FBI Official Supports Secure Shadow Internet for Critical Systems
Modernizing Authentication — What It Takes to Transform Secure Access
BALTIMORE -- With malicious perpetrators increasingly devising sophisticated, complex attacks against critical systems controlling critical infrastructure, such as power plants and financial institutions, the time has come to consider a new secure alternative Internet, according to a top government official.
The threats facing critical systems are not going away, and the systems can never be secure enough to thwart the attacks completely, Shawn Henry, the executive assistant director of the Federal Bureau of Investigation, told attendees at an International Systems Security Association conference in Baltimore Oct. 20. Cyber-threats will always evolve and outpace efforts to defend networks, he said.
One way to protect critical utility and financial systems would be to set up a secure Internet that was separate from the regular public Internet, Henry said. The alternative Internet would not allow anonymity, and only known and trusted individuals would have access to the systems, he said.
"We can't 'tech' our way out of the cyber-threat," Henry said, noting that not knowing who was launching the attack made defenses a "challenge."
Attackers, whether they are cyber-criminals, terrorist groups or cyber-spies, are devising "novel ways" to steal information and compromise critical infrastructure, Henry said. Cyber-attacks are an "existential threat" that can put a company out of business, shut down infrastructure and even kill people, he said. He acknowledged that he might sound "alarmist," but said it was important to realize these kinds of attacks are occurring every day and are one of the "most serious threats" facing the nation.
Terrorist groups have in the past focused on "kinetic" attacks but are now looking at moving into cyber-space, according to Henry. Cyber-attacks are cheaper, easier, faster and "much much more lucrative" than the old kinetic attacks, he said. While some people would claim these groups don't have the capability to launch cyber-attacks, which Henry found "arguable," it is actually possible to rent or buy attack software and infrastructure, or individuals with the skills to launch attacks.
"Just because something hasn't been done before doesn't mean they won't do it," Henry said.
The FBI has made cyber-attacks a top priority, and the agency is working with international partners and with domestic law enforcement to investigate and track down cyber-criminals. Information sharing was critical for defense, as the government shares information about threats with the private sector and academic institutions to help figure out defenses.
"I can't tell you how many times we've walked into a company and told them they've been breached, and they had no idea," and often had been compromised for months, Henry said. However, everything the FBI was doing was reactive, he said, as something bad has already happened.
The Internet is "arguably the greatest invention," but it has become an "incredibly dangerous place," he said.