CHESTNUT HILL, Mass. — FBI Director James Comey has tough words for private sector firms that won’t engage with federal law enforcement authorities on cybersecurity, an area where the bureau has been dramatically expanding its investigation and prosecution efforts.
In a keynote address at a cybersecurity conference at Boston College, Comey lamented that most incidents of intrusion and attacks against U.S. businesses go unreported. But when a victim does report a breach to the FBI, such as the damaging attack against Sony in 2014 that was attributed to North Korea, agents will have a much easier time investigating and helping businesses mitigate the damage if they are already somewhat familiar with the target’s systems.
“Sony had taken the time to get to know us,” Comey said, describing a rapid response to that incident where agents with a baseline familiarity with Sony’s systems could hit the ground running.
“If you are the chief information security officer [CISO] of a private enterprise, and you don’t know someone at every single FBI office where you have a significant facility, you’re not doing your job. Know that you’re pushing on an open door,” Comey said. “We’re not looking to know your private information, but we need to know you in a way so we can help you in a difficult circumstance.”
Comey described a multi-pronged initiative underway at the FBI to crack down on cybercrimes that involves recruiting and hiring more cyber experts, improving engagement with outside partners — including the private sector — and rethinking the bureau’s traditional approach to working cases. The bureau is also working to bolster deterrence, both by hardening systems that might be targeted and by winning convictions in more criminal cases.
Comey also indicated that he intends to serve out the remaining 6 1/2 years of his term, despite speculation that he might step down amid tensions with the White House.
He did not address his reported request for the Justice Department to issue a statement refuting President Trump’s assertion that his campaign had been wiretapped by former President Obama, nor the unfolding probe into Russian hacking of political targets during the election. Comey participated in a brief question-and-answer session with audience members following his keynote address, but did not take questions from reporters.
A spectrum of threats, an ‘evil layer cake’
He did offer that nation-states comprise the most dangerous enemies in the “stack” of cyber adversaries, followed by multi-national hacking syndicates, insider threats, hacktivists and terrorists, the least menacing element of what Comey calls “an evil layer cake.”
“The reason I put them at the bottom of the stack is that terrorists are adept at using the internet to communicate, to recruit, to proselytize, but they have not yet turned to using the internet as a tool of destruction in the way that logic tells us certainly will come in the future,” Comey said.
Regardless of what type of actor initiates the attack, the FBI is looking at cyber events in a fundamentally different way than conventional crimes that have a clear physical location. If a pedophile is under investigation for crimes in San Francisco, say, the San Francisco field office of the FBI would handle the case. Not so with cyber. Comey said that the bureau is assigning those cases, where the perpetrators could be up the street or halfway around the world, to the field offices that best demonstrate “the chops” to handle specific cyber investigations. So even if a bank in New York was the victim of a cyberattack, the field office in Little Rock, Ark., potentially could take the lead on the case, with support from other offices that might need to conduct investigative work on the physical premises.
“Whichever field office has demonstrated the best ability on that, we’re going to give it to that field office,” Comey said. “This has a not-unintended consequence of creating competition within the FBI.”
Private sector has edge for hiring top cyber talent, money
In addition to reorienting the bureau’s internal approach, Comey said that the FBI is trying to step up its recruiting efforts to bring in the next wave of cyber experts, though he acknowledged that competing with the private sector for top talent is a perennial challenge.
“Here’s the challenge we face: we cannot compete with you on dough,” Comey said. “The pitch we make to people is come be part of this mission. Come be part of something that is really hard, that is really stressful, that does not pay a lot of money, that does not offer you a lot of sleep. How awesome does that sound? The good news is there’s a whole lot of people — young people — who want to be part of that kind of mission, who want to be part of doing good for a living.”
But the difficulties in winning over converts to the bureau’s mission are also tied up in a deeper problem, the same perception of the government as an adversary — or at least something to be avoided — that has clouded relations with some in the private sector.
Comey wants to dispel the notion of the FBI as “the man,” in the Big Brother sense.
“We have to get better at working with the private sector,” he said, decrying firms that, when hit by a ransomware attack, opt to pay the ransom and enlist a security consultant to help clean up the mess without alerting law-enforcement authorities.
“That is a terrible place to be,” he said. “It is a great thing to hire the excellent private-sector companies that are available to do attribution and remediation, but if the information is not shared with us, we will all be sorry. Because you’re kidding yourself if you think I’ll just remediate this thing and it will go away, because it will never go away.”
Paying ransoms, he argues, only emboldens the criminals, and keeping details of the breach in-house hinders law-enforcement authorities from tracking down the perpetrators.
Plea to tech companies to resist outfitting products with unbreakable, default encryption
Comey put in another plug for tech companies to resist the impulse to outfit their products with unbreakable, default encryption, recalling the highly publicized showdown between the FBI and Apple. At the same time, he called on all parties in the debate to resist the urge to resort to “bumper-stickering” the other side, and he rejected the suggestion of an inherent tradeoff between privacy and security as a false choice.
“It is short-sighted to conclude that our interests are not aligned in this,” he said. “We all value privacy. We all value security. We should never have to sacrifice one for the other.”