FBI Assistant Director gives speech on cyber threat

October 20, 2011

The Cyber Threat

Some of the most critical threats facing our nation today emanate from the cyber realm. We’ve got hackers out to take our personal information and money, spies who want to steal our nation’s secrets, and terrorists who are looking for novel ways to attack our critical infrastructure.

President Obama called the cyber threat one of the most serious economic and national security challenges we face as a nation.

I believe the cyber threat is an existential one, meaning that a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people.

While it may sound alarmist, the threat is incredibly real, and intrusions into corporate networks, personal computers, and government systems are occurring every single day by the thousands.

We see three primary actors in the cyber world: foreign intelligence services, terrorist groups, and organized crime enterprises. Dozens of countries have offensive cyber capabilities, and their foreign intelligence services are generally the most capable of our cyber adversaries.

Their victims run the gamut from other government networks to cleared defense contractors to private companies from which they seek to steal secrets or gain competitive advantage for their nation’s companies.

One company that was recently the victim of an intrusion determined it had lost 10 years’ worth of research and development—valued at $1 billion—virtually overnight.

Terrorist groups are interested in impacting this country through a digital attack the same way they’ve done historically through kinetic attack; they’re always looking for creative ways to harm us. Some say they currently don’t have the capability to do it themselves. But the reality is that capability is available on the open market. And as 9/11 taught us, we can’t assume that just because something hasn’t been done before, it isn’t a possible threat.

Organized crime groups, meanwhile, are increasingly migrating their traditional criminal activity from the physical world to the computer network. Rather than breaking into a bank with guns to crack the safe, they breach corporate networks and financial institutions to pilfer boatloads of data, including user credentials, personally identifiable information, and corporate secrets, which they can monetize.

These groups, often made up of individuals living in disparate places around the world, have stolen hundreds of millions of dollars from the financial services sector and its customers. Their crimes increase the cost of doing business, put companies at a competitive disadvantage, and create a significant drain on our economy.

The value of thefts via hacking the financial services sector or its customers far exceeds that of physical bank robberies many, many times over.

In one of the most sophisticated and organized attacks on the financial sector, an international network of hackers obtained access to a financial corporation’s network and completely compromised its encryption. They were inside the system for months doing reconnaissance, which enabled them to steal millions of dollars in less than 24 hours when they finally took overt action.

Another major international hacking group used an Automated Clearing House (ACH) wire transfer system to access online commercial banking accounts and distribute malicious software that led financial institutions to lose nearly $70 million.

These cases illustrate how the offense far outpaces the defense in the cyber realm. And, unfortunately, under the current Internet infrastructure, we haven’t been able to “tech” our way out of it. It’s very difficult to put a price tag on all this in the aggregate, but several consultancies have actually tried to quantify it.

The 2011 Norton Cybercrime Report put the global cost of cyber crime at nearly $400 billion a year, and found that there are more than one million victims of cyber crime every day.

And a study released in August by the Ponemon Institute found that the number of attacks on companies it surveyed this year were up 45 percent from last year and cost 70 percent more to fix. On average, each attack took 18 days and $416,000 to fix.

And that’s only the tip of the iceberg, because what I’ve referred to so far relates to remote access attacks. The reality is our adversaries use multiple attack vectors, including the supply chain, trusted insiders, and proximity attacks to target the network and its very valuable data.

Mitigating the Threat

So now that I’ve painted this grim picture, you’re probably asking, “What are we doing about it and what more should we be doing?”

Despite the fact that our adversaries’ capabilities are at an all-time high, the good news is we have made combating this challenge a top priority not only of the FBI, but the entire U.S. government. We are devoting significant resources to it. And our partnerships among government, industry, and academia have also led to a dramatic improvement in our ability to mitigate the threat.

For our part, the FBI has formed cyber squads in each of its 56 field offices, with more than 1,000 advanced cyber-trained FBI special agents, intelligence analysts, and forensic examiners. We have increased the capabilities of our employees by selectively seeking candidates with technical skills and enhancing our cyber training.

As an agency with both national security and law enforcement responsibility, the FBI is well-positioned to address the cyber threat. The anonymity of the Internet often creates challenges in determining exactly who the adversary is, but our authorities and capabilities allow us to investigate and target criminal, foreign intelligence, and terrorist actors alike.

Partnerships

But we recognize that we can’t do it alone. Through the FBI-led National Cyber Investigative Joint Task Force (NCIJTF), we coordinate our efforts and bring to bear the resources of 20 agencies.

The task force operates using Threat Focus Cells—small groups of agents, officers, and analysts from different agencies. They are subject-matter experts who are focused on very specific threats.

Through the NCIJTF, the FBI has collected real-time intelligence that has been incredibly valuable for the protection of our networks.

We’ve also forged tremendous relationships with the private sector, and through much more robust information sharing, we’ve prevented attacks before they’ve occurred. I can’t tell you how many times we’ve gone to a company and told them they were breached, and where the intruder was on their network, and they were shocked to hear it.

And because there is often a foreign nexus to cyber crime, we are working closely with our international law enforcement partners. In fact, we’ve physically embedded FBI agents in foreign police agencies around the world to investigate cyber intrusion jointly, including in Estonia, the Netherlands, Romania, and Ukraine.

Each year, we are training and collaborating with approximately 500 foreign law enforcement officers from more than 40 nations in cyber investigative techniques.

Return on Investment

I’m pleased to say we’re having success. In 2010, we arrested 202 criminals specifically for cyber intrusion—up from 159 in 2009. In addition, our foreign law enforcement partners made dozens and dozens of arrests last year based on intelligence we’ve shared with them. And we obtained a record level of financial judgments for those cases in excess of $100 million.

Those arrests included five of the world’s top cyber criminals. Among them were the perpetrators of the financial services company intrusion I mentioned earlier, which resulted in one of the first hackers extradited from Estonia to the United States.

We also worked with our industry partners and our law enforcement counterparts in the Ukraine, the United Kingdom, the Netherlands, and elsewhere to apprehend those responsible for the ACH fraud scheme I talked about. Operation Trident Breach targeted more than 50 of the world’s most prolific cyber and organized crime subjects. We and our international partners carried out arrests, interviews, searches, and evidence seizures in 24 cities in 12 countries.

We are also employing novel ways of combating the threat. In Operation Coreflood, the FBI worked with our private sector and law enforcement partners to disable a botnet that had infected an estimated two million computers with malicious software. The malware on this Coreflood botnet allowed infected computers to be controlled remotely by criminals to steal private personal and financial information from unsuspecting users. In an unprecedented move, the FBI seized domain names, re-routed the botnet to FBI-controlled servers, and responded to commands sent from infected computers in the United States, telling the zombies to stop the Coreflood software from running. The success of this innovative operation will help pave the way for future cyber mitigation efforts and the development of new “outside the box” techniques.

Going forward, the U.S. government as a whole is collaborating to sharpen our focus on the cyber threat.

In May, the White House issued a proposed package of legislation aimed at enhancing the security of the nation’s networks and infrastructure and increasing penalties for cyber crime. The administration also released its International Strategy for Cyberspace, which outlines the U.S. government’s vision for the future of cyberspace and sets an agenda for partnering with other nations to realize it.

Managing the Risk

But is all this enough? Because if we have to get involved in a response capacity, something bad has already happened.

Before it was created, the Internet was something very few people could have imagined. To keep pace with our adversaries, we have to continue to think on that level to mitigate the cyber threat.

This is arguably the greatest invention of our lifetime, but it can be a dangerous place, as we’ve all seen. I believe it’s key that we recognize the risk in the environment we’re working in and learn to manage that risk.

That means we must divide our resources and efforts to reduce each of the factors that put us at risk.

To do so, it’s important to understand the classic risk formula, which states, ‘risk equals threat times vulnerability times consequence.’

If we lower any of those three variable factors, we lower the risk. If we can completely eliminate any of those variables, we eliminate risk. But that’s virtually impossible, so we must adopt a defense-in-depth approach—lowering each of the three.

This is where we have to work together—kind of like a zone defense.

Think of the risk model in terms of protecting your house from being robbed: If there are no burglars in your area, you’ve dropped the threat to zero. So you wouldn’t need to spend money on a security system. And you might even leave your doors unlocked to save yourself time getting in and out.

Not because you don’t have any valuables, but it doesn’t matter how vulnerable you are because you don’t have any threat actors.

If, all of a sudden, you get reports that there are burglars operating in your area, and people’s homes are being broken into, then you begin worrying about vulnerabilities because you know there’s a threat. You start locking the doors. You leave the outside lights on. Maybe you put in an alarm system. You might move certain valuables out of your house to a safety deposit box, or even install a safe.

Or you create a community watch to look out for the bad guys and protect not just your own property, but the whole neighborhood. Maybe you even move to a gated community with a 24/7 security guard that checks IDs at the gate. You’ve reduced your threats and vulnerabilities to counter the risk.

Consequence management, then, assumes that despite your best efforts to eliminate the threat and reduce your vulnerabilities, the bad guy still gets in.

So now you manage those consequences—you purchase homeowner’s insurance to replace the valuables you may lose. Or you might put in a hidden camera to catch the thief in the act. That won’t stop your valuables from being stolen, but might lead you to be able to recover them afterward.

Translating those concepts to the cybersecurity realm, we’ve already established that the threats exist and are increasing. So we could reduce the threat by taking a law enforcement, intelligence, or economic action to prevent or deter an adversary from acting. We took 202 threats off the playing field last year, but clearly, the threat continues.

So how do we lower the vulnerabilities of the cyber threat? It requires hardening the targets, including protecting the supply chain. It could entail keeping certain pieces of information off the network—maybe in a physical safe. Do you really need the 100-year-old recipe for the secret sauce stored on the network?

Managing the consequences of a cyber attack entails minimizing the harm that results when an adversary does break into a system.

An example would be encrypting data so the hacker can’t read it, or having redundant systems that can readily be reconstituted in the event of an attack.

In all cases, those who have addressed these individual risk factors have an opportunity to share information with others in order to lower our collective risk.

Alternate Models

I said earlier that under the current Internet structure, we can’t tech our way out of the cyber threat. But what if the playing field were changed?

There is a growing sense among a number of subject-matter experts that the current Internet environment is simply not sustainable.

One proposal has been to begin exploring alternate, highly secure Internet options that focus on more easily spotting and tracking the threat actors. And then providing the law enforcement and intelligence communities and others the tools they need to mete out justice and deter future attacks.

Going back to the concept of alternatives, let’s think of it in terms of the crime in the neighborhood analogy. Some people live in communities that have heightened security by focusing on who can enter at guarded posts—only certain people get in, and the rules to do so are stringent. They look for bad guys and report them to the police. These types of alternate security models can translate meaningfully to the Internet as well.

The reason the Internet is the way it is now is based on decisions made by those who developed it. They purposely allowed for anonymity, and there are legitimate reasons for wanting to keep it that way for some users and for some uses of the Internet. There are users for whom maintaining their privacy is worth the risk of intrusions into their computers or networks.

But for those critical uses of the Internet where intrusions are entirely unacceptable because the risk of compromise is so high, market-driven factors need to be explored; businesses must seek the solutions and options they want and need.

Electric power grid operators, for example, would likely opt for higher-trust models that don’t foster anonymity, but instead promote assurance and attribution.

Assurance allows the ability to detect changes in data or hardware, and attribution provides the ability to determine who’s on the network and who made any changes on it.

Right now, computer security has become an endless game of defense, which is both costly and unsurvivable in the long term if the status quo remains. Going after the threat actor is an absolutely necessary part of the risk equation, and one that can be made far more effective with alternate architectures.

Under the current environment, victims are often focused on how to get malware off their systems and on finding out what was taken. But what they should be asking is, ‘What was left behind? And did it change my data?’ Most users have no idea whether their software, hardware, or data integrity has been altered. Our current networks were never designed to detect that type of deviation.

So it’s critical to note that attribution without assurance is useless. It doesn’t do you any good to know who did it if you don’t know what they did and how to look for it.
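The “assurance” the speech describes is, in practice, a baseline-and-compare integrity check: record what the system looked like when it was trusted, then later ask “what was left behind, and did it change my data?” The following is an added example written for this repost, not code from the FBI or from the speech; the file paths, contents and signing key are constructed for illustration. It hashes a snapshot of files, signs the baseline with an HMAC so the baseline itself cannot be silently edited, and reports files that were added, removed or modified in a later snapshot.

```python
import hashlib
import hmac
import json

# Constructed sample snapshots of a small system: path -> file content.
# BASELINE_FILES is the state recorded while the system was trusted.
BASELINE_FILES = {
    "/etc/app/config.ini": b"listen=443\nauth=required\n",
    "/opt/app/bin/service": b"\x7fELF...original-binary...",
    "/var/app/data/customers.db": b"id,name\n1,alice\n2,bob\n",
}
# LATER_FILES is a later snapshot: config weakened, an unexpected binary
# left behind, and a data file gone.
LATER_FILES = {
    "/etc/app/config.ini": b"listen=443\nauth=optional\n",
    "/opt/app/bin/service": b"\x7fELF...original-binary...",
    "/opt/app/bin/helper": b"\x7fELF...unexpected-binary...",
}


def hash_files(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, content in files.items()}


def sign_baseline(hashes, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag so that
    tampering with the stored baseline is itself detectable."""
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def load_baseline(signed, key):
    """Verify the tag before trusting the stored hashes. Returns the
    path->digest mapping, or None if the baseline fails verification."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return None
    return json.loads(signed["body"])


def compare(baseline, current):
    """Return sorted lists of paths added, removed and modified relative
    to the baseline (both arguments are path->digest mappings)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def audit(signed_baseline, current_files, key):
    """Full check: verify the baseline, hash the current files, diff them."""
    baseline = load_baseline(signed_baseline, key)
    if baseline is None:
        return {"error": "baseline signature invalid"}
    return compare(baseline, hash_files(current_files))


if __name__ == "__main__":
    # Hypothetical key; in a real deployment it lives off the monitored host.
    key = b"hypothetical-baseline-signing-key"
    signed = sign_baseline(hash_files(BASELINE_FILES), key)
    print(json.dumps(audit(signed, LATER_FILES, key), indent=2))
```

The point of signing the baseline is the speech’s own: a record of “what the system looked like” is only assurance if the record cannot be altered by the same intruder who altered the system, so the key should be kept off the host being monitored. The same diff logic applies to hashes of firmware images or configuration exports, not just files.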

A key question in establishing alternate Internet models is how you prevent users of both platforms from contaminating the secure one.

As many of you know, we’ve seen cases in which removable media have introduced malware from unclassified government systems onto classified ones.

To avoid this in alternate security environments, it would be critical that the networks lack interoperability. Imagine if you will a virtual version of the pumps at gas stations that offer both diesel and regular gasoline. You can’t even fit the diesel nozzle into a regular gas tank. It’s idiot-proof. If you don’t provide that kind of barrier on your new system, you would always be susceptible to human error. All users would need to adopt the same standards.

The trend toward cloud computing and new environments could present an opportunity to begin trying and testing new architectures.

U.S. innovation and ingenuity created the Internet, which is now a global phenomenon that has provided tremendous opportunities. With it, however, have come tremendous security challenges to certain users. For them, the current system will never be good enough. But it’s too late to disconnect. It’s not possible to be offline anymore, and there’s currently no alternative.

I don’t have the answers about how to build greater choices in the security architectures used today, but I do feel strongly that the discussions must begin now. I’ll leave the solution to the potential customers, the technologists, and the entrepreneurs. I’ve outlined just a few of the issues that should be considered. But I challenge you to continue the discussion about whether there is a need and enough demand to develop alternate networked environments that rely less on playing defense, and rely more on discovering and capturing threat actors so they change their own risk calculus on whether cyber crime pays.

We must continue to push forward, because our adversaries are relentless. They want our money, our property, and our secrets, and some seek to harm us well beyond that. Together, we can turn the tide against them and bolster the security of our nation’s information, networks, and infrastructure. Thank you. (Source: http://www.fbi.gov/news/speeches/responding-to-the-cyber-threat)
