The Lawfare Podcast: How the FBI is Combating Cyberattacks, with Brett Leatherman

Natalie K. Orpett, Brandon L. Van Grack, Brett Leatherman, Jen Patja
Thursday, March 28, 2024, 8:00 AM
Discussing the cyber threat to national security

Published by The Lawfare Institute
in Cooperation With
Brookings

One of the gravest threats to U.S. national security today—and also one of the newest—is the risk of cyberattacks. They come in many forms, and they can incapacitate companies, institutions, and even the government. 

To better understand these threats—and how the government is responding to them­—Lawfare Executive Editor Natalie Orpett and Lawfare Contributing Editor Brandon Van Grack sat down with Brett Leatherman, Deputy Assistant Director for Cyber Operations at the FBI. They discussed the FBI's recent operations, threats from both state actors and criminal gangs, and the role of the private sector in U.S. cybersecurity.

This is the latest episode in our special series, “The Regulators,” co-sponsored with Morrison Foerster, in which we talk with senior government officials working at the front lines of U.S. national security policy.

Transcript

[Audio Excerpt]

Brett Leatherman

But we also want to acknowledge publicly what is happening so the public understands the impact of these hacking campaigns, both to our economy, but also to the lives of people who are being hacked into because of their First Amendment rights to say what they want to say here in the United States in speaking out against another government. And so it's important for us to acknowledge that publicly, and it serves as a deterrent to other actors who may be involved in similar activity, hacking United States companies and individuals, in understanding that the U.S. government has tremendous attribution power through authorities and that we can pursue indictments against individuals, even those associated with a foreign nation state when they engage in this activity against U.S. equities.

[Main Podcast]

Natalie Orpett

I'm Natalie Orpett, Executive Editor of Lawfare, and this is the Lawfare Podcast, March 28th, 2024. One of the gravest threats to U.S. national security today, and also one of the newest, is the risk of cyberattacks. They come in many forms, and they can incapacitate companies, institutions, and even the government. To better understand these threats, and how the government is responding to them, Lawfare Contributing Editor Brandon Van Grack and I sat down with Brett Leatherman, Deputy Assistant Director for Cyber Operations at the FBI. We discussed the FBI's recent operations, threats from both state actors and criminal gangs, and the role of the private sector in U.S. cybersecurity. This is the latest episode in our special series, The Regulators, co-sponsored with Morrison Foerster, in which we talk with senior government officials working at the front lines of U.S. national security policy.

It's the Lawfare Podcast, March 28th, 2024: How The FBI Is Combating Cyberattacks with Brett Leatherman.

Brandon Van Grack

Here at The Regulators, where we focus on national and economic security, we really can't talk about those topics without having a robust discussion about cybersecurity. And everyone, and I think truly everyone, accepts that cybersecurity is an issue that affects national security, cybersecurity.

But not everyone fully understands and, dare I say, appreciates, all that the FBI and the intelligence community and others in the government are doing to address it. And that's why we're so thrilled, Brett, to have you on The Regulators as one of the FBI's senior officials really leading cyber operations.

And at the outset, before we jump in, I will provide the major qualifier that the FBI is not a regulator. This is not our program jumping the shark, really, into very new into our program, but actually reflective of the fact that how important cybersecurity is, and the FBI is. Really, the FBI works with just about every regulator in this space. It's also, when you talk about cybersecurity, an area that's ripe for regulation. And in fact, we'll talk a little bit about some of the different entities that are, in fact, regulating in this space. And then on top of that, there's so much engagement that you all have with the private sector in the space.

And so, with that qualifier, which you can add to and enhance, Brett, I’m wondering if you can actually start off by giving us some background in terms of how you found yourself into cyber operations.

Brett Leatherman

Yeah, thanks, Brandon, and thank you, Brandon and Natalie, for having me on. Yeah, my background, actually my undergrad was in business administration and computer information systems. I have a graduate degree in cybersecurity and worked before the Bureau in the cyber discipline, so I guess my training and background, I've got a cyber background. And I was recruited into the FBI post-9/11 based on that cyber background. The Bureau recognized this shift by all actors--terrorists, criminals, spies and others--to shift to these digital platforms. The Bureau recognized a need for technical personnel to investigate and work these complex matters.

And so, in 2001 of course, the 9/11 attacks happened. My wife and I lost a close friend from high school in the 9/11 attacks. And that was the catalyst for me saying, all right, what can I do different? How can I serve my country in a different way? How can I make a difference in preventing these kinds of things from happening in the future? And that was a catalyst to me joining the FBI. I entered on duty in 2003. And it has been 20 years of just excitement and a job that you'll never get to experience anywhere else. Just every day is something different and I've had the opportunity to work or manage work in every FBI discipline, be it counterterrorism, counterintelligence, cyber, criminal investigations, undercover operations.

And really, cyber underpins all of those. And like you said, it is both a means by which criminals extort money from businesses or individuals. They monetize that cyber activity, but then we also have nation states engaged in tremendous hacking campaigns against U.S. government and private sector entities, which is a risk to U.S. national security. And that's part of the FBI's mission, is to both prevent and impose costs on those actors for engaging in those hacking campaigns.

Brandon Van Grack

And so I'm wondering if you could also educate our listeners on what the Cyber Operations branch is and what it does.

Brett Leatherman

Yeah, so the Cyber Operations branch, those are my teams, deal with both criminal and nation state hacking. So the FBI is both a criminal investigative agency. Under criminal statute, we conduct investigations related to computer intrusions, obviously illegal activity under federal law. And so, those are primarily criminal actors, ransomware groups, online extortion groups. But then we are also a member of the U.S. intelligence community. And those are our national security teams who conduct investigative work against the major threat countries out there.

And so, the Cyber Operations branch encompasses both of those--the teams that look at criminal investigation, the teams that look at national security investigations, the teams that actually do the arrests of individuals domestically or overseas, as well as work with the intel community to impose cost on nation states and others for engaging in this hacking activity. And we also have within the branch the National Cyber Investigative Joint Task Force, or NCIJTF, which is the U.S. government's investigative task force with over 40 agencies co-located together to bring an all-of-government approach against these actors who are engaged in this hacking activity.

Brandon Van Grack

I want to spend a moment talking about really the operations side of this, and a point that you raised, because I think when you talk about the FBI and its role with respect to cyber operations, I do think it's right to start with 9/11 and terrorism. Because I think there's really an analogy there in terms of seeing the pivot of the FBI to addressing counterterrorism, its development, and I think really, and you would be more of an authority than I would, seeing about a decade ago, a similar pivot with respect to cyber and cyber operations, which is why here at The Regulators, we wanted to spend some time, in fact, talking about some of those cyber operations. And I think before we jump into them, I'm just curious in terms of your own view in terms of that evolution.

Brett Leatherman

Yeah, it's been tremendous. Over 110 years ago, the FBI was founded, and we were founded to conduct criminal investigations, but we have evolved. Our authorities and capabilities have evolved over time if you look at going through World War I and World War II and developing some counterintelligence authorities as a result of those wars and looking at the U.S. national security landscape there. Certainly investigating criminal enterprises, the gangster era and being able to go across state lines where some local PDs lack the authorities or capabilities to do that and pursue adversaries across the country, the long arm of the law, if you will. And then going into 9/11, really becoming the nation's domestic intelligence service to prevent terrorist attacks from occurring here in the homeland. And as you indicated, about 10 years ago or so, pivoting into the cyber realm, and taking that status as the nation's domestic law enforcement and intelligence service. In fact, Presidential Policy Directive 41 designates the FBI as the lead threat response agency for cyberattacks for the United States government.

And so, the teams in the Cyber Operations branch in the cyber division and throughout our fifty-six field offices around the country, as well as our embassies around the globe, we have personnel dedicated to that mission and doing the best we can to pressure the adversary and, similar to terrorism as a result of 9/11, to keep the attacks off the homeland the best we can, to defend forward, which is a military doctrine, to defend forward and to fight those fights in the virtual battlefield in an attempt to better prevent and detect the adversary early on domestically.

Natalie Orpett

So it's a tremendous amount of capabilities that you've mentioned, a lot of people doing a lot of things and working really across agencies and across the government. I think it would be useful to ground the conversation now in some of the specific types of threats that you all are dealing with on a day-to-day basis. So, of course, when we say cybersecurity, it is quite a large umbrella term that encompasses a lot of things. So, we thought about a couple of significant issues that you all are dealing with that have really made the news of late: critical infrastructure, ransomware, malware, and the role of the private sector. So we wanted to tick through each of those and get your sense of, just an explanation, of really what the threat is as you understand it, and what you all are doing to respond. So if we could get started with critical infrastructure, I think this is an issue that came to people's consciousness really only a year or two ago as a major threat. It's not necessarily intuitive that people working behind a computer keyboard are going to be able to affect pipelines, for example. So tell us about what the threat is to critical infrastructure, even the basics, how do we define what critical infrastructure is and what are the kinds of vulnerabilities that are being exposed?

Brett Leatherman

Yeah, that's a great question. And so critical infrastructure really is defined through sector-specific agencies within the Department of Homeland Security. Think, like you mentioned, pipelines, telecommunications, healthcare, and what we see is a combined threat environment against critical infrastructure. And what I mean by that is we see criminal actors targeting critical infrastructure in order to monetize that activity. Think ransomware, right? We've seen a tremendous amount of ransomware attacks, go back to Colonial Pipeline. And there's an urgency sometimes within critical infrastructure to make payments to get potentially lifesaving or economically vibrant efforts back underway post-ransomware breach. And so, certainly the criminal threat is what we see as a tactical threat, meaning it's here and now. We see that.

The more strategic threat is the national security threat. That national security threat to critical infrastructure and to the economy, I think, is an existential risk to the United States' standing as a world superpower because this is what we're measuring in years, right? Some countries have 20-, 25-, 50-year plans in place to dominate as a world superpower and part of their efforts involve diminishing the United States' standing as a world superpower. And so recently, for example, on the national security side, the FBI and our partners engaged in an operation against Volt Typhoon actors, and Volt Typhoon is associated with the Chinese Communist Party. And that was an effort by the CCP to basically pre-position malware on infrastructure in the United States, hundreds of devices compromised by the PRC, the People's Republic of China actors, with the intent of pre-positioning on critical infrastructure. And so that is a tremendous liability because if there was some red line crossed down the road, especially as it relates to potential military conflict with China, the ability for them to launch attacks on telecommunications or other infrastructure in the United States could have tremendous risk for us. And so, that is demonstrative of the risk we face in critical infrastructure.

When it comes to the actual threat countries, the Chinese hacking apparatus represents the broadest, most active, and persistent cyber threat to us today. That's what we assess. Just to give you a sense of the scale of their activity, if all the FBI's cyber agents and all the FBI cyber intelligence analysts focus solely on mitigating the threat to China, and not on ransomware, not on the threat stemming from Iran or Russia, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1. But what many Americans may not be tracking as closely is what we just talked about here, which is China's positioning of its enormous hacking enterprise. Remember 50 to 1, to give themselves the ability to physically wreak havoc on our critical infrastructure at a time of their choosing. That is a significant risk that the FBI, our partners in the intelligence community are continuing to pressure from a technical standpoint to make sure that we're defending the homeland while also informing decisionmakers on what that threat environment looks like.

Natalie Orpett

And you did, speaking of Volt Typhoon, recently have quite a big accomplishment with respect to disruption. So can you talk about what that looked like and really how it worked?

Brett Leatherman

Yeah, absolutely. So in the case of Volt Typhoon, as well as Dying Ember, I'll give you two examples here. Dying Ember, if Volt Typhoon targeted infrastructure used by the PRC actors, Dying Ember targeted infrastructure that was co-opted by the Russian GRU. The GRU is Russia's military intelligence service. So now we've got two militaries targeting United States equities. In both those cases, the FBI leveraged Rule 41 of the Federal Criminal Code that allows us to pursue search and seizure warrants under the federal courts, under the purview of the federal courts. And what that lets us do is go into these devices all at once, identify malicious code used by the adversary that is basically their tools that they use to co-opt the infrastructure, remove or render that code inoperable so that the adversary no longer has access to that infrastructure, and then build resilience, natural resilience, into those devices without modifying them, which basically closes the doors to the adversary and locks it from them getting back in there. And so in the case of Volt Typhoon, that was hundreds of devices. In the case of Dying Ember, that was thousands of devices. And what that means is those devices are no longer able to be directed at critical infrastructure, private sector companies, or anybody else as a result of that technical work.

Natalie Orpett

And what do you mean when you say devices? What are these specific devices that this malware is found on?

Brett Leatherman

Yeah, so in the case of both Dying Ember and Volt Typhoon, those are what we call "SOHO" devices or small office/home office devices. So think about individual users at home. It could be a cable modem or a router at home, or small to medium businesses who are running those small devices, less of an enterprise device, that are end of life. And end of life means the company no longer supports the device and its security. They are no longer pushing patches out there because the hardware is so outdated that it is likely the hardware is not capable of having new software placed on it. And so end users don't typically know that's the case, but it gives the adversary a way into those devices. And when they can find a vulnerability on one SOHO device like a router, then they will scan. They'll enumerate the IPv4 or IPv6 space, the internet space, for those vulnerabilities and they'll identify those routers or devices. They'll weaponize them. They'll maintain persistence and presence on there, and then they'll use them to target American businesses, American critical infrastructure, and government agencies.

Brandon Van Grack

Earlier this week, you all--you all being the FBI--announced another disruption involving APT31. I'm wondering if you just want to talk about that and how it fits in the picture as well.

Brett Leatherman

Yeah, so the FBI and the Justice Department just announced the indictment or the charging of seven nationals associated with the People's Republic of China with conspiracy to commit computer intrusion and conspiracy to commit wire fraud for their involvement in basically hacking U.S.-based businesses and dissidents or others who are outspoken against the CCP in general for over 14 years. And so these individuals are associated with the Chinese Ministry of State Security, or MSS, which also has a hacking mandate by the PRC to engage in these technical operations.

And when we look at the technical operations against Volt Typhoon, and then you pair that with these indictments against actual affiliates of the MSS, this just shows the importance of taking this all-of-government approach to combating the threat. Technical operations have a tremendous disruption capability. We want to provide that relief to private sector and others when we conduct those technical operations. But we also want to acknowledge publicly what is happening so the public understands the impact of these hacking campaigns, both to our economy, but also to the lives of people who are being hacked into because of their First Amendment rights to say what they want to say here in the United States in speaking out against another government. And so, it's important for us to acknowledge that publicly and it serves as a deterrent to other actors who may be involved in similar activity, hacking United States companies and individuals in understanding that the U.S. government has tremendous attribution power through our authorities and that we can pursue indictments against individuals, even those associated with a foreign nation state when they engage in this activity against U.S. equities.

Brandon Van Grack

Just in the last few minutes, we've now talked about three, what appear to be, major disruptions that occurred arguably in the last three months. And I suspect you could probably name half a dozen other ones that have occurred over the last year. And I'm wondering why are we seeing this now? Like the threats that we're talking about are critical infrastructure. They have existed for a while, but we are now seeing, it seems like on a monthly and almost weekly basis, these actions. And I'm wondering, why now? What is it about our capabilities, our focus that have changed?

Brett Leatherman

Yeah, that's a great question, Brandon. What I would say is 2022 was a banner year for us when it came to technical operations. 2023, just last year we had a record number of operations. In early 2024, we're talking three months into 2024, and we are already tremendously impacting the criminal and the state-sponsored hacking environment here in the U.S. And I think it's a realization by the intelligence community and law enforcement agencies, as well as our international partners, that we have to do something now and not wait till later because later it's very difficult to roll back some of the pre-placement of malware and some of the footholds that the adversary gets. And I think you will also see just a very robust partnership like we've never had before with our partners across the USIC and law enforcement community. That's NSA, FBI, CIA, DHS, CISA, U.S. Secret Service, all these partners working together to bring this combined authorities and capabilities apparatus to address the threat. But also our international partners. We just did a major disruption against the number one ransomware variant out there, LockBit. And that was with our partners at the National Crime Agency in the United Kingdom. And so our international partnerships and those who value norms in the global cyber fight, like our friends in the UK, we partner in that regard.

Also, unlike any other threat we face in the FBI, private sector is an equal player in this fight. And so when you see us do these disruptions or these operations, often it's with either the cooperation of victims who've been breached in advance, providing the FBI with indicators of compromise, tactics, techniques, and procedures that the adversary is using in their environment. And that intelligence gives us the ability to pivot into the adversary in an offensive way. Or companies who have unique visibility into the threat landscape. Some of the threat intelligence companies out there and the major providers, cloud providers, ISPs and others that provide us intelligence that allow us to target malicious actors as well. So it's not just a whole-of-government approach, it's a whole-of-society approach and we have to partner together to build resilience domestically because the adversary is partnering or co-opting their private sector to engage in these hacking campaigns. So I think what you've seen is just a sense of urgency on the U.S. government's part to really defend the homeland against an increasingly pervasive hacking environment by some of the rogue nation states and criminal enterprises.

Brandon Van Grack

As a public service announcement, ISP is internet service provider. You mentioned two topics, we're going to transition to both ransomware and the role of the private sector. But one follow-up before we do, which is, again, some of the disruptions you just mentioned are impressive in scale and scope. How do you measure the impact, though? How do you both, as the FBI and the U.S. government, determine the impact those, for example, three operations, in fact, have had to protect critical infrastructure?

Brett Leatherman

Yeah, so impact is important, right? The FBI is a storied law enforcement organization, and as an FBI agent, I can speak on behalf of all the FBI personnel in saying that there's no greater impact that we like to see than actually putting handcuffs on somebody who has hurt other people and ensuring that they face the blind scales of justice here in the United States. But we recognize that with some of the safe haven countries out there, we cannot get everybody to face justice here. And so what is impact to us is twofold. What mitigates the cyberattacks against the United States, meaning what authorities can we bring to bear to disrupt the actors, and how can we do that in a sustained and enduring way where we can? And number two, equally important to us is prioritizing victim engagement and ensuring that those who have been targeted by a cyberattack have the resources needed to contain the threat and to reconstitute after the threat. We work closely with DHS and the Cybersecurity and Infrastructure Security Agency on that.

So, when we conduct what we call joint sequenced operations, those are our disruption efforts, we look at who is the best player to conduct an operation. And if the FBI's tools or the FBI's infrastructure can be used by the Department of Defense to have the most impact, then the FBI should allow DOD to take the first shot at the adversary. And likewise, I think if DOD or our partners indicate the FBI is best positioned, we're the best player to do something, that we should do it. But, we should do so not looking for a quick win necessarily, but looking for a way that brings respite to victims who are constantly under attack by these adversaries. Sometimes that looks like a temporary disruption and that's the best we can do in the moment. Other times it's more of a dismantlement in which we are able to actually take the adversary's infrastructure off the battlefield. We're able to provide decryptors to victim companies to help them reconstitute. And so, every operation is different, and we have to prioritize victims when doing this work.

Natalie Orpett

Okay, so let's switch gears a little bit just to take things back up to a 30,000-foot level. One of the other major types of threats that you've mentioned and touched on a bit is ransomware. And I think this is really demonstrative of the diversity of the threat because you're dealing not only with nation states, as you've mentioned, and sometimes quasi-state actors, but also with just criminal gangs, people operating purely for pecuniary gain. So talk to us about the big picture threat of ransomware. What is it? What kind of threat does it pose? And how are you all dealing with it?

Brett Leatherman

Yeah, I think earlier I defined ransomware, really in the criminal environment, as a tactical threat to us. It is something in our face. It's loud. It's unlike cyber espionage, which is very quiet, and the public doesn't always see. Ransomware is often an attack on U.S. businesses or government agencies or nonprofits in a way that encrypts their data, makes their data unavailable. When you think about cyberattacks, they usually target the confidentiality, the integrity, or the availability of data. Today's ransomware attacks really focus on exploiting both the confidentiality and the availability of data, and so the encryption itself makes the data unavailable to the end user who has to conduct business and can't because they don't have access to those systems or that data. And then what they do is, prior to launching the ransomware variant to encrypt the data, they exfiltrate as much data as they can so that they can also extort the victim into providing some ransom payment. And that can be sensitive information about mergers and acquisitions, sensitive emails, things that might be embarrassing to the business or C-suite executives, and that is lucrative. And if the business doesn't pay up, they will often publish that information on websites in order to shame the victim.

So I mentioned LockBit earlier. That's a good example of a good disruption by the FBI, but it had tremendous impact. It was the number one variant we assess out there, and there were 150 affiliates of LockBit around the world. And when I say affiliate, that's because LockBit operated as what we call "ransomware as a service." That is a model in which affiliates use the tools and the infrastructure of the LockBit administration to coordinate their attacks. And they also employed a double extortion method by first encrypting victim data and then threatening to post exfiltrated data publicly. Global LockBit exploitation, we assess, has resulted in ransom payments in excess of $144 million. Think about that kind of economy for a criminal enterprise. When you get $144 million in ransom payments, there's a certain incentive to continue targeting U.S. businesses as a result of that. So we know that LockBit had attacked at least 1,600 U.S. victims.

So, NCA, our partners at National Crime Agency in the United Kingdom, and us, engaged in a coordinated operation to indict individuals of the LockBit group, to sanction individuals of the LockBit group, to do an infrastructure disruption, and to provide decryptors to organizations who had been impacted by LockBit. That's an example of a more sustained disruption that has real impact to those businesses. Think school districts, hospitals, and others who are unable to function as a result of that data encryption. Now that threat is not just the business systems. But ransomware can impact life safety implications. Certainly when you're talking about hospitals and medical records and the potential to impact law enforcement agencies, the ability to impact other individuals or entities within critical infrastructure, there's real kinetic effects associated with that.

Natalie Orpett

Yeah, and I'm glad you mentioned healthcare because, of course, another recent example, very prominent example, of a ransomware attack was to the UnitedHealthcare system, which had really awful effects on people needing lifesaving and life-sustaining medical treatment and a wide variety of healthcare providers were really paralyzed in their ability to deliver services because of the attack. And it seems to me healthcare systems are not really what you would think of in the first instance as a great target for making a whole lot of money, nor does it seem like a great victim for a group that is interested in naming and shaming. So I'm curious what you all think of the phenomenon that does seem to be an increasing threat that the FBI has identified in its recent IC3 report. What is the purpose of targeting healthcare in particular?

Brett Leatherman

Yeah, I think there's two things the actors will get. Number one, there needs to be high availability of systems and data in the healthcare sector. And so there's not as much time to reconstitute as there is to maybe get a decryptor and start to decrypt systems to give patients the healthcare that they need or to help pharmacies fulfill prescription orders and whatnot. And so, there's a certain action imperative by those operating within healthcare to make a payment sometimes to get access to those systems back. The other thing I would say is the actors are very proficient at looking at what we call third party risk. And that's where, in this case, they didn't target a specific hospital, right? They targeted the third party of all these hospitals across the country and pharmacies. And these actors are becoming much more proficient at looking where that third party risk sits because if they can hit an organization that has cascading impact across sectors and across the country, there is also some exigency as well for organizations to quickly reconstitute in some way, shape, or form and the actors know that. And so they look at those areas where there is that action imperative to try to get systems back up and running quickly.

Brandon Van Grack

Natalie mentioned the IC3 report. What does IC3 stand for?

Brett Leatherman

Yep. IC3 is the FBI's Internet Crime Complaint Center. And that is a central point of intake for all things internet crime-related and cyber intrusions. IC3.gov is the website that folks can go to report if they are victims of criminal conduct. And what the IC3 does, in addition to providing a deconfliction point for cybercrime tips, is they also put out an annual report to help the public understand what the trends in cybersecurity and fraud are from year to year.

Brandon Van Grack

Maybe to repeat the same question I asked with respect to critical infrastructure. Wondering if you could talk a little bit about the impact? Because even the FBI, you all have talked about when it comes to ransomware, it's a bit of a game of whack-a-mole and you find groups like LockBit reconstituting themselves. So how do you measure the impact that these disruptions have had on ransomware groups?

Brett Leatherman

Yeah, I think again, this impact can vary from campaign to campaign, but I think in totality, when you look at the uptick in operations we've conducted against these actors, indictments we've obtained against these actors, sanctions against these actors, which have reduced the flow of money going into some of these malicious countries and into some of their hands, in totality, those have an impact. When we do technical operations like LockBit, you go from probably 75 percent of ransomware attacks that are being conducted by LockBit on any given day to almost zero. That shows real relief to victims for a period of time, and we're still sitting within that period of time where there's been a real decline in attacks. But long term also, I think that demonstrates a lack of operational security by the bad actors. And so, I think the affiliates should recognize that there are operational security shortfalls, and we can identify who affiliates are. We can charge them with criminal conduct and that should serve as a chilling factor for them in the long term to continue engaging in this activity.

Now we know, similar to the gang problem we have in major cities, that we may never eradicate the threat itself. But we have to continue to pressure the threat. We have to continue to provide relief to victims and that's what we're committed to doing.

Brandon Van Grack

So just maybe one final question on ransomware, which is forcing you to answer the unanswerable, which is what do you foresee as next in terms of the evolution of the attacks? Is there a sector, is there a type of attack that you perceive as being the one that, when we come back a year from now, we're going to be talking about?

Brett Leatherman

Yeah, I think we've touched on it briefly, which to me, we are trending towards third party compromises where an organization has to recognize who has access to my data and who has access to my network because we are increasingly intertwined in the digital space, and what impacts your third party can have direct impact on your organization. That could mean encrypting your data that sits in a data center. It could mean encrypting your systems if there is connectivity between the third party and your organization. You really have to look at that third party risk.

And the second thing I would say pertains to both ransomware actors, as well as state-sponsored actors, and that is the software-based supply chain risk. And what I mean by that is we increasingly rely on software products across various spectrums. Think about SolarWinds, for example, and the SVR's exploitation of the Orion platform within SolarWinds. That compromise of a development server is what we are looking at across all sectors as a major avenue of risk. Because if a threat actor can poison the well in one area that pushes out software updates to thousands or tens of thousands of customers, that is a lucrative environment to propagate malware in a way that is very difficult to detect.

Natalie Orpett

So one thing you've mentioned a number of times, and I do want to dwell on it for a while, is the significance of the private sector in this whole ordeal. There are so many things that only the private sector can manage here. So there are defensive things. There are just decisions, like do I pay ransomware, or do I get law enforcement involved? So talk to us about how the private sector is a partner or needs to be a partner in dealing with these cybersecurity risks that you all are focused on.

Brett Leatherman

Yeah, that's a great question, Natalie. And I think the way I would start is saying that unlike other threats, the private sector sits on the front line of the cyber battle. And that is because in the United States, the private sector innovates. We are a great country because of the innovation that happens within private sector companies that leads America in vaccine research, that leads America in quantum computing, that really puts us on the forefront of disruptive technologies, which means the adversary has a vested interest in stealing that intellectual property to use and to compete with us with virtually zero dollars in overhead, right. So that's a long-term threat.

And so, the FBI and the U.S. government often do not see initial indications of adversaries on networks; it's private sector companies that see that. If the private sector company identifies it, and they remediate, and they don't contact law enforcement, those organizations are going to continue to exploit other companies throughout the United States. If the organization suffers a breach and they reach out to their local FBI field office, we are able to use our law enforcement authorities and partnerships and voluntary submissions by the private sector to get copies of technical indicators and adversary behavior that we can provide to either the sector or the country writ large to help them understand how to build resiliency into their networks. I think it was John F. Kennedy that said, "A rising tide lifts all boats." That is true here. When an organization reaches out to the FBI and provides this information, we can provide it anonymously across the country and share that in a way that builds resiliency and prevents exploitation from happening.

The other thing is, I mentioned the FBI has 56 field offices and personnel located throughout the globe working this threat. Often, for an organization that suffers a breach, it may be the first time they've ever seen this actor or this malware in their environment and they might be struggling to contain the actor, but the FBI does incident response 365 days a year. We are always viewing what adversaries are doing from the lens of prevention and detection, and we may bring intelligence or capabilities to bear early on in incident response for a company that might not otherwise be available because we have both that intelligence community and that law enforcement mission. In fact, it may not be available to any other private sector company to have. So there's value in calling the FBI early, but there's also value to the FBI when you do that and to the community at large in doing that.

Natalie Orpett

Right. I mean, the thing that seems really tricky to me is that, using ransomware as an example, it's not necessarily obvious, though it may seem ideal that it would be, for a victim of a ransomware attack to choose to contact the FBI, because most likely the threat is going to involve a ticking clock and a very specific threat that is a very scary one to the business or the entity that's under attack, and oftentimes they involve an indication that you should not get law enforcement involved. So, I guess a two-part question here. One is, how do you all incentivize companies or other entities that are subject to attack to get you involved, even though it seems that there is a risk that it may come at a cost to them? Thinking more broadly, it would be great if everyone had the public spirit about it, but we have to be honest about the incentive structures and the difficulties that these entities might be facing from their perspective. And a second related question, what is your estimate about, for example, the number of ransomware attacks that result in payments about which the FBI and other law enforcement entities are not made aware?

Brett Leatherman

Yeah, those are two great questions. And what I would say to the first question is the FBI is a law enforcement agency, not a regulatory agency. It is bound by the Victims' Rights Act, and we treat victims of cyber compromises like victims. They have been victimized by criminal or state-sponsored actors. The FBI recognizes that. The information we collect is generally under law enforcement investigative work, and so it's covered by those law enforcement equities. And then the value proposition here is we also bring that intelligence that nobody else can to help with that remediation and intelligence work. I would say also, despite our best effort to message this, when we did the Hive ransomware takedown, which I believe was last year, what we saw when we got into the Hive admin panel is we saw victims who were being compromised and we would quickly identify decryptors and surreptitiously get those decryptors to the victim so they could decrypt while we maintained a presence on the Hive infrastructure. By the time we took the infrastructure down, we were able to have that disruption of the infrastructure. We identified that only about 20 percent of the victims of the Hive ransomware variant actually reported to law enforcement. So had we not seen them in the panel actually engaged in these negotiations with the Hive actors, we would not have known that they were victimized when, in fact, we had that decryption capability.

So I think their reporting to law enforcement is important because while we won't always have decryption capability, we are experts at responding to crisis. Think about our counterterrorism mission. Think about our criminal mission. We can help bring some calm to the storm that an organization may be facing and help them to understand what the risk is to their enterprise and into their business bottom line by not engaging law enforcement. We try to do that in advance. So I think there's a lot of benefit to bringing us in early.

Brandon Van Grack

On the topic of disclosure, we'd be remiss if we ended a podcast without talking, in fact, about a regulator. And so, as we said at the outset, one of the areas of cybersecurity is the U.S. government increasingly regulating the space and trying to identify regulation. And so, one of the more recent ones was the Securities and Exchange Commission at the end of last year implemented a rule that requires public companies to publicly disclose material cyber incidents within four business days. But there's an exception to this rule, where if the attorney general determines that that disclosure would be a threat to national security and public safety, and in fact, the FBI is part of that process and determination. So it really dovetails with some of your comments earlier about disclosure of these incidents. And I'm wondering now that this SEC rule has been in place for about three months, in fact, what are you seeing in terms of those public disclosures? And in fact, have companies been coming to the FBI and DOJ to seek that exception?

Brett Leatherman

Yeah, that's a great question. And so, yeah, the SEC, the Securities and Exchange Commission, put this rule into place, I think it was December or January, basically when an organization identifies materiality. So not necessarily the breach itself, but when they determine there's materiality related to that breach, they have an obligation to report to the SEC. And so they can go publicly report at whatever point they deem necessary, but if they believe there's a national security implication to that reporting, meaning if that report goes public, there may be impact to law enforcement investigations, they can consult with the FBI. And we have an intake form for them to do that. They can consult with the FBI to determine if they intend to seek a waiver from reporting from the attorney general. And so that intake form comes to the FBI. We do some assessments and have conversations with the company about that very transparently. We present that to the Department of Justice, and we work with the SEC to determine should there be a delay, should there be a waiver in that public reporting or not? And so ultimately, DOJ makes that decision, not the FBI, but that is an example of, I think, an increased regulatory environment when it comes to recognizing these cyber breaches don't just have impact to organizations, but they have impact to stakeholders in different ways.

Brandon Van Grack

And have companies, in fact, in these few months, been reaching out to the FBI? Like, how has that process worked?

Brett Leatherman

Yeah, so two ways, right? So they can go right to the form and submit the form itself without even talking to the FBI. And that form will come into the FBI cyber watch center, a 24/7 watch floor. And then we will action that. Or, more importantly, they can reach out to their local FBI field office and start having the discussion with a trusted partner within the local FBI field office to better determine if that's something that should move forward or not. So that's, in part, why we encourage local businesses to have a relationship with their local FBI field office before a breach happens so that you have an FBI agent's number on speed dial when the time is right to either report a compromise or look at this SEC rule submission. We have engaged in dialogue with companies. I can't get into details about that, but we have engaged in dialogue with companies related to waivers in the national security space.

Natalie Orpett

So I think a good place to wrap up is coming back to something that Brandon mentioned at the top, the fact that this SEC rule is quite new and a new initiative. Where, based on your work, are you seeing gaps where it would be particularly useful to have regulations that don't exist yet?

Brett Leatherman

Two areas. And this is less for having regulations because we're not a regulatory agency. It is more on what we can do, I think, to breed resilience across the country and to work together. Number one is for victims to report a cyber breach to their local FBI field office, as soon as they identify an anomaly, and that is to help us understand what that threat environment is to pursue the actors and to help with remediation activity. And I would say the other thing is those major cloud providers or major providers in general who have tremendous threat investigators working for them, as they see shifts in adversary tactics, to reach out to us and let us know as well. We obviously view that from our intelligence community standpoint, what those shifts are, but there are major providers out there who have a great view of what the adversary is doing and how they're evolving, and we'd love to hear that as well. So I think just generally contacting, engaging the FBI on this front really helps us to understand and helps us to defend the country.

There is, of course, FISA 702, which is a big discussion item here as of late. And what I will say is the FISA 702 carve-out allows the U.S. intelligence community to collect on adversary infrastructure in the United States when the adversary is located outside the United States. And what I mean by that is generally a foreign intelligence officer or military officer engaging in hacking against U.S. companies when that officer sits in a foreign country but rides on U.S. infrastructure. That allows the FBI to be very nimble in the way we can transit infrastructure and collect on the threat. There's a lot of debate right now on the Hill related to that. That is a vital tool for us in the cyber fight. We're probably the top users within the FBI of FISA 702 capabilities. And that's because often technical indicators change by the day, sometimes by the minute, and if we are not able to adequately follow the adversary across U.S. infrastructure, that's a risk to our investigators in being able to maintain that coverage and warn victims that are being targeted by those actors.

Natalie Orpett

So I'm wondering, though, understanding, of course, that you all are not regulators and are just enforcing what laws and regulations exist, does it seem like we are ripe for, let's say, a carrot or a stick sort of approach? Would you think that it would be valuable to have regulations, for example, that would create some liability scheme for companies that fail to implement those baseline defensive strategies into their cyber defenses? Would you want to see specific incentive structures in the form of, I don't know, for example, we will make sure that you, the company that is disclosing and getting the FBI involved in your response to this ransomware attack, are given specific types of resources or benefits in exchange for engaging us at the earliest stages? What sorts of rules would be the most effective in your mind for getting private sector entities to be maximally cooperative and maximally useful partners in ensuring U.S. cybersecurity?

Brett Leatherman

Yeah, I'll give you two thoughts on that. I think number one, we do need to increase baseline cybersecurity across the spectrum. And the reason for that is the actors, whether it's Volt Typhoon, whether it's Dying Ember, or whoever, are doing what we call "living off the land," which means they're getting into environments way too easily and using network or system tools to persist in that environment. And what that means is they do not have to spend millions of dollars on sophisticated tools to get into networks. We're making it very easy on them to get in. And so, raising that baseline level of security is important, whatever that looks like. The second is that the Office of the National Cyber Director released, I think it was last year, the nation's cybersecurity strategy, and part of that strategy is placing some of the onus on the major providers because we can't rely on small and medium businesses to always be able to defend against the Russian GRU or the PRC's PLA, right? And so putting some of the onus on secure by design, building resiliency into the products themselves that the manufacturers are making, building resiliency into the backbone of American communication infrastructure, that will help defend the country in, I think, a way that helps us move the needle.

I do think also that if you just engage in cybersecurity practices to meet regulatory requirements, we’re generally behind the ball. I think we've got to go beyond what regulation requires when mandating certain cybersecurity standards. I agree we have to reach those standards, but we have to go beyond those standards to build that resilience.

Natalie Orpett

Okay, I think we're going to have to leave it there. Brett Leatherman, thank you so much for joining us.

Brett Leatherman

Thank you.

Natalie Orpett

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our music is performed by Sophia Yan. As always, thank you for listening.


Natalie Orpett is the executive editor of Lawfare and deputy general counsel of the Lawfare Institute. She was previously an attorney at the law firm Jenner & Block, where she focused on investigations and government controversies, and also maintained an active pro bono practice. She served as civilian counsel to a defendant in the Guantanamo Military Commissions for more than eight years. She also served as counsel to the National Security and Foreign Policy Legal Team of the Biden-Harris Transition Team.
Brandon L. Van Grack is a partner and co-chair of the National Security and Crisis Management practices at Morrison & Foerster LLP. He is a former senior national security official at the U.S. Department of Justice, where he served as Chief of the Foreign Agents Registration Act (FARA) Unit, Senior Assistant Special Counsel to Special Counsel Robert S. Mueller III, Counsel to the Assistant Attorney General for the National Security Division, Trial Attorney in the Counterintelligence & Export Control Section, and as a prosecutor in the U.S. Attorney’s Office for the Eastern District of Virginia.
Brett Leatherman is the FBI Deputy Assistant Director for Cyber Operations.
Jen Patja is the editor and producer of The Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.