
U.S. Outgunned in Hacker War

Terry Zink

The Wall Street Journal has an interview with the outgoing head of the FBI's cyber crime investigation, Shawn Henry. In it, he gives a blunt assessment of the US's capabilities when it comes to combating online crime, especially data theft and hacking. The article jumps around a bit because it lumps in the Anonymous data hacks with cyber espionage conducted by the Chinese. While both involve hacking, the motivations for each of them are very different:

WASHINGTON — The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is "unsustainable." Computer criminals are simply too talented and defensive measures too weak to stop them, he said.


Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking — or the costs they may have already suffered unknowingly — by operating vulnerable networks, he said.


High-profile hacking victims have included Sony Corp., which said last year that hackers had accessed personal information on 24.6 million customers on one of its online game services as part of a broader attack on the company that compromised data on more than 100 million accounts. Nasdaq, which operates the Nasdaq Stock Market, also acknowledged last year that hackers had breached a part of its network called Directors Desk, a service for company boards to communicate and share documents. HBGary Federal, a cybersecurity firm, was infiltrated by the hacking collective called Anonymous, which stole tens of thousands of internal emails from the company.


Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn't realize they had been breached until someone else told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year, he added.

The more I read around the Internet, the clearer it becomes that cyber security is turning into a central focus. This has pretty big implications for the cloud. Companies that provide cloud services, like Amazon and Microsoft, store not just their own data there but also the data of lots and lots of people from all sorts of organizations. That presents a serious risk for these types of companies, and they must provide mechanisms to:

  1. Protect data by classifying data (something I've written about many times on this blog) and encrypting highly sensitive data.
  2. Restrict access to the data, or at least have procedures and processes for granting it (we're going through this right now and it's a pain-in-the ***).
  3. Harden the perimeter against attacks from the outside by implementing a Secure Development Life Cycle (SDLC) which forces developers to think about security. For example, our own SDLC makes people think about sanitizing user input when accepting data from a web page. I'd say that this bullet point is more important than (2) (but I am biased).

I am biased towards Microsoft's policies because I work here and am familiar with them, but they do seem to have better privacy controls than other big companies like Apple, Google or Facebook, and their SDLC has been copied by other companies, notably Adobe.

The other security meme is "Assume you've been breached." This is something that is less relevant for the cloud. Whereas companies who protect data in the cloud are usually protecting customer data like medical information, credit cards, and other PII, most companies prefer to keep their Intellectual Property in-house. If you're paranoid like me, you wouldn't want to store your uncompiled algorithms and source code on Amazon's web servers (or maybe you would, what do I know?).

But if you assume that you've been breached, what applies? Well, you need to come up with ways to detect breaches, like searching for abnormal behavior among users and unauthorized logins, having security policies for users, and so forth. I'm not as much of an expert in this area, but I do find it interesting. But those things above still apply: access to sensitive data should be restricted so not just any old person can get it.

Let me close with the final paragraph from the article:

Companies also need to get their entire leadership, from the chief executive to the general counsel to the chief financial officer, involved in developing a cybersecurity strategy, Mr. Henry said. "If leadership doesn't say, 'This is important, let's sit down and come up with a plan right now in our organization; let's have a strategy,' then it's never going to happen, and that is a frustrating thing for me," he said.

Completely true. I think that many businesses today either don't think that they are a target or underestimate how valuable their intellectual property is, or how sophisticated the attackers are. Part of implementing a strategy is getting to understand that this is a problem.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.
