Cryptography is the science of confidence in confidentiality. Law enforcement in the United States, as constitutionally charged, is in part the function of collecting and revealing secrets. In an earlier era, a keynote discussion with FBI Director Christopher A. Wray at the RSA Cybersecurity Conference might have drawn skepticism, but in 2019 his remarks instead at times drew loud applause.
Wray, whose remarks came in conversation with Lawfare Executive Editor Susan Hennessey, opened by listing a variety of threats, first by the specific names of the bundles of code, and then broadly framing a picture of a dangerous and anarchic domain.
“We’re seeing an uptick in the threats from various foreign adversaries, and the blended threat, where foreign power enlists criminal hackers, essentially as mercenaries,” said Wray.
How can a state, specifically the U.S. government, adapt to and counter such a field of threats? By working closely with the private sector, Wray argued, noting that 90 percent of U.S. critical infrastructure is privately held and that any defense requires partnerships between law enforcement and business. Wray specifically mentioned that one way companies can do this by working with local FBI offices in the United States, and also with the FBI’s dozens of offices abroad, to proactively form relationships and work on mitigation, enabling the FBI to work closely with companies when a crisis comes.
Opt-in cooperation works when interests between the FBI and companies align. That’s not always the case and, in the past, the FBI has come under fire for seeking a way around cryptographic protections in cases where those interests don’t align.
“We’re not seeking backdoors any more than we think people on the other side are trying to actively weaken public safety,” said Wray, noting that there is much that cybersecurity protects on behalf of legitimate interests. But, continued Wray, we “cannot have a stable endstate where there is entirely unfettered space beyond the reach of law enforcement.”
Wray offered no specifics of how to get law enforcement into that unfettered space. Instead, the conversation turned to threats the FBI is actively monitoring and tackling. Wray noted that while the 2018 midterms in the United States saw no material impact on election infrastructure, they instead saw the continuation of a malign foreign influence campaign designed to sow discord and pit Americans against each other. How that differs from the default nature of political campaigns in the 2010s was also not addressed.
Wray emphasized a renewed focus on counterintelligence at the FBI, meant to counter specific espionage from China across every sector of the economy and institutions like academia, noting that counterintelligence efforts had been under-prioritized for too long. Wray noted that people were charged in conjunction with this counterintelligence effort, which prompted Hennessey to ask if the high-profile arrests had been driven by considerations of ongoing trade negotiations between the United States and China.
“The arrests were not driven by trade, not driven by politics, not driven even by diplomacy ... they were driven by facts,” Wray said, to applause from the attendees. “If we find somebody committing federal crimes against American businesses, we’re going to go after them.”
That law enforcement is inextricably linked to rules set about trade, conditions produced by politics, and the roles performed by diplomats in a country were left undiscussed. Asked about the deterrent effect of indictments on hackers, Wray pointed to the impact being indicted had on specific bad actors.
“I will say that one thing that hackers of all shapes and sizes love most is anonymity; by indicting publicly you strip them of that,” said Wray. “Particular hackers have become personas non grata. They have been unable to find work.”
That’s a compelling case for deterrence on the individual level, though it doesn’t address the broader actions of states that institutionalize organs of cyber espionage, nor does it broadly change the dynamic of countries specifically contracting or enlisting criminal organizations to do their dirty work.
Wray may be plotting a path where the FBI can enter those unfettered spaces, but his answers on the floor of RSA spoke to a philosophy of individual capture and punitive expeditions. The problems facing a world built on cryptographic architecture are impossible to solve by law enforcement alone.