Transcripts For CSPAN3 Director James Comey Says FBI Doesnt Take Sides 20170404

Encryption and explain why that matters so much to the FBI and why we are determined to continue to talk about it. First, our cyber strategy. To state the obvious for this room, all the threats the FBI is responsible for come at us through the internet. Counterintelligence, all the criminal threats we are responsible for, and terrorists in the following way: to proselytize, to communicate, to inspire, to direct. Not yet to use the cyber vector as a way of doing actual harm, inflicting harm on infrastructure. Logic tells us that is inevitable for the terrorist mind to find that vector. All the threats the FBI is responsible for come at us in that way. The first part of our strategy is humility. We are standing in the middle of the greatest transformation, I think, in human history. The way we learn, the way we work, the way we love, the way we connect, the way we believe, all is affected by the digital era, the digital revolution. We stand there with an attitude of humility, because it would be foolish to say, we know how the FBI should grow and change and adapt to meet a transformation that has never happened in human history. We don't know for sure. What we are trying to do are things that are thoughtful, that make good sense to us, and then get feedback from our own people, from our partners and from our colleagues around the world about whether it is making sense. Then, we will iterate. Our strategy has five parts. Two parts I want to spend some time on. First part of our strategy is, we want to focus ourselves. There are two aspects of the way in which we are trying to focus. The first is the way we assign the work in the FBI. Traditionally, in the FBI, the physical manifestation of an event is what drives who works on it. So if the bank robbery happens in Chicago, the Chicago field office works the bank robbery. If the fraud is based in Seattle, the Seattle office.
We have come to the conclusion that the physical manifestation of a cyber intrusion, especially, isn't all that meaningful. It is being committed likely by somebody far away from the physical manifestation. It is being committed at the speed of light, and it may be quite random as to where the intrusion pops first. So we're approaching our work in a very different way for the FBI. We now assign computer intrusion work, whether that's a nation state, whether it involves a criminal syndicate, a criminal syndicate working for a nation state, whether it involves activists or somebody else, the motley crew of people that are engaged in intrusions. We assign it based on talent. We make judgment as to which field office is showing the best chops as to the threat proposed by a nation state and assign it there, because they have demonstrated the ability. Because physical manifestations of intrusions are part of the real world, there really is a chief information security officer and there really is a CFO and a CEO of a company that's been victimized, we are not blind to physical manifestations. So we assign the threat to the talent and then we allow up to four other offices to help. The first office is called a strat office, for strategic. The other offices are called tac offices, for tactical, and we air traffic control from Washington. This has great effect inside the FBI, because it has fostered an intense competition among field offices to demonstrate, generate and demonstrate the talent against various dimensions of the threat. So Little Rock shows us they are best against a particular intrusion set from a foreign nation. It goes to Little Rock regardless of where the hits are from that intrusion set. So far, it is working pretty well. So far, the air traffic control has worked well. Again, we stand here with humility. If it isn't working in some way, we are going to iterate. That's the way we are assigning the work.
The second way we are trying to focus ourselves is on stealing your talent. Here is what I mean. The challenge we face from the FBI is, to have a special agent working cyber, we need a variety of things: high integrity. We need fitness. We are going to give you a firearm on behalf of the FBI. You have to be able to run, fight, and shoot. We need integrity, fitness, and then we need smarts, intelligence, and then we need specialized knowledge to make you a cyber agent. That collection of attributes is rare in nature. We may find integrity, somebody who can't do a push-up and who has great specialized and general intelligence, or somebody with specialized knowledge that can pump out a push-up and wants to smoke weed on the way to the interview. So we stare at the pool of talent. We have two reactions to the pool. We can't compete on money. In the private sector, you have more money than we. We acknowledge that to the people we are trying to recruit. Make sure they understand life with you is soulless and empty, he said, half kiddingly. If you want to do work with moral content, come to us. It is not about the living. It is about the life. A pitch that I know worked for a lot of you in this room of ours. So we try and recruit on moral content, and then we are trying to think differently about how might we generate that talent in a number of different ways. We are considering, do we really need gun-carrying special agents making up an entire squad? We have squads of eight. Should we have six and people of integrity, high intelligence and specialized knowledge. We don't give them guns because they don't have that physical attribute. If we can find that integrity, that physicality and basic high intelligence, should we grow our own? Should we build our own university to take that talent and raise it up to be cyber talent? Should we also do something else?
Should we try to make the barrier between us and the private sector semipermeable, so that special agents might work for the FBI and work in the private sector and come back? The current rule requires anyone that leaves for 24 months to go back through Quantico. That's a painful experience for people in their 40s. They all want to come back, because they discover your lives are empty and soulless. They want to come back. We have made real barriers to their returning. Might we be able to encourage people in the private sector to come work with us as that something else, don't have to go through Quantico to learn to run, fight, and shoot, and then return to the private sector? Our minds are open to all of these things because we are seeking talent in a pool that is increasingly small. You are going to see us experiment with a number of different approaches to this. I hope when you see us doing something that doesn't make sense, you will tell us, and when you see us doing something we ought to do more of, you will tell us that as well. It will be met with an attitude of humility. Focusing on our work and how to get our best talent is the first part of our strategy. The second part is, we need to make sure that we, inside the government, have our act together in such a way that it doesn't matter to whom a victim of an intrusion or a cryptoware attack or some other attack, it doesn't matter who they tell in the federal government. We are in that place when it comes to counterterrorism. You walk up to an FBI agent, a deputy sheriff, a police officer with a piece of information about counterterrorism, about terrorism threats, it will get to the right place very, very quickly. It doesn't matter who you tell. We have to get to that place inside the federal government. We made a lot of progress trying to understand the rules of the road. We still have work to do. The third thing we are trying to do is impose costs.
I don't know the cyber intrusion that has ever been committed high on crack or inflamed by finding a lover in the arms of another. These are crimes, these are intrusions. These are attacks that are committed with reflection and calmness at a keyboard. We think that's an opportunity for deterrence, for influencing behavior. We are keen to make sure that that attacker, whether it is somebody sitting in a government office halfway around the world or in a basement somewhere in the Pacific Northwest, that they feel our breath on the back of their necks, maybe literally but at least metaphorically, as they begin that intrusion activity. We think we can shape behavior by locking people up and, when we can't, by sending messages of pretty scary deterrents, faces on wanted posters. People sometimes say to me, yeah, but the hacker is somewhere halfway around the world working for another government, or they are sheltered by a government. How are you ever going to get them? My response is, life is long, the world is short. We are dogged people. We just gave up on D. B. Cooper, and that took us about 52 years, I think. For those of you who were young, a guy that jumped out of an airplane over the Pacific Cascades. We are pretty sure he is dead now. We are giving up. When your face goes on a wanted poster, we are not going to give up in your lifetime. That can change behavior. You will see us trying to send those messages to shape people as they think about intrusions. The fourth aspect of our strategy, I won't spend a lot of time on, is to help our brothers and sisters in state and local law enforcement raise their digital game, because everything they do requires digital literacy.
In the good old days, a narcotics detective would roll up on a location, execute a search warrant at a drug house and find not just drugs and money but one of the black composition notebooks, and the dealers would have written who got how much and how much they were, and that had to be photocopied and exhibit sticker put on it. There is no black composition notebook but a PDA, a thumb drive, a laptop. There is a digital device. We have to help our colleagues get to that work in a quality way, because there is simply no way the FBI could be part of helping with all of it. I'm told people get emails from me when I'm in Nigeria asking for money to be wired. I usually identify myself as the president of the Federal Bureau of Investigation. Don't send me any money. People do get ripped off. The Bureau can't reach all of that. The fourth part of our strategy is, help our partners raise their game. There is a lot behind it. I will leave it there. The fifth thing, which is the one I want to spend a few minutes on. We must get better at sharing information across the boundary. There should be a boundary between the public sector and the private sector. We have to find ways consistent with law and policy and tradition and culture to make the barrier between us and the private sector semipermeable in some fashion. Nearly all of the activity hits the private sector, all the victims are in the private sector. All the indicators are in the private sector. All the evidence, if we want to go criminal, is in the private sector. We are not nearly good enough at getting information from the private sector to us and getting information from us to the private sector. This, I believe, is a problem not so much of law but of lore. The biggest problem is that people like I was, who are spotting risks and calling them out. If we give that information to the government, will it be used against us in a competition? Will it be disclosed to Congress in some way that becomes public?
Will we get sued? What will our shareholders say? How will this hurt the enterprise? I see too many risks. You ought to hire one of the firms that can help us remediate and get back on with our business. Yes, our files are locked up with ransomware. Let's pay the ransom and get on with it. Most of the intrusions in this country are not reported to law enforcement. That's a very bad place to be. People are foolish and short-sighted to think that their interests in the private sector are not aligned with ours when it comes to this. You are kidding yourself if you don't realize that the hackers will be back, if not to you, then to your subsidiaries in your supply chain. Those with the ransomware will be back, especially if you paid them off. Our interests are aligned. The challenge we face is having the private sector know us well enough to realize we understand what a victim is and we treat victims for what they are, which is victims. We do not revictimize people. Whether that's a sexual assault case or an armed robbery case, a mafia or computer intrusion case, we have lots of practice at this. Our challenge is, people don't know us well enough. Too much confusion and skepticism and distance derived from misunderstanding and myths. The FBI's mission is to get out and talk to the private sector and let you know what we are like. Now, I liken this actually to a journey that the CIA and the FBI traveled since the mid 1980s. That's what I mean by the difference between law and lore. Most of the people in this room know that in the mid 1980s, the Classified Information Procedures Act was passed that offered us certainty about how sources and methods would be treated and protected if the government decided to use a criminal prosecution to incapacitate, to reassure the intelligence community that we are not going to blow sources and methods. There is this framework. Here is how it will work. That did not get the job done. That is law.
It took us 20 years of building trust, case by case by case. So the intelligence community came to realize, this really works. We really can trust the FBI to protect our sources and methods, to use these tools that have been on the books since the 1980s and use them in a way that protects us. That took us two decades to build that trust. It is in a very healthy place today. It is not in a healthy place when it comes to the private sector. My ask, those of you who run companies, who are the chief security officers, the general counsels, the CISOs: if you don't know someone at the FBI office where your facilities are, you are failing. You are pushing on an open door. Come and talk to us to understand, in the event of an intrusion, in the event of an attack, what is it we need? You will discover, we don't need your memos or your emails. We need indicators of compromise. We need to know how did the bad guys come, what are the signals, the indicators that we can use to attribute and impose costs and help you get over this attack. The Sony attack was a vicious, hugely damaging attack. It would have been worse if Sony hadn't invested the time to know us before the attack. Every single one of you works in a facility that your local fire department knows the general layout of. They don't know your intellectual property. They don't know your secrets, but they know where your standpipes are and where your elevators are. They know the general layout so that in the midst of a smoky disaster, they can save lives. We knew Sony in the same way. We didn't know their secrets or their intellectual property. We knew the key people, the facilities and the layout of their network generally. That day, within hours, we were on the ground helping to stop the bleeding. The private sector has to get to know us better if we are going to be more effective. It doesn't stop there. It is bad that people don't share information with us.
We don't do a good enough job of pushing information to the private sector. We have a cultural impediment, which is, we have this information. If I give it to them, are they going to jeopardize sources and methods? Sometimes we forget you don't need the sources and methods. You need indicators of compromise so you can figure how they are coming at you. And all of you in the room know this, oftentimes private sector partners don't realize what ORCON means. Oftentimes the FBI will have a piece of information, we can't just give it over to you. We have to go back to the people that own the information and gave it to us, but we can do that so much better than we're doing today. We will get better. I hope you'll help us get better, as well. And the last thing I want to leave before I start avoiding Mike Leiter's questions is this: I intentionally did not talk a lot last year about the challenge we face from ubiquitous strong encryption. Our option at the FBI was, this was a complicated issue with legal aspects, technical aspects, policy aspects, values; it was too complicated to discuss during an election year. But we decided that we would not force a conversation about it, but we would use the time to try to collect data so we could show people what's happening to our world, and here's what's happening. If you imagine we work, the FBI works, in a room. The corner has been dark 50 years. Sophisticated actors could always find encryption. Sophisticated actors, nation states, near nation state actors. What's happened since the summer of 2013 is, that dark spot has started to spread through the entire room. Ubiquitous default encryption on devices. Ubiquitous has spread the shadow so it's starting to cover more and more of our room. I'll demonstrate this from facts with our encounters with devices. October, November, December, 2,800 devices were presented to the FBI in the United States with lawful authority to open them.
Some from FBI investigations, others from state and local partners. They gave them to the FBI saying, we have a court order, can you help us? In 43 of those cases, we could not open those devices with any technique, any technique. That is the shadow falling across our work. You may say, who cares? I don't know, but I think America needs to have a conversation about this, because I care deeply about privacy, treasure it. I have an Instagram account with nine followers; they are all immediate relatives and one daughter's serious boyfriend. I let them in because they are serious enough. I don't want anybody looking at my photos, but I treasure my privacy and security on the internet. My job, like a lot of people in this room, is public safety. Those two values, privacy and safety, are crashing into each other, but I believe something more fundamental is happening. Especially with regard to devices, those devices contain so much of our life. Our lives are on those devices we wear on our hip and carry in our pockets. That's a great thing. That's made us better in lots of different ways, but it's also introduced with ubiquitous default encryption a concept new to America, which is absolute privacy. We've never had absolute privacy in this country. This country was founded on a bargain, which is your stuff is private unless the p