“Who’s responsible for protecting dot com? Nobody!”, shouted Henry. “The FBI will respond if you get breached, sure, but they’re not actively monitoring dot com”, he said. This, he argues, is wrong. “The FBI protects hostages and save lives. Well, your data is being held hostage, and the life of your organization is at risk.”
Drawing on his employment at the FBI, Henry recalled that due to a lack of resources, the FBI was unable to respond to every cyber situation.” Instead, the FBI looks at mitigation – going after the threat. “We have to be aware of who the adversary is and stop them in advance”.
This, he recalls, is a change in strategy which was introduced after 9/11. “We became a global organization and we changed the way we measured success. We stopped measuring in numbers, and changed the metrics to measure preventions and sharing of intelligence.” A similar paradigm shift needs to take place in the information security industry, he said.
Cyber security, which Henry declared “the most significant threat we face as a society, other than weapons of mass destruction”, needs “people to be the best trained and the best equip to fight our enemies.”
They key to success is to consider who the adversary is, he argued. “Cyber is the great equaliser”, explained Henry. “Cyber means that we are all the adversaries – anybody, anywhere in the world can attack government and companies, meaning that the pool of potential adversaries is constantly expanding [to the 2.3 billion people with a computer and internet connection]. We have to assume they are already in our networks”.
This is a time-sensitive, issue, insisted Henry. “If we wait, it will be too late. We didn’t think people would fly planes into buildings either. Cyber attacks have the ability to take water or electricity away – we need to think about it today.”
Some quick strategic wins, suggests Henry, are to compartmentalize data (“The FBI don’t put everything on the networks”), deploy defense-in-depth (“If we focus purely on protecting the perimeter, we’ll fail”) and be pro-active, not re-active (“I don’t mean hacking back, I mean creating a hostile environment for adversaries to operate in”). Henry also emphasises the importance of “intelligence as the key. Intelligence should be based on: Strategy; collection; execution; analysis”.
In conclusion, Henry called on the information security industry to “stand side by side to protect the line between good and evil. Our failure to step up now to the cyber problem is a failure as a society. People are going to get hurt and they are going to die.” He ended on a more positive note: “Together, we can change this game.”