"Computer security has become an endless game of defense which has become incredibly costly and is unsustainable in the long term," Shawn Henry, the executive assistant director for the FBI's criminal, cyber, response, and services branch, said in a speech at an Information Systems Security Association event. "The current system will never be good enough, but it's too late for us to disconnect."
While Henry noted that he didn't have all the answers for how future networks should look, he did sketch out some rough elements, including the use of strict access rules and authentication to ensure that only trusted employees have access to critical infrastructure networks. The network would use the same core infrastructure as the regular Internet. Government, critical infrastructure companies, and the technology industry must work together on its design, he said.
The idea of a separate or quasi-separate Internet for critical infrastructure is one that has been tossed around some over the last year-plus. NSA director and Cyber Command commander Gen. Keith Alexander has called for a "secure, protected zone" on the Internet that others have nicknamed "dot secure." Officials and experts discussed the idea at length at a Senate hearing in June.
Henry said that critical infrastructure systems are increasingly under attack, and cautioned that he is concerned that attacks could "paralyze cities" and that "ultimately, people could die." He said, "I know it sounds alarmist, but it's real based on my observations."
Henry said that he was concerned about several primary bad actors, including foreign intelligence services, organized crime groups, terrorist groups, and compromised insiders. He noted a recent attack in which a foreign intelligence service likely compromised 10 years' worth of research at a company, and another that breached the encryption capabilities of a major multinational financial company and was resident on the network for months, stealing millions.
"I couldn't tell you the number of times we've walked into a company and told them that they'd been breached, in many cases for months at a time, and they have no idea," Henry said.
The FBI has made cybersecurity a top priority in recent years. It now has "cybersquads" in every field office, and has made it a point to hire technologists and teach them to become agents. The FBI is also partnering widely with private sector and foreign organizations, and has FBI employees embedded with police in countries like Estonia and the Ukraine.
FBI officials are also increasingly monitoring threats rather than just responding to individual intrusions, and have had recent success in preventing attacks before they occur, Henry said.