Topics:   Compliance,Corporate Governance,Cybersecurity,Technology

Topics:   Compliance,Corporate Governance,Cybersecurity,Technology

October 11, 2018

FBI Director to Corporate Directors: “We’ve Got to Build These Relationships Now”

October 11, 2018

When it comes to cyber threats and challenges, the Federal Bureau of Investigation (FBI) stands ready to work shoulder-to-shoulder with its private sector partners.  This according to Christopher Wray, who has served as director of the FBI since the summer of 2017. Director Wray joined more than 1,700 corporate directors at NACD’s annual Global Board Leaders’ Summit in Washington, DC, and discussed the agency’s priorities.

Nicholas Donofrio, left, interview FBI Director Christopher Wray at the 2018 Global Board Leaders’ Summit.

Speaking with Nicholas Donofrio—former executive vice president of innovation and technology at IBM and director at Aptiv, MITRE, and NACD—Wray shared the FBI’s approach to partnering with companies across industries and sectors to foster cybersecurity and prevent economic espionage, and talked about his hopes for closer cooperation between the FBI and the private sector.

Highlights of the most important points for boards to consider follow.

  • Cybersecurity is an urgent corporate issue, and a critical FBI priority. According to Wray, no threats to the United States’ economy and security have evolved more dramatically over the past 10 to 15 years than have cyber threats, an evolution he attributes to the ever increasing connectivity of our companies, systems, devices, and assets. Wray urged companies to recognize that “every single bit of information, every system, every network is a target [and] every link in the [supply] chain is a potential vulnerability” – including vendors, contractors, subcontractors, and any other point of entry or exchange along supply chains.Wray added that employees also present a growing risk, with increasing incidents of company insiders attempting to take and transfer proprietary information to business competitors and/or foreign governments.
  • The FBI is focused on nation-state-sponsored intrusions. There is growing concern at the FBI about the long-term threat China poses to the United States’ national security and economic interests. Beijing has unveiled a formal plan to achieve dominance in high-technology industries, known as its “Made by China 2025” campaign. In its quest to lift its industries up the value chain, China has shown not only a willingness but also an ability to seek a competitive advantage through both lawful and unlawful means, Wray remarked. In fact, the FBI chief said investigations into economic espionage linked to China were open in all FBI field offices across the country, which drove home the reality and gravity of the threat to the directors in the audience.
  • The government and the private sector are in this fight together. Cyber risk and technology theft are generational threats that will have wide-ranging political and economic repercussions for decades to come. As Wray put it, “Technology, geopolitics, and crime have all converged.” Addressing these issues will require closer cooperation not just among government agencies, but also between the public and private sectors. The FBI is already working closely and diligently with agencies such as the Departments of State, Homeland Security, and Commerce to deal with cyber threats and cyberattacks as quickly as possible. The FBI is also working to strengthen partnerships with US companies, according to Wray.To facilitate this process, the agency has created cyber task forces in all of its field offices. Every field office has a Private Sector Coordinator dedicated to engaging with companies. The FBI also runs a Chief Information Security Officer Academy at the FBI Training Academy in Quantico, VA, which covers cybercrimes ranging from nation-state-sponsored attacks to insider threat incidents. Companies may also partner with the FBI through its General Counsel (GC) Summit, where GCs can get expert guidance around cyber issues.
  • An effective response to cyberattacks will require a greater level of public-private information sharing. For many companies, it’s a matter of when, not if, they will suffer a cyberattack. When such an attack takes place, “getting the FBI involved early allows [the agency] to mitigate ongoing damage to [a company’s] data, . . . [provides the company with] the information need[ed] to understand what happened, helps mitigate risks to [a company’s] reputation from a delayed notification, and helps identify other potential victims,” Wray said. This is especially important if a breach has the potential to impact national or economic security or public health and safety, or if critical infrastructure is affected. That said, companies should not wait until a crisis strikes to connect with the FBI.“Too often, [organizations] confuse the idea that the harm is waiting until theft has occurred or systems have shut down. But the problem can happen much earlier. One of the points [the FBI] makes is that while prevention is important, detection and mitigation are even more important,” Wray said. To bolster such efforts, Wray advised organizations to reach out to the FBI and establish a trusting and reliable working relationship. “The best time to patch a roof is when the sun is shining,” he said.

Wray pointed out that the information flow goes in both directions: the FBI and other law enforcement agencies can serve as useful sources of data about emerging trends and developments in the fast-changing cyber-risk landscape. “We’re sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information whenever we can,” he said.

At a time when a critical mass of people and businesses around the world rely on the Internet to store, access, and protect their digital assets, effectively securing this information has never been more imperative. The proliferation of cyber risks is placing a higher burden on directors—and their executive teams—to actively oversee this ever-evolving threat, according to Wray. As stewards of long-term value creation, boards should make sure their companies are balancing efforts to mitigate short-term concerns with efforts to deal with ongoing risks in the long term. Directors need to ensure that their organizations’ management teams implement effective, enterprise-wide cyber-risk frameworks and have adequate crisis response plans in place.

At the end of the day, the FBI director remains sanguine about the resilience of American businesses. He ended the conversation by remarking, “When I look at the dedication and commitment to [cybersecurity, as well as] the sophistication and entrepreneurial spirit that extends [across] our private sector, I would stack [our companies] against those of any other country in the world.”

Related Resources:  NACD’s Director’s Handbook on Cyber-Risk Oversight  and Cyber-Risk Oversight Certificate Program are designed to help board members stay on top of cybersecurity matters.  Our online Cyber-Risk Oversight Resource Center has additional guidance, commentary, and tools for directors.