Paul McLellan

RSA: The Director of the FBI

22 Mar 2019 • 6 minute read

Christopher Wray, the current (and the 8th) Director of the FBI, wrapped up the opening keynote session, in discussion with Susan Hennessey of the Brookings Institution.

Change Your Facebook Password Today

But before I get to that, here's a public service announcement. Change your Facebook password now. You might have heard that Facebook kept "hundreds of millions" of passwords in unencrypted form. Here's Wired's story from yesterday, "Facebook Stored Millions of Passwords in Plain Text—Change Yours Now."

To understand just how incompetent this is, see my post "Passwords: How Even Your Bank Doesn't Know Your PIN." In the same way, Facebook shouldn't "know" your password, and its employees shouldn't be able to find it out or to search for it. It is unbelievable that a company at the scale of Facebook would make such an elementary error, and not notice for many years. As I mention in the Breakfast Bytes post linked to above, I was taught not to do that in undergraduate computer science over forty years ago. This is neither a subtle nor a new mistake.

FBI

The FBI at RSA is a bit like Daniel in the lions' den. The FBI would really like some sort of impossible dream, whereby they can read anything they want, but nobody else can. I would say the security experts are generally of the opinion that weakening security to accommodate law enforcement is simply weakening security. An example that is often quoted is the way that the phones of the Greek government were all compromised by the existence of a backdoor in the cellphone network for law enforcement access. The FBI's attitude is summed up in the phrase they use for widespread use of strong encryption, "going dark." 

I've tried to include as much as possible of what I noted down during the discussion, since whether you agree or disagree with what is being said, Christopher runs the FBI, the main domestic law enforcement agency, so his opinion is important.

Susan started by asking Christopher his perspective on the landscape.

We're seeing a greater uptick in threats from foreign countries: Russia, China, Iran…and also what we call a blended threat where a foreign adversary teams with hackers. North Korean hackers are involved in everything from WannaCry, Sony Pictures, and more.

Next, Susan wondered which aspects of the overall security mission are unique to the FBI, doing what other parts of the country won't or can't.

Today’s cyber threat is bigger than any one agency. But no agency brings the same scope and scale that the FBI has. Cyber threat is very multidisciplinary, with a wide range of types of threats and motivations. We’ve been the lead on this for 110 years. We have offices all over the US. We have elite cyber task forces, FBI led but with 200 different federal, state, and local law enforcement agencies that we work with. We even have a lot of personnel overseas. We have offices in 65 plus countries and lots of those have cyber resources embedded.

Susan pointed out that most of the audience approach this from a private sector perspective.

In cyber the need for private sector participation is higher than pretty much anywhere. Over 90% of critical infrastructure is in private hands, so we couldn’t do what we do without the private sector. The key is for the private sector to build relationships with their local field offices ahead of time. It’s not just prevention, it is mitigation. At the end of the day, we need each other.

One example: a few years ago, there was a guy who, through hacking, obtained the names of 1200 US government personnel and provided that as a kill-list to ISIS. We would not have got that without important information sharing from the private sector.

Unlike some FBI directors, I have spent time in the private sector. So just as technology has become a force multiplier for the good guys, it has for the bad guys too. They are hiding in encrypted devices and messaging platforms. I’m well aware this is a provocative topic. We are not trying to weaken encryption, not seeking backdoors, any more than folks on the other side are trying to weaken public safety. But this is a problem that is getting harder and harder. We’re also duty bound to protect the American people. We need to figure out a way to deal with this problem. It can’t be a stable end state to have a space where criminals, terrorists and spies can hide their communications. We have the best law enforcement in the world, and the most innovative private sector. In my first 18 months in this job, I am hearing there are solutions.

To much laughter, Susan switched to a "less controversial topic" of Russia. Are they a threat?

In the last election we’ve not seen much on election infrastructure, but on social media to pit Americans against each other. That continues. We expect it to grow for 2020.

So what are you doing for 2020?

We're bringing a multidisciplinary hub, working closely with NSA, DHS, ODNI. There's a lot more engagement with other partners now, and the social media companies themselves. They can police their own platforms and maybe provide useful information to us.

What about China?

For too long we’ve been underfocused on the counterintelligence threat that China poses. There is nothing like it. Of all the things that surprised me when I came back into this world, it was the depth, and breadth of the China threat. Just this fall, we had four different times where we charged hackers working for the Chinese government trying to steal IP. It’s a real issue.

DOJ has made a number of high profile arrests. Is that being driven by ongoing trade discussions?

It's not about trade or politics, it's about the rule of law. We follow the facts independently wherever they lead, and if we find people committing crimes we are going to go after them, and I don’t really care what some foreign government thinks about it.

Is the DOJ effective?

Indictments are just one part of the government approach. People like privacy and some hackers are unable to get work because they’ve been called out. The indictments often allow other parts of the government to enforce other costs on them. FBI is patient and dogged, and when people decide to travel, we are waiting.

What about foreign governments responding?

We are always concerned about what other governments do.

It's been a difficult and challenging couple of years for FBI, Susan suggested.

Rumors about our morale are grievously overstated. What matters is not the chatter on social media or cable news but what happens on the ground. We have hired more special agents since October than in all of the prior year. We see a big uptick in people who want to make it their career out of college. Our selection rate is 5-6% for both interns and agents. Our attrition rate is 0.5%. There are few organizations in the audience that low. When people get a taste of the mission, I would stack our workforce up to anybody anywhere in the world.

Susan's last question, "When you look down the road, do you have a talent pool?"

There’s a shortage for everybody, so of course, we’d like more. I go and ask agents where they come from. Some where you'd expect. Law enforcement. The military, of course. But also Wall Street, STEM. It’s inspiring. I’ve been to all 56 field offices and met people in office after office. What they have in common is a commitment to the mission.

 
