The new FBI director today told the audience at the RSA Conference in San Francisco that cybersecurity is now at the top of a list of domestic security concerns, eclipsing both terrorism and weapons of mass destruction. Comey said the FBI has been working to train local law enforcement partners to respond to cyber-related issues, as well as with the NSA, CIA, and Secret Service, to share information and eliminate turf battles in combating cybercrime.
Comey recalled that the outgoing FBI director, Robert Mueller, told him the next 10 years of his tenure would be dominated by cybersecurity, much like Mueller’s was driven by counterterrorism. “I know that this is now true less than five months on the job,” Comey admitted.
An assortment of malicious actors – including hackers, organized crime syndicates, and foreign espionage agents – are looking to steal state secrets and private sector intellectual property, Comey noted. “We have been doing a lot, but it is not enough”, he lamented. “We need your help. We cannot do what we need to do without our private sector partners. You are the victims of these cyber threats, and you are also the key to the solution.”
Comey acknowledged that many in industry are reluctant to share information, primarily because it can affect the public’s perception – the trust factor – when cooperating with government, or allow competitors access to proprietary information. “You have an iron-clad, non-transferable responsibility to your shareholders, customers and investors, and then the government knocks on the door telling you what they need, and you get very little in return. I get it,” he said, highlighting the scepticism of private sector. “I believe everyone in this country should be suspicious about government power…our country was founded on this scepticism, and that’s why our government was split into three branches” to provide these checks and balances.
“I am someone who is not a scaremonger, but I am in a serious business”, Comey commented, adding that private firms must share more information with law enforcement, and vice versa, if each hopes to develop a comprehensive picture of the cybersecurity landscape. The FBI director also admitted that law enforcement needs to be clearer about the type of information it is looking for when reaching out to the private sector in the aftermath of a cyber-attack.
“We have to find a way to share this information more quickly and routinely. We have to cultivate personal relationships.” Comey said it was his expectation that every FBI field agent would be on a first name basis with key members of industry in their field of responsibility.
Then the FBI director pivoted from assessment to prevention. “Human speed will not cut it anymore. Threats are too fast and too vast”, he said, asking the audience to contemplate a scenario where malware could be stopped in transit over information systems. “It’s no longer good enough to identify malware after it has attacked your systems. We need an automated intrusion system, and a standard language and data format that communicates in real time.”
Cognizant of the privacy concerns among many in the private sector – and the general public – Comey attempted to dispel the myth that privacy and security are incompatible. “Some folks suggest that there is an inherent conflict among national security and protecting privacy and civil liberties. I think this is wrong. That assumes it’s a zero-sum game. I believe there are ways in which security promotes liberties. [The FBI] does not see it as a zero-sum conflict.”
“We simply must work together, and play to the best of our abilities”, Comey reiterated to the audience of security professionals, many of who work for the security product vendors. “You have the expertise, cybersecurity capabilities and the ability to innovate. We have law enforcement capabilities and a global presence. We will not always see eye to eye…but we must work together to combat the cyber-threat problem.”