The public service video stars Shawn Henry, when he was still head of cyber investigations for the Federal Bureau of Investigation. Bald, blue-eyed, and straight-talking, he stands in what looks like a room full of computer servers, directing his message about the cyber-threats facing corporate America to an imagined audience of CEOs and board directors.

From intellectual property to research and development, “the essence of your [company’s] being is either stored or transmitted electronically, and because of that it’s substantially vulnerable,” he says in the clip. “If I told you there were people in your office rifling through your file cabinets and walking out with boxes of your private business documents, you’d leap from your seat, you’d dial 911, you’d rally your security team, you might even walk over to the office yourself. Yet that is what’s happening every single day.”

It’s all a lead-up to Henry’s top marching order: executives need to roll up their sleeves and make corporate cybersecurity a top priority.

“Try this,” he says. “Grab your executive staff. Talk to your chief information officer, your corporate counsel, your CIO, your CISO about the threat. Ask them: What does this mean to us? What are we doing about it? And more important, what happens if we don’t do anything about it?”

Henry, who retired as executive assistant director from the FBI in March, has been trying to get the private sector’s attention on cybersecurity for a good part of his career. He joined the FBI in 1989 and began working on cybersecurity matters in 1999, during the Y2K frenzy. He ardently believes that the risks facing companies are, in the bigger picture, matters of the country’s economic and national security—and that corporations have to step up their response. The testimony [PDF] he gave last Tuesday at a House of Representatives subcommittee hearing on cyber attacks gives substantial insight as to why: we’re already facing billions of dollars in cyber-crime losses and identity thefts, easily exploitable critical infrastructure, and unrelenting adversaries.

Put another way: this is an iceberg, he told his audience on the Hill, and the tip of that iceberg is what we hear about all the time—credit card theft, identity theft, breached bank accounts. But what’s lurking below the waterline, according to his prepared remarks, is even more dangerous: “The most significant cyber threats to our nation are those with high intent and high capability to inflict damage or even death in the U.S.; to illicitly acquire substantial assets; or to illegally obtain sensitive or classified U.S. military, intelligence, or economic information.”

Now Henry is beating the drum from within the corporate ranks, so to speak, as the new president at CrowdStrike Services, a security technology company that launched this year. Before his retirement, he’d been approached by CrowdStrike’s CEO but wasn’t sure about joining a start-up. His three predecessors at the FBI, after all, went on to become security chiefs at major companies.

But the offer nagged at him. He was intrigued by their technology and the company’s vision. And then it started to click: Between running cyber operations at the FBI, working with the U.S. intelligence community, and going up to the Hill and over to the White House, “I’m constantly surrounded every single day with this incredibly overwhelming threat,” he recalls. “I’m looking at this looming threat, and I’m looking at how do we as a country get out from underneath this big dark cloud, and on my left shoulder is this CEO saying, I’ve got this interesting idea and this interesting technology.”

As his motivational images of deadly icebergs and thieves rummaging through corporate files illustrate, Henry likes to use real-world analogs for these matters. For one thing, it helps close the gap between what the experts say and how people actually conceive of this threat. How could it be, he asks, that the most senior people in the U.S. intelligence community—including General Keith Alexander, the head of the National Security Agency, and General Michael Hayden, former director of the NSA and the Central Intelligence Agency—have sounded these same alarms publicly while so many executives still aren’t taking cyber threats seriously? 

“I’m going to tell you why,” Henry says. “Because people, while they might hear the words, they can’t see it, and they can’t touch it.”

He goes on: “Everybody knows what a bomb looks like. They’ve seen the carnage. But they do not understand when I tell them that there’s somebody inside your network, and they’re stealing all your data. They just don’t know what it means.”

Henry may sound like a messenger of doom, but he absolutely believes physical ramifications of a cyber attack are imminent. “We will see the lights go out somewhere, we will see a water treatment facility go down.”

Though he’s certainly no defeatist. “One of the most basic things companies can do is constantly evaluate their networks every single day,” he explains. Adversaries are already on the inside, and it’s not enough to sweep the network once every few months. He notes the countless times, as an FBI agent, that he knocked on company doors and said: We found your stolen proprietary corporate data on a server elsewhere. Many times, companies didn’t even know the data had been pilfered.

“Unless you’re constantly monitoring the network,” Henry says, “you’re hosed.”

Another thing corporations can do is share more intelligence with law enforcement that will help to identify the human beings behind the cyber-crimes and mitigate the threat they pose. “We do not have a malware problem. We have an adversary problem,” he says. “Because we’re talking about computers, I think people forget that there are people behind these attacks.”

The big thing, though, is that chief executives need to assemble the C-suite in one place and talk. “There are 10 people at an executive leadership level, 10 people in the C-suite who have a section of responsibility for this,” Henry says, “and until one human being pulls all these people around a table and comes up with a comprehensive plan at a macro level, it’s never going to get fixed at each corporation.”
