Keeping Our Financial Systems Secure: A Whole-of-Society Response
Remarks prepared for delivery.
Thanks, Cy. It’s great to be here with all of you.
I hope I’m catching you on a sugar high and not a sugar crash the day after Halloween. Having grown up here in the city—but having raised our kids in Atlanta and D.C.—I sometimes tell them they really missed out on the trick-or-treating front. In classic New York fashion, it’s tough to match the sheer scale and efficiency of working entire elevator banks of candy. Kids can hit about 60 apartments in a half-hour, without even going outside....
* * *
Today I want to talk to you about some of the challenges we face—collectively—that threaten the integrity of our banking and financial systems—from the increasingly dangerous cyber threat, to more sophisticated and digitally-enabled types of fraud, to new public safety concerns arising from emerging technologies. We’re all here today because we recognize that we’ve got to address these challenges through a whole-of-society response—one that includes strong partnerships between the FBI, our law enforcement and regulatory partners, and the private sector.
At the FBI, we’re seeing an increase in the complexity of threats, in both the national security and criminal sides of the house. And we’re seeing an evolution in the impact, the scale, and the speed—the agility—of these threats. Today, I’d like to focus on some of the most difficult aspects of the cyber threat and the technological challenges we face.
As everyone in this room knows all too well, the cyber threat has evolved dramatically in recent years. We’re worried about a wider-than-ever range of threat actors, from multi-national cyber syndicates to nation-state adversaries. We’re concerned about a wider-than-ever gamut of methods, from botnets to ransomware and from spear phishing to business email compromise. We’re seeing these diverse threats in almost every company, at almost every level. The days of wondering if you’re going to be the next victim are gone. Instead, it’s a matter of when, or even how often you’ll get hit, and how bad it’ll be when it happens. Every company—every bank, every firm—every agency is a target. Every single bit of information, every system, every network is a target. Every link in the chain is a potential vulnerability. Even your own employees and contractors—what we call the “insider threat.”
We’re very much concerned about American innovation ending up in the wrong hands. Certain nation states are intent on stealing proprietary information for their own political or economic gain.
Nation-State Sponsored Intrusions/Espionage
I want to focus for a moment on the increase in nation-state sponsored computer intrusions. Rival countries are aggressively deploying efforts to strengthen themselves and weaken the United States. But no country poses a broader, more severe intelligence collection threat than China.
Nearly every FBI field office currently has economic espionage cases that lead back to China. Let’s be clear: China’s goal is to replace the U.S. as the world’s leading superpower. They seek to gain any advantage on the global stage, through whatever data they can pilfer. They’re using an expanding set of nontraditional methods to do that—both lawful and unlawful—from things like foreign investments and corporate acquisitions, to cyber intrusions and supply chain threats. As just one example, last November, the Department of Justice unsealed indictments against three Chinese nationals for computer hacking, theft of trade secrets, conspiracy, and identity theft against employees of three different companies—three different corporate victims … over a six-year period. These guys worked for a China-based Internet security firm. They used their access to the computer systems of these three corporations to exfiltrate sensitive internal documents and trade secrets, to help Chinese companies improperly gain a competitive advantage.
China is of course not the only aggressor. Russia, for instance, is still a serious threat. And without question, they remain one of our most tenacious adversaries. But Russia, in many respects, is fighting today’s fight. China is fighting tomorrow’s fight, and they want what we have so they can get the upper hand on us. They are persistent, but patient, in chasing that goal. So, the FBI is taking the China threat very seriously. And we’re asking American companies to get more serious about that threat, too.
So how do we fight these threats? Our folks in the FBI are working around the clock and around the globe to find and stop the criminals and nation-states targeting American business. To address the threat from nation-state and criminal actors, we’re using a broad set of tools and allies. Often we use our traditional law enforcement authorities to arrest or charge a malicious actor. But we might also work with the State Department to have a subject’s visa revoked. We might work with the departments of Commerce or Treasury to sanction a foreign company for misconduct. And we might work directly with a U.S. company to help identify and remove an insider threat.
On the cyber front, we’ve got Cyber Task Forces in each of our 56 field offices across the country—with partners from over 180 different local, state, and federal agencies joining us on these task forces. Our Cyber Action Team is an elite, rapid response force that we can deploy around the country. And we have more than 20 cyber investigators embedded in foreign locations around the world.
Thanks to these capabilities, and others, we’ve made progress on several fronts. For example, in February, the DOJ extradited the operator of the Kelihos botnet. The Kelihos botnet was a global network of tens of thousands of infected computers. It distributed hundreds of millions of fraudulent e-mails, stole banking credentials, and installed ransomware and other malicious software on computers all over the world. We worked with our foreign law enforcement partners in both Spain and the Netherlands to identify and apprehend the Russian hacker and dismantle the botnet.
And in June we announced the results of Operation WireWire—a major effort to disrupt international business e-mail compromise schemes that intercept and hijack wire transfers from businesses and individuals. We worked with our partners at the Secret Service, the U.S. Postal Inspection Service, ICE, Treasury’s Financial Crimes Enforcement Network, and the IRS. And we had significant assistance from both private sector partners and our international partners in Nigeria, Canada, Mauritius, Poland, Indonesia, and Malaysia. The six-month sweep resulted in 74 arrests, the seizure of nearly $2.4 million and the disruption and recovery of about $14 million in fraudulent wire transfers.
So we’re making strides, and we’ve had a number of successes, but we still need to do more. We’ve got to have a whole-of-society defense. The vast majority of our critical infrastructure is in the hands of the private sector. The financial sector is one of the most prepared for detecting, responding to, and mitigating a cyber attack, but it also remains one of the most targeted by malicious actors. You know the risks, you know the weak spots, and you’re more likely to discern emerging threats coming down the road. And we need the benefit of your insight, knowledge, and experience.
But we also know that information-sharing works best when it’s a two-way street: we share with you, and you share with us, creating a virtuous cycle that supports economic security for the American marketplace. We’re sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information directly with companies like many of those represented in this room. Together, we need to work closely on specific problems that affect the financial sector—and we’re open to being educated about those threats in the way that you see them, just as we urge you to learn from our perspective in law enforcement. At the FBI, we’re able to perform analysis and combine that with the intelligence we collect, to put you in a better security posture before an incident occurs. If you do suffer a data breach, getting the FBI involved early allows us—and our federal partners—to mitigate any ongoing damage to your networks and your data.
I want to turn to emerging challenges for a moment. The threats against us don’t stand still—so we can’t, either. We’ve got to be able to keep pace with technological change. One of my priorities as Director is to make the FBI more agile and resilient. We have to be more and more innovative because as we all know, technology is evolving more quickly than ever. But we at the FBI can’t do it alone. We need partnerships, and we need a broader societal response to emerging technology, to ensure public safety.
Two areas, in particular, will require all of us to adapt—enforcement agencies, the private sector, and society as a whole. One is cryptocurrencies. They’re becoming prevalent in a wide variety of our investigations. Cryptocurrencies can be used to launder illicit criminal proceeds. They’re a means to pay assets—human assets—and double agents in counterintelligence operations. They’re a way to fund terrorist groups. And they can be used to pay off cyber extortionists and make ransomware go away.
Of course using cryptocurrency isn’t itself illegal. But because these currencies are not traditional financial mechanisms, they’re not easy to trace. You can trace a credit card back to a brick and mortar bank; you can issue a subpoena to a wire transfer service to find out who sent the money and to whom. With cryptocurrencies, sometimes all you have to go on is part of an alphanumeric address, similar to a bank account number. It makes it more anonymous to receive and send funds. You may not know who’s behind the transaction, where the value was transferred, or what the currency was used to pay for. And that makes our jobs in law enforcement tougher—whether we’re following the money in counterterrorism, counterintelligence, cyber, or organized crime investigations. And it makes your jobs tougher—those of you in the private sector as well as those of you who are regulators—because you’re trying not to impede innovative ways for businesses to raise capital or generate revenue. Yet you want to protect investors, customers, and the public from criminals who are creative—and unfortunately, there is a ready supply of individuals willing to leverage new technologies to evade the law. Last year, a Long Island woman was indicted on bank fraud and money laundering charges for allegedly stealing and making foreign transfers of $85,000 in Bitcoin and other cryptocurrencies to support ISIS.
Another concern is the prevalence of fraud in “initial coin offerings.” We’ve had a number of cases of fraudulent capital raises for fake cryptocurrencies—where investors provide capital in return for a currency that doesn’t actually exist. As cryptocurrencies continue to gain prominence, there’s got to be a broader social recognition of their potential illicit use and thought about mechanisms to counter that.
Another way criminals can take advantage of evolving technology is through the problem we call “Going Dark.” I want to thank the District Attorney and other law enforcement officials here for continuing to raise this issue. It’s becoming increasingly difficult for law enforcement at all levels to intercept communications between criminals—from drug dealers and organized crime groups to money launderers and identity thieves.
We all recognize the important benefits of strong methods of encryption—cybersecurity, after all, is at the heart of the FBI’s mission. But when encryption puts communications beyond the law, it means that even when we can demonstrate probable cause, we can’t get the content we need. When we can’t access these communications, our trail of evidence evaporates, our cases fall apart, and bad guys go free. And they stay free, to victimize more people. Our adversaries know this. The same technology that companies use to protect their customers’ data is used by criminals to conduct their illicit schemes. Criminals are shifting more and more of their lives over to encrypted devices and encrypted messaging platforms, making it tougher for law enforcement, internal teams, and regulators to track their activities.
We’ve seen this in a wide range of cases—including kidnappings, violent crime, and terrorism—where lives are on the line. Going Dark has also affected our ability to investigate white-collar crimes involving fraud, money laundering, and insider trading. In August of 2017, a bank IT employee pled guilty to a wide-ranging insider trading scheme that netted more than $5 million in proceeds. To evade detection, the employee used a messaging app to pass encrypted messages to two friends about confidential planned corporate mergers and acquisitions.
Also last year, the U.K.’s Financial Conduct Authority fined a former banker nearly £40,000—or roughly $46,000—for sharing confidential information on an encrypted messaging app. As you can see, this isn’t just a domestic problem. It’s an international problem and one that’s recognized by our closest allies, not to speak of our adversaries. Together, law enforcement, regulators, and industry have got to find a way forward so that criminals can’t use technology to escape the law.
Let me share just one example—and I feel sure there are others—of how the public and private sectors might seek to strike this balance. Many of you know about the chat and messaging platform called Symphony, used by a group of major banks. It was marketed as offering “guaranteed data deletion,” among other things. That didn’t sit too well with the regulator for four of these banks—the New York State Department of Financial Services. DFS was concerned that this feature could be used to hamper regulatory investigations on Wall Street. In response to those concerns, the four banks reached an agreement with DFS to help ensure responsible use of Symphony. They agreed to keep a copy of all e‑communications sent to or from them through Symphony for seven years. The banks also agreed to store duplicate copies of the decryption keys for their messages with independent custodians who aren’t controlled by the banks. So the data in Symphony was still secure and encrypted, but it was also lawfully accessible to regulators, so they could do their jobs.
I should note that this system is both end-to-end encrypted and aims to protect privacy. We’re not looking for a “back door”—a phrase commonly used to mean some type of secret, unsecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has confirmed we have probable cause.
We know much of the debate over encryption has been polarized. But it’s important that we have an honest and rigorous search for technical solutions that will benefit society as a whole. I’m heartened to see more discussion regarding these solutions outside of government—including in recent academic publications. After all, this is not just a law enforcement issue, it’s a matter of public safety.
We’ve seen incredible technological changes over the past 20 years. We’re likely to see even greater changes and challenges over the next 20 years as transformational technologies—such as autonomous cars, drones, 5G, and AI—take hold. We’ve got to make sure that as the ingenuity that drives this nation continues, it’s also designed and used to solve real-world, flesh-and-blood public safety concerns associated with those technologies. And that our legal frameworks keep up with the pace of change. I’m confident that with law enforcement, academics, the tech industry, and the government working together, we can find a way to cooperate so that criminals can’t use technology to flout and escape the law.
I want to close with a great analogy one of our cyber executives uses to describe the threat landscape. He talks about working on a case with the port authority as an agent in South Texas. And there was an accident on the water one night, when a tugboat pushing a number of barges smashed into a pylon on a bridge. The agent asked a couple questions: “How fast was the tugboat going? And how long does it take to stop?” And the port authority guys said, “Oh, about 5-7 knots. And it takes about 200 yards to stop.”
The agent could see the lights on the tugboat only illuminated the ship up to the bow, which was a big problem because the boat captain couldn’t see the bridge up ahead. So that accident actually happened about two minutes before the collision—the moment the tugboat lost its ability to maneuver around the danger. He couldn’t stop, and he couldn’t steer fast enough to avoid the collision.
The same is true for all of us. The bad guys—hackers for hire, nation-state adversaries, organized criminals—they’re taking advantage of mistakes and vulnerabilities. They’re sitting on our systems, lurking. And if they’re not there yet, they’re making every effort to get there.
Many of the intrusions we’re seeing now actually happened some time ago—sometimes even years. For companies to wait until there’s actually an impact before re-positioning, before tightening up systems, is a mistake. Because by then, it’ll be too late. The accident will have become unavoidable. And when it happens, we’re all just reacting after-the-fact to a bad situation. And that’s not the best case scenario for anyone.
We want to be ahead of the threat; we want to prevent you and your companies from being victimized in the first place. To do that, we’ve got to have a full understanding of what you’re seeing. We want to know what keeps you up at night. We’ve got to build these relationships now. If a crisis does strike, it’s much easier to work together when we already have that baseline relationship—that initial sense of trust and understanding. It’s like the old saying: “The best time to patch the roof is when the sun’s shining.” We’ll keep doing what we can on our end to build these relationships—at the national level, with symposiums like this, and at the local level, through our field offices. And we’d ask you to reach out to us, to talk to us about what you’re seeing, and to let us know how we can help. I look forward to continuing the discussion. Thanks for having me here today.