- Robert S. Mueller, III
- Federal Bureau of Investigation
- RSA Cyber Security Conference
- San Francisco, California
- March 04, 2010
Remarks as prepared for delivery.
Good afternoon. I am pleased to be back here in San Francisco.
I recently read a news story about a tailor in Bogotá, Colombia—a tailor who makes bulletproof menswear. He will design the garment to your specifications, and line it with Kevlar sufficient to stop a bullet fired from a .38 caliber pistol at point-blank range.
Some may question whether this is necessary, or extravagant, or perhaps both. But the world has become increasingly dangerous; this man was merely combining the need to stay safe with the desire to look good at the same time.
Of course, my first thought was for the brave but foolish volunteer who wore these clothes during the testing phase. My second thought was that we could use this kind of ingenuity to safeguard our computer systems.
In the early 1990s, we marveled at the potential of the Internet. The risks seemed a world away, and the dangers were largely limited to teenage hackers and identity theft.
Today, the power and pervasiveness of the Internet are evident in the way we communicate, conduct business, and learn. But the risks are no longer a distant possibility. They are right here at our doorstep. And in some cases, they are already inside the house.
Unlike the Colombian tailor, we are not bulletproof, nor can we make ourselves so. But we can work together to line our networks with the equivalent of Kevlar. We can work together to find and stop those who are taking shots at us, and to prevent future attacks.
Cyber Threat Overview
Almost 20 years ago, here in San Francisco, I read the book entitled “The Cuckoo’s Egg,” the story of Cliff Stoll—a systems manager at a Berkeley laboratory. He noticed an accounting discrepancy of just 75 cents, and ultimately tracked it to a German espionage ring tapping into our military networks.
I mentioned the story to several FBI employees to illustrate the evolution of cyber crime. And I asked if anyone had read the book.
One reply did stick in my craw. A younger employee said, with what looked like a smirk, “I haven’t read it, sir; I was only 10 when it was published.” I said, “Thank you for reminding me of how old I am. I am sure you will be very happy in the FBI’s Yemen office.”
Ancient though it may be, the story of Cliff Stoll illustrates how far we have come, and how quickly.
Today, we will talk about what the FBI is doing to investigate and prevent cyber crime. We will focus on the power of partnerships. And we will touch on what we must do to prevent cyber crime from becoming endemic to our businesses, our economy, and our national security.
Let us begin with cyber threats to our national security. As you well know, a cyber attack could have the same impact as a well-placed bomb.
To date, terrorists have not used the Internet to launch a full-scale cyber attack. But they have executed numerous denial-of-service attacks. And they have defaced numerous websites, including Congress’ website following President Obama’s State of the Union speech.
A group known as the Iranian Cyber Army claimed responsibility for this attack. And while the damage may have been limited, such groups may attack for publicity or impact, and they are becoming more adept at both.
In the past 10 years, al Qaeda’s online presence has become as potent as its physical presence. Extremists are not limiting their use of the Internet to recruitment or radicalization; they are using it to incite terrorism.
Thousands of extremist websites promote violence to a ready and a willing audience. They are posting videos on how to build backpack bombs and bio-weapons. They are using social networking to link terrorist plotters and plans.
Of course, the Internet is not only used to plan and execute attacks; it is a target in and of itself. Usama bin Laden long ago identified cyberspace as a means to damage both our economy and our psyche—and countless extremists have taken this to heart.
We in the FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and it is rapidly expanding. Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks.
Apart from the terrorist threat, nation-states may use the Internet as a means of attack for political ends. Consider what took place in Estonia in 2007 and in the Republic of Georgia in 2008. Wave after wave of data requests shut down banks and emergency phone lines, gas stations and grocery stores, even parts of each country’s government. The impact of these attacks left us all aware of our vulnerabilities.
Counterintelligence and Economic Espionage
Let us turn for a moment to counterintelligence intrusions and economic espionage.
Espionage once pitted spy versus spy, country against country. Today, our adversaries sit on fiber optic cables and wi-fi networks, unknown and undetected. They may be nation-state actors or mercenaries for hire, rogue hackers or transnational criminal syndicates.
These hackers actively target our government networks. They seek our technology, our intelligence and our intellectual property, even our military weapons and strategies. In short, they have everything to gain, and we have a great deal to lose.
There has been much discussion of late about which nation-states pose the greatest danger of cyber attack. And to a certain extent, that discussion is irrelevant. It may not matter who the attacker is, or whether the motivation is political, ideological, or financial. The information may be bought and sold by anyone, anywhere in the world, whether friend or foe.
The end result will be the same: we will lose our data. We may lose access to our own information. And we may well lose our security.
In recent years, we have witnessed a new trend: the collection of seemingly innocuous information about a company and its employees—from e-mail addresses to PowerPoint presentations to notes from meetings. This data not only provides inside knowledge of research and development, business plans, or client negotiations. It can provide entrée to a company’s network.
Hackers are using this data to spearphish employees, sending e-mails purportedly from co-workers with content often too alluring or realistic to ignore. And just one breach is all they need to open the floodgates.
We have seen not only a loss of data, but also corruption of that data. We are concerned with the integrity of your source code. If hackers made subtle, undetected changes to your code, they would have a permanent window into everything you do. The same is true for those with access to hardware and software in the global supply chain.
Some in the industry have likened this to “death by a thousand cuts.” We are bleeding data, intellectual property, information, and source code, bit by bit, and in some cases, terabyte by terabyte.
The solution does not rest solely with better ways to detect and block intrusion attempts. We are playing the cyber equivalent of cat and mouse, and, unfortunately, the mouse seems to be one step ahead.
We must work to find those responsible. And we must make the cost of doing business more than they are willing to bear.
The FBI: Protecting Our Infrastructure
We in the FBI pursue cyber threats from start to finish. We have cyber squads in each of our 56 field offices around the country, with more than 1,000 specially trained agents, analysts, and digital forensic examiners.
Together, they run complex undercover operations and examine digital evidence. They share information with our law enforcement and intelligence partners, including the Secret Service, which also has strong capabilities in this area. And they teach their counterparts—both at home and abroad—how best to investigate cyber threats.
But the FBI cannot do it alone. The National Cyber Investigative Joint Task Force includes 17 law enforcement and intelligence agencies, working side by side to identify key players and schemes. The goal is to predict and prevent what is on the horizon, and to pursue the enterprises behind these attacks.
The task force operates through Threat Focus Cells—smaller groups of agents, officers, and analysts from different agencies focused on particular threats.
For example, the Botnet Focus Cell investigates high-priority botnets. We are reverse-engineering those botnets with an eye toward disrupting them. And we are following the money wherever it leads, to find and stop the botmasters.
This week’s takedown of the Mariposa botnet is one example of that collaboration. As you may know, Mariposa was an information-stealing botnet—one that infected millions of computers, from Fortune 1000 companies to major banks. And this case, like so many others, emphasized the need for global cooperation.
We have more than 60 FBI legal attaché offices around the world, sharing information and coordinating joint investigations with our host countries. And we have special agents embedded with police forces in Romania, Estonia, and the Netherlands, to name just a few.
Together, we are making progress. Last October, we worked with Egyptian authorities to dismantle a computer intrusion and money laundering scheme operating in the United States and Egypt.
With our partners in the United Kingdom, Germany, and Turkey, we dismantled Darkmarket, one of the most sophisticated online criminal syndicates—and one of the forerunners in using the Internet to buy and sell stolen financial data.
And we have worked with the Romanian National Police to arrest more than 100 Romanian nationals in the past 18 months. Four years ago, several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country. And yet today, Romania is one of our strongest partners.
These cases present unique hurdles in terms of jurisdiction and prosecution. We see borders as obstacles; criminals see them as opportunities.
Together, we must continue to work toward an international standard for cyber crime. And we must continue to press forward, country by country, and company by company.
In recent years, we have investigated a number of cases where financial institutions have been breached, with losses in the tens of millions.
You have likely heard about a recent global bank heist, where the hackers broke through an encrypted system to steal account numbers and PIN codes. They created more than 400 fake ATM cards and recruited hundreds of mules around the world. In just 24 hours, in roughly 280 cities, they stole nearly $10 million. The loss was limited only by the number of mules and the cash in the ATMs.
This was a revolutionary attack, in terms of its sophistication and its success. But our approach to finding those responsible was revolutionary as well.
First and foremost, the company came forward quickly, which was of great help to us.
We deployed a mobile FBI Cyber Action Team—a highly-trained group of agents, analysts, and experts in both computer forensics and malicious code. These teams travel the world on a moment’s notice to respond to fast-moving cyber threats such as this one.
We worked closely with our counterparts here at home and overseas to investigate this attack. And we alerted our private sector partners to the potential danger so they could make the necessary patches.
Today, the top three hackers behind this attack are in custody in Eastern Europe. But the simple truth is, if this company had not come forward, we would not have been able to stop these individuals from hitting the next victim.
This is where we can be of value—not just in finding these criminals, but in making certain they cannot get to you in the first place. If we cannot prevent every attack, we must stop them from striking again and again. To do that, we need your help.
Importance of Private Sector Partnerships
Let me again emphasize the importance of private sector partnerships.
Historically, there has been a dichotomy between network security on the one hand, and the investigative process on the other. It has been the great divide between us. But it needn’t be.
We in the FBI understand that you have practical concerns about reporting breaches of security. You may believe that notifying the authorities will harm your competitive position. You may have privacy concerns. Or you may think that the information flows just one way—to us.
We do not want you to feel victimized a second time by an investigation. And we know that putting on raid jackets, courting the media, and shutting down your systems is not the best way to get the job done.
We will minimize the disruption to your business. We will safeguard your privacy and your data. Where necessary, we will seek protective orders to preserve trade secrets and business confidentiality. And we will share with you what we can, as quickly as we can, about the means and methods of attack.
For example, we recently worked with our partners in the financial sector to draft an intelligence report on threat patterns in certain banking transactions. We shared that report with more than 4,000 partners. Together, we worked to limit the breadth and scope of this potential threat, and we closed the door to countless hackers.
Remember that for every investigation in the news, there are hundreds that will never make the headlines. We are behind the scenes, working to find those responsible. Disclosure is the exception, not the rule.
That said, we cannot act if we are not aware of the problem.
Maintaining a code of silence will not benefit you or your clients in the long run. It calls to mind the old joke about two hikers in the forest who run into a grizzly bear.
The first hiker says to the other, “We just need to outrun him.” And the second replies, “I don’t need to outrun him. I just need to outrun you.”
You may well outrun one attack, but you aren’t likely to avoid the second, or the third. Our safety lies in protecting not just our own interests, but our critical infrastructure as a whole.
Following World War I, France built a line of concrete fortifications and machine gun nests along its borders. It was designed to give the French army time to mobilize in the event of an attack by Germany. The secondary motivation was to entice Germany to attack Belgium as the easier target.
As we all know, the Maginot Line held strong for a brief time. However, in the long run, it did little good. The Germans invaded Belgium, flanked the line, and stormed France.
In the end, neither fortresses nor fortifications stopped Nazi Germany. Our success in defeating Germany was built on a united front. We stopped playing defense, and we pushed back, day by day. No one country, standing alone, could have ended that war.
The same is true today, in this new context. No one country, company, or agency can stop cyber crime. A “bar the windows and bolt the doors” mentality will not ensure our collective safety. Fortresses will not hold forever; walls will one day fall down. We must start at the source; we must find those responsible.
The only way to do that is by standing together. Together we can find better ways to safeguard our systems and stop those who would do us harm. For ultimately, we face the same threat. We both serve the American people. And we must continue to do everything we can, together, to minimize these attacks.
Thank you and God bless.