Former FBI director James Comey claims that celebrity was never one of his career goals. Soft-spoken and thoughtful, he sounds more like the university professor he will be in the fall than a high-profile lawman who is the target of his president’s ire.
At OpenText's recent Enfuse conference, Comey and OpenText CEO Mark Barrenechea sat down with select journalists to chat about cyber security.
InsightaaS: In your book, A Higher Loyalty: Truth, Lies, and Leadership, you comment on your worries about encryption. How do we solve that issue? There's encryption for privacy, there's encryption for security, and then there's 'we need to know what's encrypted' for precisely the same reasons.
James Comey: As I said in the book – and I said it because I meant it – this was the hardest problem I encountered in government because there's a collision. At the top of this collision are two fundamental values: privacy and security on the one hand, and public security on the other, with implications for all kinds of things. I think the most important step towards solving it is to avoid demonizing across the government-private barrier and to realize that we share the same interests, even though we may balance and weigh them differently. But this, the hardest problem I've ever seen, is only going to be solved by smart people opening their minds to what's possible, and to what would optimize those values, and figuring out how to do that in a sensible way. And one thing that I'll actually talk about this morning was that I entered that debate in a stupid way – I'm going to open my remarks talking about a mistake I made. The way in which I entered that debate allowed the government's position to become bumper stickers – the FBI wants a backdoor to everyone's device – and we wasted so much time bumper stickering that we didn't get anything done in any quality way. The answer is not going to come from either industry alone deciding what should happen, or government alone deciding what should happen. It's too complex for an answer to be dictated either by the forces of the market, which are really important, or the forces of government security interests.
Mark Barrenechea: If I can just amplify one part of it, probably a third part of that triangle is that there are bad actors out there and so you need to encrypt as well. Whether they're state actors or espionage actors who are constantly on the hunt, industry alone cannot solve it. There's no such thing as a Geneva Convention for data. We have a Geneva Convention for war; we need a type of alliance on data that government and industry lock into. I can't outspend the government for security so I encrypt as well. So I think there's another layer to this, and it's got to be solved in partnership.
Comey: I know it doesn't surprise you, but it might surprise some people that as FBI director I was a huge fan of encryption. I wanted our data, our devices, our jewels for tech locked in the most secure safe possible. It's not a question of being for or against encryption; it's about understanding if there is a way to achieve security and security. It's not civil liberties versus security, it's actually security versus security. We all want security and privacy in our private moments, in our data, and our money, and our government secrets, and we need security against bad actors who would take advantage of those safe spaces to hurt kids, to plot terrorist attacks, all those things. Framing it that way I hope makes for a healthier conversation.
InsightaaS: I would imagine you're aware of Microsoft's call for a cyber Geneva Convention, in particular for state actors not to be attacking civilians in peacetime. But is that possible, given our state of connectedness?
Comey: I don't know. I guess I don't know enough to react. I'd want to understand the thinking behind it. Something that you'd worry about with a convention like that is that all the good people sign up to it and the bad people either don't sign up or they sign up knowing that they'll violate it. I just don't know how it would work.
Barrenechea: Now it's still at the informational stage, but the concept of banks or any organization connected to the net defending itself against a state actor is an interesting question. Could we actually bind ourselves by some rules that could help us?
InsightaaS: I think one of the big worries is organizations like hospitals, where ransomware attacks on hospitals could cost lives big time, and they are lives of vulnerable people.
Barrenechea: By nature, it's going to change the definition of what war is, and this big term will have to be used carefully, obviously. It's definitely changing the conflict landscape – has changed the landscape – and I use the term ‘war’ very carefully.
Comey: Right, so how do you evolve norms in that space? And how do you secure when attribution is one of the key challenges in responding to all cyber-attacks; how do you create an enforceable regime, an international compact, in that world? It's not easy... I suppose the Russians can take the patches off their uniforms and walk into Ukraine. But in the main, you can't have a kinetic attack against another state without clear attribution. It's totally different in cyberspace. Look at what you mentioned – ransomware is a scourge. One of our central challenges in the FBI was to try to convince people not to pay ransoms because you're just throwing gasoline on that fire, but rather to prepare themselves with backups. It wasn't the big hospital chains we found were vulnerable, but the smaller chains that hadn't invested.
Barrenechea: This harkens back to June 2015, to when its data was stolen from the Office of Personnel Management. How do you defend and protect against that?
InsightaaS: Could a lot of the problem be related to corporate/government cultures? Have they perhaps not evolved sufficiently to handle the cyber world? People can mostly cope – not necessarily happily – with a physical attack. A cyber attack is often harder to detect, and you really don't know how to cope with it.
Comey: My first reaction is that your response will be more informed, but it's a spectrum. And as people get smarter, and invest more, they realize that cybersecurity is a board-level issue, it's not something that should be simply given to a chief information security officer who's left alone. It presents systemic enterprise-wide risks, so more and more companies are investing in it and doing what they need to do. But there’s a spectrum, driven primarily by the size of entity, in which some organizations slide away from investment. Another mindset shift has to happen, in the government and outside the government, in which people realize how inextricably linked personnel security is to cybersecurity. You can have the best intrusion detection, patch management, firewall in the world, but your weak link is always going to be your people. For years, many organizations were separating the two – cyber security resides over here, while HR handles the security of our personnel. In the FBI, we were transforming the way we approached the insider threat to make sure we connected those two things.
InsightaaS: That approach is particularly important in the current environment, where people are bringing their own devices. There's almost no division between the real world and the work world.
Comey: Yes, and negligence or bad actor intentional misconduct will defeat the best software or hardware security, so personnel security has to be the third leg of that stool.
Barrenechea: So right on! We talked yesterday about the latest Verizon report. It shows that insider threats account for almost 30 percent of all attacks today. It could be the employee who's carrying a laptop that was plugged in at a Starbucks and then the corporate network – so bad things are already on the laptop, or it's intended.
InsightaaS: People here (at the conference) can plug a drive into the kiosks scattered about and download all the presentations. We were having a bit of a chuckle about how that was very dangerous on a public kiosk. One of the good things for the attendees here is that many of them are forensic analysts and have no intention of plugging that drive into anything but their slave system and giving it the once over before opening the files.
Comey: Yeah, but some of them are not, and all you need is one! I suspect even one of those forensic experts will have gone to the bathroom, leaving their access card stuck into their device. Or in a hurry they’ve used a thumb drive that they found in their desk or at home for those kinds of things.
At one place I worked, which I will not name, we used to drill people by sending them fake malware to click on, and when they opened the link a big message would come up that basically said, "dumb-ass, go speak to your supervisor," and the supervisor would have been notified about what they had done. I had one of my employees contact me and say, "But I closed it really quickly." So I said, "Did you close it at 186,000 miles per second?" He said, "What do you mean?" I told him, "That's the speed of light. If you closed it faster than that you're okay."