U.S. intelligence agencies are withholding information that could help American businesses fend off threats to their computer networks, the FBI’s former top cybersecurity official says.
“I understand the need for the government to protect sources and methods of how they may have collected some of this information, some of this actionable intelligence,” said Shawn Henry, former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch. “But U.S. corporations arguably have the most valuable intellectual property anywhere in the world, and that’s being systematically stolen.
“So the actionable intelligence that the government has — there’s a lot more of it to be shared with the private sector to make them safer.”
The government’s lack of information-sharing with companies was spotlighted last month in a report about the Heartbleed bug, a security flaw that allowed hackers to steal computer users’ passwords and other data.
The National Security Agency had known about Heartbleed for two years before private researchers discovered and repaired it in April, Bloomberg News reported. The NSA used the flaw to exploit computer networks and gain intelligence at the expense of businesses, Bloomberg reported.
Reports about Heartbleed compelled thousands of computer users to change their passwords, the Canadian government to suspend electronic tax filings, and computer companies such as Cisco Systems and Juniper Networks to provide patches to repair their systems.
Intelligence agencies’ ability to conduct covert operations conflicts with business needs to protect online assets and customer data, said Ashkan Soltani, an independent cybersecurity consultant.
“[This issue] highlights the problematic ‘dual missions’ of the NSA,” Mr. Soltani said in an email. “The NSA’s ‘Information Assurance’ division is tasked to defend the nation’s infrastructure and identify/patch vulnerabilities like Heartbleed that would do our infrastructure harm.
“The intelligence directorate’s offensive mission stockpiles these sorts of vulnerabilities in order to attack our adversaries — all the while leaving our unpatched systems exposed. Definitely a conflict of interest and one that’s problematic given that U.S. citizens rely on the same sorts of systems our adversaries do.”
Soon after the Bloomberg report, the Office of the Director of National Intelligence issued a statement denying that the intelligence community had known about the Heartbleed flaw. It said whenever the NSA uncovers a virus or flaw, it’s in the national interest to disclose the vulnerability rather than keep it secret.
However, the White House has said any online vulnerability should be disclosed unless “there is a clear national security or law enforcement need” to keep it under wraps.
Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland, said private companies should understand the occasional need for law enforcement agencies not to disclose information immediately, such as in an operation that exploits a vulnerability to catch a hacker, where revealing the flaw would expose the investigation.
But in light of Heartbleed and concern about other threats that authorities haven’t disclosed, the government “needs to regain the people’s trust and they have to work harder at convincing the private sector that their interests are aligned,” Mr. Katz said.
The FBI says it “routinely shares information” about cyberthreats with the private sector.
“Similarly, companies are encouraged to develop relationships with the FBI, before a cyber intrusion occurs,” the FBI said in an email. “By working together, companies and government can improve cyber defenses against those actors who seek to do our nation and citizens harm.”
Exploiting the gap
Neither the government nor the private sector has a complete picture of online threats, said Mr. Henry, the former FBI official who is now president of CrowdStrike Services, a cybersecurity firm.
The government cannot peer into the many private networks maintained by U.S. companies, and the private sector lacks the government’s intelligence gathering and storage capabilities. Consequently, each sector can see only distinct types of cyberthreats and U.S. enemies can exploit that gap, Mr. Henry said, adding that better communication between businesses and government is needed to detect and combat cyberattacks.
Lawmakers on Capitol Hill have expressed concern that many companies prefer to handle network intrusions internally, and not notify the government or the public, because of fears about reactions from customers, shareholders and competitors.
House and Senate members questioned top managers of Target in hearings this year after the retailer disclosed that it had experienced one of the largest breaches in U.S. history. Hackers broke into its payment systems around Christmas and compromised 40 million customers’ credit and debit card data. Target CEO Gregg Steinhafel resigned last week partly because of fallout from the breach.
Mr. Henry said “blame the victim” attitudes must change if the public and private sectors are to work together on cybersecurity. Many companies are on the front lines of attacks from Russia, China and Iran, which have more technical savvy and finances than the businesses they target, he said.
“Can you imagine if all the houses in the neighborhood were being broken into every single day by a gang that were stealing people’s televisions, raping their family members, and the mayor of the city stood up and said, ‘You haven’t done enough to protect your house. You didn’t have the right alarms on your house, you didn’t have the right locks; therefore, we’re holding you accountable?’” said Mr. Henry. “Can you imagine? That would never happen. The citizens of that community would stand up and say, ‘What are you doing? Where is your chief of police? Why aren’t you arresting people?’
“In cyber, we just say the victims didn’t do enough to protect themselves,” he said.
‘Cyber is merely a weapon’
He said large companies involved in retail, financial markets and electricity distribution must contend with thousands of possible entry points into their computer networks — laptops, desktops, servers, printers, telephones — that hackers can exploit.
“Imagine trying to protect a building with 250,000 doors on it,” said Mr. Henry, who oversaw all of the FBI’s criminal and cyber programs and investigations worldwide. “The target space is so big it’s likely that every company is going to get breached.”
Because a company can’t protect against everything all the time, it needs to focus on its most significant risks, and many of those risks are rooted in the sector in which the company operates, he said.
Organized crime groups in Russia are targeting the financial sector to get personal information they can monetize quickly, he said. Nations including Iran and China are targeting defense and technology companies along with law firms to steal intellectual property.
Terrorists, including al Qaeda, are trying to mobilize “lone wolf” jihadists with computer skills to attack the electric grid or utility companies, he said. Al Qaeda also is training members in computer sciences and is contracting cybersecurity specialists to do its dirty work.
Because of the lack of visibility between private industry and U.S. intelligence networks, the best thing the U.S. can do to deter cybercriminals and defend its networks is to draw some clear “red lines” for nations, Mr. Henry said.
“Cyber is merely a weapon. People talk to me about cyber as if it’s all new. There’s nothing new about organized crime groups, nation-state espionage, terrorists. These are all activities that have occurred dozens of years, hundreds of years, some of them,” he said. “There are more things the U.S. government can do.
“[It] can have some pretty candid conversations with heads of state and other governments about what’s acceptable and what’s not acceptable and what the red lines are,” Mr. Henry said. “Maybe there are some civil actions, maybe there are some economic sanctions or diplomatic measures that are taken. But the government has a responsibility to protect its citizens, and its citizens aren’t being protected in this space.”