“After the investigation of Operation Aurora, the cyberattack on Google from within China that was revealed in 2010, I realized a completely new type of security strategy and technology was needed. I was leading research at McAfee and had been involved in investigations of criminal activity online, working closely with law enforcement. Aurora put us up against a nation-state, not a criminal. I was briefing the State Department as they crafted statements for Hillary Clinton to make publicly about the issue.
The online criminal problem was and is a big issue, but it pales in comparison to what nation-state attacks are doing to this country and our allies. Google has one of the best security teams on the planet, better than most government organizations, but they and many other companies with very good security practices were still getting hit. The problem was not the security widgets and technology they were using; it was the strategy. That’s why I left McAfee to start CrowdStrike.
The industry and the government were using a passive strategy of trying to detect and block cyberattacks, and that doesn’t work against an actor that’s really determined. China’s army is not going to give up and say, ‘Well, we’re out of the cyber-espionage business.’ What you really want is for a cyberattack to be very costly and risky, so it is used only rarely and only against really high-value targets.
Today security companies look for malware and software exploits, but they change constantly. And new ones are launched by the hundreds of thousands each day. At CrowdStrike we look for traces of the adversary and try to find out who the adversary is, what they are after, and what their tradecraft is. We also disseminate that information to enable collective action. It doesn’t have to just be every company for themselves—they can band together and maybe join with government to put pressure on the enemy. We’re starting to see that with some of the public disclosures about China, including ones I’ve done, leading the U.S. administration to start talking openly about the problem. That helped lead to Obama raising the issue at his summit with the Chinese president.
We use data from many sources to detect traces of adversaries and uncover everything we possibly can about them. Our customers can find out who is targeting them and how. We’ve shown how we could see the Chinese navy crafting spear-phishing e-mails so we could warn targets before they even received one.
We call this new strategy ‘active defense.’ We respect the law, but we’re in discussions with Congress about making changes because most relevant laws were written in 1986. We should enable the private sector to engage in self-defense in the cyber world, like we do in the physical world. Mall cops protect property the government doesn’t have the resources to protect. A cyber-world equivalent could be allowing some licensed cybersecurity companies or individuals to take certain actions in defense of a network. That should not involve retaliations; hacking back to destroy the other guy’s machine has no useful purpose and should be illegal. But if you see your data going to some other network, why can’t you go into that network for the purpose of getting your data back, or take data off that machine to mitigate the damage? Allowing the private sector to do things like that can help companies make themselves a much less attractive target.”
—as told to Tom Simonite