The public service video stars Shawn Henry, when he was still head of cyber investigations for the Federal Bureau of Investigation. Bald, blue-eyed, and straight-talking, he stands in what looks like a room full of computer servers, directing his message about the cyber-threats facing corporate America to an imagined audience of CEOs and board directors.
"From intellectual property to research and development, the essence of your [company's] being is either stored or transmitted electronically, and because of that it's substantially vulnerable," he says in the clip. "If I told you there were people in your office rifling through your file cabinets and walking out with boxes of your private business documents, you'd leap from your seat, you'd dial 911, you'd rally your security team, you might even walk over to the office yourself. Yet that is what's happening every single day."
It's all a lead-up to Henry's top marching order: executives need to roll up their sleeves and make corporate cybersecurity a top priority.
"Try this," he says. "Grab your executive staff. Talk to your chief information officer, your corporate counsel, your CIO, your CISO about the threat. Ask them: What does this mean to us? What are we doing about it? And more important, what happens if we don't do anything about it?"
Henry, who retired as executive assistant director from the FBI in March, has been trying to get the private sector's attention on cybersecurity for a good part of his career. He joined the FBI in 1989 and began working on cybersecurity matters in 1999, during the Y2K frenzy. He ardently believes that the risks facing companies are, in the bigger picture, matters of the country's economic and national security, and that corporations have to step up their response. The testimony [PDF] he gave last Tuesday at a House of Representatives subcommittee hearing on cyber attacks gives substantial insight as to why: we're already facing billions of dollars in cyber-crime losses and identity thefts, easily exploitable critical infrastructure, and unrelenting adversaries.
Put another way: "This is an iceberg," he told his audience on the Hill, "and the tip of that iceberg is what we hear about all the time: credit card theft, identity theft, breached bank accounts." But what's lurking below the waterline, according to his prepared remarks, is even more dangerous: "The most significant cyber threats to our nation are those with high intent and high capability to inflict damage or even death in the U.S.; to illicitly acquire substantial assets; or to illegally obtain sensitive or classified U.S. military, intelligence, or economic information."
Now Henry is beating the drum from within the corporate ranks, so to speak, as the new president at CrowdStrike Services, a security technology company that launched this year. Before his retirement, he'd been approached by CrowdStrike's CEO but wasn't sure about joining a start-up. His three predecessors at the FBI, after all, went on to become security chiefs at major companies.
But the offer nagged at him. He was intrigued by their technology and the company's vision. And then it started to click: "Between running cyber operations at the FBI, working with the U.S. intelligence community, and going up to the Hill and over to the White House, I'm constantly surrounded every single day with this incredibly overwhelming threat," he recalls. "I'm looking at this looming threat, and I'm looking at how do we as a country get out from underneath this big dark cloud, and on my left shoulder is this CEO saying, 'I've got this interesting idea and this interesting technology.'"
As his motivational images of deadly icebergs and thieves rummaging through corporate files illustrate, Henry likes to use real-world analogs for these matters. For one thing, it helps close the gap between what the experts say and how people actually conceive of this threat. How could it be, he asks, that the most senior people in the U.S. intelligence community (including General Keith Alexander, the head of the National Security Agency, and General Michael Hayden, former director of the NSA and the Central Intelligence Agency) have sounded these same alarms publicly while so many executives still aren't taking cyber threats seriously?
"I'm going to tell you why," Henry says. "Because people, while they might hear the words, they can't see it, and they can't touch it."
He goes on: "Everybody knows what a bomb looks like. They've seen the carnage. But they do not understand when I tell them that there's somebody inside your network, and they're stealing all your data. They just don't know what it means."
Henry may sound like a messenger of doom, but he absolutely believes physical ramifications of a cyber attack are imminent. "We will see the lights go out somewhere, we will see a water treatment facility go down."
Though he's certainly no defeatist. One of the most basic things companies can do is constantly evaluate their networks every single day, he explains. Adversaries are already on the inside, and it's not enough to sweep the network once every few months. He notes the countless times, as an FBI agent, that he knocked on company doors and said: "We found your stolen proprietary corporate data on a server elsewhere." Many times, companies didn't even know the data had been pilfered.
"Unless you're constantly monitoring the network," Henry says, "you're hosed."
Another thing corporations can do is share more intelligence with law enforcement that will help to identify the human beings behind the cyber-crimes and mitigate the threat they pose. "We do not have a malware problem. We have an adversary problem," he says. "Because we're talking about computers, I think people forget that there are people behind these attacks."
The big thing, though, is that chief executives need to assemble the C-suite in one place and talk. "There are 10 people at an executive leadership level, 10 people in the C-suite who have a section of responsibility for this," Henry says, "and until one human being pulls all these people around a table and comes up with a comprehensive plan at a macro level, it's never going to get fixed at each corporation."