FBI Director James B. Comey addressed the assembled masses at RSA Conference to discuss cyber threats to the United States' national security. Although there have been some steps forward much remains to be done. The government and the private sector need to share threat information in real time and create open lines of communication and share best practices.
Given that Comey is five months into a ten-year term to run the FBI, there is great interest in the direction he will set for how internal security policy will play out in his term. Comey began his presentation saying that he has a focus on listening and learning.
"My impression of the FBI as an incredible institution has been confirmed," he said. "I've also learned that, like all human organisations, we have lots of problems. We need to do a better job of listening to one another, listening to law enforcement and listening to you to gain a perspective different to our own and to understand what these other folks need from us".
Comey acknowledged that threats are coming from myriad sources such as nation states, hackers for hire, organised crime syndicates and terrorists looking for all sorts of data and to compromise critical infrastructure.
"The threat is so dire that cyber-security is a given at the top of DNI [Director of National Intelligence] Clapper's list of threats facing our country ahead of both terrorism and espionage, and ahead of weapons of mass destruction for the second year in a row," Comey explained.
Comey's response to these threats is to focus on the 'biggest and most dangerous intrusions". The focus is on the largest and most dangerous botnets, state-sponsored hackers and global syndicates topped his list.
"We want to try and predict and prevent attacks rather than reacting after the fact," he explained.
This being done by avoiding "turf battles" through multi-agency, cross jurisdictional taskforces that share information freely and take a coordinated approach to detection and enforcement. While jurisdictional issues within the United States are being managed through this process, Comey noted that work with international agencies remains complex due to differences in international law.
However, Comey told the packed hall that the FBI had agents embedded in law enforcement agencies in countries such as Estonia, Romania, the Ukraine and The Netherlands "with the goal of trying to spot emerging trends and identify key players".
Despite all of this work, Comey acknowledged that it is not enough and that more assistance is needed. "We cannot do what we need to do without our private sector partners".
Comey said to the crowd "You are the primary victims of the evolving threat. You are also the key to defeating it. You have the information on your servers and on your networks. And you have the expertise and the knowledge and the innovation that can help us stop these attacks".
The issue is that disclosure of threat information, data theft and actual system infiltrations are rarely shared by businesses because of concerns regarding damage to reputation and company value that directly impacts the bottom line. Comey noted that when the government came asking for this information that there was very little upside to sharing the information and that there was nothing offered or given in return.
"There is no doubt that we in the government have information we can’t always share for reasons that would make sense to you," Comey explained. "But we've got to do our best to make that list as small as possible and share information as much as we can and as quickly as we can".
"That's why we have created something called the FBI Liaison Alert System, Flash, to send specific data used in an attack that we believe will be used again and send it at high speed".
All of this is to be done at machine speed and human-speed is not fast enough.
Comey also noted that there was a need for an automated intrusion system and a standard language and data format for both the government and business to communicate but with a focus on company privacy while promoting innovation.
Other steps such as making threat information more readily available in usable formats and reducing the victim notification backlog so that businesses can take steps in close to real time to minimise breaches and to deliver the right information when the FBI notifies a company that they are under attack.
Comey is seeking to forge closer relationships with key business people. He has set an expectation that the Special Agents in Charge at each of the FBI's 56 field offices in the USA need to be on a first-name basis with "key industry partners in their area of responsibility".
This transformation has commenced according to Comey. A new malware repository and analysis tool, the Binary Analysis and Characterisation and Storage System, has been created to provide near real-time investigative information that can be used across jurisdictions. Although this is a new enforcement tool, a more open version called Malware Investigator, will be made available later this year.
A new means for securely reporting electronic intrusions was also mooted. iGuardian will be used for law enforcement and the private sector to quickly pass information back and forth.
Anthony Caruana travelled to RSA Conference as a guest of RSA