Christopher Wray, the director of the Federal Bureau of Investigation, told a standing room only room of attendees at Fordham’s Lincoln Center campus on July 25 that the FBI will always be as persistant as America’s enemies when it comes to defending the country.
But the agency cannot go it alone.
“Just as technology has become a wonderful force multiplier for the good guys, it has become a force multiplier for all sorts of bad guys—for terrorists, hackers, child predators, and a lot more. User-controlled default encryption is a real challenge for law enforcement,” he said, echoing comments that U.S. Attorney General William P. Barr made at Fordham on Tuesday.
Wray’s appearance at Fordham’s School of Law closed out the 8th International Conference on Cyber Security (ICCS). He last visited Fordham in January, 2018, when he delivered the opening remarks for the 7th ICCS conference.
To illustrate the FBI’s ongoing efforts, Wray highlighted the Bureau’s involvement in the December take down of APT10, a hacking group associated with China’s Ministry of State Security. The group had compromised the networks of U.S. government agencies and 45 companies around the world.
Working with field offices around the country and agencies such as the Defense Criminal Investigative Service, and the Department of Homeland Security, the U.S. Department of Justice obtained criminal indictments against two members of the group.
“The indictments marked an important step in publicly exposing China’s continued practice of stealing intellectual property to give Chinese firms an unfair advantage in the marketplace,” he said, noting that it also let to the first formal declaration that China had violated the 2015 Cyber Commitments agreed to by the United States and China.
“By revealing the names and activities of hackers in cases like these, we limit their travel and job prospects, and we increase significantly their cost to operate. An indictment signals to our allies that we’re so confident in our assessment of culpability that we’re willing to put the full weight of the U.S. criminal justice system behind it.”
Wray addressed foreign influence in his remarks, noting that the bureau fully expects to see in 2020 efforts to target election infrastructure to exact ransoms, temporarily disrupt election operations, and undermine voter confidence in the electoral process.
“Happily, we’ve yet to see attacks manipulating or deleting election and voter-related data, or attacks that actually take election management systems offline. But we know our adversaries are relentless. So are we,” he said.
Equally important, he noted, was foreign investment. If adversaries can’t access our most valuable and sensitive information, he said, they may try to buy their way to it. Working with the Committee on Foreign Investment in the United States, the Bureau has access to data about sensitive industries unavailable to private citizens. Don’t overestimate the effectiveness of protections and countermeasures available to your company, he said.
“A decision to enter into a particular joint venture or contract with a particular vendor or cloud computing company may look good today – it may make a lot of money this quarter. But that decision might not look so great five years down the road, if you’re then in the throes of a slow bleed of data. Or, worse, if you’re then suffering a major hemorrhage of intellectual property,” he said.
“So you’ve got to take steps, and make hard choices, to safeguard your R&D, PII, and proprietary data even after a deal is done.”
The issue of lawful access to encrypted data was where he was most hopeful that the private sector and law enforcement could learn to cooperate. In a New England town last month, he said the FBI received a tip that a nine-year-old girl was being sexually abused, and that the abuser was using an app—which Wray declined to identify—to distribute images of her anonymously. Agents contacted the app provider, located the child in less than 24 hours, obtained multiple search warrants, rescued her and arrested the suspect.
“Law enforcement receives millions of tips like these every year. I don’t want to think about a world in which we lose the ability to detect dangerous criminal activity because a technology provider decides to encrypt this traffic – data “in motion” – in such a way that the content is cloaked and no longer available subject to our longstanding legal process,” he said.
The FBI has been “hearing increasingly” from cryptologists that there are solutions that could work to protect encryption and fulfill law enforcement’s need for accessing encrypted communications, he said, which gives him hope that a mutually acceptable solution may emerge soon.
“This is not just a national security issue, it’s a fundamental public safety issue. If it is not addressed, it impedes not only federal law enforcement, but our state and local partners as well,” Wray said.