Risk
10/24/2011
11:55 AM

Top FBI Cyber Cop Recommends New Secure Internet

Shawn Henry says current Internet will never be secure enough to beat hackers or meet the security needs of critical infrastructure providers.

The current Internet and network architecture were not designed with enough security in mind to meet today's threats, and engineers and policymakers should consider developing an alternate, highly secure version of the Internet for critical infrastructure providers, a senior FBI official told IT security pros Thursday at a conference in Baltimore.

"Computer security has become an endless game of defense which has become incredibly costly and is unsustainable in the long term," Shawn Henry, the executive assistant director for the FBI's criminal, cyber, response, and services branch, said in a speech at an Information Systems Security Association event. "The current system will never be good enough, but it's too late for us to disconnect."

While Henry noted that he didn't have all the answers for how future networks should look, he did sketch out some rough elements, including the use of strict access rules and authentication to ensure that only trusted employees have access to critical infrastructure networks. The network would use the same core infrastructure as the regular Internet. Government, critical infrastructure companies, and the technology industry must work together on its design, he said.


The idea of a separate or quasi-separate Internet for critical infrastructure has been discussed for more than a year. NSA director and Cyber Command commander Gen. Keith Alexander has called for a "secure, protected zone" on the Internet that others have nicknamed "dot secure." Officials and experts discussed the idea at length at a Senate hearing in June.

Henry said that critical infrastructure systems are increasingly under attack, and cautioned that he is concerned that attacks could "paralyze cities" and that "ultimately, people could die." He said, "I know it sounds alarmist, but it's real based on my observations."

Henry said that he was concerned about several primary bad actors, including foreign intelligence services, organized crime groups, terrorist groups, and compromised insiders. He noted a recent attack in which a foreign intelligence service likely compromised 10 years' worth of research at a company, and another in which attackers breached the encryption capabilities of a major multinational financial company and remained resident on the network for months, stealing millions.

"I couldn't tell you the number of times we've walked into a company and told them that they'd been breached, in many cases for months at a time, and they have no idea," Henry said.

The FBI has made cybersecurity a top priority in recent years. It now has "cybersquads" in every field office, and has made it a point to hire technologists and teach them to become agents. The FBI is also partnering widely with private sector and foreign organizations, and has FBI employees embedded with police in countries like Estonia and the Ukraine.

FBI officials are also increasingly monitoring threats rather than just responding to individual intrusions, and have had recent success in preventing attacks before they occur, Henry said.

Comments
IDmachines,
User Rank: Apprentice
10/27/2011 | 1:19:28 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
DNSSEC with PIV-I (PIV) credentials perhaps along with an entity validation infrastructure to support it?
JWiewiora,
User Rank: Apprentice
10/25/2011 | 4:13:40 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
This idea reminds me of the days of private frame relay and ATM (not automatic teller machines but asynchronous transfer mode) networks. A "secure internet" concept could actually be a positive step towards securing those networks. The big question is whether the critical infrastructure sector will pay the additional costs of building and sustaining this separate network. Most moved away from private networks to save money, but is the cost of a hack and the possibility of loss of life driving a shift back to private networks? And a big question is how long it will be before the hackers figure out how to infiltrate the secure internet as well.

I've recently blogged about providing network access to mobile devices, which you can read here: http://blogs.unisys.com/securi...

-Patricia Titus, VP and CISO for Unisys