Good morning, it’s nifty to endure here. I desire to give thank you lot Father Burns, Provost Quigley, as well as Boston College for coordinating this conference. Let me start yesteryear proverb how honored I experience to endure hither representing the 37,000 men as well as women of the FBI.
As I brand my way around our 56 patch offices, our Headquarters divisions, as well as our Legat offices around the world, I encounter instance afterwards instance of selfless, relentlessly hard-working, honest, brave as well as professional person folks. Patriots. And I couldn’t endure to a greater extent than proud or inspired, but at the same fourth dimension pretty humbled, to stand upward with them every bit nosotros human face upward the formidable challenges of today—and tomorrow.
The function of the FBI, to seat it mildly, is complex as well as covers exactly close every threat nosotros face. This morning, of course, I’m focused primarily on the cyber threat. Many of you lot withdraw hold been thinking close the threats inwards this particular arena for a long time. Before taking this job, the final fourth dimension I had to call upward seriously close cyber security through a constabulary enforcement as well as national security perspective was thirteen years ago. Back then, I was caput of the Justice Department’s Criminal Division, which included the Computer Crimes as well as Intellectual Property Section, overseeing cyber investigations. It’s fair to say that no surface area has evolved to a greater extent than dramatically since then, given the breathtaking as well as blistering stair of technological change. And I’ve tried over the yesteryear half-dozen months to start catching upward on all things cyber.
So perhaps the most useful thing I tin practise today is to offering the viewpoint of someone who’s looking at this basis with fresh eyes. I’d similar to verbalise to you lot close what the cyber threat moving painting looks similar today, what the FBI is doing close it, as well as most importantly, what’s the way forward? Where’s the threat going? And where practise nosotros demand to endure to run across that threat?
How Things Have Changed
The cyber threat has evolved dramatically since I left DOJ inwards 2005, partly exactly reflecting how much the digital basis has itself evolved over that time. Back then, “tweeting” was something only birds did. I’ve noticed it’s a fleck to a greater extent than pop now. Today, nosotros alive much of our lives online, as well as everything that’s of import to us lives on the Internet. And that’s a scary thought for a lot of people. What was i time a comparatively modest threat—people hacking for fun or for bragging rights—has turned into full-blown economical espionage as well as extremely lucrative cyber crime.
This threat is straight off coming at us from all sides. We’re worried—at the FBI as well as with our partners—about a wider hit of threat actors, from multi-national cyber syndicates as well as insider threats to hacktivists. And we’re concerned close a wider gamut of methods, from botnets to ransomware, from spearfishing as well as work organisation email compromise to illicit crypto mining as well as APTs. We’re seeing an growth inwards nation-state sponsored reckoner intrusions, similar final year’s massive WannaCry ransomware attack, of late attributed to North Korea, as well as NotPetya—the most destructive as well as costly cyber laid on inwards history. Launched yesteryear the Russian military, NotPetya resulted inwards billions of dollars inwards harm across Europe, Asia, as well as the Americas.
We’ve also begun seeing a “blended threat”—nation-states using criminal hackers to practise their dingy work. Nation-state actors are also turning to to a greater extent than creative avenues to pocket information. They are no longer dependent on exactly intelligence services to send out their aims. Instead, they utilize people from all walks of life—hackers, businesspeople, academics, researchers, diplomats, tourists, as well as anyone else who tin acquire their hands on something of value.
We at the FBI are inwards the work organisation of protecting vital assets, whether those are authorities province secrets or corporate merchandise secrets, as well as nosotros facial expression frontward to working with folks similar you lot to aid protect your crown jewels.
What Are We Doing About Cyber?
So what’s the FBI doing close the cyber threat? Realistically, nosotros know nosotros can’t forbid every attack, or punish every hacker. But nosotros tin build on our capabilities. We tin strengthen our partnerships as well as our defenses. We tin acquire ameliorate at exchanging information to position the telltale signs that may aid us link cyber criminals to their crimes. And nosotros tin impose a diversity of costs on criminals who call upward they tin cover inwards the shadows of cyber space. We tin practise these things—and nosotros are.
We’re improving the way nosotros practise work organisation as well as blending traditional investigative techniques with technical capabilities. We’re assigning function based on cyber experience as well as ability, rather than jurisdiction. We withdraw hold white-hat Cyber Action Teams of highly skilled agents as well as experts who tin deploy at a moment’s notice, much similar our Counterterrorism Fly Teams. We withdraw hold Cyber Task Forces inwards every patch component that response to breaches, send victim-based investigations, as well as collect malware signatures as well as other actionable intelligence—much similar our highly successful Joint Terrorism Task Forces.
We know that nosotros demand to a greater extent than cyber as well as digital literacy inwards every computer program throughout the Bureau—organized crime, crimes against children, white-collar crime, exactly to call a few. We’re embedding non-cyber agents with cyber squads, so they also tin acquire how to send cyber investigations. We’re sending non-cyber personnel to cutting-edge cyber training. We’re also bringing intelligence analysts from the patch to Headquarters to acquire to a greater extent than tactical cyber experience. And we’re boosting our preparation for our most cyber-savvy agents, offering interactive, kicking camp-type classes to walk agents through simulated cyber investigations—including reckoner intrusions as well as phishing schemes.
Raising the average proficiency across the scheme volition allow all of our investigators to counter threats to a greater extent than efficiently as well as effectively, patch freeing our truthful cyber “black belts” to focus on the most vexing attacks, similar nation-state cyber intrusions. One number I’m fixated on is whether we’re recruiting, hiring, as well as preparation straight off the sort of tech-savvy people we’ll demand inwards five,10, or fifteen years. We demand to non only recruit ameliorate from the outside; nosotros demand to bolster our preparation within the Bureau to give to a greater extent than of our agents as well as analysts the science laid as well as experience they demand to function cyber cases.
We’ve strengthened our investigative capabilities, but nosotros demand to hold doing ameliorate to genuinely lay hands on the culprits as well as lock them up. And fifty-fifty where nosotros can’t attain them, we’re straight off using all the tools at our disposal—we’re “naming as well as shaming” them with indictments as well as we’re seeking sanctions from the Treasury Department. We’re going afterwards their criminal infrastructure as well as we’re seizing their assets.
We’re also edifice on our partnerships. One of the things that’s jumped out at me coming dorsum to the Bureau is how much to a greater extent than committed as well as enthusiastically invested the FBI straight off is inwards partnerships—especially yesteryear comparing to 10 or fifteen years ago. It’s much to a greater extent than a component of the deoxyribonucleic acid of the scheme than I, frankly, expected to find, as well as I call upward it’s a nifty thing for the province as well as for the world. It’s a mindset of: What tin nosotros convey to the table? What tin they convey to the table? How tin nosotros correspond strengths, so that when nosotros seat the 2 that the FBI has, together with the 2 that each of our partners has, it makes non four, but v or half-dozen or seven?
We’re working to a greater extent than closely with our federal partners. Just every bit an example: Seven federal agencies, including DHS, withdraw hold detailed personnel to our Cyber Division. This threat is moving so apace that whatever fourth dimension for turf battles is long gone. To those of you lot inwards the private sector, I would say this: It doesn’t thing if you lot telephone phone us, or DHS, or whatever other agency—we all function together, so your information volition acquire where it needs to acquire out as well as you’ll acquire the aid you lot need. We attention less close who you lot telephone phone than that you lot call, as well as that you lot telephone phone every bit promptly every bit possible.
We’re also working to a greater extent than closely with our unusual partners. We withdraw hold a strong human relationship with the European Cybercrime Centre (EC3). We withdraw hold cyber agents embedded with our international counterparts inwards strategic locations worldwide, helping to build relationships as well as coordinate investigations. We’re sharing actionable information—details of cyber tools as well as operational infrastructure. And we’re working with our partners around the globe to curb our adversaries’ might to send farther attacks or generate illicit funding.
We’re also trying to function ameliorate with our private sector partners. We’re sharing indicators of compromise, tactics cyber criminals are using, as well as strategic threat information whenever nosotros can. I’m sure enough you lot tin appreciate at that spot are times when nosotros can’t percentage every bit much every bit we’d similar to, but we’re trying to acquire ameliorate as well as smarter close that.
The goodness tidings is, we’re making progress. Last summertime nosotros took downward AlphaBay—the largest marketplace on the DarkNet. Hundreds of thousands of criminals were anonymously buying as well as selling drugs, weapons, malware, stolen identities, as well as all sorts of other illegal goods as well as services through AlphaBay. We worked with the DEA, the IRS, as well as Europol, as well as with a number of partners around the globe, to dismantle the illicit work organisation completely. But nosotros were strategic close the takedown—we didn’t desire to rush it as well as lose these criminals. So, nosotros waited patiently, coordinated with other agencies as well as nosotros watched. When nosotros struck, AlphaBay’s users flocked to some other DarkNet marketplace—Hansa Market—in droves. Right into the hands of our Dutch constabulary enforcement partners, who were at that spot waiting for them, as well as they closed downward that site, too.
And exactly final month, DOJ extradited the operator of the Kelihos botnet. Last year, the Kelihos botnet distributed hundreds of millions of fraudulent e-mails, stole banking credentials, as well as installed ransomware as well as other malicious software on computers all over the world. We worked with our unusual constabulary enforcement partners inwards both Kingdom of Spain as well as the Netherlands to position as well as apprehend the Russian hacker as well as dismantle the botnet.
Through our continuous function together, we’re forming stronger partnerships as well as adapting our strategy to endure to a greater extent than nimble as well as effective. But the bad tidings is, we’re non the only ones edifice partnerships as well as adapting—the criminals practise that too.
I mentioned the blended threat earlier. You’re in all likelihood aware of the Yahoo matter, where hackers stole information from to a greater extent than than 500 i thou 1000 Yahoo users. In response, final February, nosotros indicted 2 Russian Federal Security Service officers as well as 2 well-known criminal hackers who were working for them. That’s the blended threat—you withdraw hold intelligence operatives from nation-states similar Russian Federation straight off using mercenaries to send out their crimes. Last March, our partners inwards the Royal Canadian Mounted Police arrested i of the hackers inwards Canada. The other 3 are Russian citizens living inwards Russia—but nosotros made the judgment that it was worth calling them out, so straight off they’re also fugitives wanted yesteryear the FBI, which agency their opor-garai destinations are to a greater extent than limited.
We’re making strides, but the FBI needs to practise to a greater extent than to run across the cyber challenge. For example, nosotros desire to practise to a greater extent than to mitigate emerging threats. While nosotros may non endure able to halt all threats before they begin, nosotros tin practise to a greater extent than at the foremost to halt threats before they acquire worse. But nosotros demand the private sector to function with us. At the FBI, nosotros process victim companies every bit victims. So, please, when at that spot are indications of unauthorized access to—or malware introduce on—critical information technology systems, when an laid on results inwards a meaning loss of data, systems, or command of systems, when there’s a potential for impact to national security, economical security, or populace wellness as well as safety, or when an intrusion affects critical infrastructure, telephone phone us. Because nosotros desire to aid you, as well as our focus volition endure on doing everything nosotros tin to aid you.
The Way Forward—Digital Transformation
As cyber threats evolve, nosotros demand to evolve every bit well. This agency evolving both our day-to-day operational strategies as well as our broader approach to treatment global digital challenges.
To combat these blended threats as well as worldwide reckoner intrusions, nosotros tin no longer exactly investigate private parts of a criminal scheme occurring inwards i jurisdiction. We demand to focus our efforts on dismantling the entire cyber enterprise. We’re prosecuting the actors, burning their infrastructure, as well as seizing their illicit proceeds. We’re taking downward the groups running malware campaigns as well as the criminals who back upward them—those who operate the night markets, compromise networks as well as servers, as well as the people who purchase as well as sell stolen data. Think of it every bit going afterwards the distribution band as well as the manufacturer rather than only taking out the drug dealer on the corner. And nosotros demand to withdraw hold a global perspective. We demand to delegate roles as well as responsibilities across multiple patch offices as well as to international partners—so that nosotros tin percentage information inwards existent time, every bit nosotros target as well as dismantle the most meaning cyber enterprises.
Another thing driving the FBI’s function frontward is that at some point, we’ll withdraw hold to halt referring to all technical as well as digital challenges every bit “cyber.” On the i hand, sophisticated intrusions as well as cyber policy issues are really much at the forefront of the conversation. But nosotros also withdraw hold to recognize that there’s straight off a applied scientific discipline as well as digital constituent to almost every case.
Transnational criminal offense groups, sexual predators, fraudsters, as well as terrorists are all transforming the way they practise work organisation every bit applied scientific discipline evolves. Huge swaths of these crimes withdraw hold a digital constituent or occur almost only online. And novel technical trends are making the investigative surroundings a lot to a greater extent than complex. Just a few months ago, for example, 3 immature men pled guilty to creating the Mirai botnet—malware that exploited to a greater extent than than 100,000 devices connected to the Internet of Things. The botnet overwhelmed websites, similar the attacks that took downward Netflix as well as Twitter final year.
The digital surroundings presents novel challenges that the FBI has to address inwards price of what’s coming downward the pike. Advances similar artificial intelligence or cryptocurrencies withdraw hold implications non exactly for the commercial sector, but for national security. Encrypted communications withdraw hold changed the way criminals as well as terrorists computer program their crimes. More on that inwards exactly a moment. And the avalanche of information created yesteryear our utilisation of applied scientific discipline presents a huge challenge for every organization.
I’m convinced that we, the FBI—like a lot of other organizations—haven’t fully gotten our arms around these novel technologies as well as how they may impact our national security as well as cyber security work. On our end, nosotros know nosotros demand to endure working with the private sector to acquire a clearer understanding of what’s coming around the bend, of what we’re non seeing yet—but presently will. We demand to seat our heads together inwards conferences similar this as well as inwards other ways, to endure ameliorate prepared. Not exactly to human face upward electrical flow threats, but to human face upward the threats that volition come upward at us five, 10, as well as fifteen years from now.
When I was final inwards government, I saw how the 9/11 attacks spurred the FBI to fundamentally transform itself into a to a greater extent than intelligence-based national security organization. In the same way, I believe the novel digital surroundings demands farther telephone substitution transformation from us. Some of our smartest people are thinking strategically close how the entire FBI tin evolve inwards this rapidly changing environment. To practise that nosotros also demand to focus to a greater extent than on innovation, approaching problems inwards novel ways, with novel ideas—which isn’t something that ever comes naturally to government. We can’t exactly rely on the way we’ve ever done things. And I don’t hateful exactly technological innovation—although that’s a huge component of it. I’m talking close excogitation inwards how nosotros approach challenges, excogitation inwards partnerships, excogitation inwards who nosotros hire, excogitation inwards how nosotros train, as well as excogitation inwards how nosotros build our workforce for the future.
So nosotros demand to a greater extent than of the correct people, as well as to a greater extent than innovation. But the FBI can’t navigate that digital landscape alone. We also demand to acquire out on edifice on our partnerships with our counterparts inwards federal agencies, with our international counterparts, with the cyber inquiry community, as well as with the private sector.
Finally, inwards some cases nosotros may demand lawmakers to update our laws to hold stair with technology. In some ways, it’s every bit if nosotros notwithstanding had traffic laws that were written for the days of the horse-and-buggy. The digital surroundings agency nosotros don’t only demand improved technical tools; nosotros also demand legal clarifications to address gaps. Bottom line: We demand to endure a forcefulness of specialized, technically trained personnel that’s cutting-edge, forward-leaning as well as able to fully investigate as well as combat the various cyber threats.
Going Dark
I desire to roll upward yesteryear talking close i of our biggest challenges connected to the digital revolution. I’m referring, of course, to the Going Dark problem. We human face upward an enormous as well as increasing number of cases that rely on electronic evidence. And nosotros human face upward a province of affairs where we’re increasingly unable to access that evidence, despite lawful ascendance to practise so. Let me give you lot some numbers to seat some meat on the bones of this problem.
In financial twelvemonth 2017, nosotros were unable to access the content of 7,775—using appropriate as well as available technical tools—even though nosotros had the legal ascendance to practise so. Each i of those nearly 7,800 devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat. Last autumn I spoke to a grouping of CISOs as well as someone asked close that number. He basically said, “What’s the large bargain with 7,800? There are millions of devices out there.”
We’re non interested inwards the millions of devices used yesteryear everyday citizens. We’re only interested inwards those devices that withdraw hold been used to computer program or execute criminal or terrorist activities. Some withdraw hold argued that having access to the content of communications isn’t necessary—that nosotros withdraw hold plenty of other information available exterior of our smart phones as well as our devices. Information similar transactional information for calls as well as text messages—metadata. While there’s a sure enough amount nosotros tin glean from that, for purposes of genuinely prosecuting terrorists as well as criminals—to genuinely forbid attacks as well as salvage lives through arrest as well as prosecution—words tin endure evidence, patch mere association betwixt subjects genuinely isn’t.
Being unable to access nearly 7,800 devices is a major populace security issue. That’s to a greater extent than than one-half of all the devices nosotros attempted to access inwards that timeframe. And that’s exactly at the FBI. That’s non fifty-fifty counting devices sought yesteryear other constabulary enforcement agencies—our state, local, as well as unusual counterparts. It also doesn’t count of import situations exterior of accessing a specific device, similar when terrorists, spies, as well as criminals utilisation encrypted messaging apps to communicate, which is an increasingly widespread problem. This work impacts our investigations across the board—human trafficking, counterterrorism, counterintelligence, gangs, organized crime, kid exploitation, as well as cyber. And this number comes upward inwards almost every conversation I withdraw hold with leading constabulary enforcement organizations, as well as with my unusual counterparts from most countries—and typically inwards the foremost thirty minutes.
Let me endure clear: The FBI supports information security measures, including strong encryption. Actually, the FBI is on the front end line fighting cyber criminal offense as well as economical espionage. But information security programs demand to endure thoughtfully designed so they don’t undermine the lawful tools nosotros demand to hold the American people safe.
While convinced of the problem, I’m opened upward to all constructive solutions, solutions that pick out the populace security number seriously. We demand a thoughtful as well as sensible approach, i that may vary across work organisation models as well as technologies, but—and I can’t stress this enough—we demand to function fast.
We withdraw hold a whole bunch of folks at FBI Headquarters devoted to explaining this challenge as well as working with stakeholders to detect a way forward. But nosotros demand as well as desire the private sector’s help. We demand them to response to lawfully issued courtroom orders, inwards a way that is consistent with both the dominion of constabulary as well as strong cybersecurity. We demand to withdraw hold both, as well as tin withdraw hold both. I recognize this entails varying degrees of excogitation yesteryear the manufacture to ensure lawful access is available. But I exactly don’t purchase the claim that it’s impossible.
For i thing, many of us inwards this room utilisation cloud-based services. You’re able to safely as well as securely access your e-mail, your files, as well as your music on your habitation computer, on your smartphone, or at an Internet cafĂ© inwards Tokyo. In fact, if you lot purchase a smartphone today, as well as a tablet inwards a year, you’re notwithstanding able to securely sync them as well as access your information on either device. That didn’t spill out yesteryear accident. It’s only possible because tech companies took seriously the existent demand for both flexible client access to information as well as cyber security. We at the Bureau are only quest that constabulary enforcement’s ain lawful demand to access information endure taken exactly every bit seriously. We’re non looking for a “back door”—which I sympathize to hateful some type of secret, insecure agency of access. What we’re quest for is the might to access the device i time we’ve obtained a warrant from an independent judge, who has said nosotros withdraw hold likely cause.
Some of you lot may know close the chat as well as messaging platform called Symphony. This was used yesteryear a grouping of major banks, as well as marketed every bit offering something called “guaranteed information deletion,” with other things. Maybe the labeling, perhaps the content didn’t sit down also good with the friendly regulator downward the street—the New York Department of Financial Services. DFS was concerned that the characteristic could endure used to hamper regulatory investigations of Wall Street. In response, the 4 banks reached an understanding with the Department to aid ensure responsible utilisation of Symphony. They agreed to hold a re-create of all communications sent to or from them through Symphony for a catamenia of 7 years. The banks also agreed to shop duplicate copies of the encryption keys for their messages with independent custodians who aren’t controlled yesteryear the banks.
So at the end, the information inwards Symphony was notwithstanding secure, notwithstanding encrypted, but also accessible to the regulators so they could practise their jobs. I’m confident that yesteryear working together as well as finding similar areas to grip as well as compromise, nosotros tin come upward up with solutions to the Going Dark problem.
After all, America leads the basis inwards innovation. We withdraw hold the brightest minds doing as well as creating fantastic things. Influenza A virus subtype H5N1 responsible solution volition contain the best of 2 nifty American traditions—the dominion of constabulary as well as innovation. But for this to work, the private sector needs to recognize that it’s component of the solution. Again, I’m opened upward to all kinds of ideas. But I spend upward this notion that at that spot could endure such a house that no thing what sort of lawful ascendance you lot have, it’s utterly beyond attain to protect innocent citizens. I also can’t pick out that anyone out at that spot reasonably thinks the province of play every bit it exists now—much less the administration it’s going—is acceptable.
Conclusion
So that’s a perspective on cyber from the novel guy dorsum on the block. If i thing’s acquire out clear to me afterwards immersing myself i time to a greater extent than inwards this basis for the yesteryear few months, it’s the urgency of the project nosotros all face. High-impact intrusions are becoming to a greater extent than common; the threats are growing to a greater extent than complex; as well as the stakes are higher than ever. That requires all of us to enhance our game—whether we’re inwards constabulary enforcement, inwards government, inwards the private sector or the tech industry, inwards the security field, or inwards academia. We demand to function together to rest ahead of the threat as well as to accommodate to changing technologies as well as their consequences—both expected as well as unexpected.
Because at the destination of the day, nosotros all desire the same thing—to protect our innovation, our systems, and, higher upward all, our people. Thank you lot all for everything you’re doing, to brand the digital basis safer as well as to a greater extent than secure. I facial expression frontward to working with you lot inwards the years to come. Now I’d endure happy to pick out a few questions.
Comments
Post a Comment