“We are not going to be able to successfully overcome a cyber threat without enlisting the support of the private sector,” said keynote speaker Robert S. Mueller III, who served as the United States’ sixth director of the FBI for more than 10 years.
Speaking before the 20th annual Property/Casualty Joint Industry Forum, Mueller, who was nominated by President George W. Bush and sworn in as director on September 4, 2001—just one week before 9/11—understands the intricacies of a breach, including the need for analysis and forensics for both government entities and corporations.
Mueller noted that there are two kinds of cyber threats: insider and outsider. “The biggest threat to companies is an insider threat—a Snowden type threat—that comes from a disgruntled employee who has administrator’s rights and wants to do damage.”
The biggest outside threats, he said, fall into five different areas. The first is “Hacktivists,” anonymous hackers whose goal is to embarrass people or make a political point. Mueller cited as an example LulzSec, a computer hacking group that claimed responsibility for several high-profile attacks, including a compromise of user accounts from Sony Pictures in 2011.
“The second threat are the criminal hackers, who are generally Eastern Europeans that are responsible for those breaches where the accumulation of money as a result of that breach is the goal of the attacker,” explained Mueller. He gave the example of the hacking of Target between Thanksgiving and Christmas three years ago, which affected a huge number of customers.
The third area of threat, Mueller said, is the theft of U.S. intellectual property, principally by the Chinese but also by the Russians. “The most prevalent hackers are the Chinese who look to steal our military and corporate secrets in an effort to move ahead.”
The fourth area of threat is terrorism, according to Mueller. “The fact of the matter is, ISIS has just dabbled in utilizing the Internet to attack. You can be guaranteed of those 30,000 plus that have migrated into Northern Iraq or Syria, there are individuals there who have the skillsets, when applied, to undertake substantial attacks against the West, and we’re going to hear more about them,” he said.
The fifth area, Mueller explained, is the military. He gave the example of Russia’s invasion several years ago of Georgia, a country to the south of Russia. He said that before Russia sent its tanks across the border, it knocked out Georgia’s military command and control center “so there was no opposition when they went in.”
Mueller said that by identifying these five areas the FBI—as well as private companies—can address, prioritize and understand what their vulnerabilities are. He said that companies can apply what the FBI has learned: “that you need to ensure the successful upgrade of your IT and you need to be actively engaged throughout the organization and recognize that it can’t be delegated.”
In preparing for breaches, Mueller warned that nobody is going to avoid being hacked; it’s just a question of how severe the breach will be. “If you’re a company that has been breached, the first is the analysis, the forensics. There are three questions the company needs to answer very quickly: How’d they get in? What did they take? And where are they? You can’t begin to deal with customers, your own employees or the media unless you have an answer to those three questions.”
Too often corporations hit the breach and they have no plan for doing the necessary analytics or how to get the attorneys involved. “By that time it’s too late. Getting the forensics on the ground floor is tremendously important so that when you get that breach you have persons in place with some independence and expertise to know where the malware came from and what to do about that malware,” said Mueller. “After that all the other considerations flow in.”
Mueller noted that all too often general counsels are focused on possible litigation down the road, but that the most important issue is “the survival of the corporation and bringing back your customers so you have the money to pay off the litigation expenses. Each one of those considerations in the cyber arena should be addressed prior to any breach.”
Mueller added that companies are not very effective at stopping a hack as it is happening. He said that hackers do a reconnaissance, noting that, “The average time in the networks, databases is 240 days before they are noticed. Where are they? Which particular networks are they in? It’s a long and murky fact-specific investigation to identify, which you can’t answer overnight.”
Mueller is currently a partner at WilmerHale in Washington, DC, where his practice focuses on investigations, crisis management, privacy and cyber security work.