In a broad appeal for greater cooperation with the security community in the private sector, FBI Director Christopher Wray blasted the prevalence of unbreakable encryption, calling investigators' inability to access the contents of thousands of devices "a major public safety issue."
In fiscal 2017, FBI investigators were stymied in their attempts to obtain the contents of 7,775 devices involved in investigations in which a judge had authorized access, Wray said in a keynote address here at Boston College's second annual cybersecurity summit on Wednesday.
Wray made an impassioned appeal for help from the tech sector and the security community to address a familiar but stubborn problem, urging a good-faith collaboration from all sides to strike a balance that respects strong privacy and security without unreasonably hindering law-enforcement investigations.
"The FBI supports information security measures. We support strong encryption," Wray said. "But, information security programs need to be thoughtfully designed so that they don't undermine the lawful — underline the word lawful — tools that we need to keep the American people safe."
The thoughtful design that Wray envisions would necessitate a thaw in relations between the public and private sectors. The friction between the two is longstanding, and memorably flared up with the FBI's long struggle to gain access to the contents of the iPhone of one of the shooters in the 2015 massacre in San Bernardino, California.
That standoff between the FBI and Apple brought attention to the debate over the utility of metadata in criminal investigations. Metadata — information detailing things like when and where phone calls were made or text messages were sent — can be obtained without having to crack open the device to view its contents, Wray acknowledged. But in building a criminal case, metadata only goes so far.
"To be fair, while there's certainly some things we can glean from that, if the purpose is to actually prosecute terrorists and criminals, to actually prevent attacks and save lives by arresting and prosecuting people, words, content can be evidence," Wray said. "Mere associations are not going to get us very far in keeping the American people safe."
Wray offers no prescription for what a product that satisfies tech companies' insistence on security and user privacy, while still affording law enforcement the access it needs, would look like. He envisions solutions arising from technical innovation, and potentially varying from one type of device to another, but emerging as the result of an ongoing dialogue between two camps whose positions sometimes have seemed too hardened to find room for compromise.
"I'm convinced that we're going to need — and we want — the private sector to help. We need them to respond to lawfully issued court orders in a way that's consistent both with the rule of law and strong cybersecurity," Wray said. "I just do not buy the claim that we should throw up our hands and say that's impossible."
The appeal for greater information sharing comes as the FBI observes a spike in attacks that are the product of a collaboration among what traditionally have been distinct adversaries. Increasingly, agents of a foreign government are enlisting criminal groups to orchestrate an attack against a government or corporate target, according to Wray.
"We've also been seeing more and more of what we refer to as blended threat — nation-states using criminal hackers to do their dirty work," he said.
Wray amplified his call for cooperation on the encryption issue with a more general plea for companies to work with law enforcement to report attacks and provide information about emerging threats. Within the law enforcement agencies at various levels of government, many of which have historically resisted the very information sharing that Wray is advocating, longstanding barriers have been leveled in response to the rapidly evolving threat landscape.
"The threat is moving so quickly that if there was ever a place for turf battles, that time is long, long, long gone," he said. "We're much less concerned about who you call than that you call, and that you call as promptly as possible.