Oct 27, 2019
Law Enforcement, the FBI and Automotive Cybersecurity

David Johnson, Associate Executive Assistant Director, Federal Bureau of Investigation, delivered a midday keynote on the threat stream, how it affects the automobile industry, what the FBI is doing about it, and his view of the current state of public-private cooperation. He took his cues about the future of vulnerabilities from the venture capital community. The VCs see mobile computing, quantum computing, and autonomous vehicles as growth areas, and with those rapidly evolving technologies will come new sets of vulnerabilities.

He then reviewed the threats: nation-states ("the usual characters") are a threat, then organized crime, hacktivists, and cyber terrorists. We see complex attacks using multiple vectors, and we see a great deal of social engineering (don't forget the insiders). "Threat actors want access and advantage." The Bureau's perspective on risks to the auto industry suggests to Johnson that increased networking and infrastructure connectivity mean that industry must consider security in the design phase, in the supply chain, and in transportation infrastructure.

The FBI is working, Johnson said, "to impose costs," a phrase that's become familiar in FBI and Justice Department presentations on cybersecurity. They seek to prosecute when possible, but at least to name and shame those responsible for attacks. The Bureau is also working to help state and local law enforcement get better at cyber law enforcement.

Johnson sounded another familiar theme, one intended to be reassuring to industry: if you're the victim of a cyberattack or a cybercrime, the FBI is committed to treating you as such, as a crime victim, not as the subject of an investigation. He asked business and industry to establish a relationship with the FBI in advance, before they're attacked. "The FBI needs your help, and wants to help you." Notify law enforcement when you have an incident, and remember that speed matters. The FBI understands your concerns about the marketplace, he said, and is committed to sharing as much information as quickly as it can.

Answering a question from the audience, Johnson said that the FBI is willing to help with the media, when appropriate. The Bureau also has victim specialists. This is all the more reason to engage with the FBI and sister agencies in the Department of Homeland Security in advance of an incident. Part of treating companies like victims, when they're hacked, Johnson added significantly, is not providing opinion or commentary to regulators.