Part of the bid for on intelligence issues including Mitch Mcconnell minority leader schubert and senators warner and berger the Senate Intelligence community is leading an investigation into russias interference. Keyes spoke yesterday at a Cybersecurity Conference he says he plans to serve the remaining six 1 2 years of his decade term as fbi director. [applause] thanks for the introduction to share some thoughts with you. This is the Perfect Place to have this conference and i am thrilled to be part i think there will be more it is of plenty places because the challenges of opportunities in this great city and region but because boston colleges a leader of thinking and educating these issues so this is a great place to have it you are sticking with me another six and half years of above to be invited back again any place called irish call is a neat place to have this given my background. And what the fbi thinks of the threat that we face and how the fbi is trying to redress that threat in the key parts of that approach will involve of partnerships and then i would like to take your questions you can ask me about anything i am very slippery and will not talk about anything i dont want to but questions have to come from the table will be begin by talking about the threat to. To state the obvious, the threats are too fast, too big and too widespread for any of us to address them alone. We need to Work Together to address them that is every bit as true as with cyberthreats. Like think of a stack of bad actors so at the top of the stack from the fbi perspective think china china, russia, iran, north korea that is the top of the stack. Just below that of our multinational syndicates backed are involved increasingly specialized roles to steal information and money and innovation through this cybervector and on behalf of the of Mesa Convention asian states nation States International cybersaid tickets then down the stack it is the hacktivists. Those that try to conduct cyberintrusions. The bottom of the stack is terrace. I put the map of bottom this because the terrorists are using the terrorist to communicate and prophesies but they have not yet turned to using the internet as a tool of destruction will logic tells us certainly will come in the future how do they operate . Obviously sophisticated focusing on larger targets in and looking to exploit of weakest weakest link as good as we become in the firewalls there only as good as the cybersecurity hygiene so the whole stack of backers is focused on social engineering to see if there isnt a way into a well defended network. Access, advantage of it is even about the loss of data and the corruption think about of harm to change blood types the intrusion of changing just a few digits and worry about the lack of access to data that shuts a business down. The impact is obvious as well. On an infrastructure and employees and custers and reputation and economy and security and increasingly attacks on the fundamental rights guaranteed to us as three people we cannot prevent every attack. The attack surface is too big that is too pronounced and ubiquitous but this behavior is subject to deterrence. If they are not motivated or enflamed by jealousy there is a lot of thinking that goes into cyberintrusions in reid believe there is an opportunity to influence behavior to impose awful this does say put their fingers to the keyboard. We believe we have to be more productive and less reactive and there are things that we can do together to address the threat to and that involves us with the fbi helping you in the private sector and partners to understand what are the bad guys doing . Hour they coming after us . What are their fingerprints . We also think part of this is making severs security a priority im talking to the people who will get it but it is important is not one risk assigned to some guy in the basement of enterprise because the threat britains the entire enterprise so must we thought of as the enterprise risk at the board level and something that has to be imbedded in every single thing that enterprise does have to Work Together to reduce the threat it to find people responsible and hold accountable and obviously wants any of us are hit we have to be effective that mitigating the damage. We think we have a role to play to help victims understand what has happened to them that is what we can all do together but what the fbi strategy is and give me feedback there are five parts to this strategy and they are simple andrea are trying to focus ourselves in a better way doing that in number of different ways that may not be apparent from the outside but the normal way the fbi assigns work is by asking the basic question, where did it happen . Reverend have been reassigned to that field office. Where did the bank area coker . In boston so boston works it. Where would the children victimized blacks boston division. With cyberit breaks down because were happened use a lot and up with the random manifestation of a threat coming from someplace on the other side of the year hitting many different places nd United States and it just happens to pop any particular place we think if we assign the work of that random manifestation we may not be at our best so we have the cyberthreat team model we are assigning cyber intrusion work based on who shows the tops to address that threat. Which field office demonstrated the greatest ability to respond and detect and thwart a particular sophisticated adversary . Whichever field office has demonstrated that recall that the strat of this. The strategic office. The physical machines that sits in a particular place recall those the offices that help we called them a the tac office. Those that show themselves greater at the threat even though that physical minyan manifestation will help in little rock. It has the unintended consequence of generating competition you want people to try to steal ownership of the threat i dont mean sneaky but showing you have the chops. That has the effect we come up with the of concept of counterterrorism at requires Response Data moments notice that our horrific that is what we have a flight team that is an expert that have the go bag with the model times they go to hit the spot so we surge expertise at that place. Also with cyber, it is called the cyberaction team or capped where there are experts even the wood is virtual behalf to be prepared to be physically present at the site of the cyberintrusion an emergency even to. These are experts who all over the country are part of the cyberaction team but we live the concept we do nothing alone will bring together a great talent to form a cybertaskforce to have the chops to think about how the threat is moving and most importantly it to get appropriate information the second week to focus ourselves is to steal your talent. New concede that the interest and not tie early aligned but and tired of dealing but to respond to the sophisticated a shortage of cybertrain talent we cannot compete with you on monday. You dont come to the fbi if you did we lie to you. In meaningful pursuits of the American People are want to be transparent about that but that pitch remake back to people is, be a part of the mission that is something that is hard and stressful that does not pay a lot of money how often does that sound . The good news there is a lot of people that want to be a part of that type of mission and to you do good in your time Status Survey last year of over 50,000 young people they ask them to name the ideal employer. Fbi was number five. Apple was number four that is painful to contemplate but we have to be ahead of them attracting people to be a part of this mission one of the major challenges was summed up by one of my daughters who said the problem is you are the may and which i thought was a complement and i said thinking you she said no. That is not a good thing who wants to work for the man . Said you are right bieber wrong because if people will the new with the men and women of the fbi wants to be a part of this mission so we are about to showing people what this is like the fbi is in the addictive life almost nobody leaves a matter what you look like for your background turnover is about the same. 5 it is addictive work soviets trying to show people what it is like to be a part of this mission with the you are the man trap is to be a little cooler than i may appear. To offer them the enterprise that is more agile were not going to beanbag chairs earlier trying to get close to that to make sure these great young people understand the opportunities for innovation and agility that they may not realize that comes from those creative people who joined the fbi to be a cyberspecial agent you need several buckets of attributes of integrity physicality if youre going to carry a weapon and you better be able to run and fight and shoot even if recession to is behind a keyboard. And the high intelligence and special intelligence those are rare attributes High Integrity your high intelligence cannot do a pushup those who can do pushups with anyone to smoke weed on the way to the interview so we need to figure out how to find people High Integrity and physical physicality and intelligence. Can we grow more of our own and then grow our own specialization to meet the need for the talent that we need today at 01 to give away today secrets but are there better ways to offer an interchange between public and private . One of the parts of the fbi culture is you come and you never leave or to make it easier for special agents to leave to go work in the private sector that comeback and work that the fbi. And then be will take great ideas from the people that we hire stealing your talent and focusing ourselves in a better way. Trying to shrink the world the cyberthreat has made everybody in nextdoor neighbor to everybody else. Belarus and boston are neighbors on the internet the bad guys have made is small we have to shrink back on behalf of the good people. On who has what responsibilities at the end of the administration he offer the clarity so to figure out what the bad guys are doing to understand the threat in a great way the department of romance security is for a threat mitigation helping people with hardened targets to avoid being victimized and helping people get back on their feet and for helping to make sure we all have the intelligence we need to mitigate responsibly that should not matter food recall one thing we have gotten better better late does not matter who you report the terrorism threat if you have a tip to a Police Officer or fbi agent does not matter because the information will get to the joint Terrorism Task force almost instantly. We have to get to the same place with cyber. Exactly he was doing what . We have to get to a place and we are pretty darn close that gets to the people who need that to act on it. That should be our responsibility we will make the world smaller maurer Intelligence Analyst even though we did say digital pratt moving at the speed of light if we are wise upon human relationships to strengthen the world we try to impose cost. Ill be added to this earlier, we want to make sure that when a bad actor sits at a keyboard that that will change behavior to the truly a lock people up to impose cost. How we find the cybercriminal . They go one honeymoons we are able to lay hands if we cannot lock people up is important we indicted actors from the Peoples Liberation army in china from iran engaged in Denial Service attacks. A wanted poster if that gets your attention. Then you dream of traveling and many flaws we are dogged people food just gave up recently and to jump out over the aircraft we dont give up your dogged people and that has an impact that changes in behavior to put the breath on the back of our net. Part of this grapples cyberspace is relatively new to all of us and we are trying to establish norms of behavior and among those that we have had with our counterparts in china is an understanding of remark that goes like this. Nation states engage in intelligence gathering. Railways have and always will our job is to catch and stop nation states to steal information for their vantage and steal stuff to make money and in order to prevent this from the nation state engaged in espionage we have agreement with the chinese that the framework makes sense we have seen positive steps toward embracing the framework to understand of criminal activity to help this investigate the criminal activity whether indictment or arrest or prosecution to name or call that out to make people think about us before they put the figures on their keyboard and that requires digital literacy. In the good old days you could execute a search for donna drug location to find a black composition no work no book for they would right who got the key los into got the money the lookouts in the runners but today that same search warrant requires you to take and exploit lawfully come drives, laptops, tablets all digital devices and to do anything in the criminal investigative world requires digital the judges were trying to look at better training and Better Partnership to lift the tide across the United States. The fbi cannot get to all fraud and intrusion. Im told people get emails from these telling you that i and in nigeria. I dont ever need you to wire me money but day rip people off subsidies to a investigate that and that is almost Corporate Partners and the last part of the strategy is we have to get better to work with the private sector. You are the primary targets everything sits on your networks because that is where the bad guys go as a nation state or the of rochester or hacktivists or equivalent of a the bank robber. The majority of intrusions in this country are not reported they are kept from us that we just need to take care of this and get on with our business we need to mediate the threat and paid the ransom and move on with operations. That is a terrible place to be. It is great to hire as private Sector Companies but if the information is not shared with the sale will lobby sari youre kidding yourself if you thank you will be immediate this to go away because it will never go away. Well come back to hit you and your neighbor and your family it is shortsighted to conclude our interests are not aligned when it comes to this people say interest hourlong term or shortterm because of the nature of the threat. Had we get you to talk to us to explain how we operate and why we are practiced and expert trading like the victims that you are. We have gotten very good over the last 100 years to treat victims of Violent Crime like the victims that they are but to make sure they are read victimized by a process in disclosure of personal information so they are not traumatized by our engagement also in the cybercontext the company that suffers the intrusion is a victim and will be treated that way by the fbi. I know that one of the obstacles was a general counsel who was worried about what will happen to the information we share with the government . We will need lawsuits will live violate an obligation . What does that mean with our regulators . Theres too much risk. Lets radiate and move on. Mediate and move on we have a track record of hundreds of investigations to arm protect your privacy we will not share data and we will have an adult conversation at the beginning to explain here is what we will do with the information you will share with us though the general counsel chief Security Officer can make a judgment about the risks and benefits maybe you decide i dont want to cooperate but it is high and the likely that you will. Your main question is what do you need from us . I would suggest this for you to get to know was before there is the intrusion. You all have a significant facility you know, the layout with the Fire Department the generator plant in this setup that and i intellectual property or details but they know when laugh so in the midst of a crisis with smoked bacon find their way to save the lives of the people who work with you every need to get to a similar place. We could respond to the attack on saudi very quickly to read mediated to stop the bleeding because we knew them. Bought their secrets period males but there chief information Security Officer the contours of their network, a physical locations and enough to be on the ground within minutes or maybe even hours because sony had taken the time to get to know us. And armed with that we found our way through smoke to do good which was the victim of a terrible intrusion and attack. If you are a the officer of the private enterprise into dont know someone will have a significant facility, you are not doing your job. Were not looking to know your proprietary information that we need to know if in a difficult circumstance. Is conversations beyond the formal framework for close since the 80s there has been a statute called the classified information procedures act working for of many years that if we give you information and you end up using the criminal prosecution, will you jeopardize our sources or methods . We say no. There is a statute to protect your information but that did not get it done. It took case after case for the fbi to show the cia that it could work and be will protect information that builds a culture of trust and understanding. Like to stand here all day long hubby can protect information we have to show it to you case by case to build a reservoir of trust and hope you will engage in those conversations that is a majority of cyberintrusions and how can we stop that from happening again . And although we havent talked a lot publicly over the last six months i want to talk about the impact of ubiquitous strong description on our worker want to urge you to continue to engage on a difficult subject. The advent of default and strong encryption is the improved me fbi investigates theres always a quarter of a room where the fbi operates for those who have access to encryption and then cover their information. Just when it was getting exciting. That is all the time we have. Thank you laugh laugh so picture a room there is always a corner that is dark with sophisticated actors spies common nation states who would find ways to encrypt their data and find ways of their communications in motion. What has happened since the summer of 2013 that more room has gotten dark as to encryption has become the default but because it is sold on devices and available through a huge numbers of applications become the work of the less sophisticated, and drug dealers, armed robbers, terrorists, of pedophiles and bad people so what happens now is that shadow spreads from of uh corner the quarter. October through december the fbi received to our examiners 2000 devices for which we have Lawful Authority or by the fbi. 1200 of those devices we could not open with any technique. These are devices with armed criminal investigations or with any tool that is the big deal so the question we have to ask ourselves is what do we want . We all values security we should never have to sacrifice one for the other. That is at the center of this amazing country and the bar again goes like this. All of us have a reasonable expectation of privacy in our homes, cars in this vital part to be an american. Without good reason that this of heart of america. The government through Law Enforcement can invade private spaces. The most common example and that is the house to the safe deposit box. Lawenforcement goes to the judge but Law Enforcement can search for ever they told him and seize whatever the judge told them they could. In a domain to freaky route but i think it is true that even memories are not private. And even the communications with spouses and clergy members about this private communications can be justified in corporate 34 in court. That affects National Security cases that the fbi works and it affects criminal case is that the fbi works. Its something we have to talk about. Maybe its a good thing. Maybe its a bad thing but it is not something in my view that she would draft. I dont ever want to get a place for people say to me someday why didnt you tell us that the room is going dark in which you operate and so im not going to let that happen. I am keen to force a conversation about this that people understand the impact so we can have an adult conversation. I know people and ive had lots of great conversations with people who see it differently than i do and thats fine. I may not be right but i hear people say you all can get metadata or you can do lawful hacking. You can develop the secrets and the techniques that would allow you to boston to those 1200 phone so you cant open today. Heres what i dont think people realize. Metadata is very limited, especially when you are talking about an obligation to prove guilt in a criminal case beyond a reasonable doubt. Its a burden that i love and accept that metadata alone is unlikely to get you there in a case involving a pedophile, a gangster or a terrorist. And while having other technical tools can be useful is incredibly expensive and it does not scale. You may be able to develop a tool that we have a search warrant to take a particular device to quantico and open it but it cant be used broadly because its perishable and so it doesnt solve the challenge that state and local Law Enforcement talk to me about all of the lamb. Some folks have said to me arent you suggesting we weaken encryption . You want backdoors. I want either of those things. I actually believe that it is not a question of whether we like strong encryption or weak encryption. I love strong encryption. We use it to protect the fbi information. We believe it is essential to protecting against exactly the cyber intrusions i talked about the strong encryption is a great thing. It allows us to protect people but we also believe that user control of data is not a requirement for strong encryption. We issue personal Electronic Devices to our workforce but we still retain some control over those devices in a response to Lawful Authority. We have the ability to produce, to access those devices and produce information for those devices to the ability to do so by design does not require weak encryption. It does require us to design the system in a different way and i guarantee every business in the United States who is giving their employees devices is doing. Thats why describe it not so much as a technical issue but as the Business Model issue. That doesnt necessarily solve the problem but it frames it in a way that makes more sense. Heres the deal though. It is not the fbis job to tell the American People how to live. Our job is to investigate. I think their job is to tell folks that when our tools are becoming less effective you ought to know about as he can figure out what to do. I also dont think its the job of Tech Companies to tell the American People how to live. Their job is to innovate and to sell great stuff, stuff that i love but its not our job or their job to decide a question that is at the heart of how we govern ourselves. I think its the American Peoples job to figure out how we want to live and how i want to govern ourselves. To have that conversation which is really hard we need to do a few things. We need to stop Bumper Sticker in each other. There are no evil people in this debate. Theres all this effort to get the fbi in to apple even though they are the number for employer. We are number five. I love their stuff. They are not evil people. They may weigh things differently than i do and thats okay. I see the world differently. Maybe i see the world to dark he maybe they see it not darkly enough because they live where its sunny all the time. I dont know but there arent evil people in this conversation. They are people who share the same values and selling to stop Bumper Sticker in each other and we need to stop tweeting at each other. We need to find the space to have a hard conversation about how we want to be. We need time, we need space, we need information and we need an understanding that everyone is approaching this debate with an open mind and a genuine respect for the rule of law and for privacy and public safety. So my hope is that we dont drift, that we used the opportunity of a new year to have a fresh conversation about what we can do, what might we do that helps optimize both of those values. The Cyber Threats we face are enormous. I dont know if we can stay ahead of them and i think to say otherwise would be hubris. Standing in the middle of the greatest transformation in Human History all of our lives are changing in incredible ways. I think it requires a humility on the part of the fbi and all of us who care about this issue to understand we may not know enough we may not be smart enough and we may not be smart enough but starting with humility allows us to make other decisions. We have to be humble enough to know okay we are pretty good though we can be a lot better. We need to ensure that cybersecurity is a priority for every enterprise in the United States at all levels. We need to get better and faster at sharing information in appropriate ways. We need to make sure we have the right people on board to help us fight that threat and we need to build trust between trust and most of all we need to work this together because the world has shrunk making all of us good people next arent a process well. Thank you for being part of that conversation and thank you for being part of that solution. Think solution. Thank you prayer willingness to try and make us safer. I appreciate you listening to me. [applause] i have 10 minutes. Ask me tricky questions. Yes sir. [inaudible] [inaudible] the fbis business is not cyber offensive capability so im not expert enough or foolish enough to start answering that part of the question. I can answer your question about how companies should think about self help in that regard. Dont do it. Its a crime. Dont do it. Its not only against the law but it runs the risk of tremendous confusion and in a crowded space and i know thats a frustrating answer often and maybe someday our country will change the law but the hacking could cause all kinds of complications for things we are trying to do to protect you. My ask what the good you shouldnt do Something Like that but before you considered you should talk to us and consider how we might be able to help. [inaudible] [inaudible] [inaudible] thats a great question. The question is what more can we do especially for small and Mediumsized Enterprises . Find a way to be part of and there are many different ones and information sharing Alliance Within your sector. And find a way to build a relationship with us even if you are a small enterprise to become part of for example the guard where you will get information from us that is useful to you i hope and thats something i should have said. What we are trying to do inside the bureau is to default to share and that requires a cultural change for us. When i want to share things with you because you are outside of us and we worry very much about sources and methods that what we have come to realize is whether its a Small CompanyMedium Company or a big company you dont need to know our sources and methods just as we dont need to know whats in your memos. We need indicators of compromise. We need the fingerprints of the bad guys so thats really what you need from us so we are working very hard to default to share, an approach where you dont need to know where we got it from and you dont need to know our valuation but look for these i. D. Ranges in these indicators. Thats a little more complicated than people may realize because oftentimes the information that we get is another agencys information so it comes to us and those of you over to the government will know it comes to us with an originator controlled obligation attached to but the fbi is not allowed to share with anybody else without going back to the original source. So its bigger than just the fbi changing but i think we are Getting Better at it. What i tell Small Enterprises is connected and for guard and an Alliance Within your sector. If you are not part of either of those find a way to get our Cyber Task Force people in the full find ways to get you the indicators that you need. Two years i heard director mueller talk about the changing changing [inaudible] can you talk about where the fbi is going in this important area . Thats a great question and its a challenge that im sure you understand given the purity of the urgent its difficult for us to find the mind space to think beyond that inbox into what might be coming over the hill. There lots of different ways in which were trying to do it in one of his talking about exclusively to make sure that we have a focus on strategic intelligence in every part of the fbi. We rewrote her vision statement recently to make a short but also to capture this notion. We want to be ahead of the threat. Leadership agility and integration and everyone has been forced to watch man video say this and people will groan when i go into it again. Ahead of the threat they need to weigh the bad guys are trying to hurt people today are using different techniques. We need to adjust. As importantly we need to be ahead of the threats we are not facing yet. Something is coming over the hill to hurt the American People that we cant see from our side of the hill we have to have the space time and people to climb the hill and look out over to anticipate whats coming next and i wont bore you with the details but a big part of it is people. Deploying people and saying your job is not to work a case. Your job is not to be an Intelligence Analyst supporting todays effort. Your job is to sit there and think these thoughts and to meet with academia and the private sector and think about what is coming over the hill and we have gotten better at that, gotten some great talents into the organization and put them in an ivory tower and wall them off so they can think well but we are not as good as we need to be yet. Thats probably the best way to describe where we are. [inaudible] [inaudible] thats a great question. Health Care Enterprises face all the same challenges that the rest of us do. Oftentimes we have discovered a lot of hospitals and other medical facilities talk about securing of the urgent are so busy and shorthanded often they dont have adequate backups for their systems and so when theyre hit with a Ransomware Attack in their files are all locked up their reaction is oh my lord we have to pay this ransom or as we can deliver care to our patients and so i think its a special need in the Health Care Sector to focus on preparing for that day because its disastrous to pay the ransom. When you pay the ransom the plague is just going to spread to more of us. We are trying to find the people behind this and physically locked them up. We have to make it unprofitable for them because they have hit a few small hospital chains around the country and we have had circumstances where people paid the ransom and that led to more attacks because they suddenly see the Health Care Sector. All the normal hygiene things i would talk about patching and things like that but please focus on your ability to recover from a Ransomware Attack. Today all of your system was locked up what would you do . I hope the answer is we go to the backup is the a backup multiple times a day so we have all the patient records there. Into many places thats not sure when thats a recipe for a real problem. I have now run out of time so thank you for this. I hope i will see you again. Thank you for helping us fight this scourge. [applause] congressmen you begin your career but redoing . I got into specialized units and louisiana called task force which is a general crime suppression unit and then i went to homicide. I was one of the youngest homicide investigators ever in the city of chicago. I did that for about seven years a very good line of work and its rewarding when you catch people that have done terrible things