FBI Director Comey Hates "Evil Layer Cake" of Cybercrime

FBI Director James Comey compares cyber-threats facing the US to "an evil layer cake." The layers on which the FBI is focusing its resources are the top layer, nation-state actors, and second layer, large criminal syndicates, terrorists and big botnets. Comey talked cybersecurity with WilmerHale partner Benjamin Powell during the third annual Georgetown Cybersecurity Law Institute this week.

What's the FBI's approach to cybercrime? Imposing costs, says Comey, left. Where they can't lock people up, he says, the attempt is to name and shame or impose economic sanctions. When the topic changed to GCs' role in cybersecurity, Comey jokingly called GCs "mostly obstructionist weenies," and included himself in the bunch (he's the former GC of Lockheed Martin and Bridgewater Associates). But when it comes to concerns about sharing information with the government, he says the benefits "dramatically outweigh the risks," and the FBI has proven time and time again, most "recently in Sony, that cooperating early is in the company's interest, and that we treat information very, very carefully." (It will take time to get past the cultural impediments to cooperation, he acknowledged, which he attributes to "the post-Snowden wind.") 

WilmerHale cybersecurity practice co-chair Benjamin Powell, left, interviewed Director Comey. We snapped him with FBI assistant director for public affairs Michael Kortan, FBI Cyber Division assistant director James Trainor, and FBI supervisory special agent Nickolas Savage. The FBI is sharing cybersecurity information with the private sector as well, says Comey. Through a partnership with the private sector called InfraGard, it's piloting private-sector access to "The Malware Investigator," a database of all of the malware the FBI has ever seen. Already participating are hundreds of companies, which can connect directly to the database and input their own malware samples. Comey says his vision is that it'll continue to grow.

The two-day conference, which was covered by C-SPAN, was attended by 300 people from eight countries. Following the FBI Director, we heard from Assistant Attorney General Leslie Caldwell, head of the DOJ's Criminal Division. "We need to have a real sense of urgency when we talk about cybercrime," she says. She discussed the DOJ's new Cyber Unit and emphasized the need for private sector and international cooperation. She pointed out that about a dozen cybercriminals have been extradited from all over the world in the last year. One of them was a hacker from Russia on vacation in the Maldives. Don't think that the US can't get to international cybercriminals," Leslie says. "It's a long winter in Russia."

Here, recently retired Hon. John Facciola, Magistrate Judge for the US District Court for the District of Columbia, and Georgetown CSLI co-chair and founder Tina Ayiotis. Judge Facciola spoke on a panel about ethical and security issues in moving to the cloud. Lawyers have to be aware of the negative effects of technology, said Judge Facciola. If moving information to the cloud, ask questions including, "When was the cloud provider last audited? How did it react when it was last breached? What happens if the cloud provider goes out of business?" Judge Facciola also brought up the potential for hacking in the "Internet of Things" and self-driving cars.

In the Hart Auditorium, we snapped Hogan Lovells partner and former IBM chief privacy counsel Harriet Pearson, a Georgetown CSLI co-chair; Crowell & Moring senior counsel Harvey Rishikof (the firm announced his move Thursday from the National War College, where he'd been the dean of faculty); and Georgetown Law assistant dean Larry Center. Harriet led a panel on "10 Things You Need to Know About Cybersecurity," which includes companies' balancing security with privacy, considering the growing use of cyber insurance, and how to maintain preparedness for an incident.

During a post-conference reception, we spotted WR Grace assistant GC for litigation and global privacy Dori Anne Kuchinsky, who spoke on the panel about moving to the cloud (along with Judge Facciola, Northrop Grumman assistant GC Maureen Kelly and FBI supervisory special agent Nickolas Savage); Hilton Worldwide VP Courtney Ingraffia Barton, and XO Communications VP and assistant GC C.M. Tokë Vandervoort, who moderated a panel about cybersecurity risk management in vendor and supply chains. 

Nothing underscores the importance of cybersecurity like the announcement of a data breach during the conference: on Thursday, it became public that 1.1 million CareFirst customers' information was accessed. Here, SRA International VP, deputy GC and chief privacy officer Peter Adler with MITRE cyber policy counsel Michael Aisenberg. On the panel covering supply chain risks, Peter said that companies need to go through their vendors—including law firms—and make sure that none is the weak link, and that you are all under the same controls. He spoke with Dori, Rogers Joseph O'Donnell DC head Bob Metzger, and GSA senior adviser for cybersecurity and resiliency Emile Monette.