Wide World of Cyber: SentinelOne's Chris Krebs on Chinese Cyber Operations
Podcast: Risky Business
Host: Patrick Gray
Guests: Chris Krebs, Alex Stamos
Release Date: December 13, 2024
1. Introduction and Context
Patrick Gray opens the episode, recorded in Sydney, Australia, by introducing its focus: Chinese cyber operations, discussed with Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Because Patrick is recovering from illness, the introduction is kept brief, setting the stage for an in-depth conversation about China's evolving cyber threats.
2. Evolution of Chinese Cyber Threats
Chris Krebs provides a comprehensive overview of the last two decades of Chinese cyber operations. He outlines the transition from informal hacktivist activities to a more structured and state-backed approach:
- 00:07 - 03:09: Krebs details how China initially relied on nationalist hacktivists, gradually formalizing their cyber capabilities under state control, particularly within the People’s Liberation Army (PLA). The pivotal APT1 report by Mandiant exposed significant intellectual property (IP) theft, leading to temporary diplomatic pushback from the Obama administration.
- 03:09 - 05:36: Krebs explains the rise of the Ministry of State Security (MSS), which took over traditional intelligence roles, causing the PLA's cyber activities to recede briefly before resurging with more sophisticated operations like Volt Typhoon.
3. In-Depth on Specific Cyber Operations
The discussion delves into specific Chinese cyber campaigns, notably Salt Typhoon and Volt Typhoon:
- 05:36 - 12:18:
- Salt Typhoon involves intrusions into U.S. telecommunications companies, aiming to gather intelligence by accessing wiretap systems and metadata to uncover FBI surveillance details.
- Volt Typhoon represents a more aggressive PLA-driven campaign targeting critical infrastructure, raising alarms among policymakers.
- Krebs highlights the distinction between espionage-focused activity (Salt Typhoon) and pre-positioning for disruptive operations (Volt Typhoon), emphasizing the latter's potential to create societal panic and infrastructure paralysis.
Notable Quote:
“We watched China develop and formalize its cyber capability... They've got the MSS... operating in a way that is completely outside norms.”
— Chris Krebs [03:54]
4. Challenges of Defining and Responding to Cyber Norms
Alex Stamos critiques the terminology used to describe Chinese cyber operations, arguing that labels like "Typhoon" obscure the severity and distinct objectives of different campaigns. He emphasizes the necessity of using plain language to convey the threats to policymakers and the general public.
- 15:30 - 25:25:
- The conversation explores the concept of cyber norms, with Krebs quoting Tom Uren on their limited influence: “norms are just created by people to explain how they want things to be.”
- Stamos underscores that while espionage might be within acceptable state behavior, destructive attacks on infrastructure are clear breaches of these norms.
- They discuss the hypothetical scenario where a U.S. administration might abandon established norms, leading to unchecked cyber aggression from China.
Notable Quote:
“Norms are for setting expectations for rule of law countries... Everything is in part viewed as a tool of the state.”
— Alex Stamos [17:04]
5. Implications for U.S. Defense and Critical Infrastructure
The guests analyze the potential impact of Chinese cyber operations on U.S. infrastructure and national security:
- 20:02 - 41:27:
- Stamos outlines how cyberattacks could cripple critical infrastructure like power grids and transportation, causing societal chaos and undermining public trust.
- They reflect on past incidents, such as the Colonial Pipeline disruption, illustrating how localized panic can ripple into broader national crises.
- Krebs raises concerns about China’s preparation for a possible invasion of Taiwan by 2027, suggesting that cyber operations are a strategic component to weaken U.S. support mechanisms.
Notable Quote:
“They want to undercut the ability of the US to come to the support of Taiwan... causing panic.”
— Alex Stamos [20:58]
6. Strategies for Defensive Measures and Counteractions
The conversation shifts to potential defensive strategies and the effectiveness of current measures:
- 25:25 - 37:17:
- Krebs and Stamos debate the efficacy of U.S. responses, such as indictments and sanctions, noting their limited impact against state-sponsored actors.
- They discuss National Security Presidential Memorandum 13 (NSPM 13) and the concept of persistent engagement, advocating for proactive and aggressive cyber operations to disrupt Chinese capabilities.
- Stamos highlights the importance of corporate responsibility in cybersecurity, urging businesses to adopt robust defensive measures as government defenses alone are insufficient.
Notable Quote:
“Corporate leaders have to evolve... there's got to be some baseline where corporate has to pick up the slack...”
— Alex Stamos [36:34]
7. Future Outlook and Conclusion
In the closing segments, Krebs and Stamos reflect on the future landscape of cyber threats and the necessary evolution of defense strategies:
- 37:17 - 49:46:
- They anticipate an escalation in cyber activities by China, predicting more sophisticated and widespread disruptions.
- The discussion touches on the limitation of current defensive measures and the need for a unified, robust response across government and private sectors.
- Krebs emphasizes the importance of maintaining resilience and adaptability in the face of evolving threats, while Stamos calls for clear, actionable policies and industry collaboration.
Notable Quote:
“China has figured out how to do operations at scale. This is something that we've discussed offline... and it's just an overarching national campaign.”
— Chris Krebs [39:09]
8. Audience Q&A and Closing Remarks
The episode concludes with final thoughts from both guests, reinforcing the urgency of addressing Chinese cyber threats and the pivotal role of both government and private sectors in fortifying defenses.
Key Takeaways
- Chinese Cyber Evolution: From hacktivist roots to state-backed, sophisticated operations targeting IP and critical infrastructure.
- Operational Distinctions: Differentiating between espionage activities (Salt Typhoon) and disruptive campaigns (Volt Typhoon) is crucial for effective policy response.
- Cyber Norms: Current norms are insufficient to deter state-sponsored destructive cyber activities, necessitating a reevaluation of defensive and offensive strategies.
- Corporate Responsibility: Businesses must adopt stringent cybersecurity measures as part of national defense, complementing government efforts.
- Future Threats: Expect increased scale and sophistication in Chinese cyber operations, emphasizing the need for proactive and unified defensive mechanisms.
Notable Quotes
- “We watched China develop and formalize its cyber capability... They've got the MSS... operating in a way that is completely outside norms.”
— Chris Krebs [03:54]
- “Norms are for setting expectations for rule of law countries... Everything is in part viewed as a tool of the state.”
— Alex Stamos [17:04]
- “Corporate leaders have to evolve... there's got to be some baseline where corporate has to pick up the slack...”
— Alex Stamos [36:34]
- “China has figured out how to do operations at scale. This is something that we've discussed offline... and it's just an overarching national campaign.”
— Chris Krebs [39:09]
This episode provides an insightful exploration into the complexities of Chinese cyber operations, emphasizing the need for cohesive strategies between government bodies and the private sector to mitigate emerging threats. Listeners gain a nuanced understanding of the strategic objectives behind state-sponsored cyber activities and the imperative for adaptive and resilient defense mechanisms.
