10/24/2011 11:55 AM
Top FBI Cyber Cop Recommends New Secure Internet

Shawn Henry says current Internet will never be secure enough to beat hackers or meet the security needs of critical infrastructure providers.

The current Internet and network architecture were not designed with enough security in mind to meet today's threats, and engineers and policymakers should consider developing an alternate, highly secure version of the Internet for critical infrastructure providers, a senior FBI official told IT security pros Thursday at a conference in Baltimore.

"Computer security has become an endless game of defense which has become incredibly costly and is unsustainable in the long term," Shawn Henry, the executive assistant director for the FBI's criminal, cyber, response, and services branch, said in a speech at an Information Systems Security Association event. "The current system will never be good enough, but it's too late for us to disconnect."

While Henry noted that he didn't have all the answers for how future networks should look, he did sketch out some rough elements, including the use of strict access rules and authentication to ensure that only trusted employees have access to critical infrastructure networks. The network would use the same core infrastructure as the regular Internet. Government, critical infrastructure companies, and the technology industry must work together on its design, he said.
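The sketch above (shared core infrastructure, strict access rules, authentication of every participant) is about as concrete as the article gets, so here is one way those elements fit together in working code. This is an added example, not a design from the FBI, Henry, or anyone quoted on this page: a minimal "enclave gateway" in Go, standard library only, that listens on ordinary TCP/IP but admits a peer only if (a) the peer's certificate chains to the enclave's own CA and (b) the certificate's subject is on an explicit allowlist. Everything in it is constructed for the demonstration: the CA names, "scada-gateway", "operator-42", "contractor-7", the loopback address, the throwaway certificates and the one-byte greeting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert issues a throwaway P-256 certificate for cn, self-signed (a CA) when parent is nil.
func mintCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback gateway address (constructed)
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// enclaveConfig: the peer must chain to the enclave CA (ClientCAs) AND be on the subject allowlist.
func enclaveConfig(gw tls.Certificate, trust *x509.CertPool, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{gw},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || !allowed[chains[0][0].Subject.CommonName] {
				return errors.New("subject not on enclave allowlist")
			}
			return nil
		},
	}
}

// Demo stands up a loopback gateway and reports which of three identities it admits.
func Demo() map[string]bool {
	enclaveCA, outsiderCA := mintCert("Enclave Root CA", nil), mintCert("Public Web CA", nil)
	trust := x509.NewCertPool()
	trust.AddCert(enclaveCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", enclaveConfig(mintCert("scada-gateway", &enclaveCA), trust, map[string]bool{"operator-42": true}))
	check(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Write([]byte{1}) // runs the handshake; nothing is written if the peer is rejected
			c.Close()
		}
	}()
	// join dials the gateway over ordinary TCP/IP as cn, holding a certificate issued by ca.
	join := func(cn string, ca *tls.Certificate) bool {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: trust, Certificates: []tls.Certificate{mintCert(cn, ca)}})
		if err != nil {
			return false
		}
		defer conn.Close()
		// TLS 1.3: the client handshake returns before the server has judged our cert, so a rejection shows up as an alert on this read.
		var b [1]byte
		_, err = conn.Read(b[:])
		return err == nil && b[0] == 1
	}
	return map[string]bool{
		"operator-42 (enclave CA)":  join("operator-42", &enclaveCA),
		"contractor-7 (enclave CA)": join("contractor-7", &enclaveCA),
		"operator-42 (outsider CA)": join("operator-42", &outsiderCA),
	}
}
```

Three identities are tried: an allow-listed operator with an enclave-issued certificate (admitted), a holder of a perfectly valid enclave certificate whose subject is not on the allowlist (rejected by the policy callback), and someone using the allow-listed name but a certificate from an unrelated CA (rejected at chain validation). The point the code makes about the proposal is that "the same core infrastructure as the regular Internet" is fine: nothing here needs a separate physical network, only a trust root the public Internet does not share and a policy layer on top of it. What it does not solve, and what Henry's "compromised insiders" category points at, is an allow-listed operator whose workstation is already owned; that is an endpoint and credential-hygiene problem, not a transport one.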


The idea of a separate or quasi-separate Internet for critical infrastructure has been floated repeatedly over the past year or so. NSA director and Cyber Command commander Gen. Keith Alexander has called for a "secure, protected zone" on the Internet that others have nicknamed "dot secure." Officials and experts discussed the idea at length at a Senate hearing in June.

Henry said that critical infrastructure systems are increasingly under attack, and cautioned that he is concerned that attacks could "paralyze cities" and that "ultimately, people could die." He said, "I know it sounds alarmist, but it's real based on my observations."

Henry said that he was concerned about several primary bad actors, including foreign intelligence services, organized crime groups, terrorist groups, and compromised insiders. He cited a recent attack in which a foreign intelligence service likely compromised 10 years' worth of research at a company, and another in which attackers got past the encryption of a major multinational financial company, stayed resident on its network for months, and stole millions.

"I couldn't tell you the number of times we've walked into a company and told them that they'd been breached, in many cases for months at a time, and they have no idea," Henry said.

The FBI has made cybersecurity a top priority in recent years. It now has "cybersquads" in every field office, and has made a point of hiring technologists and training them as agents. The FBI is also partnering widely with private sector and foreign organizations, and has employees embedded with police in countries such as Estonia and Ukraine.

FBI officials are also increasingly monitoring threats rather than just responding to individual intrusions, and have recently succeeded in heading off attacks before they occurred, Henry said.

Comments

IDmachines, 10/27/2011 | 1:19:28 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
DNSSEC with PIV-I (PIV) credentials perhaps along with an entity validation infrastructure to support it?

JWiewiora, 10/25/2011 | 4:13:40 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
This idea reminds me of the days of private frame relay and ATM (not automatic teller machines but asynchronous transfer mode) networks. A "secure internet" concept could actually be a positive step towards securing those networks. The big question is whether the critical infrastructure sector will pay the additional costs of building and sustaining this separate network. Most moved away from private networks to save money, but is the cost of a hack and the possibility of loss of life driving a shift back to private networks? And a big question is how long it will be before the hackers figure out how to infiltrate the secure internet as well.

I've recently blogged about providing network access to mobile devices, which you can read here: http://blogs.unisys.com/securi...

-Patricia Titus, VP and CISO for Unisys