Tackling the Cyber Threat Through Partnerships and Innovation
Remarks as delivered.
Good morning. It’s an honor to be here today. This is the FBI’s fourth year co-hosting this conference with Boston College. I couldn’t be here last year, and it’s great to be back. This has become one of the most unique gatherings of voices, thinkers, and policy makers in the cyber realm. And it’s one we’re really proud to be a part of at the FBI.
In my first two years as FBI Director, I’ve traveled around to all 56 field offices, and I’ve met with folks from every division at Headquarters. I've met with scores of our foreign law enforcement and intelligence community partners, with leaders of small and large businesses and community leaders, with judges, law enforcement leaders from all 50 states, and with crime victims and their families.
And while doing so, I’ve been taking stock of how things compare to my last tenure in government, when I was responsible for the DOJ Criminal Division’s cyber program, overseeing, among other things, the Computer Crimes and Intellectual Property Section. In those days, before the creation of the National Security Division, I oversaw the counterterrorism and counterespionage programs as well. Coming back to government after 12 years away in 2017, to a Bureau responsible for combating a wide array of threats, it’s fair to say that none has evolved as dramatically as the cyber threat. We all know about the data breaches, the theft of PII, online scams, and the like.
But coming back to law enforcement, I saw how much the cyber threat had grown—in its complexity, its sophistication, and its scope. Cyber capabilities have become a more powerful weapon than ever for some pretty dangerous people—and dangerous nations, too. So we’re working to make sure we’re even more thoughtful, driven, and agile than they are when it comes to harnessing emerging technology and innovation—to keep our people, our intellectual property, and our data safe.
Today I want to talk about the cyber threat writ large. I want to focus on what we’re doing in the FBI to address that threat. I want to highlight the need for strong partnerships at every level. And I want to talk a bit about institutionalizing innovation—how we can take a more high-level and creative approach to this growing threat. Because we can’t just fight this threat one by one: One bad guy at a time, one syndicate at a time, one victim company at a time. We’ve also got to tackle the cyber threat as a whole, applying our capabilities, our intelligence, and our partnerships to their full extent.
So let’s start with the threats. In some ways, the nature of the cyber threat hasn’t changed that much over the past few years, at least. But the scope has changed, the impact has deepened, and many of the players have become more dangerous. We’re still seeing hack after hack and breach after breach. We hear about it daily in the news. The more we shift to the Internet as the conduit and the repository for everything we use and share and manage, the more danger we’re in.
Today we’re worried about a wider-than-ever range of threat actors, from multi-national cyber syndicates to nation-state adversaries. And we’re concerned about a wider-than-ever gamut of methods continually employed in new ways, like the targeting of managed service providers—MSPs—as a way to access scores of victims by hacking just one provider.
China’s MSS pioneered the technique—we indicted two MSS officers for hacking a slew of MSPs in December 2018. But now criminal hackers do the same. We’re seeing them take advantage of the ability to hack a single managed service provider to steal—or in the case of ransomware, encrypt—data belonging to many of the provider’s customers—in effect, grabbing the janitor’s entire big key ring instead of a key to just one apartment.
In addition, we face the increasingly blended threat of state-sponsored economic espionage facilitated by cyber intrusions. More than ever, our adversaries’ targets are our nation’s core economic assets—our information and ideas, our innovation, our research and development, our technology. No country poses a broader, more severe threat to those assets than China.
As I know this audience is well aware, they’re not just targeting companies related to our defense industry—they’re targeting companies producing everything from proprietary rice seeds to software for wind turbines to high-end medical devices. And they’re not just targeting innovation and R&D. They’re going after cost and pricing information, internal strategy documents, bulk PII—anything that can give them a competitive advantage. Their intelligence services increasingly hire hacking contractors, who do the government’s bidding, to try to obfuscate the connection between the Chinese government and the theft of our data.
We see Chinese companies stealing American intellectual property to avoid the hard slog of innovation and then using it to compete against the very American companies they victimized—in effect, cheating twice over. To be clear: This threat is not about the Chinese people as a whole, and certainly not about Chinese-Americans as a group, but it is about the Chinese government and the Chinese Communist Party.
China is by no means the only country stealing our intellectual property for their own advantage. But nor is that the only cyber threat presented by the PRC government. They’re working to obtain controlled defense technology and developing the ability to use cyber means to complement any future real-world conflict. In those areas they have plenty of company as well. Russia, Iran, North Korea. All of them, and others, are working to simultaneously strengthen themselves, and weaken the United States. And we’re taking all these nation state threats very seriously.
But as dangerous as nation-states are, we don’t have the luxury of focusing on them alone. We’re also battling the increasing sophistication of criminal groups that places many hackers on a level we used to see only among hackers working for governments. The proliferation of malware as a service, where darkweb vendors sell sophistication in exchange for cryptocurrency, increases the difficulty of stopping what would once have been less-dangerous offenders. It can give a ring of unsophisticated criminals the tools to paralyze entire hospitals, police departments, and businesses with ransomware. Often the hackers themselves haven’t actually gotten much more sophisticated—but they’re renting sophisticated capabilities, requiring us to up our game as we work to defeat them, too.
We’re having to fight these increasingly-dangerous threats while contending with providers increasingly shielding indispensable information about those threats from any form of lawful access—through warrant-proof encryption. We are all for strong encryption—and contrary to what you might hear, we’re not advocating for “back doors.” We’ve been asking for providers to make sure that they themselves maintain some kind of access to the encrypted data we need, so they can still provide it in response to a court order. When they can’t, they’re often blinding us to vital evidence showing who’s behind an intrusion, or what they’re going to do next.
Premier Cyber Investigative Agency
Thankfully we don’t face this wide array of threats alone—far from it. Befitting the scope of the danger, America deploys a whole cyber ecosystem against it. And at the FBI, we play a central, core role in that ecosystem. Our shared goal is to ensure safety, security, and confidence in our increasingly connected world. That sounds good but it’s a lot harder to actually do day after day.
At the Bureau, we’re particularly focused on imposing risk and consequences on cyber adversaries. And we’re doing that by going after them using a blend of world-class capabilities and enduring partnerships—building on a century of innovation.
Let me break that down a bit. First, our capabilities. Our unique authorities allow us to conduct investigations, collect and share intelligence, and engage domestic and international partners, as well as victims, enabling us to attribute cyber crimes and attacks, determining and showing who’s responsible—often right down to knowing who’s on the keyboard. That attribution allows us and our government partners to leverage the instruments of state power to bring pain and consequences to adversaries. And attribution, with the evidence we collect on those adversaries—what they’re doing, where they are—also allows us to disrupt them in progress.
As both a law enforcement and intelligence service, we’re able to capitalize on a uniquely broad range of information sources. Here in the U.S., most of the evidence we need to further our investigations requires either an explicit order from, or supervision by, a court. We serve and execute criminal legal process like search warrants and subpoenas. We also work under the supervision of the Foreign Intelligence Surveillance Court—the FISC.
FISA is one of the most important investigative tools we’ve got in preventing our adversaries from harming our country. We can’t leverage our role in the intelligence community without it—FISA is what allows us to target nation-state threats that are close at hand, right here in America, that we learn of from U.S. and allied intel partners or other sensitive methods. Our Constitution in many situations rightly demands a warrant or order before we take investigative steps. And the FISC provides that vital, independent oversight. FISA is a powerful tool—and we’ve got to be sure we’re using it properly, at every step in the process. But we couldn’t do our jobs without it.
We also leverage human sources where appropriate, who can provide key insights into our adversaries’ actions, plans, and intentions. And, vitally, we maintain capabilities that come from partnerships in the U.S. government, across America, and around the world.
We have a strong cyber presence both domestically and overseas. In each of our 56 field offices we’ve got cyber squads enhanced by interagency partners who collaborate with us on investigations. We can be quickly on site at dozens of locations at the same time, with agents and other technical experts trained to investigate cyber incidents. Having that presence all across the country means that businesses have local FBI points of contact close by in the event of an incident.
And because the cyber threat has no borders, we’ve got to maintain a global reach. We now have FBI cyber assistant legal attachés stationed in many key embassies around the world. They’ve helped build coalitions of like-minded countries to stand with the U.S. against our adversaries. And they facilitate the law enforcement and intelligence sharing essential to countering actors who almost invariably employ foreign infrastructure—from servers to money mules and payment firms to darkweb hacking tool providers—in their attacks. Our overseas cyber ALATs are also central to the disruptions our investigations enable. When there’s a botnet to be taken down, tackling just the domestic parts of it is typically not going to work.
We need to coordinate closely with international partners, right down to tightly-coordinated execution of seizures, searches, and arrests, so that instead of capturing a single criminal, we’re taking down an entire enterprise. And that takes people on the ground, people who increasingly have their own desk at our foreign partner agencies.
We’ve also got a Cyber Action Team, an elite, rapid response force—the best of the best. They’ve deployed to more than 80 major incidents here and abroad over the past several years.
But the cyber threats are invariably multi-disciplinary. So we’re leveraging our decades of experience across the Bureau on lots of related fronts, for example, our Counterintelligence Division, the experts in combating foreign intelligence threats on U.S. soil. We benefit greatly from our ability to look at nation-state cyber threats as part of a broader counterintelligence threat. Our Counterterrorism Division, helping us anticipate how terrorists might develop the skills and plans to harm us virtually—away from the battlefield. And our Criminal Investigative Division, working to stop massive online criminal schemes that threaten ordinary Americans’ life savings, and our companies’ success—and in some cases, those companies’ very existence.
But what does it really mean to impose risks and consequences, and how do we do it?
For a long time, we’ve been focused on indicting and arresting cyber actors. And sometimes that’s the best choice. Because we’ve got to hold criminals accountable, no matter where they are. There are those who say, well, you’ll never get your hands on bad guys in China, Russia, or Iran, for example. To which I say, don’t be so sure—maybe not today. But one day, they slip up, and we’re there. We’re not going anywhere—the FBI’s got a broad reach and an even longer memory.
The headlines speak for themselves. There are an awful lot of cyber criminals now in prison because of our work and that of our DOJ partners. And many of those criminals were confident they were safe – right up until the cuffs went on.
There are also indicted cyber criminals who have so far avoided prison, but are now exposed, a lot less employable than they were when they were in the shadows, and now serving as living warnings to the next wave of hackers of the costs you risk when you violate our laws.
But as powerful a tool as indictments are, we have many others in our arsenal. What if the hackers are in China or Russia, where they’re not being arrested, but are trying to sell stolen data? Our Treasury Department may be able to sanction them, or the companies we find using the stolen IP, or the cryptocurrency exchanges moving their money. But first, we need to show who’s actually responsible for the criminal conduct. FBI investigations inform the broader government’s assessment of where sanctions can be effective, and provide a factual basis for leveling those sanctions.
But we don’t stop there, because the threat keeps growing. So we’re continually asking ourselves what more we can do. Can we leverage the FBI’s unique intelligence, along with our USIC partners, to go on offense? Can we provide the evidence we obtain through our investigations to our foreign partners to help them arrest those bad guys we might not be able to reach ourselves?
To understand the FBI’s role in the cyber ecosystem, you have to always keep partnership in the front of your mind. We sit operationally at the intersection of DHS and CISA, on the one hand, and our partners in the intelligence community and the DOD, on the other hand.
To put it in simple terms, DHS and CISA focus on prevention and remediation. That often demands threat intelligence—to know what tools the bad guys are developing, what IP addresses and domains they’re using, who else they’ve been targeting. The intelligence community and those in the military—including U.S. Cyber Command—focus on overseas angles. In that world we can take the insight of the U.S. intelligence community and our security partners abroad, and combine that with an ability to work with foreign law enforcement and prosecutors—the people who arrest hackers, seize criminal infrastructure, and provide evidence for our own prosecutions.
We sit right in the middle of this ecosystem, because of our cross-cutting law enforcement and national security authorities. And that gives us a deep knowledge of the threats, and, with our partners, a wide range of options to choose the best weapon available.
The 2018 SamSam Ransomware indictment is a good example of how we do this. SamSam was sophisticated malicious software used to hack into the networks of hospitals, schools, companies, government agencies, and a number of other entities, and to encrypt their computers. There were more than 200 victims—including the City of Atlanta, the Port of San Diego, and MedStar Health.
To identify the actors, we needed more than just our own intelligence. We needed information from victims across the country, and intelligence and investigative information from foreign partners and private sector entities who were also tracking SamSam. With all those pieces of the puzzle, we were able to attribute the attack to two Iranians.
More puzzle pieces helped us determine the actors were working for personal profit, rather than on behalf of the Iranian government. DOJ unsealed an indictment in November 2018. And the investigation also enabled the Treasury Department to issue sanctions against two bitcoin exchangers, and for the first time warn the private sector about some of the criminals’ virtual currency addresses.
Since the indictment and sanctions, we haven’t seen any SamSam activity. Partnerships are what made all of this possible.
The head of our Cyber Division, Matt Gorham, likes to say that cyber is the ultimate team sport. Matt uses a great analogy to describe it. Cyber is like a tapestry. Each agency is an independent—but also interdependent—thread in that tapestry. Each thread is formidable on its own. But together, we make up a strong, interwoven fabric—far stronger than any single thread. And when you weave in the threads of our foreign partners, the private sector, and academia, that fabric becomes unbreakable.
Working with Victims
Given the esteemed private sector audience we have here today, I don’t want to pass up the opportunity to say a few words about how we work with victims and potential victims. The recognition that we have to fight these problems as a team is central to how we work with the private sector—from companies of all sizes, to universities, to NGOs.
Our folks are working their tails off every day to find and stop the criminals and nation-state adversaries targeting our companies and institutions. But we and our U.S. and foreign government partners can’t do it on our own. This fight requires a whole-of-society approach—government and the private sector, working together. That’s why agents in every single FBI field office spend a huge amount of time going out to companies and universities in their area, establishing relationships before there’s a problem, and providing threat intelligence to help prepare defenses. That can be as specific as warning a company that we see hackers, right now, preparing to compromise their network, and letting our contacts at the company know that if they were trying to decide the best time to update their system patches, we would suggest “today.”
We get threat information to affected companies as fast as we possibly can. That includes information we’ve obtained from sensitive sources. We might not be able to tell you precisely how we knew you were in trouble—but we can usually find a way to tell you what you need to know to prepare for, or stop, an attack.
We don’t always get there as quickly as we’d like. The flood of cyber intrusions and attacks is unrelenting. But we’re doing everything possible to get timely, actionable, and relevant information to you as fast as we can. And we find that having a pre-existing relationship with company or university leadership invariably helps us do that faster.
For private sector leaders, talking with us before a problem strikes helps you understand how we operate—how we protect information provided by victims who are often embroiled in difficulties on many fronts in the wake of a major intrusion. And how we can help—regulators like the FTC, SEC, and state AGs often want to know whether a company is cooperating with law enforcement, and if a company asks us to, we’re happy to flag its assistance in our efforts.
Ideally, we can create a flow of information that runs both ways, so we can get helpful information, too. We may come to you knowing one IP address used to attack you, but not another; if you tell us about the second one, not only can we do more to help you, maybe we can stop the next attack, as well.
Since coming back to government, I’ve been encouraged by how much more energy and enthusiasm today’s FBI places on partnerships with other law enforcement agencies, here and abroad, and in particular with the business and academic communities.
You may have heard what former Defense Secretary Mattis used to say about the Marine Corps—there’s “no better friend, no worse enemy” than the U.S. Marines. We have that same mentality in the FBI—people should be able to say “there’s no better partner” than the FBI. We want that to be the case for all our partners—especially those counting on us to help protect them.
When thinking about cybersecurity, people often focus on tech fixes. But our experience shows that the human factor is equally important—and that trust built over time is key to effective information-sharing between government and industry. Let me give you an example of the good that can come from cooperating and building a relationship with the Bureau before the storm hits, and the good that comes from looping us in quickly.
You’re probably aware of the intrusion that Capital One suffered not long ago. No company wants to go through something like that. The good news is, Capital One had already built a strong relationship with the FBI over the course of several years. Because of that relationship, they promptly reported the intrusion to us. Their transparency and cooperation, along with our investigative work, led to the suspect being taken into custody and the stolen data being secured less than two weeks from the time Capital One became aware of the breach.
Think about what would’ve happened if they hadn’t reported it to us right away. The suspect could still be hacking into networks illegally. And terabytes of sensitive data belonging to the victims might never have been secured. Who knows where all that sensitive data would be now?
I also want to make sure people understand that our work in the cyber realm is about more than just big, publicly-traded corporations. We’re here to help the Capital Ones of the world, but we also want to help everyday citizens—and everyone in between.
I’m really proud of the work of our Recovery Asset Team. As Joe mentioned a bit ago, it’s now part of our Cyber Division’s Internet Crime Complaint Center, or IC3, after being initially developed right here in Boston. A great example of the kind of innovation I want to turn to in a minute.
The Recovery Asset Team—with the unfortunate acronym of RAT—helps victims of business email compromise or email account compromise who lose money due to fraudulent wire transfers. Since that team was created in February 2018, they’ve recovered more than $512 million—a 78% recovery rate. But those figures only tell part of the story about the actual impact. Let me give you a couple of examples.
In 2019, a small city in Alaska made multiple vendor payments to fraudulent accounts over the course of a few months. Our Recovery Asset Team worked with the bank to recover $2.6 million. That loss, for a municipality that size, would have bankrupted it.
On the other end of the spectrum, an individual who was closing on a house wired $56,000 to a fraudulent account, after receiving a spoofed e-mail from someone she thought was her lending agent. Our Recovery Asset Team worked with the bank’s fraud department to freeze the funds—which were part of the victim’s inheritance when her mother died. Our getting the money back for her is what made it possible for her to purchase her home.
Those are just two cases out of hundreds, but they illustrate my point. Whether you’re the corporate victim of a massive data breach or your personal life’s been turned upside down by fraud, we’re here for you. The reality is that the threats we face today are too diverse, too dangerous, and too all-encompassing for any of us to tackle alone. We’ve got to figure out how we can match strengths—so that our two plus your two equals not just four, but five or six or seven. That’s the essence of the most effective partnerships.
Earlier I mentioned that I’ve been on a pilgrimage to every FBI field office over the past two years, many of them now more than once. One of the main topics I’ve been talking about in those visits is innovation.
An audience like this recognizes that the old approach of tackling the cyber threat one case at a time isn’t going to work. As soon as we find and stop one cyber criminal, another one pops up. So with threats like ransomware and business email compromise increasingly rampant, we’re taking an enterprise approach. We don’t want to just keep the cyber criminals at bay, we want to burn down their infrastructure.
Instead of Whack-a-Mole, think of it more like Carl the groundskeeper versus the gopher in the classic movie Caddyshack. I know I’m dating myself here. No, we’re not going after cyber criminals with plastic explosives, like Carl. But we’re working to get to the root of the operation, to take down their ability to act. And that requires creative thinking. For example, when we see criminals leasing malware as a service, we target the bottleneck—the service providers, the darkweb sites that host malware and hacking support, the payment services that enable criminal customers and criminal service providers to make a deal.
The urgency of our mission keeps us laser-focused on our day-to-day work of keeping people safe. After all, we’re investigators, we’re operational, we have to live in the world of today—for good reason. But we are also working hard to position the FBI to meet this threat five years down the road, 10 years, 20 years—long after I’m out of this role.
We’ve got to keep finding new ways to be more efficient, more nimble, more agile, more resilient. We’ve got to keep making sure we’re leaving the FBI even better, even more formidable than we found it. Not just technological innovation, but also things like process improvements, new strategies, and new ways to work together. Thinking outside of the box. Inside the rules, but outside of the box.
Innovation has always been a big part of who we are at the FBI. Things like the FBI Lab, our cyber assistant legal attachés abroad, or our Joint Terrorism Task Forces—these may seem like old news to us now, but they were really innovative when they were created, and they set the gold standard for law enforcement. So we take a lot of inspiration from our history.
Over 111 years, we’ve built a track record of pivoting to counter each new, dangerous threat to the American people, like when we changed gears in our fight against terrorism after 9/11. Among other benefits, that history helps us find and hire the kind of independent-thinking, hard-charging, creative people that keep pushing us forward. And it gives us an edge against our adversaries in the cyber world.
* * *
I know I’ve talked for a long time, but I still only covered a fraction of what the FBI has to offer as we work to counter the cyber threat from both criminals and dangerous nation-states.
I know there are some students in the audience, and I wouldn’t be doing my job if I didn’t mention what an incredible place the FBI is to work. There’s nothing more fulfilling than helping and protecting people.
But don’t take it from me at the podium—just look at our workforce. It’s hard to get a job at the FBI—our application rates are through the roof these days. Last year, three times as many Americans applied for agent positions as in any of the several preceding years—and it’s not just agents. Even our intern applications are surging, despite a strong economy.
And when people succeed in joining, they stay. Last year our agent attrition rate was 0.5%—and it’s down again this year. The people who join us become addicted to our mission.
There aren’t many places where you get to do work as important as what our people are doing, day in and day out. So if our mission to protect the American people and uphold the Constitution appeals to you, please consider joining us. You won’t regret it.
Thank you for being here; I hope you find the conference enlightening and useful.