FBI takes cyberattack fight in new direction

The FBI no longer wants to assign agents to handle cyber crimes based on the victim’s location.

A single criminal can conduct thousands of cyberattacks in all 50 states simultaneously, said FBI Director James Comey. That’s forever altered concepts of individual jurisdiction, and the FBI must adapt, Comey argued.

“Notions of traditional ‘my division, your division’ don’t really make sense in that environment,” Comey told an industry audience at the Overseas Security Advisory Council annual briefing on Wednesday.

What does make sense is assigning the worst cyber offensives to the most talented divisions at the bureau, “without regard to where we are seeing particular manifestation of that threat,” Comey said.

“For the first time at the FBI, we’re going to approach cyber by not being bound to traditional notions of area of responsibility,” he explained.

It’s part of the FBI’s broader cyber strategy to work around territorial limits on cyber investigations.

The bureau has been seeking the authority to remotely hack and spy on electronic devices, even if they can’t locate that device.

With a few exceptions, magistrate judges can only issue search warrants within their jurisdiction. If the FBI can’t locate a device, it can’t get a warrant.

The bureau is also asking the little-known Advisory Committee on Criminal Rules to let a single judge issue warrants allowing the FBI to search a network spanning myriad jurisdictions.

Privacy advocates worry such changes would give the FBI unrestrained, unconstitutional surveillance power. The FBI argues the changes are necessary for modern technical investigations.

“The bad guys have shrunk the world,” Comey put it Wednesday.

He said he wants his best agents on the worst bad guys — nation-state hackers, sophisticated cyber thieves backed by nation states and worldwide cyber crime syndicates — regardless of where the hacked company is located.

These "worst bad guys" are suspected in most high-profile hacks of private companies over the last year.

Data breaches at Target, Home Depot and JPMorgan exposed the personal data of hundreds of millions of customers.

“Normally, we’d be driven by the victims," Comey explained. "Which companies have raised their hand and said, ‘We’ve been hacked,’ and then we would assign the matter to that field office."

Instead, the threat will get assigned based on the dangerousness and complexity of the threat. Then, up to four regional field offices will be tasked with assisting local hacking victims after the initial threat has been assigned to

The strategy is not set in stone, Comey cautioned.

“We’re going to try that,” he said. “We want to get feedback.”