- Shawn Henry
- Executive Assistant Director
- Federal Bureau of Investigation
- Information Systems Security Association International Conference
- Baltimore, Maryland
- October 20, 2011
Remarks as prepared for delivery.
Good afternoon. I appreciate the opportunity to be here with you today to discuss the cyber threat, the challenges it presents, and some alternative ideas for mitigating it.
The Cyber Threat
Some of the most critical threats facing our nation today emanate from the cyber realm. We’ve got hackers out to take our personal information and money, spies who want to steal our nation’s secrets, and terrorists who are looking for novel ways to attack our critical infrastructure.
President Obama called the cyber threat one of the most serious economic and national security challenges we face as a nation.
I believe the cyber threat is an existential one, meaning that a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people.
While it may sound alarmist, the threat is incredibly real, and intrusions into corporate networks, personal computers, and government systems are occurring every single day by the thousands.
We see three primary actors in the cyber world: foreign intelligence services, terrorist groups, and organized crime enterprises. Dozens of countries have offensive cyber capabilities, and their foreign intelligence services are generally the most capable of our cyber adversaries.
Their victims run the gamut from other government networks to cleared defense contractors to private companies from which they seek to steal secrets or gain competitive advantage for their nation’s companies.
One company that was recently the victim of an intrusion determined it had lost 10 years’ worth of research and development—valued at $1 billion—virtually overnight.
Terrorist groups are interested in impacting this country through a digital attack the same way they’ve done historically through kinetic attack; they’re always looking for creative ways to harm us. Some say they currently don’t have the capability to do it themselves. But the reality is that capability is available on the open market. And as 9/11 taught us, we can’t assume that just because something hasn’t been done before, it isn’t a possible threat.
Organized crime groups, meanwhile, are increasingly migrating their traditional criminal activity from the physical world to the computer network. Rather than breaking into a bank with guns to crack the safe, they breach corporate networks and financial institutions to pilfer boatloads of data, including user credentials, personally identifiable information, and corporate secrets, which they can monetize.
These groups, often made up of individuals living in disparate places around the world, have stolen hundreds of millions of dollars from the financial services sector and its customers. Their crimes increase the cost of doing business, put companies at a competitive disadvantage, and create a significant drain on our economy.
The value of thefts via hacking the financial services sector or its customers far exceeds that of physical bank robberies many, many times over.
In one of the most sophisticated and organized attacks on the financial sector, an international network of hackers obtained access to a financial corporation’s network and completely compromised its encryption. They were inside the system for months doing reconnaissance, which enabled them to steal millions of dollars in less than 24 hours when they finally took overt action.
Another major international hacking group used an Automated Clearing House (ACH) wire transfer system to access online commercial banking accounts and distribute malicious software that led financial institutions to lose nearly $70 million.
These cases illustrate how the offense far outpaces the defense in the cyber realm. And, unfortunately, under the current Internet infrastructure, we haven’t been able to “tech” our way out of it. It’s very difficult to put a price tag on all this in the aggregate, but several consultancies have actually tried to quantify it.
The 2011 Norton Cybercrime Report put the global cost of cyber crime at nearly $400 billion a year, and found that there are more than one million victims of cyber crime every day.
And a study released in August by the Ponemon Institute found that the number of attacks on companies it surveyed this year was up 45 percent from last year and cost 70 percent more to fix. On average, each attack took 18 days and $416,000 to fix.
And that’s only the tip of the iceberg, because what I’ve referred to so far relates to remote access attacks. The reality is our adversaries use multiple attack vectors, including the supply chain, trusted insiders, and proximity attacks to target the network and its very valuable data.
Mitigating the Threat
So now that I’ve painted this grim picture, you’re probably asking, “What are we doing about it and what more should we be doing?”
Despite the fact that our adversaries’ capabilities are at an all-time high, the good news is we have made combating this challenge a top priority not only of the FBI, but the entire U.S. government. We are devoting significant resources to it. And our partnerships among government, industry, and academia have also led to a dramatic improvement in our ability to mitigate the threat.
For our part, the FBI has formed cyber squads in each of its 56 field offices, with more than 1,000 advanced cyber-trained FBI special agents, intelligence analysts, and forensic examiners. We have increased the capabilities of our employees by selectively seeking candidates with technical skills and enhancing our cyber training.
As an agency with both national security and law enforcement responsibility, the FBI is well-positioned to address the cyber threat. The anonymity of the Internet often creates challenges in determining exactly who the adversary is, but our authorities and capabilities allow us to investigate and target criminal, foreign intelligence, and terrorist actors alike.
But we recognize that we can’t do it alone. Through the FBI-led National Cyber Investigative Joint Task Force (NCIJTF), we coordinate our efforts and bring to bear the resources of 20 agencies.
The task force operates using Threat Focus Cells—small groups of agents, officers, and analysts from different agencies. They are subject-matter experts who are focused on very specific threats.
Through the NCIJTF, the FBI has collected real-time intelligence that has been incredibly valuable for the protection of our networks.
We’ve also forged tremendous relationships with the private sector, and through much more robust information sharing, we’ve prevented attacks before they’ve occurred. I can’t tell you how many times we’ve gone to a company and told them they were breached, and where the intruder was on their network, and they were shocked to hear it.
And because there is often a foreign nexus to cyber crime, we are working closely with our international law enforcement partners. In fact, we’ve physically embedded FBI agents in foreign police agencies around the world to investigate cyber intrusion jointly, including in Estonia, the Netherlands, Romania, and Ukraine.
Each year, we are training and collaborating with approximately 500 foreign law enforcement officers from more than 40 nations in cyber investigative techniques.
Return on Investment
I’m pleased to say we’re having success. In 2010, we arrested 202 criminals specifically for cyber intrusion—up from 159 in 2009. In addition, our foreign law enforcement partners made dozens and dozens of arrests last year based on intelligence we’ve shared with them. And we obtained a record level of financial judgments for those cases in excess of $100 million.
Those arrests included five of the world’s top cyber criminals. Among them were the perpetrators of the financial services company intrusion I mentioned earlier, which resulted in one of the first hackers extradited from Estonia to the United States.
We also worked with our industry partners and our law enforcement counterparts in the Ukraine, the United Kingdom, the Netherlands, and elsewhere to apprehend those responsible for the ACH fraud scheme I talked about. Operation Trident Breach targeted more than 50 of the world’s most prolific cyber and organized crime subjects. We and our international partners carried out arrests, interviews, searches, and evidence seizures in 24 cities in 12 countries.
We are also employing novel ways of combating the threat. In Operation Coreflood, the FBI worked with our private sector and law enforcement partners to disable a botnet that had infected an estimated two million computers with malicious software. The malware on this Coreflood botnet allowed infected computers to be controlled remotely by criminals to steal private personal and financial information from unsuspecting users. In an unprecedented move, the FBI seized domain names, re-routed the botnet to FBI-controlled servers, and responded to commands sent from infected computers in the United States, telling the zombies to stop the Coreflood software from running. The success of this innovative operation will help pave the way for future cyber mitigation efforts and the development of new “outside the box” techniques.
Going forward, the U.S. government as a whole is collaborating to sharpen our focus on the cyber threat.
In May, the White House issued a proposed package of legislation aimed at enhancing the security of the nation’s networks and infrastructure and increasing penalties for cyber crime. The administration also released its International Strategy for Cyberspace, which outlines the U.S. government’s vision for the future of cyberspace and sets an agenda for partnering with other nations to realize it.
Managing the Risk
But is all this enough? Because if we have to get involved in a response capacity, something bad has already happened.
Before it was created, the Internet was something very few people could have imagined. To keep pace with our adversaries, we have to continue to think on that level to mitigate the cyber threat.
This is arguably the greatest invention of our lifetime, but it can be a dangerous place, as we’ve all seen. I believe it’s key that we recognize the risk in the environment we’re working in and learn to manage that risk.
That means we must divide our resources and efforts to reduce each of the factors that put us at risk.
To do so, it’s important to understand the classic risk formula, which states, ‘risk equals threat times vulnerability times consequence.’
If we lower any of those three variable factors, we lower the risk. If we can completely eliminate any of those variables, we eliminate risk. But that’s virtually impossible, so we must adopt a defense-in-depth approach—lowering each of the three.
This is where we have to work together—kind of like a zone defense.
Think of the risk model in terms of protecting your house from being robbed: If there are no burglars in your area, you’ve dropped the threat to zero. So you wouldn’t need to spend money on a security system. And you might even leave your doors unlocked to save yourself time getting in and out.
Not because you don’t have any valuables, but it doesn’t matter how vulnerable you are because you don’t have any threat actors.
If, all of a sudden, you get reports that there are burglars operating in your area, and people’s homes are being broken into, then you begin worrying about vulnerabilities because you know there’s a threat. You start locking the doors. You leave the outside lights on. Maybe you put in an alarm system. You might move certain valuables out of your house to a safety deposit box, or even install a safe.
Or you create a community watch to look out for the bad guys and protect not just your own property, but the whole neighborhood. Maybe you even move to a gated community with a 24/7 security guard that checks IDs at the gate. You’ve reduced your threats and vulnerabilities to counter the risk.
Consequence management, then, assumes that despite your best efforts to eliminate the threat and reduce your vulnerabilities, the bad guy still gets in.
So now you manage those consequences—you purchase homeowner’s insurance to replace the valuables you may lose. Or you might put in a hidden camera to catch the thief in the act. That won’t stop your valuables from being stolen, but might lead you to be able to recover them afterward.
Translating those concepts to the cybersecurity realm, we’ve already established that the threats exist and are increasing. So we could reduce the threat by taking a law enforcement, intelligence, or economic action to prevent or deter an adversary from acting. We took 202 threats off the playing field last year, but clearly, the threat continues.
So how do we lower the vulnerabilities to the cyber threat? It requires hardening the targets, including protecting the supply chain. It could entail keeping certain pieces of information off the network—maybe in a physical safe. Do you really need the 100-year-old recipe for the secret sauce stored on the network?
Managing the consequences of a cyber attack entails minimizing the harm that results when an adversary does break into a system.
An example would be encrypting data so the hacker can’t read it, or having redundant systems that can readily be reconstituted in the event of an attack.
In all cases, those who have addressed these individual risk factors have an opportunity to share information with others in order to lower our collective risk.
I said earlier that under the current Internet structure, we can’t tech our way out of the cyber threat. But what if the playing field were changed?
There is a growing sense among a number of subject-matter experts that the current Internet environment is simply not sustainable.
One proposal has been to begin exploring alternate, highly secure Internet options that focus on more easily spotting and tracking the threat actors, and then providing the law enforcement and intelligence communities and others the tools they need to mete out justice and deter future attacks.
Going back to the concept of alternatives, let’s think of it in terms of the crime in the neighborhood analogy. Some people live in communities that have heightened security by focusing on who can enter at guarded posts—only certain people get in, and the rules to do so are stringent. They look for bad guys and report them to the police. These types of alternate security models can translate meaningfully to the Internet as well.
The reason the Internet is the way it is now is based on decisions made by those who developed it. They purposely allowed for anonymity, and there are legitimate reasons for wanting to keep it that way for some users and for some uses of the Internet. There are users for whom maintaining their privacy is worth the risk of intrusions into their computers or networks.
But for those critical uses of the Internet where intrusions are entirely unacceptable because the risk of compromise is so high, market-driven factors need to be explored; businesses must seek the solutions and options they want and need.
Electric power grid operators, for example, would likely opt for higher-trust models that don’t foster anonymity, but instead promote assurance and attribution.
Assurance provides the ability to detect changes in data or hardware, and attribution provides the ability to determine who’s on the network and who made any changes on it.
Right now, computer security has become an endless game of defense, which is both costly and unsurvivable in the long term if the status quo remains. Going after the threat actor is an absolutely necessary part of the risk equation, and one that can be made far more effective with alternate architectures.
Under the current environment, victims are often focused on how to get malware off their systems and on finding out what was taken. But what they should be asking is, ‘What was left behind? And did it change my data?’ Most users have no idea whether their software, hardware, or data integrity has been altered. Our current networks were never designed to detect that type of deviation.
So it’s critical to note that attribution without assurance is useless. It doesn’t do you any good to know who did it if you don’t know what they did and how to look for it.
A key question in establishing alternate Internet models is how you prevent users of both platforms from contaminating the secure one.
As many of you know, we’ve seen cases in which removable media have introduced malware from unclassified government systems onto classified ones.
To avoid this in alternate security environments, it would be critical that the networks lack interoperability. Imagine if you will a virtual version of the pumps at gas stations that offer both diesel and regular gasoline. You can’t even fit the diesel nozzle into a regular gas tank. It’s idiot-proof. If you don’t provide that kind of barrier on your new system, you would always be susceptible to human error. All users would need to adopt the same standards.
The trend toward cloud computing and new environments could present an opportunity to begin trying and testing new architectures.
U.S. innovation and ingenuity created the Internet, which is now a global phenomenon that has provided tremendous opportunities. With it, however, have come tremendous security challenges to certain users. For them, the current system will never be good enough. But it’s too late to disconnect. It’s not possible to be offline anymore, and there’s currently no alternative.
I don’t have the answers about how to build greater choices in the security architectures used today, but I do feel strongly that the discussions must begin now. I’ll leave the solution to the potential customers, the technologists, and the entrepreneurs. I’ve outlined just a few of the issues that should be considered. But I challenge you to continue the discussion about whether there is a need and enough demand to develop alternate networked environments that rely less on playing defense, and rely more on discovering and capturing threat actors so they change their own risk calculus on whether cyber crime pays.
We must continue to push forward, because our adversaries are relentless. They want our money, our property, and our secrets, and some seek to harm us well beyond that. Together, we can turn the tide against them and bolster the security of our nation’s information, networks, and infrastructure. Thank you.