Continued from page 1

“Similarly, companies are encouraged to develop relationships with the FBI, before a cyber intrusion occurs,” the FBI said in an email. “By working together, companies and government can improve cyber defenses against those actors who seek to do our nation and citizens harm.”

Exploiting the gap

Neither the government nor the private sector has a complete picture of online threats, said Mr. Henry, the former FBI official who is now president of CrowdStrike Services, a cybersecurity firm.

The government cannot peer into the many private networks maintained by U.S. companies, and the private sector lacks the government’s intelligence gathering and storage capabilities. Consequently, each sector can see only distinct types of cyberthreats and U.S. enemies can exploit that gap, Mr. Henry said, adding that better communication between businesses and government is needed to detect and combat cyberattacks.

Lawmakers on Capitol Hill have expressed concern that many companies prefer to handle network intrusions internally, and not notify the government or the public, because of fears about reactions from customers, shareholders and competitors.

House and Senate members questioned top managers of Target in hearings this year after the retailer disclosed that it had experienced one of the largest breaches in U.S. history. Hackers broke into its payment systems around Christmas and compromised 40 million customers’ credit and debt card data. Target CEO Gregg Steinhafel resigned last week partly because of fallout from the breach.

Mr. Henry said “blame the victim” attitudes must change if the public and private sectors are to work together on cybersecurity. Many companies are on the front lines of attacks from Russia, China and Iran, which have more technical savvy and finances than the businesses they target, he said.

“Can you imagine if all the houses in the neighborhood were being broken into every single day by a gang that were stealing people’s televisions, raping their family members, and the mayor of the city stood up and said, ‘You haven’t done enough to protect your house. You didn’t have the right alarms on your house, you didn’t have the right locks; therefore, we’re holding you accountable?’” said Mr. Henry. “Can you imagine? That would never happen. The citizens of that community would stand up and say, ‘What are you doing? Where is your chief of police? Why aren’t you arresting people?’

“In cyber, we just say the victims didn’t do enough to protect themselves,” he said.

Cyber is merely a weapon’

He said large companies involved in retail, financial markets and electricity distribution must contend with thousands of possible entry points into their computer networks — laptops, desktops, servers, printers, telephones — that hackers can exploit.

“Imagine trying to protect a building with 250,000 doors on it,” said Mr. Henry, who oversaw all of the FBI’s criminal and cyber programs and investigations worldwide. “The target space is so big it’s likely that every company is going to get breached.”

Because a company can’t protect against everything all the time, it needs to focus on its most significant risks, and many of those risks are rooted in the enterprise in which the company operates, he said.

Organized crime groups in Russia are targeting the financial sector to get personal information they can monetize quickly, he said. Nations including Iran and China are targeting defense and technology companies along with law firms to steal intellectual property.

Terrorists, including al Qaeda, are trying to mobilize “lone wolf” jihadists with computer skills to attack the electric grid or utility companies, he said. Al Qaeda also is training members in computer sciences and is contracting cybersecurity specialists to do its dirty work.

Story Continues →