Ex-FBI agent tells hackers to 'step up' against cyberattacks

Former bureau official says hackers working for corporations have a duty to defend all the U.S. networks.

Elinor Mills
Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
3 min read
Shawn Henry sounds a call-to-action for security professionals to pursue "the adversary," during the Black Hat 2012 Day One keynote presentation.
Shawn Henry sounds a call-to-action for security professionals to pursue "the adversary," during the Black Hat 2012 Day One keynote presentation. Seth Rosenblatt/CNET

LAS VEGAS -- With all the intensity and sincerity of a drill sergeant rallying his troops to war, former FBI Executive Assistant Director Shawn Henry urged hackers to do their part to fight the biggest cybermenace out there: cadres of unknown attackers infiltrating government and corporate networks to steal data and potentially do worse.

"I implore all of you to be committed to your cause, because the stakes are too high. And I believe our failure to step up is a failure to society," Henry, wearing a business suit and sporting a shaved head, told the crowd during the keynote presentation that started off the 15th annual Black Hat security conference here. "Our failure to do so means people are going to get hurt and people are going to die."

The keynote started with video footage of members of the FBI's critical incident response group leaping from helicopters, shooting guns, setting off incendiaries, and doing other very loud things in unidentified places. Henry said that when he led that unit he learned that "we need warriors to fight the enemy."

Now the threat from computer network exploitation and computer attacks is the most significant threat society faces, other than a weapon of mass destruction going off, because so much data integral to our lives is stored electronically and is thus vulnerable, he said. And despite all the news of consumer passwords leaked and credit card data being stolen, 90 percent of the computer-based attacks affect classified systems, he added.

The attackers can range from anybody with a $500 laptop and an Internet connection to terrorist groups hell-bent on pulling off the cyber-equivalent of September 11, he said. Meanwhile, it's business as usual for many organizations. "We need to have a paradigm shift in the way we all do business," Henry said.

Companies can't just rely on defending the perimeter of their networks with firewalls anymore, Henry said, without providing too many specifics (though more detail may come from his new security firm, CrowdStrike, which he surprisingly did not plug in his keynote speech). In more general terms, he said companies need to be more proactive. And no, he's not talking about hacking back against other countries that appear to be launching the attacks in a strike back kind of action.

"There is a lot we can do to create a hostile environment for an adversary, maybe it's denial and deception," such as allowing cybercriminals to steal decoy files, he suggested. He also praised efforts at shutting down botnets by seizing command-and-control servers . "I would argue that your data is being held hostage and that the life of your organization is at risk."

So, defense starts in the corporate network and it's up to the elite cyberwarriors in the audience to put this battle front and center, he seemed to be saying.

"I can only ask you to stand side by side to protect that line between good and evil. People might think I'm being dramatic, but I believe it," Henry said. You have a responsibility and an obligation to your company, to your customers, to your families, to your co-workers. You have an obligation, because if we don't do that, bad things are going to happen. This is the time to step up. Together we can change this game."

The polite applause and lack of rousing cheers afterward could be seen as a sign that Henry's keynote failed to strike a chord among the mild mannered security researchers and corporate white hat hackers in the audience. Several other speakers, however, had no trouble expressing their opinion.

"I lose my cool when I hear people from the government, or formerly from the government, say the private sector needs to step up" Marcus Ranum, chief of security for Tenable Security, said in a panel following the keynote presentation. "Providing for the common defense is what the government is supposed to do."

Bruce Schneier, founder of Counterpane Internet Security, concurred, saying: "He's right (pointing to Ranum). Government needs to step in and do the national security stuff."