A retiring top deputy at the FBI has given a blunt assessment of public and private efforts to combat cyberattacks on corporate targets: "We're not winning."
Shawn Henry, the FBI's executive assistant director in charge of cybersecurity, told the Wall Street Journal that the government and private companies aren't up to the task of defending sensitive data from would-be hackers. He called the current approach to the problem "unsustainable," because criminals can easily outsmart the defenses put in their way.
Henry, who is leaving the FBI after two decades, didn't focus his criticism on specific legislation, but the pessimistic appraisal comes as Congress attempts to tackle the issue in two competing measures aimed at improving security at power plants, nuclear reactors and other infrastructure.
One Senate bill, in a stab at bipartisanship, strips away a controversial Internet "kill switch" and makes other concessions. The authors stress the urgency of imposing a new cybersecurity plan at a time when major data breaches and denial-of-service attacks are increasingly making the headlines. However, several Republican senators have raised concerns about the bill and have urged Senate leaders to allow time for other committees to weigh in.
Henry, who is leaving the FBI for a cybersecurity job at an unidentified Washington firm, advocates that companies make major changes to persistently vulnerable networks.
"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security," Henry told the Wall Street Journal.
On the congressional front, the bill introduced last month in the Senate, the Cybersecurity Act of 2012, calls on the Department of Homeland Security to consolidate cybersecurity programs into one office -- the National Center for Cybersecurity and Communications.
At the heart of the bill is a requirement that the federal government identify the most critical components of the country's cyber-infrastructure and require them to meet certain security standards. This would cover everything from the nation's power to water to transportation services.
The bill would require DHS to look at systems that could, among other scenarios, severely damage the economy or cause widespread casualties if they were disrupted in a cyberattack. Operators would work with DHS to secure those systems.