FBI Strives to Keep Ahead of Cyber Adversaries
A rapidly changing threat environment compels increased cooperation.
The FBI is increasing its cooperative efforts with U.S. government agencies and overseas allies as it wages an unending battle against growing cyber adversaries with escalating capabilities. Alongside four major nation-states, the cyber threat list now includes terrorists and criminal organizations that pose a mounting threat to U.S. national security, including its economy. The FBI faces the challenge of keeping pace with these adversaries, knowing they are relentless in pursuing cyber supremacy to achieve their goals.
The bureau serves as the lead federal agency for investigating cyber attacks, whether by domestic criminals or overseas adversaries. But it seeks to exploit complementary cyber capabilities among other relevant government agencies. “We really think it’s important to look at this whole effort as an ecosystem, and look at how we ensure that each component of the government … has the resources and capabilities it needs to support the entire ecosystem,” says Tonya Ugoretz, deputy assistant director, FBI Cyber Division.
The FBI works closely with other government intelligence organizations. The information it collects, whether through domestic intelligence or traditional law enforcement activities, is fed to partners such as the Defense Department and intelligence community agencies with operational responsibilities.
While the FBI never will be the size of the Defense Department or the U.S. Cyber Command, it must ensure parity in its partnerships, Ugoretz continues. Each government organization must have the resources it needs to enable the others to perform their cyber roles. “We will only be able to match our adversaries’ capabilities if that woven fabric of the U.S. government agencies is strong,” she emphasizes.
Russia, China, Iran and North Korea are the “big four” cyber threats the FBI is focusing on for its cyber protection efforts. Yet the number of countries developing offensive cyber capabilities is growing dramatically. “We want to be alert to how those countries develop those capabilities and, if at any point they were to indicate an intent to use those for some purpose that affects U.S. equities, that’s something we would be concerned about,” Ugoretz says.
Ugoretz allows that the FBI views the cyber threat environment as a whole, and this includes national security as well as cyber crime threats. “Increasingly, the line between those two is blurred,” she says. Tools and capabilities that are available to cyber actors, regardless of affiliation or motivation, are proliferating. In addition to Russia, China, Iran and North Korea, the cyber threat is growing among other nation-states. “We can’t take our eye off of how other states are looking at how cyber threats have been evolving and how they might also use those capabilities for their strategic objectives,” she says.
The U.S. government has improved the ability of its agencies to cooperate in confronting cyber threats, she says, describing it as “an area of growth that requires constant evolution as the threats are evolving.” The issues of speed and scale depend largely on how quickly adversaries adapt, she points out. Although government now can adapt quickly, adversaries often still outstrip its capabilities.
“Our greatest challenge is not only to address what is happening today, but also to be able to obtain focus at a higher leadership level in the government on the capabilities we all need to develop now to meet the threat where it is going,” Ugoretz states. “We need to be able to pull up from the day-to-day to look at where the threat is headed and how we invest resources now in order to be prepared and meet the threat where it is going.”
The FBI also works with the private sector and the public to mitigate cyber threats. Outside of federal networks, much of the FBI’s cyber concern focuses on individuals, local governments and organizations whose networks reside in private hands. Ugoretz cites U.S. municipalities targeted by ransomware as an example of the cyber attacks on the private sector that originate largely from overseas. The foreign origin of these attacks challenges the bureau’s ability to counteract them, she notes.
Because the private sector owns these networks, the government cannot sit on them and watch the data flow. Ugoretz notes that the FBI must instead rely on the owners to work with the bureau by reporting the malicious activity they observe on their networks.
The same holds true for the Internet backbone in the United States. This does not hold true for every nation, she observes, so U.S. Internet service providers and commercial cybersecurity companies possess unique insight into network activity. “It’s a critical piece of the puzzle to be able to have insight into what they’re seeing to match up with what the U.S. government sees,” she says. “Bringing that picture together gives us the best chance of combating the [malicious] activity. So, it’s critical for us to be able to do so, whether it’s an individual in a community, a municipality, an owner of an Internet service provider or an owner of a Fortune 500 company—if they are seeing malicious activity or are suffering an attack, that they are bringing that information to the government and working with us so we can identify who’s responsible, prevent additional victims from being targeted and, ideally, hold the perpetrators responsible,” she declares.
Ugoretz allows that the private sector expresses concern over liability protection and reputational harm if a company’s victimization were to become known. “I don’t know if there are many other areas where, if someone were to admit they were the victim of a crime, somehow they’re held responsible,” she offers. Given this, companies are concerned that bringing their experience to the government and having it become public reflects poorly on their own reputation.
But Ugoretz offers an opposite point of view. “In terms of their ability to protect their customers, we think it actually works to their benefit to be sharing with the government, trying to mitigate the impact of what occurred and trying to identify who was responsible and help ensure it doesn’t happen again, either to them or to anyone else,” she declares.
Cooperation with foreign partners is just as critical as cooperation with the FBI’s domestic counterparts, she attests. The FBI’s overseas assistant legal attachés are the conduit for this cooperation, and Ugoretz notes that some bureau offices have assistant legal attachés dedicated solely to cyber matters. These specialists are cyber-trained, familiar with responding to cyber incidents and serve as forward-deployed personnel working directly with foreign counterparts.
In addition to sharing intelligence on cyber threats, this construct is particularly helpful in dealing with adversaries in their own geographical area. Ugoretz states that some of the major adversaries are more active in their immediate area, sometimes using that area as a testbed. She cites various Russian cyber attacks against Ukraine as an example. “We work with foreign partners to look at that to help us prepare for what an adversary might eventually have the capability or intent to do against us,” she says.
The same holds true with elections. “Russia certainly has a high interest in elections in their immediate AOR [area of responsibility] in the former Soviet Union and has been very active in trying to influence those elections,” she reports. Observing Russian meddling in elections in its AOR gives a hint of what U.S. elections might face, she notes.
On the international crime front, knowing what is happening overseas can help the FBI take down the infrastructure used by a cyber criminal organization, Ugoretz says. This could be a global botnet or a marketplace that trades in tools and exploits, for example. She offers that the bureau cannot do this effectively on its own because that infrastructure may lie in foreign countries. But working with law enforcement partners in those countries allows the FBI to plan and sequence activities, even making arrests and seizing servers in multiple countries. These can be done in a matter of hours, which denies the adversaries time to react, she adds. “Rather than just taking one person off the playing field, you’re taking down the whole enterprise,” she states.
Ransomware has become a profitable tool for both international criminals and nation-states. Ugoretz expresses the prevailing sentiment among law enforcement, saying that the FBI does not recommend paying ransom. Most ransomware attacks have been conducted for the profit motive inherent in extortion, yet she points out that any type of malware could potentially be used to target a variety of systems. Russian cybermarauders launched a destructive cyber attack masquerading as ransomware in the 2017 NotPetya attack, which reportedly caused billions of dollars in losses.
“No matter what type of threat we work on at the FBI—whether it’s terrorism, or cyber, or general crime—our adversaries learn from one another,” she points out. “They are looking at what’s in the news, what their competitors among criminals and nation-states are doing, and they adapt their toolkit in response. We’re always looking at the field of play at the moment and assessing the risk that might come from someone looking at what someone else is doing and trying to adapt that for their purposes.”