CrowdStrike’s Shawn Henry on Cyberterrorists, Ransomware and Hacked Elections
An interview with the President and CSO of CrowdStrike Services
When the Democratic National Committee discovered in June that its entire computer network had been hacked, it called on Shawn Henry, president of CrowdStrike and former head of the FBI’s cyber division, to ferret out the damage and ultimately identify the perpetrators, who were deemed to be agents of the Russian government.
Henry, an early contributor to BRINK, has a “tough love,” no-nonsense style when dealing with his clients that underscores his vast experience dealing with the various adversarial groups lurking in the shadows of the internet. In our wide-ranging interview with Henry, he covers everything from the CEO who believes his company has nothing of value to hackers (so why bother with cybersecurity efforts?), to whether companies should pay up when hit with ransomware demands, to the fact that criminal cartels and terrorist groups, let alone nation states, are all “prolific” when it comes to deploying criminal activities in cyberspace.
BRINK: There’s a virtual library of information on cyber security measures that companies can take; however, we still regularly hear about security breaches. What’s the biggest cyber security mistake you continually run into when you’re consulting with companies, and why does that keep happening?
Shawn Henry: I think companies continue to be reactive rather than proactive. In other words, they’re responding to incidents after the fact, rather than proactively going out and deploying technologies that allow them to get better visibility into the environment and allowing them to see what’s coming, rather than waiting until after an incident happens to figure it out. The proactive piece, where companies take security into their own hands or start actively hunting for adversaries in their environment, that, to me, is the single biggest step that organizations can take.
BRINK: How pervasive is the threat from state-sponsored cybercrime? Does it happen across all public and private sectors, and does it go beyond state sponsored actors? For example, are there major criminal cartels involved? Do terrorist organizations have their own cybercriminal element to them?
Henry: Yes. All of those groups are involved and are pretty prolific. Nation states [are] targeting organizations for intellectual property and research and development information and corporate strategies. Also, terrorist groups are targeting critical infrastructure. We know that they’re developing these capabilities. We know they have the intent to do it and they’re continuing to develop the expertise. The organized crime groups are targeting primarily the financial services sector and retail. They are increasingly using ransomware, targeting many other types of organizations where they feel that they can get some return on their investment, and it’s turning out to be a sizable return for what little investment they make. So all those groups continue to find targets across every single sector: health care, financial services, manufacturing, government, educational institutions, energy and transportation. No sector is left untouched.
Companies must be proactive in their approach to cybersecurity by actively hunting adversaries in their networks.
BRINK: What do you say to a CEO who says, “I’m just a shoe manufacturer,” or “I’m in the fertilizer business … Why should I spend the time, effort and money beefing up my cybersecurity efforts? We don’t have anything that hackers would want to steal.”
Henry: I tell them a couple of things. First, every company that’s in business has something that’s of value, otherwise they wouldn’t be in business. They’re selling something. They have some type of commodity, they have business practices, they have proprietary information that differentiates them from others in their industry. So every business—regardless of what that is—has something that’s valuable.
Second, adversaries are not necessarily looking just to steal data. We’ve seen adversary groups that have actually destroyed networks simply because they’re not happy with the company, they’re not happy with the way a company is doing business, they’re not happy with the products they sell or they think that perhaps they’re not respectful of the environment. Whatever it may be. These adversaries are using the networks as an opportunity to make a statement. So it’s not just being prepared to protect your data, it’s also being aware of the critical risk you face if somebody accesses your network and decides they want to wreak havoc for whatever reason.
BRINK: What’s your position on whether companies should pay up when they become victims of a ransomware attack?
Henry: I think that companies shouldn’t pay and that instead they should invest their money in developing a continuity of operations plan, such as having a backup strategy so that they can reconstitute their network. I think paying those types of ransoms just encourages the continued attacks by those organizations that are engaged in targeting infrastructure.
BRINK: The debate over whether companies should be able to “hack back” is getting some more play these days. What’s your opinion on that?
Henry: I think companies cannot legally leave their network to target somebody else. They can’t try to track them down and steal their data back. They can’t send malware out to another party, so they’re really limited in what they can do by what the law says. I think that there is probably going to be more debate on this subject as the situation continues to worsen and there will be calls for companies to be able to take some type of action, but right now the law is very clear: They can’t do it.
BRINK: Would you support a change in the law that lets companies be allowed to do that?
Henry: I think it goes beyond saying that companies be allowed to do that. In doing that, you face the risk of companies getting engaged in foreign countries, in foreign laws and even in dealing with nation states. However, I think there is a lot that companies can do in terms of collecting and sharing intelligence with the government. The government used to be better at collecting that intelligence and actually using it to identify who the adversaries are so that they can stop these attacks. So I don’t think individuals or individual corporations are able to take action. I think that what they can do is work in a more coordinated fashion with others in their industry, as well as the government, to do a better job of identifying who the attackers are.
BRINK: During the current election cycle, there has been a lot of talk about Russia’s potential to interfere with the upcoming presidential election. Is our election process, for example, electronic voting machines, vulnerable to hacking? And just how probable is it that we might see state-sponsored “cyber interference,” for lack of a better term, in the upcoming election?
Henry: I think that the way the system’s set up right now, it’s pretty dispersed. In other words, we don’t have a national election system where everybody’s vote is online and connected to the network. You have 50 states, each of which has a different system. Most of them have paper backups. Even if they do something online, they can turn to the paper backups for verification. A lot of states actually still just use paper.
I don’t think we’re susceptible to a really nefarious type of attack, but only because our system is not advanced enough. I think that there could be a destruction of voter records. In other words, the registry of voters. If those systems were online and somebody was able to get into them, if they were able to destroy or manipulate them, that would cause a problem. I think that any reported attack that gets attention will raise some concern among the American population, which is understandable, but I don’t think that the integrity of the election will be changed by an attack on the actual system.