Source: Federal Bureau of Investigation FBI Crime News
You’ve heard me say several times now this afternoon that private companies, like those represented here, and academic institutions like Vanderbilt are exactly the kinds of partners that have important roles to play when it comes to protecting our most essential networks—and not just as key participants in many of those joint, sequenced operations I mentioned.
The private sector owns the vast majority of our critical infrastructure, so it plays a central defensive role, and also generates vital information about what adversaries are doing—or preparing to do—against us.
But the first thing private industry can bring to the table is vigilance because everything we do in the government and law enforcement space has to be combined with the public’s role in being more discerning and more cyber-literate.
That includes resiliency planning—things like developing an incident response plan, actually testing and exercising that plan, and fortifying networks and devices to make the attack surface as inhospitable as possible. Companies need to familiarize themselves with each specific threat and its particularities, create a plan tailored to each of those threats, and then actually run through those plans with tabletop exercises. Most importantly, know where your crown jewels are, know how to get back up and running in the event of a breach, and know at what point you’re going to call the FBI for help.
There’s also hardware and supply chains to worry about. I’m sure many of the folks here today are familiar with Solar Winds, the Russian SVR’s supply chain campaign that compromised widely-used IT software and caused thousands of Solar Winds customers to upload malicious backdoors hidden in innocuous-looking software updates. Vetting your vendors, their security practices, and knowing who’s building the hardware and software you’re granting access to your network is crucial, so push for transparency into what vendors and suppliers are doing with your data and how they will maintain it.
That brings me to the final thing we need to build a strong defense, and that’s solid partnerships—as we’ve discussed, the very foundation of our work confronting Beijing.
When something goes awry, we need victims to reach out to us immediately because that first victim who reports an intrusion can supply the key information that will enable us not just to help them recover, but also to prevent the attack from metastasizing to other sectors and other businesses. In fact, Volt Typhoon was taken down thanks, in part, to help from the private sector—to companies coordinating with us.
We’ve seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem because that put everyone on the same page and contributed to the company’s readiness. And it’s not just companies. The FBI has long put a premium on building relationships with academic institutions, too.
Building those partnerships means that we can better understand the issues academia faces every day interacting with the PRC, and academia can get a better understanding of national security threats and make informed decisions about how to deal with them.
Speaking of academia, since I find myself here at one of the top universities in the country, I’d be crazy not to talk a bit about the people we need to keep hiring to do all this vital, cutting-edge work.
We need even more smart, driven, talented people in the field to keep America safe—people with the technical skills to keep our cyber workforce world-class.
So, while I’m here at Vandy, among some of our nation’s best and brightest students about to enter the workforce, here’s a plug for both them and the professors in the audience that those students look to for guidance: We need more people to join our elite team, determining who’s responsible for cyberattacks; planning and running those joint, sequenced operations, to knock our adversaries back; working with victims; and, often, doing all those things in the same day.
We need talented people on our rapid-response Cyber Action Team—deploying across the country often within hours to respond to major incidents—and working with international partners in our offices overseas, seeking justice for victims of cyberattacks.
A job with the FBI could take you anywhere, and there’s no better way to serve a mission you’re proud of while doing work that’s the envy of your friends slogging it out elsewhere.
The FBI doesn’t do easy. We focus on what’s hard, what no one else can do—measured both in our own work and in the adversaries we go up against: the most dangerous intelligence services and criminals in the world.
As we’ve talked about today, the threats America faces—from the PRC and many others besides—are immense, and we’re confronting them right now.
Our way of life—and, in some cases, our very lives—need defending, so think about applying to join us or sending your best and brightest our way.
In the meantime, thanks again for having me, and I look forward to our discussion.