U.S. Outgunned in Hacker War

Terry Zink

The Wall Street Journal has an interview with Shawn Henry, the outgoing head of the FBI's cyber crime investigations. In it, he gives a blunt assessment of the US's capabilities when it comes to combating online crime, especially data theft and hacking. The article jumps around a bit because it lumps the Anonymous data hacks in with cyber espionage conducted by the Chinese. While both involve hacking, the motivations behind each are very different:

WASHINGTON — The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is "unsustainable." Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking — or the costs they may have already suffered unknowingly — by operating vulnerable networks, he said.

High-profile hacking victims have included Sony Corp., which said last year that hackers had accessed personal information on 24.6 million customers on one of its online game services as part of a broader attack on the company that compromised data on more than 100 million accounts. Nasdaq, which operates the Nasdaq Stock Market, also acknowledged last year that hackers had breached a part of its network called Directors Desk, a service for company boards to communicate and share documents. HBGary Federal, a cybersecurity firm, was infiltrated by the hacking collective called Anonymous, which stole tens of thousands of internal emails from the company.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn't realize they had been breached until someone else told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year, he added.

The more I read around the Internet, the clearer it becomes that cyber security is becoming a central focus. This has pretty big implications for the cloud. Companies that provide cloud services, like Amazon and Microsoft, store not just their own data but the data of lots and lots of people from all sorts of organizations. That presents a serious risk for these types of companies, and they must provide mechanisms to:

  1. Protect data by classifying it (something I've written about many times on this blog) and encrypting the highly sensitive classes.
  2. Restrict access to the data, or at least have procedures and processes for granting it (we're going through this right now and it's a pain-in-the ***).
  3. Harden what is exposed to outside attackers by implementing a Secure Development Life Cycle (SDLC) that forces developers to think about security. For example, our own SDLC makes people think about sanitizing user input when accepting data from a web page. I'd say that this bullet point is more important than (2) (but I am biased).
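As an added example (not code from the original post), here is how the three mechanisms above fit together in Go: fields are classified into tiers, only the Restricted tier is encrypted (AES-GCM, with the field name bound as additional data so a ciphertext cannot be moved between fields), every read goes through a default-deny role check before any decryption, and the classification table doubles as an allowlist so a field name arriving from a web request cannot reach storage or logs unvalidated. The tier names, field names, roles and policy tables are assumptions made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tier is a data classification level. The tiers and both policy tables below
// are constructed for this example; they are not a scheme from the post.
type Tier int

const (
	Public Tier = iota
	Internal
	Restricted // PII, medical and card data: encrypted at rest, narrow access
)

// Field name -> tier. The map doubles as an allowlist: a field name that is not
// classified, whether typed by a developer or sent by a web client, is rejected.
var classification = map[string]Tier{
	"display_name": Public, "email": Internal,
	"card_number": Restricted, "diagnosis": Restricted,
}

// Tier -> roles that may read it. Default deny: a role not listed here reads
// nothing until somebody goes through the process of granting it.
var tierReaders = map[Tier]map[string]bool{
	Public:     {"support": true, "billing": true, "clinician": true},
	Internal:   {"support": true, "billing": true, "clinician": true},
	Restricted: {"billing": true, "clinician": true},
}

var ErrDenied, ErrUnknownField = errors.New("access denied"), errors.New("unknown field")

// Store holds one record; Restricted fields are kept as nonce||AES-GCM ciphertext.
type Store struct {
	aead   cipher.AEAD
	fields map[string][]byte
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &Store{aead: aead, fields: map[string][]byte{}}, err
}

// Put encrypts only Restricted fields, binding the field name as additional data so a ciphertext cannot be moved to another field.
func (s *Store) Put(name, value string) error {
	tier, ok := classification[name]
	if !ok {
		return ErrUnknownField
	}
	if tier < Restricted {
		s.fields[name] = []byte(value)
		return nil
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.fields[name] = append(nonce, s.aead.Seal(nil, nonce, []byte(value), []byte(name))...)
	return nil
}

// Get checks the access policy first; decryption happens only for an allowed role and fails closed on missing or tampered data.
func (s *Store) Get(role, name string) (string, error) {
	tier, ok := classification[name]
	if !ok {
		return "", ErrUnknownField
	}
	if !tierReaders[tier][role] {
		return "", ErrDenied
	}
	data := s.fields[name]
	if tier < Restricted {
		return string(data), nil
	}
	ns := s.aead.NonceSize()
	if len(data) < ns {
		return "", errors.New("missing or corrupt ciphertext")
	}
	pt, err := s.aead.Open(nil, data[:ns], data[ns:], []byte(name))
	return string(pt), err // tampered, moved or wrong key: pt is nil and err is set
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo only; a real program checks this error
	s, _ := NewStore(key)
	_ = s.Put("diagnosis", "type 2 diabetes")
	fmt.Println(s.Get("support", "diagnosis"))   // "" access denied
	fmt.Println(s.Get("clinician", "diagnosis")) // type 2 diabetes <nil>
}
```

The order of checks in Get is deliberate: the role check comes before the ciphertext is even touched, so a denied caller learns nothing about whether the field exists or decrypts, and a ciphertext copied from one field to another fails authentication because the field name was part of the additional data.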

I am biased towards Microsoft's policies because I work here and am familiar with them, but they do seem to have better privacy controls than other big companies like Apple, Google or Facebook, and their SDLC has been copied by other companies, notably Adobe.

The other security meme is "Assume you've been breached." This is something that is less relevant for the cloud. Companies that protect data in the cloud are usually protecting customer data like medical information, credit cards and other PII, whereas most companies prefer to keep their intellectual property in-house. If you're paranoid like me, you wouldn't want to store your uncompiled algorithms and source code on Amazon's web servers (or maybe you would, what do I know?).

But if you assume that you've been breached, what applies? Well, you need to come up with ways to detect breaches, like searching for abnormal behavior among users, looking for unauthorized logins, having security policies for users, and so forth. I'm not as much of an expert in this area, but I do find it interesting. The points above still apply: access to sensitive data should be restricted so that not just any old person can get it.
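As an added example of the detection side (not from the original post), the following Go program runs three of those checks over a constructed login log: a success preceded by a burst of failures, a success from an IP the user has never used before, and a success outside the user's normal hours. It also flags any account for which nobody has built a baseline, since that is the account an attacker will pick. The log format, user names, addresses, baselines and thresholds are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuthEvent is one parsed login-log line. The line format is constructed for this example.
type AuthEvent struct {
	When                 time.Time
	User, SrcIP, Outcome string // Outcome is "ok" or "fail"
}

// parseLine reads lines like "2012-03-28T02:14:07Z user=bob ip=203.0.113.7 outcome=fail".
func parseLine(line string) (ev AuthEvent, err error) {
	var ts string
	if _, err = fmt.Sscanf(line, "%s user=%s ip=%s outcome=%s", &ts, &ev.User, &ev.SrcIP, &ev.Outcome); err != nil {
		return ev, fmt.Errorf("malformed line %q: %w", line, err)
	}
	ev.When, err = time.Parse(time.RFC3339, ts)
	return ev, err
}

// Baseline is what "normal" looks like for one user (constructed here; in practice learned from history).
type Baseline struct {
	KnownIPs           map[string]bool
	WorkStart, WorkEnd int // hours of day, UTC; normal logins fall in [WorkStart, WorkEnd)
}

const failWindow, failThreshold = 10 * time.Minute, 3
// Detect walks events in time order and emits one alert per suspicious pattern it finds.
func Detect(events []AuthEvent, baselines map[string]Baseline) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	var alerts []string
	fails := map[string][]time.Time{} // failure times per user since that user's last success
	for _, ev := range events {
		if ev.Outcome != "ok" {
			fails[ev.User] = append(fails[ev.User], ev.When)
			continue
		}
		recent := 0 // failures inside the window ending at this success
		for _, t := range fails[ev.User] {
			if ev.When.Sub(t) <= failWindow {
				recent++
			}
		}
		fails[ev.User] = nil
		if recent >= failThreshold {
			alerts = append(alerts, fmt.Sprintf("%s: success from %s after %d failures within %s", ev.User, ev.SrcIP, recent, failWindow))
		}
		b, ok := baselines[ev.User]
		if !ok { // an account nobody has baselined is itself worth a look
			alerts = append(alerts, fmt.Sprintf("%s: successful login by account with no baseline", ev.User))
			continue
		}
		if !b.KnownIPs[ev.SrcIP] {
			alerts = append(alerts, fmt.Sprintf("%s: login from never-before-seen IP %s", ev.User, ev.SrcIP))
		}
		if h := ev.When.UTC().Hour(); h < b.WorkStart || h >= b.WorkEnd {
			alerts = append(alerts, fmt.Sprintf("%s: login at %02d:00 UTC, outside %02d:00-%02d:00", ev.User, h, b.WorkStart, b.WorkEnd))
		}
	}
	return alerts
}

// Constructed sample: alice is normal; bob's password is guessed from a new IP at 2am; an unbaselined service account logs in at 3am.
var sampleLog = []string{
	"2012-03-28T09:02:11Z user=alice ip=198.51.100.20 outcome=ok",
	"2012-03-28T02:14:07Z user=bob ip=203.0.113.7 outcome=fail",
	"2012-03-28T02:14:19Z user=bob ip=203.0.113.7 outcome=fail",
	"2012-03-28T02:14:31Z user=bob ip=203.0.113.7 outcome=fail",
	"2012-03-28T02:15:40Z user=bob ip=203.0.113.7 outcome=ok",
	"2012-03-28T03:00:00Z user=svc_backup ip=10.0.0.5 outcome=ok",
}

var sampleBaselines = map[string]Baseline{
	"alice": {KnownIPs: map[string]bool{"198.51.100.20": true}, WorkStart: 8, WorkEnd: 18},
	"bob":   {KnownIPs: map[string]bool{"198.51.100.21": true}, WorkStart: 8, WorkEnd: 18},
}

// RunSample parses the constructed log and runs detection over it.
func RunSample() []string {
	var evs []AuthEvent
	for _, line := range sampleLog {
		ev, err := parseLine(line)
		if err != nil {
			panic(err) // the sample is constructed, so this would be a bug in this file
		}
		evs = append(evs, ev)
	}
	return Detect(evs, sampleBaselines)
}

func main() {
	for _, a := range RunSample() {
		fmt.Println(a)
	}
}
```

A single failure followed by a success from a known address inside working hours produces nothing, which is the point: the signal comes from comparing against a per-user baseline, not from any one event. The thresholds (10 minutes, 3 failures) are arbitrary and would be tuned against real data, and a malformed line fails the batch rather than being silently skipped, since skipped lines are exactly where an intruder's activity ends up hiding.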

Let me close with the final paragraph from the article:

Companies also need to get their entire leadership, from the chief executive to the general counsel to the chief financial officer, involved in developing a cybersecurity strategy, Mr. Henry said. "If leadership doesn't say, 'This is important, let's sit down and come up with a plan right now in our organization; let's have a strategy,' then it's never going to happen, and that is a frustrating thing for me," he said.

Completely true. I think that many businesses today either don't think that they are a target, or underestimate how valuable their intellectual property is and how sophisticated the attackers are. Part of implementing a strategy is getting to understand that this is a problem.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cloud Computing, Cyberattack, Security
