The Wall Street Journal has an article up today with an interview with outgoing head of the FBI’s cyber crime investigation Shawn Henry. In it, he has a blunt assessment of the US’s capabilities when it comes to combatting online crime, especially data theft and hacking. The article jumps around a bit because it lumps in the Anonymous data hacks with cyber espionage conducted by the Chinese. While both involve hacking, the motivations for both of them are very different:
WASHINGTON—The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: "We’re not winning," he said.
Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is "unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.
Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.
High-profile hacking victims have included Sony Corp., which said last year that hackers had accessed personal information on 24.6 million customers on one of its online game services as part of a broader attack on the company that compromised data on more than 100 million accounts. Nasdaq which operates the Nasdaq Stock Market, also acknowledged last year that hackers had breached a part of its network called Directors Desk, a service for company boards to communicate and share documents. HBGary Federal, a cybersecurity firm, was infiltrated by the hacking collective called Anonymous, which stole tens of thousands of internal emails from the company.
Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year, he added.
The more I read around the Internet, the more clear it’s becoming at how cyber security is becoming a central focus. This has pretty big implications for the cloud. Companies who provide cloud services, like Amazon and Microsoft, store not just their own data there but the data of lots and lots of people from all sorts of organizations there. That presents a serious risk for these types of companies and they must provide mechanisms to
- Protect data by classifying data (something I’ve written about many times on this blog) and encrypting highly sensitive data.
- Restrict access to the data, or at least have procedures and processes for granting it (we’re going through this right now and it’s a pain-in-the ***).
- Harden the perimeter from attacks from the outside by implementing a Secure Development Life Cycle (SDLC) which forces developers to think about security. For example, our own SDLC makes people think about sanitizing user input when accept data from a web page. I’d say that this bullet point is more important than (2) (but I am biased).
I am biased towards Microsoft’s policies because I work here and am familiar with them, but they do seem to have better privacy controls than other big companies like Apple, Google or Facebook, and their SDLC has been copied by other companies, notably Adobe.
The other security meme is “Assume you’ve been breached.” This is something that is less relevant for the cloud. Whereas companies who protect data in the cloud are usually protecting customer data like medical information, credit cards, and other PII, most companies prefer to keep their Intellectual Property in-house. If you’re paranoid like me, you wouldn’t want to store your uncompiled algorithms and source code on Amazon’s web servers (or maybe you would, what do I know?).
But if you assume that you’ve been breached, what applies? Well, you need to come up with ways to detect breaches like searching for abnormal behavior among users, unauthorized logins, having securing policies for users, and so forth. I’m not as much the expert in this area but I do find it interesting. But those things above apply – access to sensitive data should be restricted so not just any old person can get it.
Let me close with the final paragraph from the article:
Companies also need to get their entire leadership, from the chief executive to the general counsel to the chief financial officer, involved in developing a cybersecurity strategy, Mr. Henry said. "If leadership doesn’t say, ‘This is important, let’s sit down and come up with a plan right now in our organization; let’s have a strategy,’ then it’s never going to happen, and that is a frustrating thing for me,” he said.
Completely true. I think that many businesses today either don’t think that they are a target or underestimate how valuable their intellectual property is, or how sophisticated the attackers are. Part of implementing a strategy is getting to understand that this is a problem.