[01:38] Chris Krebs of the Krebs Stamos Group
Rachel: We have Chris Krebs who's a founding partner of the Krebs Stamos Group. He served as the first director of the Department of Homeland Security Cybersecurity and Infrastructure Security Agency known as CISA. Welcome back to the podcast, Chris.
Chris: Good to see you again, saw you a few weeks ago down in Florida or was that Georgia?
Eric: Yes, it’s a brief conference. Chris, is it CISA or CISA?
Chris: I try not to be pedantic about this, but, as the person that came up with the name, it’s CISA.
Eric: I get confused because you hear it both ways and I'm like, "Wait a minute. What did CISA say?"
Chris: Try to have some sort of consistency across government agencies.
Eric: We've got the DoD and then the Homeland piece. CISA and DHS are part of the intelligence community down there.
Chris: There is a part of DHS, the intelligence analysis function, but CISA is not a member of the intelligence community. We would have some attachments or detailees. That's actually a point of discussion within the policy circles and on the hill whether CISA should become part of the IC. They've got more opportunity to excel in the open-source space more than probably any other agency in the federal government.
When you think about the information ecosystem right now, just how it's exploding, that classified piece is proportionately shrinking compared to proprietary and open source. CISA needs to really focus on growing its understanding and enrichment and contextualizing of that open source space.
Eric: We were doing an exercise and you were the national security advisor.
Chris: Sue Gordon, the former deputy national intelligence, director of national intelligence was the president. I had the honor to serve as her national security advisor. There was a big ransomware scenario, but it was a lot of fun.
Eric: I was in the intelligence group. We were going through this ransomware exercise and what you would do next. I threw out a suggestion. Someone said, "We're working with CISA on this. We need to inform CISA and let them know what we're seeing." I said, "We also need to inform the industry of what's going on as the IC." And I got these two people just whipped their heads around and said, "CISA is the IC." I backed up, I was like, "Okay. I was out. Got it. We're going to inform."
Chris: I remember that and I said, "Well, wait a second. Aren't you going to have CISA make those notifications to the private sector?" It's another one of those really interesting policy discussions from the government perspective. There's a lot of value for a range of different agencies to engage with the private sector. But from the private sector perspective, it gets really confusing.
It gets very complex and becomes a drain of resources when you think about, "Okay, I need to call the FBI. I need to call CISA. If I'm energy, I need to call the Department of Energy. I need to call the NSA." One of those areas where there's a lot of room for improvement and simplification from a government perspective is to streamline the government engagement process.
Chris Krebs Is a Homer for CISA
Chris: I'm always obviously a homer for CISA and CISA should be that front door. But honestly, until the president of the United States says, "This is how private sector engagement is going to work with the government," you're going to continue to see that kind of equity battle.
It was always funny to me when I would testify in front of Congress. I've seen this happen to Jen Easterly, my successor and then Chris Inglis who's the national cyber director and senators and Congress members would say, "Who's in charge of cyber," and I would always be like, "Why are you asking me? You make those decisions, not me."
Eric: Well, I took the cowardly approach and I punched out. I said, "Okay, as long as somebody notifies, works with industry, and owns it, I'm out." I readdressed it with the two individuals the next day in a joking fashion but it was not a fight I felt like fighting.
Chris: Nonetheless, it was a fun exercise. Those tabletop simulations are really valuable particularly when you have really thoughtful people in the same room. Test some assumptions that we all have on how things work. Throw out some envelope, bleeding edge type recommendations that can help inform the policy discussion.
When I was in the role at CISA, I’d just ravenously consume podcasts and articles and podcasts like this. I never thought about it that way, maybe we can test that. Test some of our assumptions and come up with really well-rounded, well-tested 360 degree almost proof policy concepts.
Eric: The example on pineapple pizza. There's some really creative stuff that we saw come out of CISA and still does. People were in different roles. We had senior former government officials leading the groups.
Chris: You had currents too. Rob Joyce from the NSA was there, Jen Easterly was there, playing the assistant director role.
Eric: You may have been in the CISA group with Jen having never worked with DHS or CISA. You may have been an IC person or you might have been from industry. Just seeing the way the machine works today and the way people think about it. It was a relatively simple, modern-day exercise going through ransomware attacks hitting America and some critical infrastructure. I won't go into a ton of detail, what do we do?
What will the different groups across America that are responsible do? How do they handle it? What is CISA's role? What's the intelligence community's role? How does the DoD or the industry handle it? Chris and Sue Gordon were up on stage as the president and the national security advisor. They weren't allowing any lightweight answers or any slack there. It was great but you got different perspectives into the way the government works. I thought it was an immensely beneficial exercise.
Chris: It's a great conference too, Suzanne Kelly and the Cipher Brief threat conference every year down at Sea Island, Georgia. Pound for pound, when you think there may be a couple of hundred people there, just the caliber of senior officials that attended. I've been going to it for a few years. What's interesting is, we all appreciate here in this community but years ago, it was more about traditional espionage, human intelligence, CIA, SVR-type battles, intelligence, and counterintelligence.
[09:43] The Misfit Toy
Chris: The bulk of the discussion this year was cyber. It's a great development. We've been the misfit toy, so to speak, in the national security community, at least the front half of the last decade. But things have absolutely shifted. This is where the dialogue is, this is where the conversations are on the hill. And this is where the funding is going on the hill. Now granted, they're still going to invest in aircraft carriers, in F35s, but cyber is coming into its own.
I hope that we can continue to push this discussion. Broaden the aperture beyond just like cyber command is here to save the day. We're not going to attack our way out of this problem. We have to have a more meaningful defensive conversation, regulatory conversation, diplomatic conversation. It's a really complex space and it ain't going to get any better anytime soon, by the way.
Eric: I might argue, it's only going to get worse.
Chris: This is the rhetorical trick I do in some of my speaking engagements. But I say, "Close your eyes, think five years in the future. Are you going to have more connected devices in your home, in your work environment, in your car, in your person?" William Gibson described it, cyberspace. Neuromancer has unthinkable complexity. That is going to be the playing field for the rest of human history.
The digitization movement is here to stay and it will only expand whether we're talking about devices or data. We have to get out of yesterday's battles and be thinking five years in the future about how to address these risks. It's not about eradicating risk. It is about managing risk.
Don’t Only Survive but Thrive
Chris: It’s about operating, accepting the fact that we're operating in, effectively, a contested space. How do you not just survive but thrive in that ecosystem.
Eric: This goes to some of what you were saying in a recent Breaking Defense article. The more connected we are, that's me, not you. But that means the adversaries have more opportunity. The attack surface has expanded and we have a significant advantage. But I'd also say we have the most significant disadvantage, we're the most connected society out there.
Chris: This is the glass houses problem. We may have the biggest rocks but we've got the glass houses. There’s a Breaking Defense article that came out after the cyberwar conference here in DC that a few bubbas put together. John Hultquist is the ringleader there. They do a great job pulling together what the threat landscape looks like. He asked me to keynote it.
I'm sitting there going like, "Okay, these are like the top threat researchers both academic and industry in the world or at least in the country." But yes, there's a fair representation from Europe there and Asia. I was like, "What am I going to say to these guys that they don't already know?" So I tried to make a pivot here and talk more about the trends that I'm seeing, what I saw at CISA.
I've been spending the last year since my termination tweet, traveling around the country. Talking to CEOs and CISOs and boards and experts at the Cipher conference. There are three trends I'm coming away with. The third one I usually talk about is that the sophisticated adversaries are pivoting towards disruptive capabilities.
Don’t Listen to Chris Krebs
Chris: Don't listen to me, look at this CISA FBI alert from this summer. They talked about Chinese state-sponsored actors, they were targeting US natural gas pipelines. There’s a line in that alert that I always talk about. It could set the hair up on the back of your neck.
It's about how they're looking to hold our critical infrastructure at risk. Overlap that alert in that one line with what you're seeing right now in Taiwan, in the Strait of Taiwan. That increase in tensions between mainland China and the Chinese Communist Party in Taiwan and how the US is involved and if that ever went hot, I would assume a first strike package would include disruption of domestic critical infrastructure here in the US.
They may go after defense, industrial bases like in Peter Singer's Ghost Fleet book. But they're also going to start hitting that core infrastructure that would disrupt the ability of the government to sustain itself. If this was to happen in the middle of winter and you shut down natural gas pipelines particularly in the Midwest in the dead of winter, that's a problem.
You're going to see the US government resources have to pivot focus to restoring operations. That's a significant area of concern for me. Never mind the fact that, yes, we talk about China, Russia, North Korea, and Iran all the time. But we go back to that massive digitization and that massive connectedness problem. Every single government on the face of this earth is developing some espionage capability, some domestic surveillance capability, some likely financial criminal infrastructure. That's how North Korea gets by.
The Spheres of Influence
Chris: Lastly, the ability to disrupt technical operations in the spheres of influence. This is not just us, but the Gulf region. It’s going to be throughout Asia, so it's a significant area of concern. Every board member, every executive has to be thinking about cyber, not just as a technical risk but as a business function risk, like Colonial.
IT shutdown leads to an operational shutdown and you're not shipping refined fuel products. I'm sitting here in DC. I don't know what it’s like up in Maryland, but in Alexandria, Virginia, you couldn't get gas for a few days.
Eric: Fortunately, I'm working from home and not driving very much. I'm in the office today, I'm doing 50 miles a week. I didn't need gas during that window. It was available in Maryland but it’s definitely something people were talking about.
Chris: That’s a really interesting point. It's not just about the actual disruption, it's the psychosocial impact. Panic buying. There are runs on gas in Florida. Colonial Pipeline does not feed Florida. The gasoline is brought into the state of Florida by barge. And yet, the panic buying is like toilet paper at the beginning of COVID. That sparked runs on gas. What happened is just like in hurricane season. People are pulling gas out of the ground faster than the refuel trucks can put it back in.
Eric: We had people who were filling plastic bags with gas. It's definitely going to be a problem. I don't know what the answer is. I've spent a lot of time thinking about it. We know that before things go kinetic, when there are geopolitical situations. Most nation-states have, at least, the option to lead with cyber. They have the options.
[18:20] Chris Krebs Has Seen Smaller Scale Activities
Chris: It will absolutely be part of an options package. For 20 years now we've heard about Cyber Pearl Harbors. Cyber 9/11 hasn't happened. You have seen smaller-scale activities. The Russians turned out the lights in Ukraine in 2015 and 2016. You'll see those local disruptions.
Part of this is to change the decision calculus of the adversary. If you can start turning the lights out, even if it's localized or regional, even if it's short-term, that will influence a decision-making process when you're looking to project force.
Rachel: It's good to have an honest conversation about the landscape. You need to know what you're dealing with if you're going to try to move forward.
Chris: That's part of it and the joke that I make and Alex Stamos, my partner, maybe there's like an Eastern philosophy that says effectively if you accept your mortality, you make a different set of decisions. And that's okay. If you can accept the fact that this is a contested environment, that you will be targeted, that you may be part of a game plan then you make different decisions. You can focus on resilience. Like, "I'm going to get hit, how do I restore operations? How do I investigate, how do I mitigate, how do I recover and get back up and running?"
That's the necessary transformation in risk management decision making. Let's get away from the perimeter and move towards that layer of defense. Whether we're calling it zero trust or assume breach or whatever it is. That's exactly the direction we need to be heading.
Think About Resiliency
Eric: So corporations who live in hurricane-prone cities do that from what I've seen. If you live in tornado alley, you may do that. What percentage in your experience of corporations across the globe or America pick your landscape? How many think about resiliency, plan for it, and look at it for operations and business continuity?
Chris: I saw a presentation a few weeks ago by Bryson Bort who's at SCYTHE and GRIMM. He's behind the ICS village. He gave a presentation a couple of weeks ago and said, effectively in the US there are 32 million businesses. Probably half of that are single proprietor LLCs. But anyway, you cut it, maybe half the businesses in the country have some security function.
Whether its duties are otherwise assigned, but you start winnowing that down, at least, as Bryson talks about it. Maybe somewhere from a thousand to 2000 companies in the US have effectively a red team capability to really be thinking more aggressively about their security posture. That's a little frightening.
Eric: That's actually better than I expected you would say.
Chris: There are a lot of those offensive security tools and companies out there. I don't know what the total addressable market is for an offensive security capability or red team as a service. But I think it's probably in that one to 2000 company set. Maybe it's like the Russell 2000. But that just speaks to where we are on the maturity curve of security thinking from an executive perspective. It also speaks to the business education process, MBAs and other technical leadership degrees, security as an afterthought.
Chris Krebs Wants You to Think About Tomorrow’s Board Cadre
Chris: We've got to change that. Colonial was a big wake-up call because it shifted the view of cyber from a technical risk to a business risk. That's a good thing. So today's board member cadre is waking up. We need to be thinking about tomorrow's board cadre. Make sure that we have more technically sophisticated savvy cyber mindset people in that cohort. That will happen naturally and organically as people move up the ranks into board positions. The resilience piece isn't just going to happen on its own.
Rachel: Chris, I follow your Twitter feed and I really want to applaud your awesome use of GIF.
Chris: I got a lot going on right now between five kids and setting up a business. I was working with the Aspen Institute on the commission on information disorder. We just released our final report. I find it much more efficient to tweet using GIFs and memes. It's a good way of saying a lot more than a hundred, how many characters it is these days.
Rachel: I would love to get your thoughts on ransomware. A lot of the discussion, the putting sanctions on like the SUEX exchange and how we impair the financial incentive, it's on the rise. Or, at least, it feels like it is. What are you seeing out there from your perspective?
Chris: Without question, this has been, from a public visibility perspective, the year of ransomware. At least, the big hits but ransomware has been around for a decade or more. What has happened more than anything is that the install base of that increasingly complex digitization space has always been there for the taking.
A Vulnerable and Misconfigured Space
Chris: That's why we have as many cyber security companies as we do right now. It's a vulnerable and misconfigured space. What happened was the bad guys, in this case criminals, figured out how to monetize the vulnerable misconfigured space. Part of that is not only did they monetize it primarily through the availability of cryptocurrencies outside of the traditional economy space.
The oversight mechanisms that prevent things like terrorist financing, we're able to lock that down over the last 15 years. Those same mechanisms that know your customer, AML, Anti-Money Laundering, have not been applied rigorously against the cryptocurrency economy. The adjacent piece is that there was a safe harbor, safe haven principally in Russia.
It’s also in other countries around the former USSR Eastern Europe and even in Ukraine. Some of those spaces like Ukraine and Romania are becoming less hospitable to criminal actors. Belarus is still there. We saw an indictment, including some Iranian actors conducting ransomware last year. It all goes back to they've had a safe harbor, they've been able to conduct their activities.
The authorities there know or very well should know they've been informed enough. It gets to the point of, it doesn't matter if the Russian FSB is directing this stuff. They know about it. They're not doing anything to stop it other than saying, "You better not hit anybody that has a Cyrillic language package installed on their Windows machine."
Eric: We're just shielding from Americans, what's the problem? It's okay. We get lots of money.
Chris: As I've said on ransomware operators in Russia. Whether it's affiliates or the dev groups crews, it helps the Russian state, the Kremlin for a few reasons.
[27:48] Building a Strategic Cyber Force
Chris: One is that it builds a strategic cyber force. That thing where you keep talking about here like the civilian cyber court. That's basically what you're doing here. If they really need to use them for other reasons down the road, they can. The second is it brings money home. It brings revenue into the state. If they track it against GDP, few hundred million dollars in fiscal year 2022 is not a bad thing for Russia.
Eric: For a cost of almost nothing.
Chris: The third is, it is consistent with the Kremlin's strategic objectives. It’s to undermine the confidence of the west and the citizenry trust in the national security establishment's ability to protect them. We're seeing hospitals, schools, state local government agencies, pipelines, that continues to erode confidence in the public's confidence in the government's ability to protect them.
Eric: Just somewhat aligned with their national goals there.
Chris: At least as I see it, it makes sense. That leaves you with the question, how are we going to get out of this? We all want silver bullets, we all want single-shot solutions. It's just not going to happen here. Even if Russia, which they won't clamp down universally on ransomware, they would just go, Iran would. They are doing it.
Remember every country on the face of the earth is developing capabilities, including financial, criminal infrastructure. We need to continue to push pressure on Russia. The jury's still out on whether the administration's engagements with the Kremlin have been successful. There are some indications that it has been, but I don't know if we have enough data.
Chris Krebs Is Not Ready to Go There Yet
Chris: Put it this way, you certainly haven't seen the Colonial or JBS like events. You've seen REvil come back up and they get smacked back down. So jury's still out there. There are a lot of people that don't think of the administration's efforts of diplomatic engagement to reduce cybercrime. They don't think it's working, I'm not ready to go there yet. So then what's left?
First is we have to continue targeting enforcement actions against the criminal infrastructure. You talked about the SUEX exchange based out of Czech Republic. That’s one of those primary wallets or exchanges rather for Russian actors. They allegedly, reportedly went after some other cryptocurrency bits of the ecosystem last week in Moscow. We keep going there and it's time to bring the cryptocurrency community into the regulated space.
At least they've been there. We just need to enforce upon it. This treasury department is focused on doing that. That's going to require partnerships with our foreign allies as well. The last thing is that soft underbelly. We have to continue to raise the bar on defense and make ourselves harder targets. This is where it truly is incumbent upon the private sector where they have a corporate social responsibility. It's almost like it's part of the ESG movement at boards of environmental, social, and governance.
Cyber belongs there. What's happening when companies present themselves as such an easy target is allow this criminal enterprise and ransomware to proliferate, to really blossom. What we have to do is shift national security assets, intelligence community, cyber command, law enforcement assets to stopping this. The problem is it's a zero-sum game in the US government, whether we like it or not.
Retasking an Intelligence Community Capability
Chris: By tasking, retasking an intelligence community capability away from who knows what to deal with ransomware, we now have a blind spot. This is where for years, you've heard the private sector say, "We need the government to help us on cybers." Now the government can say, "We need you to help us on cyber."
Rachel: Supply chain is such a hot topic right now. We recently had Sudhakar Ramakrishna, the CEO of SolarWinds. SolarWinds was one of the first clients that you had at the Krebs Stamos Group. That was a fascinating experience he shared with us. I'm sure you're seeing a lot more on the front lines as part of your work today.
Chris: SolarWinds is the KSG plank holder client, number one. Alex and I had been talking about pulling something together. Maybe, start in April when we've got our lives in order. Then Sudhakar calls and says, "I'm starting in January. We would love for you guys to sit on my shoulders. Help me get through this and understand what I'm dealing with." I don't know if it was FOMO, and I was just going through some withdrawal.
It seemed an opportunity to continue to engage in a meaningful way in this national security space. But it goes to the theory of our company that there are systemically important companies. There are systemically important problems. It's not thinking about yesterday, it's thinking about what the next five years looks like.
The thing about the SVR campaign, whether we're calling it Abell or Holiday Bear, the key takeaway is that it was not just SolarWinds. There were other companies that were involved and so what you're seeing is a manifestation.
Good Security Leadership
Chris: This was the exact responsible way for Sudhakar to come forward and be as transparent. Partner as well as he did with the government, and get out there and talk about his problem. To me, that's good security leadership. It’s being transparent. There are other companies that got hit and did not come forward. They have been hiding and people know who they are, and that matters. So beyond that though, the real takeaway. I talked about a couple of trends and takeaways I'm seeing.
First was that destructive attack, second was ransomware. The third trend I'm seeing, and I already touched on this a little bit, is the SVR, the Chinese MSS, and others. They have shopping lists, they have target sets that they go through. They’re dedicated units in these foreign intelligence services that work through the IT services and product supply chain. They want to be in positions to pivot.
They're not going after the bad guys anymore at the front. Their targets are the state department, treasury, the big banks, and defense industrial base. To them, it's not as effective to use a single shot access to get into an agency. Once you block them out, you're done. You have to move on from that target. But if you can make the transition and pivot into the supply chain where you have broader visibility, almost God's eye into multiple targets, it's much more efficient.
It allows them access everywhere. They want the ability to look almost real-time at their targets of choice. It really amounts to a global cyber intelligence collection capability and that's the ideal. That is what the SVR was trying and is still trying to do.
What Cloud Hopper Was All About
Chris: You saw it with the Microsoft third-party reseller, a report from a couple of weeks ago and the MSS is doing it too. That's what Cloud Hopper was all about from two and a half, three years ago. This is really one of the harder problems because we operate in an environment that's based on trust. When you're a software provider, your vendor sends you an update package that's signed by them and says, "This is good to go."
Most organizations don't have the ability to dig into that code and test it and validate, nor should they. It's not efficient. That's what I see a lot of organizations right now are struggling with, like Zero Trust. They’re relentlessly, aggressively looking, signaling, and validating every transaction. Whether it's identity or data, whether that's going to fix it, this is the space that there's a lot of industry discussion right now.
Eric: I love their idea of secure by design. Talk about an organization that encountered an issue and really doubled down on addressing it. It was such an impressive interview. You've been out of government just over a year now. You're advising, you're meeting with people in and out of government and commercial industry.
Where do you think you have more power? When you were in CISA, you and the team secured the election and a ton of other things that weren't reported on. Or, is it now that you're able to take that knowledge and go out and really dig in deep with corporate America and elsewhere? Where can you move the needle more?
[39:14] Chris Krebs Is the Devil to Jen Easterly’s Angel
Chris: Honestly, I haven't thought about the question in this framing. I almost want to be the devil to Jen Easterly's angel. She's in the government role and has a much higher bar. The way she engages, having been in those positions, you can't always say what needs to be said or you want to say. There's a more diverse and broader set of equities that you have to balance.
There are other people that have a chop on it now. Where I am in life, I don't necessarily have those filters. I'm a little bit like Phineas Gage after he got the railroad spike through in his frontal lobe. I can use my memes and GIFs on Twitter to say what I want. Or I can do podcasts like this and really get to some of the harder targets. But I do get out and just talk to different sets of people now.
I want to help drive that system mission forward because that's an organization that is going to have generational impact. What I'm so excited and thankful for was that we got CISA on the map effectively for doing good work. It's very rare that an organization like that achieves visibility and a platform to do good work rather than doing bad work.
Eric: That quickly too from standing up until results.
Chris: It had been around in different iterations for a while. Honestly, it’s one of the biggest challenges, at least in previous times, before CISA was the organization known as the national protection programs director. Imagine going to a recruiting fair or putting up a booth at RSA. Saying, "Hi, we're the..." What?
Recruiting Chris Krebs to NPPD
Eric: NPPD, let me tell you what that is. We'd like to talk to you about joining.
Chris: From recruiting, partly when you go out and you market as well. It’s like trying to work with a stakeholder somewhere out in the Southwest. You're knocking on the door saying, "You give him a call, send him an email, run into them at a conference." Then say, "Hey, we're with NPPD and we'd love to talk to you." They're like, "What do you mean you're within. I don't understand what that is."
Or there were actually a lot of cases where we'd show up particularly at universities and say, "We're with the Department of Homeland Security. We'd like to talk to you." They're like, "I got to get the lawyers and the DHS." There are all these other issues. As soon as we say, "We're with the Cyber and Infrastructure Security Agency," yes, that's a mouthful.
But, at least, it tells you as a potential consumer or partner what you're dealing with. That was, to me, probably the biggest impact. Everybody knows that branding a name is just about everything. The government, particularly the US government, is really bad at naming things.
Eric: It's different from what I'm hearing but you're less constrained now? Do you have a Rubik's Cube?
Chris: Jen gave me one. I understand how it works. They're algorithms. I just haven’t taken the time to memorize and practice, but she's amazing at this thing. You can take a scrambled Rubik's Cube, she's got speed cubes. So she'll just look, figure it out, and like, "Okay, so it's this, it's behind the back." Boom, there you go.
Practice Till You Get It Right
Eric: I want to put my 14 year old up against her, he's down to 31 seconds.
Chris: Honestly though, it's almost like everything else. It's practice and you can get it right.
Eric: He's studying the algorithms as he calls them and then he's now beating me in chess. Same thing.
Chris: Same thing there.
Eric: That was my question.
Rachel: Well, thank you so much for joining us today. This has been a fantastic discussion. Thanks for sharing your insights from being on the front lines as cyber trenches for many years. Thank you for the great work you continue to do. We need you out there fighting the good fight.
Chris: Thanks for having me. This has been great. The thing that excites me the most is that I can still engage. Just because I'm not in the CISA role anymore, I still have the ability to talk. Hopefully be a positive voice, positive influence in the community. It is, far too often, trying to tear itself down a little bit. There's some toxic aspects here. So there's a lot we can do together. If we keep pushing towards bringing everybody into the same big tent, we're going to be okay even if the world does seem to be a pretty scary place right now.
Rachel: To all our listeners, thank you so much for joining us this week. As always, hit the subscribe button. You get a fresh podcast in your inbox every Tuesday. Until next time, be safe.
About Our Guest
Chris Krebs is founding partner of Krebs Stamos Group. He most recently secured America’s election as the first Director of the Cybersecurity and Infrastructure Security Agency. With a long career as a cyber-policy expert in the private and public sector, Chris has unprecedented experience building coalitions to deal with critical security challenges.
Before serving as CISA Director, Mr. Krebs was appointed in August 2017 as the Assistant Secretary for Infrastructure Protection. In the absence of a permanent NPPD Under-Secretary at the time, Chris Krebs took on the role of serving as the Senior Official Performing the Duties of the Under Secretary for NPPD until he was subsequently nominated as the Under Secretary and confirmed by the Senate the following year.
Chris Krebs joined DHS in March 2017, first serving as Senior Counselor to the Secretary, where he advised DHS leadership on a range of cybersecurity, critical infrastructure, and national resilience issues.
Prior to coming to DHS, he was a member of Microsoft’s U.S. Government Affairs team as the Director for Cybersecurity Policy, where he led Microsoft’s U.S. policy work on cybersecurity and technology issues.
Before Microsoft, Chris Krebs advised industry and Federal, State, and local government customers on a range of cybersecurity and risk management issues. He holds a bachelor’s degree in environmental sciences from the University of Virginia and a J.D. from the Antonin Scalia Law School at George Mason University.