The Adversary Manifesto recently spoke with Shawn Henry, President of CrowdStrike Services about geopolitics and cybersecurity. Henry is a sought-after expert on cybersecurity who was formerly the executive assistant director for the FBI. While there, Henry boosted the organization’s computer crime and cybersecurity investigative capabilities.
Here’s what he had to say about cybercrime and how it affects states and their relations with their allies and adversaries:
TAM:
Why does it seem that cybersecurity is becoming a fundamental part of national politics, international relations, and geopolitical relations? Shawn Henry (SH): It seems new because there is more media coverage of it, but attention has been paid to the issue of cybersecurity since the early 2000s. What we’ve seen is that as more and more networks become interconnected and more and more organizations build onto their existing infrastructures, the opportunities for adversaries to connect to, infiltrate, and access information increases. Networks aren’t limited to geographic or political boundaries, and there are nation states that are aggressively targeting government, military, and even commercial networks. The cost associated with cybercrime is in the hundreds of billions of dollars just from a financial perspective. In terms of risk, particularly in the case of a national security risk, the cost is hard to calculate. As a result, you have governments increasingly involved in trying to limit the risk. When people ask me about cybercrime, they often think I am only referring to places such as Russia, China, and Iran. They ask, “Well, what about the U.S.? We’ve all heard about Snowden.” My answer to them is that the U.S. isn’t involved in commercial espionage – it isn’t stealing from Toyota and giving that information to General Motors. The U.S. is, on the other hand, often the target of nation states and organized crime groups, some of which may be under the control of nation states, because of our vast and enhanced capabilities in terms of technology and research development in dozens of critical sectors, including healthcare, transportation, energy, communications, and many others. TAM:
What impact does the current high level of geopolitical conflict have on the state of cybersecurity? SH:
When there are tensions, nations often rely on their asymmetrical vectors to provide them with an advantage. So if there is a conflict between the U.S. and another nation, there are groups of people within that nation – either sponsored by the government, complicit with the government, or even perhaps working on their own – who are going to try to exploit U.S. capabilities. For example, a small country in the Middle East cannot compete from a military or technological perspective, but someone there can reach out and touch Uncle Sam from 6,000 miles away with just a $500 laptop and an Internet connection. The barrier to entry is low, and the potential impact is high. Moreover, the risk of being caught or harmed is limited – it’s not like you are literally walking onto a battlefield where you might die. Many people are encouraged to bring their laptops to the fight. Another side of it is from the diplomatic side. When you look at a conflict, such as what is happening now between Russia and Ukraine, the U.S. is engaged as a third party. As a world leader, the U.S. has to express concern on the international stage and has done so. This issue would overshadow any issues the U.S. may have with either Russia or Ukraine about cybersecurity, because priorities have to be set about what will be discussed. If you are talking to Putin about Ukraine, you aren’t going to use your political capital to bring up cyber-attacks targeting U.S. energy companies. When tensions run high and there is active conflict in an area, cybersecurity definitely takes backstage. TAM:
What kinds of organizations are most at risk for cybercrime or cyber-attacks? SH:
Every organization that is connected to the Internet is at risk of having data stolen, destroyed, disrupted, or changed. There are ways to mitigate the risk, but the risk is across every single sector. Entertainment companies have lost, for example, hundreds of millions of dollars from stolen intellectual property, disruption of their businesses process, such as the ability to communicate or provide services to their customers. Often people think that cybercrime only affects the financial services sector or the retail industry. The reality is that the impact on healthcare, energy, transportation, and manufacturing is huge. There is no boundary, and there are really no limits. TAM: What should CIOs and CTOS be paying most attention to if they are looking to upgrade their defenses against cyber-attack? SH:
Historically, companies have looked at this from a prevention viewpoint: “How do we make sure it never happens? How do we make sure nobody ‘bad’ gets into our network?” Today’s networks are too vast to approach it from that view. There are companies that have 200,000 endpoints deployed globally. These are different users accessing the network from laptops, iPads, mobile devices, and desktops. It would be like trying to protect a building that has 200,000 doors. What are the chances if you have 200,000 doors that someone is going to leave one unlocked or propped open? Somebody is going to get in somewhere. The measure of success shouldn’t be outright prevention, although that is certainly the goal. You want to prevent as much as you can, but it needs to turn from hardening the perimeter to detection. Organizations should be asking “How can we put mechanisms in place so that if someone does breach our perimeter, we are able to detect them?” If you focus all your efforts solely on prevention at the perimeter and they ultimately get in, you will miss it. I have seen cases where someone was undetected on a network for months or even years, and that is when the real damage occurs. If you can detect someone trying to access your network, you can mitigate the consequences.