The FBI and Cyber Crime: New Perspectives, New Partnerships, and New Ways of Doing Business
Remarks as delivered.
Thank you. Thank you for that kind introduction. I did take a shot at the New England Patriots on live television, which I heard about from one of my brothers, who betrayed the family when he moved to Massachusetts and became a Patriots fan.
What I want to do very briefly is share with you some thoughts that are top of mind today for the FBI. And then I want to shut up and take questions that I will try to avoid answering from the great Mike Leiter.
And I'm determined not to make news, for those of you who are following this.
First things that are top of mind, I want us to talk very, very briefly about how the FBI is thinking about our cyber strategy. Then I want to talk about a unique challenge to all of our work in the form of ubiquitous, strong encryption, and explain to you why that matters so much to the FBI, and why we are determined to continue to talk about it.
But first, our cyber strategy. To state the obvious for this room, all the threats the FBI is responsible for come at us through the Internet. Counterintelligence, all the criminal threats we're responsible for, and terrorists in the following way: to proselytize, to communicate, to inspire, to direct—not yet to use the cyber vector as a way of doing actual harm—inflicting harm on infrastructure—but logic tells us that’s inevitable for the terrorists’ mind to find that vector. And so, all the threats the FBI is responsible for will come at us in that way.
The first part of our strategy is humility. We are standing in the middle of the greatest transformation, I think, in human history. The way we learn, the way we work, the way we love, the way we connect, the way we believe; all is affected by the digital era, the digital revolution.
And so, we stand there with an attitude of humility because it would be foolish to say, we know how the FBI should grow and change and adapt to—for me—the transformation that has never happened in human history. We don't know for sure.
What we’re trying to do are things that are thoughtful, that make good sense to us and then get feedback from our own people, from our partners, from our colleagues around the world about whether it’s making sense, and then we will iterate.
But our strategy has five parts and actually, two parts of it I want to spend some time on. So, I'll run through it relatively quickly. Our first part of our strategy is we want to focus ourselves, and there are two aspects that I want to highlight for you the way in which we're trying to focus.
The first is the way we assign the work in the FBI. Traditionally in the FBI, the physical manifestation of an event is what drives the work assigning. So, if the bank robbery is in Chicago, the Chicago Field Office works the bank robbery. If the fraud is based in Seattle, the Seattle office.
We've come to the conclusion that the physical manifestation of a cyber intrusion isn’t all that meaningful, because it’s being committed likely by somebody far away from the physical manifestation, it’s being committed at the speed of light, and it may be quite random as to where the intrusion pops first.
And so, we’re approaching our work in a very different way for the FBI. We now assign computer intrusion work, whether that’s a nation-state, whether it involves a criminal syndicate, whether it involves a criminal syndicate working for a nation‐state, whether it involves hacktivists or somebody else, sort of the motley crew of people who are engaged in intrusions. We assign it based on talent.
We make a judgment as to which field office has shown the best chops against a particular dimension of a threat posed to us by a nation‐state and we assign it there because they've demonstrated the ability. But physical manifestations of intrusions are part of the real world and there really is a chief information security officer and there really is a CSO and a CEO of a company that’s been victimized. We're not blind to physical manifestation, and so we assign the threat to the talent and then we allow up to four other offices to help. The first office is called a “strat” office for strategic. The other offices are called “tac” offices for tactical. And then we air traffic control from Washington.
This has had a great effect inside the FBI because it has fostered an intense competition among field offices to generate and demonstrate the talent against various dimensions of the threat. And so if Little Rock shows they are best against a particular intrusion set from a foreign nation, it goes to Little Rock, regardless of where the hits are from that intrusion set.
So far, it’s working pretty well. So far, the air traffic control has worked well. But again, we stand here with humility and if it isn't working in some way, we're going to iterate. That’s the way we're now assigning the work.
The second way we're trying to focus ourselves is on stealing your talent, and here’s what I mean by that. The challenge we face at the FBI is that to have a special agent work in cyber, we need a variety of things. We need high integrity, we need fitness, we're going to give you a firearm on behalf of the FBI, and you have to be able to run, fight and shoot. So, we need integrity, fitness, then we need smarts, we need intelligence and then we need specialized knowledge to make you a cyber agent.
That collection of attributes is rare in nature. You may find integrity, somebody who can't do a push‐up, who has great specialized knowledge and general intelligence, or we'll find somebody who has great specialized knowledge, can pump out a push‐up, but wants to smoke weed on the way to the interview.
And so, we stare at the pool of talent and we have two reactions to the pool. We can't compete on money. You in the private sector have more money than we do. We acknowledge that to the people we're trying to recruit. Then we also make sure they understand that life with you is soulless and empty, he said half-kiddingly.
And if you want to do work with moral content, come to us. It’s not about the living, it’s about the life. A pitch that I know worked for a lot of you in this room of ours. And so, we try to recruit on moral content.
And then, we're trying to think differently about how we might generate that talent in a number of different ways. We're considering, do we really need gun carrying special agents making up an entire squad? Now we have squads of eight around the country.
Should we instead have two special agents and six something else’s, maybe people of integrity, people of high intelligence, people who have specialized knowledge, we don't give them a gun because they don't have that physical attribute? Maybe.
Something else we're considering is if we can find that integrity, that physicality and basic high intelligence, should we grow our own? Should we build our own university to take that talent and raise it up to be cyber talent? Maybe.
And should we also do something else that'd be very, very new for the FBI? Should we try to make the barrier between us and the private sector semipermeable, so that special agents might come and work for the FBI and then go work in the private sector, and then come back?
The current rule requires anyone who leaves for 24 months to go back through Quantico, and that’s a painful experience for people in their 40s. They all want to come back because they discover your lives are empty and soulless, and so they want to come back, but we've made real barriers to their returning. And might we be able to encourage people from the private sector to come work with us as that “something else”? Don't have to go through Quantico to learn to run, fight and shoot, and then return to the private sector.
Our minds are open to all of these things because we are seeking talent in a pool that is increasingly small. So you're going to see us experiment with a number of different approaches to this. And then I hope when you see us doing something that doesn't make sense, you'll tell us. When you see us doing something you think we ought to do more of, you'll tell us that as well. And it will be met with an attitude of humility. So, focusing in a better way our work and on how to get our best talent is our first part of our strategy.
The second part is we need to make sure that we—inside the government—have our act together in such a way that it doesn't matter to whom a victim of an intrusion or a cryptoware attack or some other attack, it doesn't matter who they tell in the federal government. We're in that place when it comes to counterterrorism.
You walk up to an FBI agent, a deputy sheriff, a police officer with a piece of information about a terrorism threat, it will get to the right place very, very quickly. It doesn't matter who you tell. We've got to get to that place inside the federal government. We made a lot of progress on that, trying to understand the rules of the road, but we still have work to do.
The third thing we're trying to do is impose costs. I don't know of a cyber intrusion that has ever been committed high on crack or inflamed by finding a lover in the arms of another. These are crimes, these are intrusions, these are attacks that are committed with reflection and calmness at a keyboard.
We think that’s an opportunity for deterrence, for influencing behavior. And so, we are keen to make sure that attacker, whether it’s somebody sitting in a government office halfway around the world, or in a basement somewhere in the Pacific Northwest, that they feel our breath on the back of their necks, maybe literally, but at least metaphorically, as they begin that intrusion activity.
We think we can shape behavior by locking people up, and where we can't lock people up, by sending a message of pretty scary deterrence, faces on wanted posters. And people sometimes say to me, yeah, but the hacker is somewhere halfway around the world working for another government or they're sheltered by a government, how are you ever going to get them?
And my response is that life is long, the world is short, we are dogged people. We just gave up on D.B. Cooper.
And that took us about 52 years, I think. For those of you who are young, he was a guy who jumped out of an airplane over the Pacific Cascades and we hunted him for 50 years. We're pretty sure he’s dead now, so we're giving up. But when your face goes on a wanted poster, we are not going to give up in your lifetime. And that can change behavior. So you will see us trying to send those messages to shake people as they think about intrusions.
The fourth aspect of our strategy, I won't spend a lot of time on, is to help our brothers and sisters in state and local law enforcement raise their digital game, because everything they do requires digital literacy. In the good old days, a narcotics detective would roll‐up on a location, execute a search warrant at a drug house and find not just drugs and money, but one of those black composition notebooks and the dealers would have written who got how much and how much they were and that had to be photocopied and an exhibit sticker put on it and you were good to go.
Today, there’s no black composition notebook. There’s a PDA, there’s a thumb drive, there’s a laptop, there is a digital device. We have to help our colleagues get to that work in a quality way because there’s simply no way the FBI could be part of helping with all of it.
I'm told that people get e-mails from me when I'm in Nigeria asking for money to be wired. I usually do not identify myself as the President of Federal Bureau of Investigation. Don't send me any money. But people do get ripped off and the Bureau can't reach all of that. So the fourth part of our strategy is help our partners raise their game and there’s a lot behind that, but I'll leave it there.
The fifth thing, which is the one I want to spend just a few minutes on, we must get better at sharing information across the boundary – and there should be a boundary between the public sector and the private sector. We have to find ways consistent with the law and policy and tradition and culture to make the barrier between us and the private sector semipermeable in some fashion.
And the reason for this is nearly all of the intrusion activity in the United States—coming at the United States—hits the private sector. All the victims are in the private sector, all the indicators are in the private sector, all the evidence if you want to go criminal is in the private sector. We are not nearly good enough at getting information from the private sector to us, getting information from us to the private sector.
This, I believe, is actually a problem not so much of law but of lore. And the biggest problem—I was a general counsel as you heard—the biggest problem is people like I was—who are spotting risks and calling them out. Because we give that information to the government, will it be used against us in competition? Will it be disclosed to Congress in some way that it becomes public? Will we get sued? What will our shareholders say? How will this hurt the enterprise? I see too many risks.
What you ought to do is hire one of the great firms that can help us remediate and let’s get back on with our business. Even people saying, yes, our files are locked up with ransomware, let’s just pay the ransom and get on with it. Most of the intrusions in this country are not reported to law enforcement and that is a very bad place to be.
People are foolish and short‐sighted to think that their interests in the private sector are not aligned with ours when it comes to this. Because you're kidding yourself if you don't realize that the hackers will be back, if not to you, then to your subsidiaries and your supply chain. Those with the ransomware will be back, especially if you paid them off. Our interests are aligned.
The challenge we face is having the private sector know us well enough to realize we understand what a victim is and we treat victims for what they are, which is victims. And we do not re‐victimize people. Whether that’s a sexual assault case or an armed robbery case, a Mafia case or a computer intrusion case—we have lots of practice at this.
Our challenge is people don't know us well enough. Too much confusion and skepticism and distance derived from misunderstanding and myths. So the FBI’s mission is to get out and talk to the private sector and let you know what we're like.
Now, I liken this to a journey that the CIA and the FBI have traveled since the mid‐1980s. And that’s what I mean by the difference between law and lore. Most of the people in this room know that in the mid‐1980s, the Classified Information Procedures Act was passed that offered us certainty about how sources and methods would be treated and protected, so if the Government decided to use a criminal prosecution to incapacitate, to reassure the intelligence community that we're not going to blow sources and methods, there’s this framework and here’s how it will work.
That did not get the job done because that’s law. It took us 20 years of building trust, case by case by case, so the intelligence community came to realize, “You know what? This really works, we really can trust the FBI to protect our sources and methods, to use these tools that have been on the books since the 1980s and use them in a way that protects us.”
That took us two decades to build that trust. It is in a very healthy place today. It is not in a healthy place when it comes to the private sector.
And so my ask, those of you who run companies—who are the chief security officers, the general counsels, the CEOs—is that if you don't know someone at the FBI office where your facilities are, you're failing. You are pushing on an open door, come and talk to us, understand in the event of an intrusion, in the event of an attack, what is it we need?
And you'll discover we don't need your memos. We don't need your e-mails. We need indicators of compromise. We need to know how did the bad guys come? What are the signals, what are the indicators that we can use to attribute and to try and impose costs and to help you get over this attack.
The Sony attack was a vicious, hugely damaging attack. It would have been worse if Sony hadn't invested the time to know us before the attack. Every single one of you works in a facility that your local fire department knows the general layout of, right? They don't know your intellectual property, they don't know your secrets, but they know where your standpipes are, where your elevators are, they know the general layout so that in the midst of a smoky disaster, they can save lives.
We knew Sony in that same way. We didn't know their secrets, we don't know their intellectual property. We knew their key people, we knew their facilities, we knew the layout of their network generally. And that day, within hours, we were on the ground helping stop the bleeding.
The private sector has to get to know us better if we're going to be more effective. But it doesn't stop there, because it’s bad that people don't share information to us. We don't do a good enough job at pushing information to the private sector.
We have a cultural impediment, which is, we have this information. If I give it to them, are they going to jeopardize sources and methods. Sometimes we forget that you don't need the sources and methods. You need indicators of compromise, so you can figure out how they're coming at you.
And all of you in the room know this, oftentimes private sector partners don't realize what ORCON means. Oftentimes, the FBI will have a piece of information. We can't just turn it over to you. We've got to go back to the people who own that information and gave it to us, but we can do that so much better than we're doing it today. We will get better. I hope you will help us get better as well.
And the last thing I want to leave you before I start avoiding Mike Leiter’s questions is this.
I intentionally did not talk a lot last year about the challenge we face from ubiquitous, strong encryption. Our judgment at the FBI was that this is a complicated issue with legal aspects, technical aspects, policy aspects, values—it was too complicated to discuss during an election year. I know you're thinking you're totally wrong, we could have nailed this during the election year, but we decided that we would not force a conversation about it, but that we would use the time to try to collect data so we could show people what’s happening to our world.
And here’s what’s happening. Imagine the FBI works in a room. A corner of that room has always been dark for the last 20 years. Sophisticated actors could always find encryption to lock‐up a device, encryption to cover data in motion, the sophisticated actors, nation-states, near nation-state actors.
What’s happened since the summer of 2013 is that dark spot has started to spread through the entire room. Ubiquitous default encryption on devices, ubiquitous default strong encryption on apps and other forms of communication has spread the shadows so it’s starting to cover more and more of our room.
I'll demonstrate this with the facts of our encounters with devices. October, November, and December, 2,800 devices were presented to the FBI in the United States with lawful authority to open them. Some from FBI investigations, others from state and local partners. They gave them to the FBI saying, we have a court order, can you help us?
In 43 percent of those cases, we could not open those devices with any technique—any technique. That is the shadow falling across our work. And they may say, who cares? I don't know, but I think America needs to have a conversation about this. Because I care deeply about privacy. Treasure it.
I have an Instagram account with nine followers. Nobody is getting in.
They are all immediate relatives and then one daughter’s serious boyfriend. I let him in because they're serious enough.
I don't want anybody looking at my photos. But I treasure my privacy and security on the Internet. My job, like a lot of people in this room, is public safety. Those two values, privacy and safety, are crashing into each other.
But I actually believe something more fundamental is happening. Especially with regards to devices, those devices contain so much of our lives—our business life, our social life—our lives are on those devices that we wear on our hip or we carry in our pockets. That’s a great thing. That has made us better in lots of different ways.
But it’s also introduced with ubiquitous default encryption a concept that’s new to America, which is absolute privacy. We have never had absolute privacy in this country. This country was founded on a bargain, which is that your stuff is private unless the people of the United States need to see it.
And then with appropriate predication and oversight—obvious example of that being enshrined in the Fourth Amendment—the government, the people of the United States can see your stuff. They can go through your safe‐deposit box, your sock drawer, your car. They can actually compel you to say what you remember in appropriate circumstances. We've never had absolute privacy.
The bargain was, we have this privacy that can be invaded with this predication oversight, so we achieve a balance between privacy on the one hand and security on the other. What’s happened to us now is we're drifting to a place where absolute privacy is a huge feature of American life. There are wide swathes of American life that are now off‐limits to judges. I'm not offering that as a value statement, that’s just a fact. That’s a different way to live.
If we are going to change the fundamental compact at the heart of this country, it should not be the FBI that does it, it should not be companies that are making amazing devices that do it. The American people ought to do it. And so, what I'm determined to do is not tell you what we ought to do to solve this problem, but to tell you there’s a problem and to urge all of you to participate in this conversation.
Maybe at the end of the day we say, you know what? The benefits of privacy in this instance are so important that we'll put up with the tradeoffs. Or maybe we say, you know what? The tradeoffs are so significant, we ought to see if we can't find a way to optimize both of those values better than we are today.
And I actually reject the idea that it’s too hard. I actually don't think we've given it the shot that it deserves. I don't know anybody in the private sector that’s actually making devices who is incentivized to try to figure out how to optimize those two values. They sell privacy, I get that. We're responsible for public safety. Somehow, we’ve got to bring those two together.
The FBI is an example of how it could be done. We give devices to our agents—some of our agents are here today. We give them devices that we work very hard to make secure. But we retain the ability, in appropriate circumstances, to access that content.
It does not require weakening encryption. It does not require giving the government a backdoor of some sort. I could actually imagine a world where someday, if you're going to sell devices in the United States, you're required to be able to comply with judicial orders. You figure out how.
I don't know whether we're going to go there, but first, we have to have a conversation about it. So, you're going to see the FBI trying to supply data to this conversation, stories of how it impacts our work, so that we can foster and inform debate.
Because what I don't want to have happen is—I have six years and a few months to go—that six years from now people say to me, hey, how come you didn't say something? I'm going to say something. This is affecting our national security work, counterterrorism, counterintelligence and all of our criminal work in profound ways, which you would expect because we're now living in a different way. We should talk about it.
And I thank you so much for joining that conversation and I will look forward to Mike’s questions.