Slashdot Mirror


FBI's Top Cyber-cop Says We're Losing the War Against Hackers

New submitter sienrak writes "Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is 'unsustainable.' 'I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,' Mr. Henry said."

9 of 134 comments

  1. Given the previous FBI story... by 3seas · Score: 5, Insightful

    Well of course they are losing the battle... a house fighting against itself will fall.

    1. Re:Given the previous FBI story... by poetmatt · Score: 5, Insightful

      Nah, see it's just a word replaced incorrectly. They're losing the war against profit. "Cybercrime" is just the justification. They want people to spend more money under the guise of counter-terrorism.

    2. Re:Given the previous FBI story... by Anthony+Mouse · Score: 5, Interesting

      Anyone anywhere can come up with a way (if smart and motivated enough) to hack anything anywhere; it is completely different from invading another country or defending your own.

      You're completely right. And the idea of having some incompetent bureaucracy with the power to spy on everyone and shut down the internet is totally insane.

      But let's not just complain about it, shall we? Why don't we do one better?

      Making systems totally secure is a pipe dream, but we can certainly make them more secure. And entirely without a surveillance bureaucracy.

      The key is to understand that secure software is a market failure: Nobody wants to pay for security until after they get hacked, which means software developers have the wrong incentives. The ones that go out of their way to do security right end up going out of business because they get beat to market by the ones that ship the first code that compiles. But let's resist the knee-jerk government reaction to this, which is to pass laws telling everybody what to do. That isn't what's needed here -- the result of any sanctions will be a "teaching to the test" problem where developers do the bare minimum to avoid liability while not actually making secure software, and meanwhile software development is made far more expensive due to regulatory compliance burdens. So forget about that.

      What would actually work? SE Linux. It was produced by the NSA, it's open source, and it makes things more secure. Why don't we spend the money on that sort of thing? Use the carrot, not the stick. Have the NSA provide free, voluntary security audits to major infrastructure providers. Have them produce more software in the nature of SE Linux -- things designed by all those genius cryptographers they already employ, which can subsequently be adopted by everyone everywhere and make things more secure. Fund more software like TOR which can protect privacy, to get such things to the point that they're fast and efficient enough for regular use by everyday people (and screw over enemy countries that censor and oppress in the process). Provide incentives for the more rapid adoption of technologies that increase security, like DNSSEC and IPv6.

      These are the things that have the potential to actually work. If they're actually serious about improving security, and Something Must Be Done, let it be that. Because the last thing we need is another hopeless regulatory bureaucracy.

  2. The new "Think of the Children" by Anonymous Coward · Score: 5, Insightful

    "Privacy and Security". Watch those words, folks. In the name of privacy and security we have already given up bits of both. This yahoo wants us to give up even more. Fear the person who says he can guarantee your privacy and security because first you need to give those up to him.

  3. The Propaganda war has begun by realmolo · Score: 5, Insightful

    Can you feel it? The government wants to get control of the internet, and computers, and all communications devices in general.

    They're going to pretend it's for our safety. They just want to protect us from hackers, after all.

    I'm not a "government is evil" guy, but this is the kind of thing governments typically want to do. And it has to be prevented. Call your congressman.

  4. Refreshingly, he does NOT call for new laws by TheEmperorOfSlashdot · Score: 5, Informative

    He places the blame right where it belongs, on those corporations and government agencies that are too incompetent to design secure computer systems or hire those who can:

    Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.

  5. Don't aim to outrun the bear... by wanderfowl · Score: 5, Insightful

    There are hackers, phishers, spammers, and other untrustworthy people on the internet. The FBI seems to have just realized that they can't prevent them from existing, and now tells us that we'll "never be secure", and people react. But this has always been the case offline as well. There are thieves, murderers, and con-artists, and we can never make them go away either, and as such, here too, we will never be secure.

    That said, if you use common sense, encrypt your important data, don't click links in unsolicited emails, and use a password better than "12345", you'll already be enough of a pain to most "hackers" that they'll not bother, because next door, there's a guy who's got a plaintext full of banking passwords on his desktop with file sharing on.

    There's a saying that if attacked by a hungry bear, you don't need to outrun the bear, just the other people at the campground. Same goes here.

    1. Re:Don't aim to outrun the bear... by mlts · Score: 5, Insightful

      The FBI is also dealing with a lot of businesses who have existed for years with at best paying lip service to computer security.

      I remember a few years back so many PHBs saying, "security has no ROI" like it was a mantra for magic success. Of course when I asked the person about what they do if they do get breached, the answer was invariably, "Call Geek Squad, and they will fix it."

      The sad thing is that there is no real drive for private businesses to focus on actual security. A breach happens, and usually it won't be reported, and if it is, it is because there are thousands of people who got nailed and have hard evidence finding who did it upstream. Even though there are laws to disclose breaches with private info lost, it isn't hard to ignore them -- the company top brass will find a fall guy, and the domain admin password will continue to remain "swordfish". Even if the firm goes bankrupt, it doesn't really matter, because the top brass just finds a niche somewhere else.

      There is also the belief that intruders won't do much damage. A wiped box? Stick in a backup tape. Lost customer info? Not our problem if customers get identity theft issues. Lost source code? The H-1Bs end up copying it to their home soil anyway.

      Until the attitude that security is a cost center with nothing to gain back goes away, it is no wonder that criminal organizations and foreign intel departments are having a field day.

      Ironically, where I see actual improvement in security is in government. The main reason is that government departments (and this applies not just to the US but any country out there) have a lot to lose, especially around election years. Companies can fold and the CEO just moves to a new venture, but a government department that is weak on security will face the wrath of the voters, as well as any elected official that is looking to keep their jobs. In countries that are not democracies, it can mean loss of face for leadership which will be swiftly dealt with.

  6. Businesses need to invest in IT from day 1 by undeadbill · Score: 5, Insightful

    At least, that is what I got out of the warnings in the article. It wasn't about the FBI needing more money, so much as his discussion of the absolutely deplorable state of most business networks. Most businesses, even IT managers within businesses, seem to think that best security practice means sending someone to a Cisco firewall class, putting an ASA into an external facing connection, and passing a security scan as all they need to stop the bad guys. They never really consider what it means to really monitor the health of a network, or have an understanding of how their internal applications operate across their machines, nor are they willing to really invest in the kind of staffing and knowledge needed to make sure their data is actually secure. In the end, they are better off with making that early investment, because that knowledge also translates into fewer expenditures on gimmicky appliances, and a better focus on having things run right. It is a shame that mostly these businesses are blithely whistling past the graveyard.

    Most businesses seem to miss that from the day they replaced their file drawers with a file server, they went from a "widget" company to an IT company that does widgets. It is a subtle but definitive change in how businesses need to focus investments in resources. Unfortunately, most businesses just don't get it. They think because some snake oil dealer slapped "security" on the side of the box that the word means anything.

    What I'd like to see is ACM, the ISC, ISC2 (no relation), and other organizations start pushing for more stringent best practices written into regulation (not law). Basically, if a business doesn't take the effort to invest in their own security, then they should be held liable if they get broken into. Don't expect insurance to pay out. Don't expect to be personally shielded by corporate liability if your client data goes into the wild. On the other hand, if businesses DO meet those standards, then they likewise shouldn't be held liable. I would really like to see the above organizations testifying on the Hill about what that would mean.