David Johnson Discusses FBI's Role in Preventing Cybersecurity Breaches CSPAN November 25, 2016 12:00pm-12:24pm EST
12:00 pm
entire industry and indeed most industries are going to be doing this, how am i going to be a part of that? am i going to be a laggard or a leader? the security research team is an awesome resource and you need to find a way to engage in them and bring them to the staff. one time or two times or three times, listen to every word she said especially cybersecurity is a matter of public safety. >> thank you our panel for a great session. [applause] >> good morning. thank you very much for the opportunity to be here today to talk about the fbi and what we're
12:01 pm
doing in regards to cyber crime. morally obligated to start out by saying i know i'm the last person between you and lunch and i will keep that in mind. i have 15 minutes, give or take for comments and some time for q and a. i will hold up my side of the bargain and you have to hold up yours. here we go. i will focus on four things. the current overall cyber threat, how we see this threat impacting the automotive industry, what the fbi is doing to prevent and respond to cyberattacks and lastly, the importance of public-private sector collaboration and what you or the industry can expect from the fbi if you suffer a breach or are the victim of an attack. with a little story. everybody local a story about a meeting i went to in march of this year and it was with intel
12:02 pm
corporation. after this meeting was a commercial futurist panel and there were three individuals on the particular panel. one was marc andreessen from andreessen horowitz and peter getz. and jim all very successful in prominent venture capital firms in california. one of the questions that was asked of them was, where do you see future growth in the next 10 years from a technology perspective? they were not all consistent in their responses, but one or two of the responses were mobile, quantum computing and autonomous driving systems. the way venture capitalists see growth over the next 10 years. it gives us a pretty good idea of where we are headed and what we have to consider going forward. the big question for much from a
12:03 pm
bureau perspective the industry, what are we going to do about that today? let me talk about the current cyber threat landscape. in general, more complaints, more intrusions, more victims, more losses and the bad guys are getting more sophisticated. we have that going for us. who are the players? nation-state sponsored intrusion. characters, china, russia, north korea, iran. we're dealing with multinational information for sale to the highest bidder. hackers are motivated by different things whether political, financial or harassment. we still consider the cyber terrorist perspective. we know that terrorists are highly proficient at using the internet for recruiting, propaganda and executing attacks. we know they aspire to gain
12:04 pm
access to our systems. we know is they are not there yet or we do not think they are there but it is a concern. how do these groups operate? increasingly complex attacks combining multiple techniques and inside knowledge. using social engineering to target us and develop human vectors to get into your system. they are using social media to target employees. i would be remiss if i did not mention the insider threat. not just limited to hackers on the outside but insider threat is a significant problem, disgruntled employees, employees who are targeted and employees willing to sell to the highest bidder. what are they after? pretty much anything and everything from information first active. access, economic, political or ideological. today, we're not so much concerned about the loss of
12:05 pm
data. after the sony case, an issue of corruption of data or lack of access to our own information. why does it matter to everybody here in the room? more than attack on your infrastructure, these are attacks on employees and customers. attacks on your reputation. and attacks on our autonomy and security. real quickly, i would like to talk about the impact of the automotive industry from the fbi perspective most of the folks a bunch of heard panels talking about that this morning. from our perspective, the vulnerabilities include network and autonomous systems. because new cars and infrastructure are increasingly connected to networks, an attack could prevent vehicles from communicating with each other and infrastructure.
12:06 pm
autonomous vehicles are especially vulnerable. in my previous job as a special agent in charge of the san francisco division, i worked with california highway patrol commissioner who was very interested in these particular issues. a comes and are not from negative way, but he was constantly asking me when it comes. time's vehicles, who is thinking about these issues and were asking the hard questions? in the wake of the tragic accident with a tesla using autopilot earlier this month, safety is obviously front and center. it is also critical that security in particular cybersecurity be a consideration in the design stage rather than as an afterthought. it is not just tesla and google pushing the envelope on autonomous vehicles, i'm sure you have heard about george who is making a self driving car in his garage. what could possibly go wrong with that?
12:07 pm
supply chain. we are want to talk about it again. another vulnerability clearly. under many possible scenarios that we are thinking about involving malware introduced during gps updates. another access point. transportation infrastructure. hackers can compromise the gps or navigation and send drivers to the wrong place. or bad actors can use rates and to extort money in exchange for information to get them to the right place. here is what the fbi is doing. director comey has recognized the severity of this particular risk and made combating it one of his top priorities. we as an organization are constantly evaluating how we go about dealing with our responsibilities. for those of you looking at the news this morning, the department of justice, inspector general pushed out a report talking
12:08 pm
about how the fbi is looking at the cyber threat and giving us areas for improvement, all of which we will take very seriously and implement as possible. for the less winners is your years, the fbi has worked cases pretty much in the same way. we assigned to investigators there are either aware of where the victim companies are at it does not work and cyber so we had to change the model. it has not been without pain. we make case assignments based on subject matter, expertise and where the expertise resides. we have created cyber action teams. we are taking our best technically trained agents and computer scientists and employ them to areas. we are maintaining a constant focus on recruiting, training and retaining cyber talents. we know we needed to hire more
12:09 pm
just as everybody else does. we are constantly thinking about this differently and how to go about it in different ways. would replacelly technically trained folks into two different job families, as agents or what we call professional support employees, computer scientists. we are taking a look of whether or not that is a good idea and generally the best is it is not. we're thinking about bringing additional computer scientists and data scientists onboard and expanding the subject matter expertise we have and we know we will need moving forward. trying to provide additional clarity on the lanes in the road. it can be confusing to the private sector in terms of who will respond to a particular event and who will do what following an intrusion. we have been working very hard
12:10 pm
with the inter-agency to come up with additional guidance. it is still ongoing and you can imagine how hard it is to herd and we are close and we expect an announcement soon. i would think within the next week or so there would be additional guidance from the federal government. we are doing our best to impose costs and we are getting better at attribution and figure out for the bad guys and prosecuting when appropriate. when we cannot reach out and touch them, we expose them publicly. i was skeptical of this approach at first but it has had a chilling effect. in march of this year, we did this with seven iranian hackers. it can be embarrassing for country for those countries to care if the activities are state-sponsored and have consequences for the individuals if they would like to travel with their family or otherwise. lastly, the fbi is helping
12:11 pm
counterparts be more effective in dealing with cyber crime, providing training, equipment and expertise and we expect to continue to do so for the foreseeable future. what can you expect, what can industry expect from the fbi if you suffer an intrusion and where you should be at in regards to engagement with your organization? vehicle technologies continue to evolve, the fbi and automotive industry must engage on cybersecurity. develop a relationship with your local fbi office before something happens rather than after something bad happens. fbi will do everything we can to share the relative information we can share with you. we frequently push out what we
12:12 pm
call flash reports to share tactics and malware signatures. we will provide direct briefings on request or otherwise to have companies learn from previous events. and in the event you provide us with information, we will provide you with feedback on what you have given us. the bottom line is we need your help to allow us to better address these threats. we know the private sector owns almost all of the infrastructure, the primary target and all of the information and evidence we would need to move forward resides on your networks and servers. unfortunately, more often than not, law enforcement is not notified when an intrusion occurs. the estimates are about 20% are reported. another 80% out there. i understand there is a multitude of reasons why a company would not want to report an intrusion to law-enforcement
12:13 pm
but we have to figure out a way to get past that and work together. we need to make it routine for companies to turn to law-enforcement for help. why? we need to find out who is behind in the attacks and prevent them from doing it again. it may not be a company's first concern which is normally to get back to business. if we do not find those responsible, they will continue to attack. speed matters. the faster you turn to law enforcement, the faster we can turn to leave and get to the right course. the fbi understands competitive edge in reputation and disrupting your operations and dealing with regulatory agencies and liability. the bottom line and this what you will expect, you will be treated as a victim. we will minimize the disruption and protect your privacy and not share data about
12:14 pm
your employees or operation. we will do our best to provide clear rules regarding the information you share with us and what happens to it and how it can be used and share as much as quickly as we can. let me wrap up real quickly. i think i'm doing boko time. thank you for the opportunity to be heard today. i applauded the automobile industry to minimize risk. to working with you on these issues. i would be happy to answer any questions you may have before lunch. [laughter] >> thank you very much. if people have no questions, please write them down and well folks who can pay them up. i have a question. andhe cyber does not occur the supplier -- and we have
12:15 pm
supplier, what can the fbi provide not only in cyber but handling the media? given the fbi's extensive experience with it dealing with incidents across sectors? yeah, a couple of different thoughts. wonder, if iwill can. yes, on the media for, we have the office of public affairs in each field office has a media coordinator and in the event it is determined it may be something that a company would want to help you effectively engage with the media, the bureau would be more than willing to provide you with a plan to make that happen. one of the other things that we provide is we have an office of victim assistance.
12:16 pm
each field office has a victim specialist and if your employees or employee of a company are potential victims, the victim specialist can sit down and talk to your employees about ways to mitigate those risks and help them get back on track not only from a realistic perspective but from a psychological perspective as well. if it is likely a nation state-sponsored intrusion, we would be the interface with the intelligence community and other outside agencies that would have the visibility to the extent we could if we had cleared individuals in another company, we would be able to share that information as quickly as possible if we can. -- lastly, i talked a little bit about the pre-existing relationship. you want to have that in place
12:17 pm
before something happens and the reason why is you can engage in these conversations on a regular basis. you can learn more about what the fbi can bring to the table and what the dhs could bring to the table and what secret service could bring to the table. and develop a plan beforehand in the event something happens, you will know exactly what you can and cannot do or should do. >> anymore questions from the audience? chris i had one question but then thought about something else while you were talking. i can see maybe some organizations are hesitant to report this information. we know reputational risk and all of those things,
12:18 pm
reputational damage, i should say. but also is there any connection with your reporting and investigation to the federal regulators for instance? there can be concern and they would be under more scrutiny if they are reporting these things to the fbi. david: that is absolutely a fair question. a gym trainerwith before i came out and we were talking about sony. and how the bureau responded to that and how we tailored. the answer is you will be treated, the company will be treated like a victim. the fbi is not going to provide opinion or commentary into regulatory agencies about conduct or omissions or otherwise, that is just not our lane in terms of what
12:19 pm
we would do and how we would respond. i thought i was off the hook. i get to read it. i can make it any question i want, right? what are we having for lunch today? no. what measures does the fbi employ to protect the anonymity of a company that reports a cyber incident? internally, we don't. we don't prevented the anonymity of companies. when it comes to pushing information out that is relevant, that may be relevant to other law enforcement agencies or intelligence community members, we do not identify the company that has either suffered a -- we haveas
12:20 pm
information or intelligence about. we may refer to a company in a report that is going out to the community as company a or company b. internally, we do not. i do not have any instances of where we had to. we refer to -- well, sony is an example. well, we don't absent prosecution. >> thank you. that should wrap it up. [applause] our feature programs on c-span. saturday night at 8:00 eastern, the black world conference, the impact of the 2016 election.
12:21 pm
melanie campbell, executive director of the national coalition for black civic participation and moderator mark thompson host of "make it plain." and mayor of newark, new jersey. >> when we get together as a black folks, we have an agenda, we also have to unite with other is -- in win, doubted the object is to win. there are hundreds of thousand people in our community that are jailed, people are beaten, people are dead. we're not activists and revolutionaries because it is fun. my mother father did not participate in the movement for medals or twitter or instagram or to get these things and be praised. they did because it is necessary. announcer: american values, the founding fathers and the purpose of government. meaning of america is
12:22 pm
persuasion. the meaning of america is love. america's building a better product or creating a better service or persuading somebody to marry you or join their church or synagogue. a huge civic mindedness in american history. announcer: newt gingrich, van jones, and patrick kennedy discuss opioid addiction. is true, people have to change their minds. they have to have willpower will but because of the way opioids were, that the change their brains back. this is a biological thing. your brain is an organ. doctors are handing you these pills, we took the molar out of your mouth, take these pills. for a lot of people, those pills damage is at work in. announcer: watch on c-span and www.c-span.org and listen on the free app.
12:23 pm
