Q&A With FBI's Cyber Division Chief
At the end of the Black Hat hacker convention in Las Vegas a week ago Thursday, I had a few minutes to sit down with James Finch, head of the FBI's Cyber Division. What follows is an excerpted Q&A from that discussion, in which Finch describes himself as a serious geek who refuses to be spooked by organized cyber criminal gangs that target online banking customers and other 'Netizens.
Q: I see you've got a nice MacBook Pro there. Are you a pure Mac user?
A: No, I am not. I raised my daughters on Windows machines, but my 4-year-old son, I'm raising him on a Mac. I just bought him an iMac. I prefer flavors of Unix over Windows.
Q: Which flavors?
Q: So what does the director of the FBI's cyber crime division like to do in his spare time?
A: Build computers, learn new operating systems. One thing this job doesn't give me enough time to do is spend quality time with my computers. I was a gamer before gaming was cool, playing games like Doom, Quake, Half-Life, [Castle] Wolfenstein. I have quite a few newer games and because of the faster video cards...the last machine I built was a water-cooled video card as well as the processor. In the wintertime, it's great. Keeps the processor cool, but just heats up the room, and I haven't even put the other video card in it to run in SLI mode.
Q: Are you a coder, or...?
A: No, I'm not. I started out as a computer science major in college. Back then, the required courses were Fortran, COBOL, Pascal...all the things that don't exist anymore [laughs]. And, so any programming experience I have is obsolete. I've bought the books to do some self-teaching for Java, but I just haven't had the time to sit down and start picking it up.
Q: So why do you prefer Linux?
A: I just think it's more efficient. To me, it's more powerful. You don't need this huge powerful processor because of the efficiency associated with the Unix operating system. I believe it's closer to how we should be computing. But, you know, it's not to really...I don't want to dismiss Windows, because it's serving a very useful purpose. Because of Microsoft, you have people who wouldn't otherwise be using computers.
Q: Right, but of course part of the problem with the situation we're in right now with botnets and peoples' computers being used for all kinds of cyber crime seems to be a direct result of that.
A: That's true, but my thought is, they shouldn't have to be so concerned. It's kind of like driving. There are those cars that really require a lot of attention because they have safety issues. But you can drive them without any real concern of anything happening. People shouldn't have to be concerned about someone stealing their information, but then the Internet wasn't created with security in mind, and unfortunately before we connected everything to it, all of our information to it, governments...military, we should have ensured that it was secure. Instead, we jumped right in there headfirst, and now it's too late.
Now, we have a foundation that is what I consider...I don't want to say unstable...but not prepared for the level of use that it is currently receiving, and it is the ideal environment for what I consider people selling snake oil solutions. And I don't mean that in a bad way, but when you offer security on the Internet, how much permanence is there? If you're talking strictly information security, I come in to sell you border routers, intrusion detection and intrusion prevention devices, and I tell you that this will help you secure your system...but for how long? Until a hardware or software vulnerability is discovered in one of those appliances? And that's another issue. If we can't secure the applications, where you should start out with security in mind...but there's so much rush to market and pressure on those creating software.
Q: Do you do online banking?
A: Yes, I do.
Q: How long have you been doing that?
A: Maybe ten years?
Q: And you don't get freaked out by what you see every day? I certainly do.
A: Yeah, so does my wife. I do online banking. I pay my bills online. I file my taxes online. I truly believe in the Internet. Do I believe it's a scary place? Without a doubt. I'm in law enforcement, and I run the cyber division for the FBI. I don't want to say that I'm so intimidated by the bad guys that I am going to allow them to dictate taking full advantage of what I consider to be the benefits of the Internet. Yes, there are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it.
Q: There are some people who say the threat from cyber crime, the financial threat and threat to our economy, that this is over-hyped. What do you think?
A: I don't think it's over-hyped. The Internet works the same for everybody, bad guys included. If you take the time to understand the Internet, let me tell you there aren't many things you can't peel back and look behind. Whether that requires decrypting encryption or undermining some of the safeguards we have, there's a way to do it.
A lot of people just don't take the basic precautions, or don't know how to take them. Many people just don't have the level of knowledge needed to safeguard themselves. The bar is raised every day. So how do you as a common user keep up with the necessary safeguards? How do you configure it? Should I let this in or not? Who's going to know unless they have some basic information security knowledge?
Q: The financial industry has taken heat from some people, who say the industry as a whole is not doing nearly enough to help protect customers from having their accounts taken over online. The perception is that the banks are very good at counting costs, and they know that as long as the fraud costs stay below a certain threshold, then there is no financial incentive for them to adopt more secure methods. What do you think?
A: Well, I really can't speak to that because, see, that's a business. And I think, as with any business, if they don't offer a service that is attractive, they will cease to exist. It's a competitive environment. The banks that are doing more...I'm sure they will see the benefits of their actions in a competitive market.
Q: I'm curious if you're at all concerned that -- the U.S. financial institutions -- by waiting until some magical pain threshold is reached, that the banks aren't somehow encouraging...well, an industry that needs no encouragement? In other words, are you concerned at all that by the time the banks get around to rolling out new anti-fraud systems, that they will have allowed these cyber crime groups feeding off the low-hanging fruit to become far fatter, wealthier, more powerful and organized than they are today?
A: That's a business decision. And do I believe that waiting will cause more harm? I think that would be a pretty hard label to place on that industry. The decision I would make as a law enforcement official...might not be based on a cost-benefit analysis. For example, when I look at the resources the government uses to apprehend just one person, or one organization that might consist of 50 people? From a business perspective, would that sort of activity be beneficial? In a lot of cases, businesses might not say that's worth it.
The banking industry has done a lot to safeguard its position. However, as I have said before, the skill set of those who are out to do harm to those systems...their skill set increases fairly quickly, and it's something the banks and most other industries connecting to the Internet have to consider.
Q: I think in your talk yesterday you said you manage about 500 to 600 cyber agents?
A: Yeah, it fluctuates.
Q: Any luck recruiting here?
A: We don't really make too much of an effort to recruit here. My purpose in being here is to provide the FBI cyber perspective. That said, we are always looking for employees that meet our requirements.
Q: Is the older age and current skill set of the cyber agents you have...is that a concern for the FBI in facing today's cyber threats?
A: We're getting some really bright people coming in. Frankly, what I'm very happy to see is we're getting people who were raised on the Internet. Raised in an environment that is not foreign to them, and so trying to play catch-up is not an issue. It's a part of their existence. To them, it's no different from an MP3 player or any other piece of technology. Rather than looking at traditional methods, they are looking at technology solutions that can be applied or overlaid onto the traditional methods. And a lot of these problems require a technology solution, and so it's not a struggle for them. They understand those solutions. They understand how the Internet works behind the curtain. They understand DNS, ARP, proxies, and so they get it. That's refreshing to me.
Q: Do you see there being an evolving approach to some of the techniques the FBI teaches in how to go after today's cyber criminals?
A: Well, not really, because many of the techniques are using standard network tools. We apply those in the same way a systems administrator would apply those tools.
Q: I'd like to hear about some of the ways the FBI is evolving to keep pace with cyber criminal gangs. Can you talk about--
A: First of all, one of the things I try not to do...and I've asked this of several reporters...I said how many bad guys do you interview who tell you their techniques so that it helps us catch them.
Q: Well, actually, quite a few.
A: But, you would prefer to put our techniques out there so that they can avoid being caught? It doesn't seem very patriotic. It doesn't seem like the right thing to do.
Q: Sure, but maybe you could talk about any innovative ways that the FBI is using to go after--
A: Brian, we have to adopt innovative ways of doing what I believe the public expects us to do. And that is to apprehend those people who have violated our electronic communications laws. In terms of being very detailed in how we do that, I don't think the public would appreciate us letting the bad guys know. I oftentimes wonder why the press tends to put these tactics out there, and then it's cloaked as, well, the public has a right to know.
Q: Can you give me an example of what you mean there, or of the last time that happened?
A: You mean, computer-related? Child exploitation-related? Terrorism-related? I'd have to sit down at my computer, but I'm sure I could pull up numerous examples. I know it's a job you guys do, and I have no problem with that. I know the press often gets things out there that we want people to know. But there are times when the press will get things out there that really don't help our cause when it comes to making the world a safer place, making the Internet a safer place.
Q: At the "Meet the Feds" talk at Black Hat yesterday, someone raised a question that I wanted to follow up on. It speaks to the issue of how we tackle cyber crime that originates from other countries. The common perception is that we're not getting terribly good cooperation from similar authorities in Eastern Europe and Russia in particular, and I'm curious whether--
A: Look, I've had good cooperation from most countries we've worked with. I really have. To include those...countries people believe we really don't get good cooperation from. Now, I'm not sure why, and I don't really know if people believe that -- that we're not getting the cooperation that we need. I have...I've traveled to various parts of Eastern Europe and Romania to set up task forces there, and I've made arrests in intellectual property cases with the Chinese.
Q: Well, since you mentioned these intellectual property cases, I wonder if you think it would be helpful to build in some kind of cyber security component into treaties we have with other countries, as we have done with intellectual property and software and so on?
A: One of the things I get real concerned about is...the point, shoot, aim type of action when it comes to writing certain clauses into various agreements. I don't want to get into the State Department's area or the Justice Department's area, but because we are at what I consider to be the infancy of the Internet...we're veering into a point where a lot of things will be Web-based, we're probably going to see some things that will make us probably regret acting too quickly in terms of writing things into trade agreements.
Q: But what's the harm there? Is it maybe because it might make it easier to extradite U.S. citizens accused of cyber crimes against other nations?
A: Well, when you start talking about trade agreements, and look at the state of our economy right now, there's a reason why we have much of our manufacturing right now outside of the United States. If you make that difficult, I'm not sure that will be a good thing in the long-term for our economy.
Q: Should the federal government be doing more to educate people about how to use the Internet safely?
A: Why is it that people always turn to the government, saying the government should be doing more? Brian, wait a minute. Is it the government's fault? Is that what you're saying?
Q: No, I'm asking a sincere question. Do you think the government has a bigger role to play here in educating people in what they need to do and the attitudes they should adopt in order to stay safe online?
A: I think the government...if you look at the various agencies and the type of outreach they have, I think the government is doing a fairly good job of reaching and making people aware. Take, for example, www.lookstoogoodtobetrue.com, or www.ic3.gov, those are public awareness sites. Other agencies have public awareness sites on cyber. What do you want, the government to teach classes? I mean, the number one criticism in many cases is that the government has overreached, they're reaching into our privacy, into our lives, they're interfering too much. Well, what more do we do than to try to make people aware, provide them with a place to go if they believe they've been harmed on the Internet. We can't force people to become more aware.
Q: On the other hand, it does seem like the whole Web 2.0 evolution could be helping law enforcement, what with people putting so much more information about themselves out on the Internet. Is that helpful to your job? Are you finding the abundance of information on social networking sites and so on becoming useful in investigations?
A: The Internet has made information in general more available. Is it easier to find certain things now? We were generating intelligence and finding things long before the Internet. The Internet becomes just another tool. Does it make it easier? I don't know I would say that. Just means there's one more available source of information.
Q: It appears that a huge number of people committing crimes are doing so through botnets and distributed proxy and anonymization networks. Can you talk about the challenges that development poses and how the FBI is addressing it?
A: Well, botnets do create an identification problem. It's a challenge. Reason being, you have computers that are unwittingly being used to commit crimes, and so when the owner of the computer doesn't know his or her PC is being used to commit a crime, it makes it difficult...well, you can't go after that person for that crime. If the attempt is to put someone out of business and going to execute a DDoS [distributed denial of service] attack against a business...
Q: Is DDoS a crime you're seeing a lot more of now?
A: Actually, no. It's kind of like buffer overflows, in programming. We used to see a lot of buffer overflows. But now, software writers and intrusion detection systems are protecting against those things, so we don't see much of that. DDoS? We still see some DDoSing, but not as much as we used to.
Q: Are there threats you see emerging that keep you up at night? Or is it more of the same old stuff?
A: Peer-to-peer botnets are becoming more prevalent, like Storm and Kraken. A lot of these are being created so that they avoid detection by anti-virus software, so they're hiding better. For the average user, if their anti-virus can't find it, then they don't have the background to delve deeper into the operating system to detect it.
Q: What about Operation Bot Roast? That's ongoing, no?
A: It is, yes.
Q: Can you talk about some of the ongoing actions in that?
A: Well, no, I can't. But I can tell you that it's far from over, because bots are evolving. It used to be IRC command and control, now it's predominantly peer-to-peer command and control, and botnets are now much more resilient.
Q: Do you get a sense that...just going back to the online banking question, that the problem is--
A: ...You know this article...now they're going to hack my account because of what I've said here...
Q: [Laugh]. But you're not worried about that, right?
A: You know a couple of years ago, my acting (director) came home and found his bank account had been cleared out.
Q: Really? Have you ever been the victim of cyber crime?
A: Don't put that in there!
Q: No, seriously.
A: No, I haven't.
Q: You're joking, right? I don't think I know anyone who hasn't had his credit card compromised at some point.
A: Well, I had one time a couple of years ago, one of the major banks reported to me a server was compromised and my card number might have been compromised, but I never saw any unauthorized activity as a result of that. If I was victimized, it wasn't noticed.
Q: I've been spending quite a bit of time recently at various online forums that cater to identity theft and all kinds of cyber crime, and one of the things that is very hard to ignore is that the bad guys appear to be using online gambling sites to launder their stolen credit cards. I know the Justice Department has long asserted that this activity was going on, but what are you seeing in this regard?
A: I don't really want to talk about this area too much, because I don't want to risk compromising any ongoing investigations we may have. I can tell you, however, that we have suspected money laundering through online gambling for some time now. And that's all I can really say about that for the time being.
Q: Someone told me you were getting close to retiring. Any idea what you'd like to do when you retire?
A: I would like to work in information security. Hopefully, for a company providing information security. It wouldn't bother me to have both information and physical security because I believe the two have to work hand in hand to provide an overall solution.
[We are interrupted by a passerby who engages Finch in a conversation, and our interview ends shortly thereafter].