The FBI and the Private Sector: Battling the Cyber Threat Together
Remarks prepared for delivery.
Good afternoon—or morning or evening depending on where you’re joining from. I first spoke at this conference in 2018, only a few months into my tenure at the FBI. I gave my perspective as the new guy on the block, noting how profoundly cyber had evolved since I was last in government in 2005.
While cyber was certainly an issue all those years ago, both for the FBI and the Justice Department, it wasn’t remotely dominating conversations the way it is today. What was once a minor threat—that often consisted of young people hacking for fun or bragging rights—had, by the time I returned to government, evolved into full-blown economic espionage and lucrative cyber crime.
I said to this group then that the threat was now coming at us from all sides. And that part certainly hasn’t changed. But I’m struck by how much has changed just from 2018 to today—at how a fast-moving threat has also been a fast-evolving one.
We’ve seen criminal actors maximize the harm they cause to victims, leveraging a whole underground economy to take full advantage of criminal groups’ most skilled hackers. For example, by outsourcing victim communications and ransom collection to less technically-sophisticated actors, and by combining data theft and ransomware to get the most out of each successful intrusion.
We’ve seen criminal hackers exploit techniques pioneered by nation-state hackers, like compromising managed service providers to access the networks of potentially hundreds of victims through a single intrusion.
And this past year, we’ve seen both nation-state and criminal hackers shifting to target the most vulnerable in our society, like victims searching for PPE, or awaiting stimulus checks.
But just as the threat has changed over the past few years, so has our approach. We’ve evolved our cyber strategy at the Bureau, and that’s what I want to talk to you about today. I also want to highlight the continued importance of working together – government and private sector alike – to tackle the cyber threat. Then I’m looking forward to a conversation that dives deeper into some of these topics. But first, let me tell you about our strategy.
New Cyber Strategy
At the FBI, we’ve been fighting the cyber threat for many years now. We began our early high-tech crime effort in the mid-1990s, and created our Cyber Division almost 20 years ago, in 2002. We’ve become known for our efforts to call out destabilizing and damaging cyber activity by nation-state actors, like the indictment last summer of two hackers working on behalf of the Chinese Ministry of State Security, stealing intellectual property from companies in the U.S. and around the world while also targeting dissidents who spoke out against the Communist Party. And the charges we announced last fall against the Russian intelligence officers behind the most destructive cyber campaign ever perpetrated by a single group, including the NotPetya and Black Energy attacks.
But we’re also focused on the threat posed by cyber criminals. Schemes like ransomware have caused disruption and financial loss for many years, but today they’ve escalated to a whole new level—shutting down schools, interrupting key government services, crippling hospitals, and threatening critical infrastructure.
We’ve put our new cyber strategy in place to stay ahead of this ever-evolving threat landscape. Our goal is to impose risk and consequences on bad actors in cyberspace—whoever and wherever they are. We want to make it harder and more painful for hackers and criminals to do harm. And the way we’re doing that is by leveraging our unique authorities, our world-class capabilities, and our enduring partnerships—and using all three in service to the larger cyber community.
It’s a shift in mindset, focused on impact. We’ve got to change the cost-benefit calculus of both criminals and nation-states who believe they can compromise U.S. networks, steal U.S. financial and intellectual property, and put our critical infrastructure at risk—all without incurring any risk themselves.
Our sharpened focus on leveraging our partnerships is key. We might forgo a law enforcement action, like an arrest or an indictment, if we can hit the threat harder another way. Information from our investigations gives Treasury officials the means to cut criminals off from the global financial system. It gives our global law enforcement partners the means to seize malicious infrastructure, and locate and arrest criminals hiding over in their jurisdictions. And, vitally, that information arms private sector network defenders around the world with technical indicators they need to protect their companies, as well as the ability to shut down criminal infrastructure and kick bad guys off their platforms and networks.
It doesn’t matter whose action leads to that impact. What matters is that we’re working together to ensure safety, security, and confidence, for all of us, in our digitally connected world.
Focus on Partnerships
The best way to understand our commitment to working through partners is to look at the institutions we’ve built to drive that cooperation. We’ve created unique hubs where members of the cyber community can work alongside each other and build long-term relationships. We’re working to build an atmosphere of trust and collaboration, the kind that only comes from sitting across the table from someone you know and really hashing things out.
Within government, that hub is the National Cyber Investigative Joint Task Force, the NCIJTF. Led by the FBI, the NCIJTF includes more than 30 co-located agencies from the Intelligence Community and law enforcement. We’ve pushed a significant amount of our own operational and analytical capabilities into the NCIJTF to strengthen its role as a core element of this nation’s cyber strategy. And last year we invited senior executives from other agencies to lead new threat-focused mission centers there. We also refocused the NCIJTF itself, so that it now coordinates multi-agency campaigns to combat the most significant cyber threats and adversaries.
But we know that government can’t do it alone. This fight requires a whole-of-society approach—government and the private sector, working together against threats to our national security and our economic security.
That’s why we’re co-located with partners in industry, academia, and the financial sector as part of the National Cyber-Forensics and Training Alliance in both Pittsburgh and New York City—not just sharing between government and private sectors, but helping our private sector partners share among themselves, too.
It’s why we created another hub to work with and facilitate cybersecurity collaboration among the defense industry, the National Defense Cyber Alliance, where experts from the FBI and cleared defense contractors sit together, sharing intelligence in real time. And it’s why agents in every single FBI field office now spend a huge amount of time going out to companies and universities in their area, establishing relationships before there’s a problem, and providing threat intelligence to help prepare defenses.
That includes information we’ve obtained from sensitive sources. Now, I’m sure you can appreciate there are times when we can’t share as much as we’d like to, but we’re working to get better and smarter about that, too. We might not be able to tell you precisely how we knew you were in trouble. But we can usually find a way to tell you what you need to know to prepare for, or stop, an attack.
And having a pre-existing relationship with a company or university invariably helps us do that faster. Talking with us before a problem strikes helps you understand how we actually operate, how we protect information provided by victims who face challenges on a whole bunch of fronts in the wake of a major intrusion, and how we work hard not to disrupt their operations. That kind of information is a lot easier to digest when things are calm, rather than in the midst of a crisis. It helps you better understand how we can help. For example, victims often ask us to flag their assistance for regulators like the FTC, the SEC, and state AGs, and when asked we’re happy to do so.
Ideally, we can create a flow of information that runs both ways, so we can get helpful information from you, too. We may come to a victim knowing one IP address used to attack them, but not another. If they tell us about the second one, not only can we do more to help them, but we may be able to stop the next attack, too. And we’re committed to giving you feedback on what you share with us.
We’re in this together, with all our partners. We all face the same dangers, and we won’t make any headway if we’re each off doing our own thing, instead of working in unison.
Our Unique Capabilities
Just as important as our commitment to partnership is what we bring to those who work with us. Given the gravity of the cyber threats we face, the government employs a whole ecosystem against them. And at the FBI, we play a central, core role in that ecosystem because we offer an unmatched range of abilities.
The FBI is both a law enforcement agency and an intelligence agency – with the range of authorities, capabilities, and relationships to match. Within the U.S. cyber ecosystem, the FBI uses our dual role to focus on threats. Not just investigating discrete incidents, but making it our business to understand who and where our cyber adversaries are, how they operate, and how we can weaken them.
We’re collecting and sharing intelligence from an enormous range of sources, to create opportunities for our domestic and international partners, making the most of our strong presence here at home and abroad.
We’ve got cyber squads with interagency partners in every FBI field office, and cyber agents in embassies around the world, working with both foreign law enforcement and intelligence services.
We’ve got a rapid-response force, our Cyber Action Team, ready to respond to major incidents anywhere, anytime.
And we’re leveraging our decades of experience across the FBI. For example, our Counterintelligence Division is filled with experts in combating a wide range of foreign intelligence threats on U.S. soil. Our Counterterrorism Division helps us anticipate how terrorists might develop the skills and plans to harm us virtually. And our Criminal Investigative Division helps us stop massive online criminal schemes and syndicates.
We’re taking all these tools and bringing them to the table to share, because a win for you is a win for us. And anything we can do—together—to put the bad guys on their heels is a victory.
Battling the Threat, Together
With all that in mind, I’d like to illustrate what our strategy looks like in practice, and how we’re attacking some of the most dangerous threats on the cyber front.
Against the cyber criminal threat, just in the last 36 hours, we and our international partners announced coordinated disruptions of the vast Emotet criminal botnet. As many of you know, Emotet has for years enabled criminals to push additional malware onto victim networks in critical sectors like healthcare, e-commerce, technology, and government. Emotet is one of the longest running and most pervasive malware delivery services out there. And even more dangerous than that suggests, because it frequently opens the door to the TrickBot Trojan, Ryuk ransomware, and the financial and operational devastation those tools increasingly cause together.
With Europol, national partner services across Europe, and a number of providers, we used the detailed technical information obtained through our investigation to interrupt the botnet administrators’ control of their own servers. Applying lessons learned from disruptions of earlier botnets, we broke the server control chain at multiple levels—making it harder and slower for the botnet administrators to regain control. It’s the kind of disruption that demands cooperation—Emotet, like other major ransomware threats, spans the globe—and one with immediate, significant benefits for our whole community.
To take another example, the blended threat of state-sponsored economic espionage facilitated by cyber intrusions continues to grow. And we’re deploying our own and our partners’ tools against it, sequenced and synchronized, for maximum impact.
In September we unsealed charges against five Chinese nationals from the hacking group we call APT 41. They were targeting victim companies around the world from their safe haven in China. With our partners here and abroad, we arrested two of their co-conspirators in Malaysia, and seized or took down hundreds of the hackers’ accounts, servers, and domains. We also distributed a FLASH to our private sector and foreign partners with technical information to help detect and mitigate APT 41’s malicious activities.
On the Russia front, last year we and our partners at NSA uncovered and exposed highly sophisticated malware developed by Russian military intelligence. We used criminal process to get information that helped us better understand that malware, complementing the great work our fellow intelligence community colleagues at NSA had done. That information allowed us to release an unclassified report to warn the right people, and that public release was a painful disruption to a well-known adversary. It imposed a real cost on Russia, because they’d spent a lot of time and money developing the malware we outed.
Elsewhere on the same front, we’re working nonstop on the SolarWinds investigation through a task force, the Unified Coordination Group, with CISA and ODNI, and with support from NSA. As the lead agency for threat response, the FBI’s investigation is concentrating on identifying additional victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.
Responding to Your Needs
The way we do business today—and so many of the changes we’ve made to our strategy—are a product of our work with you. We’ve been listening to your concerns and to your suggestions, and we’ve taken them to heart. We’ve shifted the way we think and the way we operate so that we can make a more significant impact on our adversaries. We’ve taken steps to work better with our partners at every level. From vastly increasing our information sharing with the private sector, to being as unobtrusive as possible when we come out to work with a company, to placing some of our cyber agents at desks right next to their foreign counterparts to make it even easier to collaborate.
We’ve been listening to what our partners say they need and focusing more on meeting those needs, and all those efforts are paying off. But where do we go from here?
What can we do this year so that when I come back to Fordham again, I can talk about the next evolution in our work with you? That back-and-forth starts with building those before-the-storm relationships with us that I talked about earlier. Any suggestions you have for us will help us be a better partner to you, and to who knows how many others out there who might appreciate the same improvement.
We’ve got to keep improving our understanding of where we’re each coming from. The U.S. government learned after 9/11 that we had no choice but to work together. The threat posed by international terrorist organizations was so large and looming that we had to combine all our resources, our experiences, and our tools.
The same is true of the cyber threat. We knew the government had to do a better job of working together—and we are. Now we have to focus our efforts at working better with you in the private sector, every single day. And that’s one of my top priorities.
You may have heard what former Defense Secretary Mattis used to say about the Marine Corps—there’s “no better friend, no worse enemy” than the U.S. Marines. We’ve adopted a similar mentality. People should be able to say “there’s no better partner” than the FBI. We want that to be the case for all our partners—especially those counting on us to help protect them. We want you to turn to us because there’s no better partner in this common fight.
Thanks for taking the time to hear from me today.