Philip Celestini, section chief of the FBI’s cyber division, has a motto when it comes to talking about cyber security. “First I’m gonna scare you, then I’m going to scare you a little more, then I’m going to tell you at the end: it’s really not all that bad,” Celestini said recently before a crowded room of surveillance professionals at ISC East, the largest physical surveillance conference in the northeast.
Celestini, who has been with the FBI for almost 25 years, gave a wide-ranging talk focused on the threat of adversarial nation-states, terrorist and criminal groups, and to lesser extent, hacktivists and low-level cyberbullies. Unmentioned, however, were a host of serious concerns to Americans worried about their privacy online. Those anxieties are exacerbated by the fact that the incoming president-elect has shown himself as someone eager to exact vengeance on his enemies.
Celestini largely ignored the question of strong encryption and state-mandated backdoors in consumer devices – a debate that has raged since the FBI asked Apple to break into the encrypted phone of one of the San Bernardino shooters. Jim Comey, the FBI Director and Celestini’s boss, has publicly called on tech companies to insert vulnerabilities into their products so law enforcement would have access to otherwise hidden information. Security researchers say there is no way to do that without exposing users to any number of bad actors and weaken encryption across the entire Internet.
After the talk, Inverse asked Celestini if current laws around digital copyright are prioritizing corporate profits over security, as activists allege. As the law stands now, security researchers can face criminal penalties for disclosing flaws in copyright-protected software. Celestini, for his part, suggested that researchers would probably be safe from prosecution as long as they were acting in good faith.
“Anybody who’s trying to help, I’m not going to say you’re going to get a pass every time, but it makes it very difficult from an investigative and prosecutive [sic] standpoint to say, ‘they’re trying to help.’ Trying to prove criminal intent there is difficult,” Celestini tells Inverse. “I’m not saying it can’t be done, because there have been plenty of people who have done malicious things online and then when they get caught they immediately try to retreat behind, ‘oh no no, I was [penetration testing], or I was doing ethical hacking, I was trying to help increase security.’ If we can prove otherwise, we will.”
In his talk, Celestini briefly mentioned the Computer Fraud and Abuse Act, the 1986 anti-hacking law that many critics claim is woefully out of date. Under the CFAA, prosecutors threatened information activist Aaron Swartz with decades in prison for releasing academic journals to the public. Swartz committed suicide under the pressure, and activists have lobbied for an update to the CFAA named in Swartz’s honor. Swartz is far from the only person who faced draconian penalties under the law, however. Other well-known cases include the online troll Andrew “Weev” Auernheimer, and Matthew Keys.
When asked by Inverse if the CFAA needed an update, Celestini claimed ignorance, somewhat unbelievably given his position. “I can’t comment on that because it’s been so long since I even looked at it, it would not be appropriate for me to comment,” he says. “But it’s a great question.”