FBI Director James Comey spoke last week at the Boston Conference on Cybersecurity, hosted by Boston College’s Woods College of Advancing Studies. It was the inaugural edition of what the Woods College—which launched a cybersecurity policy and governance master’s program last fall—hopes will become an annual event.
Comey started his talk by saying he thought BC was the perfect place for the conference.
“You’re stuck with me for about another six and a half years, and so I’d love to be invited back again,” Comey said.
It’s a somewhat bold statement from Comey, who was widely criticized for his decision at the end of the 2016 United States presidential campaign to tell Congress the FBI had reopened an inquiry into Democratic nominee Hillary Clinton’s emails. Former Attorney General Eric Holder wrote a Washington Post op-ed arguing Comey had broken with Justice Department precedent on discussing investigations during elections. Lawmakers, including Senator Bernie Sanders, have called for his resignation. In a conference call with donors and Democratic operatives in the days after the election, Clinton singled out Comey’s disclosure as the reason she lost.
Comey did not address either that controversy or allegations about President Donald Trump’s relationship with Russia, though he seemed to acknowledge the elephant in the room toward the end of his talk. He said the FBI had not talked much about encryption of data and communications over the last six months because it had been “distracted by other things.”
Comey thinks of cybersecurity threats as a stack of groups with different levels of danger. The second-to-last group in the stack are hacktivists, a “motley crew,” according to Comey, and at the very bottom are terrorists, who he said use the internet to proselytize and recruit but have not yet developed strategies for conducting mass destruction online.
Comey said the weakest link in the cybersecurity world is human beings. No matter how good the security infrastructure is, humans still staff that infrastructure and are therefore targeted by cyber threats. He said the FBI is especially worried about the corruption of information, giving the example of a blood bank potentially having its blood types changed.
The FBI has five ways it is trying to address cybersecurity. The first is focus—assigning cyber cases is difficult because “where they happened” does not always provide the most accurate answer. The FBI therefore is assigning cybersecurity work to field offices that are proving their ability to fight threats. That creates competition among FBI offices.
The FBI has developed “fly teams” of experts in counter-terrorism—expertise surges based on needs. One struggle for the FBI has been attracting the kind of computer science talent that private firms have the resources for.
“You don’t come to the FBI for a living and if you did we lied to you during the recruiting process,” Comey said. “The pitch we make to people is: come be part of this mission.”
And the FBI has tiny turnover—just 0.5 percent, so very few people leave. Comey called it an “addictive” lifestyle. His goal is to attract people of high integrity, physicality, and intelligence.
The second strategy is to “shrink the world.”
“Belarus and Boston are next-door neighbors on the internet,” Comey said.
Echoing President Barack Obama, Comey said the FBI’s job is to identify the bad guys and respond appropriately. He added that after Sept. 11, 2001, the U.S. has improved on communication among crime agencies. No matter who information is reported to, it gets to where it needs to be.
Third, Comey wants to impose costs on cyber criminals—to lock them up, even if they’re halfway around the world. That can help agencies to establish “norms” of behavior.
“We want to make sure that when a bad actor sits at a keyboard, they feel our breath on their neck,” he said.
The fourth goal is to help the FBI’s state and local partners be more digitally literate. Search warrants today often have to apply to laptops, drives, and other digital devices, so law enforcement needs better training and better equipment.
“I’m told that people get emails from me saying that I’m in Nigeria and need you to wire me money,” Comey said. “I’m not in Nigeria, and I don’t ever need you to wire me money.”
Lastly, the FBI works on protecting the private sector because it has the money. The majority of intrusions in the U.S. are not reported to law enforcement, Comey said, because companies want to avoid entanglement with the government, preferring to just deal with problems or even pay ransoms demanded by cyber criminals. The FBI’s goal is to convince the private sector to use its services.
Comey said that widespread, default encryption shatters a bargain Americans made at the founding—nothing is so private as to be beyond judicial reach.
“If we are going to move to a place where wide swaths of American life are off-limits to judicial authority, that’s a different way to live,” he said. “Maybe it’s a good thing, maybe it’s a bad thing, but it is not something in my view that we should drift to.”
Featured Image Courtesy of Stephan Savoia / AP Photo