The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said. (Published in the WSJ.)
Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said the current public and private approach to fending off hackers is "unsustainable." Computer criminals are simply too talented and defensive measures too weak to stop them, he said.
His comments weren't directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks for critical US infrastructure, such as electrical power plants and nuclear reactors. Though few cybersecurity experts disagree on the need for security improvements, business advocates have argued that the new regulations called for in one of the bills aren't likely to better protect computer networks.
Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.
"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security," Henry said.
High-profile hacking victims have included Sony Corp., which said last year that hackers had accessed personal information on 24.6 million customers on one of its online game services as part of a broader attack on the company that compromised data on more than 100 million accounts.
Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.
"We have found their data in the middle of other investigations," he said. "They are shocked and, in many cases, they've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially."
Henry said that while many company executives recognize the severity of the problem, many others do not, and that has frustrated him. But even when companies build up their defenses, their systems are still penetrated, he said. "We've been playing defense for a long time. ... You can only build a fence so high, and what we've found is that the offense outpaces the defense, and the offense is better than the defense," he said.