Using Intelligence to Disrupt National Security Threats
Remarks as delivered.
Thank you. What I want to do is just give you a status report on some of the things the FBI is worried about today. And then I want to take questions and have a conversation with you that I hope will be maybe more interesting than me giving you an update.
But let me start with the FBI’s top priority, which is counterterrorism, and in the world of counterterrorism our major focus is on the so-called Islamic State—the group that we call ISIS or ISIL. That threat has come at us over the last three years in three prongs.
The first prong has been the efforts of the so-called Islamic State to attract people to their so-called caliphate. That was actually a major feature of the threat we were dealing with three years ago—their efforts, through a siren song that was coming mostly on social media, to attract people to come live and fight with them in Syria and Iraq.
The second prong of the threat is their efforts, again through social media primarily with slick propaganda, is to try to either inspire or enable or direct people in the United States to engage in acts of violence. That was a huge feature of the work the FBI was focused on in 2015 especially, and I'll say more about that.
The third element of the threat is the threat we're worried about going forward, which is the terrorist diaspora. The Islamic State, so-called, will be crushed by military force in their caliphate, and between the fingers of that crush, unfortunately, are going to come hundreds of really bad people who will flow out of the conflict zones and go places we worry about a great deal.
Those are the three prongs of the ISIS threat. The first prong, the traveler phenomenon, as I said, was a big feature of our work in 2014 and '15, and beginning in '16 we started to see a change. The number of Americans trying to leave and travel, primarily by departing and going to Turkey, sometimes North Africa, and then heading into Syria started to drop. And in about the early summer of 2016, it hit the floor, and has stayed there.
The ISIS terrorists have lost their ability to attract people to their so-called caliphate for a variety of reasons. We still see ones and twos of people trying to do it, but the phenomenon we were facing in '14 and '15 of dozens of people trying to travel every month has dropped and hit the floor and stayed down. That’s good news.
Second, their efforts to use the power of social media to get those who are not going to travel to kill where they are peaked in the spring of 2015, and that’s because they invested—for almost a year—in a social media brand and constantly pushed out images and the siren song, “Come or kill, come or kill.” That began to bear fruit with troubled Americans in the spring of 2015. In the spring and summer of 2015, I’ve got to tell you, the FBI was strapped. We were following or attempting to follow, to cover electronically with court orders, or to cover physically dozens and dozens and dozens of people who we assessed were on the cusp of violence.
I was asked on Capitol Hill, “Do you have enough people?” And the answer was, “I don't if this continues.” We were pulling, at that time, people off surveillance in criminal cases of all kinds and counterintelligence cases to help us deal with this explosion in people who were seeking meaning in this sick, misguided way and moving towards violence.
The good news is that spike stopped after 2015. Their ability to direct—to not just enable but to direct—people to engage in acts of violence dropped in part because military force took some of the directors off the battlefield and stopped ISIS’ ability to reach into the United States through Twitter, find converts, and push them to action.
That left us though with a lingering phenomenon, which is people being enabled and inspired. Not directed so much, but enabled and inspired to search for meaning and coming across the hyper-violent images of the Islamic State, so-called, and being told by this propaganda, “Be on God’s side in the ultimate fight. Kill where you are and it will bring you honor and glory.” We are still dealing with that phenomenon because things live forever on the Internet. Anwar al Awlaki remains a major feature of radicalization on the Internet. We're still dealing with in the area of 1,000 cases around the United States where we are investigating to understand where somebody is on the spectrum between consuming the poison and acting on the poison.
What makes this so hard for us is figuring out how we see them and how we assess them in a good way. Because it involves a search for meaning, there isn't a particular marker. Humans of all ages of all backgrounds are seeking meaning, and a small group of all different ages and backgrounds spread all over the country are seeking meaning in this particular way, and so it’s very difficult for us to answer the questions, “So what does the person we're most worried about look like and how do we spot them? What are the markers of their radicalization?” That is something we continue to work on but that remains elusive to us, that algorithm to tell us who the bad guys are and where they are.
This is the thing the keeps me up at night. Worrying about where the person is who may be bent on the next San Bernardino, the next Orlando attack. Will anybody close to them tell us what they see so that we can get on it? And even when we investigate someone—all of you know we investigated the Orlando killer for 10 months, and in my view, did a quality investigation. I've looked at it very, very hard and didn't find anything we could use to incapacitate that person. In fact, we didn't find any indicators of radicalization at that point, and I actually believe that killer radicalized much closer to the event. Our challenge is how do we find those? How do we assess them? How do we stop them? That dominates the FBI’s work today.
The third prong is the Ghost of Christmas Future that we worry about every single day. Because when the caliphate is crushed, and those hundreds and thousands of people flow out, where are they going? They're going to Western Europe, they're going to Southeast Asia, they're going to North Africa. Then what are they going to do there? These are the most radical of the radical who are not just radical in orientation but have been equipped with military battlefield experience and tactics. And so the future we worry about every single day is how we spot them and stop them as they flow out bent on continuing a global jihad by taking the fight to innocent people in those regions. The one we're focused on keenly, because it’s so easy to get here from there, is Western Europe. Western Europe is the front line of the FBI’s and the U.S. government’s efforts to stop those killers before they kill in Western Europe or kill here. This is something we worry about every day, trying to share information in a very good way and to break down barriers.
I have said to many, many of my European colleagues that 3,000 people died in my beloved country on a single day in 2001, and as a result we changed. We knitted ourselves together across city lines, county lines, state lines, international lines. We connected the NYPD and FBI in ways that people found unimaginable. We integrated the Intelligence Community of the United States and the military services of the United States to share and to focus and go to the fight with jointness. We changed this country for the better. We must work with you to share information, but it’s incumbent upon you to try to break down all of those barriers that we faced before 9/11 and break them down today in the EU so you can spot and stop the threat.
As we do this work, the Business Executives for National Security have been very, very helpful to the FBI. One of the things they focused on and gave us feedback on was whether we are doing a good enough job of thinking well inside the FBI about connecting the dots and sharing information. One of the things we are now doing much, much better, thanks to that feedback, is that we have knitted together our intelligence analysts and our special agents, again, in ways, to use what I said about the NYPD, that would have been unimaginable 15 to 20 years ago. We now train our analysts and agents together. When you walk into a classroom at Quantico, everybody’s wearing the same color golf shirts, sitting behind the same computer screens. You can't tell who is who and that’s the way we want it.
We want to go to the fight with everybody owning the mission and understanding what they bring to the fight, and it isn't, “Well, I'm a special agent, this is my role. I'm an intelligence analyst, this is my role.” It is a joint world inside the FBI, and so we are training the kids to be that way, not just in the classroom, but to have them work out together, drink beer together—which we don't do enough, frankly—to know each other and what they can contribute so then when they hit the field offices all over this amazing country, they know what to bring and what’s expected from their partners. They train together for 10 or 11 weeks and then the intelligence analysts graduate and the special agents stay because they are majoring in something very different, and focus on the things they need to know to be special agents, especially the tactical and physical aspects of their job.
That jointness is starting at Quantico from the bottom and we've pushed it down from the top, training all of our supervisors and leaders to have that kind of integration inside the FBI. I don't want to proclaim perfection, but we have made a lot of progress in the last three years. Working together inside the FBI to share the information, to gather it all over the country in a great way, assess it, and then push it out to our partners is what will make us more effective every day. So that’s my update on the counterterrorism threat.
I want to give you an update on cyber. Every threat the FBI faces today comes at us through the Internet. Counterintelligence, all the criminal threats—harm to children, fraudsters, stalking, gangs—all of that has a digital aspect to it. The one that does not yet have a significant digital aspect to it, in the same way, is the terrorist threat. The terrorists have not yet turned to trying to use the Internet as an instrument of destruction. They use it to proselytize, to communicate, to recruit, to direct, but they have not yet turned—with some minor exceptions—to looking to harm us by coming through the digital vector. Logic tells us in the FBI that that is a threat we will face. Eventually, these knuckleheads will figure out that as hard as we make it for them to come in as a human being, they come in as a photon at 186 thousand miles per second and do harm to this great country of ours.
So, what are we doing to try to be more effective when all the threats we face are coming at us through the cyber vector, through the Internet? We're doing five things but they're pretty simple so I want to explain all five to them to you.
We're trying to focus ourselves in a better way in the FBI. There’s a danger that we could try to become the jack-of-all-trades and end up being the master of none, so we are doing a couple things that are very unusual for the FBI. The normal way we assign work in the Bureau is based on answering this question: “Where did it happen?” If the bank robbery happened here in Austin, the Austin resident agents will work it. If a fraud occurred in California, we'll figure out, well, where did it occur, and we'll assign it to that field office.
We've decided that the threats that are coming at us though the Internet are such that the physical manifestation is actually not all that meaningful and that what we ought to do is assign work based on talent. So we now have a cyber threat team model in the FBI where we assign significant cyber threats based on which field office shows the best chops against that threat. A particular element of the threat posed by the Chinese, for example, or a particular element of a threat coming from Russia—which of our field offices is showing the greatest initiative, energy, and talent against that and they will then own that. Whether that’s Little Rock or Houston or Seattle, you got it because you've shown you're great. Then what we do, because we're not oblivious to physical manifestations of threats, if an intrusion manifests at a company in Springfield, Illinois, or in Tampa, Florida, we will allow that field office to help. We'll call the first field office our strat office—they own the strategic threat—and we call the others our tac offices—our tactical offices—up to four of them can help, and we'll air traffic control that from Headquarters.
We think this makes sense given the nature the threat, and the added benefit it brings to the FBI is that it fosters a pretty awesome competition inside the FBI for each field office to say, “No, we're actually better than Little Rock. You ought to give us this aspect of the threat and we'll show you how well we worked it, so take it away from those terrible people in Little Rock and give it to us here in San Antonio.” That is a healthy thing for the FBI and for the American people.
Then we're doing something else that we've borrowed from counterterrorism. Our counterterrorism agents have long been organized in fly teams, which are people who are prepared with a “go bag” at a moment’s notice to head to an aircraft and go to a scene of an attack anywhere in the world or in the United States to help us figure out what happened. We've built such a thing with cyber. We have cyber agents and analysts all over the country who are experts, and their commitment is that when we give them the signal, they go where we need expert investigation on a moment’s notice. Our cyber action teams, or CAT folks, are all over the country, and again, there’s great competition to be on the CAT. That is very healthy for the FBI.
And then, as I hope you know, in all 56 field offices we have cyber task forces. That is the resident talent that’s not just FBI talent, but involves partners from all different kinds of agencies that sit there and do the work in the field offices.
Then there’s one other way we're trying to focus ourselves. When we try to hire special agents for the FBI, we need a number of buckets of attributes. We need integrity. We need physicality. We're going to give you a weapon on behalf of the United States, so you need to be able to run, fight, and shoot. So integrity, physicality, and obviously we need intelligence. To find cyber agents, we need integrity, physicality, intelligence, and technical expertise. This collection of attributes is rare in nature. We will find people of integrity who are really smart and know cyber, but can't do a push-up. Or we'll find people who can do a push-up and they're smart and they can do cyber, but they want to smoke weed on the way to the interview.
So you can see the challenge we face. We are trying to focus ourselves in a good way on, “So where is the talent?” I don't want to say too much, because my interests aren't aligned with everybody in this audience because I'm trying to steal your talent. So where is the talent, what talent do we actually need, and how might we get it in a clever way?
It’s a work in progress. We're trying to figure out if cyber squads in the FBI should be different. Does everybody need a gun? Should we be eight people in a squad, which is a typical squad size, but two gun carrying special agents and six “something elses” who can skip push-ups and stuff but are people of intelligence, integrity and expertise?
Or another possibility is do we take integrity, physicality, and regular IQ—high IQ—and train our own? Do we build our own university inside the FBI? Should we make it easier to do something that is culturally impossible to this point in the FBI—for people to become special agents and then leave and go work in the private sector and then come back to the FBI? Because the current rule is you leave us for more than 24 months, you're going back through Quantico. Now what happens is, our people leave, go to the private sector, discover it’s a soulless, empty way to live, and then they realize, “My life is empty. I need moral content in my work.” And so they come back. I gave the creds for the second time to a 42-year-old cyber agent and I said, “So, how was Quantico?” He said, “It was a nightmare, it was a nightmare.” And so we're trying to figure out if there are ways we should approach this differently to recognize the challenge we have in attracting talent.
And I joked about this, but I compete with the private sector on moral content and the pitch to the talented young people is, “Look, you're not going to make a living with us. You're going to make a life. It’s hard, it’s stressful, but holy cow is it addictive to do good for a living. Come be part of this.”
That’s how we compete against the private sector, but it’s hard because the private sector’s got big bags of dough to weigh against my moral content, and it is a struggle for us. So we're going to be smart enough and agile enough to try and experiment with different ways to get our talent. That focus is going to make a difference.
The second thing we're trying to do, the bad guys have made the world tiny. Belarus and Boston are next door to each other on the Internet, and so we need—I'm not picking on Belarus, I needed a B—and so we need to shrink it back to be effective. We need to make the world as small for the good people as it is for the bad people.
To do that, the Bureau is doing a number of things. We're forward deploying more of our talent than ever before, embedding cyber agents and cyber analysts in our legal attaché operations around the world, because although it’s a digital threat, the physical relationship makes a huge difference.
We are also trying to make sure that inside the U.S. government, we have shrunk the distance between each other. We now have guidance from President Obama that lays it out like this. DHS has responsibility for cyber response for people figuring out how to harden their networks, for helping critical infrastructure think about how to be safer and better and for helping with remediation. The FBI, through the Justice Department, has the lead on investigation. Our role is to respond to threats, to try and see threats in the neighborhood before they emerge and stop them. And then the Director of National Intelligence has the responsibility for equipping all of that with good thinking and great intelligence.
Now, that explanation should not even matter to you, because if we are doing it right, it shouldn't matter who anyone calls inside the government when they have a problem. Where we are after 15 years in the counterterrorism world is that it does not matter who you speak to anywhere in law enforcement about a counterterrorism threat. It doesn't matter whether you walk up to an FBI agent or a deputy sheriff. If you say you saw something, it will get to the right people within minutes. It should be totally off of your radar screen to be thinking about who to call. We want to get to that place when it comes to cyber. It doesn't matter if you come to the FBI, or DHS, or Secret Service as part of DHS, we'll figure it out inside our organizations because we have shrunk the distance between each other.
The third thing we're trying to do is impose costs. The challenge we face is that the bad guys think it’s a freebie. Whether those bad guys are a part of a nation-state operation, a criminal syndicate, hacktivists, thieves, stalkers, creeps of all kinds, they sit there in their pajamas at their keyboard halfway around the world and hurt America. They steal our secrets, steal our innovation, threaten our children, threaten our Jewish community centers, and they think that because they are halfway around the world they're safe. We must make them—physically, ideally, but maybe metaphysically—feel our breath on the back of their necks and impose a cost.
The reason we think this makes sense is I'm not aware of any hacking that has yet occurred high on crack or inflamed by finding a lover in the arms of another. Hacking is done thoughtfully. People are susceptible to deterrents when they sit at a keyboard. If they are afraid of us, it will change their behavior, so the FBI is keen to put handcuffs on people all around the world. We are keen where we can't to name and shame, sometimes through an indictment. Oftentimes people say, “Well, this indictment is really an empty gesture.” Maybe, but we are dogged people. We just gave up on D.B. Cooper. For the younger folks, he is a guy that jumped out of an airplane over the Cascades with a bunch of stolen money—ransom money—and disappeared. We didn't give up for 52 years, I think. We're dogged people.
Hackers like to travel. They want their children to be educated overseas. Never say never. When your face is on a wanted poster, even if you're in another country on the other side of the earth, it gets your attention. And in getting that attention, we hope to change behavior. We also hope by naming and shaming conduct to get nation states to help grapple with us towards a set of norms. What is appropriate for a government to engage in? What is theft? And part of getting to that framework is calling out the behavior, either through criminal process or simply through declaring it for what it is. That imposition of cost is at the center of our strategy.
The fourth part of our strategy is, obviously, that everybody in law enforcement has to be able to investigate with digital expertise. Used to be in the good old days, you'd roll up and do a search warrant in a drug case and you'd hit the place and you'd find some kilos and some guns and you'd find a black composition notebook where the knuckleheads would have written down who gets how much money, who’s responsible for what drugs. You'd photocopy it and put an exhibit sticker on it and be good to go. Today you're going to get thumb drives, PDAs, laptops, electronic devices of all kinds, and your ability to understand the digital world and investigate there is the essence of all law enforcement. We in the FBI have an obligation to help our partners raise their digital game because we can't get to it all.
I'm told there are people, maybe in this audience, who have gotten e-mails from me from Nigeria, where as the “president” of the FBI, I sometimes spell my last name “Corny” and I ask you to wire me money in Nigeria. Don't do that.
But people get ripped off and the FBI does not have the resources to get to it all. Our state and local partners have to be able to, and we need to help them.
And the last piece is the hardest of all. We have to figure out how to share information more effectively across the barrier between the public and the private. We must find a way to get that barrier—consistent with law and policy and norms—semi-permeable, because nearly all of the digital world is in private hands in this country, and it should be, that’s a wonderful thing. But that means all the victims, all the indicators, where the bad guys are and what they're doing—that all lies in private hands. And we're in a terrible place. The vast majority of computer intrusions in this country are not reported to us. People convince themselves in private entities, “You know what, I'll just pay this ransom because I need to get my operations back,” or “We'll just hire one of these great firms and we'll remediate this and we'll get on with our business.” You're kidding yourself if you think that your interests and our interests are not aligned. They will be back. They will be back at your company, your people, in your neighborhood, in your industry. It is shortsighted to think, "I just need to get on with my work. I'm not going to tell anybody about this."
The challenge we face in cooperating across the barrier is mostly cultural, and it’s cultural in a number of different respects. We have cultural flaws on our side where the default is to hold close. The default is to say, “Well, this came from a classified source. I can't share this with companies in the United States.” We really could in most instances because they don't need sources and methods. They need indicators, they need the ones and zeros from us. But we often find ourselves with information—people in this room will know what this means—labeled ORCON. That’s “originator controlled,” and so we look at that and say, “Ah, that’s too hard. I'd have to go back to the people who gave it to us and say I want to share it with the XYZ Corporation, and that’s messy and difficult and it’s hard. It’s ORCON stuff, so I'll keep it to myself.” We need, culturally, to get to a place where the default is figuring out how to equip the private sector with those indicators of compromise so they can protect themselves and to do it faster. That’s one of our cultural challenges.
Our cultural challenge on the other side is companies need to understand that we treat them as victims and we are good at treating victims in a responsible, sensitive way. We have long experience doing that, including in the cyber realm. We will not re-victimize you. We will not share in an inappropriate way your information. We do not want your memos and your e-mails and your drawings. We need the indicators of compromise.
What we need to do is talk to each other in a better way. I used to be a general counsel, and here’s the problem with general counsels. They're awesome, but their job is to worry. And so when the chief security officer or the chief information security officer comes to them and says, “You know, we see this thing. It looks like an advanced persistent threat. Better call the Bureau and get them in here to figure out what’s going on.” And the general counsel goes, “Hold on. What’s that going to mean for our exposure to headline risk, to brand risk, to litigation, to competitive harm? Don't do that. See if you can fix it yourself.” And so part of my audience is not here today, which is general counsels of large enterprises, who need to understand that you need to have a conversation with us. We will tell you, “If you give us this, here’s what we'll do with that,” so you can make an informed risk-benefit analysis on that in an environment where we understand our threats are aligned. This is about culture; it’s not about law.
CIPA is a statute that was passed—a couple provisions of a statute—passed in the 1980s to govern how, in a criminal proceeding, we would handle classified information. It was designed to address concerns in the Intelligence Community that people like us would blow sources and methods by using a criminal process to incapacitate you in a particular case. If you thought the problem was solved by the passage of the statute, you don't understand human culture. Because it wasn't good enough that the framework was there. We in the FBI had to convince our brothers and sisters in the Intelligence Community that we can be trusted, that we will have an adult conversation, and we will protect your sources and methods – and that honestly took us about two decades to demonstrate that trustworthiness case by case by case by case. Now think we're in a pretty good place that if we need to use the criminal process to incapacitate, our brothers and sisters in the Intelligence Community know how sophisticated we would be in protecting that information. So it took 20 years of lure to build on an episode of lawmaking in the 1980s. We've got to travel the same journey when it comes to cyber, we have just got to travel it much, much faster than 20 years. We must figure out how to move through that semi-permeable barrier and share in a more effective way.
This is central to the FBI’s effectiveness. Sony is a great example. The North Korean attack on Sony Pictures was a sophisticated, large, very aggressive attack. It likely would have been worse, but for Sony’s relationship with the FBI. We knew Sony. We don't know their secrets. We don't know what’s in their memos. But we knew their CISO, we knew their CSO, we knew their physical layout, we knew the general layout of their networks, so that just like a fire department that knows your physical structure and knows where to go to find the standpipes and to rescue people when there’s a smoky disaster, that’s actually the way we were with Sony. We were on the ground at Sony very quickly—we knew the people, didn't have to learn anything new about where to go or who to talk to so we could remediate and try to stop that threat and investigate and ultimately attribute to the North Koreans. I've told all the CSOs in big companies around the country, “If you don't know your FBI office, and they don't know you in that same way, you're failing at your job.” We need to make that barrier semi-permeable in an appropriate way.
And I want to say one other thing before I shut up. Going Dark. Here’s the problem that we face. We love encryption. I love encryption. I'm going to just keep saying that. I love encryption. I love privacy on the Internet. I have an Instagram account. I have nine followers. They are all related to me, and one daughter’s serious boyfriend, because it’s serious enough now I finally accepted his request. I post pictures when I visit places. I'll probably post pictures from visiting this amazing place. I don't want anybody else looking at that. Anybody. I treasure my privacy. But I also have another obligation, given my job. It’s to protect innocent people from bad things. Those two things that we all love, privacy and public safety, are crashing into each other. They're crashing into each other and the best demonstration of that I can offer you this morning is that we collected data from October, November, and December and 2,800* devices were presented to the FBI examiners by our state and local partners with court orders to open them. Forty-three percent* of them we could not open with any technique, including classified techniques. Forty-three percent.* That is a shadow falling across our work. Default, ubiquitous strong encryption has a significant impact on our world.
If you imagine how we operate in the FBI, imagine a room—the corner of the room, there’s always been darkness there. What’s happened since the summer of 2013 is the default has become the darkness, so what’s happened is the darkness is spreading through the whole room. Now, so far I haven't offered you a value judgment on that, I'm just telling you what is happening. We need to talk to each other to figure out how we handle that. Is that a bad thing? Is that a good thing? What are the costs associated with that? What are the benefits on the privacy side of the way we are?
But we shouldn't kid ourselves—and I don't think I'm overstating it when I say it this way—the fundamental compact at the core of our government is changing. Because the deal in America since its founding has always been there’s no such thing as absolute privacy. The deal is, and has been since the founding, all of our papers and effects and all of our things are private. Unless the people of the United States need to see it. And then with the appropriate predication and oversight, they can see it. Go through our sock drawers, go through our safe deposit boxes, go through our cars, go through our bedrooms, go through the contents of mind. All of us can be compelled in appropriate circumstances to say what we remember. Even my communications with my clergy member, my spouse, my attorney are not absolutely private in America. In appropriate circumstances—rare, thankfully—a judge can order that I talk about any of those communications or that any of those partners to that communication. There’s never been absolute privacy in America, except now.
I don't have my phone with me, but I love my phone. My life is on my phone—it’s not much of a life, honestly, I don't need much of the storage—but so are your lives, and that’s a great, great thing. But as those devices become off limits to judicial authority, that’s a change in the way we live.
And the fundamental compact should not be changed by the FBI. We investigate. Our job is to tell you how it’s affecting our work. We should not decide what to do about it, and it should not be done by companies whose job it is to sell me an awesome mobile device. Their job is not to decide how the American people should live. The American people should decide how they live, and so my mission is simply to make sure people understand we're changing. I don't want to get to a place where, years from now, people look at me—I have six and a half years left in this amazing job, which I really do love—but I don't want people looking at me and saying, “Hey, how come you didn't say something? Wow, everything’s changed.” I'm saying something. And I am not an enemy of encryption. I am not advocating for back doors. I can say that until I can't speak anymore, but it'll still be reported.
I don't know exactly what the answer is. I reject the "It’s impossible" response. I don't think it’s impossible to optimize in a good way those two values. I don't. I just think we haven't actually tried it. And maybe as a country we'll decide, you know what, the benefits here are so extraordinary and the dangers and the risks and the complications over here to address the public safety concerns are so hard, it’s not worth doing. Or it’s just too hard for our adult democracy to grapple with, maybe. But I will not let it happen by default—by drift. I want people to know the work of the FBI in counterterrorism, counterintelligence, all our criminal work, is being significantly affected by this. And I am sure lots of smart people are thinking, "Well, what about metadata?" Well, what about metadata? Metadata is wonderful. The digital dust that bad guys leave is very, very valuable to us, but it is no substitute for content. Especially when the tools I use require us, and I like it this way, to prove guilt beyond a reasonable doubt. You try proving guilt beyond a reasonable doubt off of metadata. On a child pornographer, on a kidnapper, on a terrorist, on a gangster. Very, very tall order. And maybe we don't care, but we should talk about it.
And I want to end with one other thing. I care deeply about constraint and oversight. That’s why I don't get frustrated much in this job, but I get frustrated when people report that I'm trying to dictate how we should structure ourselves and live. No, no, no. That’s not my job. My job is to understand what the law is and abide by it. I am the seventh director of the FBI. I sit at the desk that I think all of us have sat at, directors of the FBI, and it has glass on it so I don't ruin it. Under the right corner of that desk, under that glass, I have put a single piece of paper. It is the October 1963 “application”—and I mean those air quotes—from J. Edgar Hoover to Robert F. Kennedy to bug and wiretap Martin Luther King, Jr. And I say “application” because it’s five sentences long and it simply says, in substance, there’s a communist influence in the racial situation so we’ve got to bug this guy King. It’s without time limitation, it’s without geographic limitation, and it’s signed by J. Edgar Hoover and Bobby Kennedy approved it. Boom, off to the races.
The reason I keep it there is that’s the corner of my desk where every morning when I'm in Washington I put a stack of FISA applications and it goes like this—thump—and lands on top of it. The reason there’s a thump is the FISA applications are almost always—I have skinny wrists—but significantly thicker than my wrist. It is a pain in the neck to get permission to conduct electronic surveillance in the United States—a pain in the neck. And that’s great. Because that thickness, especially contrasted to that thinness, represents to me in a real and physical way what constraint and oversight looks like. I think I'm an honest person. I believe half of what Bill McRaven said about me. I think I'm an honest person and I think John Adams once said to Thomas Jefferson in one of the great letter exchanges, “Power always thinks it has a great soul.” There’s great danger that I will fall in love with my own virtue. The antidote to that is the courts, Congress, the Inspector General restraining me, checking me, nailing me when I make a mistake.
The thickness of those FISA applications represents in living color what that restraint looks like, and so I keep the application there to remind myself. Everybody in the FBI knows that story. Everybody in the FBI knows the Director has that single page on Dr. King under his glass and they know it in part because I require all of them to go through training and to study the FBI’s interaction with Dr. King.
I'm not picking on J. Edgar Hoover. I'm not picking on Bobby Kennedy. I have no doubt they believed they were doing the right thing, that they were people who believed they were doing the right thing. They acted in the way they believed best, in the absence of someone saying, "So wait a minute, what are your facts? What’s the limitation? What will this look like? What’s fair? What’s right? What’s appropriate?”
We need to be constrained. We have awesome power to do good in the FBI, but if we fall in love with our own virtue we can go sideways, which is why we stare at our history and why I do things like that.
So thank you for the conversation we're going to have. Thank you to a whole lot of folks in this audience for being a pain in our neck—for questioning us, for pushing us, for fighting with us on technology and fighting with us on our judgments about the optimization of those two things. That’s great, because the alternative is, people fall in love with their own views and drift to places that maybe we don't want to drift to. So I thank you for listening to me and for supporting this great organization I'm a part of. I look forward to our conversation.
* Due to an error in methodology, this number is incorrect. A review is ongoing to determine an updated number.