Most of what the public is aware of when it comes to cyber security threats and attacks is just the “tip of the iceberg” but the reality is that the worst attacks are never reported publicly, the former head of the FBI’s division that investigates cyber attacks in the United States said recently.
Cyber crime such as stolen credit cards and lost identities is what is commonly reported by the media and that occurs above the water line, which is the “separation between the unclassified and the classified environment,” Shawn Henry, who until last month was the executive assistant director at the FBI’s Criminal, Cyber, Response, and Services Branch, told a House panel. “Thus, the most sophisticated and damaging attacks occur primarily out of the public’s sight.”
Henry, who is now president of the consulting firm CrowdStrike Services, said that when senior government leaders in the intelligence community such as Cyber Command Chief Gen. Keith Alexander and former National Security Agency head Michael Hayden, and others, who have “all seen below the water line” and mention the depth of the cyber security threat, then the country should be concerned.
“The most significant cyber threats to our nation are those with high intent and high capability to inflict damage or even death in the U.S, to illicitly acquire substantial assets, or to illegally obtain sensitive or classified U.S. military, intelligence, or economic information,” Henry told the House Homeland Security Subcommittee on Oversight, Investigations and Management. “These are the threats from foreign intelligence services, and for those I have seen below the waterline.”
Henry told the pane that he could not go into detail about the threats. He believes that most large companies have already suffered cyber breaches, many of which don’t even know it.
Rep. Michael McCaul (R-Texas), chairman of the subcommittee, pointed to China and Russia as the “most aggressive collectors of U.S. economic information and technology.” However, James Lewis, a cyber security expert with the Center for Strategic and International Studies, said he believes that China and Russia are not willing to risk going to war with the United States through cyber attacks.
Instead, Lewis believes, Iran and North Korea represent the biggest threats to the United States through cyber attacks. He said that Iran blames the United States for the Stuxnet malware attacks two years ago against that country’s nuclear development program. He also said that Iran is “trying to create a cyber army.”
Tomorrow, the House Homeland Security Committee will host a hearing on the Iranian cyber threat to the United States.
Some of Henry’s prescriptions for improving the nation’s cyber defense posture include increasing the stakes for cyber attackers by being able to identify them and then “take the fight to them to raise their cost of attack.” He said that adversaries need to be hunted on “our networks,” which means “acquiring a better site picture of the adversary [and] what assets they are targeting.”
Henry said that improving the sharing of intelligence information from the federal government with the private sector broadly is an important component to boosting cyber security, but he believes the key component to any legislation is requiring companies to report data breaches. Currently, companies have to disclose when cyber attacks result in the theft of personal data but not intellectual property
Lewis said that cyber security legislation that will be debated in the House this week is a step in the right direction but said government needs more authorities to require critical infrastructure to have better security. These authorities are lacking in the bills slated to be debated this week as the House leadership prefers to see the private sector adhere to its own self-imposed security standards.
Stephen Flynn, co-director of the homeland security research institute at Northeastern University, said that so far the free market hasn’t been able to create adequate security standards posed by cyber security threats.