- Robert S. Mueller, III
- Federal Bureau of Investigation
- RSA Cyber Security Conference
- San Francisco, CA
- February 28, 2013
Remarks prepared for delivery.
Thank you. I always appreciate the opportunity to speak at this conference, for I know that you are experts in cyber security. That being the case, you know that network intrusions pose urgent threats to our national security and to our economy.
These threats have been much in the news recently, and I need not spend time recounting them for you today. We all know that these threats are growing…and we must find a way to thwart them—together.
But if we are to confront these threats successfully, we together must adopt a unified approach. Today, I would like to discuss four issues relating to the way forward.
First, I would like to address the issue of what I call the “lanes in the road”—that is, how we define the roles of the various federal agencies responsible for cyber security.
Secondly, I want to focus on the crucial role the private sector must play.
Third, I would like to identify several obstacles to collaboration between the private sector and government—and suggest ways to overcome these obstacles.
Finally, I do want to talk about the need to focus on the criminals behind the keyboards.
Lanes in the Road
Let me begin by addressing a recurring question: What are the lanes in the road for federal agencies that handle cyber security? Michael Daniel of the White House has just spoken generally on this topic, but I would like to be more specific.
What is the allocation of responsibilities among DHS, NSA, and the FBI? I do know there has been some confusion as to the roles of these three agencies.
In recent meetings between Janet Napolitano of DHS, Keith Alexander of NSA, and the Bureau, as well as other leaders in our respective agencies, we have sought to ensure we are all on the same page with regard to our particular roles.
The FBI’s role—operating domestically—is to anticipate, investigate, attribute, and disrupt cyber intrusions affecting the United States.
Likewise, NSA’s role is to gather intelligence on foreign cyber threats and to protect national security systems.
DHS’s role is to protect our critical infrastructure and our networks…to coordinate mitigation and recovery from major cyber intrusions…and to disseminate threat information across various sectors.
One question often posed is that of who exactly is in charge of addressing any particular intrusion. While the answer depends in part on the scope and the nature of the intrusion, the FBI often will be the first responder because of our nationwide coverage. But the investigative team, at a minimum, should include the expertise of both DHS and NSA.
Our agencies operate under separate authorities and have different roles to play. Yet we also understand that we must work together on every substantial intrusion and share information among the three of us. In other words, notification of an intrusion to one agency should be—and will be—notification to all.
The Role of the Private Sector
Defining these lanes in the road is an important step.
Yet the private sector plays a critical role in cyber security. In this respect, I am reminded of the comparable challenge we faced in the wake of the September 11 attacks.
Improved collaboration and information sharing among federal agencies such as the CIA, NSA, DHS, and the FBI has been vital to our collective success against terrorism over the past decade. But equally critical to our success has been the integration of our state and local law enforcement counterparts through the establishment of Joint Terrorism Task Forces.
I do believe—and I have said in the past—that in the future, the cyber threat will equal or even eclipse the terrorist threat. But the alignment of actors critical to defeating the cyber threat includes a different array of partners.
Today, the private sector is the essential partner if we are to succeed in defeating the cyber threat.
On the one hand, the private sector is a primary victim of cyber intrusions—and your networks contain the evidence of countless such attacks.
On the other hand, you are key to defeating this threat. You possess the information, the expertise, and the knowledge to be an integral partner in this new world. You also build the components of cyber security—the hardware, the software, and the networks—and you drive future technology. Without you, we cannot combine innovation and security.
Yet as I mentioned before, there are a number of hurdles to strengthening the partnership between the public and private enclaves. And I want to mention three here.
First: There is a perception among many that the FBI cares only about prosecuting those responsible for intrusions. That is simply not true.
We learned as a result of the attacks of September 11 that our mission was to use our skills and resources to identify terrorist threats and to find ways of disrupting those threats. Prosecution is but one such avenue. We must be willing to use whatever legal means are available and appropriate—civil, criminal, or other means—to disrupt a particular threat—whether it be a terrorist threat or a cyber threat.
Under this approach, we recognize that at the beginning, any cyber investigation into a substantial intrusion is a search for intelligence that will enable us to define and attribute the particular threat. This has been the mindset at the heart of every terrorism investigation since September 11—and it must be true of every case in the cyber arena as well.
A second obstacle to strong cooperation and information sharing is that we have two separate legal regimes for collecting information about threats. First is the criminal justice regime, which looks to bring individuals to justice. Second is the national security regime, which seeks to identify and to thwart both domestic and external threats. These two regimes have separate statutory frameworks.
Since the attacks of September 11, we have been able, for the most part, to reconcile—and indeed, leverage—these two regimes with respect to counterterrorism. And by leverage, I mean using the strength of the criminal justice process to generate intelligence as a result of obtaining the cooperation of defendants.
The conflicts between these two regimes—which largely have been resolved in the counterterrorism arena—must also be addressed in the cyber arena.
Resolving these conflicts depends upon identifying particular factual scenarios and then applying a specific legal analysis that seeks to make full use of our capabilities under one—or, indeed, both—of these regimes.
A third obstacle we face is a lack of mutual understanding of basic concepts.
In the cyber arena, terminology has run amok. And by that I mean, who among you knows the meaning of all of the following: NCCIC…NTOC…ISMA…ASIS…BACSS…not to mention our own NCIJTF? I could go on and on.
There are so many affected participants at so many levels, each with their own jargon, that it is often difficult to comprehend what is being said. That is so without even considering the proliferation of acronyms in the government and elsewhere.
Collectively, we must strive to clarify our common language in this area and adopt a glossary that seeks to simplify the concepts being articulated.
We must overcome these several obstacles by building bridges between the federal government and the private sector. We in the FBI have undertaken a number of initiatives to build such bridges to better protect our critical infrastructure and to share threat information.
One is the Domestic Security Alliance Council, which includes chief security officers from more than 200 companies, representing every critical infrastructure and business sector.
Another is InfraGard, which has grown from a single chapter in 1996 to 88 chapters today. InfraGard has nearly 55,000 members nationwide, representing government, the private sector, academia, and law enforcement.
And just last week, the Bureau held the first session of our National Cyber Executive Institute, a three-day seminar to train leading industry executives on cyber threat awareness and information sharing.
But as noteworthy as these outreach programs may be, we must do more. We need to shift to a model of true collaboration. A model of working side-by-side, as a matter of course…rather than just outreach from one to the other.
We must build structured partnerships within our respective enclaves—both in government and in the private sector. We then must develop channels for sharing information and intelligence more quickly and effectively between these two enclaves.
Unfortunately, there is no quick fix to this problem. From the perspective of the private sector, disclosing information to the government raises the specter of privacy issues and lawsuits, loss of competitive edge, and bad publicity.
From the perspective of the government, sharing information with the private sector is inhibited by statutes protecting certain classes of information—such as grand jury testimony or classified information—as well as the threat of disclosure of sources and methods.
When I say there is no quick fix, I mean there is no one protocol that will solve each of these problems. But it is essential that we address the various strands of this Gordian knot to allow the exchange of information.
The National Cyber Investigative Joint Task Force, or NCIJTF—one of those unfortunate acronyms I referenced earlier—is one example of an effective partnership in the federal enclave. It comprises 19 separate agencies and serves as a national focal point for cyber threat information.
A wholly private entity, on the other hand, is the National Cyber Forensics and Training Alliance—a proven model for sharing private sector intelligence in collaboration with law enforcement. Located in Pittsburgh and with access to more than 700 subject matter experts, the Alliance includes more than 80 industry partners from many sectors—including financial services, telecommunications, retail, and manufacturing. It works together with federal and international partners to provide real-time threat intelligence every day.
Another such initiative, known as the Enduring Security Framework, includes top leaders from the private sector and the federal government. This partnership shows that the solution to cyber security lies not only with information sharing, but also with joint problem solving.
The framework addresses discrete threats such as DDoS attacks, malware, and emerging vulnerabilities in both software and hardware, such as one finds in mobile devices. It analyzes not only current threats, but also those we can anticipate down the road. In this way, we can resolve potential issues before the damage is done—before your company becomes a victim.
These entities are steps in the right direction. But we must build on these initiatives to expand the channels of information sharing and collaboration.
Consider a unique DDoS attack, for example. We can move faster and more efficiently if we have an experienced team in place—one with experts from both the private sector and government—experts who have worked together and who are focused on issues affecting specific sectors.
The sooner we have teams in place to dissect these issues, the sooner we can develop long-term strategies to resolve and—indeed—anticipate them.
In seeking a concrete way forward on any of these issues, we need your input and your expertise.
We do not merely want our private sector partners to report one-off intrusions after the fact—although such reporting is important. We want to work with you to identify anomalies or other signs that will help us forecast a coming attack, or that highlight a vulnerability to an attack.
For our part, the Bureau and our government partners must do more to provide you with better information in real time.
We must put into place the mechanism for sharing intelligence concerning vulnerabilities without necessarily disclosing the classified context of these vulnerabilities. The president’s recent executive order concerning cyber security mandates important steps in this direction.
Likewise, we do not need to know each and every detail about your intellectual property, your trade secrets, your proprietary information, your clients, or even your customers. We need information about threats and attacks so that we can work with you to address them.
Only by establishing channels to share information swiftly will we be capable of warning one another of pending attacks. We must put into place the mechanisms—both public and private—to meet those threats and to identify and deter similar events in the future.
And we must fuse private sector information with information from the intelligence community to produce a complete picture of cyber threats—one that benefits all of us. For only by having a common picture can we effectively disrupt those threats.
The People Behind the Keyboards
One last thought that I ask you to keep in mind: We must remember that behind every intrusion there is an individual—not a computer, but a criminal—responsible for that intrusion. We must remember that cyber security is not just defending the ones and the zeros.
For two decades, cyber security has focused principally on reducing vulnerabilities—through more complex firewalls, dual-factor authentication, aggressive password policies, and the like.
While these are worthwhile efforts, they cannot fully eliminate our vulnerabilities. We must identify and deter the persons behind those computer keyboards. And once we identify them—be they state actors, organized criminal groups, or 18-year-old hackers—we must devise a response that is effective, not just against that specific attack, but for all similar illegal activity.
We often think of cyber investigations as unique in nature. And yes, they do require a certain expertise. But our success in resolving cyber investigations rests on investigative techniques we have used in cases throughout the FBI’s history—physical surveillance, forensics, cooperating witnesses, sources, and court-ordered wire intercepts.
Let me share an example of how this works.
The combination of technical skills and traditional investigative techniques recently led the FBI to the hacker known as “Sabu”—one of the co-founders of the hacktivist group LulzSec.
This case began when our Los Angeles Division collected numerous IP addresses used to hack into the database of a TV game show. Meanwhile, our New York Field Office used a combination of investigative techniques, including human sources, search warrants, and surveillance, to identify and locate the man known as Sabu—who had failed to anonymize his IP address during this intrusion.
We went to arrest him, and we gave him a choice: Go to jail now, or cooperate.
Sabu agreed to cooperate, and he became a source, continuing to use his online identity. His cooperation helped us build cases that led to the arrest of six other hackers linked to groups such as Anonymous and LulzSec. It also allowed us to identify hundreds of security vulnerabilities—which helped us to stop future attacks and limit harm from prior intrusions.
* * *
Defeating today’s complex cyber threats requires us to continually evolve and adapt.
We need to abandon the belief that better defenses alone will be sufficient. And we need to stop thinking we can defeat this threat by acting on our own.
Instead of just building better defenses, we must build better relationships. And we must overcome the obstacles that prevent us from sharing information and, most importantly, collaborating.
If we do these things—and if we bring to these tasks the sense of urgency that this threat demands—I am confident that we can and will defeat cyber threats, now and in the years to come.