The FBI and Corporate Directors: Working Together to Keep Companies Safe from Cyber Crime
Remarks prepared for delivery.
Thanks, Peter. It’s great to be here with you.
One of our priorities at the FBI is building relationships at the corporate level. This is our inaugural meeting with such a large group of board members. And it’s incredibly important to me. Because we need your help to confront the threats we face.
I was in the private sector for 12 years before coming back to law enforcement. And there are a few things I miss about life in the private sector—mostly living outside of the Beltway, way outside of the Beltway—and being able to drive my own car. That’s one of the things you don’t think about before taking a job like this—the driving.
Another thing I sometimes miss is the focused nature—relatively speaking—of practicing law. At my old law firm, I ran an international practice group and served on our firm’s policy committee. And I sometimes thought I had a lot on my plate then. My scope of responsibility is just a bit more broad these days. And needless to say, my hair is a lot more gray, as my kids like to remind me on a regular basis.
But I was thinking about it, and the same is true for all of you. Not the gray hair part—the responsibility part. You’ve got to understand almost every aspect of the companies you serve—strategy, succession, performance; vulnerabilities; and the needs of management, employees, customers, and shareholders. And you’ve got to be able to see the big picture—what’s coming down the road. That can be a lot of responsibility.
And your burdens aren’t getting any lighter in this brave new world. A world where terrorism moves at the speed of social media. A world where hackers for hire and nation-state adversaries are using cyber as a weapon—to steal our innovation, our data, our secrets, and our technology. A world where geopolitics, global markets, and crime have converged.
I want to give you a sense of how the FBI is thinking about these threats—in particular, cybersecurity and espionage. And some sense, from our perspective, of what we can do together to fight them. And then I’ll take a few questions.
Let’s start with the cyber threat.
The cyber threat has evolved dramatically since I left DOJ’s leadership in 2005, partly reflecting how much the digital world has itself evolved over that time. Back then, “tweeting” was something only birds did. I’ve noticed it’s a bit more popular now. Today, we live much of our lives online, and everything that’s important to us, and to your companies, lives on the Internet—on our devices, our systems, our networks, and in the cloud—which means this threat is now coming at us from all sides.
We’re worried about a wider range of threat actors, from multi-national cyber syndicates and insider threats to hacktivists. And we’re concerned about a wider gamut of methods, from botnets to ransomware, from spear phishing to business email compromise and APTs—advanced persistent threats. We’re seeing these diverse threats in every company, at every level.
The days of wondering if you’re going to be the next victim are gone. Now it’s a matter of how often you’ll get hit, and how bad it’ll be. And we’re not talking just about defense contractors or critical infrastructure. Every company is a target. Every single bit of information, every system, and every network is a target. Every link in the chain is a potential vulnerability.
We’re talking about the vendors you work with. Your contractors—and their sub-contractors, over whom you may have little or no supervision, or even knowledge. Your supply chains—especially technology supply chains, because the hardware components and software code often come from foreign sources, including developers in Russia and China. And even your own employees—what we call the “insider threat.” We’re seeing more incidents of employees taking proprietary information when they’re about to be on the job market. And we’re seeing business competitors—and foreign governments—seeking to place spies into rival companies to gain access to information.
The danger isn’t limited to data exfiltration or manipulation or ransomware attacks. Access alone can cause a real problem. And most companies don’t see that as an issue. But think about it for a moment. Who has access to your proprietary information? Who has information about your day-to-day operations and decision-making? Your long-term plans? Who holds the keys to the kingdom? Should they? Once someone has access to your data, your ideas, and your innovation, it’s practically impossible to pull it back. Even worse, you may never even know you’ve got a problem.
And the more we expand our global footprint, the more we do business in other countries, the more risk we assume on the cyber front. Even local companies often draw from global supply chains, a global talent pool, and global internet and communications systems.
I want to focus for a moment on the increase in nation-state sponsored computer intrusions. It’s no surprise to anyone in this room that China, in particular, seeks our information, our technology, and our military secrets. They seek to gain any advantage on the global stage, through whatever data they can pilfer. They’re using an expanding set of non-traditional methods—both lawful and unlawful—like cyber intrusions, foreign investment, corporate acquisitions, and supply chain threats.
As just one example, last November, the DOJ unsealed indictments against three Chinese nationals for computer hacking, theft of trade secrets, conspiracy, and identity theft against employees and computers of three corporate victims over a six-year period. These three individuals worked for a China-based Internet security firm. They used their access to the computer systems of these three corporations to exfiltrate sensitive internal documents and trade secrets to help Chinese companies improperly gain a competitive advantage.
The Chinese government isn’t pulling any punches. They’re strategic in their approach—they actually have a formal plan, set out in five-year increments, to achieve dominance in critical areas.
Another example: In April of this year, we charged nine individuals and companies with conspiracy to commit economic espionage and theft of trade secrets from a U.S. company for the benefit of several Chinese state-owned enterprises.
That U.S. company manufactures syntactic foam—a strong, lightweight material with commercial and military uses, including in U.S. Navy submarines and vessels. Syntactic foam was specifically identified in China’s 12th five-year plan as a technology China wanted to acquire. The scheme—funded by millions of dollars from China—involved setting up a front company and recruiting employees of the victim company with access to trade secrets.
We’re getting more serious about the China threat. And we’re asking you to get more serious about that threat, too. Because it’s only going to get worse. No country poses a broader, more severe intelligence collection threat than China. Actors working to benefit China—including state-owned and ostensibly private companies—are the most active perpetrators of economic espionage against us.
We have economic espionage investigations that almost invariably lead back to China in all 56 of our field offices, spanning almost every industry or sector. And China is by no means the only aggressor. Russia, for instance, is still a serious threat. But Russia, in many respects, is struggling to stay relevant after the fall of the Soviet Union—they’re fighting today’s fight. They remain one of our most tenacious adversaries. But China is fighting tomorrow’s fight, and they want what we have so they can get the upper hand on us.
A Harvard psychology professor has argued that humans are good at reacting to immediate threats, but we’re not so great at reacting to gradual threats. We can recognize acute problems with local, short-term consequences—a child with the flu, a broken air conditioner, a crisis at work. But we don’t respond as effectively to chronic problems, even those entailing global, long-term consequences.
That’s one reason why counterintelligence threats are often underestimated. It’s much easier for the FBI to respond to a bank robbery than to understand and combat a gradual process like technology theft or malign foreign influence. Even though these are the generational threats that will shape our nation’s future, and determine what we’ll look like in 20 years, in 50 years.
Our folks in the FBI are working their tails off every day to find and stop the criminals and nation-state adversaries targeting your companies. To address the threat from nation-state actors, we’re using a broad set of tools and allies. Sometimes we use our traditional law enforcement authorities to arrest a malicious actor. But we might also work with the State Department to have a subject’s visa revoked. We might work with the departments of Commerce or Treasury to sanction a foreign company for misconduct. Or we might work directly with a U.S. company to help identify and remove an insider threat.
On the cyber front, we’ve got Cyber Task Forces in each of our 56 field offices across the country—with partners from over 180 different local, state, and federal agencies. We have more than 20 cyber investigators in key locations around the world. Our Cyber Action Team maintains an elite rapid response capability we can deploy around the country. And we operate a 24/7 steady-state watch capability called CyWatch.
But we can’t do it on our own. We’ve got to work together, particularly with those of you in the private sector. We’re sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information whenever we can. I’m sure you can appreciate there are times when we can’t share as much as we’d like to, but we’re trying to get better and smarter about that.
The vast majority of our critical infrastructure is in the hands of the private sector, of course. You own it, you run it—you’re on the front lines. You know the risks, you know the weak spots, and you’re more likely to see emerging threats coming down the road. That’s why it’s so important for us to keep these lines of communication open.
I want to turn to the role of the board of directors for a moment. As board members, you’re expected to take the enterprise-level view. You’re expected to have that 360-degree perspective of the whole organization. And unlike the CEO or executive management, you’re not typically involved in the day-to-day operation of the company. As leaders, we know that the day-to-day grind is tough. There’s too much to do, and too little time to do it. So all the stakeholders of a company, from the shareholders to executive management, are relying on you to see the big picture.
They’re relying on you to have a mature understanding of the risks and vulnerabilities at hand. What questions should you be asking yourselves? What decisions should you be making right now? Management might be focused on near-term objectives, but you’ve got to play the long game—balancing short-term profitability with long-term risk. A decision to enter into a joint venture or contract with a particular vendor or cloud computing company may look good today—it may make a lot of money today. But that decision might not look so great five years down the road, if you’re in the middle of a slow bleed of data. Or, worse, if you’re suffering a major hemorrhage of intellectual property.
As members of the board, you can, and should, help keep the companies you serve focused on what information is most important to protect. You’ve got to work with executive management to establish and communicate a clear information security plan. You’ve got to be confident in your organization’s plan to restrict access to protected information, and its ability to monitor who’s accessing that data. You’ve got to ensure that the responsible executives have established an enterprise-wide cyber risk management framework. You’ve got to know that your organization has business continuity plans in place now, before the crisis strikes. And if you do suffer a breach, it’s important to take the long-term view.
Getting the FBI involved early allows us—and our federal partners—to mitigate any ongoing damage to your networks and your data. It helps us connect the intrusion on your systems to any larger threat streams, and give you the information you need to understand what happened. It helps mitigate any risk to your reputation from a delayed notification. And it helps us notify other potential victims.
I know there’s sometimes a reluctance out there to turn to the feds when you’ve been hacked. But we’re not going to rush in wearing raid jackets and shut down your operations. In our eyes, you are—and you should be treated as—a victim. But time is of the essence in these cases.
So, please, when you see indications of unauthorized access or malware on your systems, when an attack results in a significant loss of data or control of systems, when there’s a potential impact to national security, economic security, or public health and safety, or when an intrusion affects critical infrastructure, reach out to us. Call your local field office. In every field office, we have a private sector coordinator dedicated to engaging with your companies. We want to work with you, we want to help you. But we can’t do anything to help if you don’t turn to us.
One of our cyber executives uses a great analogy to describe the cyber threat. He talks about working on a case with the port authority as an agent in South Texas. And there was an accident on the water one night, when a tugboat pushing a number of barges smashed into a pylon on a bridge. The agent asked a few questions: “How fast was the tugboat going? And how long does it take to stop?” And the port authority guy said, “Oh, about 5-7 knots. And it takes about 200 yards to stop.”
The agent could see the lights on the tug only illuminated the ship up to the bow, which was a big problem. Because the boat captain couldn’t see the bridge up ahead. So that accident actually happened about two minutes before the collision—the moment the tug lost its ability to maneuver around the danger. He couldn’t stop, and he couldn’t steer fast enough to avoid the collision. The same is true for all of us.
The bad guys—hackers for hire, nation-state adversaries, and organized criminals—they’re taking advantage of mistakes and vulnerabilities. They’re sitting on our systems, lurking. And if they’re not there yet, they’re making every effort to get there. Many of the intrusions we’re seeing now actually happened some time ago—sometimes even years.
For companies to wait until there’s an impact before re-positioning, before tightening up systems, is a mistake. Because by then, it’ll be too late. The accident will be unavoidable. And when it happens, we’re all just reacting after-the-fact to a bad situation. And that’s not the best case scenario for anyone.
We want to be ahead of the threat; we want to prevent you from being victimized in the first place. To do that, we’ve got to have a full understanding of what you’re seeing. We want to know what keeps you up at night. What could damage your operations, your information, your networks, your people, your reputation? How are you addressing those risks? We’ve got to get to know each other, and the challenges we’re facing.
We’ve got to build these relationships now. If a crisis does strike, it’s much easier to work together when we already have that baseline relationship—that initial sense of trust and understanding. To coin the old saying: “The best time to patch the roof is when the sun is shining.”
We’ll keep doing what we can on our end to build these relationships—at the national level, with conferences like this, and at the local level, through our field offices. And we’d ask you to reach out to us, to talk to us about what you’re seeing, and to let us know how we can help. I hope we can keep this forward momentum going.