Working with Our Private Sector Partners to Combat the Cyber Threat
Remarks as delivered.
Thanks, Barbara, for hosting me today. And my thanks to all of you for joining us. I know we’ve all just about had it with virtual meetings these days, but I’m glad today’s makes it possible for me to talk safely with so many business leaders at a single time.
Partnership with you and your peers has become an increasingly key part of how the Bureau operates. That’s why we now have a dedicated, headquarters Office of Private Sector; private sector coordinators in every field office across the country; and maybe most important, teams in operational divisions like Counterintelligence and Cyber thinking constantly about how to protect and work with industry on the specific threats they counter.
I’m hoping we’ll get into the broader national security landscape during our discussions today, but for my opening remarks, I’d like to talk to you about how we’re tackling the cyber threat. And not just because October is Cybersecurity Awareness Month, because at the FBI, every month is Cybersecurity Awareness Month.
Today, I want to talk about how we’re seeing the cyber threat evolve, and about the new approaches we’re taking to address it. I also want to discuss how essential it is for the FBI to work together with you, as partners, to combat the threat. And finally, I’d like to highlight some things you can do to protect your businesses.
Cyber Threat Overview
Over the past decade, the general public probably didn’t spend much time thinking about cyber threats. Every year, maybe one or two major cyber incidents captured the nation’s attention.
Sure, they noticed the Russian government’s election interference in 2016 and the Chinese government’s theft of nearly 150 million Americans’ PII from Equifax in 2017. But it wasn’t until this past year’s onslaught of high-profile cyberattacks that a lot more Americans really took notice.
We saw SolarWinds supply chain attacks by the Russian foreign intelligence service, the SVR, at the end of 2020. The SVR is back in the news this week, as you know. Then, the Chinese government’s Microsoft Exchange Server intrusions were revealed in March. And between May and July, we had ransomware attacks against Colonial Pipeline, JBS Foods, and customers of managed service provider Kaseya.
And while those five were some of the highest-profile attacks, they were actually just a few among thousands of incidents targeting businesses and other victims in the U.S. and around the globe. Today’s cyber threats are more pervasive, hit a wider variety of victims, and carry the potential for greater damage than ever before.
That’s why cyber is one of the FBI’s highest priorities. And it’ll stay near the top of our list as long as nation-states and cybercriminal syndicates keep innovating.
They’re constantly developing new ways to compromise our networks and get the most reach and impact out of their operations. That includes everything from selling malware as a service, making advanced hacking software broadly available to even unsophisticated criminals, to targeting vendors, evading a company’s defenses by compromising trusted outsiders with access to its network. Even accessing scores of victims by hacking just one managed services provider with privileged access to all of them.
We track and counter literally hundreds of national security and criminal cyber threats, every day. We’re laser-focused on ransomware schemes—particularly those targeting our nation’s critical infrastructure. Not only have they wrought havoc on company operations and caused devastating financial losses, but they’ve also crippled hospital systems, targeted the energy sector, threatened emergency services, shut down local government operations, and more.
They cause real-world harm, threatening national security, our economic vitality, and public health and safety. We’re investigating over a hundred ransomware strains today, and their impact has been growing. Whether you look at our IC3 stats on company losses from ransomware, or private sector numbers on amounts paid in ransoms, it’s fair to say that the harm more or less tripled last year from the year before.
I don’t have to convince this audience that the threat from criminal ransomware groups has become severe. You know all too well. But if there’s one thing the FBI understands, it’s taking down criminal enterprises.
Our strategy centers on prevention and disruption—hitting hackers before they attack or before their intrusions can cause major harm.
To dismantle them, we’re pursuing them on three fronts. First, we’re taking aim at the actors. Working with our foreign partners, we identify who’s responsible for the most damaging ransomware schemes.
And we take a broad view. Within ransomware groups, everyone from “administrators” (despite the bland name, the skilled coders and organizers of ransomware organizations) to the “affiliates,” (ransomware-as-a-service users paying administrators for the right to use the malware) to operators of services facilitating cybercrime like cryptocurrency tumblers, bulletproof hosting providers, and others—we’re hitting them with every lawful tool available: relentlessly seeking to extradite them to the U.S. to face justice, and arming our partners in other countries with the evidence to arrest and prosecute them abroad.
Second, we target their technical infrastructure—seizing or disabling their servers, domains, botnets, disrupting their operations, raising their costs, while gleaning valuable new intelligence on their activities. Like the international operation we led against the Emotet botnet earlier this year, taking down a key facilitator of ransomware and other attacks. Third and finally, we’re going after their money.
Knowing that virtual currencies are central to ransomware, we trace many transactions back to bad actors.
Where we can, we’re also seizing the funds, like you saw us do in the Netwalker takedown, and Colonial Pipeline attack, among other publicly known examples, or shutting down illicit currency exchanges. Actors, infrastructure, and money are all important individually, but we achieve the biggest impact when we disrupt all three together.
Protecting our Innovation
As grave as the ransomware danger is, I find myself reminding folks that it’s not the only serious cyber problem out there.
We don’t have the luxury of defending only against the most immediate threat. Our economic prosperity, and our national security, depend on innovation–and there’s an unrelenting assault on those ideas. We are constantly—constantly—notifying companies of breaches we’ve discovered, by adversaries looking for valuable information and IP to steal.
Stealing from every industry you can think of. Finance, semiconductors, biotech, power, you name it.
Unlike ransomware attacks, a lot of these intrusions often go undetected for weeks or months. We put a premium on getting to victims quickly. That’s a big part of why we put so much effort into building relationships with companies nationwide.
What we’ve seen is that it takes the full range of our resources to battle the threat to innovation.
Too often, when we see a cyber threat and start digging, we find the adversary is also working with an unwitting company’s insider to target the same sensitive and proprietary information or a foreign-controlled company trying to use a corporate transaction like a joint venture to gain access.
Most of the time, that threat is coming from the Chinese government or companies under its sway. And to say they’re well-resourced is an understatement. No company is armed to defend against that kind of multi-avenue threat alone.
That’s why we’ve got to work together.
Power of Private Sector Partnerships
In fact, most of what we strive to defend lives in the private sector. Not just our innovation, but our critical infrastructure, and our personally identifiable information are all with you.
So that’s where our adversaries strike and where the intelligence we need comes from. And that’s why we need the benefit of your insight, knowledge, and experience.
We’ve got to work against the threats affecting you together, and we’re open to being educated about the way that you see them. But information-sharing works best when it’s a two-way street.
So we’re just as eager to share with you what we’re seeing—indicators of compromise, tactics being used by cybercriminals, and strategic threat information.
That intelligence takes a variety of forms, from bulletins we share throughout the private sector to the thousands of one-on-one notifications we make to individual businesses.
Combining our intelligence with what you’re seeing puts you in a better security posture before an incident occurs. And when we share indicators with you and then you share what you find with us, we can do more work with that information and provide the results back to you again. We can create a virtuous cycle that makes us all stronger.
What Businesses Can Do
So I’ve talked a bit about the threat and your role in helping us combat it. I’ve also got a couple of suggestions for how you can protect your own companies.
First, it's vital to defend in depth. Think about it less as defending your network’s perimeter, and more as knowing what lies within and what’s most important to protect.
The days of hoping you can rely on building a high wall to keep intruders out are over. We do need high walls, but also to be constantly looking inward to scan for anyone who made it over or under them. Fortunately, companies have never had so many resources at their disposal, like mitigation and cybersecurity firms, to help do that.
Second, I know many of you have already developed partnerships with your local FBI field office. I want to ask that you continue building those relationships with the Bureau, and do so before a crisis strikes. Don’t wait.
One way you can do that is by partnering with our New York Field Office. You can also join the national institutions we’ve built up to make sharing more automatic
For example, we’re now co-located with U.S. and international partners in industry, academia, and the financial sector as part of the National Cyber-Forensics and Training Alliance, both here in New York and in Pittsburgh.
When you already know your FBI partners before the storm hits, you go in already understanding how we can help. How especially when we can start investigating right away, we can help stop the bleeding and enable faster remediation with our knowledge of actors’ techniques, their malware, and what they’ve done to other victims in the past.
It also ensures you understand how we actually operate, and sometimes just as important, how we don’t.
For example, we might not be able to tell you how we learned what we know, but we can usually get you what you need for action, and we’ll show the same sensitivity and circumspection with information you give us.
We’re not going to be descending on you in cyber raid jackets. We’ve even had companies out West ask us to show up in hoodies to blend in– and that’s just fine.
We’re not looking to vacuum up mass quantities of your information, and we’re not asking you for information so we can turn around and share it with regulators looking into the adequacy of your cybersecurity after a breach.
Our investigators are laser-focused on the bad guys. We’re looking for technical evidence so we can find those responsible, and work with our partners to disrupt their activity. Indeed, we’re often coming back to the private sector for help with those disruptions, too.
Like the Microsoft Exchange operation we led, combining our authorities and our relationships with Microsoft and other industry partners to slam shut back doors that Chinese-government hackers had propped open to the networks of hundreds of companies across America.
But we can only hit back against attacks we know about.
With more than 113 years in the business, the FBI’s earned its reputation as the world’s premier investigative agency. But even we can’t tackle this threat alone. We’re up against some daunting threats posed by nation-states, cybercriminals, and toxic combinations of the two. And we can only prevail with the help of our partners throughout the private sector—you.
Thanks for joining me today.
I look forward to continuing this discussion with Barbara and with all of you.