Silicon Valley FBI cybersecurity chief aims for better cooperation with tech giants

31 May 2017 1:22pm

26 May 2017. By Mike Swift.

When M.K. Palmore arrived in Silicon Valley in early 2014 to assume leadership of the FBI's efforts against hacking, ransomware, DDoS attacks and the innumerable other variants of cybercrime, the Valley didn't quite throw rose petals beneath his feet.

In the days just after Edward Snowden's revelations in 2013 about bulk data collection by the government, and about the National Security Agency's "direct access" to data stored by Google, Facebook, Apple and other US Internet giants, relations between Valley tech companies and the US government had rarely been more sour.

"I thought it would be an easy transition. What I experienced when I came in January 2014 was a very, very cold environment. I'm not parsing words here," Palmore said.

Palmore, the FBI's Assistant Special Agent in Charge for cyber in Silicon Valley, has spent much of the past three and a half years working to rebuild the FBI's rapport with the technology industry. He said he has made substantial headway in that diplomacy, adding that the cooperation the FBI gets from many companies is "robust" and that the FBI now has "fairly vibrant relationships built on trust" with many tech companies.

But not always. In the wake of the Snowden disclosures, many tech companies were furious that their users might think they were complicit in bulk surveillance by the NSA and foreign spy agencies such as Britain's GCHQ. Some of that feeling remains, and Palmore says that he isn't fully satisfied with the state of relations, particularly with more technically advanced Internet companies.

Too often, Palmore said this week, he finds himself arguing with tech company general counsels about whether FBI investigators will be granted full access to the system and network logs that would show what outside intruders changed as they moved through a network, rather than just a static forensic image of a single compromised server taken in the aftermath of a data breach.

"It's like they give us a piece of the puzzle to look at, without giving us the whole puzzle," Palmore said in an interview at the FBI's Silicon Valley offices, in a non-descript, unsigned building near a shopping center not far from the interchange of several freeways. He declined to discuss interactions with specific companies.

Withholding that evidence is a mistake, Palmore says, because of the international cyber-threat intelligence the FBI offers in return to Internet companies, which generally want to do business globally. Hackers operating from outside the United States frequently leave the equivalent of a digital signature in the tools and techniques they use to break into networks, and the FBI can match those patterns across cases. No matter where those people are in the world, "we're pretty good at understanding exactly who is on the other end of the keyboard," Palmore said.

"We have a much wider view of the threat landscape than these independent companies," Palmore said. And that landscape is a frightening one.

"These guys are talented," he said. "They are smart."

Since late last year, Palmore can point to several significant international data breach investigation successes: the FBI identified suspects and enabled law enforcement in Canada and the Czech Republic to arrest them on charges of hacking Yahoo, LinkedIn and Dropbox, some of the biggest breaches in tech history.

Although it didn't specifically say the FBI was the source, Yahoo has said in securities and court filings that it wouldn't have even detected one of three breaches it suffered, in August 2013, had it not been tipped off by law enforcement. "The company has not been able to identify the intrusion associated with this theft," Yahoo said in a filing in December.

Such intrusions, and the groups behind them, are commonly labelled Advanced Persistent Threats, or APTs. The intruders break into a network, often by tricking someone with legitimate access into handing over their credentials, for example through a phishing message. The attackers may then install malicious software that lies dormant for months or even years, the digital version of an undetected tumor, before it is activated to begin copying sensitive data and sending it out of the network.

The men indicted for hacking Yahoo — Karim Baratov, a Canadian and Kazakh national — and for breaking into LinkedIn and Dropbox — Yevgeniy Aleksandrovich Nikulin, a Russian national — are still in custody, awaiting extradition to the US. Both criminal cases will be tried in San Francisco federal court, if the suspects are successfully brought to the US. But there's a complication with Nikulin's extradition from the Czech Republic.

"The Russian government has asked that he be returned to Russia," Palmore said, meaning the outcome of his extradition remains uncertain.

In addition to investigating high-profile breaches of Internet companies, Palmore's agents are also charged with carrying out requests from foreign law enforcement for digital evidence stored by large global Internet platforms headquartered in Silicon Valley. Because of its location, Palmore said his office handles "the lion's share" of the requests for digital evidence from foreign police to US Internet companies under the Mutual Legal Assistance Treaty (MLAT) system.

The MLAT process is widely recognized as outdated and badly overburdened, and the Senate Judiciary Committee held a hearing this week to consider potential reforms that could allow foreign law enforcement to obtain digital evidence directly from US tech companies. If that were to happen, "I think a lot of people would sleep easier," Palmore said.

In another sensitive issue — whether the government could require companies like Apple and Google to build "back doors" into the encryption they use to protect data stored on mobile devices — Palmore said he understands that the existence of a backdoor could undermine the security of those devices. The issue came to a head last year in a standoff between Apple and the US Department of Justice over an encrypted iPhone used in the terrorist attacks in San Bernardino, California.

But a decision to retain the status quo, in which law enforcement will have an increasingly difficult time accessing evidence on encrypted devices, will require a public trade-off, Palmore said.

"You have to understand if that is going to be the case, there will be things that law enforcement misses," he said in public remarks at the Computer History Museum in Mountain View, California. "As long as everyone understands that, I think, ultimately, the issue of privacy will win out over government intervention."

A major legal problem for large social media platforms has been finding ways to limit or block use by terrorist organizations and other criminals. Google, Facebook, and Twitter have all been hit by litigation challenging the companies' immunity from liability for third party content under Section 230 of the Communications Decency Act.

Palmore praised efforts by Facebook to hire staff who would weed out terrorist content, but he also suggested the companies might have waited too long to take that step.

"This is long overdue. The problem is the horse is long out of the barn, and now it becomes a resource issue. The fact of the matter is they don't have enough people to properly review the questionable content," he said in those public comments in Mountain View. "I just think in this digital age, it will be part of doing business. I think social media companies recognize that."
