Security experts cold on former FBI official's Black Hat keynote
- — 27 July, 2012 14:41
A former FBI official's keynote at the Black Hat security conference got a chilly reception Thursday from security experts who bristled at his call for business to do more to help the government defend against cyber attacks.
Shawn Henry, former FBI executive assistant director in charge of cyber-investigations, said businesses needed to "step up" in helping defend government and corporate networks against hackers and spies trying to steal intellectual property and government documents.
The comments from the ex-government cop-turned-security-vendor was met with only polite applause, an indication that the speech failed to spark the patriotic spirit among attendees of the Las Vegas conference.
[See also: Cybercrime 'much bigger than al Qaeda']
In fact, members of a panel discussion following the keynote agreed that government was responsible for building security for the common good, while businesses were better at product innovation.
Security experts who were not attending Black Hat, but who read Henry's comments, tended to agree with that assessment. "His heart is in the right place, but the message is stale," said Andrew Plato, president and chief executive of consulting firm Anitian Enterprise Security.
He added that it was not the role of private industry to provide for the common defense. "That is one of the most basic duties of our Republic," Plato said.
Xuxian Jiang, an assistant professor and security researcher at North Carolina State University, agreed, saying there is "always a line between government and business."
"The focus of government should be mainly on the infrastructure for the common good, while commercial companies can better focus on product innovation with business opportunities and returns," he said.
Henry, who retired from the FBI in March and joined security startup Crowdstrike as president a month later, advocated a "paradigm shift" in which businesses re-architect networks, so the cost of hacking computer systems would be much higher.
The techniques he mentioned, all well known in the security industry, include building traps that lure hackers into stealing bogus data and hiding sensitive information behind multiple layers of security.
While few experts would argue that better security is needed in corporations, they also point to the federal government's tarnished record. Security flubs include (PDF document) hackers gaining access last year to documents from major defense contractors working on new weapons systems. In the same year, the U.S. Senate's computer network was broken into by hacker consortium LulzSec.
But what irritated Plato most was the tone of Henry's speech, which presented the problem in jingoistic terms that do not impress security professionals.
"The government, as well as some industry leaders, need to drop all the war imagery and military jingoism and start interacting with this community in a more sophisticated manner," Plato said. "We all care about protecting our country, we don't need the 'guns a blazing' imagery. It just comes off as ham-fisted. Hackers don't jump out of helicopters."
Read more about critical infrastructure in CSOonline's Critical Infrastructure section.