist hacktivists and whatnot and, you know, get them working for the state, sometimes directly, sometimes indirectly. Gradually things formalized and then you had this PLA-driven effort to steal massive amounts of intellectual property which kind of culminated in the APT1 report from Mandiant, which was a tremendously important event that led to your then President Barack Obama raising that with the Chinese and saying, hey, you need to knock this off. That actually appeared to hold for a short time. And then, of course, we saw the rise of the MSS and the PLA kind of disappeared, and we didn't hear much from them. And that's changed now because we've got Volt Typhoon, which is the stuff that is really scaring the pants off the policymakers that I speak to. More so than this espionage collection on the Salt Typhoon stuff.
Alex Stamos
Ish, but yeah.
Chris Krebs
Ish, but yeah.
Alex Stamos
But I can keep going, I guess.
Chris Krebs
My point is we've watched China develop and formalize its cyber capability, and these days they're running that sort of split role in cyber, where you've got the MSS, which is fulfilling that sort of traditional NSA role of doing the intelligence collection, and you've got the PLA, which is now doing that more cyber role. It's more Cyber Command, you know. But of course, the way that they operate is still completely different. Even though the roles seem to mirror, the rules don't. Right. So I guess where's a good place to start? I guess a good place to start might be to talk about the typhoons. And I know how much you hate using that terminology.
Alex Stamos
Well, I tell you what I find so interesting is that you just ran through about 20 years of Chinese cyber operations history, and you're like, oh, wow, that's been a lifetime for a bunch of folks in here. But then when you really run out offensive cyber operations out of our adversaries, it doesn't extend much more beyond what you just laid out. Even Russia, right? Go back and read Cuckoo's Egg. 1982, 83, 84. Cliff Stoll wrote that. Of course, it details a KGB operation hacking into Lawrence Livermore and a bunch of national labs and other sensitive networks in the US, so it really only goes 15 to 20 years beyond what you just sketched out globally. The interesting thing, though, about Cuckoo's Egg is that there was a West German contractor that they were using to run the operations. And so what we saw then is mirrored back to a lot of what we're seeing right now. And I think that's one of the things that's so maybe confusing or mystifying about today's operations. And even when the initial Salt Typhoon activity happened with the US telecoms, it was a little interesting upfront because they're like, we don't know who this is. It looks a little PLA-ish, but the targeting is definitely MSS-ish. And why is that? It's the contractors, it's the proxies they're putting out in front that's hosting the infrastructure that's providing a lot of the tooling. Now the button's getting pushed by the MSS and the PLA, but nonetheless there's this kind of overlay that's creating a little bit of mysteriousness over the top.
Chris Krebs
And it's interesting because that goes back to the rules being different, even though the roles are kind of broadly similar. One of the most interesting things to happen recently on all of this was the I-Soon leaks, where we saw leaks from inside a contracting firm based in China that served the government with tool development and operational support and whatnot. But their internal chats leaked and everything from hey, the boss is drunk and playing mahjong, get down here, we'll take some money off him, right through to people bitching about their pay packets and whatever. But it sort of showed us that that whole ecosystem in China is yet to be formalized in the same sort of way that it is in the West. Right. Like they are cowboys in that industry there. Whereas here and in the United States and in, you know, other Five Eyes countries, you know, a lot of this tends to be taken quite seriously. There's a, you know, it's a serious business. It doesn't seem to be quite as serious.
Alex Stamos
The Internet is serious business.
Chris Krebs
Yes, that's right.
Alex Stamos
But I think that's kind of probably reflective overall of corruption in general in China, you know, rates quite low on corruption.
Chris Krebs
But is that corruption or is it just sort of weird management?
Alex Stamos
I think it's a. Well, I think it's both, but those two are related. I think it's bad management because it's in part corrupt. I mean, there was some of the recent research that came out about Western contractors trying to dig up information on leadership in China. And they go to companies like I-Soon and others and they pull it. And then all the companies, it wasn't.
Chris Krebs
Companies like I-Soon, so what they did is they went to, there's these underground data brokers in China who bribe people who work for these contractors or even who are working for the government. They offer them like a month's salary per day, use their credentials and then go and get data. So these guys actually bought information on a bunch of APT operators in China from corrupt, you know, indirectly from corrupt people working at the same agencies.
Alex Stamos
But all the contractors as well, I mean, they're just different points of access here. But again, it speaks to that larger challenge that they're having. And I, you know, you and I have talked about this before, but particularly in authoritarian states with rule-by-law setups, there's this kind of natural evolution of the contractors and the actual government operators. The moonlighting piece. And I think that was one of your concerns, almost working the other way, right, about North Korea is like, what happens when they actually get into ransomware rather than just extracting value, and what does that mean and where that threat is going? And in the meantime, they've got a whole bunch of other stuff with the IT worker scam that is fronting out of China as well. So China seems to be the nexus of a lot of really bad activity these days.
Chris Krebs
Yeah, yeah. I'm less worried about the IT worker stuff because I think the FBI have found a point of vulnerability there, which is the people who are running laptop farms in their basements for these people to proxy through. So they seem to be having some success knocking that one on its head. But let's talk about the typhoons.
Alex Stamos
Yeah.
Chris Krebs
As you point out, that naming convention from Microsoft sort of conflates this activity into, oh, well, they're just the typhoons. Right. Whereas these are really distinct campaigns with completely different objectives. On one hand, we've got the Salt Typhoon campaign, and I'm sure most people in this room are familiar with what that is, which is a series of intrusions into basically all of the US telcos with the purpose of gathering all sorts of information. So one thing they're looking at is they get into the CALEA, like, wiretap systems to see what the tasking looks like so they can see who the FBI is surveilling, who the FBI is onto. They were looking at metadata to try to figure out who's talking to the FBI. So there was that sort of, you know, counter-surveillance, counter-espionage bit. They were targeting politicians to intercept phone calls, text messages, and also building out network graphs of who's speaking to who. Now, that is completely legitimate intelligence collection. And to its credit, the United States hasn't really objected to them doing that.
Alex Stamos
You don't have to hand it to them.
Chris Krebs
Yeah, it's the drill tweet. Right. Then we look at the Volt Typhoon stuff, and this is the stuff which is more along the. This is the PLA stuff. This is military prep. This is out of bounds. And these two things seem to be getting conflated. Do you think that's an issue that perhaps even some policymakers don't quite understand, that one of these things is, you know, not what we want, but within the boundaries of what's acceptable behavior from a state and another one is just completely not?
Alex Stamos
So this is, yeah, you know, this is kind of a top issue for me. The Typhoon framing, like the Blizzard framing, is not particularly helpful outside of, I think, this narrow subset of audiences. You know, they kind of intuitively know what it is, they follow through the reporting. But beyond that, when you take it out into the policy sphere, when you take it out into the general public sphere, it's not helpful at all. And in fact, the only person that helps, as I see it, is Microsoft because somebody goes to Google or Bing or whatever, types in what is Salt Typhoon. It goes to a Microsoft landing page URL and they can research it. We've got to pull it back out and use plain language because this is a very, very serious issue. This is not just a one-off hack. This is part. Whether it's the MSS hacking into the telcos in the US or the PLA hacking into critical infrastructure, both military and civilian, overseas or inside the US, this is an overarching national campaign. This is part of President Xi's preparation that he has directed his military and his security services to be prepared to invade Taiwan by 2027. Dmitri Alperovitch has been on your pod before and talked about this at length. Whether he's made the political decision or not to go in does not matter one bit. The posturing, the positioning as tasked, they're moving full steam ahead and they are in critical infrastructure throughout APJ.
Chris Krebs
Yeah, I would like to point out too that when we hear reports of Salt Typhoon and Volt Typhoon, the United States is actually somewhat more transparent about this stuff than our government is. Like in the case of Salt Typhoon, we have the names of some of these telcos that have been impacted. We do not have the names of telcos that have been impacted here. That doesn't mean that they haven't been impacted. They almost certainly have been targeted and some of them have almost certainly been successfully compromised.
Alex Stamos
So two things on that one, like I wouldn't over-rotate too much on that, particularly in the US, because it's all of them. Like it's all of them. There was a White House call earlier today, or yesterday or whatever, and they're like, yeah, it's eight plus.
Chris Krebs
Well, we heard recently too that the telcos that have been impacted are not having a tremendously good time evicting the attackers. They can't get them out. They are in there and they're not going anywhere.
Alex Stamos
They can't get them out. They can't give you a timeline for when they will be able to get them out. And they also, I don't think, will be able to tell us where they went, what they were able to access. And part of it, I think, is due to just internal competencies in a number of these networks. And you may say, hey, there are eight plus telcos in the US, there's more than that. They're the bigs, they're the national ones. But then there are a ton of regional and rural telco providers that serve the further flung regions. As you've already said, incident response is still ongoing. Yeah, and there are attempted incident responses. You know, I mean, look, the hunt teams are the IR teams and the hunt teams are everywhere. And those are both government and, you know, industry DFIR teams. They're very, very active right now. But nonetheless, like, these guys are very difficult both on the getting into the infrastructure, critical infrastructure, as well as the MSS side, getting into networks. I do find it interesting, by the way, think back four years ago. What were we doing four years ago? What were we talking about four years ago today? Like, virtually, like, literally.
Chris Krebs
COVID-19.
Alex Stamos
No, SolarWinds.
Chris Krebs
Yeah.
Alex Stamos
So it's the Russian intelligence services then that everybody's like hair on fire about, and now we're hair on fire. So history might not repeat, but it sure as hell rhymes. And I am gravely concerned about what '25 looks like, because if you go back and look at US presidential transitions over the last two cycles, so Biden coming in and then Trump coming in in '17. What happened in '17? You had WannaCry, NotPetya, Bad Rabbit, and then a bunch of other stuff. And then in '21, we started off the year still dealing with SolarWinds. We're still gonna be dealing with this in '25. And then you had Hafnium, and then in the US you had Colonial Pipeline, then you had JBS. Like '17 to '21 were super sporty. And I would not be surprised to see a really active '25.
Chris Krebs
I mean, only some of that was state directed, though.
Alex Stamos
You know, it doesn't matter. I mean, that's. And that's the problem, is even going back to '17, even going back to '21. The threat landscape, the number of actors, the players, their sophistication is off the charts. And the question is, how much have we done from a defensive perspective? And it's probably worth talking about, but from a defensive perspective, how much have we done to really push back and counter and prepare?
Chris Krebs
But I want to bring it back to that question around norms. And I know it's like I was about to say, it's a word that makes people groan. And he groaned. He literally groaned.
Alex Stamos
Norms are for the good guys.
Chris Krebs
Yeah. So, I mean, we're in this situation where we think we've developed norms. One of my colleagues, Tom Uren, he worked at ASD for a long time. He's been working with us for a few years. You know, he says norms are just created by people to explain how they want things to be. They don't actually set how things are. That's sort of his perspective on norms. But certainly the PLA-directed activity towards critical infrastructure we would regard as being outside norms. So what do we do? Our arms, our norms. Exactly. So what do we do in that situation? And I want to bring up an interesting point that was made by Elise Thomas, who's ex-ASPI, does a lot of work in disinformation. She posted on Bluesky, well, what if Trump comes in and says China has been. Someone says, China's been stealing a lot of our intellectual property. And he just says, okay, we'll do it to them. Steal their battery tech. And I found that a really interesting thought exercise as well, because you would normally dismiss that as, well, no US president's going to do that. But with Trump, you never quite know. I would imagine there would be just all sorts of insane legal roadblocks to prevent the US government doing something like that. Like, there's no legal mechanism through which they could do something like that. But again, as a thought exercise, it's an interesting thing. What if the United States decides to unburden itself from the norms that it itself has tried to establish over 20 years? And should it do that? Because, honestly, I was thinking, why not, you know, go steal their battery tech?
Alex Stamos
Let's go. All right, so I'm gonna come back to this. But so first off, norms are for the good guys, right? Norms are for setting expectations for rule-of-law countries, particularly those that are emerging and those that you want to keep onside, that you don't want them to tip over into the rule-by-law authoritarian model that is unfortunately emerging, I think, a little too aggressively. And I think it's an opportunity. Right? It's like, this is how we want the world to go, but it's also, there's a lot of mirroring going on here. It's like, we see these other countries and we want to bring them into this side of the fence, and we think that they view intellectual property ownership the same as we do. And I think the reality is, particularly for China, but other countries, they don't see it the same way. There is no differentiation between a civilian-owned infrastructure, privately owned infrastructure, and government-owned. Everything is in part viewed as a tool of the state. It's empowering the weapon, the war machine of the United States. And so that's why everything's on the table. And there's a second element of this too, is just the entire information warfare doctrine is based on two elements. One is the technical aspect. I've talked about this before, but the technical element and the psychological element. And in their doctrine they will hit both and they will have a technical attack that cascades over into the psychological space. And that's a lot, in my opinion and those I've talked to, that's a lot of what the PLA, the Volt Typhoon activity, not going into the military critical infrastructure like Pearl Harbor and the basin, Guam and elsewhere, and even stuff here, but the activity, that second prong that's going after civilian critical infrastructure in the U.S., like water systems, the grid, logistics and transportation. The idea there, of course, is you hit it, you take it down, you keep it off for even just a couple days.
And the current assessments in the US by the intelligence community are that about the best we think our adversaries can do are regional impacts that are temporary. But temporary can only be three or four days and it can only be in a large metropolitan area like Atlanta, Washington, D.C., New York or something like that, and you still will have absolute societal chaos, absolute panic. I will tell you the summer of.
Chris Krebs
'21, Colonial, with people, Colonial, filling up their plastic-lined trays in their trucks with fuel.
Alex Stamos
Yeah, like trash bags, black contractor bags.
Chris Krebs
Yeah.
Alex Stamos
And that was only three to four days, in fact, Colonial.
Chris Krebs
But was that widespread or was that just a few?
Alex Stamos
You know, that was the eastern seaboard of the United States.
Chris Krebs
Yeah, but how many people were panicking versus oblivious, you know, like to what degree was there?
Alex Stamos
So let me put it this way. And I don't know if Florida's a good example, but Florida is not served by Colonial Pipeline. Florida is served by barges. Gasoline comes into the state of Florida by barges and ships. You still had. There was no local tightness at all. There was no supply issue into Florida, and yet you still had people going, filling up every, you know, jerry can they could, in bags, and yet the supply was fine. It created subsequently local tightness because they were pulling gas out of the ground faster than they could get it back in. That shows you, though, that we're all having some kind of mental issues these days, apparently. But it shows you that the societal panic piece is potentially part of the strategy.
Chris Krebs
So we'll get back to the norms in a second. But just continuing on this, then. What does this get China in terms of a military edge in a theoretical January 2028 invasion of Taiwan across the Taiwan Strait? What is it? What advantage is it to them of having people in Kentucky unable to use a telephone and worried about getting gas with their car?
Alex Stamos
So, you know, sometimes you can't win for fighting. Right? And that may be part of the analysis, and that's not exactly how Sun Tzu put it, but nonetheless, right. They've run the analysis. They want to undercut the ability of the US to come to the support of Taiwan, the defense of Taiwan. One of the things you can do is you can hit population centers and clusters in the United States, you can take down critical infrastructure, you can cause panic. Where political leadership is not as much worried about prosecuting a war over there that people in, what did you say, Kentucky don't care about. They're not going to care about Taiwan. They're not. They're going to care about what's happening in their community, in their backyard. The political leadership, the US Congress, everyone is going to be focused on getting the lights back up. And the thing that I think we gloss over a little bit in all these discussions, either because we don't want to go there or it's not polite. But death, loss of life. There will be loss of life. If they pull the trigger and execute these disruption and destruction attacks against critical infrastructure in the United States, people will die. The most obvious example is loss of power and other critical services to hospitals. Mortality rates already, you know, spike due to ransomware attacks. We know that, we have that. We don't talk about it enough for one reason. That's maybe another pod, but we don't talk about these things. But it happens. There will also be other direct consequences outside of public health that will result in loss of life. And that is, I think, the bridge that gets crossed in an MSS or a PLA attack on civilian infrastructure that really sets off political leadership. We have to fix this. We have to fix this now. We can't worry about what's going on over there. And look, I've talked to plenty of U.S. elected officials. Nobody really wants to get involved in this.
I mean, the early estimates of war games are 20,000 plus service members dead in the first two weeks. No one wants that.
Chris Krebs
And I mean, I would have thought actually that, you know, widespread cyberattacks targeting critical infrastructure would make it more likely for the US to get involved, not less. I just wonder if the, I don't know, CCP is doing the numbers. Right.
Alex Stamos
Yeah, I don't, I don't know, you.
Chris Krebs
know, but look, look, look, let's bring it back to the norms thing, right? Because here we have this campaign that is alarming and weird, right. What can you do in response to that? It's not like you can really do the same thing to them. You can't just target a bunch of civilian infrastructure, you know.
Alex Stamos
Yeah.
Chris Krebs
So what can the West, you know, we'll just talk about the West as the Five Eyes alliance, right? 'Cause you're from a Five Eyes country, we're from a Five Eyes country. What can we do in response? We're all friends here.
Alex Stamos
We're all friends here.
Chris Krebs
We are all friends.
Alex Stamos
So there's some things I don't think you can do much about, and that's the telco hacks by the MSS, the Salt Typhoon. That is, as you said, that is just good, clean espionage.
Chris Krebs
It's like OPM, when even people I knew in the community were like, you gotta hand it to 'em, you know. Nice. Yeah, we'd do the same to them, you know, they got us good.
Alex Stamos
And that's the sort of stuff that I think is in the realm of, okay, that's not cyber offense in peacetime, that is, again, that's espionage. And it's important to distinguish that, particularly when we're doing media. This is not an attack, this is a, whatever you wanna call it, a compromise, whatever.
Chris Krebs
Well, and the guidance from the US government since has been, hey, use over-the-top services, let's go with Signal, let's go with this, let's go with that. And I think it's gonna make things like RCS, which is an encrypted protocol for text messages, more popular and whatever. Right. And that's the right response, which is we're not going to stop this. We're not going to lodge a diplomatic protest over this. But here's some behaviors that we can change to make these types of attacks less relevant.
Alex Stamos
Yeah. And right. And the real question is for the average consumer, how much of the content is the concern? Because it's a lot. Right. And yeah, you do blue bubbles on your iPhone or you use WhatsApp or whatever, green bubbles and you'll be okay.
Chris Krebs
Unclean, Unclean.
Alex Stamos
But there's, there is the metadata piece and as you've already pointed out, you throw a bunch of data sets together, you run analysis over the top, and you get really interesting patterns of life that illuminate a lot that they're looking for in terms of deep cover spies, who's talking to their people, fox hunting, which is a big issue that we'll probably hear a lot about again, that we haven't heard about in years. So fox hunting is when the Chinese send over police to go hunt dissidents that have fled China and then they bring them back. And that's something that happens here, that's something that happens in the US, and it's a real problem. I mean, you've heard about these police stations that have popped up in all the different cities in the US and elsewhere that are not, you know, official and, you know, they don't have diplomatic, appropriate certification, endorsement. That's another thing I think we're going to hear a lot about in the next administration. So what do you do about the PLA activity? And that's another one. You know, what about this and what has in the past been deterrable or successful or effective in terms of deterrence? Indictments, sanctions, have they been effective? No. That's what I'm saying is like, I don't know if they have, because odds are, I mean, look, when you look at Russia and you look at the cyber criminals, for the most part, they're not bouncing around. Indictments work for the Com types and the Scattered Spider types that are operating out of Canada, the US, the UK, but does it work if you're in a state that's already, you know, recalcitrant and you're not moving around and you're not going to places that have extradition with the U.S.? So here, I don't know if that's the answer.
Chris Krebs
What's not? I mean, and there is no clear answer, which is why I'm asking you about it. Yeah, well, you know, like, maybe you've got one. Come on, hit us with some ideas, guy.
Alex Stamos
Well, so what I think we're gonna see. And again, people have asked me a lot about what do I think is gonna happen next year with the incoming Trump administration. And let's just cabin it down on cyber right now. First off, I don't know, right? I mean, I talk to people, but I'm not in the short list of candidates for any of the jobs, but I still kind of, I have experience, right? So I think the way I look at it is the floor of what they will do. And again, just talking about cyber, is what they did, what we did, in the last administration. So it's more aggressive cyber operations. It was, yes, standing up CISA and there were other things, of course, and then the ceiling is likely what is in the intelligence community, Department of Defense and Homeland Security chapters or sections of the Project 2025 report. And they're very clear. I mean, in fact, I'd say the intelligence community section of Project 2025 is actually pretty well written. And there's, I mean, this is, I.
Chris Krebs
mean, this is something that we've discussed, you know, offline, which is that the tone and quality of what's in that document is somewhat uneven.
Alex Stamos
Yeah, well, I mean, look, there's. It was not written with one voice, let's just put it that way. Right. And that's what happens, I think, when you get policy documents where the planks are written by different people. And look, you just kind of have to wade through that. But in the intel piece, they do talk about strengthening offensive cyber operations. And one of the first things they would do is go back to National Security Presidential Memorandum 13, which was written at the end of the Obama administration, then updated in the Trump administration.
Chris Krebs
And that got wound back, wasn't it?
Alex Stamos
It got scaled back, yes, as I.
Chris Krebs
understand, because of the State reporting, the State Department was a little bit unhappy.
Alex Stamos
So here's the thing, so why don't.
Chris Krebs
we explain NSPM 13.
Alex Stamos
So it's the offensive cyber operations doctrine. It's a classified document, so I can't talk about the bits and pieces and the nuts and bolts of it, but really, and to your point about norms, one of the continuous tensions is when you think about cyber operations, it's not like you press a button and a server blows up in Tehran or something at the outskirts of Moscow goes boom. The way that we know these guys operate, and we saw it in the 2016 messing around in the US election, is they use third-party infrastructure, you know, bulletproof hosting providers, that they'll use servers and operational relays in other countries that tend to be friendly to us, like Europe and probably even here. So the idea is if Cyber Command is going to go conduct an operation to degrade command and control infrastructure of the Russians or the Chinese or others, what do you do when that server, where that kit is sitting, is in Germany? Do you call Germany and say, hey, we're gonna go destroy this, or do you just do it and then you ask for forgiveness later? Why did you just not do anything?
Chris Krebs
And that was the core of sort of Trump's changes to NSPM 13, which was to unshackle, you know, Cyber Command, say, and let them go and do the thing instead of, you know, being tied up.
Alex Stamos
That was one of them on the SPM side. But the other hallmark of Trump offensive cyber operations in the last time around was this concept of persistent engagement, right? Defend forward, get out there, move the line out from the shores. And so that's where you saw Cyber Command teams, National Cyber Mission Force teams deploying into Europe, into Ukraine, for instance, getting on network of critical infrastructure and government agencies happening here, and not in Australia necessarily, but in the region. Same sort of thing, deploying into, you know, places like Taiwan or whatever to give support. And that's good for a couple different reasons, right? One, it helps defend those networks, it helps improve the resilience. It also gives us really exquisite insight into what the adversary is doing, what they're probing, what they're testing, what they're prioritizing before they come hit US networks. And in preparation of the 2020 election, there were teams that were deployed out that were helping defend elections in Europe. And we could see what the Russians were going after. They were going after election voting rolls, so registrations, as well as some of the reporting, how you report out what the results are. And so we were able to take that knowledge from Cyber Command, come back to the us, Talk to our election officials and say, hey, if you've got one last dollar to spend, you want to put it on these systems or at least those that provide that service and harden them, because that's what we know the bad guys are going after. So it's really useful. But to the bigger point here is, you know, if the contractor is operating out of Beijing, that's providing support to the PLA or the MSS rather than elsewhere, it's probably an easier target to go after to degrade those capabilities in that infrastructure. If it's operating elsewhere, Philippines, somewhere else, I don't know, you know, how are we going to play those rules? 
I suspect that we are going to be a lot more kind of Leeroy Jenkins-ish on this stuff.
Patrick Gray
Leeroy Jenkins.
Chris Krebs
And, you know, part of it is, are we done playing nice?
Patrick Gray
Yeah, no, I'm with you. I mean, I was wondering where you were going with that and why we were talking about NSPM 13 in the context of what do we do about some of this, you know, PLA based activity and, you know, taking the gloves off a little seems pretty sensible.
Chris Krebs
There's a second part of this though.
Patrick Gray
But I mean, even then, even when you're talking about taking the gloves off. Right. If you were to sit down with some PLA general and say, this is us taking the gloves off. What, going after our C2s in third countries is gloves off? Yeah, like it's pretty timid, even. That is pretty timid. But it does give you a better shot at degrading some of the adversary's ability to attack. Right. What do we hear the word? They love friction.
Chris Krebs
Yeah.
Patrick Gray
It adds a bit of friction, you know. Yeah.
Chris Krebs
And look, I mean, there are pluses and minuses on this type of activity.
Patrick Gray
What's the minus?
Chris Krebs
The minus is you lose visibility. You go burn down their C2 and it's gone. They have to rebuild it. You might not see where they rebuild it until a year later. You're like, oh, damn, they're in our telcos again. How'd that happen? Yeah, it's stuff like that. It's like the jump scare. The pluses of course are the. It makes them spend time on reconstitution.
Patrick Gray
Yeah.
Chris Krebs
It makes them spend time on building up new things rather than actually launching the attack.
Patrick Gray
It is disruptive. I mean, if you've got all of those beautiful shells and all of that beautiful malware out there, you know, it's cumulative. If you treat it like mowing a lawn, you know, you're going to prevent that situation where there is just as much compromised out there at any one given point in time.
Chris Krebs
So. Yes, and so this is. I'm glad you kind of put it that way because as I think about the missing piece right now, it's not so much, I think, the offensive pressure on the adversary. And this is kind of the message that I bring when I go talk to boards is, hey guys, government's not going to save you. In fact, you keep clamoring for more intelligence and more classified information. It ain't there. Like they are sharing in the U.S. Here, I've talked to your security leadership. They're sharing. If there's something that's actionable, they get it out post haste, it's out there. Now, maybe some of the strategic intelligence isn't getting shared with great speed or frequency, but that's not going to change any decision making for most security leadership or even business leadership. So this is where I get to the point about, you know, historically in the kinetic space, the private sector didn't have to worry too much about war. Right. I mean, Australia and the US have a lot of similarities in terms of our geographic isolation. We have big old oceans around us that deter or at least limit the ability of our adversaries like China or Russia to reach out to us.
Patrick Gray
And if anyone wants to get to you, they gotta go through Canada first.
Chris Krebs
The 51st state, apparently. Yeah, watch out, maybe 51st and 52nd. But look, I mean, those things have been historically beneficial to both of us, but now with everything being connected, the democratization of the Internet has collapsed the geographic distances between us and allows somebody on the other side of the world to just reach out and touch and go bing.
Patrick Gray
Yeah.
Chris Krebs
And that's where I think corporate leaders have to evolve to what we have known for a long time: that this is the new battlefield, that this is where the first indicators and warning of conflict are going to pop up. It's on the systems that you guys manage on a regular basis. The business leaders have to recognize that, that they have a social and corporate responsibility to invest, to provide the support and resources needed, but also realize that there's got to be some baseline where corporate has to pick up the slack because the government's already doing all this other stuff that is way beyond the remit.
Patrick Gray
Sure. I mean, there should be a baseline. Right? There should be a baseline.
Chris Krebs
You don't leave your front door open. Right. There's an environmental level of crime, there's an environmental level of bad activity. And it happens in the real world, meatspace, but it also happens here. And I think that's what the conversation has to continue to drive. And that goes back to my point about. Stop talking about typhoons. Plain language war. They're preparing again, I don't know. And I don't know if. I mean, Dmitri has his opinions and, you know, he tells a compelling story. His book does a good job, I think, of laying out the case. I don't know from. I can't wrap my brain around the economic side of this. All of why Xi would hit the green button and go.
Patrick Gray
It's not economics.
Chris Krebs
No, no, that's my point. Yeah, that's a consideration. There are a bunch of other political legacy and others that would override and overshadow the economic piece. But it doesn't matter. It doesn't matter if he says go or not. It's an option that is real. We can't just sit here and go, ah, he's never gonna do it.
Patrick Gray
Oh, 100%. Although we don't know. We don't know what the impact of this campaign would be. I mean, we were expecting, you know, when Russia invaded Ukraine, we were expecting a level of cyber war that was going to be crippling that never quite materialized. Now there's.
Chris Krebs
Oh, man.
Patrick Gray
Well, okay, so.
Chris Krebs
Well, hold on. No, all I'm saying is that like that's a third rail issue. Back on the old Twitter days, there are plenty of people that would say, no, no, no, it was critical. It was an absolute strategic enabler for the Russian forces. And you and I agree here that it was probably more tactical. It certainly wasn't strategic. It didn't change the outcome.
Patrick Gray
It did not. You know, and I think someone, I can't remember who it was, so forgive me, they posted on social media recently. I retweeted, I think it was Wiley Newmark tweeted that, you know, anything outside of espionage in cyber is basically a sideshow. And I think there's a compelling argument that that's true, but we don't know yet because we haven't seen it. When a country like China pulls the trigger on something like this. And one of the differences between China and Russia is that China has figured out how to do operations at scale. Russia hasn't.
Chris Krebs
I know that's right. Well, and the other thing is, I said this yesterday in Brisbane. And so I'm sitting there at QUT and looking out. We're on the 20th floor or something, looking out across the river and seeing all these gorgeous modern buildings and next to the heritage buildings, which is just such an odd but gorgeous, beautiful juxtaposition nonetheless, there are all these glass buildings. And it kind of highlights my point. I was like, we have some pretty glassy houses. We are so dependent upon digital infrastructure that may not exist in other theaters of conflict to date. And so when the light goes red, you're going to see manifestations, I think at scales we haven't. At a scale we haven't seen before. And that's your point. Like China has scale, they've scaled operations. This is like Chris Wray, director of the FBI, talks about the 500,000 plus cyber operators that China has amassed across the various.
Patrick Gray
If only, Chris. If only there was some recent example of say, a whole bunch of computers getting bricked at once.
Chris Krebs
I think we did a podcast that could.
Patrick Gray
That was fun.
Chris Krebs
I don't know if I'm in. Well, I mean, look, I think as a.
Patrick Gray
Was it chaos reigning? All of our digital infrastructure ruined? I mean, you know, China would be hard pressed to do anything that high impact, I would think.
Chris Krebs
But it, but that kind of hits my point, right, about the ability to impact. That was global, so not just regional, that was a global. But it was also. It was temporary, but it was highly Disruptive.
Patrick Gray
It was, but it was for most people, it was a curiosity. Like, oh, computers are down, huh?
Chris Krebs
Wow.
Patrick Gray
Blue screens on my supermarket checkout.
Chris Krebs
Oh, computers are down? No, no, no.
Patrick Gray
Well, that's how it was here. I don't know, man.
Chris Krebs
All right, well, look, I mean, I'll.
Patrick Gray
Were the US Americans filling up the bags of the passing.
Chris Krebs
Maybe you're.
Patrick Gray
I mean, we're allowed people. What can I say?
Chris Krebs
Maybe your airlines were not as affected because they were using a different EDR vendor. I don't know.
Patrick Gray
Was it you got stuck at the airport?
Chris Krebs
No, I did not. It was funny. I was in Vancouver, Canada for an event and it happened Thursday night, right before midnight. And my phone's on Pacific time, my phone's blowing up and I'm just like, oh my God, I want to go to bed now. I got to deal with this. And then I got up and we were flying back on Friday the 19th. And no issues because the airline I flew did not use that EDR vendor.
Patrick Gray
Hey, look, I just want to go back to talking about one thing, one aspect of the whole China conversation that's really dropped off. Now, I mentioned earlier the APT1 report.
Chris Krebs
Yeah.
Patrick Gray
Stick your hand up if you know what that report is. I'm guessing... See, this is the thing lost to the sands of time.
Chris Krebs
Eleven years ago is a long time. It is.
Patrick Gray
So this was a report put out by Mandiant that directly attributed Chinese IP theft to Unit 61398 of the PLA. Yeah. And they had pictures of the building, they had pictures of the operators. I mean, this was the first time anyone had done anything like this. And it was absolutely a sensation.
Chris Krebs
Dropped it at RSA 2013.
Patrick Gray
Yep. So APT1. And I mean, it was. Even the details on the amount of connectivity running into that building and the utilization of those links.
Chris Krebs
Like the awesome.
Patrick Gray
It was amazing. Like the amount of IP that was just getting hoovered up. And this was like industrial stuff, right? Like, this wasn't even IP that was related to national defense, where I think IP theft relating to defense related technologies, again, is justifiable. If I'm China, I want to know about the latest stealth coatings. I want to know about various, you know, electronic warfare systems that are being developed by the military industrial complex in the United States.
Chris Krebs
Put their entire shopping list. Here's the beauty.
Patrick Gray
Well, hang on, hang on. There's a question. Okay. Right. So the question is, has that industrial espionage side of the IP theft? You don't hear about it as much anymore. You know, Chinese operators stealing things like wind turbine designs and stuff that doesn't have national security uses. Right. So we don't hear about that as much anymore. We do hear about IP sort of being misappropriated in a lot of these joint ventures where western companies are going into China and then sort of their IP gets transferred through these, you know, partnerships. But we don't hear much about that type of IP theft anymore. Do you have any sense of what's happened to the volume there and the priorities?
Chris Krebs
So volume's hard to. I don't know if I can speak to the volume necessarily. But you make an interesting point about kind of the dilution at least because they have other techniques. And there was a. This was like 2018. I'm at. This is right before CISA. I'm still just, I'm DHS and I go up to the NSA and there's this group the Emerging Security Framework and Enduring Security Framework. Sorry, it's a DHS, NSA and industry collaboration on identifying really thorny problems and working together. Solving BIOS back in the day was probably the biggest success story. But there was an FBI briefer that came up and threw this hub and spoke model up that had 12, 13 or whatever different spokes on the wheel. And each wheel was. Or each spoke was labeled and one of them was cyber, the other is M and A, the other is non-traditional collection. And it just kept going around and it was classified at the time. And I started thinking about it as either the wheel of death or the wheel of doom. And it's just the cheery, yeah, no, it's lovely. And first thing I said is like, why is this classified? We have to get this out for counterintelligence purposes out to our corporate leaders, and the FBI subsequently declassified it and it's open source and they've got it all over the place. Specifically when they talk about China counterintelligence. But they've got this multipronged approach and it's even going out and recruiting those that have family ties back to China. And they say, hey, I got your grandma here, you should bring that intellectual property back. Or she's going to her education camp. These things happen.
Patrick Gray
But has the shopping list changed?
Chris Krebs
So again, okay, so this is kind of where I was going earlier. Is that the beauty of China is that they're not shy.
Patrick Gray
They tell you, yeah, in their five year, 30 year plan, whatever plan and.
Chris Krebs
How they're doing it. And this is why we have some China experts and specialists like Dakota Cary, who works closely with, I think, an Australian national treasure, Alex Joske. But they read constantly, everything's out there. And so when you look at things like it's dated now, but the industrial policy gives them that targeting list. And the classic Made in China 2025 plan, which I'm like, ooh, that's next year, gives you the 10 priority sectors that they want to go after. And yeah, they still use cyber collection to go get intellectual property in advanced materials. AI. I mean, they're banging all.
Patrick Gray
But isn't this all stuff that has national defense purposes as well? So, AI for national defense. Yeah, I mean, exotic materials for military hardware.
Chris Krebs
It's all dual use. Yeah, yeah, yeah, for sure.
Patrick Gray
But it seemed like previously they were just going after anything that wasn't nailed down. Right.
Chris Krebs
So I still think they are. All right, so this is an interesting point. Right. It used to be that China was viewed as just the steal everything group. Right. Just the Hoover vacuum.
Patrick Gray
That's APT1 era.
Chris Krebs
Is Dyson Australian?
Patrick Gray
No, British.
Chris Krebs
All right, so just like, just go get everything, steal everything.
Patrick Gray
You just offended so many British people with that. But anyway, sure.
Chris Krebs
So anyway, now it is much more targeted. But the most worrisome aspect about it is the disruptive and destructive nature of the broader set of activities. Not necessarily the MSS stuff, but that the overarching campaign has evolved beyond just stealing everything. Now it's about pre positioning. And, you know, I've said it before, but it's like the arc of offensive cyber inevitably bends towards disruption and destruction. And I think that's what we're seeing now, at least.
Patrick Gray
Well, we've even seen their collection operations get very destructive. Right. So there was the Barracuda example, where they were in a whole bunch of Barracuda email gateways.
Chris Krebs
Yeah.
Patrick Gray
And then when it was announced that that campaign was, you know, detected.
Chris Krebs
Yeah.
Patrick Gray
Instead of packing up and going home, they burrowed in deeply and wound up, you know, essentially bricking a lot of these devices.
Chris Krebs
Well, they. Yeah.
Patrick Gray
Which isn't, you know, again, but that's norms. But how much we're gonna dig in, we're gonna keep this access. It's like, you don't do that. Come on.
Chris Krebs
Yeah, but some of that you just. Also reminiscent of the GRU too. It's like, whoops, didn't mean for that to happen. Didn't mean to jump the guardrails there. But it's also not necessarily net new. It's just in point of emphasis now. It is a main priority. They've elevated it because in 2013, we had the Chinese come into natural gas companies, the pipelines and compressor stations, steal network schematics and then pull a Keyser Soze and they're just gone. Nick never saw him again. I was like, what the hell was that? What were they doing there? And now it's like, oh, got it. All right, so those pipelines lead to power generation, so it's baseload generation feeders. And you kind of walk it out and you're like, oh, all right. So they're trying to disrupt the power grid or they're trying to disrupt the energy systems in the US and they've been working it now for a decade plus. Now it's just a targeting priority for them.
Patrick Gray
We are out of time and we've got a Q and A to get through, so. Chris Krebs, thank you so much for joining me for this conversation.
Chris Krebs
Fascinating stuff as always, Pat. It's been real. It's good to be here in person.
Podcast: Risky Business
Host: Patrick Gray
Guest: Chris Krebs
Release Date: December 13, 2024
Patrick Gray opens the episode by introducing the focus on Chinese cyber operations. Recorded live in Sydney, Australia, the episode is a one-on-one conversation with Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States. Gray notes that the recording carries a few rough edits because he was still recovering from illness, then sets the stage for an in-depth conversation about China's evolving cyber threats.
Chris Krebs provides a comprehensive overview of the last two decades of Chinese cyber operations. He outlines the transition from informal hacktivist activities to a more structured and state-backed approach, from the PLA-driven intellectual property theft exposed in Mandiant's APT1 report to the rise of the MSS.
The discussion delves into specific Chinese cyber campaigns, notably Salt Typhoon and Volt Typhoon.
Notable Quote:
“We watched China develop and formalize its cyber capability... They've got the MSS... operating in a way that completely outside norms.”
— Chris Krebs [03:54]
Chris Krebs critiques the terminology used to describe Chinese cyber operations, arguing that labels like "Typhoon" obscure the severity and distinct objectives of different campaigns. He emphasizes the necessity of using plain language to convey the threats to policymakers and the general public.
Notable Quote:
“Norms are for setting expectations for rule of law countries... Everything is in part viewed as a tool of the state.”
— Chris Krebs [17:04]
Gray and Krebs analyze the potential impact of Chinese cyber operations on U.S. infrastructure and national security.
Notable Quote:
“They want to undercut the ability of the US to come to the support of Taiwan... causing panic.”
— Chris Krebs [20:58]
The conversation shifts to potential defensive strategies and the effectiveness of current measures.
Notable Quote:
“Corporate leaders have to evolve... there's got to be some baseline where corporate has to pick up the slack...”
— Chris Krebs [36:34]
In the closing segments, Gray and Krebs reflect on the future landscape of cyber threats and the necessary evolution of defense strategies.
Notable Quote:
“China has figured out how to do operations at scale. This is something that we've discussed offline... and it's just an overarching national campaign.”
— Chris Krebs [39:09]
The episode concludes with final thoughts from both, reinforcing the urgency of addressing Chinese cyber threats and the pivotal role of both government and private sectors in fortifying defenses.
This episode provides an insightful exploration into the complexities of Chinese cyber operations, emphasizing the need for cohesive strategies between government bodies and the private sector to mitigate emerging threats. Listeners gain a nuanced understanding of the strategic objectives behind state-sponsored cyber activities and the imperative for adaptive and resilient defense mechanisms.