Cyber-attackers are outpacing the defenders, so it's time to move the critical systems to an alternative Internet that is secure and restricted, an FBI official said.
BALTIMORE - With malicious
perpetrators increasingly devising sophisticated, complex attacks against
critical systems controlling critical infrastructure, such as power plants and
financial institutions, the time has come to consider a new secure alternative
Internet, according to a top government official.
The threats facing critical
systems are not going away, and the systems can never be secure enough to
thwart the attacks completely, Shawn Henry, the executive assistant
director of the Federal Bureau of Investigation, told attendees at an
Information Systems Security Association conference in Baltimore Oct. 20.
Cyber-threats will always evolve and outpace efforts to defend networks, he said.
One way to protect critical
utility and financial systems would be to set up a secure Internet that was
separate from the regular public Internet, Henry said. The alternative Internet
would not allow anonymity, and only known and trusted individuals would have
access to the systems, he said.
"We can't 'tech' our
way out of the cyber-threat," Henry said, noting that not knowing who was
launching the attack made defenses a "challenge."
Attackers, whether they are
cyber-criminals, terrorist groups or cyber-spies, are devising "novel ways"
to steal information and compromise critical infrastructure, Henry said.
Cyber-attacks are an "existential threat" that can put a company out
of business, shut down infrastructure and even kill people, he said. He acknowledged
that he might sound "alarmist," but said it was important to realize
these kinds of attacks are occurring every day and are one of the "most
serious threats" facing the nation.
Terrorist groups have in the
past focused on "kinetic" attacks but are now looking at moving into
cyber-space, according to Henry. Cyber-attacks are cheaper, easier, faster and "much,
much more lucrative" than the old kinetic attacks, he said. While some
people would claim these groups don't have the capability to launch cyber-attacks,
a claim Henry found "arguable," it is actually possible to rent or buy
attack software and infrastructure, or to hire individuals with the skills to launch
attacks.
"Just because something
hasn't been done before doesn't mean they won't do it," Henry said.
The FBI has made
cyber-attacks a top priority, and the agency is working with international
partners and with domestic law enforcement to investigate and track down
cyber-criminals. Information sharing was critical for defense, as the
government shares information about threats with the private sector and
academic institutions to help figure out defenses.
"I can't tell you how
many times we've walked into a company and told them they've been breached, and
they had no idea," and often had been compromised for months, Henry said.
However, everything the FBI was doing was reactive, he said, as something bad
had already happened.
The Internet is "arguably
the greatest invention," but it has become an "incredibly dangerous
place," he said.
"We have to imagine things
that haven't been imagined before" to stay ahead of attackers, Henry said.
Drawing on the physical world for his analogies, Henry said the Internet needs
better community-watch programs, and more gated communities to protect systems
and data. There needs to be less homeowner's insurance, which focuses on
mitigating damage after the threat.
An alternate Internet would
be built with the intention of securing critical systems from Day One. A "guard
post" was necessary to define rules on who can enter the secured
environment and access the systems. Access rules must be strict, and the people
allowed in must aggressively report bad guys and suspicious behavior, Henry
said.
In addition to an alternate
network, the FBI advocates taking highly sensitive data offline altogether,
Henry said, echoing a sentiment expressed by Richard Clarke, former
counter-terrorism czar, last week at the Mandiant Incident Response conference
in Washington, D.C. If vulnerable infrastructure was disconnected from the
Internet, the systems would be much more secure because of the number of
threats that would be removed, Clarke said.