Thank you, and good morning, everyone. It is an honor to be here with you today.
I want to begin by thanking Boston College for hosting this event, now in its seventh year, and for your continuing partnership and collaboration with the FBI. The relationship we share with BC would not be possible without the tremendous support we have received over the years from both Mike and Kevin, and the Bureau is grateful for it.
I would also like to thank SAC Joe Bonavolonta, who many people in this room have had the privilege of working with during his time as the leader of our Boston Field Office and throughout his career. Joe and his team have always made FBI participation and support for this conference a priority, just as they have made it a priority to build strong relationships with our partners throughout the intelligence and law enforcement communities, academia, and the private sector.
You might have heard that Joe is set to retire at the end of this week after a distinguished career. While some might have been tempted to spend their last few days making an easy transition, not Joe. Clearly, he is working hard up until the very last minute of his time with the Bureau. So I want to take this opportunity to thank him for the long career he has dedicated to the FBI and to public service.
Further, I would like to thank all of you for joining us here today, and for your participation in the work we do together. Getting cybersecurity leaders like you—from not just government and the military but also from corporations and research institutions—together for a day is an invaluable opportunity to talk about the threats and trends we are all seeing and the best ways to stay ahead of and defeat them.
So I’d like to start off by discussing where the FBI sees the cyber threat today. Then we can get into how we are changing our calculus to get the most impactful results and about the tools we rely on to get the job done.
All of us here know that today’s cyber threats hit a wider array of victims and carry the potential for greater damage than ever before. The threats are evolving rapidly, and the stakes have never been higher. And more and more, it is becoming difficult to discern where cybercriminal activity ends and adversarial nation-state activity begins, as the line between the two has become blurred, and hybrid models have formed.
Over the past two years, the FBI has seen a wider-than-ever range of malicious cyber actors lawlessly threatening U.S. economic and national security. Today, we are investigating more than 100 different ransomware variants, each with scores of victims, wreaking havoc on business operations, causing devastating financial losses, and targeting everything from hospitals to emergency services to the energy sector and state and local governments.
At the same time, we are dealing with a host of unique threats from nation-states aimed at disrupting our democratic society. Foreign adversaries like the governments of China, Russia, Iran, and North Korea use cyber operations to illegally achieve their strategic objectives. Their objectives include financial gain, theft of information and intellectual property, malign influence campaigns, and advanced preparations to disrupt our critical infrastructure.
They are growing stealthier, and they are constantly developing new ways to compromise networks and get the most reach and impact out of their operations.
China, in particular, poses a formidable cyber threat on a scale that is unparalleled among foreign adversaries. It has a bigger hacking program than every other major nation combined, and it has stolen more of our personal and corporate data than all other nations, big or small, combined.
To give you a sense of the scale of the China cyber threat, if each one of the FBI’s cyber agents and intelligence analysts focused on it exclusively, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.
But the government of China is not the only hostile nation-state using cyberattacks to take aim at U.S. victims. This time a year ago, hackers sponsored by the Iranian government were in the news when we revealed a particularly appalling cyberattack they’d attempted in 2021 on the Children’s Hospital right here in Boston.
Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And by working closely with the hospital’s staff, we were able to identify and defeat the threat, protecting both the network and the children—the patients depending on it for life, health, and safety.
But in addition to China and Iran, the cyber threat posed by Russia has also recently come to the forefront. Since the Russian invasion of Ukraine began, we have taken unprecedented steps to identify, report on, and take action to help and assist in addressing cyber threats targeting Ukraine, building on years of close work with Ukrainian partners to combat Russian cyber threats.
And that is not just because we’re trying to be good international partners, but it is also because while Russia’s invasion may be taking place halfway around the world, its effects can be felt right here at home.
We have seen, for instance, Russia conducting reconnaissance on the U.S. energy sector. That is particularly worrisome because we know that once access is established, a cyber actor can switch from information gathering to attack quickly and without notice. So we have been working with our partner agencies to provide advance warning and work with companies being targeted by Russia.
And that work is being carried out by FBI field offices across the country, including right here in Boston because even when a threat is global in nature, the response to it must take place on a local level as well.
We have also been providing our public- and private-sector partners with defensive briefings to help keep their data and networks safe from Russian cyberattacks, declassifying and sharing as much information as possible to keep potential victims informed as the threat continues to change.
And last month, we dealt another blow to Russia’s cyber apparatus. Leveraging the technical capabilities of our cyber personnel and our strong partnerships, we conducted a court-authorized operation to dismantle a long-standing cyber tool of the Russians’ known as Snake—sophisticated malware that Russia’s security service, the FSB, had used for long-term intelligence collection on sensitive targets like journalists, research facilities, and government networks across 50 countries.
As cyber threats have been evolving, we have had to evolve to keep up with—and ahead—of them.
Traditionally, the Bureau measured success mostly in arrests—in the number of criminals we put behind bars. But the cyber strategy Director Wray announced in 2020 now keeps us focused on disrupting not only the actors but also their infrastructure and their money. So while we are still committed to identifying key criminals and working with our partners to arrest them, whether it is here in the U.S. or overseas, we are now just as focused on what we can seize or disable to disrupt attacks and glean intelligence and prevent future harm.
And we are equally intent on making cybercrime less profitable and taking away the funds used to run new illicit operations.
For example, in January, the Bureau announced the culmination of a year-and-a-half-long campaign to disrupt the Hive ransomware group. Hive’s attacks were extensive and financially devastating. The group extorted victims around the globe for more than 110 million dollars in ransom payments. But last July, we took the fight to them.
Our field office in Tampa gained access to Hive’s control panel, and for seven months, we exploited that access to help victims while keeping the Hive actors in the dark. We used it to identify Hive’s targets and offered more than 1,300 of them keys to decrypt their infected networks, preventing at least an estimated $130 million in ransom payments. In collaboration with our European partners, we then seized control of the servers and websites Hive used to communicate with its members, shutting down the operation and their ability to attack and extort any more victims.
That is just one example of how we have shifted our thinking when it comes to cyber strategy.
Of course, we are still putting a lot of criminals—and cybercriminals—in jail because we know that sometimes, the best way to stop an ongoing threat is to arrest someone. But other times, the answer is to seize or dismantle the adversary’s infrastructure and help victims recover.
Adopting this strategy has allowed the FBI to usher in a new era for our cyber
program—one accompanied by our focus on what is most essential to combating cyber threats: the who, the what, and the why of our work.
First, with regard to who: It means going after the biggest targets—the platforms, administrators, and users causing the greatest damage. Second, the what: That means playing offense by taking on operations of extraordinary size and scope. And third, the why: That means ensuring the bold moves we are making all inform and elevate our overarching strategy.
All three were on display this past spring.
First, in late March, we struck a serious blow to the cybercrime ecosystem with an operation targeting BreachForums. Likely the world’s biggest data leak platform, BreachForums hosted a large group of what are known as initial access brokers. Those brokers traffic in stolen data that cybercriminals can use to launch ransomware attacks, gain unauthorized access, steal intellectual property, and conduct tens of millions of dollars of fraud.
BreachForums had more than 300,000 members looking to make use of the more than 14 billion illicitly obtained individual records the site hosted. Once we put its founder in jail, the platform shut down because its new administrator said it could no longer operate safely.
Imagine that: A cybercriminal, selling millions of dollars worth of victims’ stolen data, worried about safety.
Less than two weeks after the BreachForums operation, the Bureau took down another initial access broker called Genesis Market, a global criminal marketplace used to steal and sell victim account credentials—things like usernames and passwords for email, bank accounts, and social media. Genesis Market sold those on a grand scale, giving users access to more than one-point-five million different compromised computer systems and holding over 80 million access credentials.
We conducted a coordinated operation with our international and domestic partners from both government and private sectors to seize Genesis Market, make more than a hundred arrests, and shut the platform down.
So what makes these takedowns different from what we have done in the past? The who, the what, and the why.
As for the who—the platforms and the people we went after—BreachForums and Genesis Market were key players in the cybercrime environment and, specifically, in the initial access broker space.
Now, it is nearly impossible to overstate the outsized role those brokers play as key enablers of cybercrime as a service, selling access to other cybercriminals—access to corporate networks, stolen credentials, and other data stolen from victims. The access these marketplaces offer is the lifeblood of many other types of cybercrime. BreachForums and Genesis Market were two of the largest sources of initial access, and we dismantled both.
We are going after the biggest players in the ecosystem. And we are pursuing more than just key administrators.
With the operations targeting Genesis Market, the Bureau collected information that helped identify and arrest many of the users of these illicit services, too—the users who likely caused tens of millions of dollars in financial losses. And they, and their victims, were located in countries all around the world.
That brings me to the second thing that sets these takedowns apart: the what.
The scope of these operations, and that which was accomplished, was unprecedented. Disrupting and dismantling Genesis Market required carefully planned and coordinated worldwide operations—ones we could not conduct alone.
We relied heavily on our overseas partnerships, collaborating with our law enforcement counterparts in more than a dozen countries, as well as Europol and Eurojust, to collect intelligence, identify infrastructure, and coordinate a global takedown of the marketplace.
Because victims could be found in almost every country in the world, including in the U.S., we relied on our field offices across the country, too. Here in Boston, for example, personnel in this field office pursued leads across Massachusetts, Maine, New Hampshire, and Rhode Island, typically working in tandem with our state and local law enforcement partners.
The end result was the biggest takedown the FBI has ever conducted of criminals dealing with stolen digital credentials. That brings us to number three: the why.
With these takedowns, we have operated, and will continue to operate, globally to take action against cybercriminal threat actors, wherever they may be, because putting pressure on the adversary is a huge and important part of our overarching strategy. It is all part of the proactive, disruptive spectrum of activities we are taking against cyber threat actors and the illicit services that support their activity.
With regard to the wide range of cyber threats I mentioned earlier, we are taking aim at the entire ecosystem that supports and enables them, from ransomware and nation-states’ illegal conduct to business email compromise and elder fraud schemes and everything in between. Without the services of platforms like BreachForums and Genesis Market, it will be much harder for these actors to engage in illegal cyber activities. Of course, given the range of threats we are facing and the pace at which they are evolving, we need to make the best use of every tool at our disposal to stay ahead.
Primary among those are the partnerships we share, throughout law enforcement, with our international allies, with the academic community, and with the private sector. For instance, the criminal cyber squad here in Boston conducts nearly every one of its active investigations with international partners.
The office’s Cyber Task Force, like those in every field office across the country, includes federal, state, and local law enforcement partners who share their resources, authorities, and capabilities in support of the work we do together.
And through robust outreach by every field office, we work hard to build and maintain relationships with businesses and academic institutions to share information, respond to cyber incidents, and help lock down network defenses.
But aside from those more traditional tools we use to support our cyber work, we also rely on our authorities under the Foreign Intelligence Surveillance Act or FISA—and specifically under FISA Section 702.
Our use of 702 has received increased attention recently, and I want to take this opportunity to shed some light on what it means for the Bureau and our mission. Section 702 enables the FBI to identify, investigate, and mitigate threats to our homeland coming from foreign adversaries operating outside our borders.
When dealing with cyber threats, 702 is the tool we use to collect foreign intelligence by targeting, say, a hacker in China—a non–U.S. citizen located outside of the U.S. who is not covered by the constitutional protections we enjoy as Americans.
702 further allows the FBI to lawfully run searches against that collection and see who that foreign-based hacker may be working within the United States to identify potential victims who might not even know that they have been compromised or are being targeted and to warn those who might be targeted next.
It is how we connect the dots between foreign threats and targets here in the U.S., using information already within U.S. government holdings—information that was previously lawfully obtained.
FISA 702 keeps us agile and efficient, and it is absolutely critical for the FBI to continue protecting the American people—not just from cyberattacks but also from terrorist attacks, foreign spies, and a host of other hostile threats.
702 is up for renewal by Congress at the end of this year, and we cannot afford to lose it. So to make sure we are using our authorities correctly and appropriately, we have put in place an entire slate of important reforms to our processes, electronic systems, training, and oversight. And we are committed to being good stewards of this tool and to use it transparently to ensure the public’s trust because, considering the complexity and severity of the cyber threat alone, we need every tool we can lawfully bring to bear.
We are no doubt up against a host of incredibly daunting threats and challenges, and the Bureau, like all of you, is doing our best to evolve and innovate as quickly as our adversaries. But with successes like those we have been seeing and with the valuable partnerships we have with all of you, the outlook is positive and optimistic, and our chances of success are great.
Thank you for your work and your commitment to collaboration, to partnership, and to cybersecurity—to protecting our country and to keeping people safe.
We in the Bureau are honored to work alongside you and are grateful for everything you contribute to the fight. And I look forward to taking a few questions now.