Christopher Wray
Federal Bureau of Investigation
Detroit Economic Club
Detroit, MI
March 22, 2022

FBI Partnering with the Private Sector to Counter the Cyber Threat

Remarks prepared for delivery.

Thank you, Peter, for that kind introduction and to you and the club for the invitation to speak with you today.

I want to focus this afternoon on partnerships and, in particular, the critical importance of the FBI and the private sector working together to tackle today’s threats. But I want to start in what might seem like a strange place, the terrorist attacks of 2001. On that day—after years as a career prosecutor—I was a new appointee at the Department of Justice and spent most of September 11 in a packed command center at FBI headquarters. Everyone was trying to help, while at the same time struggling to comprehend the horrific reality of what was unfolding

I also remember in the months that followed struggling to understand how 19 terrorists had been inside the U.S., plotting a complicated, synchronized attack, and yet government agencies hadn’t discovered their plans or been able to stop them.

The 9/11 Commission wrote that this stemmed, in part, from the fact that our intelligence and law enforcement agencies working to counter terrorism weren’t sitting down together. They wrote, and this is a quote, “No one component holds all the relevant information,” and without everyone sharing, it wasn’t possible to “connect the dots.”

Twenty years later, I’m proud of how the law enforcement and intelligence communities responded. We broke down barriers across government and strengthened relationships with law enforcement and intelligence partners both here and abroad.

Through our Joint Terrorism Task Forces, the FBI deepened relationships with state and local law enforcement, whose eyes and ears in their communities help us better prevent attacks.

Those transformational changes in how we carried out our mission after 9/11 made us stronger and better and our country safer, but the world and the threat landscape have evolved over the past 20 years. Think about the fact that, really until 2002, not even BlackBerry made a phone that could send e-mail, that back then most people got online with dial-up, and that no one used “google” as a verb.

Twenty years ago, the FBI was laser-focused on the threat of coordinated, complex physical attacks on things like buildings, shopping malls, and bridges. That threat is still with us, but today, we’ve also got to be vigilant against someone half a world away trying to shut down an entire sector of our society with a piece of code, and I don’t use the words “shut down” metaphorically.

As you all know because many of you work in these industries, we have assets, systems, and networks so vital that losing them could have devastating effects on our national security, our economic security, our public health and safety, the kind of harm that we would all feel in our everyday lives, not just something we read about in the news. That’s what I want to talk with you about today: the hidden threats our cyber adversaries pose to businesses and institutions, things we often take for granted, and the need to bring private sector partners, all of you, to the fight.

We’re seeing both profit-minded criminals and nation-state adversaries, and sometimes the two working in a toxic tandem, attacking or threatening those hurt-us-at-home targets. Ransomware groups, because they know the harder they squeeze the more they can get paid; we’ve seen them compromise networks for oil and gas pipelines, hospitals, grade schools, 9-1-1 call centers.

All of you will likely remember when Colonial Pipeline, one of our nation’s largest oil pipelines, got hit by a ransomware attack by the DarkSide hacking group last year. That attack impacted billing systems and IT systems used to monitor the pipeline, not operational systems that actually transport fuel, but being appropriately cautious, Colonial shut down their pipeline operations until they confirmed that the operational systems were safe.

In the days that followed, people across the Southeast panicked, and gas stations all the way up to DC completely ran out of gas. The President had to declare a state of emergency. If that’s not a hurt you feel at home, I don’t know what is. Bottom line, I can’t think of anything ransomware groups would consider off-limits, and they’re hitting us more and more all the time. In total, between 2019 and 2021, the number of ransomware complaints reported to the FBI increased by 82 percent.

And just to give one example of what these ransomware groups can do, since we opened our investigation into the Russia-based REvil hackers in August 2019, they’ve attacked more than 40,000 US-based victims and received over 150 million dollars in ransoms through virtual currency systems Bitcoin and Monero.

To put things in perspective, last year, we saw ransomware incidents against 14 of 16 U.S. critical infrastructure sectors, and that’s just ransomware. Like last May, when a ransomware attack on JBS, the world’s largest supplier of beef, chicken, and pork, resulted in a complete stoppage at their meat production facilities in the U.S., Canada, and Australia. You may remember prices spiking and meat counters looking sparse. The JBS attack showed that cyber criminals could literally affect our ability to put food on the table.

Targeting of those vital networks is in some ways even more dangerous when it’s done by nation-states. Their efforts may look the same as a criminal attack at first. For example, if they’re using ransomware, you see a notice that your data is encrypted, but when a nation-state is responsible, there may not be a decryption key available at any price.

Last June, hackers sponsored by the Iranian government compromised a U.S. children’s hospital. Let me repeat that: a children’s hospital.

And in 2017, the Russian military used purported ransomware called NotPetya to hit Ukrainian critical infrastructure with what was supposed to look like a ransomware heist but was actually designed to destroy systems. They targeted Ukraine but ended up also hitting systems here, throughout Europe, and elsewhere. That attack ended up causing more than 10 billion dollars in damages, one of the most damaging cyberattacks in the history of cyberattacks, and went global before anyone knew to do anything.

Today, with the ongoing conflict raging in Ukraine, we’re particularly focused on the destructive cyber threat posed by the Russian intel services, and cybercriminal groups they protect and support. We have cyber personnel working closely with the Ukrainians and our other allies abroad, and with the private sector and our partners here.

But we’ve also got to keep a close eye on other nations with a history of threatening us, not just Russia and Iran. We’ve seen North Korea take destructive cyber action as well, and the Chinese government has hacked more than a dozen U.S. oil and gas pipeline operators, not just stealing their information but holding them, and all of us, at risk—an awfully dangerous threat from a massive, sophisticated hacking program that’s bigger than those of every other major country combined.

Beyond ransomware, the cyber threat to intellectual property, to our economic vitality, is also growing. That’s compounding the more-easily-visible economic damage from ransomware attacks. Actors like the Chinese government are working to dominate entire technology sectors by stealing corporate ideas and innovation. They typically do this by simultaneously corrupting your trusted insiders and conducting direct cyber intrusions.

To put it simply, whatever makes an industry tick, they target. When they’re successful, that results in job losses and devastates local economies, hurting Main Street as much as Wall Street, and taking food off the table in a whole different way than the JBS Foods attack did.

The scale is staggering. To pick just one example, a year ago, hackers with China’s Ministry of State Security targeted a vulnerability in the Microsoft Exchange Server, software widely used in corporate e-mail systems. They compromised tens of thousands of computers worldwide, and left back doors so they could return whenever they wanted. And to give you a sense of how common that kind of theft is, just using cyber means, Chinese government hackers have stolen more of our personal and corporate data than all other countries combined.

Fortunately, in each of the cases I just cited, FBI action helped lessen the damage. That children’s hospital? We raced there within hours, gave them intelligence and indicators about the attack, and helped them stop it before their systems were locked up and their young patients harmed. We attributed the NotPetya attack to a Russian GRU unit, and we’ve been pushing indicators about its activities to industry, foreign partners, and social media companies. Those back doors the Chinese intelligence service left across America in the Exchange hack? We ran an operation, in collaboration with Microsoft, to slam them shut.

And we’re disrupting attacks like these every day. Right here in Detroit, our field office has been countering a significant ransomware strain, and they’ve helped protect a number of businesses by decrypting their networks for them, important employers around the region like a rail infrastructure firm, a packaging company, a shipping company.

That Colonial ransomware attack? It was bad, but it could have been so much worse. If the hackers had gained access to the operational systems running the pipeline, we wouldn’t have been looking at a five-day shutdown, but something with potentially lasting effect.

Thankfully, shortly after they realized what was happening, Colonial called the FBI field office in Atlanta, where they had an established relationship, and Atlanta knew that our field office in San Francisco had been investigating the DarkSide group for more than six months already. Within hours of their initial report, we were pushing Colonial relevant technical information, along with remediation tactics, techniques, and procedures, and we quickly engaged with DHS’s Cybersecurity and Infrastructure Security Agency and the Department of Energy to bring their resources into the fold. We were well-positioned to handle all this coordination so that Colonial could focus on their own systems.

Our San Francisco office did the forensic examination that helped identify the intrusion vector, a specific compromised company VPN account, which in turn helped Colonial’s cybersecurity firm, Mandiant, make sure that hole was plugged. Because Colonial reached out so quickly, we were also able to identify and seize the virtual currency wallet belonging to the hackers. Colonial got back most of the ransom it had paid, and the bad guys were deprived of their ill-gotten gains, and we provided the indicators of compromise we learned from working with them more broadly to network defenders, sparing countless potential other victims a similar fate.

But what I want to emphasize today is that we’re not doing all this alone. We learned important lessons from 9/11 and the ongoing fight against terrorism and we’ve applied those lessons to everything else we do. Just as we expanded our Joint Terrorism Task Forces to many more cities after 9/11, we’ve now set up Cyber Task Forces in all of our 56 FBI Field Offices across the country, so, if you ever call for help, you’re going to get a whole team with specialized expertise to help you and with jurisdiction to go after any cyber bad actor. That’s at every FBI field office.

The biggest difference between the model we built to fight terrorism and the way we battle cyber threats is the importance of the private sector. Private networks, whether they belong to a pipeline operator, some other kind of victim, or an Internet service provider, are most often the place we confront adversaries. We share information with the private sector whenever we can through one-on-one outreach, though cyber threat bulletins, and through our many partnerships, like with the 627 Fortune-1000 companies who belong to DSAC, our Domestic Security Alliance Council, and the more-than-70,000 professionals in our InfraGard program—all of whom are focused on protecting critical U.S. infrastructure. We may not always be able to tell you how we know what we know, but we can get you what you need to protect yourself.

But we also need what the private sector sees to protect companies, schools, universities, of all kinds. If American businesses don’t report attacks and intrusions, we won’t know about most of them, which means we can’t help you recover, and we don’t know to stop the next attack, whether that’s another against you or a new attack on one of your partners. We like to say that the best way to protect one business is to hear from others, and the best way to protect others is to hear from that one.

Fortunately, over the past few years, we’ve been getting thousands of intrusion reports from companies annually. That sharing kicks off a virtuous cycle. We use it to develop information about who the adversary is, what they’re doing, where, why, and how, taking pains to protect the information we get from companies the same way we carefully protect our sources when we get info from our investigations, NSA, foreign partners, etc.

We pass what we develop to partners here and abroad, our fellow U.S. and foreign intel services, foreign law enforcement, providers like Microsoft, CISA, sector risk management agencies. Those partners can then in turn use what we’ve given to provide us with more information, feeding our global investigations, helping us discover more malicious infrastructure we can target ourselves or alert private sector partners to more disruption and arrest opportunities, which leads us to more useful information to pass back to that first company, to better remediate and protect itself, maybe find more technical info it can share back to us and to our partners, to take further steps and so on.

It’s why we’re deployed across the country and in nearly 80 countries around the world. What partnership lets us do is hit our adversaries at every point, from the victims’ networks back all the way to the hackers’ own computers, because when it comes to the FBI’s cyber strategy, we know trying to stand in the goal and block shots isn’t going to get the job done.

We’re disrupting three things: the threat actors, their infrastructure, and their money. And we have the most durable impact when we work with all of our partners to disrupt all three together.

Going after the actors: We work with like-minded countries to identify who is responsible for the most damaging ransomware schemes and take them out of the game, and we cast a wide net: not just going after the ransomware group’s administrators and affiliates but also the money launderers, malware developers, bulletproof hosting providers, and others that enable them. That may mean arresting and extraditing them to the U.S. to face justice, or it may mean prosecution by a foreign partner, or finding other ways with our intelligence community partners to pressure and disrupt them.

Simultaneously, taking down cybercriminals’ technical infrastructure, their servers, domains, botnets, malware, etc., disrupts their operations. Just last year, the FBI led an international operation that seized control of a botnet called Emotet—consisting of tens of thousands of infected computers, used in a range of cybercrime schemes including ransomware.

Going after their money: When we seize virtual wallets and return stolen funds, that not only helps the victims but takes resources away from the bad guys, helping to prevent future criminal operations.

But like I said, the FBI and the government as a whole needs your help to make these operations work. Together, we can protect your companies and our critical infrastructure, and shut down malicious activities before they hurt anyone else. With that in mind, I’ll ask the business leaders listening today to develop a formal cyber incident response plan, if you haven’t already, and include the contact information for your local FBI field office somewhere in that plan.

For our part, I and the leaders in all 56 FBI field offices have spent a huge amount of time reaching out to critical partners in the private sector, like those of you here, because to me, success looks like strong relationships between all of you and your local FBI field offices, here in Detroit or elsewhere, so that in the unfortunate event of an intrusion, you’ll already have a relationship with the guy or gal who can be on your doorstep in hours to help you get your systems, information, and resources back. So, I’m looking forward to continuing our conversation this afternoon, and more importantly, for the work we’ll do together, going forward.