The Cyber Threat: Who's Doing What to Whom?
  • Steven R. Chabinsky
  • Deputy Assistant Director, Cyber Division
  • Federal Bureau of Investigation
  • GovSec/FOSE Conference
  • Washington, D.C.
  • March 23, 2010

*Remarks as prepared for delivery

Thank you for the kind introduction, and my thanks to each of you for joining us today. I have less than an hour to talk with you about the cyber threat, why it’s important, and how you can help your organizations—and in doing so, help our country—rise to this enormous challenge.

Some of you no doubt are on the front lines of the cyber security problem and are quite familiar with it, while others of you may only have passing familiarity with this growing problem. I will try to strike a balance in my remarks today, in the hopes that everyone will find some relevance in joining this session.

First, let me share with you the importance of the cyber security problem from the lens of the FBI. As you know, the FBI is a law enforcement agency that investigates hundreds of federal crimes as well as a domestic national security agency that combats terrorism, espionage, treason, and sabotage.

Our fight against terrorism remains our number one priority. And you would expect no less. Second in strategic priority is our investigation of foreign countries that seek every day to steal our state secrets and private sector intellectual property, sometimes for the purpose of undermining the stability of our government by weakening our economic or military supremacy.

I will tell you upfront that terrorists and foreign countries are both using cyber means to exploit our weaknesses. However, a discussion of the full extent of those problems will need to be reserved for another talk in another forum. Today I want to focus on cyber crime. Amongst all of the crimes our country faces, the FBI considers high-tech crimes to be the most significant. As a result, the FBI’s top three priorities are the previously mentioned counterterrorism and counterintelligence, followed immediately by cyber.

Why cyber? The answer is simple. The cyber threat, exploiting our nation’s enormous cyber vulnerability, holds the potential of being a game changer. Despite all of the advantages of computers and the Internet, if we fail to act, the cyber threat can be an existential threat—meaning it can challenge our country’s very existence or significantly alter our nation's potential. How we rise to the cyber security challenge will determine whether our nation's best days are ahead of us or behind us.

We as a nation are so vulnerable to this threat that, based upon my firsthand knowledge in this area, I am convinced that given enough time, motivation, and funding, a determined adversary will always be able to penetrate a targeted system.

For those of you who aren’t involved in IT security, it may be hard to understand why it is so difficult to secure an organization’s computer system. Well, let me give you just a taste of what needs to be secured. On the technical side—the web servers, e-mail servers, databases, firewalls, routers, embedded network devices, internal networks, remote access, custom applications, off-the-shelf applications, backup and storage areas, and all telephone, PBX, and VoIP systems.

On the human side, you need to secure your physical infrastructure, employee accesses and permissions, and connections to business and corporate partners. These are just the basics on the way to a secure network, all of which need to be monitored and updated regularly, as the technologies change constantly and so do our users.

To the general public, crimes against networks may not seem real—since theft against our networks routinely occurs while the front doors to our businesses and agencies remain well-guarded, the file cabinets remain locked, and the motion detectors remain undisturbed when we leave for the night—nothing appears to have been touched, no less stolen wholesale.

And, the criminals themselves don’t seem to have faces or names (other than their online nicknames or spoofed e-mail names). The general public therefore may view cyber crime as wholly different and less severe than those of the “real” criminals. That impression, however, could not be further from the truth and could lead us into complacency.

Cyber crime is having enormous real consequences, which hold the potential to cripple businesses and services.

As for the criminals themselves, they obviously are real people who live in our world. They are diverse in their talents and motivations, and could include your neighbors. They usually behave just like other “real world” criminals, using their illicit profits to buy fast cars and take expensive vacations. Although their crimes might be committed in the virtual world, their profits come in real world currency and their victims suffer real world harm.

As with other illicit activities that have become more organized and professional, like human trafficking and weapons dealing, serious cyber crime is becoming dominated by criminals who view themselves as businessmen…and cyber crime is their business. To these criminals, dealing with law enforcement is a business risk, to be dealt with as effectively as possible through denial, deception, operational security, and violence, just like any other criminal operation.

Indeed, because of the money involved, cyber crime is becoming popular with violent organized crime groups. As a result, we're seeing that a significant number of our subjects have violent criminal histories and, in today's cyber crime environment, the FBI is actually using SWAT teams to make some of the arrests. During the course of one recent cyber investigation, a hacker was reportedly kidnapped by another cyber criminal, beaten, stripped down, and photographed holding a sign describing him as a rat and a pig for leaking information to the media and investigators.

Still, most hackers are not hardened convicts who live in worlds where prison time is considered a badge of honor or rite of passage. Rather, they are white collar criminals who tend to think they can outsmart law enforcement and believe that they will never have to do jail time. Increasingly, they are wrong.

In this regard, I'm reminded of a case from two or three years back. A group of FBI agents arrived outside a house to arrest a well-known cyber criminal whose crimes had led to the theft of millions of dollars. As the front line agents breached the door, an agent waiting outside heard the scream of a young child, most likely a girl. When it came time for the agent to enter, he immediately looked around the room in order to protect the girl from the rush of armed agents…and then he realized that the high-pitched scream had come from the legendary hacker.

Today, I would like to describe how cyber criminals of all kinds have evolved their practices to make their crimes more profitable—how they choose specialties, master their skills, create networks of colleagues, and organize their crimes. And then I would like to discuss how the FBI, with the help of our partners domestically and abroad, is meeting the criminal evolution head on. Cyber crime might be committed in the virtual world, but it is prevented, investigated, prosecuted, and punished every day in the world in which you and I live.

Cyber crime, like most crimes, began as a singular operation. One person would conceive of and commit the crime from start to finish, relying on his own skills and tools, fronting all the expenses with his own resources and keeping all the profits for himself. Such self-reliance is very rare in the cyber world of today. Almost every cyber criminal is a member of at least one online forum, website, or chat service. Some of these are completely public, while others have more requirements for entry, such as vetting by current members or through tests of skill. Most of these sites have discussion areas for trading tips and techniques, market areas for buying and selling tools and goods, and means to report and evaluate fellow users, just like the rating system on eBay.

Not long ago, there was an online carding forum named Darkmarket. It had members worldwide who were involved in buying and selling stolen financial information, such as credit card data, login credentials, and equipment to carry out financial crimes. Darkmarket doesn't exist anymore. Why? Because the FBI infiltrated it and brought it down. Through a two-year undercover operation led by an individual known to most users only as “Master Splyntr,” we penetrated the highest levels of this group and identified and located its leading members, which led to over 60 arrests worldwide and the prevention of tens if not hundreds of millions of dollars in economic loss. To the shock of criminals worldwide, Master Splyntr—who was on the site nearly every day, participating anywhere from one hour to 15 hours a day—was a very dedicated and talented FBI special agent, of which we are proud and fortunate to have many. Still, it's a lot of work to take down a single forum, but it shows we can succeed if we have the right people in place and the resources to apply.

In other words, having hired and trained special agents who can talk the talk, and given the resources to spend enough hours online for an extended period of time, we have found that almost any cyber criminal enterprise will begin to trust us, despite having never met us face-to-face. We also learned that the communication methods used by these criminals are, to them, a social outlet as well. Just as often as they are speaking about malware, crimes, and goods for sale, they are talking about their families, their girlfriends, their vacations, and their cars. After a time, members of these forums become friends. That is where the intrinsic trust stems from. When somebody first enters as a new member, they’re considered a potential cop; a month later, they’re less of a cop; six months later, they’re a friend; a year later, they are trusted implicitly—to the extent that when an outsider anonymously told a Darkmarket participant that Master Splyntr was actually the FBI (which, as you now know, was true) all Master Splyntr had to do was deny the accusation and he was believed because he was an insider, whereas the informer was an outsider.

The Darkmarket case also provides us with insight into cyber crime tradecraft. Cyber criminals deploy countermeasures that can cost them a lot of time and effort, in hopes of evading our lawful investigative techniques. Consider the fact that cyber criminals routinely change their nicknames, e-mails, digital currency accounts, and the ICQ numbers they use in forums. Not only do they change these accounts and identifying numbers, but they also use different combinations of the information in each forum they participate in.

Besides being a defense against identification by law enforcement, this also acts as a counterintelligence method for the criminals. Depending on the e-mail or ICQ number we contact them at, and the nickname we associate them with, they can discern which forum we know them from, and therefore what information we should know about them—such as what they buy and sell, or what services they offer. If we seem to know more about them than we should, our chances of success fall off sharply.

In addition, in today’s world of professional cyber criminals, many of the most well-known bad guys are going deeper underground, moving away from using public forums as a place to do business. Yes, they will always turn to forums as a means of making new contacts, to sell and buy some items, and to keep up-to-date with techniques. However, it is becoming more common for cyber criminals to organize their unlawful activities using encrypted, private chat services. These are generally invitation-only and new additions must be recommended and vouched for by existing members. Those involved in these private channels are steadily becoming career criminals, just like those in the mafia or any other gang. They make so much money and have so many connections that they no longer need a legitimate day job.

With the professionalization of their crimes, cyber criminals are becoming smarter about the ways they communicate, organize, scheme, and network. In many of the most recent cases, these criminals work like “corporations” with extraordinary logistics. They typically consist of a small group of trusted “associates” who respect the skill sets each has to offer and work together to complete their crimes as efficiently as possible.

Also participating in the scheme are a variety of “contractors” who don’t always know the full picture of the criminal enterprise, but contribute bits and pieces, such as money mules, drop accounts, a piece of malware, or server maintenance. When no current “associate” or “contractor” has the requisite skills, someone in the group will suggest an outsider who has the required resource or ability, and the leader or another member will reach out to them for that specific need. For operational security reasons, outsiders likely won’t be invited into the private chat channels.

Both in the general population and in the elite class of professionals, most cyber criminals have selected specialties within the cyber crime model. By specializing, they can develop a good reputation in their area of expertise, establish steady client relationships and regular customers, and make more money by being the best and most reliable in a single aspect of the cyber crime model rather than join a single criminal enterprise.

And so, just like we have doctors who are specialists instead of general practitioners, we have cybercriminals who are specialists instead of general practitioners.

Here are the 10 specializations we see in a typical cyber crime.

First, we have the coders or programmers, who write the malware, exploits, and other tools necessary to commit the crime. Contrary to popular belief, coders are not protected by the First Amendment when they knowingly take part in a criminal enterprise—and they go to jail just like the rest of the enterprise.

Second, we have the distributors or vendors, who trade and sell stolen data, and act as vouchers of the goods provided by the other specialties.

Third, we have the techies, who maintain the criminal infrastructure, including servers, bulletproof ISPs, and encryption; and who often have knowledge of common database languages and SQL servers of course.

Coming in fourth on my list, there are the hackers, who search for and exploit application, system, and network vulnerabilities to gain administrator or payroll access.

Fifth, there are the fraudsters, who create and deploy social engineering schemes, including phishing, spamming, and domain squatting.

Meanwhile, and sixth for those keeping track, there are hosters, who provide “safe” hosting of illicit content servers and sites, often through elaborate botnet and proxy networks.

Seventh, we also have the cashers, who control drop accounts and provide those names and accounts to other criminals for a fee, and who also typically control full rings of our eighth category, money mules.

Ninth, we have the tellers, who help with transferring and laundering illicit proceeds through digital currency services and between different world currencies.

Finally, logging in at number 10 on the specialty list, there are leaders—many of whom don’t have any technical skills at all. They’re the “people-people.” They choose the targets; choose the people they want to work each role; decide who does what, when, and where; and take care of personnel and payment issues.

This specialization has been extremely beneficial to cyber criminals. Rather than having hundreds of people who dabble in all aspects of cyber crime, the cyber underground now consists of subject matter experts that can focus all their time and energy on improving their techniques, their goods, and their services.

For example, coders can focus on staying up-to-date on advancements in software, hardware, and applications so that their malware can target unknown and unpatched vulnerabilities. Many coders have moved away from even attempting to write malware that exploits operating systems or the firewalls and infrastructure we've been troubleshooting and hardening for years. Instead, they are writing exploits that target the plug-ins and applications on your computer, such as Adobe PDF and Flash and the Microsoft Office Suite, just to name a few.

Much of the newest malware is being deployed through social engineering schemes or through third-party applications on social networking sites, like Facebook (but by no means limited to them), often in the form of suggested plug-ins, games, and new friend requests.

Coders are also spending time creating customizable malware kits. These kits have multiple exploits that attempt to target a system one-at-a-time. If an exploit doesn’t work, the next is tried. As soon as one does work, the designated executable is downloaded and run on the system. These kits appeal to those in the cyber world who can’t write their own malware, or who don’t have the time or patience to test individual exploits manually. An additional benefit to the criminal is that these kits are easily updated, so once bought by a cyber gang, they can simply update the kit to attempt exploits against certain types of target systems and download specific malware with the capabilities they want for a specific crime.

Another example of how specialization is benefiting the criminals is in the work of fraudsters. These criminals, especially those who can properly write and speak English, can cheat people out of a lot of money by creating and deploying social engineering schemes for themselves or for other criminals who need a convincing malware infection vector. With specialization, fraudsters no longer have to mass-deploy their schemes, but can instead focus on spear phishing specific high-level targets with administrator level or payroll system access. They will often use research or multiple step compromises to ensure that the receiver will believe the e-mail is legitimate.

Don't be surprised if a criminal compromises your or one of your colleague's personal social networking accounts to retrieve the e-mail addresses of some of your friends, and then uses that information to spoof an e-mail to you or your colleague at work. Other criminals use publicly available information from a company’s website to target employees up to the CEO, whose titles, e-mail addresses, and major areas of interest are typically available on the website.

Fraudsters are also increasingly engaging in telecommunications fraud like “smishing” (phishing via text message), and hacking VoIP systems to make phone fraud seem more legitimate. Although social engineering schemes have been around for a long time, they continue to be very successful in compromising victim accounts.

Let me next turn to the mules. Unfortunately, despite the many warnings that law enforcement has put in the media about work-at-home and money remitter scams, many money mules are located in the U.S. We are making much more effort to identify the mules that are regularly used by cyber criminals, investigate them to work our way up the criminal food chain, and prosecute. As we see it, there are three categories of money mules.

“One and done mules” are those people who get tricked by social engineering schemes to send money. Oftentimes, after sending the money, they realize their error and self-report to law enforcement. When this happens, we consider lower prosecuting options if the subject provides information to identify the schemers and realizes the error of their ways.

As one agent said of investigations of such money mules in the U.S.—you can get 10 years behind bars, or you can come work for Team America. Most are happy to help us find the bad guys.

The next level of mules are the “career money mules,” who make a living, or at least a substantial amount of fun money, by completing money transfers or wire transfers between bank accounts. There are generally multiple suspicious activity reports (SARs) against these individuals and there is no way they are unaware that their activities are part of a larger illicit scheme.

Through a number of investigative techniques that I will not disclose here, we can gain significant insight into their criminal enterprises.

“Premier mules” are the top of the money mule world. These individuals are actually sent to the U.S., often on work or student visas, with the purpose of moving money for criminals. They have specific instructions on where to open bank accounts, what names and addresses to use, and when and where to send money.

More than that, these mules and their handlers have done their homework—they know how banks attempt to flag fraud, attempt to word their wires to go unnoticed, and often purchase cell phones in the area codes of the victimized accounts so that their location when verifying transfers via phone seems legitimate.

These individuals sometimes set up money mule “franchises,” in which, instead of being a mule themselves, they find others to be the mules, and they take and give the instructions while keeping a percentage of the money for themselves. Sometimes these franchisers are the criminals posting work-at-home scams on employment websites, rather than the criminals actually in need of the mules. Many premier money mules are now focused on making direct wire transfers from U.S. accounts to accounts in foreign countries, which allows for much higher amounts of money to be transmitted without interference.

When the bad guys put this all together, it could look pretty impressive. But, we still catch them. Take the case of a recent global ATM fraud scheme. The criminal enterprise used hackers to break through an encrypted system and steal account numbers and PIN codes, they produced more than 400 fake ATM cards, they recruited hundreds of mules spread out in 280 cities around the world and—in less than 24 hours—they made over 14,000 ATM transactions totaling nearly $10 million. The victim company came forward quickly, and our international partnerships worked just as planned. Today, the top three hackers, among others, are in custody.

Let's move next to discuss how cyber criminals have evolved in the area of anonymization.

For years, criminals have used various tools for anonymizing their computer traffic and concealing or making it difficult for others to trace back fraudulent activity. Unfortunately, criminals are making great strides in specializing in this activity. A number of botnets, like Haxtor, are specifically leased out to criminals for proxying their malicious activities. Rather than typical random proxying services, criminals can choose which nodes of the botnet they would like to use based on up-time, connection speed, and other factors.

The FBI recently investigated a cyber criminal group that set up its own infrastructure complete with fully-encrypted servers running on so-called “bulletproof” networks. Bulletproof networks are, for lack of a better way to put it, networks that by design are not law enforcement friendly. In fact, their business model is actually to advertise that they will not shut down websites no matter how many complaints they receive of unlawful conduct.

This group—and there are more just like them—had the cell-like structure of roles and responsibilities I described earlier, with some members being responsible exclusively for maintaining the infrastructure, transferring data between servers, maintaining server uptime, rotating the upstream providers being used, and ensuring that no one was there that shouldn’t be. To gain access to the servers, new members had to have their identities and reputations vouched for by current members, and anyone who spoke English (at least to the group's knowledge) was not given access. The group operated worldwide around the clock, as do many others, without holidays, weekends, or vacations. Indeed, there is never a time of the day that someone of every role—coder, hacker, casher, botherder—isn’t on the server chatting about their activities and available to help someone else.

As a result, when an opportunity presents itself, these criminals can start planning within hours. In a particular instance, one hacker of the group found a vulnerability in the server of a company; another member was able to customize malware to exploit the vulnerability; and simultaneously, the group organized money mules to cash out the stolen funds—all leading to a successful criminal operation carried out in under 100 hours.

Despite everything I've told you, a lot of business owners and individuals I speak with often feel secure against cyber crime because they don’t view themselves as likely targets. They ask me, "Why would anybody want to break into my computer?" The answer lies in the fact that you can be a target of opportunity. Unlike with traditional organized criminal groups, cyber crime groups don’t necessarily form with a particular target in mind.

Instead, a good number of the lower echelon members are hackers who spend their time testing exploits against every company, bank, or website they think they can find a hole in. When one of these exploits works, they will dig around a bit to see what they can gain access to. If they think it is something the group leaders would be interested in looking into further, they report it up the chain. As a result, they typically get a flat “finder’s fee,” or a percentage of whatever profits are eventually reaped from that company. Then they move on to look for more vulnerable businesses.

I recall getting initiated to the world of hackers about 12 years ago. We were working on a case in which the hacker found a vulnerability, broke into the computer, and then patched the system. Was this a “good hacker?” I wondered, spending his days going around, finding unpatched systems and fixing them for free? The answer was no. In fact, I came to learn that it’s quite common for hackers to patch vulnerable systems. Why? Once they’ve figured out how to break into your system, they use their access to set up what appear to be legitimate user accounts and passwords. Then, they no longer need to break in. But why patch the system? So that they can retain exclusive control of your network. Simply put, they don’t want another hacker to get in. And, by this point of the story, if you were to scan your system, you would never believe you were hacked. You have no malware for your anti-virus software to find and your computer is up to date with the latest security fixes. It’s all very stealthy, and very effective.

Not surprisingly, criminal organizations also monitor software manufacturer security bulletins that discuss flaws in their products. As soon as the latest reports are published, criminals immediately reach into their pool of contacts to find someone to write an exploit to target the vulnerability before everyone patches it. Criminals also conduct research about the networks they break into. When they exploit a vulnerable computer, in addition to stealing credentials, money, or corporate secrets, they typically scavenge for manuals and handbooks that explain how the organization’s computer systems work. They pay attention to company staffing—specifically, when IT security teams are least staffed, such as at night, on weekends, or on federal holidays—and they schedule their crimes to happen at these times when they’re more likely to go unnoticed. Finally, they listen to the news. They read what is publicized about ongoing law enforcement investigations. They like to figure out what investigators do and do not know, who of their colleagues were caught, and how they got caught—all of which could lead a criminal to believe they've identified an undercover operation and—in one case you now know about—our undercover agent having to deny it.

With specialization allowing cyber criminals of all skill levels to improve their abilities, organized crime is now reaping such significant profits that criminals are investing more in their work. Some of the most notable examples of front-end funding are in intellectual property rights (IPR) crime. Take, for example, the father and son who recently pled guilty to selling counterfeit software that was worth over $1 million. They sold the software with websites that they maintained, and actually purchased advertising for the websites from major Internet search engines in order to sell the counterfeit software.

Prior to that, in a joint FBI-Chinese Ministry of Public Security investigation, a Chinese court convicted 11 individuals for producing and distributing pirated Microsoft products. The group operated similarly to a multinational corporation and produced high quality products by using industrial equipment that cost millions of dollars. Microsoft estimated the sales of the pirated software to be over $2 billion.

In addition, as cyber criminals develop their skills, they can charge more for their goods and services. Take the Zeus crimeware kit as an example.

Recently, the writers of Zeus added an anti-piracy component that aims to prevent fellow criminals from hacking the malware’s code to replicate it for free. The software generates a hardware ID based on the criminal customer’s PC hardware and operating system's version number that is then forwarded to the seller of the program, who in turn gives the product activation code necessary to begin using the toolkit. Even a small modification in PC hardware would prevent the malware from running, so it can only be run from the customer’s computer. The basic configuration of Zeus sells for between $3,000 and $4,000 in the underground market, with more advanced versions selling for as much as $10,000.

Unfortunately, with more money to invest in their crimes, cyber criminals can afford sophisticated attacks with more operational security, which leads to higher profits with less chance of getting caught.

Cyber criminals have developed a business cycle—they invest money, get back even more money, learn their lessons, tweak their schemes, and then reinvest their profits into bigger and more profitable crime. Which leads me to one of the most concerning aspects about today’s cyber crimes. It isn’t just that cyber criminals steal money, it’s the amount they steal. When bandits rob a bank or store, they can only steal what is on the premises; but, if the same criminals gain access to a company’s internal network, change account limits, and alter logs, they can steal money that doesn’t exist. Imagine waking up one day to discover that $2 million had been stolen, transferred, and withdrawn from an account that only had $1,000. After all, as somebody I worked with once noted, not only is there no gold backing all of our dollars, there are no actual printed dollars behind all of our dollars. Ultimately, our financial transactions rely upon the integrity of accounting entries.

Making matters worse, the cyber threat is not merely about data. We also are constantly vigilant about protecting those networked systems and services that allow for remote control over critical aspects of our infrastructure, to include among others our electric power and water treatment facilities.

By this point, I think we can all agree that cyber security is a serious problem.

Yet, it's equally clear that the rapid and constant advances in cyber criminal techniques and tradecraft make global investigations and criminal deterrence a challenge, to put it mildly. The perpetrators can be anyplace in the world. As are the victims. And, for that matter, the evidence.

To meet this challenge, the FBI has formed cyber squads in each of its 56 field offices with over 1,000 advanced cyber-trained FBI special agents, intelligence analysts, and forensic examiners ready to combat the rising cyber crime threat. In addition, thousands of FBI agents have gone through and continue to go through basic cyber training, which is now required of every FBI special agent before they can even graduate from Quantico.

Still, the cyber threat cannot be subdued by any one agency.

Piecing together a case requires close collaboration with our counterparts, all of whom have unique resources and insight to bring to the table. The FBI has taken great strides to ensure that it has all the connections and relationships necessary to successfully prevent cyber crimes, and to successfully investigate and help prosecute cyber criminals in close coordination and collaboration with our partners. In this regard, the FBI serves by presidential directive as the lead of the National Cyber Investigative Joint Task Force, formed to ensure that all cyber threat investigations leverage and are coordinated amongst the group's 20 federal agency participants.

The progress domestically over the past years has been remarkable. Still, today’s international organized cyber criminal groups can only be confronted by an international organized law enforcement response. In most cases today, cyber crimes cross at least one border—either where the criminal is, where the victim is, or where the evidence is. Actually prosecuting a cyber crime case requires harmonizing different criminal justice systems, all of which work according to the laws of their own lands.

The FBI, with the enormous contributions of the Department of Justice's Computer Crime and Intellectual Property Section, its Office of International Affairs, and Assistant U.S. attorneys throughout the country, has worked tirelessly to create relationships and coordinated investigations with our international partners. As a result, gone are the days that transnational organizations could take safe haven by conducting their crimes from abroad.

Today’s FBI has offices not only within the United States but, by invitation of our foreign partners, we have 60 additional legal attaché offices throughout the world. As a result, over the past year alone, there have been more than 230 international cyber crime arrests thanks to our international partnerships. So important is this aspect of our strategy that we have FBI special agents embedded in several police agencies in Eastern Europe, working side by side with our foreign partners to assist full-time on cyber investigations. And, we are opening up new cyber crime fighting relationships elsewhere.

Consider Operation Phish Phry, in which we identified 101 subjects who had used a network of compromised computers to conduct fraudulent bank transfers that victimized approximately 5,000 U.S. citizens.

Close cooperation with our Egyptian counterparts led to the identification and arrest of 78 subjects in Los Angeles, Charlotte, San Francisco, San Diego, Las Vegas and, significantly, Cairo—with simultaneous, well-choreographed raids conducted across each of these time zones just a few months ago.

The FBI also has established or participates in several information sharing platforms that include state and local law enforcement, private industry, security researchers, and academia. The National Cyber Forensics and Training Alliance, located in Pittsburgh, is a prime example of a functioning platform for non-attributable real time collaboration on current and emerging cyber threats between law enforcement, researchers, and private industry. The National Intellectual Property Rights Center coordinates domestic and international law enforcement efforts against IPR violations. And on the consumer end, we have joined forces with the National White Collar Crime Center to form the Internet Crime Complaint Center (IC3), which maintains the leading cyber crime incident reporting portal. Other organizations the FBI works closely with in combating cyber crime are the Department of Homeland Security’s U.S.-Cyber Emergency Readiness Team (US-CERT), the Financial Crimes Enforcement Network (FinCen), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the International Organized Crime Intelligence and Operations Center (IOC2), as well as state and local law enforcement throughout the country.

Which leads me to discuss the public/private partnership in which I have had the longest affiliation—InfraGard. InfraGard is the premier example of the success of public private partnerships. Starting out with one great idea at one FBI field office and expanding over the past 14 years, the organization has grown to over 36,000 members in 85 members alliances spread throughout the United States—all of which incidentally are volunteers who choose to go the extra mile in protecting our country. The peer-to-peer exchange of knowledge and experience and resources is invaluable and contributes to the fabric of an integrated and coordinated homeland security strategy. One of the key metrics of InfraGard's success is and has always been its ability to partner across agencies, sectors, jurisdictions, and organizational cultures in a collaborative way for a common purpose. InfraGard has partnerships with many key organizations, including other nonprofits such as the Information Systems Security Association, and government partners, to include, most prominently, the Department of Homeland Security. In fact, an announcement is expected later today that InfraGard will start providing access to the Department of Homeland Security's Critical Infrastructure Training through its infragardmembers.org website. If you are not a member, you can apply to join through the infragardmembers.org site or infragard.org. InfraGard also will be working with the Office of Bombing Prevention and FEMA on additional training opportunities that fall outside of the cyber security arena but are equally critical to our nation's safety.

Finally, I would like to discuss the need for a public dialogue. I began my remarks by stating that I am convinced that given enough time, motivation, and funding, a determined adversary will always be able to penetrate our computer systems. That, quite frankly, is unacceptable. At risk is nothing less than our economic and national security.

Please take the time to determine and question the risk postures of your organizations and agencies. Determine whether your hardware can be trusted, whether your software can be trusted, and whether your data can be trusted. Determine whether your systems and services are subject to being manipulated at a time and place of a distant criminal's choosing.

Ask the companies that are providing you with cyber security services and solutions whether they guarantee your systems against computer intrusion and malware infection. If they don't, ask them why in order to find out your continuing security exposure. If the answers to any or all of these questions lead you to believe that the cyber risks are too great for your business, your agency, and our country, talk about it, get involved in groups like InfraGard, and demand we improve it for our most critical data and infrastructure systems—whether through improved security, improved hardware and software assurance, or more easily attained attribution.

Report intrusions to law enforcement, not only to protect your property, but as a civic responsibility to help us protect the rights and property of others. The FBI cannot be successful without victims coming forward and providing their assistance.

So, in closing, it is fair to say that cyber security is our shared challenge. You and I know that this country has never backed away from hard problems. Similarly, we have always embraced new technologies. Working together, we can continue to benefit from the high-tech revolution while conquering the problems I discussed.

I appreciate your time here today, and I commend each and every one of you for your commitment to our government's security. Enjoy the rest of this excellent conference, and thank you very much.

 