19 April 2014

RSA Cyber Security Conference San Francisco, CA February 26, 2014

James B. Comey 
Director 
Federal Bureau of Investigation 

Remarks prepared for delivery.

Good afternoon. It is great to be here with you for what I hope will become a series of conversations over the next several years.

If you had told me a year ago that I would be standing here on this stage, talking to you about the FBI’s capabilities to fight cyber intrusions, I would have said you were crazy.

Last year, I left Bridgewater Associates to teach law at Columbia Law School. I got to spend time with my wife and children, got to help out around the house. I wanted to learn to play the piano, get in good shape, read books I long wanted to read. Life was good…for a few months. In March, I received a call asking me if I would be willing to be interviewed for FBI Director. I told the caller that I didn’t think so because it would be too much for my family, but I would think about it and call back.

I went to bed intending to call back in the morning and say “no.” The next morning, I found my wife on the computer, checking out real estate in the D.C area. She said, “Look, I’ve known you since you were 19 years old. This is who you are and what you love.” And then she paused for dramatic effect and said, “Besides, they’re never going to pick you anyway.” You can’t put a price on that kind of support.

My wife, Patrice, in addition to being enormously supportive, has taught me a lot about life. She might argue it’s because I have so much to learn. One of the most important things I’ve learned is the art of listening.

There are three kinds of listening. The first is what I like to call “Washington listening,” which amounts to just nodding and waiting for the other person to shut up so you can say what you knew you wanted to say before they started talking.

The second kind of listening is actually paying attention to what the other person is saying—actually hearing their words.

It took me the longest time to learn that real listening—active listening—is a third kind. And it is a contact sport. You hunch forward, trying to pull information out of that person. You listen with an ear toward actually being convinced. You’re saying, “I’m in this—I’m with you.” And it is exhausting. But it is the real deal.

I’ve been meeting with folks in the FBI and with our state and local counterparts, and I’ve been doing a lot of active listening. My goal is to understand everyone’s needs and to set expectations early in the game so that we are all on the same page.

My impression that the FBI is an incredible place has been confirmed over the past few months. We have folks all over the world, doing an amazing array of things—and doing them well. But, like all human organizations, we have problems. And we need to do a better job of listening to one another, to our law enforcement and intelligence counterparts, and to all of you to get a handle on our perspectives and what we need from one another.

I don’t need to explain the cyber threat to you. You are the experts. You know we face cyber threats from state-sponsored hackers, hackers for hire, organized cyber syndicates, and, yes, terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas. They may seek to strike our critical infrastructure and our economy. The threat is so dire that cyber security has topped Director of National Intelligence Jim Clapper’s list of global threats for the second consecutive year, surpassing both terrorism and espionage—even the threat posed by weapons of mass destruction.

Given the scope of the cyber threat, agencies across the federal government—including DHS, the Secret Service, and the Department of Defense—are making cyber security a top priority. Within the FBI, we are targeting high-level intrusions—the biggest and most dangerous botnets, state-sponsored hackers, and global cyber syndicates. We want to predict and prevent attacks rather than reacting after the fact.

FBI agents, analysts, and computer scientists are combining technical capabilities and traditional investigative techniques—such as sources and wires, surveillance and forensics—to fight cyber crime. We are working side-by-side with our federal, state, and local partners on Cyber Task Forces in each of our field offices. And we are training our state and local counterparts to triage local cyber matters so that we can focus on national security issues.

We are also working closely with our federal partners through the National Cyber Investigative Joint Task Force. Every key federal player is right there in one space—DHS, the CIA, the NSA, and the Secret Service, among many others—sharing cyber intelligence and working cases together. No turf battles or jurisdictional hurdles—just solid teamwork and collaboration.

Our legal attaché offices overseas coordinate cyber investigations and address jurisdictional hurdles and differences in the law from country to country. As you know, what is criminal here with regard to malware and intrusions may not be illegal overseas. We have special agents embedded with police departments in cyber “hot spots,” including Estonia, Romania, Ukraine, and the Netherlands, to identify emerging trends and key players.

But it isn’t enough.

We can’t do what we need to do without our private sector partners.

You are the primary victims of the evolving cyber threat. But you are also the key to defeating it. You have the information on your servers and your networks. And you have the expertise and the knowledge we need to stop these attacks.

We are actively listening to your concerns. We understand that you are reluctant to report intrusions, either because you’re worried the government will start rummaging around your networks or because you fear your reputation will take a hit in the marketplace. You may be reluctant to share information with your competitors. You’re worried about the loss of confidentiality and liability issues.

We don’t always clarify what information we need from you, and you think it will take too long to provide it. There’s no unified threat reporting system, and there is still some confusion about the “lanes in the road”—who is responsible for what in the federal government when it comes to cyber crime. How do you know who to turn to and how best to navigate the federal bureaucracy?

I get it. I know where you’re coming from. I came to the Bureau from eight years in the private sector—five years as general counsel with Lockheed Martin, and three years with investment manager Bridgewater Associates. You have a responsibility to your shareholders and to the board. Your focus is on the bottom line. And then the government knocks on your door with a long list of requests and not a lot to offer in return.

As general counsel, I spent a lot of time asking myself—and my team—the same questions: “How come we can’t get more information out of the government? How come they don’t share information? Nations and criminals are trying to steal all our stuff; why can’t they help us more?”

It often seems that the information flows just one way—to the government. Yes, we have information that we cannot always share. We are doing our best to change that. We need to share as much information as we can, as quickly as possible, and in the most usable format so that those of you in the private sector can take action. We need to continue to reduce our victim notification backlog so that you can take steps to minimize any breach. And we need to clarify what we are looking for when you discover that you’ve been attacked.

We understand that you need to zealously guard your proprietary information and your customer data. We are surgical and precise in what we are looking for, and we will do what we must to protect your privacy rights and your competitive advantage. We want to work with you to figure out what happened and who was responsible so that we can better defend our networks and our data, identify emerging trends, and protect the public.

But we have to work together to see the whole picture. Look, I can patrol the street and say, “Hey, the street looks safe,” but there are 50-foot walls on either side. And I can’t see through those walls, and I can’t get around them, so I don’t know what’s happening on the other side. We need your help to get past those walls, to protect you, and to do the job the American people have entrusted us to do.

We must provide the incentives, the means, and the assurances to share information quickly and routinely, as a matter of course. Effective partnerships are one way to do this.

The FBI has several great partnerships with the private sector already in place, such as the Domestic Security Alliance Council, InfraGard, and the National Cyber Forensics and Training Alliance. Many of you are familiar with these groups, and many of you contribute to their work. These partnerships are important. But we also need to cultivate one-on-one relationships.

Every special agent in charge of every field office should be on a first-name basis with key industry partners in their communities. And if they aren’t, I need to know about it. If the SAC in your community hasn’t reached out to you, take the initiative. As the old saying goes, the time to patch the roof is when the sun is shining. And it’s cloudy at best out there.

We also need the means to share information in real time—machine-to-machine.

To date, we’ve been fighting DDoS attacks at mere human speed, sending malware indicators, host names, and IP addresses to those in the private sector. We understand that sending a laundry list of IP addresses without any context isn’t useful and puts companies at risk of blocking legitimate web traffic. That’s why we created the FBI Liaison Alert System—the FLASH—to send specific data used in an attack and that we believe will be used again.

We are providing ISPs with the information they need to shut down compromised attack nodes. And whenever possible, we have warned potential victims of pending network attacks so they can shore up their defenses.

But human speed won’t cut it anymore. The cyber threat is too pervasive, too persistent, and too fluid.

Imagine a day where intelligence from combined sources—the government, anti-virus companies, ISPs, the financial services sector, and communications companies—is shared instantaneously, machine-to-machine, pursuant to law and with strong privacy protections in place. What if we were able to stop much of the malware as it transited the networks? It is no longer good enough to identify malware as it attacks your system.

We must be able to break down each intrusion into distinct phases. We need to create a blueprint, because even our most sophisticated adversaries will try to repeat successful attacks. We need to examine patterns and behaviors, to determine how they operate, and how best to stop them. We must build an intelligence-driven predictive capability. To do that, we need an automated intrusion system and a standard language and data format through which we all communicate in real time. And, of course, we need to do all of this while being mindful of the need to protect privacy and promote innovation.

But how do we get there?

We in the FBI have created a malware repository and analysis tool known as the Binary Analysis Characterization and Storage System, or BACSS, which provides near real-time investigative information. BACSS helps us link malware in different jurisdictions and paint a picture of cyber threats worldwide. Later this year, we will introduce an unclassified version of BACSS, known as Malware Investigator, for use by all of our partners.

If your company has been hacked, you can send the malware to us, and, in most cases, receive a report within hours on how it works, what it might be targeting, and whether others have suffered a similar attack. Our goal is to make BACSS the nation’s repository for malware and viruses, in the same way the FBI maintains fingerprints, DNA, and criminal arrest records.

We also want to provide a real-time electronic means for reporting intrusions. Through iGuardian, law enforcement and the private sector can quickly and easily pass information back and forth, both classified and unclassified. We can build on our collective knowledge and fight these attacks head-on.

This is the model we are striving for—using intelligence gathered from our own authorities and our own partners to stop a threat before it becomes a problem. This is the only true incentive we need—to prevent as many attacks as possible.

I want to touch on issues of privacy for a moment.

Some have suggested there is an inherent conflict between protecting national security and preserving privacy and civil liberties. I disagree. In fact, I think the ideas of “balance” and “trade-offs” are the wrong framework because they make it seem like a zero-sum game. At our best, we are looking for security measures that enhance liberty. When a city posts police officers at a dangerous park so kids and old folks can use the park, security has promoted liberty.

The men and women of the FBI are sworn to protect both national security and civil liberties. It is not a question of conflict; we must care deeply about both—in every investigation and every program.

The fact of the matter is that the United States faces real threats from criminals, terrorists, spies, and malicious cyber actors. That is reality. The playground is a very dangerous place right now. To stop those threats, the government needs timely and accurate intelligence to identify threat actors and to figure out what they are planning. That means we need to conduct electronic surveillance and collect data about electronic communications. That is also reality. The real question is this: How do we do that in a way that allows us to prevent bad things from happening to our own people and our allies, and, at the same time, protect privacy and civil liberties and promote innovation?

I’ve never been someone who is a scaremonger, crying wolf—but I’m in a serious business, so I want to ensure that when we discuss altering tools we use to collect information on an individual we believe to be connected to criminal, terrorist, or other unlawful activity, that we understand the benefits and trade-offs on the other side. The same is true when we allow the effectiveness of those tools to erode gradually over time through the failure to update our laws, or when our tools become less effective through unauthorized disclosures of our capabilities.

Intelligent people can and do disagree, and that’s the beauty of American life, but we need to make sure that everyone understands the risks associated with the work we do and the choices we make as a country.

The same considerations exist with regard to cyber security. Before he left, Director Mueller told me that he believed cyber issues would come to dominate my tenure as counterterrorism had dominated his time as Director. And I believe he is right. We must be agile and predictive on every front. And we must use every tool and authority at our disposal to stop these malicious activities.

The cyber threat is different than the terrorist threat, of course, because we have not yet experienced a watershed event like the attacks of September 11th, but we all recognize that we are at risk and that we must act quickly.

Look, these are tough issues. And there are legitimate questions and important things to discuss. I hope you know a bit about my history—I have dedicated my career to upholding the rule of law, and I am committed to making sure that people understand how the government is using its legal authorities. But finding the space and time in American life to understand these issues is very hard.

My hope is that we can resolve these issues through open and honest communication. That’s my goal. It’s my goal within the FBI, with our state, local, and international counterparts, and with all of you.

We simply must work together and play to our strengths. When it comes to cyber security, you have the technical expertise, the infrastructure, and the innovation. And you are often the first to see what’s coming over the horizon. We have the intelligence and law enforcement capabilities and the global presence. We are each playing to our strengths. But even that isn’t enough. We’ve got to play as a team.

It won’t be easy. And we won’t always see eye to eye. Basketball coach Phil Jackson—the so-called Zen master of the court—knew that each player held the power to make or break the team. In his words, “The strength of the team is each individual member. And the strength of each member is the team.”

We need to figure out how to combine our strengths. And that will take time and a lot of active listening. But I’m in this for the long haul—I have a 10-year term. The FBI is in this for the long haul. We really are on your side. And we will do everything we can to keep your data, your innovation, and your intellectual property—not to mention your friends and families—safe and secure.

I look forward to working with you down the road. Thank you for having me here today.

No comments: