FBI Director James Comey on Tuesday said that certain actions the federal government is taking to deter cyber threats to the country are working, at least in part, even if threat actors aren’t arrested and locked up.
Comey said that the indictment two years ago of Chinese military hackers for economic espionage and this year of Iranians working on behalf of their government to hack the United States financial sector shows that “we have managed to send an important and chilly wind through them. Even though you may be sitting half-way around the world, it makes a big difference to have your face on a wanted poster.”
While critics of this approach to deterring cyber threats believe it’s just “yapping into the wind,” Comey said the “name and shame” tactics the FBI is using against these foreign cyber threat actors might limit their lifestyles.
“You might dream of going abroad yourself,” Comey said at Symantec’s [SYMC] annual government cyber security symposium. “You might dream of sending your kids to get educated. You want to go see those kids. And you know those people from the FBI are not all that smart but boy are they dogged…The long arm of the law is not only long it’s very patient.”
Last September the U.S. and China reached agreement on prohibitions on either side from stealing intellectual property from each other. Comey said that norms of espionage don’t allow for this sort of economic theft.
Asked about the cyber agreement with China and that country’s compliance, Comey said that “it’s still early but we see encouraging signs in the way our Chinese counterparts are talking about and understanding the framework that I discussed…that nation-states do not engage in theft for commercial purposes.” He said there are “early indications of efforts to cooperate with us in investigating and trying to bring to justice people who’ve done that,” adding that “this is a process that takes a long time.”
Comey declined to discuss U.S. government efforts to deter and retaliate against Russia for hacking computer networks of the Democratic National Committee and another Democratic organization.
Nation-states are at the top of the FBI’s threat stack of cyber threat actors, Comey said, followed by multi-national criminal syndicates, “purveyors” of ransomware, hacktivists, and finally terrorists. State sponsored cyber attackers are getting more aggressive, the criminal organizations are getting more specialized and sophisticated, and ransomware is “spreading like a virus” globally, he said.
Although terrorist groups such as the Islamic State are adept at using the Internet to attract followers and communicate their messages, “what we don’t see them doing yet, and I underline yet, is moving towards and developing a capability for computer intrusions,” Comey said. “But logic tells us that that has to be the future of terrorism as we make it harder and harder for them to get physically into this country to kill people and to damage.”
Comey said that all cyber attackers are becoming more sophisticated. He said their techniques take advantage of “inside knowledge” by “harvesting” information through social media and other “human vectors” used to access organizations. Even as systems become increasingly more difficult to attack, people remain the “weak link,” he said. “And the threat actors know that so they spend a tremendous amount of time trying to understand how they can get in through human beings, through spoofing the existence of a human being, to actually recruiting someone who is disgruntled, who is unhappy, who is looking to do damage to an employer or make extra dough on the side.”
In addition to deterring cyber attacks and hacks by changing behavior through indictments and arrests, Comey said the FBI is working on attracting, developing and organizing agents and analysts to the bureau’s cyber capabilities. The FBI is also working with state and local governments on training, equipping and creating task forces to bolster cyber security and respond to citizen requests for help, he said.
Cooperation with the private sector also needs to improve to address cyber threats, Comey said. The private sector has “all the evidence we need,” but unfortunately “the majority of our private partners do not come to law enforcement when they face an intrusion and that is a very big problem,” he said.
The private sector needs to “integrate” the FBI into its cyber risk assessment planning, Comey said. He said the FBI was able to respond quickly nearly two years ago after Sony Pictures Entertainment [ADR] was hacked because the company already has a relationship with the bureau.
“We have to get to a place where its routine for people who are victimized to turn to us for assistance,” Comey said, adding that the FBI has become “very good” at protecting the privacy of organizations and individuals and not sharing their data.