- Robert S. Mueller, III
- Federal Bureau of Investigation
- International Conference on Cyber Security 2013, Fordham University
- New York, NY
- August 08, 2013
Remarks prepared for delivery.
Thank you, Father McShane, and my thanks to Fordham University for once again co-hosting this conference with the FBI. I am honored to share the stage with my good friends Keith Alexander and John Brennan.
Keith and John have already covered much of the key terrain in their remarks. But in closing today, I do want to address three points on the future of cyber security. This, from the perspective of the FBI.
First—the absolute necessity of focusing on the individuals behind the keyboards.
Second—the continued value of traditional law enforcement capabilities in identifying these persons and stopping them.
And finally—the crucial role the private sector must play in this fight and how we can improve government and private sector collaboration.
The People Behind the Keyboards
In recent years, we have seen a proliferation of adversaries in the cyber arena. As you have discussed this week, these criminals are constantly discovering and exploiting vulnerabilities in our software and our networks. They have also become increasingly professional: They are organized…they network…and they share tools, stolen data, and know-how.
In the years to come, we will encounter new intrusion methods, hacking techniques, and other unpleasant surprises. And in response, our nation will continue to develop—as we must—the technical skills and tools to prevent these intrusions and limit their damage.
But we will not be able to eliminate all vulnerabilities. True cyber security is more than defending against the ones and the zeros.
We must remember that behind every intrusion is a person responsible for that intrusion—a warm body behind the keyboard, whether he or she sits in Tehran or Tucson; Shanghai or Seattle; Bucharest or the Bronx.
Our ultimate goal must be to identify and deter the persons behind these keyboards. And once we identify them—be they state actors, organized criminal groups, or 18-year-old hackers—we must devise a response that is effective, not just against that specific attack, but for all similar circumstances.
So indeed it is fitting that we have the directors of our three respective agencies here today. To find the intruders behind the keyboards overseas, we absolutely need the considerable skills of Keith’s experts at NSA. But we also need the human intelligence capabilities of John’s team at the CIA. And you will not be surprised to hear me say that we also need the investigative and intelligence resources of the FBI.
We often think of cyber investigations as unique in nature. And most of them do require a certain technical expertise.
But our effectiveness in cyber investigations rests on the same techniques we have used in cases throughout the FBI’s history—physical surveillance, forensics, cooperating witnesses, sources, and court-ordered wire intercepts.
Let me share with you an example of how this works.
The combination of technical skills and traditional investigative techniques recently led the FBI to the hacker known as Sabu—one of the co-founders of LulzSec.
This case began when our Los Angeles Division collected IP addresses that were used to hack into the database of a TV game show. One of these led to an individual who had failed to anonymize his IP address. Our New York Office used confidential human sources, search warrants, and physical surveillance to identify and locate this man, who was only known then by his online moniker, Sabu.
When our agents went to arrest him, they gave him a choice: Go to jail now, or cooperate.
Sabu agreed to cooperate, continuing to use his online identity. His cooperation helped us to build cases that led to the arrest of six other hackers linked to groups such as Anonymous and LulzSec. It also allowed us to identify hundreds of security vulnerabilities—which helped us to stop future attacks and limit harm from prior intrusions.
At its beginning, any investigation into an intrusion is a search for intelligence that will enable us to define that particular threat. The FBI’s dual role as both a national security and a law enforcement agency is instrumental in this work.
We in the Bureau have Cyber Task Forces in each of our 56 field offices, as well as several Cyber Action Teams that can be deployed at a moment’s notice. When a major intrusion is discovered, we can have investigators on the scene almost immediately. That allows us to analyze logs and conduct interviews. If the intrusion appears to pose a national security threat, our partners at NSA will play a role as well. Being on the scene quickly also allows us to preserve evidence for prosecution as an option.
A good example of how this works took place two years ago at a water treatment plant in Illinois. A water pump had failed, and in their initial investigation, the employees identified traffic from Russia that had accessed the company’s network. Accordingly, they thought this traffic might be related to the pump’s failure.
The FBI responded, along with DHS, by sending a Cyber Action Team. After investigation, we determined that the pump had not failed because of malicious or unauthorized computer traffic from overseas—it was simply a faulty pump. The investigation disclosed that the traffic from Russia was in fact one of the plant’s contractors, who had logged in remotely to the plant’s system while traveling with his family in Russia.
In this case, our law enforcement capabilities allowed us to more quickly rule out any threat. But these same capabilities will be crucial in attributing responsibility for a major intrusion, and determining the right response.
The Importance of the Private Sector
Let me turn now to the critical role the private sector must play in cyber security—something that Keith and John have also noted.
I do believe that in the future, the cyber threat will equal or even eclipse the terrorist threat. And just as partnerships have enabled us to address the terrorist threat, partnerships will enable us to address the cyber threat.
But the array of partners critical to defeating the cyber threat is different. In this case, the private sector is the essential partner.
The private sector is, of course, a primary victim of cyber intrusions. Yet those of you in the private sector also have the expertise and the knowledge to be an integral partner in defeating this threat. You build the components of cyber security—the hardware, the software, and the networks—and you drive future technology. Without you, we cannot combine innovation and security.
The challenge we now face is to build more effective partnerships.
We in the FBI are working with the private sector to share threat information and to better protect our critical infrastructure. For example, the Domestic Security Alliance Council, with chief security officers from approximately 250 companies, represents every critical infrastructure and business sector. Another partnership is InfraGard, which promotes the sharing of information about threats to critical infrastructure. Today InfraGard has 58,000 members nationwide from government, the private sector, academia, and law enforcement.
While these outreach programs are helpful, we must do more. We must shift to a model of true collaboration—a model of working side-by-side as a matter of course.
We must build structured partnerships between the relevant government agencies on the one hand, and within the private sector on the other hand. Then, we must develop means for sharing information and intelligence more quickly and effectively between these two spheres.
The National Cyber Investigative Joint Task Force is one example of an effective partnership in the federal sphere. Nineteen separate agencies participate. It serves as a national focal point for and coordinator of cyber threat information, intelligence, and investigations.
In the private sector, we have the National Cyber Forensics and Training Alliance, located in Pittsburgh. This alliance is a wholly private entity and includes more than 80 industry partners from a variety of sectors. It has access to more than 700 subject matter experts, and passes real-time threat intelligence to its federal and international partners every day.
These entities are steps in the right direction. But we must build on them, to expand the channels of information sharing and collaboration.
Only by sharing intelligence swiftly will we be able to forecast coming attacks—and deter future ones. By fusing private-sector information with information from the intelligence community, we can produce a complete picture of cyber threats—one that benefits all of us.
* * *
When it comes to securing our networks, we are still in the early stages of a long struggle. As Winston Churchill once said during World War II, we have only reached “the end of the beginning.” And in this battle, our foes often seem to have all the advantages—they attack when, where, and how they want, and our weak points are many.
We cannot stop every attack. But we also know that by working together, with persistence, we can secure our networks and deter those who seek to harm us.
We can stem the loss of intellectual property that saps America’s economic strength.
We can prevent financial catastrophes, physical damage, and the loss of valuable national security secrets.
And we can preserve the sense of trust and security that is essential in our increasingly connected world.