Mar 08 2017

Former FBI Director: For Cybersecurity, Tough Questions Must Come from the Top

Robert S. Mueller III says that an organization’s leaders cannot afford to delegate IT security decisions and need to be fully engaged on the issue.

Former FBI Director Robert S. Mueller III, now a partner at Washington law firm WilmerHale, used to run an organization with 35,000 employees guarding some of the nation’s top secrets. The last thing he wanted was for the FBI to end up on the front page of The Washington Post or The New York Times because of a breach.

Mueller says now that he did not fully understand the gravity of the risks when he was the director, but he was lucky that he had deputies and a Chief Information Security Officer who did. He met with the FBI’s CISO at least once per quarter to assess the FBI’s ability to deter cyberattacks.

Speaking at the CDW Managing Risk Summit in Washington, D.C., Mueller notes that when he came on board in 2001 the FBI’s IT was “a mess” and was archaic. The bureau upgraded its networks and network backbone, which went fine, he says. However, the FBI’s plans to upgrade its software went awry.

The plan was to upgrade all of the FBI’s computers to the new software one day in July 2003. Mueller had been assured that everything would go smoothly. It didn’t. The FBI had a choice: pour millions more dollars into the contract or start over. The lesson for Mueller was clear.

“I delegated to my CIO getting this done,” Mueller says, even though in the back of his mind he knew it would be very difficult to upgrade all of the FBI’s software at once. “I never asked the hard questions. The lesson to me was, when it comes to IT and you’re running an organization, you better ask the hard questions and it better come from the top.”

Mueller says that an organization’s leaders can’t delegate the responsibility of upgrading IT or protecting their organization from hackers and other malicious actors. “You have to be engaged yourself,” he says. “And I must say, I find very few CEOs are engaged in that particular way — very few, disappointingly few.”

Transforming the Role of the FBI to Fight Cyberattacks

Mueller started his job as the FBI’s director a week before the terrorist attacks of Sept. 11, 2001. And although the FBI was forced to quickly transition itself into a counterterrorism organization instead of a more traditional law enforcement and crime fighting department, the FBI knew cyberattacks would be a new security challenge, according to Mueller.

The bureau needed to hire new kinds of agents who were not only computer literate but could also act as intelligence agents to try to determine who was “sitting behind opposing keyboards” in the United States or other countries and directing cyberattacks. “We had to build a capability that we did not have in the past,” Mueller says.

So the FBI brought on board computer scientists to support those who may have the basic investigatory capabilities but needed a higher degree of expertise in the cybersecurity arena, Mueller says. Crucial to this transformation was the FBI’s partnership with other federal agencies, including the National Security Agency.

“I am fond of saying that you have to work with NSA because NSA has more geeks per square feet than any other institution in Washington,” he says. “And you want them working with you.”

Also crucial is the FBI’s partnership with state and local law enforcement agencies and businesses in the private sector. “I do not believe we can confront and take care of cyber without the relationship of the government service working closely with the private sector,” Mueller says.

Countering the Cybersecurity Threats of Today

In terms of the top cybersecurity threats the U.S. government faces today, Mueller laid out five threat vectors:

  • Protecting democracy from Russian hackers and others that want to undercut democracy
  • Insider threats in the federal government
  • Viruses like the “wiper virus” that hit oil company Saudi Aramco in 2012 and Sony Pictures in 2014
  • Ransomware, which is becoming simpler for hackers to purchase and deploy
  • Terrorists, who continue to pose a threat, although Mueller noted that groups like the Islamic State have not yet organized large-scale attacks on financial institutions or critical infrastructure.

Before Sony, much of what was done in cybersecurity was in the criminal justice arena, Mueller says. The attack, which the Obama administration attributed to North Korea, brought together in the White House the military, law enforcement community and national security apparatus for the first time, he says.

How can companies cope with such threats? Mueller notes that many companies need to get beyond three key “legacies.”

Most companies have security plans and officers but they tend to revolve around physical security, he says. “The governance has to be changed in order to recognize the necessity of giving the CISO or CIO what they need to do their job, and few corporations do that,” explains Mueller.

Similarly, he says, a company’s management needs to be more willing to boot out a longtime colleague who does not have the skill set to handle cyberattacks and bring in an outsider who does.

Finally, he says, companies need to upgrade legacy IT and networks that are more vulnerable to attacks.

What can the FBI do to help? Mueller notes that the FBI has 56 field offices around the country and 400 smaller satellite offices. Each of the 56 field offices has a “cyber squad,” if not a larger team that deals with cybersecurity issues.

Leaders of those offices know what industries are in their geographic territory and spend time developing relationships with those companies. About four or five years ago, the FBI prioritized protecting financial institutions and those that deal with critical infrastructure.

That way, the FBI can gain understanding of those companies’ networks and IT infrastructure, so the FBI and a company won’t be starting from scratch if the business gets hacked. “If you don’t know who the section chief is or the squad chief is who is handling cyber, you should,” Mueller says.

Phil Goldstein
