There are lots of reasons to be concerned about James Comey’s sudden firing from his post as FBI director in the midst of investigating ties between Russia and Trump’s campaign and administration. But even though the circumstances of the firing are deeply troubling, there are still legitimate reasons to criticize Comey’s legacy. In particular, it’s a moment to take stock of how badly he misjudged public perception of the FBI’s use of technology and investigations of cybersecurity incidents—and how much that damaged the agency’s reputation and credibility.
Comey’s time at the FBI began with a major technological triumph. In June 2014, less than a year after he began as director, the agency announced one of its most sophisticated technical operations ever—an elaborate, multistage takedown of one of the world’s largest botnets, GameOver Zeus, a network responsible for spreading a major piece of malware. The takedown, dubbed Operation Tovar, may not have been quite the unparalleled success the FBI made it out to be—the eventual resurgence of the malware suggested the criminal operation had been damaged but not destroyed. But it was, nonetheless, a significant milestone for the FBI. Operation Tovar showed that the agency could work effectively with private industry partners to reverse-engineer complicated malware. It coupled that technical work with old-school investigation and cleverly targeted court orders to undermine a massive online criminal operation.
The FBI’s reputation for tackling computer technology has fallen considerably since the days of Operation Tovar—even though strengthening law enforcement’s technological capabilities was a major theme of Comey’s tenure. His leadership was marked by a series of aggressive efforts to harness technology and publicly demonstrate his agency’s mastery of it. But due to some major missteps, he leaves behind an FBI with more technical expertise and less technical credibility than ever before.
Operation Tovar was a high point for the FBI’s technological reputation not just because of what the bureau accomplished but also because of how much information it released about the investigation. In the documents made public after the takedown—which included declarations by special agents, court orders, and indictments—the FBI laid out clearly what it had done and what tools and assistance it had relied on. People who read those documents could appreciate the FBI’s expertise while the partners they worked with in industry touted the collaboration to others at tech conferences and meetings—the FBI’s stock with the tech community had rarely, if ever, been higher.
Compare that with two of the other highest-profile cybersecurity investigations the FBI undertook under Comey’s leadership: the 2014 breach of Sony Pictures and the 2016 Russian interference in the U.S. elections. In both cases, the FBI made public statements placing blame for cybercrimes squarely on the shoulders of foreign governments while providing minimal evidence for its conclusions, undermining confidence in its own technical knowledge.
In attributing the Sony breach to North Korea, for instance, the FBI cited similarities between some of the malware used in the breach and other code that the bureau knew to have been developed by North Korea. Comey also stressed that some emails and online posts ostensibly from the responsible “Guardians of Peace” group originated from North Korean IP addresses.
IP addresses are notoriously easy to forge and manipulate online—the idea that they could be considered conclusive evidence for determining the identity of an attacker is frankly ridiculous. But Comey told NPR in January 2015: “We could see that IP addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans … that was a very clear indication of who was doing this.”
That doesn’t mean the FBI was wrong in its attribution, or that it didn’t have classified conclusive evidence linking the breach to North Korea—but the refusal to give any technical detail beyond an invocation of suspicious IP addresses made it sound like it was making a very strong claim based on relatively weak evidence. The FBI’s certainty in attributing the breach to North Korea was all the more striking given its earlier skepticism about the country’s involvement. To make such an about-face in the course of a month, it must have either discovered some truly damning evidence it didn’t want to share—or it decided to give the impression that it could perform attribution online with absolute confidence.
That same confidence was on display earlier this year, when the FBI, in partnership with the NSA and CIA, released an incredibly vague summary of the technical evidence that had led them to conclude (with “high confidence”) that Russia had interfered with the 2016 U.S. elections. Making matters worse for the FBI, it turned out that in one of the key incidents referenced in the summary—the theft and public release of information stored on Democratic National Committee servers—the FBI had never even directly investigated the breached servers but instead relied on a third-party firm to collect the evidence for them.
And then there was the FBI-Apple showdown over encryption—a demonstration of the FBI’s remarkable, often misguided confidence in its ability to win over the public on technology-related matters. In February 2016, the FBI attempted to leverage the 1789 All Writs Act to force Apple to help it circumvent the protections on an iPhone belonging to Syed Farook, one of the shooters in the 2015 San Bernardino, California, attack. In initiating a big public fight with Apple over this demand, the FBI presumably believed it had found an indefensible target. How could anyone fight to protect the phone of someone who, before he died, had been a mass murderer?
But the Apple-FBI controversy backfired for the FBI in an extremely public and embarrassing fashion—breaking into the phone of a dead killer did not strike many people as especially urgent. Moreover, the public quickly put together the fact that the FBI was asking not for a way to get into one particular person’s iPhone but instead a mechanism that could be used on many, many phones. In a Reuters/Ipsos poll taken shortly after the dispute, 46 percent of Americans supported Apple, compared with only 35 percent who said they disagreed. (An additional 20 percent said they didn’t know.)
The FBI vastly underestimated people’s ability to understand the full technical consequences of what it was demanding or the processes it was attempting to circumvent in making use of the generic All Writs Act powers. It certainly wasn’t the first time law enforcement agencies, including the FBI, had attempted to fight for easier access to encrypted data. Comey’s predecessor, Robert Mueller, pushed for legislation that would require tech companies like Apple to provide the FBI with decrypted device contents. But Comey’s relationship to technology was different. Rather than enter into a long, slow legislative fight, he wanted access to encrypted iPhones immediately and would go after it using whatever tools were at his disposal.
This aggressive approach, like the absolute certainty of his pronouncements on who was responsible for security incidents, cost the FBI considerable credibility. Comey made a big public fuss over the agency’s inability to access encrypted devices—but when the dispute with Apple got hairy, the FBI abandoned it and instead paid a private company to unlock the device for them. He repeatedly gave the impression that the FBI was impatient, occasionally careless, and above all overconfident in its efforts to gather and draw conclusions from digital data.
It was a disheartening decline from the thorough, knowledgeable efforts of Operation Tovar that marked the beginning of his tenure. But the FBI is still more than capable of careful, sophisticated technical work. The next FBI director will have to encourage that work and bring it front and center, in all of its complexity and detail. That will go some way toward reminding the public that the bureau can use computers to do more than just investigate emails.