Inaugural gathering. I hope there will be many more. It's the perfect place for the reasons that Hank Shaw said, not just because of the challenges and opportunities in this great city in this region, but because Boston College is a leader in thinking and educating on these incredibly important issues. So this is a great place to have it. Hope you will do it many more times. You are stuck with me for about another six and a half years, and so I would love to be invited back again. Obviously a place called Irish Hall is a neat place to have this, given my background. What I want to do is share with you some thoughts about how the FBI thinks about the threat we all face and how the FBI is trying to address that threat. A key part of that approach is going to involve the partnerships that Special Agent in Charge Shaw referred to. Once I am done yammering with you, I'd love to be quiet and take some questions. Hope we have time for that. You can ask me about anything. I'm very slippery. I will avoid things I don't want to talk about, but the questions have to come from the tables, not from our partners in the back. Begin by talking about the threat. To state the obvious, the threats are too fast, too big and too widespread for any of us to address them alone. The way we think about fighting terrorism is very similar. The threats are hard to see. They're moving quickly. We need to work together to address them. That is every bit as true when it comes to cyber threats. So let me start with who we think of as the bad actors. I think of it as a stack of bad actors, kind of an evil layer cake. At the top of that stack from the FBI's perspective are nation-states. Think China, Russia, Iran, North Korea. That's the top of the stack we focus on.
Just below that, and often closely related, are multinational syndicates that are involved in increasingly specialized roles to steal information, to steal money, to steal innovation through the cyber vector, oftentimes doing it on behalf of nation-states and oftentimes doing it on behalf of anybody else who's willing to pay for it. So nation-states, international cyber syndicates. The next layer down, actually the group we would lump together under the insider threat. That is employees, workers, contractors who for any number of motivations might be moved to penetrate a network that is well defended from the outside by penetrating it from the inside. They can be motivated by personal grudges, by ideological beliefs, by money. Next down the stack, hacktivists. This is a motley group of people of all different kinds of motivations, some political, some financial, some emotional, trying to conduct cyber intrusions. At the bottom of the stack, terrorists. The reason I put them at the bottom of the stack is that terrorists are adept at using the internet to communicate, to recruit, to proselytize, but they have not yet turned to using the internet as a tool of destruction in the way that logic tells us certainly will come in the future. Those are the threat actors. How do they operate? They are increasingly sophisticated, focusing on larger targets and looking to exploit the weakest link, which is human beings. Because as strong as we make our intrusion detection systems, as good as we are at patching, as good as our firewalls are, you're only as good as the cybersecurity, the cyber hygiene of our employees. So the whole stack is focused on social engineering, to find out how our people think and work and operate, and see if there isn't through that expanded attack surface a way into even a well-defended network. What are they after? Obvious: information, access, advantage. It's not just even about the loss of data. Increasingly we are worried about the corruption of data.
Think about the harms someone could do by an intrusion at the blood bank and changing blood types, an intrusion in a financial institution and changing just a few digits in the holdings of an institution. And of course we're worried about the lack of access to data that shuts the business down. Think Sony, which I want to talk more about in a second. The impact is obvious as well. These are more than just attacks on our infrastructure. They are attacks on employees and customers. They are attacks on reputation. They are attacks on our economy and our security, and they're increasingly attacks on our fundamental rights, the rights guaranteed to us as free people, especially here in this great country. So what can we do? We cannot prevent every attack. The attack surface is too big. The weakness of systems and people pronounce ubiquitous, but this behavior is subject to deterrence. People conducting cyber intrusions are not high on crack. They are not motivated and inflamed by jealousy or some passion that often motivates people to bad acts. There is a lot of thinking that goes into cyber intrusions, and in that thinking we believe is an opportunity to influence behavior, to cause, and post some process on people is to put fingers to keyboard. To do that we believe we have to be more predictive and less reactive. We think there are three things that we can do together to address this threat. First, reduce vulnerabilities overall, and that involves us in the FBI helping you in the private sector and our partners in the government understand what are the bad guys doing, how are they coming after us, what are the tactics, techniques, what are their fingerprints? By sharing that information we allow you to harden your targets against the bad guys. I also think part of this is making cybersecurity a priority at all levels. I'm talking to a group of people who get it, but it's very, very important that cybersecurity not be one risk assigned to some guy in the basement of your enterprise to focus on.
Because the threat threatens the entire enterprise, so it must be thought of as an enterprise risk. It must be thought of at the board level, at the C-suite level, as something that has to be embedded in every single thing that an enterprise does. Second, we've got to work together to try to reduce the threat. I talked about that and I will hit that more when I explain exactly what the FBI is doing. We need to find people responsible for the intrusions and hold them accountable in order to force upon bad actors some reflection before the act. The third thing is, once any of us are hit, we have to be effective at mitigating the damage. We think we have a role to play there in helping victims understand just what has happened to them so they can get themselves back on their feet. That's what we think we can all do together, but I want to focus on exactly what the FBI strategy is to win as questioned you can poke at it and give me feedback. There are five parts to the FBI's strategy to address all things cyber, and they are pretty simple. First, we are trying to focus, and by that we mean focus ourselves in a better way. We're doing that in a number of different ways inside the FBI that may not be apparent to you from outside, so I want to go into some detail here. The normal way the FBI assigns work is by asking a basic question: where did it happen? Wherever it happens, we assign it to the field office where the place is. So where did the bank robbery occur? It occurred in the Boston Division, so the Boston Division will work it. Where were these children victimized and harmed? That happened in the Boston Division, so the Boston Division will work it. When it comes to cyber, that framework breaks down, because where it happened, if that's all you ask, you may end up with some fairly random manifestation of a threat that is coming from someone on the other side of the earth that is hitting many different places in the United States and around the world.
It just happens to pop in a particular sign in the intrusion in a particular place. And we think if we assign the work based on that often random manifestation of a threat, we may not be at our best. So we developed something called the Cyber Threat Team model, where we are doing something new to assign work in the FBI. We are assigning cyber intrusion work based on who shows the chops to address that threat. Which field office has demonstrated the greatest ability to respond, detect, respond to afford a particular sophisticated adversary sort. Whichever field office demonstrates that the best, we would give it to that field office. We call that the strat office. Strategic office. And then, because physical manifestation is a real thing and there are executives that need to be talked to, victim enterprises that have to be visited and interviewed, physical machines that have to be examined that sit in a particular place, we allow up to four other offices to help, and we call those the tactical offices. To make sure this doesn't become chaotic, air traffic control for this effort is run from the Cyber Division at headquarters. A particular field office that showed itself great at a threat, even though the physical manifestations of the intrusion are in Indianapolis and Seattle and Dallas, those offices will help Little Rock; it will go to Little Rock if they have shown very good against this threat. This has the not-unintended consequence of generating competition in the FBI. We want people working to try and steal ownership of a threat from other parts of the enterprise. I don't mean steal by being sneaky. By showing we've got the chops. In Boston, you ought to give us this aspect of the Chinese threat because which and we can work it in a great way. We think it will have the effect, that competition, of lifting the entire cyber program in a good way. Second, we've come up with a concept that we borrowed from the world of counterterrorism.
Because counterterrorism requires response at a moment's notice that a horrific and maybe anywhere around the country, around the world. We have what are called fly teams when it comes to terrorism. Experts in different aspects of responding to an attack who have a go bag with them at all times. When something happens in the United States, around the world, the fly team goes and hits that spot. So we surge expertise to that place. We will go with the same sort of thing with cyber, with something called the Cyber Action Team, CAT, where we have experts who know at a moment's notice they have to be prepared, even though it's a virtual world, they have to be prepared to be physically present at the site of a cyber intrusion and emergency that. These are experts who are all over the country, but they're part of the Cyber Action Team and know that's one of their responsibilities. And last, in every field office, to make this work, we have cyber task forces. Where, as you heard from Hank Shaw, we live the concept that we do nothing alone. We bring together great talent from throughout a division like Boston to form a Cyber Task Force so we have the chops in each of our field offices to respond to threats, to collect evidence, to think in a great way about how the threat is moving. And most important way to the cyber task forces, to share information with the private sector and get appropriate information from the private sector. So that's one way we're kind of focusing ourselves. The second way we're trying to focus is stealing your talent. By stealing the great people who work for you, and you can see our interests are not entirely aligned here. By attracting great talent to work for the FBI, to respond to this sophisticated threat. We all face the same challenges. A shortage of cyber-trained talent. Here's the challenge we face. We cannot compete with you on money. You have more money to pay people than we do. You don't come to the FBI for the living.
If you did, we lied to you during the recruiting process. There's no going back. We compete with you by telling everyone your lives are empty pursuits of money. Ours are meaningful pursuits of the protection of the American people. We badmouth you up a storm. I want to be transparent about that, but the pitch we make to people is, come be part of this mission. Come be part of something that is really hard, that is really stressful, that does not pay you a lot of money, that does not offer you a lot of sleep. How awful does that sound? The good news is there's a whole lot of people, young people, who want to be part of that kind of mission, want to be part of doing good for a living. The New York Times did a survey I read last year of over 50,000 young people and asked them to name the ideal employer. 50,000. The FBI was number five. Apple was number four, which is a painful thing to contemplate. Not that it's not a great company, but we've got to be ahead of them in terms of attracting people to be part of this mission. One of our major challenges is summed up by one of my daughters, who said to me that, "The problem is you are the man," which I thought was a compliment, so I said, "Thank you. I am the man." [laughing] And she said, "No, I don't mean that in a good way. The problem is you are the man. Who would want to work for the man?" My reaction is, you are right but you are wrong, because if people really knew what the men and women of the FBI are like, they would want to be part of this mission. So we are about to get out across this land and show people what this is like. The FBI is an addictive life. Almost no one leaves. No matter what you look like, no matter what your background, if you become a special agent, our turnover is about the same. About .5%. It is addictive work. We are about trying to show people, including your talent, what it's like to be part of this mission. Part of avoiding this "you are the man" trap is to be a little cooler than I may appear.
To offer these talented young people an enterprise that is more agile than they might expect. We are not going to beanbag chairs and granola and whiteboards, but we're trying to get close to that, to make sure these great young people understand that although we are enormous, there are opportunities for innovation and agility inside the FBI that they may not realize. New responses to old problems will come from those creative young people who join the FBI. Something else we face as a challenge: to be a cyber special agent at the FBI, you need several buckets of attributes. We need integrity, nonnegotiable. We need physicality. You are going to carry a weapon on behalf of the United States of America, you better be able to run, fight, shoot. Even if youre specially keeps you got a keyboard. And we need high intelligence and a specialized kind of intelligence. Those are rare attributes in nature. We will often find people of high integrity, intelligence, who can't do a pushup. We might find people who can do pushups and a great guy to computer, but they want to smoke weed on the way to the interview. So we need to figure out how to find people of high integrity, physicality and intelligence. One of the things we're considering is, can we grow more of our own? Attract those great people of integrity, physicality and intelligence and then grow our own specialization inside the FBI, to meet the need for the talent we have today. So I don't want to give away too many more of our secrets about how we are going to approach this. Among the things we're trying to think about is, are there better ways to offer an interchange between public and private? One of the parts of our FBI culture is you, and you never leave. We think differently about that? We make it easier for special agents to leave and work in the private sector and come back and work at the FBI? Our mind is open to whatever will make sense, and we're going to take great ideas from jim people that we hire.
Within a focus on stealing your talent, focus on focusing ourselves in a better way. That's the first. Second, we are trying to shrink the world. The cyber threat has made everybody a next-door neighbor to everybody else. Belarus and Boston are next-door neighbors on the internet. The bad guys have made it small. The way we have to respond is by shrinking it back on behalf of the good people. The first thing we need to do is make sure we are clear inside the government who has what responsibilities. At the end of President Obama's administration he offered us the clarity that some an episode wanted that makes good sense. The lanes in the road, I hope you know if you're at this conference: the FBI is responsible for threat response, to figure out what the bad guys are doing, respond to intrusions, to understand the threat in a great way. The Department of Homeland Security is responsible for threat mitigation. We are especially helping people harden the targets to avoid being victimized, and once they are victimized, being great at helping people get back on their feet. The Director of National Intelligence is responsible for making sure we all have the intelligence we need to understand the threat and to mitigate it responsibly. Here's the deal. It shouldn't matter who you call. One of the things we've gotten better at as a country since September 11th is it doesn't matter to the report that terrorism threat. If you cant find you walk up to a sheriff or to a police officer or to an FBI agent, it doesn't matter. The information will get to the Joint Terrorism Task Force almost instantly. We have to get to the same place when it comes to cyber. It's not your job in the private sector to figure out exactly who is doing what. I think we have clarity, but you don't need to remember that. We have to get to the place, and we're getting close, where no matter whoever you offer information to, it gets to the people who need to act on it. That should be our responsibility and not yours.
And then around the world we will make the world smaller by forward deploying our people. More cyber attaches, special agents embedded in the prisons around the world, and intelligence analysts who specialize in cyber. Even though it's a digital threat moving at the speed of light, it relies upon human relationships to shrink the world for the good people against the bad people. Third, we're trying to impose costs. I alluded to this earlier. We want to make sure that when a bad actor sits at a keyboard they feel our breath on their neck. We believe if they feel our breath on their neck, that will change behavior. We have to literally lock up people who engage in cyber intrusions, to impose costs. And oftentimes people think, they're halfway around the world, how are you going to find a cyber criminal? Cyber criminals vacation, too. They go on honeymoons. They go to visit friends. And by getting together the good people of law enforcement and national security, we're able to lay hands on those people much more often these days than ever before. That imposes a cost that makes the others think about us. Even if we can't lock people up, we think it's important to call out the conduct, to name and to shame. We did that two years ago by indicting actors of the People's Liberation Army of China, and we did it by indicting actors in Iran in 2012-2013. We believe that has real effect. A wanted poster with your face on it, even if you sit halfway around the world working for another government, gets your attention. And even if you're working for another, halfway around the world, you, too, dream of traveling. You dream of your children going abroad to be educated. We have many flaws because we're human beings in the FBI. We are dogged people. We just gave up on D.B. Cooper recently, I think. Took us over 50 years to give that one up. A man jumped out of an aircraft over the Cascades. We don't give up. We are dogged people who do not forget everything that has an impact on people.
We think it changes behavior and puts that breath on the back of our neck. And part of this is grappling as a committee of nations towards norms. Cyberspace is relatively new to all of us and we are bit by bit trying to establish norms of behavior. And among the key norms that we've had discussions with our counterparts in China about over the past two years is an understanding of a framework that goes like this. Nation-states engage in intelligence gathering. They always have, they always will. Our job in the FBI is to catch and stop nation-states from trying to steal information for their advantage as a nation. That goes on. It will always go on. We will try to get better. They will try to get better. What nation-states do not do and cannot do is steal stuff to make money. To steal innovation, to steal formulas, to steal plant seeds in order to benefit commercial enterprise. That is criminal behavior. That is very different from the actions of the nation-state engaged in espionage. Believe it or not, since the indictment of the three PLA actors two years ago, we have agreement with the Chinese that the framework makes sense, and we have seen positive steps towards them embracing that framework and understanding the difference between nation-state conduct and criminal activity and helping us investigate the criminal activity. So we're working very hard, whether it's through indictments, arrest, prosecution or simply naming and calling it out, towards establishing a set of norms and making people think about us before they put their fingers on the keyboard. The fourth thing we're trying to do is help our state and local partners deal with the fact that almost every criminal investigation today requires digital literacy.
In the good old days, for those of you who have been around for a while, you could execute a search warrant on a drug location to find one of those black composition notebooks where the morons would've written who got how many kilos and who got what money and that would split up and who is going to do what, who were the lookouts, who were the writers, who were the enforcers. Today that same search warrant requires you to take and exploit lawfully thumb drives, PDAs, laptops, tablets, all manner of digital devices. To do anything in the criminal investigative world requires digital literacy. One of the pieces we're trying to add as value to American law enforcement is better training, that a partnership, or equipment to lift the tide of digital literacy across the United States. So the FBI, as big as we are, simply can't get to all frauds, all intrusions that are coming in through the internet. I'm told people get emails from me saying I'm in Nigeria, I need you to wire me money. I'm not in Nigeria. I don't ever need you to wire me money, but those frauds rip off people, especially old folks, vulnerable people. And someone needs people to investigate that in a good way, and that is almost always our great partners of state and local law enforcement, and we think we can help them do that in a good way. The last part of our strategy is probably the most important to this conversation. We have to get better at working with the private sector. You in the private sector are the primary targets of cyber intrusions. Because the data, the innovation, the money, everything sits on your networks, because that is what sits, that's what the bad guys go whether they're a nation-state, a hacktivist or a fraudster or the functional equivalent of a bank robber. Here's a depressing fact. The majority of intrusions in this country are not reported to us. They are kept from us by companies who think, we just need to take care of this thing and get on with our business. We don't need to be entangled with the feds.
It will be such a hassle. We need to remediate this threat, and sometimes, wrong, very, very wrong in my view, we need to pay this ransom and move on with our operations. That is a terrible place to be. It is a great thing to hire the actual private sector companies that are available to do attribution and remediation, but if the information is not shared with us, we will all be sorry, because you are kidding yourself if you think, I'll just remediate this thing and it will go away. Because it will never go away. It will be back to hit you, hit your neighbors, your families. It is shortsighted to conclude that our interests are not aligned when it comes to this. Oftentimes people think the FBI's interest is long-term, mine are short-term. We have the same. They are the same interest because of the nature of the threat. How are we going to get you to talk to us more? By yammering at you constantly. To explain to you how we operate and why we are practiced and expert at treating you like the victims that you are. We have gotten very good over the last 100 years at treating victims of violent crime like the victims that they are and making sure that they are not re-victimized by a legal process, by the disclosure of personal information, so they are not re-traumatized by our engagement. We've also gotten very good at doing that in the cyber context in a way people may not realize. A company that suffers an intrusion is a victim and they will be treated that way by the FBI. We know, because I was a general counsel at a company, that whatever obstacles are that we need conservative general counsel. I was a general counsel who was worried about what would happen to the information we share with the company. Will it hurt us in the competition? Will there be lawsuits? Will violate? What will it mean with our regulators? How will this all work? There's too much risk. Let's remediate and move on. Well, we think we have a compelling case to make.
Based on a track record of hundreds and hundreds of investigations, that we protect your privacy. We will not share data about your employees and your operations, and we'll have an adult conversation at the beginning to explain, here's what we will do with the information you share with us, so that you, as a joke alta, a chief security officer, a CEO, can make a judgment about the risks and benefits. Maybe after you have that conversation you decide, I don't want to cooperate, but I think it's highly likely, once you understand how we operate, that you will. Your main question to us when you're a victim is, so what do you need from us? Well, I would suggest to you what we need from you is for you to get to know us before there is an intrusion. I guarantee that all of you who have significant facilities have a relationship with the fire department. The fire department knows your layout, knows your standpipes, knows your generator plant, knows the status of your operation. They don't know the details. They don't know your intellectual property. They don't know any of your proprietary information, but they know enough so that in the midst of a crisis with smoke all around they can find the way and save the lives of the people who work with you. I think we need to get to a similar place. We were able to respond to the attack on Sony very, very quickly and remediate it, stop the bleeding, because we knew Sony. We didn't know their proprietary information. We don't know any of their secrets. We are not reading the emails, but we knew their chief information security officer. We knew the basic contours of the network. We knew the physical locations. We knew enough to be on the ground within minutes, hours probably, maybe even minutes, to try to begin to work that. Because Sony had taken the time to get to know us. And armed with that, we found a way through a whole lot of smoke to do some good for Sony, which was a victim of a terrible intrusion and attack.
If you are the chief information security officer of a private enterprise, and you don't know someone at every single FBI office where you have a significant facility, you are not doing your job. Know that you're pushing on an open door. Again, we're not looking to know your proprietary information, but we need to know you in a way so we can help you in a difficult circumstance. A part of building this relationship of trust is conversations beyond the formal framework. Since the 1980s there's been a statute on the books and the trainee called the Classified Information Procedures Act. One of the CIA's worries in working with the FBI for many, many years was, if we give you people information and you use a criminal prosecution to disrupt terrorists or spies, will you jeopardize our sources and methods? And we would say for years, no, there's a statute that provides that we can protect your information. But that didn't get it done, actually. It took case after case after case over 20 years for the FBI to show the CIA that that actually will work, that we will protect your information. We will not burn your sources and methods. That built a

In October, November, December, the FBI received to our examiners 2800 devices for which we had lawful authority. These were devices seized by state and local law enforcement or by the FBI. 1200 of those devices, or 43 percent, we could not open with any technique, any technique. These are devices recovered in armed career criminal investigations, gang investigations, pedophile investigations, terrorist investigations, counterintelligence investigations. With any tool, we could not open 43 percent of those devices. That is a big deal. And the question we have to ask ourselves is, what do we want? We all value privacy, I hope. We all value security. We should never have to sacrifice one for the other.
Our founders struck a bargain, and it's at the center of this amazing country of ours and has been for over two centuries, and the bargain goes like this: in our great country, all of us have a reasonable expectation of privacy in our homes, in our cars and in our devices. It is a vital part of being an American. The government cannot invade our privacy without good reason, reviewable in court. That's the heart of America. It also means that with good reason, reviewable in court, the government through law enforcement can invade our private spaces. That's the bargain of ordered liberty. The most common example is if law enforcement has probable cause to believe there is evidence of a crime in some space that you control, whether that's your house or safe-deposit box or a car, law enforcement goes to a judge, makes a showing of probable cause and gets a warrant. Then law enforcement can search whatever the judge told them they can search and seize whatever the judge told them they could seize. They can take whatever the judge permitted them to take. Here's something that I don't mean to freak you out with, but I think is true: even our memories are not absolutely private anymore. Any of us can be compelled in appropriate circumstances to say what we remember, what we saw. Even our communications with our spouses, our clergy members, with our attorneys are not absolutely private in America. In appropriate circumstances, a judge can compel any one of us to testify in court about those private communications, and they are really important to the strength of law enforcement, as they should be, but the general principle is one we've always accepted in this country. There is no such thing as absolute privacy in America. There is no place in America outside judicial reach. That's the bargain. We made that bargain over two centuries ago to achieve two goals: to achieve the very important goal of privacy and to achieve the important goal of security.
Widespread encryption changes that bargain. It shatters the bargain. And there's something seductive about the notion of absolute privacy. I love privacy. I have an Instagram account, I have nine followers. They are all immediate relatives, and one daughter has a serious boyfriend; I let him in because I think it's going to work out. I don't want anybody looking at my pictures, not inappropriate pictures, but they are pictures of my life, where I travel, things I see and pictures of my children. I don't want anybody seeing them. I love privacy, but I also love and live by the bargain that I talked about that is at the heart of ordered liberty. If we are going to move to a place where wide swaths of American life are off-limits to judicial authority, that's a different way to live. That is a change of something at the heart of our country. It affects national security cases the FBI works, it affects criminal cases the FBI works. It is something we have to talk about. Maybe it's a good thing, maybe it's a bad thing, but it is not something in my view we should drift to. We don't ever want to get to a place where people say to me someday, how come you didn't tell us the room was going dark in which you operate? I'm not going to let that happen. I am keen to force a conversation about this, so that people understand the impact and we can have an adult conversation. I know people, and I have lots of great conversations with people who see it differently than I do, and that's fine, I may not be right, but I hear people say, you all can get metadata, or you can do lawful hacking. You can develop the secrets, the techniques that would allow you to tap into those phones that you can't open today. Here's what I don't think people realize. Metadata is very, very limited, especially when you are talking about an obligation to prove guilt in a criminal case beyond a reasonable doubt, which is a burden that I love and accept.
But metadata alone is unlikely to get you there in a case involving a pedophile, gangster or terrorist. And while having other technical tools can be useful, it's incredibly expensive and it does not scale. You may be able to develop a tool that, when you have a search warrant, to pick a particular device in Quantico and open it, but it can't be used broadly because it's perishable. So it doesn't solve the challenge that state and local law enforcement talk to me about all over the land. Some folks have said, are you suggesting we weaken encryption? You want backdoors? I don't want either of those things. I actually believe that it is not a question of whether we like strong encryption or we like weak encryption. I love strong encryption. We use it to protect the FBI's information. We believe it is essential to protecting against the kind of cyber intrusions I talked about. Strong encryption is a great thing. It allows it to protect people, but we also believe that user control of data is not a requirement for strong encryption. I'll give you an example from the FBI. We issue personal electronic devices to our workforce. But we still retain some control over those devices, and in response to lawful authority, we have the ability to produce, to access those devices and produce information from those devices. The ability to do so by design does not require weak encryption. It does require us to design the system in a different way, as we guarantee every business in the United States is grooming their employees' devices is doing. That's why I described it not so much as a technical issue but as a business model issue. That doesn't necessarily solve the problem, but it frames it in a way that makes more sense. The deal though. It is not the FBI's job to tell the American people how to live. Our job is to investigate. I think our job is to tell folks that our tools are becoming less effective, we want to know about it so we can figure out what to do.
I also don't think it's the job of technical to tell the American people how to do their job as innovators. We can celebrate stuff, stuff that I love. This is our job or their job to decide a question that is at the heart of how we govern ourselves. I think it's the American people's job to find out how we want to live and govern ourselves. To have that conversation, which is really hard, we need to do a few things. We need to stop bumper-stickering each other. There are no evil people in this debate. All this effort to put the FBI against Apple, even though there the number for employer and where the number five, they are an awesome company. I love their stuff. They are not evil people. They may weigh things differently than I do, that's okay. I see the world differently, maybe I see the world too darkly given what I see. Maybe they don't see it darkly enough, they don't know what they are the evil people in this conversation. They are people who share the same values. We need to stop bumper-stickering each other, stop tweeting at each other. We need to find the space to have a really hard conversation about how we want to be. We need time, we need space, we need information and we need an understanding that everyone is approaching this debate with an open mind and a genuine respect for the rule of law and for private and public safety. So my hope is that we don't drift. That we use the opportunity of a new year to have a fresh conversation about what can we do? What might mediate we do that optimizes both those values. Cyber threats we face are enormous. I don't know if we can stay ahead of them. And I think to say otherwise would be hubris. We're standing in the middle of the greatest transformation in human history. All our lives are changing in incredible ways.
I think it requires humility on the part of the FBI and on all of us who care about this issue to understand we may not know enough, we may not be smart enough or fast enough, but starting from humility allows us to make better decisions. We have to be humble enough to know we are good but we can be a lot better. We need to ensure that cyber security is a priority for every enterprise in the United States at all levels. We need to get better and faster sharing information in appropriate ways. We need to make sure we have the right people to help us fight that threat, and we need to build trust between government and the private sector. Most of all, we need to work with this together because the world has shrunk, making all of us, good people, next door neighbors as well. Thank you for being part of that conversation, thank you for being part of that solution, thank you for your willingness to try and make us safer. I appreciate your questions. [applause]

Okay, I have 10 minutes. Ask me tricky questions. Yes sir.

[inaudible]. And would you also have advice for the companies about using cyber for these dangerous places?

The FBI's business is not cyber offensive capabilities, so I'm not expert enough or foolish enough to start answering that part of the question. I can answer your question about how companies should think about self help in that regard. Don't do it. It's a crime. Don't do it, and it's not only against the law but it is, it runs the risk of tremendous confusion in a crowded space. I know that's a frustrating answer often, and maybe someday our country will change the law, but the hacking would cause all kinds of complications for things we are trying to do to protect you. So my ask would be, before you do something like that, but before you consider it, you should talk to us and see what we might be able to do to help. From the table, sir?

[inaudible]. [inaudible] what more can you do when you don't have the elevation to support this natural project.
That's a great question. The question is what more can we do, especially for small, medium size enterprises? Find a way to be part of the many different ones, an information sharing alliance within your sector. And find a way to build a relationship, even if you are a small enterprise, in part, for example, of the InfraGard effort that we run, where you will get information from us that is useful to you, I hope. That's something I should've said. What we're trying to do inside the bureau is to default to share, and that requires a cultural change for us. We want to share things with you because you are outside of us, and we worry very much about sources and methods, but what we come to realize is, whether it's a small company, medium company or large company, you don't need to know our sources and methods, just as we don't need to know what's in your memos. We need indicators of compromise. We need the fingerprints of the bad guys. That's what you need from us, and so we are working very hard to default to share, this tear-line approach where you don't even know where we got it from, you don't need to know our evaluation, need to know for these IP ranges or indicators. That's a little more complicated than people may realize because oftentimes the information that we get is another agency's information, so it comes to us, those of you who worked in the government would know, it comes to us with an originator control observation attached to it, where the FBI is not allowed to share with anybody else without going back to the original source and asking. So it's bigger than just the FBI changing, but I think we're getting better at it. That's what I would tell the small enterprises: connect to InfraGard, connect to an information sharing alliance of some sort. Even if you're not part of either of those, get to know our Cyber Task Force people and we will get you the indicators that you need. Yes sir.

[inaudible] healthy they thought we needed to be more proactive.
Talk about risks with the FBI culture being so proactive and an important area.

That's a great question. It's a challenge that I'm sure you'll understand, even the tyranny of the urgent. It's often difficult for us to find the space and time, mind space, to think beyond that inbox and what might be coming over the hill. There's lots of different ways we are trying to do it. One is talking about it explicitly to make sure that we have a focus on strategic intelligence in every part of the FBI. We rewrote our vision statement recently to make it short but also to capture this notion. We said we want to be ahead of the threat with leadership, agility and integration. Everybody in the organization has been forced to watch me on a video say this, but ahead of the threat in two ways. Ahead of the threat meaning the way the bad guys are trying to hurt people today, they are using different techniques. We need to adjust, but as importantly, we need to be ahead of the threats we are not facing yet. Something is coming over the hill to hurt the American people that we can't see from our side of the hill. We have to have the space and time and the people to climb the hill and look out over to anticipate what's coming next. So I won't bore you with the details of how we're doing that, but a big part of it is people. Deploying people and saying your job is not to work in case. Your job is not to be intelligence analyst supporting today's effort, your job is to sit there and think deep thoughts, to meet with academia, meet with the private sector and think about what's coming over the hill. And we've gotten better at that, we've had great talent for the organization and put them in an ivory tower, while the mall so we don't bug them during the day so we can think well, but we are not as good as we need to be yet. That's the best way to describe where we are. Ma'am.

[inaudible] I wonder if you could what messages in healthcare and critical infrastructure.

That's a great question.
Healthcare enterprises face all the same challenges that the rest of us do. The recent plague is important for them to focus on, and that is the ransomware plague. Oftentimes, we discover that a lot of hospitals and other medical facilities, talk about the tyranny of the urgent, are so busy and so shorthanded often, they don't have adequate backups for their systems, so when they are hit with a ransomware attack and their files are all locked up, the reaction is, oh my lord, we have to pay this ransom, otherwise we can't deliver derivation. So I think it's a special need in the healthcare sector to focus on preparing for that day because it's disastrous to pay the ransom. Because when you pay the ransom, the plague is going to spread to more of us, and we are trying to find the people behind this and physically lock them up. But we have to make it unprofitable for them. Because they've hit a few small hospital chains around the country, and we've had some circumstances where people paid the ransom and then that led to more and more attacks as they suddenly see the healthcare sector as piggy banks. So all the normal hygiene things I would talk about, patching and all that, please focus on your ability to recover from a ransomware attack. If today all your systems were locked up with CryptoLocker, what would you do? I hope the answer is you would go to the backup because we back up multiple times a day, so we have all the patient records there. In too many places, that's not true, and that's a recipe for real problems. I've now run out of time, so thank you for this, I hope I will see you again this. Thank you for helping us this scourge. [applause]
