Dark Reading is part of the Informa Tech Division of Informa PLC


10/24/2011
11:55 AM

Top FBI Cyber Cop Recommends New Secure Internet

Shawn Henry says current Internet will never be secure enough to beat hackers or meet the security needs of critical infrastructure providers.

The current Internet and network architecture were not designed with enough security in mind to meet today's threats, and engineers and policymakers should consider developing an alternate, highly secure version of the Internet for critical infrastructure providers, a senior FBI official told IT security pros Thursday at a conference in Baltimore.

"Computer security has become an endless game of defense which has become incredibly costly and is unsustainable in the long term," Shawn Henry, the executive assistant director for the FBI's criminal, cyber, response, and services branch, said in a speech at an Information Systems Security Association event. "The current system will never be good enough, but it's too late for us to disconnect."

While Henry noted that he didn't have all the answers for how future networks should look, he did sketch out some rough elements, including the use of strict access rules and authentication to ensure that only trusted employees have access to critical infrastructure networks. The network would use the same core infrastructure as the regular Internet. Government, critical infrastructure companies, and the technology industry must work together on its design, he said.

The idea of a separate or quasi-separate Internet for critical infrastructure is one that has been tossed around some over the last year-plus. NSA director and Cyber Command commander Gen. Keith Alexander has called for a "secure, protected zone" on the Internet that others have nicknamed "dot secure." Officials and experts discussed the idea at length at a Senate hearing in June.

Henry said that critical infrastructure systems are increasingly under attack, and cautioned that he is concerned that attacks could "paralyze cities" and that "ultimately, people could die." He said, "I know it sounds alarmist, but it's real based on my observations."

Henry said that he was concerned about several primary bad actors, including foreign intelligence services, organized crime groups, terrorist groups, and compromised insiders. He noted a recent attack in which a foreign intelligence service likely compromised 10 years' worth of research at a company, and another that breached the encryption capabilities of a major multinational financial company and was resident on the network for months, stealing millions.

"I couldn't tell you the number of times we've walked into a company and told them that they'd been breached, in many cases for months at a time, and they have no idea," Henry said.

The FBI has made cybersecurity a top priority in recent years. It now has "cybersquads" in every field office, and has made it a point to hire technologists and teach them to become agents. The FBI is also partnering widely with private sector and foreign organizations, and has FBI employees embedded with police in countries like Estonia and the Ukraine.

FBI officials are also increasingly monitoring threats rather than just responding to individual intrusions, and have had recent success in preventing attacks before they occur, Henry said.

Comments
IDmachines
User Rank: Apprentice
10/27/2011 | 1:19:28 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
DNSSEC with PIV-I (PIV) credentials perhaps along with an entity validation infrastructure to support it?
JWiewiora
User Rank: Apprentice
10/25/2011 | 4:13:40 PM
re: Top FBI Cyber Cop Recommends New Secure Internet
This idea reminds me of the days of private frame relay and ATM (not automatic teller machines but asynchronous transfer mode) networks. A "secure internet" concept could actually be a positive step towards securing those networks. The big question is whether the critical infrastructure sector will pay the additional costs of building and sustaining this separate network. Most moved away from private networks to save money, but is the cost of a hack and the possibility of loss of life driving a shift back to private networks? And a big question is how long it will be before the hackers figure out how to infiltrate the secure internet as well.

I've recently blogged about providing network access to mobile devices, which you can read here: http://blogs.unisys.com/securi...

-Patricia Titus, VP and CISO for Unisys