Shaun Henry, the FBI’s top cyber cop and executive assistant director responsible for cyber, told the Wall Street Journal (WSJ) that “we’re not winning” and that the current approaches being used by the public and private sectors are: “… Unsustainable. Computer criminals are simply too good and defensive measures too weak to stop them.”
The WSJ article entitled: U.S. Outgunned in Cyber War also reported that Henry said:
“"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security…
We have found their [company] data in the middle of other investigations. They are shocked and, in many cases, they've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially….''
Meanwhile, other leading experts are sounding similar alarms. Richard Clark, former cybersecurity and cyberterrorism advisor to the White House, testified that “your government has failed you. Every major company in the United States has already been penetrated by China."
In an interview with the Smithsonian.com, Richard Clark goes further:
“I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial….
My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China....After a while you can’t compete.”
Finally, the National Security Agency (NSA) chief, General Keith Alexander told U.S. Senators that that the Chinese were behind the RSA attacks last year.
“The attack against RSA, in which the attacker conducted a spearphishing campaign that sent disguised emails containing malware that installed backdoors via a zero-day Adobe Flash exploit, indicates a high level of sophistication by China's hackers, according to Alexander. ‘The ability to do it against a company like RSA is such a high-order capability that, if they can do it against RSA, that makes other companies vulnerable,’ he said.
… The NSA director admitted that the government needed more real-time capabilities to work with private sector organizations to stop cyber attacks, and perhaps more authority to take action. He cited an attack in which an "adversary" was attempting to exfiltrate 3 gigabytes of data from a defense contractor in a foreign country, and DOD processes for communicating with that company were too manual.”
Taken together these quotes tell a pretty scary security story. I don't (generally) like to spread cyber fear, but these latest headlines and interviews are even a level worse than what I've seen in the past. Clearly, we need to adapt to the new global cyber attack environment.