INTELLIGENCE MATTERS - CHRIS KREBS

CORRESPONDENT: MICHAEL MORELL

PRODUCER: OLIVIA GAZIS, JAMIE BENSON

MICHAEL MORELL: Chris, welcome to Intelligence Matters. It is great to have you here.

CHRIS KREBS: Thank you. It's great to be here.

MICHAEL MORELL: You have a very important job at the Department of Homeland Security. But before we get to that, I want to spend a little time asking about you and your background. When I look at your resume, it seems to me that you were groomed for the position that you're currently in. Can you walk us through some of the experiences you've had where you've learned about cyber security and the cyber problem?

CHRIS KREBS: Yeah. I came about it in an unconventional way. In fact, if you had asked me if I was a technical person, I'm not. I came up post 9-11 in the Bush administration within the Department of Homeland Security focusing on critical infrastructure protection issues.

But less from the guards, gates, and guns physical side. More thinking through risk management and how do private sector organizations work with government to better enable risk-management decisions. And then as the Bush years wore on and then shifted out into the private sector was engaging much, much more closely with boards of directors and senior executives.

One of the victims in the Western district of Pennsylvania Chinese hacking indictments of the early Obama years was one of my clients. And we worked with them to help, again, better enable and better engage with the various parts of the intelligence community, DHS, and law enforcement community.

MICHAEL MORELL: And that was focused on cyber?

CHRIS KREBS: Yep. That was focused on cyber. And that was really the first time the US government stepped out and called China out for its bad behavior in intellectual property theft. And by others in the intelligence community, and General Alexander, I think, said, it's the greatest transfer of wealth in human history. Could've been Hayden.

MICHAEL MORELL: That's absolutely true.

CHRIS KREBS: Yeah. And it's really not slowing down. So over time then shifted over to Microsoft and led some of the US cyber policy work. But, again, really focused on how can give best help the private sector, recognizing that ultimately the private sector owns and operates the majority of critical infrastructure, shared responsibility, we've got to do this together. But if we learned anything, I think, through 2016 and the Russian interference with our elections, it's: no single organization, no single state, no locality can go at this problem alone. When you're facing a concerted effort from the Russian military, the GRU, the SVR, the FSB, it's going to take a team effort to push back and harden the underlying infrastructure, harden our people, our citizenry, and then strike back when we have to.

MICHAEL MORELL: Chris, one more career question. So cyber security, one of the top issues of the day, is going to be with us for a long time. I run into a lot of young people who want to get into this space. And they always ask me, what should I study? What kind of experiences should I pile up? What would you tell them?

CHRIS KREBS: Well, stepping back a little bit, I think what benefits us the most, the United States, is our diversity of experiences, the diversity of our people, the diversity of the education system. It takes all kinds to be successful in this space. My background: environmental science undergrad, and then law school.

So it really takes a wide range of skill sets. I think the number one trait that I'd encourage people to really focus on is their critical thinking and ability to communicate. Those two aspects, when you pile together, put you in a position to be successful, particularly in government, but also in the private sector, and being able to navigate between the technical community and the executive suite.

MICHAEL MORELL: Being able to translate from the technical to the policy?

CHRIS KREBS: I think one of the challenges we're having right now, particularly with cyber security, election interference, the information and influence operations is that we've over-rotated a bit into the technical sphere. And we talk about things that we can't really grok, we mentally struggle with in understanding the scope, the impact, the risk.

So nuance is not our friend in this space, is really where I'm going with this. So if we can clean up the way we talk about things to be much more clear and concise and take out some of the bureaucracy, the bureaucratic language, and the technical jargon and make it just cleaner for the American people to understand.

MICHAEL MORELL: We'd be better off. Chris, okay, to your agency. What's its mission? What are your core functions? What are you supposed to accomplish?

CHRIS KREBS: So when you really strip it down to what we're supposed to be doing, and what we're trying to do, and what Congress has entrusted us to do, we're the nation's risk advisor. And I use those words pretty carefully. And I'm not saying we're the nation's risk manager.

I've already talked about -- Now, I don't have original sourcing for the 85% number. That's long debated. But, look, the way we work in this country is that private sector, government, if you own the network, it's your responsibility to secure it. My job is to, again, help those network defenders, the blue team folks make the right decisions, make sure they have the information to enable them to make the right security decisions and then help provide policy makers the decisions to shape the policy in regulatory and legislative space.

So that comes at it from an over the top, we are risk advisors, whether it's physical, cyber, whatever it is at this point. Three main mission areas. One is cyber security, leading efforts across the federal government, the civilian agencies to help protect federal networks.

Second is working with the critical infrastructure community to help protect their networks as well. So that's the cyber side. On the physical side, really focused right now on a number of issues including soft target security. And that's working with places of worship, schools, stadiums, sporting venues, places where people gather.

And I think as we step back a little bit and we look at the post-2000, the 9-11 world, the Department of Homeland Security was established, as you recall, to be a counter-terrorism organization, really focused on the physical threat from terrorist.

Over the intervening 15, 16 years since 2003 when the department was stood up, the threat landscape has shifted dramatically. We have peer and near-peer adversaries. Great power competition is a thing again. So as we were structured for physical security risks, now we are much more focused, in addition, on cyber security threats.

So we're taking a lot of those relationships we've built over the years where physical security relationships with key strategic infrastructure, we're now working with them at hard infrastructure that matters. We're working with them on cyber security issues, too.

MICHAEL MORELL: So you're CISA's first director?

CHRIS KREBS: Yes.

MICHAEL MORELL: So it's now an agency. And it was elevated in DHS from a previous incarnation as the National Protection and Programs Directorate. Why did the administration make that change? And what does it mean from a day to day perspective? How is life different today than before?

CHRIS KREBS: Well, it's funny because it's actually a thing that the prior administration tried to get going, day one. We had to kind of demonstrate our ability to deliver success. And I think that took time. Plus you also had to figure, is there a real demand for a primary cyber security agency.

So that was one of my top priorities when I came in. How things are different, what this really means -- so this puts us on par with TSA, with FEMA as a true operational agency within the Department of Homeland Security.

There's some more mundane organizational issues, where now we have to have our own HR functions. We have to have our own CFO functions. We're not drawing on the headquarters' support elements.

But from a day to day perspective, it puts the button on us when it comes to leading cyber security defensive efforts across the United States government.

We've always been in that position, statutorily, the Secretary was. Now it's much more clear. We have stepped into that role. We're owning it. And we're making a lot of progress over the last couple years. And I think if anything, our ability to step up after 2016 and help lead the nation's efforts to protect our elections, I think that really shows that we have a role. We can deliver success and value to our stakeholders.

MICHAEL MORELL: So, Chris, you've identified China, supply chain, and 5G as some top priorities that you need to address in the immediate term.

Those are all interrelated, of course. But maybe we can just take them one at a time. So China, is China the biggest cyber threat we face? Or are they competing with that label with Russia? How do you think about where China falls on the threat spectrum, here?

CHRIS KREBS: So from a strategic perspective, I think they're certainly the top if not one, two with Russia threat. I look at Russia as trying to disrupt the system, particularly from an elections and undermining democracy perspective. They're trying to knock us off our global position as a leader of the free world and lead democracy. And that's really what it comes down to. Russia's not trying to win the game. They're trying everyone else to lose. And that's kind of the Gerasimov doctrine.

MICHAEL MORELL: That's a great way to put it.

CHRIS KREBS: The Chinese are thinking much more strategically, I think. There's probably some debate here. But they want to ultimately be a peer, if not a dominant position to us and have us more in a client state where they're the primary economic power and we're so interdependent with them and dependent on their supply chain.

So they're not trying to disrupt us, necessarily. They're trying to manipulate us, put us in that, again, that client state position. And to do so, though, they're going to have to overcome our ability to innovate. They're going to have to overcome our ability to be out in front of the next technological revolutions.

And they're getting there by intellectual property theft, acquiring US companies, requiring US companies to come into the Chinese market to join in JVs and tech transfer. But I think, if anything, I've learned in the last couple years is that it's possible that China's overplayed their hand a little bit. That they have over exerted influence internally, and particularly US companies that were looking at China as a big market to go into. They're not getting the returns they expected, maybe four or five years ago.

MICHAEL MORELL: Where are we in terms of intellectual property theft? Are they going after it as much as they ever have? Or has the pace slowed? What's the story there?

CHRIS KREBS: So I think if you asked the F.B.I. and some of their ongoing investigations in the counter intelligence efforts, while it's probably kind of ebbed and flowed and waxed and waned over the last half decade or so, I think they're as active probably as they've ever been. It's hard to kind of quantify, really.

MICHAEL MORELL: Because you don't know what you don't know.

CHRIS KREBS: Yeah. But look, they're active. I think the APT-10 indictments from this past December, and that was the Department of Justice indicted a couple of Chinese actors that had been jumping into managed service providers and cloud service providers in these points of aggregation and pilfering all the intellectual property that they wanted.

That shows that they're still at it. And they're as effective as they've ever been. If not, they're improving their tradecraft. And rather than going that whack-a-mole, onesie, twosie approach, they're going to the points of aggregation. And they're just sweeping up a whole bunch of information while they're doing it.

MICHAEL MORELL: Can you talk a bit about the Huawei issue and why it's so important from a cyber security perspective?

CHRIS KREBS: So I step back and think about Huawei and really other Chinese companies. What we're seeing here more than anything is these companies, these tech companies and other companies coming out of China, they're just an extension of the Chinese state.

They're being operationalized. They're being weaponized in a certain sense. President Xi has even said that. They don't walk the Western road of constitutionalism. They look at the world differently. And they are using all instruments and tools of the state, including their "private sector," I'm using my air quotes, to get what they want.

And so what happens when we know that China has attempted over the last decade plus, and not just attempted but been successful, to extract the intellectual property from the United States and our partners and allies. We know that they are aggressive, and increasingly aggressive in cyber operations.

So we know them for what they are because we have experience and they've demonstrated intentionality. These are adversaries. Second, we are building out the next generation of communications technology that is going to empower innovation the likes of which we've never seen.

MICHAEL MORELL: So we call it 5G.

CHRIS KREBS: 5G telecommunications networks. I think we're still trying to figure out what it really truly means. But it is going to, again, empower all sorts of innovation, machine to machine communication, automation, things that we haven't even contemplated across our economy.

And the third piece is we know that the quality of their engineering is not great. The United Kingdom has established, because they've been working with Huawei for a decade or more, an oversight board where they pretty stringently review the tech product.

And they've said that the quality of the engineering is objectively worse than their peers. So we've got a state that's demonstrated hostility to the United States, our peers, and our allies. We have a tech sector that they've operationalized that is in a lead position to build out the next telecommunications networks. And we know that their product's not great. That just puts me in a position, from a risk management perspective, that says we need other options. We have got to go a different direction. I am not confident, comfortable with that roll out.

MICHAEL MORELL: So what direction should we go?

CHRIS KREBS: Well, we need to look at a number of things. First, is what does 5G really mean? And this is, obviously, a much longer drawn out conversation. But we need to take a look at what's the rest of the market look like? How do we encourage vendor diversity? How do we use the other tools of the US government to incentivize additional players in the market or bolstering more reputable, trustworthy players?

One thing we can look at is why are certain Chinese companies successful on the global scale? It's because they come in with an integrated tech stack. They have low to no-cost financing. And they're subsidized by the Chinese state. Those are all market advantages that in some cases are inconsistent with the World Trade Organization.

We need to look at holding them accountable to the agreements they said they would adhere to. And there needs to be a degree of reciprocity. They don't let US companies go into the Chinese market with an integrated tech stack. Why would we let them come here and do the same?

So we need to take a hard look at the way they operate within the markets in the US and elsewhere and provide others options. I was in NATO in Brussels a couple weeks ago; our allies are very clear-eyed about the threat from China. The challenge that we have is there in some cases are economic entanglements that even if the security services say, "Hey, we know what's going on here, but we don't have any other options." How do we get those options?

MICHAEL MORELL: So your experience in talking to the allies about this is they get the security risks?

CHRIS KREBS: Oh, yeah. Oh, yeah.

MICHAEL MORELL: But they're stuck because they've got economic relationships that would be put at risk if they went in a different direction, is that fair?

CHRIS KREBS: Yes. That's part of it. Another part's people just like, "Hey, I'm little old me. I don't have much to worry about here. I'm not the US." We also do not want to encourage the export of digital authoritarianism to the rest of the world. We want democracy to grow. And that's really kind of what this is boiling down to, right now, is there's a self-sorting mechanism going on between democracy and the rise of authoritarian states.

MICHAEL MORELL: So Chris, the concern about supply chain, can you let people know what that means, from a security perspective?

CHRIS KREBS: Sure. The more things we connect, the more interconnected we become between sectors and functions in the economy, what we're discovering is the less we actually know about the provenance of the things that we're plugging in. Who is writing the code? Who's building the hardware?

Do we have the right level of attestation and certification across the componentry that's going into these products? At the same time, we're finding that nation states are able to exploit a number of these supply chain dependencies for their own intelligence and operational gains.

So what we are trying to do, working with the IT sector, the comp sector, and the rest of the federal interagency is get everybody on the same page in terms of intelligence and threat information sharing. We took a step two years ago, September 2017, issuing a directive across the federal government that said, 'You know what, we've taken a look at Kaspersky anti-virus products and determined them to be too risky to be deployed within federal networks.'

And the decision, or the rationale behind it was anti-virus operates at a pretty broad level across systems below which we usually monitor. In fact, the AV is the thing that actually does the monitoring, sweeps for data. And really effective AVs, anti-virus products, take the data, or the files, the anomalies they find, and they send it back to a central collection point.

In the case of Kaspersky, that was Moscow. And we also know the legal system in Russia, it's not really known for meaningful judicial review, the balance and checks and balances that we have here in the US. And we know that there are laws that compel telecommunications companies and tech companies to comply with the intelligence service.

So we kind of added this all up. And then you kind of look at the relationships between Kaspersky leadership and the Putin regime. And we said, 'All right, theoretically, we've got a company that is delving into the depths of the US federal government that the FSB or the SVR, or GRU could operationalize.

That's just not acceptable.' So it gives us a good framework of looking at the technical piece, the legal piece, and the relationship piece, which we can look at Kaspersky. And we can look at, frankly, any organization to do a risk assessment of a product as it would be baked into the federal government. And we can help export that into the private sector and help them understand what their risk is.

MICHAEL MORELL: So Chris, let's talk a little bit about critical infrastructure. First, how do you define critical infrastructure?

CHRIS KREBS: So it's historically been defined across the lines of 16 -- well, at one point it was 18 and then it was 17 and then it was 18 now it's 16 -- but it's those pieces of the economy that drive our country and our economic engine. And would include things like, there's the energy sector, banking and finance, emergency services, nuclear power, oil and natural gas.

Again, 16 sectors. But, again, it's these artificial buckets of the economy and how to group common players. What we've done over the last year is take a different look. It's not just the big buckets of the economy. Because we tend to get more focused on specific organizations, specific assets.

And as I mentioned with the interconnectedness and the interdependencies between pieces of the economy, for instance, the banking and finance sector. They're dependent upon power, water, and a number of other sectors. So how do we tease out these interdependencies?

So what we've done is drilled down to say, 'All right, let's do less on the specific organizations and more on the functions and services that are being delivered across the critical infrastructure community.' And we've bottomed out at this point.

It's a living breathing list. But 55 national critical functions. So when you look at the banking and finance sector, it kind of nets out to five critical functions including wholesale payments, capital markets. And it gives us a more granular view of risk.

MICHAEL MORELL: It's more refined now than it used to be?

CHRIS KREBS: It's evolved. It's certainly evolved. I think we were in a little bit of a rut in terms of our risk management approach. And it gives us that more evolved approach.

MICHAEL MORELL: So Chris, the public hears a lot about our adversaries accessing or trying to access our critical infrastructure with cyber tools.

Right, with the idea that if they ever want to use those tools to do damage, they're ready to go. How much do you worry about that? Is that something we need to worry about? Have we been compromised? Have we been able to keep them out? Can you talk about that a little bit?

CHRIS KREBS: Yeah. So we certainly have been targeted. If we saw anything in the 2016 elections that the Russians were attempting to get into our election infrastructure. There's probing, scanning, whatever you call it, mapping the internet happens every single day.

If you go talk to some of the energy sector folks, there are companies that'll say that they get probed, or whatever, millions of times a day. I think, as we've seen, the Russians have been active in this space. The Chinese have been active.

DNI Coats recently talked about pipelines in the Worldwide Threat Assessment. That's hard strategic infrastructure that's being targeted. And then the Russians, we issued an alert last year, in fact, about their attempts to map and get into the energy infrastructure.

So we know what the adversary is doing. We know they're trying to understand and identify and get into our strategic infrastructure. And that's why it's so important that we build strong relationships with those critical infrastructure players.

We can share with them the intelligence we collect, and the risk management strategies. But we also need to do a better job, I think, of working with those infrastructure partners to get a real understanding of the things that they view as risky.

What are the things that they are worried about? And then we can pull the understanding back and send it to your old shop, and General Nakasone at the NSA and say, 'Look, when your collectors go out, your guys don't necessarily know what the domestic infrastructure space looks like.

Rightly so, but I'm going to tell you, these are the things, from an intelligence perspective, that you need to go collect against so that we can lay the right trip-wires to help inform the network defenders back here in the US. Because again, we've got to do a better job of informing and tuning the intelligence collection mechanism.'

MICHAEL MORELL: Chris, I know you can't respond directly to the recent New York Times report that said that US cyber command was being more proactive and putting our tools in other nations' infrastructure so that we're able to act. I know you can't comment on that. But what I want to ask you is does it make sense, from your perspective, that we have something like mutually assured destruction when it comes to cyber and critical infrastructure?

CHRIS KREBS: I think the nuclear deterrence model in the escalation ladder, Kahn, and all that, it works when you have a small set of players and there are barriers to entry, including cost and technological development, which is just not reality in cyber.

It's a commodity game right now. And honestly, we focus a lot on the big four of China, Russia, North Korea, and Iran. But every country is developing tools. If they're not, they're not trying. So what I am increasingly thinking about, and this is coming up through my team, is we need to be thinking more like the British in the Battle of Britain in WWII.

They did three main things. One, they hardened their underlying infrastructure. They were getting hit every day. So they really hardened their buildings, their facilities. They hardened their buildings. And then they hardened their people, too.

They said, 'Here, you've got to understand what the threat is. And you have to take your own steps to protect yourselves. We'll do what we can. But also there's a shared responsibility here.' And the third piece is based on information, based on intelligence, based off their radar, their early warning system, they were able to also go take strategic selective strikes against the adversary and put them on their back foot. So this is a blended operation space of enhanced defense, enhanced resilience, and then offense when it's appropriate.

MICHAEL MORELL: Offense for the defensive purpose.

CHRIS KREBS: They play off each other.

MICHAEL MORELL: They play off each other.

CHRIS KREBS: Yeah. We have a great relationship with Cyber Command and the intelligence community. I think we saw that in 2018 and the defense of the midterm elections. Secretary Mattis, Secretary Nielsen signed an MOU, a memorandum of understanding, that DOD and DHS would work together to protect our critical infrastructure, including the elections. And we really operationalized that in a way that I don't think had ever been done before. And that included support from Cyber Command operators to the DHS defensive mission potential incident response capabilities.

MICHAEL MORELL: So Chris, I'd love to get you to talk for a couple minutes about maybe what is a philosophical issue.

It makes sense to everybody that the government is responsible for protecting .gov. Right. A question, though, is what should the government be responsible for in terms of protecting .com. Right? What's the role of the government in protecting the private sector? How do you think about that?

CHRIS KREBS: Well, I'll even add a little bit to this conversation. What about state and local governments? We have a system of federalism here where elections are a great example. I keep coming back to elections. It seems that's what I talk about most of the time now.

Article One, section four of the constitution states that states will determine the time, place, and manner of how elections are conducted. And why is that? Well, it's because the people, the states decide who to send to the congress and to the federal government to represent them, represent their interests.

It's not the other way around. It's not the federal government saying this is how you're going to do this. So what we've got to do is strike that right balance of collective defense. And that's really where we're going. We need to be able to put the information, as we collect it, into the hands of those that can do something with it.

Actionable intelligence into the hands of the network defenders. When we understand that there is an active adversary, whether it's a criminal group, a proxy group, a nation state, the US government needs to act using a range of tools both overt and covert, offensive legal sanctions, diplomatic.

We have a broad range of tools. And we have used those in the last two years expansively and extensively against the Russians. I think we're still trying to figure out what the true pain point is for President Putin and his regime. But there's no question that we've inflicted an increasing amount of pain upon him.

So again, we are putting information in the hands of people that can do it. We are working to build capacity for the private sector. We're looking at the .com, the private sector, the critical infrastructure community kind of along a maturity model.

Think about a scatter plot with an X and Y axis. The X axis is awareness. And the Y axis is capability. So awareness is something that's the independent variable. Capability is going to be dependent upon how much you know and how much you invest.

What we're finding is at the very top of that, or the top right hand of that graph, we're finding banks and energy companies that make significant investments. The big banks invest close to $1 billion a year in their cyber security. So we're going to tailor a set of capabilities and tools to them that's going to be much more advanced. That includes really finely tailored intelligence.

But at the bottom left, close to that zero, zero on the X-Y axis is where we're putting a lot of thought of how do we raise capability, just baseline capability. When we get out there and we do vulnerability assessments for state and local governments, and small and medium sized businesses, we're finding a lot of just legacy technology.

MICHAEL MORELL: What can they do better? Those places that need to do better, what are the handful of things that they can do that would make a difference?

CHRIS KREBS: So what we're finding, particularly, again, for elections, but just state and local governments, small and medium businesses is, run modern systems. Patch and update systems aggressively. So get on the latest operating system. Patch your stuff when the updates become available.

I'll talk about the BlueKeep, Microsoft BlueKeep vulnerability right now. I've got shades of 2017 and WannaCry and NotPetya. If you haven't patched from the BlueKeep vulnerability yet, you need to do that now. So patch, run modern systems, two factor authentication.

Make it harder for the bad guys to get into your stuff. We do the basics, 90% to 95% of the problem set -- I don't want to say goes away, but we make the bad guys move. They're not using zero days today because they don't have to, because we're still not doing the basics right.

We're making it too easy for them to spearphish us. We're making it too easy for them to exploit misconfiguration. Again, let's do the basics right. But I have got to say this, doing the basics is hard. It takes commitment, understanding, and investment.

MICHAEL MORELL: You have got to stay at it, right?

CHRIS KREBS: Yeah, you do. And when you look at building a company or doing a startup or a small mom and pop shop, you don't naturally think of, 'I need a dedicated IT director that's thinking everyday about how our systems are running.' So my hope is that we get into a space in the next couple years where there are easy buttons out there. And the products that come from the big tech companies are just inherently more secure.

MICHAEL MORELL: So Chris, you've mentioned the 2020 elections a number of times. Obviously, cyberattacks played a role in 2016. 2018, they didn't stop. We did a better job, I think, in 2018. What's CISA's role with regard to 2020?

CHRIS KREBS: Yeah. So we are working every single day with our state and local partners, those that run elections at the state level and the local level. We're working with all 50 states and approaching about 2,000 local election jurisdictions. The challenge here is that there are 8,800 or so election jurisdictions throughout the country.

And a lot of them are small jurisdictions that don't have a lot of technological investment and sophistication. And that's okay, we can work with anybody. We're actually in the midst of the second annual Tabletop the Vote. It's kind of a goofy thing that we do but a three-day exercise.

We have 48 states playing in 1,000 or so jurisdictions. Get everybody together and work through, what does a bad day look like, who are you going to call, what are your communications strategies, and what are your response plans. So what we are doing is working with these election folks and helping them get to a more secure posture, including retiring legacy systems.

Getting that old stuff that may be 15 years old or out of support, making sure that auditability is achievable and that they are in fact auditing. We've got to get to a position where you can go back and you can audit the process. And that includes some kind of paper back up.

MICHAEL MORELL: So because of the constitutional issues you talked about, do you have to wait for them to come to you? Or can you go to them?

CHRIS KREBS: We can go to them. We can't compel action. But that's the ethos of CISA, is that we are public-private partnership embodied in the federal government. And we have to go out and we have to provide something of value. And two or three years ago, we didn't have much of value directly for the election community.

Now we do. And that includes intelligence, information sharing, vulnerability assessments, regular vulnerability scans. We are providing capabilities that states and local jurisdictions just haven't invested in historically because they never thought they needed to. Prior to 2016, who would've thought that a random county in the Midwest was going to be targeted by the Russian GRU? It just beggared belief.

MICHAEL MORELL: So if I were the Russians or Chinese, I would be all over every presidential campaign. So are you providing any kind of support to the presidential campaigns?

CHRIS KREBS: Yeah. We've met with every single campaign, both sides. Provided them, 'Here are the things we offer. Here are the things you need to do. Call us if you need any of these assessments.' The DNC and the RNC, Bob Lord, over at the DNC has done a great job of, again, saying this is not about going and buying some silver bullet cyber security tool. It's about doing the basics. It's running on a commercial enterprise grade email, multi-factor authentication, secure messaging apps. It is that simple, the basics they can do.

MICHAEL MORELL: And do you get a sense that people are listening?

CHRIS KREBS: I think so. Yeah, I mean, gosh, if you didn't learn from 2016, then you're not listening. I still think of the three pronged attack of the Russians, between targeting election infrastructure, targeting the political campaigns, and then just the broader structure information, or the influence ops. I think the second prong, that hack and leak against DNC and other political organizations, that was the most impactful. That was the most visible part of their strategy. And shame on us if we're not ready this time around.

MICHAEL MORELL: Chris, thank you very much for taking the time to be with us. And most important, thank you for the work that you and your folks do every day to keep the country safe.

CHRIS KREBS: Thank you.

MICHAEL MORELL: Great to be with you.

CHRIS KREBS: Great. Thanks for having us.