Henry said U.S. adversaries have shown that they are capable not only of stealing sensitive information, but of manipulating and destroying it. In some cases, he said, hackers have penetrated corporate networks so thoroughly that companies have had to jettison hardware and software before recovering.
“Once they’re in,” Henry said of the hackers, “they’re in.”
Despite an entreaty by FBI Director Robert S. Mueller III to remain at the bureau, Henry this month joined a cybersecurity start-up called CrowdStrike, where, he said, he hopes to help clients take the fight to sophisticated foreign adversaries.
“I know a lot of companies have suffered, and they are going to want to see somebody come in and assist them,” said Henry, former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch. “It won’t be the U.S. government . . . so it’s going to have to be the private sector.”
Henry’s remarks come as more current and former officials are speaking out about the need for action to contain a threat that Mueller recently said is likely to eclipse terrorism as the top menace to the country.
Last week, Rear Adm. Samuel Cox, director of intelligence at U.S. Cyber Command, said that “a global cyber arms race” is underway. James E. Cartwright Jr., who retired in August as vice chairman of the Joint Chiefs of Staff, said at a separate event that even a limited cyberattack on the nation’s power grid or financial system could spark tremendous public fear.
“If you can take out one area of electric power or one bank, the question that puts in people’s minds about the security of others is what you’re really worried about,” Cartwright said last week at a conference hosted by the Center for Strategic and International Studies.
Despite such concerns, experts have said the government is legally constrained in its ability to help companies protect their networks, in part because of privacy issues surrounding the sharing of information between the government and the private sector.
Congress is set to take up proposals aimed at fostering information-sharing as well as security standards for some companies to better protect commercial networks.
In the meantime, the costs of cyber-espionage are proving to be enormous.
Scott Borg, chief economist at the U.S. Cyber Consequences Unit, a research group, has assessed the annual loss of intellectual property and investment opportunities across all industries at $6 billion to $20 billion.
Henry, a former executive assistant director of the FBI’s cyber-crime branch, said the bureau knew of one company that lost $1 billion — 10 years’ worth of research and development — in a weekend after being hacked. One thinly capitalized firm that processed credit card payments was forced to close two years ago when it was breached.
The FBI has become more aggressive in collecting and correlating intelligence, and over the past couple of years it has notified dozens of defense contractors, government agencies and companies that they were being targeted for intrusion, according to Henry.
Still, he said: “There needs to be much greater sharing of intelligence across all the sectors.”
“You can only be punched in the face so many times before you fall to your knees,” he added. “There needs to be more offense and less defense.”
As head of services at CrowdStrike, Henry, who spent 24 years at the FBI, said he will adopt many of the techniques used by government intelligence agencies. But unlike the government, CrowdStrike is planning to name names — not just of individual hackers but of foreign government agencies, said the firm’s co-founder, Dmitri Alperovitch.