Christopher Wray
Federal Bureau of Investigation
Fordham University - FBI International Conference on Cyber Security
New York City, New York
July 25, 2019

The Way Forward: Working Together to Tackle Cybercrime

Remarks prepared for delivery.

Good afternoon. You’ve already covered a lot of ground this week, and I’m the only thing standing between you and lunch and either a summer afternoon in the city—maybe a rooftop bar—or your trip back home. So let me jump right in.

When this conference began 10 years ago, I understand it used to be held around the corner, in the bowels of the old law school. You had to walk through dim corridors—even through the gym—to get from session to session. Still, even back then—in its very first year—it was standing room only. And now, here we are, in this sophisticated setting, with what I’m told is much better food.

Like this conference, the cyber and digital threats we face have become much more sophisticated, with a greater range of actors and techniques. These threats have also become more pervasive, with a far wider variety of victims. And more dangerous, with the potential for ominously greater damage, as we become increasingly dependent on digital capabilities.

And with every advance in technology, from AI to drones to the many different ways we now communicate with each other, the degree of risk posed by these threats increases. You’ve talked about this issue all week. Most of you live it, every day. From a technological standpoint, it’s a new world—and every day, it keeps evolving. So we’ve gathered this week to help combine the talents, resources, and insights of folks across the government, private sector, and academia. And to press forward, together, towards even better ways of protecting ourselves and keeping our nation safe.

Brief Overview of FBI’s Role

I’d like to spend a few minutes talking about what the FBI brings to our common fight.

Given our law enforcement authorities, our central role in the Intelligence Community, and the span of our responsibilities—from counterterrorism to counterintelligence to criminal investigations—we’re particularly well-positioned to address cyber threats to our national security. And because we’re out on the ground, running these investigations, we’ve got a lot of unique information to share with our partners—in law enforcement, in the IC, with our private and public sector partners, with academia, and with Congress.

But our role isn’t limited to investigations. We’re using our expertise to warn the public and private sectors about what we’re seeing—and to spotlight risks and vulnerabilities. I want to touch on a few of those—foreign influence, foreign investment, and lawful access to digital evidence. And then I want to wrap up by talking about our way forward, working together.

How We’re Addressing Cyber Threats

My view is that the cyber threat is bigger than any one government agency—or even the government itself. But the FBI brings a rare combination of scope and scale, experience, and tools to the mix. We investigate criminal activity like intrusions and cyber attacks, but we also investigate national security threats like foreign influence.

Our Cyber Division leads our response to high-level intrusions. But we’ve also got decades of experience in our Counterintelligence, Weapons of Mass Destruction, Counterterrorism and Criminal Divisions—thousands of folks throughout the Bureau, in all 50 states across the U.S. and in almost 75 countries overseas, who are experts in the people and technology behind the crimes.

We’ve got technically trained personnel—with cutting-edge tools and skills you might never have imagined seeing outside of a James Bond movie—covering roughly 400 offices around the country. We’ve got an elite rapid deployment force, our Cyber Action Team, which can respond to a cyber incident pretty much anywhere in the world. And we’ve got dedicated Cyber Task Forces—a lot like the JTTFs in the terrorism context—all over the country. These task forces include folks from more than 180 different federal, state, and local law enforcement agencies. CyWatch, our 24-hour watch floor, coordinates the U.S. law enforcement response to intrusions, tracks victim notification, and collaborates with other federal cyber centers.

All that adds up to a pretty formidable arsenal. And we’re bringing it to bear against some of the most challenging cyber threats out there.

To pick one recent example, in December, we indicted members of APT10, a hacking group operating in China, associated with the Ministry of State Security. They conducted major intrusion campaigns targeting managed service providers to compromise the networks of U.S. government agencies and companies around the world. The list of 45 victim companies ran the gamut from biotech, agriculture, and health care to oil and gas exploration and NASA. They stole hundreds of gigabytes of intellectual property and confidential business information.

The scope of the investigation was broad, including FBI field offices in New Orleans, New York, Sacramento, San Antonio, and Houston. We worked closely with the Department of Justice, Defense Criminal Investigative Service, and the Department of Homeland Security. Our Cyber Action Team, with our counterparts at DHS, deployed to multiple locations to provide investigative assistance. And we worked with the Naval Criminal Investigative Service to investigate APT10’s theft of Personally Identifiable Information (PII) from more than 100-thousand naval service members.

Some people are skeptical about the value of indictments where a foreign nation-state actor is involved. But in the case of APT10, the indictments marked an important step in publicly exposing China’s continued practice of stealing intellectual property to give Chinese firms an unfair advantage in the marketplace. The indictment led to statements of condemnation against China from 11 foreign governments. It also led to the first formal declaration that China had violated the 2015 Cyber Commitments agreed to by President Obama and the Chinese president.

By revealing the names and activities of hackers in cases like these, we limit their travel and job prospects, and we raise their cost to operate. An indictment signals to our allies that we’re so confident in our assessment of culpability that we’re willing to put the full weight of the U.S. criminal justice system behind it. Perhaps most importantly, such indictments reaffirm our commitment to the rule of law and to rooting out criminal conduct. We stand behind American individuals and companies who have been victimized, no matter how powerful the culprit—and even when the culprit is a foreign government. So these indictments are paying off in a number of ways.

And that’s why if you do suffer a breach, it’s important to take the long-term view. Waiting to report a breach almost always proves counterproductive. Getting the FBI involved early allows us—and our federal partners—to mitigate any damage to your networks and your data. It helps us connect the intrusion to any larger threat streams, and give you information you need to understand what really happened. It helps you mitigate sometimes crippling reputational risk from a delayed notification. And it helps us notify other potential victims.

I know there’s sometimes a reluctance out there to turn to the feds when you’ve been hacked. But we want to help you. And it’s much harder for us to do that if you don’t turn to us promptly.

Foreign Influence

So that’s a run-down of our investigative capabilities. I want to turn to the risks of foreign influence.

We’re working hard to combat a variety of digital threats to election security. In the last few years, we’ve seen many examples of cyber actors targeting political campaigns to glean intelligence, and directing bots to propagate divisive messaging. We’ve also seen examples of actors targeting election infrastructure to obtain PII, exact ransoms, temporarily disrupt election operations, and undermine voter confidence in the electoral process.

We expect much of the same in 2020, especially with new cyber tools continuing to fall into the hands of adversaries who wish us harm, like services sold on the darknet and DDoS capabilities that have become available to an even wider range of would-be hacktivists.

We’ve yet to see attacks manipulating or deleting election and voter-related data, or attacks taking election management systems offline. But we know our adversaries are relentless. So are we.

Through the FBI’s Foreign Influence Task Force, we’re tackling malign foreign influence with a three-pronged approach: investigations, information sharing, and outreach. We’re also working closely with our partners at every level to share information and intelligence. And we’ve been building on our strong relationships with the private sector, providing companies with actionable intelligence to help them address abuse of their platforms by foreign actors.

But the foreign influence threat isn’t just limited to election season. We’ve got to remain vigilant, all year round. We’ve got to raise public awareness and increase our country’s resilience in a more sustained and enduring way. That combines the efforts of many folks—government agencies, election officials, journalists, technology and social media companies, think tanks, NGOs, researchers, and the public. All have a role to play.

Foreign Investment

Foreign investment is another issue on our radar, because it can be another way that hostile foreign powers seek to exercise their influence. Our economy benefits tremendously from a wide array of outside investments. At the same time, certain foreign investments in U.S. companies, especially investments by certain foreign governments and closely associated companies or state-owned enterprises, may put American proprietary data and technology at serious risk.

Our adversaries want access to our information, and if they can’t get it some other way, they’re willing to buy access. We’re working with the Committee on Foreign Investment in the United States—better known as CFIUS—to make sure we’re all on the same page when it comes to reviewing foreign investment in American companies that produce critical technologies or collect sensitive personal data of U.S. citizens.

We know that those of you in the private sector take protecting IP, data, and R&D seriously and that you consider that as part of your risk management plans. But we in the intelligence and law enforcement communities have facts that aren’t always available to you. You may be underestimating the level of risk, on the one hand, or overestimating the effectiveness of protections and countermeasures available to you, on the other hand.

We want you, your executives, and your boards of directors, to look long and hard at the decisions you’re making. You’ve got to look beyond near-term financial performance to the long-term bottom line. A decision to enter into a joint venture or contract with a particular vendor or cloud computing company may look good today—it may make a lot of money this quarter. But that decision might not look so great five years down the road, if you’re then in the throes of a slow bleed of data. Or, worse, if you’re then suffering a major hemorrhage of intellectual property.

And you’ve got to take steps, and make hard choices, to safeguard your R&D, PII, and proprietary data even after a deal is done. You’ve got to think about restricting access to protected information, and monitoring those who are accessing that data—even if they’re trusted insiders.

Lawful Access

Before I wrap it up, I want to talk about the FBI’s need to ensure that our nation’s protectors, the people in law enforcement, have lawful access to the digital evidence that they need to stop criminals—and to keep you, your families, and your colleagues safe. The attorney general spoke on this topic at the opening of this conference, and I share his concerns.

Just as technology has become a force multiplier for the good guys, it has become a force multiplier for all sorts of bad guys—for terrorists, hackers, child predators, and more. User-controlled default encryption is a real challenge for law enforcement. Our agents continue to encounter criminals, from street drug-dealers to foreign spies, who relish the ability to hide on encrypted devices and inside encrypted messaging platforms. They’re attracted to these technologies, for the common-sense reason that they think it helps them do their harm with impunity, and without detection.

This isn’t just a national security issue, it’s a public safety issue. And if not addressed, it impedes not only federal law enforcement, but our state and local partners as well. Let me give you just a few recent examples.

Last month, in a New England town, a cyber tip came in to FBI agents and state and local officers, suggesting that a 9-year-old girl was being sexually abused. The tip indicated that the abuser was using a particular app to send out images of what he was doing to that little girl anonymously. Agents and officers contacted the app provider and—using legal process—got information that allowed us to locate the child in less than 24 hours. After obtaining multiple search warrants, we rescued her and arrested the guy. Without the information from that company, we wouldn’t have even known about that young girl. And we wouldn’t have been able to rescue her.

In another case a few weeks ago, another child predator used a different app to distribute sexually explicit images of two young girls. Responding to a tip, agents served legal process on that app provider, and located and rescued the two young girls in less than 12 hours.

Both of those examples could have ended very differently. Think about what might have happened had we not been able to rescue those young girls. Law enforcement receives millions of tips like these every year. I don’t want to think about a world in which we lose the ability to detect dangerous criminal activity because a technology provider decides to encrypt this traffic—data “in motion”—in such a way that the content is cloaked and no longer subject to our longstanding legal process. Our ability to do our jobs—law enforcement’s ability to protect the American people—will be degraded in a major way.

The challenge of lawful access also affects data that might be at rest on a device, like a phone. Take for example the 2017 church shooting in Sutherland Springs, Texas. The gunman killed 26 people and injured 20 more. It was the fifth deadliest shooting in the United States at that time. The FBI got the gunman’s phone for analysis. It’s configured with a complex numeric code that allows a new PIN every few minutes. We applied the most advanced commercial tool available to crack the code, and more than 600 days later, we’ve still had no luck. With the tools and capabilities we have right now, it could take hundreds of years to unlock the device.

In this case, the attacker is deceased, but we still want to get in there to find out what we can. Experience tells us that information might lead us to a network of likeminded people bent on committing similar acts of violence. It might help us prevent a future attack. If we were dealing with a living subject—someone we were still trying to track down, who could be out planning another attack—the situation could be even more dangerous.

These are real-world concerns, happening to us now. And this isn’t just a communications issue—if you layer on top of this trend the rise of virtual currency as a tool for criminals to hide their transactions, the public safety threat becomes exponentially more daunting.

I’m well aware that these are provocative subjects in some quarters. I get a little frustrated when people suggest that we're trying to weaken encryption—or weaken cybersecurity more broadly. We're doing no such thing.

Cybersecurity is a central part of the FBI’s mission, as I described at the outset. But as the attorney general discussed earlier this week, our request for lawful access cannot be considered in a vacuum. It’s got to be viewed more broadly, taking into account the American public’s interest in the security and safety of our society, and our way of life. That’s important because this is an issue that’s getting worse and worse all the time.

As FBI Director, I’ve now visited all 56 of our field offices and met with law enforcement leaders from all over the country and around the world. And I can tell you that police chief after police chief, sheriff after sheriff, Intelligence Community leaders, our closest foreign partners, and other professionals are raising this issue with growing concern and urgency. Barely a week goes by in my job that I’m not confronted with an investigation impacted by this obstacle. So while we’re big believers in privacy and security, we also have a duty to protect the American people. That’s the way it’s always been in this country; no technological advance or company’s business model changes that fundamental precept.

There’s one thing I know for sure: It cannot be a sustainable end state for us to be creating an unfettered space that’s beyond lawful access for terrorists, hackers, and child predators to hide. But that’s the path we’re on now, if we don’t come together to solve this problem.

So to those resisting the need for lawful access, I would ask: What’s your solution? How do you propose to ensure that the hardworking men and women of law enforcement sworn to protect you and your families maintain lawful access to the information they need to do their jobs?

I know we’ve started hearing increasingly from experts like cryptographers and cryptologists that there are solutions to be had that account for both strong cybersecurity and the need for lawful access. And I believe those solutions will be even better if we seek them together.

That’s what I hope we can accomplish. That’s where we need to be—solving this important public safety predicament. Because this issue isn’t going anywhere, and it’s only getting worse.

The Way Forward

We’re working hard to tackle all these challenges. But we can’t do it alone. These threats strike—and they strike hard—at our security. That means our economic security and our ability to keep our companies safe from theft and intrusion. It means our national security and protecting ourselves from terrorists and malign foreign influence. And it means our safety as everyday citizens, walking the streets and sending our kids to school.

We hear folks talk about a “whole of society” approach to cybersecurity, and the importance of public-private sector partnership. The point is that we have a shared interest. And we’re strongest when we act together. I think you all recognize the risks we face—the real impact to our marketplaces, our everyday lives, our networks, our information—or you wouldn’t be here. And I hope that’s a promising sign that you want to work together.

* * *

Last week marked the 50th anniversary of the Apollo 11 moon landing—July 20, 1969. It’s a reminder of how rapidly technological developments can unfold and the type of awe-inspiring accomplishments they can yield. But, as the Space Race showed, such rapid change brings hard questions.

As President Kennedy put it at the time, “Surely the opening vistas of space promise high costs and hardships, as well as high reward.”

The same applies to us today in the world of cyber. So much is happening, so quickly, that we’re all challenged to keep up.

As we leave here today, it’s a good time to think about where we are, and where we need to be—tomorrow, the next time we meet here at Fordham, even 10 years down the road. Thank you for having me, and thanks for sticking around to hear my thoughts.