Ex-FBI cyberexpert: Potential for digital Pearl Harbor is real
Shawn Henry talks to CNET about why he left public service and joined a private-sector firm, and he predicts that we will see an attack on critical infrastructure that has physical consequences.
After 24 years with the FBI, Shawn Henry retired late last month from his post as executive assistant director of the Criminal, Cyber, Response, and Service Branch of the agency. Today, he announced that he will be working for security startup CrowdStrike.
In a phone interview with CNET today, Henry discusses what he thinks are the biggest cybersecurity threats facing the country and why the bad guys always seem to be one step ahead.
So, what will be your role at CrowdStrike?
I'm going to run their services operation, so president of the services division. CrowdStrike has three parts: technology, intelligence, and services, and I'll be running the services part.
And why go to CrowdStrike?
I've been saying for a long time that the private sector needs to drive innovation and that the market needs to drive changes in the way we do this and take a bigger role in the fight here. When I saw CrowdStrike -- George (Kurtz, CrowdStrike co-founder and CEO) and Dmitri (Alperovitch, co-founder and chief technology officer) contacted me, I had not had a prior relationship with them -- their vision lined up with everything I've been saying for the last several years about the private sector taking a larger role and being proactive rather than merely reactive. Everything kind of came together. The time is right in terms of what is happening. It's a historic time in our nation's history and the depth and breadth of the attacks are such that they require new thinking. I was not actively looking for a job. I'm proud to have been at the bureau for as long as I was there. We've had a number of successes at the bureau and this was an opportunity that just made sense.
We've been hearing references to a "digital Pearl Harbor" for ages. Why haven't we seen that? Will we ever? If so, when?
I first heard that term back in probably 1999 prior to Y2K. When adversaries have access to a network they have the ability to do a number of things to it. Everyone talks about exfiltration of data, which we see on an unbelievable level every single day. But they have the ability to manipulate or change data and to disrupt or destroy the networks the data is carried on or destroy the data. For certain adversaries now, with the access that they have, it makes no sense at this point to cut off that access. That access is so important because of the visibility it gives them into the way we do business, the way our government operates, the way our military operates.
CrowdStrike is going to be serving primarily corporate customers, but government customers as well?
I think we are looking at the government space, but the reality is that anywhere there is a computer network there are people who require these types of services.
How would you explain "digital Pearl Harbor" exactly and what does it entail?
I haven't used that term in the last five years. I can only assume when people are talking about that they are talking about destruction of networks. They're talking about something that has such a magnitude that it has physical consequences. One of the challenges of highlighting this threat with the general public is they often don't see the physical ramifications of these types of attacks. When data is exfiltrated, it's gone but it's also still physically there. The adversary has it but when you open up your folders you see it there, so it doesn't seem real. When people talk about a "digital Pearl Harbor" they are talking about physical ramifications that are really going to get people's attention.
Are we going to see it? When?
I think the capability, the potential for that is absolutely there. I can't predict the future but I can tell you everything I've seen leads me to believe that we are going to continue to suffer these types of damages and an infiltration resulting in real-world physical results is going to occur.
How serious is the Internet-borne threat to critical infrastructure?
I think it's absolutely serious. The backbone of what we do every single day, the essence of what we do, our lives is dependent on critical infrastructure. And I think there are groups that are intent on penetrating that infrastructure and it's a matter of either acquiring or developing the capability. And the networks are inherently vulnerable. The technology is vulnerable. The technologies deployed to run the infrastructure are very complex. The reason we see the level of attacks we see is because there are a lot of vulnerabilities, whether they be software, hardware, human vulnerabilities, application layer vulnerabilities. You can't protect it all. And the offense outpaces the defense. Therefore we are vulnerable. We have to assume that the adversaries are on the networks. It's incumbent upon us to hunt for the adversaries on the network. We can't just continue to build higher walls.
National Intelligence Director James Clapper has said new technologies are outpacing the government's ability to keep up. Do you agree, and if so, what can be done about that?
I agree that the advent of technology makes it very hard to secure at all. Technology is pushed out to the public. Security is not always the first thought in the deployment of that technology. And there are vulnerabilities in technology, which adversaries are constantly poking holes through. They are constantly seeking to exploit those vulnerabilities and you can't just keep putting your finger in the dike. Sooner or later the dike is going to crumble, unless you identify and mitigate the threat.
For consumers what is the biggest cybersecurity threat?
The average consumer is concerned about their personally identifiable information, about their credit card. I think the average consumer needs to be concerned as a citizen and about the threat of the broader infrastructure. The average consumer needs to think about the economy and threats to the economy. They need to be aware of the bigger threat to the way we do business as a society, the way we operate. Everything we do is connected to the networks. And it's much bigger than what the average consumer may think is the threat to them personally.
Americans love to apply the war metaphor -- i.e. winners and losers, arms race -- to every challenge we face, such as drugs, terrorism, cyberthreats. But is it really apt? Is computer security something that will ever truly be winnable?
I don't think so really. No. It's going to be a constant battle and a constant evolution. And it's going to require us to be eternally vigilant. There are some threats I don't think we'll ever get out from under. In the physical world we've been victimized by white collar crime, organized crime, and street gangs. That's been happening for a long time. The threat from spies has been going on for thousands of years. The game has changed a little bit, the players have changed a little bit, and the rules. But it's still the same game. You've got to constantly adapt and change your tactics. Companies need to change the way they better secure themselves by being more proactive and focusing less solely on the perimeter.
Can you comment on how the agency views the threat from Anonymous and other politically motivated hackers? Are they more nuisance or seen as a serious threat?
I don't want to comment on how the FBI sees these things now. There are folks that are part of that process that are better able to make that comment.
It seems that the FBI has started doing intelligence work in other countries and the CIA is doing such work domestically, for instance helping the New York police gather intelligence on citizens. With the increasing lack of walls, particularly in a digital world, how should we redefine the mission of the bureau so it is congruent with its real activities in a borderless world?
The lanes on the road are actually pretty well-defined, I think. The FBI has a role domestically. It collects domestic intelligence. The FBI shares that intelligence with others in the community and I think those lanes are pretty well-defined under policy and statute. The FBI has a role internationally but they do it in partnership with other agencies, both domestic and foreign. But it's all well-described by (various laws) and presidential directives. There's a whole host of parameters and I think they are pretty well-followed.
What have we not covered that we should?
I've seen a tremendous transformation both in the threat and the ability for the government to respond to the threat. I've got nothing but positive things to say about my experience in the FBI. It's been the best experience of my life and I'm proud to have been there. That being said, I make this move to the private sector and to CrowdStrike because I think there's an opportunity for the private sector to do more. We need to do more from development of innovation and development of strategies. There's been a lot of successes but we're still falling behind. Society as a whole is falling behind because there is more data being pushed, more adversaries seeking that data, and there's more technology that has vulnerabilities in it that provides access to an adversary.