On May 9, President Donald Trump fired FBI Director James Comey Jr. The day before, May 8, Director Comey delivered some of his last public remarks at the 2017 American Hospital Association’s Annual Membership Meeting. Over the course of his 30-minute remarks at the Washington Hilton (where, incidentally, President Reagan was shot in just over 16 years before), Director Comey talked about cyber threats and what it means to be a member of the FBI. Here are some highlights.
THE digital THREAT
“The FBI’s in the house,” Comey said as he opened his remarks, “to try to share with you our perspective on something you care about deeply already . . . the threats that come at us through the digital vector. . . . especially as it effects hospitals in the United States.” I was puzzled, at first. Why would the FBI director engage an audience of hospital and healthcare executives? Quickly, I understood. Most prominently, it’s about cybersecurity and the immense threat that America’s healthcare networks face from cyber criminals. Indeed, for cyber criminals, healthcare is a rich resource. Gain access to hospital information networks and lock them up with ransomware and people’s lives are on the line. In response, time has shown, hospitals are willing to pay, and pay quickly, to save lives.
Director Comey describes that threat as an “evil layer cake . . . a stack of bad actors.” The layers, Comey explains, are nation states, near-nation state criminal actors or criminal syndicates that “move in and out of those foreign governments.” Next down, autonomous criminal syndicates around the world, including the United States. Next, criminals . . . “people in their pajamas in their basements somewhere around the world trying to steal things.” Finally, there are an assortment of other “bad actors, hactivists, stalkers, bullies” who leverage the cyber vector to do harm. Altogether, these threats work to gain access to the data, the personal information, the research information, and more, all of which are of immense value to those with deep pockets. For instance, “Criminals have discovered that you are a ripe target for blackmail through ransomware,” Comey noted.
digital threat MITIGATION
There are a multitude of cyber vulnerabilities. To identify all the threats is a dizzying challenge. To effectively address all of them a more sizeable challenge. Director Comey boils down the vulnerabilities to three basic factors: the human factor, machine vulnerabilities, and damage mitigation. On the human front, according to Comey, “The weak link is always people.” “No matter how good you make your intrusion detection system,” Comey says, “it’s only as good as the security culture of your entire organization and the security awareness of your individual employees.” Training, in part, is fundamental to effectively addressing this vulnerability. IT account management is, as well, important. “All of us have to do a better job at growing that security culture in our organizations, at training our folks better,” Comey advises, “and at being much more careful about who gets a privileged account.”
Machine vulnerabilities, of course, are about staying ahead on IT security programs that defend against the latest evolutions of viruses and new viruses coming on the scene daily. Hourly. Then, effective damage mitigation plans are critical. Inevitably, large organizations with rich information are going to be high value targets to hackers and criminal networks. Inevitably, one hospital or another will be a victim of a ransomware attack. Surviving that sort of attack is a matter of planning. “Every organization in this room,” Comey tells the audience, “should have given thought to a business continuity plan in case there’s an attack. . . . Do we have the backups we need to be able to go on and operate immediately” if ransomware attacks lock up organizational information?” With the right plans and the right backups, organizations may suffer what would otherwise be debilitating ransomware attacks and respond seamlessly by switching transparently to backup data and systems.
FBI’s FIVE-PART STRATEGY
“We stand in the middle of a transformation of human experience that I believe is unlike any that’s ever happened before. And anyone who stands in the middle of a transformation of human experience and says, ‘I know what the answer is’ is either amazing, or a fool. And I’m not amazing, and I try not to be a fool.” In this way, Comey begins to address what he describes as FBI’s five-part effort to change the way the Bureau shapes itself to respond to cyber crime.
For instance, when it comes to cyber crime response, the FBI has adopted a new approach to investigation. They now assign work based on expertise, not geography. In other words, it’s not so relevant that an attack took place in Los Angeles. What’s more relevant is the kind and source of the attack and which field office is the best at responding to the attack. According to Comey, FBI offices with the greatest expertise in a particular threat wins assignment to investigations associated with that threat. It’s about internal competition. Every office wants to be best. “Every field office wants to demonstrate the expertise to own this threat coming from Iran, this threat coming from China, this threat coming from this organized criminal group.” To support field offices, the FBI has established cyber fly teams, or cyber action teams, CAT teams, deploy to the scene of the cyber crime, so to speak.
Comey continues through the balance of the remarks to itemize the FBI’s strategy and, at the same time, shape perspectives about working in the FBI in a way that makes Bureau service all the more attractive to talent the Bureau needs. As Comey points out, the Bureau is in competition with the very people to whom he speaks for the best talent in tech, and it’s not a fair competition for a variety of reasons, one of which, of course, is something as simple as salary. When it comes to pay, it is, right now, difficult for the FBI to compete. However, as he makes clear, when it comes to exciting, intriguing work on the cutting edge of cyber crime, there’s no place better.