Friday, March 30, 2012

U.S. "Not Winning" the Battle With Hackers

By Devlin Barrett of The Wall Street Journal: "The FBI's top cyber cop offered a grim appraisal of the nation's efforts against hackers: "We're not winning," FBI Assistant Director Shawn Henry said. The current public and private approach to fending off hackers is "unsustainable." Criminals are simply too talented and defensive measures too weak.

His comments came as Congress considers two competing bills designed to buttress the networks for critical infrastructure, such as power plants and nuclear reactors. Though few experts disagree on the need for security improvements, business advocates have argued that the new regulations called for aren't likely to better protect networks.

Mr. Henry said companies need to make major changes in the way they use networks to avoid further damage to national security and the economy. Too many companies fail to recognize the risks they are taking. "I don't see how we ever come out of this without changes in technology or changes in behavior. You never get ahead, never become secure, never have a reasonable expectation of privacy or security".

James A. Lewis, at the Center for Strategic and International Studies, said that, as gloomy as Mr. Henry's assessment may sound, "I am actually gloomier. I think we've lost the opening battle with hackers." Mr. Lewis said he didn't believe there was a single secure, unclassified computer network in the U.S.

Mr. Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed. "We have found their data in the middle of other investigations," he said. "In many cases, they've been breached for many months, in some cases years." But even when companies build up their defenses, their systems are still penetrated, he said. "We've been playing defense. You can only build a fence so high, and we've found that offense outpaces, and is better than, defense," he said.

Testimony Monday before a government commission assessing Chinese hackers underscored the dangers. Richard Bejtlich of Mandiant, a cybersecurity company, said that in cases where intrusions were traced back to Chinese hackers, 94% of the companies didn't realize they had been breached until someone told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year.

In 2010, a group of Chinese hackers breached the network of the US Chamber of Commerce, and gained access to everything stored on its systems, including info on its three million members. In the debate over cybersecurity legislation, the Chamber has argued for a voluntary, non-regulatory approach.

The FBI's Mr. Henry said there are some things companies need to change immediately. He said their most valuable data should be kept off the network altogether. And companies need to do more than just react to intrusions. Companies "need to be actively hunting inside the perimeter of their network". Companies also need to get their entire leadership involved. "If leadership doesn't say, 'This is important, let's come up with a plan right now; let's have a strategy,' then it's never going to happen".