If there is one upside to having been publicly fired by Donald Trump, Chris Krebs reflects towards the end of our lunch, it is that some of his neighbours have started talking to him again.
Picking over tapas outside an upmarket Spanish restaurant on a wintry Washington day, we have spent two hours dissecting Krebs’s past four years, which were tumultuous even by the heady standards of the Trump administration.
Joining the federal government in 2017, he was later appointed as its first cyber security tsar, in charge of defending the US against cyber attacks and disinformation, both foreign and domestic. Krebs is credited with helping companies keep working through the pandemic and overseeing two successful and secure national elections — the 2018 midterms and the 2020 presidential election. But when he started to rebut the former president’s claims that last year’s vote had been rigged, he promptly found himself out of a job and facing death threats from Trump’s most ardent supporters.
While the chaos is unlikely to subside in the immediate future — he is now suing the Trump campaign and others for defamation — at least the social stigma has begun to wear off. “It’s remarkable,” Krebs notes wryly. “You find out who your friends are . . . I had neighbours that hadn’t talked to me for a while because they found out I was in the Trump administration, and now they are.
“Considering the current situation, I’m OK with that,” he adds. “Just as long as you’re not torching my house.”
Krebs’s public departure from government may have secured him an enemy in the former president but it also made him a new friend — the renowned Washington chef, José Andrés, whose restaurant he has chosen for our lunch.
Andrés picked his own argument with Trump in 2016, responding to the former president’s anti-Mexican rhetoric by pulling out of a contract to open a restaurant in one of his hotels. And after Krebs was fired, the chef tweeted that he would always “have a seat and a table” at his places. We are at Jaleo in central Washington to make good on Andrés’ promise. In deference to Krebs’s bond with the patron, I let him choose our tapas options.
Krebs picks olives, Manchego and the salchichón Ibérico de bellota, cured slices of acorn-fed pork. But despite the sputtering gas heater nearby and the marquee that surrounds us on three sides, I am in need of something a little more warming. (Indoor dining is banned when we meet.) At my prompting, Krebs agrees also to order prawns stuffed with garlic and a glass of albariño for each of us.
A life-long Republican, Krebs gave up a lucrative job as Microsoft’s head of cyber security policy to join the Trump administration. He says now he knew the decision could backfire, but he wanted to help set up the organisation he went on to lead, giving the US a dedicated cyber security agency for the first time.
The job was not just about combating cyber attacks: Krebs was also tasked with fighting back against online misinformation from foreign states. In the wake of the 2016 election, which was marred by allegations of Russian interference, there could hardly have been a more sensitive role in government. It was always one that carried the potential for conflict with the president.
“The flaws of this man [Trump] were obvious to everybody that was willing to pay attention,” he says. “[But] to do your job, you have to be able to compartmentalise. I was willing to do that.”
Krebs was not alone. Across Washington, Republicans like him swallowed their reservations about Trump and joined his administration, hoping to shape it from within, or simply do a good job and fly beneath the radar.
During three and a half years of service, Krebs oversaw the establishment of the Cybersecurity and Infrastructure Security Agency and helped plot strategies for how to identify and defeat cyber attackers. He also witnessed some of the more controversial policies his colleagues were implementing elsewhere in the Department for Homeland Security — from the border wall with Mexico to the family separation policy.
Did Krebs consider following the example of Rex Tillerson, the former secretary of state, or John Bolton, the former national security adviser, who were dismissed or quit their jobs and became some of Trump’s most trenchant external critics?
“Over time, it eats away at you,” he admits, stumbling slightly for the first time in our lunch. “It eats away at you, the other parts of the department that were doing stuff that just seemed so inhumane. I was never involved in any of those policy conversations,” he adds. “In fact, it would be, like, ‘Now we’re talking about the border wall’, and I’d go, ‘All right, I’m off’.”
He says he told friends in the department: “I am never going to sit in your meetings, I don’t want to know anything about what you do.”
Cynics might say Krebs managed to get fired at just the right time: after completing his term in government but before the trauma of the final weeks, when a mob of Trump supporters attacked the US Capitol in an attempt to overturn the result of the election. That attack prompted a spate of resignations from high-profile members of the administration, including Krebs’ former boss, the acting homeland security secretary Chad Wolf.
As Krebs and I talk, members of the House of Representatives are meeting just a mile away to debate impeaching Trump for his role in inciting the attack. The following day, they do so, making Trump the first president in history to be impeached twice.
Krebs has been one of the most vocal Republicans to call for impeachment, and is visibly agitated by the possibility that the former president might not be held to account for his actions. “There has to be some sort of accountability measure in here, for the sake of the United States of America — that we signal clearly that, yes, this was an insurrection.”
We are working our way through our tapas plates. The Manchego cheese is nutty and sharp and pairs well with sweet Spanish olives, while the slivers of salchichón are more delicate than I had expected. But neither of these dishes are quite enough to combat the chill.
Luckily the hot, garlicky prawns have just arrived. As I spoon some of the broth on to my plate to be mopped up by pieces of soft, warm bread, Krebs goes into detail about the kind of cyber warcraft he dealt with in his former role.
Much of Krebs’s work for the Trump administration was focused on neutralising the threat from each of the “big four” countries with significant cyber warfare capabilities — Russia, China, Iran and North Korea.
“On the Russian front, you’re primarily talking about the FSB, the GRU and the SVR,” he says, referring to the country’s three main intelligence services. “The SVR is in a different class, as an intelligence operation. Their top priority, their mandate, is just go and get info. Go get info, figure out who wants what and does what, and then you can harass.”
He adds: “If you see the GRU in your network, be afraid, be very afraid. They’re operators that wreak havoc.”
It appears to be the SVR that was behind the massive recent hack that compromised the IT systems of even the most sensitive of government departments, including the Treasury and energy department. Krebs tells me he believes the hackers wanted to extract information rather than do any material damage — action that would have been more serious, but also more likely to incur retaliation.
Krebs and his new business partner, former Facebook executive Alex Stamos, are now working with SolarWinds, the targeted company at the centre of that hack, to try to repair the damage, both technical and reputational. The two have launched a new cyber security consultancy, the Krebs Stamos Group.
The pair do not believe Russia was able to gain access to classified information in the SolarWinds hack, though Stamos recently told the FT he thought it would take years to find every piece of spyware embedded into American IT systems. He compared the clean-up operation to the “iron harvest”, the springtime farm work in France and Belgium that even now turns up unexploded bombs and shrapnel from the first and second world wars.
If the Russians are creative with the ways they will try to enter IT systems undetected, Krebs says the Chinese have a different advantage: manpower. “What China has is sheer numbers. They’re very formulaic, and everyone does the same thing . . . They have gotten very, very good and very, very quiet.”
And while he believes Moscow’s main aim is to sow cultural and political discord in America, Beijing is more interested in stealing commercial secrets to boost its own domestic industry. The US has tried to combat such corporate espionage in recent years, launching criminal action against companies such as the Chinese telecoms equipment maker Huawei for intellectual property theft.
But Krebs warns that both China and Russia have become very good at evading US law enforcement. “They know that we’re not monitoring all the [communications] pipes, because of first amendment [free speech] protections. And they know we have the fourth amendment against unreasonable search and seizure. If you suspect that you’ve got a Russian sitting on a hosting service, or Chinese, you can go get a warrant, but warrants take time. And these guys move like ghosts.”
Whatever the risk posed by hostile governments, Krebs is far more worried about civilian teams of criminals who try to infiltrate corporate and government servers in an attempt to extract a ransom. So-called ransomware attacks have been rising exponentially in recent years, thanks in part to the rise of digital currencies such as Bitcoin, which make it possible to take payments without being detected.
Travelex, the UK-based currency exchange business, was targeted in late 2019, which along with the impact of coronavirus helped knock £25m off its profits. Krebs reels off a list of US state institutions that have been hit: “The City of Atlanta, the City of Baltimore got popped twice, the Colorado Department of Transportation, the County of Mecklenburg, North Carolina.”
The threat to companies is even more pronounced, Krebs says, because so many people are now working from home, often logging in to company networks using non-secure devices and WiFi networks. “We have to continue improving defences. Multi-factor authentication for account log-ins at a minimum. Any organisation that doesn’t have MFA in place, really needs to get serious about their security.”
The tapas are running low, and I twist Krebs’s arm to order a plate of croquetas de pollo to keep the cold at bay.
His talk of combating Russian cyber attacks raises an obvious question: what did it feel like to do that under a president who so often seemed to play down the threat from Moscow?
Krebs says his lowest moment came with the now infamous Helsinki summit in 2018 between Trump and Putin, at which the US president appeared to contradict his own security services and accept Putin’s denials of having interfered in the 2016 election. Reminded of this, Krebs puts his head in his hands. “I was watching it live.” What did he make of what the president said? “Words that aren’t fit to print.”
Throughout this time, Krebs believes the president did not know who he was. That quickly changed towards the end of last year. Last October, Krebs started the government’s Rumor Control website, dedicated to rebuffing false claims about US election security. At first his work was lauded by the White House, especially when CISA helped prove that emails that supposedly came from the far-right Proud Boys group, threatening people to vote for Trump, actually came from Iranian hackers.
But the dynamic shifted suddenly after the election, when the biggest source of misinformation became the head of the executive branch himself. For almost every false claim Trump made about the vote, Rumor Control had a correction. Ballots could have been destroyed without anyone knowing? Not so, said his own administration — ballots have to be kept for 22 months after the election. Electronic voting machines were not tested and were subsequently manipulated? Not according to CISA — machines underwent testing before and after the vote.
After two weeks of this, Trump fired Krebs, tweeting: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud . . . Therefore, effective immediately, Chris Krebs has been terminated.”
Krebs says he intends to print out the tweet and frame it. But he is less sanguine about what has happened since. After he was fired, Krebs continued to be attacked by Trump’s allies, with the lawyer Joe diGenova telling the rightwing news channel Newsmax that Krebs should be “drawn and quartered”. Death threats started to appear, via tweet, text message and, most disturbingly, through the mail.
Eventually Krebs decided to sue, taking on the Trump campaign, diGenova and Newsmax in a joint defamation lawsuit. The exhibits in that lawsuit, including a hand-drawn picture of a gallows, show the extent to which he has been threatened.
Does he think it is safe for him to walk the streets? “In the era of Covid I can throw on a mask, a hat and sunglasses, and walk around and nobody recognises me . . . At home, yes, I’m worried about my family, my kids, my wife.”
By this time we are on to the espressos. But the cold is pressing in and we are both keen to leave our street-side table. We stand and bump elbows. Then Krebs puts on his hat, pulls up his mask, throws on a pair of sunglasses and melts into the passing crowd.
Kiran Stacey is the FT’s Washington correspondent
Follow on Twitter to find out about our latest stories first
Listen to our podcast, Culture Call, where FT editors and special guests discuss life and art in the time of coronavirus. Subscribe on Apple, Spotify, or wherever you listen