Director Wray's Remarks at the FBI and University of Kansas Cybersecurity Conference
Remarks as prepared for delivery
Thanks very much, Sen. [Jerry] Moran, and thanks to [University of Kansas] Chancellor [Douglas A.] Girod and KU for hosting me again today on your beautiful campus.
And most importantly, thanks to all of you for joining us.
For a long time now, the FBI’s placed a premium on collaboration with our academic partners. The strong relationship we’ve built between KU and our FBI field office in Kansas City—and this conference, which brings together so many leading experts in cybersecurity—demonstrate the kinds of great things we can accomplish when the Bureau and academia work together.
I’m looking forward to our chat this morning, but first, I want to spend a few minutes talking about how the FBI sees the diverse and constantly evolving cyber threats we’re up against, about some of the innovative ways we’re beating them, and about what we need from everybody here to sustain and build on that momentum.
FBI Countering Cyber Threats Through ‘Joint, Sequenced Operations,’ Director Says
FBI Director Christopher Wray described the Bureau’s aggressive efforts to counter cyber threats and go after attackers in an April 4 speech at a conference of leading cybersecurity experts.
Cyber Threat Overview
I think everyone in this room has a pretty good sense of how complex, persistent, and severe today’s cyber threats have become. They’re more pervasive, hit a wider array of victims, and carry the potential for greater damage than ever before.
Today, we’re investigating more than 100 different ransomware variants, each with scores of victims. Cybercriminals are using ransomware to wreak havoc on business operations, cause devastating financial losses, and target our critical infrastructure. Everything from food distributors to 9-1-1 call centers, police departments and schools to hospitals—something I know two of our special agents, Kyle Neuberger and Dylan Meadows, will discuss in more detail this afternoon.
At the same time, we’re dealing with a host of unique threats from nation-states aimed at disrupting our democratic society. Now more than ever, foreign adversaries like the governments of China, Russia, Iran, and North Korea are using cyber operations to undermine us and achieve their strategic objectives.
They’re growing stealthier—for example, “living off the land” by corrupting native software tools that already exist on victims’ computers (and, thus, don’t raise alarms when they’re in use) rather than uploading big chunks of malicious, and suspicious, code to their victims’ networks. They’re constantly developing new ways to get the most reach and impact out of their operations.
And, on top of all that, it’s getting more and more difficult to discern where cybercriminal activity ends and adversarial nation-state activity begins, as the line between the two grows increasingly blurred.
These days, we see foreign intelligence officers who are moonlighting—making money on the side, through cybercrime—as well as hackers who are profit-minded criminals by day and state-sponsored by night—effectively cyber mercenaries.
What Success Looks Like
So the threat environment is pretty daunting, but the good news is that at the FBI, we’ve learned, and shown, what success looks like.
The Bureau has been focused on what I consider one of our most valuable tools, and the core of the cyber strategy we rolled out not long ago: leading joint, sequenced operations, executed with our partners and designed to maximize impact on our adversaries.
I’m talking about things like Operation Medusa, where we targeted Snake—the Russian FSB’s [Federal Security Service's] most sophisticated malware—and, by using technical means our folks developed, forced it to effectively cannibalize itself. You’ll hear more about that operation from Supervisory Special Agent Joe Lawlor later this morning, but the end result is that, with Medusa, we took down Snake in over 50 countries with the help of our U.S. partners and those from more than half a dozen other nations.
Or another example: the year-and-a-half-long campaign we waged, with our European partners, to hack the hackers of Hive, a ransomware group targeting hospitals, schools, and emergency services. We lawfully compromised their command and control network and used what we learned to seize and shut down their servers and websites, and to build a decryption capability we shared with victims that saved them from tens of millions in ransom payments.
Or how about the joint, sequenced operation that dismantled Genesis Market, where—working with our law enforcement counterparts in a dozen nations—we accomplished our biggest takedown ever of criminals dealing in stolen digital credentials?
In January, there was Operation Dying Ember. For that one, we worked with our U.S. and—again—worldwide law enforcement partners. We ran a court-authorized technical operation to kick the Russian GRU [military intelligence] off well over 1,000 home and small business routers and lock the door behind them. That killed the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world—including America and our allies in Europe.
And, in February, we announced the disruption of LockBit, one of the world’s most active ransomware groups. LockBit has targeted thousands of victims across all sectors and collected millions of dollars in ransom payments. But another joint, sequenced operation—this one among 10 countries—disrupted LockBit's front- and back-end infrastructure in the U.S. and abroad. As part of that technical operation, the FBI seized four servers here in the U.S., and our investigation led to federal charges for five LockBit affiliates.
And that’s without getting into all of our work against Beijing—including a steady stream of operations against their military and intelligence services. As you’d expect, given that China wields a bigger hacking program than those of every major nation combined, we’re confronting them across the country and around the world, literally every day.
We’re developing all these operations based on decades of experience battling nation-state and criminal threats across high- and low-tech domains, now applied in a world where we’re running court-authorized, on-network technical operations at the cutting edge of cyber.
Take cybercriminals. We know, and we go after, everything that makes criminal organizations tick, going after their people—a term we define broadly, to include not just ransomware administrators and affiliates, but also the facilitators they depend on, like bulletproof hosters and money launderers; going after their infrastructure—like their servers and botnets; and going after their money—the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates, and lease infrastructure.
We use a wealth of hard-earned experience to design operations to hit them everywhere it hurts and put them down, hard.
Who Gets the Job Done
Most of our work on those joint, sequenced operations takes place in our 56 field offices all across the country.
And to make sure we’re getting the job done, we’ve put in place what we call the Model Cyber Squad Initiative: bringing together in every field office a team of about a dozen people, special agents and intelligence analysts, as well as computer scientists, data analysts, and other technically skilled personnel. In other words, the perfect blend of investigative, technical, and analytical know-how to both identify cyber threats and take them down.
Thanks in significant part to the committed support of Sen. Moran, we’ve been working hard to stack our offices nationwide with key cyber skills and abilities.
We’re aiming to have at least one Model Cyber Squad in every FBI field office. With that, we can remain focused both on responding to cyber incidents and helping victims and on staying ahead of even the most dangerous foreign adversaries and the most damaging cyber threats.
To do all that, we need even more smart, driven, talented people in the field to do the work—people with the technical skills to keep our cyber workforce world-class.
So, while I’m here at KU, among some of our nation’s best and brightest students about to enter the workforce, here’s a plug: We need more people like you.
We need more people to be one of that elite team determining who’s responsible for cyberattacks; planning and running those joint, sequenced operations to knock our adversaries back; working with victims; and often doing all those things in the same day.
We need talented people on our rapid-response Cyber Action Team—deploying across the country often within hours to respond to major incidents—and working with international partners in our legal attaché offices overseas, seeking justice for victims of cyberattacks.
A job with the FBI could take you anywhere, from New York to New Delhi—or it might even land you right here, in Kansas.
In fact, just yesterday, I cut the ribbon on our brand-new Kansas City Field Office, and I can assure you it’s absolutely state-of-the-art. And it needs to be, too.
In a city as connected as Kansas City—and in offices across the country and around the world—the FBI needs people who want the opportunity to do some really amazing cyber work in support of an incredibly important mission.
Conclusion
For years, the Bureau has been laser-focused on hitting as many adversaries as we can and on getting the most bang for our buck out of every operation.
But with the cyber threat growing increasingly severe and complex, we’ve got both the room, and the need, to grow.
So I hope some of you will apply to join us.
There’s no better way to serve a mission you’re proud of, while doing work that’s the envy of your friends slogging it out elsewhere.
The FBI doesn’t do easy. We focus on what’s hard, what no one else can do—measured both in our own work and in the adversaries we go up against: the most dangerous intelligence services and criminals in the world.
I look forward to continuing this discussion with you this morning.
Thanks again for having me.
