John Carlin:
… from CAFE, welcome to Cyber Space. I’m your host, John Carlin. Every other Friday, I explore issues at the intersection of law, tech, and policy, and question guests who’ve made an impact in the world of cyber security. My guest this week is Shawn Henry. He’s the president of CrowdStrike, a cyber security firm responsible for investigating cyber attacks for clients that include the US government and some of the world’s biggest corporations. CrowdStrike has helped devise measures to lessen the threat of election interference, and is at the forefront of protecting sensitive information made more vulnerable by the pandemic as a large part of the country continues to work remotely from home. Shawn, great to be back with you. We’ve worked together a long time now. Tell me, what led you to the FBI in the first place?
Shawn Henry:
My father was a New York City detective, and I was always interested in law enforcement. And I actually had a family friend who graduated from the FBI academy when I was a senior in high school, and I went to that event in Quantico, Virginia, and it really just solidified for me the importance of law enforcement, the value law enforcement adds to our society, and I just got completely fixated on joining the Bureau and trying to do what I could to help society.
John Carlin:
Over the years, there’s been some tension on occasion between New York City police detectives and the FBI. What’d your dad think of you joining FBI instead of following in his footsteps?
Shawn Henry:
Oh, my father was a New York City detective, my brother was a New York City detective, so there was always good-natured ribbing at any family gathering, but obviously he was very proud and happy about the selection that I made and the choice I made to stay in law enforcement and on what I always call the line that separates good from evil, and the ability for law enforcement services to help protect innocent people. He was certainly proud. But there was no shortage of good-natured jokes.
John Carlin:
That, I’m sure. And people listening can’t see you, but you’re a big guy, and you look like you might be able to barge through a door and go after criminals. But instead of just doing physical crime and breaking mortar, you ended up in cyber crime. How’d you end up going to the cyber crime unit initially?
Shawn Henry:
I spent the first 10 years of my career actually working public corruption, believe it or not, corrupt public officials who were engaged in using their official office for personal gain. And that was through the late 90s, but I was always interested in cyber and technology. When I saw an opening in a particular unit that was focused on cyber crime, I really thought a lot of the techniques and skills I had developed in the physical world, fighting public corruption, could actually be applied in the cyber security space.
Shawn Henry:
And joining that unit and applying for that unit, being selected to lead that unit, what at the time was called the computer intrusion unit, was a game changer for me. Obviously, the world changed through the 2000s with the advent of technology and the ubiquity of computers, but I felt that there were more similarities between the physical world and the digital world than there were differences. And actually, if you can look at cyber crime as fundamentally similar to the way we investigate in the physical world, then we’re able to be successful in that space. And I’m really glad I had that opportunity.
John Carlin:
And so, we’re talking back now late 90s when you start doing the transition to cyber, right? And did you have any sense then that it would end up being as big an issue as it is now?
Shawn Henry:
I really didn’t. I remember the first couple of big events that we had, and I call them events rather than actual cases. The distributed denial-of-service attacks against online retailers back in 2000, and some of the viruses like the ILOVEYOU virus that was launched from a kid, a young man in the Philippines, that took down a large portion of the internet, and website defacements, all the types of things that today are really quite limited and pale in comparison to what we’re currently seeing.
Shawn Henry:
So it’s just incredibly interesting to see the progression of cyber security, the growth of the risk, all based on the growth of the technology and the value of the technology. I think this is probably the greatest instrument, in my lifetime at least, in terms of the capability that the internet has brought, the value that it brings, but it also brings a lot of risk and a lot of threats. And we’ve got to balance that as citizens and as protectors of the infrastructure.
John Carlin:
[inaudible 00:05:22] when you were first doing it, as you say, there were a lot of pranks by teenagers, and you got involved with a big case that those who follow cyber think of as a seminal case about one particular teenager named Mafia Boy. And when you were first investigating, did you have any sense … Tell us a little bit about the Mafia Boy case, how you got assigned to it, and what you were thinking when you were first investigating.
Shawn Henry:
Well, now you’re going back 20 years, John. I’ve got to go back in the way back machine. Mafia Boy, when I try to recollect that, I was the chief of the computer intrusion unit, and my role in that position was really to provide guidance and vision to the cyber security program across all 56 FBI field offices and its international offices. And part of that sometimes resulted in almost refereeing when different offices had a particular case, or a different US attorney’s office that wanted to run with a case. The Mafia Boy case was this 15-year-old kid who was engaged in nefarious activity, hacking and the like.
Shawn Henry:
And it turned out that he was calling himself Mafia Boy, and he was purporting that his father was in the Mafia, or he suspected his father was in the Mafia, which is why he used that interesting moniker. But again, when you think about it, a young kid operating out of his basement who can get dozens of federal agents around the country focused on him just because of his activity. And I think that really was kind of the real introduction that this was going to be something that was going to have an impact. If a 15-year-old kid could take some of the actions he took and impact critical infrastructure, then what could a nation state do, or a serious organized crime group do, or a terrorist group do? And that really was eye opening experience.
John Carlin:
I know when you and I worked together at the FBI, it was during a period of great change, and a lot of the focus had been transforming the FBI to be a national security agency, one that performed two missions, [inaudible 00:07:36] the criminal enforcement mission, but also, we collected intelligence to prevent threats. But for a period of time, that really focused on terrorism, and rightly so. But then there was a period where we were trying to catch up on cyber, this was roughly 2007, and start trying to pivot the FBI to really focus on national security threats. That’s seven years after Mafia Boy. Tell me a little bit about that pivot and how you think you did.
Shawn Henry:
Yeah, when you’re thinking about the history of cyber in the government, that really was a pivotal moment. I think that, we actually had been working nation state investigations going back to the mid-90s, nation states primarily targeting the Defense Industrial Base, targeting government agencies, in traditional espionage type matters where they were stealing data to help them better understand US capabilities and US direction.
Shawn Henry:
But in 2007, that time period, the Bureau had already gone through this major change, as you’ll recall, post-9/11, with the Bureau becoming an intelligence-led organization, using intelligence to try and understand, in advance of a terrorist attack, what they could do to disrupt and to mitigate an attack, rather than waiting for a bomb to go off, going back and collecting the evidence, figuring out who did it.
Shawn Henry:
That was a huge sea change for the Bureau. And I think we really looked to take those same lessons learned in terrorism and apply them to the cyber security space. So if we were effectively collecting intelligence, and what we now call indicators of attack, if we could collect that intelligence and find out in advance what an adversary was going to do, where were they doing reconnaissance, what tools were they bringing to the fight, what were they targeting, then we could be much more effective in mitigating the consequences of an attack or actually disrupting the attack.
Shawn Henry:
So back at that time, the Bureau, we started the NCIJTF, National Cyber Investigative Joint Task Force, and looked to work collaboratively across the intelligence agencies and with other law enforcement agencies. What listeners might not understand is really how so many agencies have different authorities, different capabilities, and different missions. And if any one of those agencies looks to address cyber investigations unilaterally, they’re really at a disadvantage.
Shawn Henry:
But if you put together on the table all of their capabilities and all the tools in their chest, all of their authorities, you’re much stronger. And the NCIJTF was really bringing together all those different agencies to bring their intelligence and their tools to the table so they could more effectively disrupt primarily foreign adversaries, but also organized crime groups, in advance to help better protect American infrastructure.
John Carlin:
It reminded me, I remember when Director Mueller was getting ready to give his first major speech, really, on national security cyber threats, and this was in 2007. And at that point, you had worked on the NCIJTF, the National Cyber Investigative Joint Task Force, and there had been a smaller version in the Washington area, and you were working to nationalize it. Do you remember this? We had 10 speech prep sessions, and it was such a mouthful to say NCIJTF, that he was giving you flak. Your face was turning red.
Shawn Henry:
Every meeting I had, he looked at me and he said, “Can’t you find a different name?” And the funny part is, that was 2007, and throughout, for the next five years, he just mumbled it, and he just couldn’t ever seem to get it right. And then at my retirement, he got up to present an award for my retiring from the Bureau, and he looked me square in the eyes. I was sitting in the front row. He looked me square in the eyes, and he said it perfectly. And everyone laughed, because everybody knew how he jumbled that up all the time, so it was kind of funny.
John Carlin:
I do remember that. So let’s talk about [inaudible 00:12:03] 25 years in at the FBI, and you left, and you went to a company where you’re still at called CrowdStrike. Why’d you leave?
Shawn Henry:
I was eligible to retire when I left, and in the Bureau, people traditionally transition out, and particularly at executive levels, because you’ve got to retire at 57. You’re mandated to retire. But when you’re 50, if you’ve got 20 years of service, you can retire. And if you do retire at that stage, which I did, I had 24 years at 50, you still have an opportunity to get a second job, traditionally in some type of security field.
Shawn Henry:
With your experience and expertise in this space, you’re able to help companies in the private sector protect their companies, not necessarily just on the cyber side, but also things like espionage, and fraud issues, and Continuity of Operations. All the traditional things you learn and practice in the Bureau, you can apply to the private sector. So lots of folks at my level were retiring and becoming chief security officers at major companies.
John Carlin:
Yet you did something different. You took a chance.
Shawn Henry:
I did. And I wasn’t actively looking, but I had a mutual friend with the CEO of CrowdStrike, and she said, “Hey, this company is just starting. They’re in cyber security. They’re looking for somebody with your background to run their operations. Are you interested?” And I said, “Not really,” because I really thought I’d, like my other colleagues, go into a chief security officer position at a major company, and be an advisor to the CEO, much like we were advisors to the director of the FBI.
Shawn Henry:
But I took the meeting, we had a dinner, talked to the CEO. And at the end of the dinner, he showed me his vision for this technology that he was developing, and I thanked him for the dinner, and I said, “Let me think about it.” And I called him back, “I’m not really that interested.” But over the course of a couple of months, I really was impressed with the technology, and I really was impressed with the proactive nature about being able to detect attacks in advance of the actual attack happening, which is exactly what we’d been thinking about in the government for many years prior, but we weren’t able to actually do it.
Shawn Henry:
There were a couple of US government programs that just really never got off the ground, or certainly not to the level they were originally envisioned. So George Kurtz had this idea for this technology, and he wanted to implement it. And I went to the company that at the time only had about a dozen employees when they started talking to me, and I got a lot of raised eyebrows, I think, by folks saying, “How are you doing this, going to this little startup company in cyber security when there are these other opportunities?”
Shawn Henry:
And I really felt, first of all, that the threat landscape was such that it required the private sector to step in and provide some leadership and the technology and the vision. And two, that George had that vision, and he had the idea for the technology that I had known and discussed five years earlier, but hadn’t seen anybody develop. So it was kind of fortuitous that he introduced me to his vision. And thank goodness, four months after our first meeting, I took him up on his offer, and retired from the FBI and joined CrowdStrike.
John Carlin:
Let me talk a little bit about the role CrowdStrike plays. As you were saying, it fills a gap that the government isn’t filling. Is that a feature or a flaw? I mean, is it a problem that … It’s allowed for great success commercially, but thinking about it as a public policy, is CrowdStrike performing a role that really should be the government, and it shows that there’s a gap? Or will there always be a healthy interplay between commercial forensic firms trying to spot threats and what the government does?
Shawn Henry:
It’s a great question. And honest to goodness, and I’ve said this to George many times, I understand there’s a business side to this, and I think we’ve added a great value to many, many companies. But for me, I’m concerned about protecting the infrastructure, and making people safe, and helping companies recover their assets after they’re hit. So you’ve heard me say this before, John. I think a government’s fundamental responsibility is to protect its citizens. Any government, that’s their fundamental responsibility.
Shawn Henry:
And I think in this space, that the government is still not there, not because people don’t want to, but because this is a very different situation, and it’s very complex. I think in the physical space, if a foreign government flew jet fighters into US airspace, you would expect that the US would scramble jet fighters and escort them offshore, and then there would be a phone call to that nation’s leader, saying, “You can’t let this happen again. It’s inappropriate, and if it happens again, this is what the response is going to be from our government.”
Shawn Henry:
And similarly, if there were a foreign government army that tried to march across our border, we know what that would look like. But in this space, NSA or DHS, they’re not sitting in the ISPs blocking all the malicious traffic and warning off these government attacks. And understandably, because of privacy concerns and civil liberties, I think a lot of citizens would have a concern, whether it’s legitimate or not, but they certainly would want to question, is NSA sitting in the ISPs, and what are they looking at? Do they have access to our content? Where’s our privacy? How is it being protected?
Shawn Henry:
So this space is just very unique, and I don’t think that we’ve gotten it right yet. What it has led to is the private sector having to step up and support companies because the government either doesn’t have the authorities, the capabilities, or the capacity to operate in the private sector space to prevent these attacks wholly. So consequently, what they’re doing is, they’re collecting intelligence, most often on the back side of an attack, similar to collecting forensic evidence after a physical attack, and then using that to take counteractions or countermeasures, or in some cases, going back and warning off those governments, or helping to collect and identify organized crime groups or criminals, and making arrests in coordination with international law enforcement. So it’s an incredibly complex issue, but I think in the near future, the private sector’s going to continue to lead the way in protecting the private sector.
John Carlin:
Let’s pivot there a little bit to talk about something that’s on everyone’s minds right now. We’re about a month away from a very important election. There’ve been two recent bulletins put out by the FBI and by the Department of Homeland Security on September 22nd and 23rd warning of disinformation campaigns. We’ll talk about this a little bit more. You’ve lived through a historic Russian influence campaign in the 2016 election, but let’s start with where we are right now. What does that announcement tell you about current US preparedness, and where are we as a government and a private sector in working to defend our shores against foreign actors who want to attack democracy?
Shawn Henry:
So I think most everybody will agree that election security is a critical issue to defend democracy. It’s one of the foundational elements of a democracy, the ability to elect leadership, and to those who are going to ultimately set policy and legislative agendas, et cetera. So incredibly important. I think what we see now is adversaries that have done reconnaissance, and have probed election infrastructure. Certainly in 2018, we saw it on the heels of 2016. We’ve actually talked to stakeholders throughout the election space in the last couple of years at the federal, state, and local levels, and it’s clear cyber security is top of mind for all of them because of what happened in 2016 and then in 2018 as well.
Shawn Henry:
But there’s still a lot of work to be done, and there are so many different organizations that have to make important contributions in order to be successful. You think about the campaigns themselves for each of the candidates, because they’re protecting information, but then the actual election infrastructure, public sector election entities that have to be vigilant, the vendors that support the election infrastructure, those that are collecting and tabulating as part of that election infrastructure, and then the media who are reporting out the results of those tabulated votes.
Shawn Henry:
So it’s such a big target space. I think there’s been a lot of discussion about how dispersed the US system is, because there literally are thousands of municipalities that are collecting across 50 states, and that there’s not one single point of failure. But I think when you look at our system, with the Electoral College and the narrow shape of our election process, that we could see individual municipalities targeted, which could have some type of an impact. And thankfully, people are absolutely aware and there’s been a lot of discussion. I think this is an area where the government does add a lot of value, the DNI, and the FBI, and DHS, who have done an awful lot to raise awareness.
Shawn Henry:
While they might not physically be able to be on site in certain areas, so they can’t add value perhaps in that area, there’s a lot they can do in terms of intelligence they’ve collected, sharing that intelligence, raising the awareness. But again, I think a lot of this still falls to the private sector to step up and add value to help to identify and disrupt adversary attacks.
John Carlin:
What are you most worried about heading into election? Is it disruption of the ability of people to vote? Is it change in vote counts? Is it disinformation?
Shawn Henry:
All of those things are concerning. Obviously, you’ve got to prioritize. I think the thing for me that was the biggest change on the heels of 2008 … You may remember, John, because we were there together. In 2008, there was an attack on both the Obama and the McCain campaigns that was … The US government attributed that to China.
John Carlin:
I remember. It was the first time I met anyone from the Obama campaign and the McCain campaign. And I remember you and I [inaudible 00:22:54] went to inform each and deliver the bad news, “You’ve been hacked, and it’s by China.” And they believed us.
Shawn Henry:
Well, the interesting part of that is, I think the general consensus of all those in the intel community was that that was traditional espionage, where an adversary was interested in the policies of each of the candidates. Were they to be elected, what would their economic policy be? What would their military strategy be? Who were some of the people who might be considered as part of the administration? And that’s traditional espionage. And quite frankly, espionage has been going on for over 1,000 years, right?
Shawn Henry:
I say sometimes, “1,000 years ago, somebody crawled underneath a tent and pulled a piece of papyrus out from underneath that showed troop positions.” But now fast forward to where we are today, and the technology and the infrastructure has allowed for a much more targeted campaign. And I say campaign, I mean an attack campaign, as well as much more intelligence and information that’s been [inaudible 00:24:02]. So 2016 showed that adversaries, in addition to pure espionage, were actually going to operationalize information, and could use it to try and influence people.
Shawn Henry:
And now where we are today in 2020, I think we’ve seen that happen. The DNI’s office put out information just in the last few weeks that talks about a couple, three different countries, Russia, China, Iran, that may be trying to influence the election. And at the very least, they’re trying to influence US public policy, US public perception of things. You can see media from those nations that are distorting what’s happening and are putting a spin on things, in some cases supporting two sides of the same argument and putting it out to constituencies of far left or far right audiences to get people spun up, and to get them to question each other.
Shawn Henry:
And what that does, I think, is causes that sense of confusion, and foments this disruption and this divisiveness in the country. I think that foreign nations are interested in disruption of US democracy. I don’t portray myself as political on either side. I’m absolutely independent. I’ve been independent my career, my entire career. But I see it as a disruption of democracy, and that, to me, as a citizen, is something that’s incredibly disconcerting, because it is our fundamental right. And I’m concerned about those types of actions by foreign adversaries to unduly influence fellow Americans.
John Carlin:
And you’ve both observed this and have helped people who are responding to cyber attacks in your job, but you’ve also lived through it. Tell me a little bit about the role you were playing in 2016 when Russia decides to attack.
Shawn Henry:
We weren’t working with the DNC; we responded to the DNC. They asked us to come in as an incident responder, much like thousands of companies over the last eight or nine years have asked us to come in after they’ve been subjected to a hack. I mean, it’s happened literally thousands of times in my career where we’re asked to come in. And we found indicators, and this has all been reported quite extensively. We’ve put out a number of pieces on our website that talk about how we collected intelligence that to us indicated that it was coming from Russia, and that they were targeting the DNC.
Shawn Henry:
I think it is so important for Americans … Again, I say that what the FBI and DHS has done is to alert citizens so that they are more aware. That part of this is so critically important, that people have that appreciation for what can happen, and that understanding that this is going to continue to happen. Because of the success of that campaign, other nations are going to replicate those types of attacks, because again, they want to disrupt the US. They want to have an impact on democracy. And it’s going to be a challenge long term.
Shawn Henry:
And I’ll add one point here, John, because this is really important. This is not a US-centric issue. These types of attacks have happened globally. And there are, documented by other nations, attacks on their infrastructure by foreign governments, and different foreign governments, depending on who the victim country is. But India, and Finland, and the UK, and France, and Israel, Australia, Chile, have all been targeted in various ways. Denial-of-service attacks, voter data being encrypted. Australia talks about an attack where they say China, back in November, attempted to plant an agent inside the Australian federal parliament. So again, these things are ubiquitous. They’ve become ubiquitous, and the technology provides another avenue by which these nations can gain access to these critical parts of infrastructure.
John Carlin:
Yeah, that global nature of the threat is a really important point. And when it comes to democratic countries, I think it’s something we’re still wrestling with, where what makes us strong is also a vulnerability, that we want open speech. But what do you do when digital technology allows you to amplify messages that are not true, the disinformation type campaigns? I know you’ve written on that.
John Carlin:
But what you’ve been at the center of also still amazes me: that you, a son of a police detective, from a law enforcement family, served 24 years with the FBI, went into a business helping people respond to cyber threats, and somehow, due to a deliberate, I think, disinformation campaign partly driven by Russia to try to discredit the work that you did in 2016, have had all sorts of crazy allegations made about you. What’s it been like hearing people describe you as political and all sorts of other things?
Shawn Henry:
Look, yeah, I learned early in my career that you’re not going to please everybody, and it is what it is. Right? So you follow the facts. Again, going back to, I’ve been in security for 30 plus years, and you follow the facts, and the facts are what they are. And you put the facts on the table, and at the end of the day, you need to be able to look yourself in the mirror and say, “You did the right thing for the right reason.” I had a leader early on in my career say that exact phrase to me, and I carry it with me. Do the right thing for the right reason.
Shawn Henry:
As it relates to the DNC, we responded to a request for help. Let me tell you, we’ve responded to Republican campaigns and Republican organizations to help them, too, because it doesn’t matter if it’s Republican or Democratic. It doesn’t matter who the candidate is. I’m absolutely, when I say apolitical and focused on the issue itself and protecting the democracy, that’s what’s important to me, it’s what’s important to my company, it’s what’s important to my employees. And it’s the mantra I carry. I’ve said it from the day I came into the Bureau. I mentioned to you I worked public corruption for the first 10 years of my career.
Shawn Henry:
I’ve arrested and convicted a lot of public officials. Not one time ever when an allegation came in, did I ask, “What political party does the person belong to?” I don’t really care. If you used your office for personal gain, and you put in jeopardy, and you violated the oath you swore to uphold, you victimized the citizens, shame on you. And I don’t care who you are, I don’t care the color of your skin, I don’t care your religion, and I don’t care about your political party. I look at the facts and follow the facts. And I think that if people are critical, so be it. It is what it is. But I’m very proud of the fact that I’ve been able to hold my head high and try to do what I think is the right thing every single day.
John Carlin:
What do you think, 2020 compared to 2016 … Do you think the average consumer of misinformation is in a better place today? Have we improved? Are we better postured to handle an attack?
Shawn Henry:
It’s interesting, John. You and I have worked a lot of national security matters separate and apart from cyber, and we’ve talked about people who’ve been radicalized and those that have been self-radicalized. And you just mentioned here a few minutes ago, social media, and how social media sometimes becomes an echo chamber. And the more videos you watch about a particular topic, the more videos that are similar to that are served up. And sooner rather than later, that’s all you see and hear about. And if that’s your only source of information, then it becomes reality for you.
Shawn Henry:
And I think we’ve seen a lot of that. I think social media has become an echo chamber. Much like people have been radicalized by terrorist organizations, I think they’ve become radicalized by extremists in the United States. I think that people just need to be aware of where they’re getting information from, and to be open-minded, and to watch both sides of an issue. We know that adversaries are contributing to those echo chambers. They’re trying to do exactly what we’ve seen successfully done by Al-Qaeda and ISIS and others, because those have been successful campaigns and are doing the same thing.
Shawn Henry:
And I think that consumers of information, consumers of the media, consumers of the news need to be very open-minded and listen to both sides of an issue, both sides of the media, so that they can be better informed. And you’ve got to know and understand the source of information. Right? If somebody walked up to you on the street and told you something, you needed to give them money, or you needed to immediately go lock yourself in your apartment because something was going on, you would question that because you didn’t know who that person was. If it was your best friend-
John Carlin:
[crosstalk 00:33:58]
Shawn Henry:
If it was your best friend or your spouse, you would immediately do what they said because you have full trust and confidence in them. But somebody off the street, you don’t know who they are or what their motivation is, where they come from. And I think we have to look at media the same way. Is this a trusted source, and is it balanced, and is there another side to this piece that I need to educate myself so that I can make an informed decision?
John Carlin:
And do you think in that ecosystem where this information’s getting pushed in social media … I’ve seen recent announcements by both Microsoft in terms of what they are observing, and Facebook has discussed taking down a big Russian effort to capitalize on their platform to put out misinformation. Are they doing enough? Are there specific actions you think they should be taking that they’re not taking?
Shawn Henry:
I don’t know that I want to wade into that for this reason. I think that Congress has been asking the questions. I think that there have been efforts made. Certainly there have been public statements made by many of the social media platforms that they are taking efforts. I do know some folks that work for some of these platforms that have told me, and I have confidence in them that they are taking efforts. Is it enough or not? I don’t know. I think that will be borne out here in coming months.
Shawn Henry:
But I think it’s something that we have to be attentive to, that they have to be attentive to, and recognize that their platforms are absolutely a huge influence on Americans’ perception, and ultimately policy, and how people react to things. And I think that they are going to have to be held accountable and responsible for that, so I’m glad that the questions are being asked. I’m glad that they are at least publicly making those statements, and I’m glad that more citizens are hearing it. And hopefully that sensitizes them to the potential for those media outlets to be manipulated, so that they’re better educated and they become better consumers because of that.
John Carlin:
And switching gears slightly. We’re in a pandemic, and I don’t know about you, but day to day … Well, I do know a little bit about you, because we’ve talked about it some. But I’m just seeing a huge growth in the number of victims reaching out because they’ve been attacked during the pandemic by cyber actors, be they criminal groups or nation states. And there are some who would call what we’re in the midst of a cyber pandemic. What are your thoughts on how COVID-19 has changed the playing field for cyber security?
Shawn Henry:
COVID has absolutely made a substantial change in the way people do business and from a cyber security perspective. So of course, companies have pushed their employees out of the corporate stack, off the corporate stack, and they’re now working, many people are calling it work from home. We call it work from anywhere, because you really can work from anywhere. Those employees may not be educated, they might not have any technical skills, they’re working off a home ISP and a home router that they may not have updated, they may not have patched.
Shawn Henry:
And because they’re off the corporate stack, many times there’s a lack of visibility by the company into what their employees are doing. Therefore, the target space has gotten much greater, and adversaries know that, and they’re exploiting this hybrid workforce. Companies have had on their roadmap a digital transformation to the Cloud, many companies, and typically it’s been a multi-year process. What we saw in March of this year was that multi-year digital transformation condensed to multi-week transformation. It’s a growing period, and companies are adapting to that, but they recognize that their employees are vulnerable, and that therefore, their network is vulnerable.
Shawn Henry:
So COVID-19 has changed the landscape. We are also seeing organizations, both organized crime groups and nation states, exploiting COVID-19. What do I mean by that? Not just because the target space is bigger, but actually using COVID-themed lures in phishing attacks. So here’s a news story on a recent strain that’s been identified, that people want to click on because they want to protect their health. Or here’s a map of the hotspots, the emerging hotspots, the reemerging hotspots. Click on this, and it’s got malware, or it directs you to a website that will download malware to your browser.
Shawn Henry:
And then building upon that, the economic stimulus that has occurred. And building on the COVID theme, adversaries using that as a lure to get people to execute malware in their environment so that they can gain control, and therefore have access to the corporate network. So it’s created this ecosystem that is much more vulnerable and much more dispersed, and very clearly being exploited. We’ve seen the number of attacks in our measurement, through our intel, in excess of 45% greater than this time last year, and we attribute much of that to a post-COVID environment.
John Carlin:
Wow, 45% year over year increase. That fits anecdotally with what I’m seeing, but I hadn’t heard that statistic before. I’ve also noted, and you’re touching on it, so there’s this general surge, and then in particular, we’re hearing more about ransomware attacks against health care facilities. I noted that prosecutors in Germany just opened a negligent homicide investigation in connection with the death of a German woman who was turned away from a hospital because they were suffering a ransomware attack, and then she later died. That’s a significant step to open a homicide investigation. As far as I know, and I’m curious your thoughts, I think that may be the first death that could be attributed to ransomware. Do you think that’ll change behavior at some of these institutions?
Shawn Henry:
I’ve always said, and people ask me all the time, “When are people going to pay attention to this?” And I’ve always said, “When it has a physical impact on them.” Because oftentimes, an adversary hacks into a network, they steal data, and all of it is somewhat transparent. You don’t actually see the data physically leaving. They’re not boxing it up and backing up an 18-wheel truck to the loading dock to leave. It all happens in the ether. And until you see a physical impact, and here, and I don’t have direct information on this, just what I’ve read in the media, about this death that was attributed to the ransomware because they could not conduct the procedure and needed to physically move her.
Shawn Henry:
I think that that does get people’s attention. I think that we have seen actual attacks through IoT, the Internet of Things, medical devices that have been impacted by ransomware and remotely by adversaries where, at least in the lab, not necessarily in the wild, been able to demonstrate their ability to shut things off or change calibration, which would have an impact on life. But I’ll take it another step further, John, and when you think about critical infrastructure like SCADA systems, and the electric power system, and dams and transportation and communication, where those things can be impacted, and what would the impact be on life if you’re able to shut things down for days or weeks?
Shawn Henry:
Some of the attacks we’ve seen beyond ransomware. You’re very familiar with [inaudible 00:41:37] and the destructive nature of that attack, where whole systems were offline for weeks, or in some cases at least operating inefficiently for months because of that attack, where physical infrastructure was destroyed. And I think that that’s what’s on the horizon. That’s not going away. And that is absolutely evidenced by what we’re seeing right now with ransomware. The number of attacks we’re seeing by ransomware on municipalities and hospital systems, education institutions, where adversaries don’t really care about anything but the dollars, and they recognize some of these facilities are not adequately protected, they don’t necessarily have the expertise to protect themselves, or they don’t have the technology to protect themselves.
Shawn Henry:
And they can’t afford to be down because their constituents need to study, need to do surgery, need to let their [inaudible 00:42:31] system operate. And if ransomware is locking up the files that prohibit that from happening, these people are going to pay. So they’re all about the money, they’re motivated by the finances, and they’re not really considering the impact on innocent civilians. And that, to me, we are already seeing it at CrowdStrike, and we are going to continue to see those types of attacks because they’re effective and they’re making people a lot of money.
Shawn Henry:
Last point on that, because extrapolating back to the election, if an adversary, or an organized crime group … Forget nation states. We’ve been talking about nation states and the election. Organized crime group, if they’re able to encrypt the voter registration servers or databases, or they’re able to access some other critical part of the infrastructure and shut it down through a ransomware attack or a denial-of-service attack, one, what impact might that have on the actual election itself, but on two, on the mentality, the morale, the concern of citizens, if that’s able to happen? I said a lot there, so I’ll stop talking, but these are things that are concerning me.
John Carlin:
And that last is a vital point I’ve worried about a lot. Places are getting hit every day. There are thousands of different municipalities involved in an election, so you really could see impact, as you say, from a ransomware attack of an opportunistic criminal group that’s just out to make a buck, that ends up impacting the sense of fairness of the election, even if results are ultimately tabulated. On that, a couple questions. One is, if you could make policy tomorrow, would you make it unlawful to pay a ransom?
Shawn Henry:
I’ll say this. And I know you’ve seen OFAC rules and the thoughts of the Treasury about where money is going, and is it fueling this? And I would say it is fueling it. It’s successful. These organized crime groups are making money. If they weren’t making money, they wouldn’t continue to do it. So my philosophy is, you don’t pay. And what you do is, you are in the preventative mode, and you need to actually have technology in place, and you need to have capabilities in place to actually stop this from happening. And if you can’t do that, you’ve actually got the ability to reconstitute your environment to get yourself back up and running without paying for it.
Shawn Henry:
That said, I know companies that have been stuck in a position that they don’t have any way to get out, and it is potentially an existential threat to them, that they’ve got such critical data that is now unrecoverable, that they need to get it back. And they make a business decision. And I don’t subscribe to paying those ransoms, because it does encourage and allow this to persist, but I understand why some companies have done that.
John Carlin:
So yeah, two important points there. One is, what you’re saying is, if you want to avoid being in a situation where you feel like you need to make a payment as a business or a municipality, in addition to defensive steps, one of the most important defensive steps you could think about now, and I’m sure you’ll join me, Shawn, in saying everyone after they’ve suffered one of these attacks, spends a lot more both time and actual resources on resilience. And these days, it’s harder to have backups because the bad guys look to get high level access in your systems if they can, and they go after the backups.
John Carlin:
So you need to make sure that they’re both backed up and separate from your network, and also that those who have access to it are very few, that their accounts are monitored, that they have multi-factor authentication, in other words, not just a username and password. And the other thing you bring up is, last week there was guidance put out by the Department of Treasury, and specifically the part of the Department of Treasury that administers sanctions, that says, “Hey, this country is a country where you can’t do business with them using the US dollar, or it’s a violation,” or a criminal group. Like they’ve designated famously, there is actually a criminal group that goes by the name Evil Corporation.
John Carlin:
Just in case you had any doubts about whether what they were doing was evil, they named themselves Evil. The Treasury Department has designated that group. That means, if they’re designated, then it would be unlawful to make a payment. So the way the law works right now, if it’s a designated entity, then you’re not permitted to make the payment. But if it is all the other groups that are out there that haven’t been designated yet, and it’s legally permissible … And Shawn, I think you’re encouraging people not to pay, but I don’t hear you going so far as to say that the law should change to make it illegal.
Shawn Henry:
I honestly want to see people focusing on preventing this from happening. I subscribe to the fact that if you pay, you are encouraging this to happen again, to your neighbor in your industry, to others around the globe, because again, this is not focused on the US, this is a global issue. And it’s going to go on indefinitely, and some of these adversaries are in places where law enforcement is never going to get access to them. Therefore, they will continue uninterrupted, because the return on investment is substantial.
Shawn Henry:
Companies need to invest into their system, they need to put strategic programs into place, they need to have technology that allows them to identify these attacks and disrupt them before they impact them. I think, John, about, again, I said earlier, lots of physical and digital similarities. And you think about people, somebody who might be severely overweight, they don’t eat right, they don’t exercise, they smoke. And as soon as they have a heart attack, they go on a weight loss program, they quit smoking, and they start exercising.
Shawn Henry:
And I say to myself, “Had you done that five years ago, you know that a heart attack is a likely occurrence or something that’s a possibility, certainly, if you engage in this type of behavior. Why wouldn’t you change your behavior?” And I look at companies now that get hit with ransomware, and then they have an immediate need, and they want somebody to immediately come out and help remediate. And of course, we do that as part of a service, but my point is, you can proactively make these changes now, and not have to suffer through the metaphorical heart attack. And it is the right thing to do for your customers, for your employees, for your shareholders. And I think it’s really important for people to invest in themselves and not wait for something bad to happen.
John Carlin:
Shawn, it’s been a pleasure working with you over the years. I think people listening can hear your passion that you have for protecting people, that you had both at the FBI and now working with you in your new spot at CrowdStrike. But before we wind up the interview, I did want to ask something non-cyber-related, and that is, how did you become involved with one of the great mysteries of the modern era, the disappearance of Amelia Earhart? Where’d you even find the spare time to be working on that? Tell us a little bit about that.
Shawn Henry:
A TV producer who I’d met in the course of my career, and he had been working with a former federal agent who had actually been, for about a decade, engaged in the search for Amelia Earhart. And he actually found the pictures that were, I think clearly indicative of Amelia Earhart being in the Marshall Islands, that she landed her plane safely, her and her navigator, Fred Noonan, in the Marshall Islands. And he said he wanted to put this documentary together, but he wanted somebody with an investigative background who could kind of oversee and lead the investigation.
Shawn Henry:
So I did. I took him up on that, and it was a lot of my free time on weekends, and traveling a little bit over a Christmas holiday to go to the Marshall Islands, to go to Saipan, and to interview people who had familiarity with what happened and had heard from others, family members of people who were involved in this. So for me, it was just another great investigation about a historical episode that had been a tremendous mystery for almost 80 years. And I think that when we finished that, I think that the evidence proves beyond a reasonable doubt, there’s always going to be some doubt, but beyond a reasonable doubt that she actually did land in the Marshall Islands and was taken by the Japanese. How she ultimately died, I’m not sure, but I think the evidence really does demonstrate that that’s what happened.
John Carlin:
Shawn Henry, it’s been a pleasure. Thank you.
Shawn Henry:
Thanks, John, for your partnership over the years back in government and for what you’re continuing to do. I think that one of the things we haven’t talked about, but I think is so critically important, is leadership in this space, and for people to have the courage to stand up and to challenge their colleagues and coworkers to take this issue seriously, to protect the infrastructure, because our failure to do that is going to be catastrophic in its consequences. And I really do feel that way, and I appreciate you acknowledging my passion. And it’s really because our families, our citizens, and our loved ones are at risk, and we really got to stand strong. So thanks for doing what you do. I appreciate the opportunity to stay in this fight.
John Carlin:
Cyber Space is presented by CAFE. Your host is John Carlin. The executive producer is Tamara Sepper. The senior producer is Adam Waller. The senior audio producer is David Tatasciore. And the CAFE team is Matthew Billy, Nat Weiner, Sam Ozer-Staton, David Kurlander, Noa Azulai, Jake Kaplan, Calvin Lord, Geoff Isenman, Chris Boylan, Sean Walsh, and Margot Maley. The music is by Breakmaster Cylinder. Today’s episode was brought to you in collaboration with Brooklyn Law School’s BLIP clinic. Special thanks to Amanda Kadish, Isabel Augosto, Jordan Khorshad, and Molly Rivkin.