Director Wray's Remarks at the Mandiant/mWISE 2023 Cybersecurity Conference
Good afternoon, everyone. I first want to thank Kevin Mandia for hosting this conference and for inviting me here to speak with all of you today. Any time so many leaders—from the private sector, and the government, and around the world, both managers and front-line defenders—get together in one room, cyberspace becomes a little bit safer.
I firmly believe that the best way to build our collective defense is by having dialogue about the threats we're seeing and having creative conversations about the ways we can work together to stay ahead of them, which is explicitly the FBI's vision: to stay "ahead of the threat."
Now, I understand you've already been discussing ways to do just that, hearing from Kevin and a threat intelligence panel earlier today, and with plenty of other events over the next couple days. But I'd like to spend my time with you this afternoon talking about the FBI's strategy to counter threats in cyberspace, what those threats are that we're countering, and giving you a couple examples of how we form a virtuous cycle with our partners—both foreign and domestic, across government and the private sector—to use the information we receive to take the fight to our adversaries and to protect each other, because everyone here knows it's simply not an option to sit back on our heels in today's environment.
My hope is I can get you to leave here feeling encouraged by what we at the FBI are doing and wanting to be a part of our virtuous cycle.
When the FBI was born 115 years ago, we could've never predicted the threats we're facing today. Back in 1908, we were focused on the first Model Ts hitting the streets and celebrating the Chicago Cubs' second-straight World Series title—which was sure to be the beginning of a dynasty. But if there's one thing we at the FBI have excelled at throughout our history, it's innovation. As the threats have changed, we've changed with them.
One of the biggest inflection points in the Bureau's history, of course, was September 11, 2001. Last week, we commemorated yet another anniversary of that tragedy—a day that dramatically changed the FBI's work and the way we do it, maybe more than any other. Those attacks showed us how much our nation's safety depends on partnerships and on information sharing. So, in the aftermath of 9/11, we made innovative changes that started in our counterterrorism program, and since then, have come to inform every type of investigation we conduct in every community we serve, and cyberspace is no exception.
For more than two decades now, we've had an entire Cyber Division—with cyber squads spread across the country throughout our 56 field offices—all devoted to identifying and mitigating cyber threats. So, while this topic is not new to us at the FBI, our approach to countering the cyber threat has certainly changed over that time.
Today, our strategy is informed by where we sit at the center of a cybersecurity ecosystem that stretches on the defensive side from, most importantly, the private sector, but also sector risk management agencies and CISA [the Cybersecurity and Infrastructure Security Agency] to the NSA [National Security Agency], CIA [Central Intelligence Agency], CYBERCOM [U.S. Cyber Command], and our foreign partners on the offensive side.
What the FBI does is take in information from partners across that spectrum, investigate, develop leads, and share what we have with whoever can use that information to have the greatest impact on our adversaries. That might be a foreign law enforcement agency or intelligence service joining an operation with us. It might be NSA, it might be CISA, but very often, it's the private sector. Whether that's a specific victim that needs a heads-up or a whole industry, we can warn through a bulletin or, increasingly, a provider or other sophisticated partner actually joining one of our operations.
Our goal is to plan and conduct joint, sequenced operations—where we're all on the same page, and each step is taken strategically and with purpose, where it doesn't matter who gets the credit as long as the job gets done.
Often, the FBI is the agency in the best position to make an impact because we have a wide and unique combination of both law enforcement and intelligence authorities, and we're using every one of those authorities and every combination of our tools to impose the greatest possible costs on our enemies. We're doing that by going after the actors and the services that support them—their finances, their communications, their malware, and their infrastructure.
Like earlier this year, when we announced the culmination of a year-and-a-half-long campaign to disrupt the Hive ransomware group. Hive had been extorting victims all around the globe, but we silently and secretly gained and exploited access to their control panel. In effect, we hacked the hackers, and we used our access to help Hive victims decrypt their networks, saving them about $130 million in ransom payments. Then, working with our European partners, we were able to seize Hive's servers and websites, shutting down the criminal group's ability to function.
But we know these operations often don't completely eradicate the threats we're facing, so the process continues. When we do get information about the threat from one company, we work hard to develop analysis about who the adversary is; what they're doing; and where, why, and how they're doing it—all while taking pains to protect that company's identity.
And then, we pass what we've developed to our partners, and they ball that up with what they know and their reporting and, in return, provide us with even more information and actionable leads, enhancing our global investigations.
Ultimately, that helps us discover malicious infrastructure we can target. It helps us discover victims two, three, four, and five that we can help because of victim 1. It helps us run new operations with new partners against the same adversary.
Then, the process repeats itself. That's the virtuous cycle I mentioned earlier—and it's only possible when we work together.
Each piece of data is one part of a larger, longer-term puzzle. And while, by its very nature, work like that is never complete, we've had some real successes in recent years.
Take an operation we executed in 2022, for instance, when we remotely disrupted Cyclops Blink, a widespread botnet built by Russia's GRU—its military intelligence agency—before the botnet could do any harm. We did that by creatively combining a traditional federal search warrant and extraterritorial law enforcement authorities, but we were only as successful as we were because of willing and able private sector participation. In that case, the GRU's Sandworm team had managed to implant malware on thousands of firewall devices worldwide. Those devices were largely used by small and medium-sized businesses and produced by WatchGuard Technologies.
But, we were able to alert WatchGuard about the malware targeting their devices and collect additional samples from other victims. That allowed us to reverse-engineer the malware, and develop and execute a sophisticated technical operation, severing the GRU's ability to communicate with the botnet's command-and-control layer, all while working with CISA and WatchGuard on mitigation efforts. Because of that collaboration, we were ultimately able to cut off the GRU's ability to control the botnet, remove the malware from the affected devices, and shut the door on our way out so the Russians couldn't get back in.
That type of collaborative, public-private operation is the present and the future for the FBI, and it will only become more important as the threats continue to evolve, just as they have for the past 115 years. Because the TTPs—the tactics, techniques, and procedures—cybercriminals and nation-states use to attack our networks and our digitally connected way of life are constantly evolving, the intelligence and operational briefings I get from our team every day make it pretty clear—as I'm sure this group can guess—that our cyber program is where we're facing some of our most complex, most severe, and most rapidly evolving threats. And what our team knows—and what everybody in this room knows, too—is that today's cyber threats are more pervasive, hit a wider array of victims, and carry the potential for greater damage than ever before.
On top of that, there always seems to be a new danger on the horizon.
Of course, at the front of everyone's minds today are the artificial intelligence capabilities being developed here in the U.S. and around the world. I'm sure none of you will be shocked to hear that AI is ripe for potential abuses—and that criminals and hostile foreign governments are already exploiting the technology. And while generative AI can certainly save law-abiding citizens time by automating tasks, it also makes it easier for bad guys to do things like generate deepfakes and malicious code and can provide a tool for threat actors to develop increasingly powerful, sophisticated, customizable, and scalable capabilities.
So, to stay ahead of the threat, at the FBI, we're determining how we can ethically and legally leverage AI to do our jobs, but we're also identifying and tracking our adversaries' and criminals' uses of AI, while protecting American innovation in the AI arena.
Because, as we've been telling anyone who will listen, the Chinese government has been stealing American intellectual property and data for years, and you can be sure they're not going to stop now and sit back and watch while American companies develop technologies that can change the world. China already has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI's cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50:1. Let me say that again: 50:1. With AI, China is now in position to try to close the cycle—to use the fruits of their widespread hacking to power, with AI, even-more-powerful hacking efforts.
And it's not just China: The Russian, Iranian, and North Korean cyber programs are also relentless.
And it's becoming increasingly difficult to discern where cybercriminal activity ends and adversarial nation-state activity begins. Like when we see foreign intelligence officers moonlighting—making money on the side through cybercrime—or hackers who are profit-minded criminals by day and state-sponsored by night, or nation-states using cybercriminal tools to conduct state-sponsored attacks because they think it gives them some plausible deniability or will hide who's behind the attacks. These threats are why we want and need your help, and when we work together, we're able to strike some serious blows against these actors.
Just last month, we announced the results of a worldwide, FBI-led operation that crippled Qakbot, one of the longest-running botnets ever seen. The botnet compromised everything from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. It was used by cybercriminals to attack a publishing company two years ago, which then had to pay $4.9 million in ransom. Last year, malicious actors used the botnet to steal gigabytes of private information from a healthcare provider and later leaked that information on the darkweb.
Then the FBI and our partners stepped in, working with five other countries. We neutralized Qakbot's command-and-control servers, redirected botnet traffic to an FBI-controlled server, quickly notified victims they had been compromised, removed Qakbot malware from infected victims, seized and dismantled the botnet's support infrastructure, and seized millions of dollars of cryptocurrency. These are the key services I mentioned earlier that we're targeting.
So even though this botnet was one of the world's largest, we showed that our own network—and our own capabilities—are more powerful. And we're going to continue using all lawful methods to put constant, proactive pressure on our adversaries. We're going to go after all parts of their organizations, all parts of their operations, and we're going to keep imposing consequences for their illegal action.
So I hope all of this has been informative, but I also hope it's shown you the benefits of working with the FBI, which is, admittedly, part of why I'm here today: to recruit you to partner with us. One more plug: Just by coming here this week, it's clear you and your organizations take cybersecurity seriously and share our goal to make cyberspace a safer place for everyone.
So you've likely also been planning ahead for when you're targeted or compromised by a cyberattack. To take that one step further, my request is not just that you make an incident-response plan, but that you make us at the FBI part of that incident-response plan.
We know the private sector hasn't always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won't be showing up in raid jackets. Instead, we'll treat you like the victims you are—just like we treat all victims of all crimes.
To make that even easier, give our folks a call today and build a relationship with your local FBI field office now. If you know who to call, and we know who you are, that will make information sharing easier both ways and will make everything a lot more efficient if and when a crisis comes. Then, once we build these trusted relationships, we can possibly bring you in on close-hold operations and we can more confidently provide you with sensitive leads.
But none of this works if compromises don't get reported to us in the first place. We just cannot help you if we don't know there's an issue, nor can we warn and protect others.
So our approach is victim-centered, because it helps us help you. It helps us help others who may be in danger, and it helps us use the intelligence we receive to take actions and run operations to defeat our adversaries.
Through that process—that virtuous cycle where we share, analyze, repeat—we can protect our nation's networks.
As an example, many of you probably remember the cyberattack on Colonial Pipeline in 2021, which led to a fuel panic along America's East Coast.
Once Colonial was compromised, they quickly engaged Mandiant to help with incident response, and as a result of their combined cooperation with the FBI—and the fast, open sharing of timely, relevant, accurate information—we were able to focus on our investigation and quickly make substantial breakthroughs. At the same time, the information shared by Colonial and Mandiant allowed the FBI and our government partners to publish information related to the cybercriminals responsible for the attack—and helped the public better prepare for possible future attacks.
And Colonial benefitted, too. Because Colonial reached out so quickly, we were able to identify and seize the virtual currency wallets belonging to the hackers, giving back most of the ransom to Colonial and depriving the bad guys of their ill-gotten gains. That's the type of success that's possible when we all work together toward common goals, even if we may be approaching those goals from different angles.
For those 115 years I mentioned earlier, the Bureau has been charged with protecting the American people and upholding the Constitution. I tell this to every class of new agent graduates I speak to: it's a simple mission to say, yet profound to actually execute, and the FBI workforce goes to the ends of the earth, literally, every day to achieve that mission.
It's inspiring to watch and inspiring to be a part of, but we know we can't accomplish it on our own. We cannot do what we do—we cannot protect the American people—without partners like you. So, I want to thank you again for taking the time out of your busy schedules to come to Washington to listen to my thoughts and my requests of you, and to talk with each other about how we can strengthen our collective defense. And I want you to also know how grateful we are for your commitment to collaboration and cooperation and your willingness to share what you know with us as we work together to keep the country and the world safe. Thank you.