- Robert S. Mueller, III
- Federal Bureau of Investigation
- Commonwealth Club of California
- San Francisco, California
- October 07, 2009
Thank you and good afternoon. I am happy to be back in San Francisco, and back at the Commonwealth Club.
Today, I want to talk about cyber threats. So it seems fitting that my remarks are being broadcast on the Club’s national radio program, airing on XM Radio and iTunes, and streaming live to Club members. This is going on all around us, but if Skip hadn’t mentioned it, we would be none the wiser. Our lives are impacted by the Internet all the time, whether we can see it or not.
The Internet has thrown wide the windows of the world, allowing us to learn and communicate and conduct business in ways that were unimaginable 20 years ago. This is the upside of globalization, as author Tom Friedman has noted in best-sellers such as “The World is Flat.” But the downside of our increasingly flat world is that the Internet is not just a conduit for commerce, but also a conduit for crime.
The Internet has created virtual doors into our lives, our finances, our businesses, and our national security. Criminals, spies, and terrorists are testing our doorknobs every day, looking for a way in.
Cyber crime is a nebulous concept. It is difficult to grasp intangible threats, and easy to dismiss them as unlikely to happen to you. So far, too little attention has been paid to cyber threats—and their consequences.
But what if I told you that as you sit here today, strangers were walking through your offices, homes, and dorm rooms? What if they were opening your drawers, reading your files, accessing your financial information, or stealing your company’s research and development?
Well, that is happening, right now, in homes and offices and schools around the world. Intruders are reaching into our networks every day, looking for valuable information. And unfortunately, they are finding it, because many of us are unaware of the threat these persons pose to our privacy, our economic stability, and even our national security.
Most of us assume we will not be targets of cyber crime. We are not as careful as we know we should be. Let me give you an example.
Not long ago, the head one of our nation’s domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.
It turned out that he was just a few clicks away from falling into a classic Internet “phishing” scam—“phishing” with a “P-H.” This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.
He definitely should have known better. I can say this with certainty, because it was me.
After changing all our passwords, I tried to pass the incident off to my wife as a “teachable moment.” To which she replied: “It is not my teachable moment. However, it is our money. No more Internet banking for you!”
So with that as a backdrop, today I want to talk about the nature of cyber threats, the FBI’s role in combating them, and finally, how we can help each other to keep them at bay.
* * *
Let me start by giving you two examples of what the FBI investigates on a daily basis.
In July 2008, a California oil and gas company called Pacific Energy Resources contacted the FBI and the Long Beach Police to report a computer attack. Six computer servers had been rendered inoperable, disabling the critical leak-detection systems on three off-shore oil platforms. This was the last in a series of network attacks, which cost the company over $100,000 in losses.
The investigation led us to a former IT contractor. After he had been let go, he retaliated by remotely accessing the system. His actions could potentially have resulted in significant environmental damage. He pled guilty last month to a federal computer intrusion charge, and faces up to 10 years in prison.
And this past April, someone hacked into the database of the Virginia Department of Health Professionals. The intruder blocked over 8 million patient records—records that hospitals, doctors, and pharmacies depend on in order to accurately prescribe and dispense medication. Those records are no longer blocked, and our investigation continues.
As you can see, cyber cases can have costly—and potentially deadly—consequences.
Again, most of us assume our systems have nothing that would interest a hacker or spy. But we never know exactly what information might have value to a criminal. Information is power, period.
Whenever an intruder opens a door to our networks, there is a clear risk to individual privacy and intellectual property—not to mention economic and national security.
My eyes were first opened to these risks back in the early 1990s, when I read a book called “The Cuckoo’s Egg.” It chronicles the electronic adventure of Cliff Stoll, then a systems manager at a Berkeley laboratory. In the mid-1980s, he noticed an accounting disparity of 75 cents. This was before the Internet as we know it existed. Cyber threats were just beginning to appear on our radars.
He tracked it to an unauthorized user who had repeatedly broken into the system and then used the lab’s computers to tap into military networks. He eventually traced the attacks to a German hacker who was part of an espionage ring.
The book was prescient. Twenty years later, the whole world is online. And because the web offers near-total anonymity, it is that much more difficult to discern the identity, motives, and location of an intruder.
At the start of a cyber investigation, we do not know whether we are dealing with a spy, a company insider, or an organized criminal group. Something that looks like an ordinary phishing scam may be an attempt by a terrorist group to raise funding for an operation. An intrusion into a corporate network could be the work of a high-school hacker across the street, or a hostile foreign power across the ocean.
Cyber threats present a unique challenge to law enforcement because we have a tendency to compartmentalize our investigations. Criminal cases are usually separate from espionage cases, which in turn are separate from counterterrorism cases. But when it comes to cyber threats, there is almost always some overlap.
The FBI is both a law enforcement and national security agency, which means we can and must address every angle of a cyber case. This is critical, because what may start as a criminal investigation may lead to a national security threat.
Take, for example, a next-generation bank robbery that occurred last fall. A group of cyber criminals orchestrated a highly sophisticated attack on a major financial institution. Hackers found their way into the network of this institution, and altered data to allow them to increase the funds available for a number of accounts. They also stole account data and created duplicate ATM cards. Then, one day in early fall, they struck.
Within 24 hours, the thieves targeted more than 2,100 ATMs in 280 cities around the world. They inserted their phony ATM cards, and then walked away with more than $9 million. Arrests have been made internationally, and our investigation continues.
To put it in perspective, imagine for a moment that these groups had simultaneously entered dozens of banks, armed with assault weapons, and emptied the vaults. It would have been one of the most notorious bank heists in history. But instead, the attack was planned and executed under the radar, using computers and fiber-optic cables as weapons. They did it without a shot being fired, and then disappeared back into the ether.
Such techniques make global deterrence a challenge, to put it mildly. The perpetrators can be anyplace in the world. And so can the victims. And, for that matter, the evidence.
At a minimum, piecing together a case requires close collaboration with our counterparts in other countries. But actually prosecuting one requires harmonizing different criminal justice systems, all of which work according to the laws of their own lands.
The global scale and scope of such attacks puts law enforcement at a disadvantage. The investigative challenges may seem insurmountable.
But we do have a significant advantage: partnerships. Partnerships with law enforcement and intelligence communities across the world. Partnerships with universities, corporations, and small businesses. Partnerships with citizens such as yourselves.
* * *
After the September 11th terrorist attacks, the FBI’s mindset and mission changed fundamentally. We could no longer focus our efforts on investigating terrorist attacks after the fact; we had to prevent them from happening in the first place. The only way to do that is to gather and analyze intelligence, and share it with those who need it.
The same mindset is true for our cyber responsibilities. The FBI can bridge both criminal and national security cases. So we are uniquely positioned to facilitate joint investigations that cross both local and international jurisdictions.
Within the government, the FBI has established the National Cyber Investigative Joint Task Force. This task force brings together law enforcement, intelligence, and defense agencies to focus on high-priority cyber threats.
But cyber threats take us well beyond partnerships with government alone. The FBI runs a program called InfraGard, which is one of our most important links to the private sector. We exchange information with partners from a host of industries, from computer software companies to chemical corporations. They are the experts on our critical infrastructure, the majority of which rely on computer networks. We have 32,000 members and counting, and those relationships have helped us to prevent risk from becoming reality.
And our partnerships stretch beyond our borders. For example, a substantial amount of cyber crime originates in Eastern Europe. And so we have embedded FBI agents in several police agencies there, to assist full-time on cyber investigations. Our relationship with the Romanian National Police is an example of the results of such cooperation: In the past year alone, we have dismantled organized criminal groups and arrested over 100 individuals, both here and in Romania.
And just this morning, we announced a major takedown in an international cyber investigation. A group of criminals in the United States and Egypt was engaged in a wide-ranging “phishing” scam. They targeted American financial institutions, and also approximately 5,000 American citizens. The FBI, the Secret Service, and state and local law enforcement cooperated closely with our Egyptian counterparts. As a result, earlier today we arrested over 50 subjects in the United States and Egypt.
This is the first joint cyber effort between the United States and Egypt. It is the largest international “phishing” case ever conducted. And it shows the power of our global partnerships in the face of global cyber criminal networks.
Those are just a small sampling of our many partnerships. Yet we are still outnumbered by cyber criminals. And that is where you come in.
Just as the police cannot come by every home or business, every night, to make sure the doors are locked, we must all take ownership of cyber security.
Cyber crime might not seem real until it hits you. But every personal, academic, corporate, and government network plays a role in national security. And given the extent of the damage cyber attacks can cause, it is important for all of us to protect ourselves, and each other.
If you are a basic user, then make sure to enable basic protections for your network—firewalls, anti-virus software, strong passwords, and security patches. And if you are part of a large corporate or academic network, start thinking of cyber security as a mission-critical component, and not an afterthought.
Investing in cyber security is akin to buying hazard insurance for a house. You invest relatively little to guard against losing everything.
Finally, talk to us. The more information we have, the more effective we can be at preventing you from becoming a victim of cyber crime. Whenever companies or institutions inform us of a potential breach, we have the chance to gather, analyze, and share critical intelligence. You never know when a single scrap of information may lead to the takedown of a global ring of cyber criminals, or even a terrorist cell. Remember the example of Cliff Stoll: a 75-cent billing disparity was no mere accounting error. It was the key to uncovering an international espionage ring.
* * *
For better or worse—and I generally think for better—cyberspace is here to stay. We live in a wireless world, and we have grown accustomed to its convenience.
We are all used navigating with GPS, checking our e-mail at the airport, trading stocks online, and—for most of us, anyway—paying bills online. “Tweeting” or updating your Facebook status from anywhere is no longer a luxury but an expectation.
There is no going back. Technology will continue its march forward, and criminals will take full advantage of it. We in the FBI liken our challenge to a “cyber arms race,” where both sides are competing to stay ahead of the other.
We have to bring the fight to them. We have to work together, as a united front—government, private industry, and the public.
We know the game plan of our adversaries. They will keep twisting doorknobs and picking locks until they find a way in. But we must not let them in. We must change the locks. We must bar the doors. And we must sound the alarms when we notice anything out of the ordinary.
We are all citizens of the Internet, and we must also be its stewards. We all have a responsibility to protect the infrastructure that protects the world. It will not be easy. But together, we are up to the task.
I will leave you with just one more warning. Many of you may be familiar with the Nigerian e-mail scam, which offers the recipient the “opportunity” to make millions—if they could just help the author with a few illegal money transfers.
If you ever receive a similar e-mail purporting to be from me—as has happened in the past—delete it! Especially if it asks you for money. Take it from me—having to memorize all those new passwords is no picnic.