Remarks as prepared for delivery.
Introduction
Thank you, Keri, and good morning, everybody.
I want to begin by thanking FBI Atlanta and Georgia Tech for cohosting today’s event.
It will come as no surprise that I’m always happy to have an opportunity to come back home to Atlanta. This is where my career in law—and, a few years later, law enforcement—really began. So it’s both an honor and a pleasure to be here with you this morning.
Getting so many industry leaders together in one room for the day is an invaluable opportunity to talk about the threats we’re seeing—and just as important, to discuss the ways we can work together to stay ahead of them.
We’ve got an impressive slate of speakers on today’s agenda, including Bryan Vorndran, who heads up our Cyber Division, and a host of other distinguished cybersecurity experts and partners from both government and the private sector.
And I know they’ll be doing an in-depth dive into the threat picture and some of the most important challenges we face.
So, I’d like to spend my time with you this morning talking about how the FBI sees the cyber ecosystem—how the threats have evolved over the years, and how we mitigate them.
The Cyber Threat
I don’t think it’s a stretch to say a lot has changed since the FBI was founded in 1908.
Back then, not even H.G. Wells could’ve conceived that we’d one day be battling threats online, in an entirely new universe called cyberspace. But today, that’s the source of some of our most complex, most severe, and most rapidly evolving threats.
And for more than two decades, we’ve had an entire Cyber Division—and a cadre of cyber experts throughout the field—all devoted to identifying and mitigating those threats.
What they know—and what everybody in this room knows, too—is that today’s cyber threats are more pervasive, hit a wider array of victims, and carry the potential for greater damage than ever before.
As I speak, the Bureau is investigating more than 100 different ransomware variants, each with scores of victims, wreaking havoc on business operations, causing devastating financial losses, and targeting everything from hospitals and emergency services to the energy sector and state and local government.
At the same time, we’re dealing with a host of unique cyber threats posed by nation-states, and it’s becoming increasingly difficult to discern where cybercriminal activity ends, and adversarial nation-state activity begins.
And the line between the two continues to blur.
Like when we see foreign intelligence officers moonlighting—making money on the side, through cybercrime, or hackers who are profit-minded criminals by day, and state-sponsored by night.
Among nation-states, China, in particular, poses a formidable cyber threat, on a scale unparalleled among foreign adversaries. It’s got a bigger hacking program than every other major nation combined, and it’s stolen more of our personal and corporate data than all other nations combined.
Let me give you a sense of the scale of their operations: If each one of the FBI’s cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50 to 1.
Let me say that again—50 to 1.
And, of course, the Chinese government’s not the only hostile nation-state we’re contending with.
Russia is near the top of the list, too—a threat you’ll hear more about from our next speaker, Mr. Zhora of the State Special Communications Service of Ukraine.
Although Russia’s invasion of Ukraine may be taking place on physical battlefields halfway around the world, we’re seeing the effects of the invasion right here at home.
For instance, we’ve seen Russia conducting reconnaissance on the U.S. energy sector. And that’s particularly worrisome because we know that once access is established, a cyber actor can switch from using that access to collect information to using it to conduct a destructive attack quickly and without notice.
Complicating matters even further is the constant development of new and emerging technologies.
For example, I know none of you will be shocked to hear that content enabled by artificial intelligence is ripe for potential misuses—and that machine learning models have already been exploited by criminal actors.
And while generative AI—enabled by platforms like ChatGPT—can certainly save law-abiding citizens time by automating tasks, it also makes it easier for bad guys to, say, generate deepfakes or malicious code.
In just one example earlier this year, a darknet user claimed to have produced such code with the assistance of ChatGPT and then instructed other cybercriminals on how to use it to recreate malware strains and techniques based on common variants.
But that’s really just the tip of the iceberg.
We assess AI will enable threat actors to develop increasingly powerful, sophisticated, customizable, and scalable capabilities—and it won’t take them long to do it.
That goes double for China, which as I mentioned earlier has spent years stealing both our innovation and massive troves of data that’s perfect for training machine learning models. And now they’re in position to close the cycle—to use the fruits of their widespread hacking to power, with AI, even-more-powerful hacking efforts.
Importance of Partnerships
So it’s clear that the threat environment—and the threat actors we’re up against—are continuously evolving, growing more complex and more dangerous every day. And we need to lean on a wide variety of tools and techniques to combat them, because the threat is too great for any one agency—or any one business—to fight alone.
Which is why we rely more heavily than ever on partnerships—with our colleagues throughout the intelligence, law enforcement, and international communities.
Together we work to execute joint, sequenced operations, leveraging our collective efforts to exert the maximum impact on our adversaries.
But we’re also relying heavily on our partnerships with all of you in the private sector.
We’re pushing out threat alerts and developing relationships—both on a one-on-one basis and through organizations like InfraGard and the Domestic Security Alliance Council—to expand our engagement with U.S. businesses.
We’re providing defensive briefings to help keep your data and networks safe from cyberattacks.
And we’re declassifying and sharing as much information as possible to keep potential victims informed as the threats continue to evolve.
But it’s not a one-way street.
At the FBI, we can’t build a comprehensive picture of the cyber threat landscape alone.
We know that an enormous amount of information about the cyber threat landscape exists on the systems and servers of U.S. businesses. So, we work hard to use the information one company gives us to develop analysis about who an adversary is, what they’re doing, and where, why, and how they’re doing it, taking pains to protect that company’s identity, just as we do with our confidential human sources. And then we pass what we’ve developed to our fellow U.S. and foreign intelligence services, foreign law enforcement, CISA and sector risk management agencies, and service providers. And they use it to provide us with even more information, enhancing our global investigations.
Ultimately, that helps us discover malicious infrastructure we can target and means we can then alert you to new threats so you can better remediate and protect yourselves.
It’s what we like to refer to as a virtuous cycle—and it’s only possible when we’re working together.
So as you can see, we’re not just collecting information to put it into a database somewhere—we’re acting on it.
Another example—earlier this year, we announced the culmination of a year-and-a-half-long campaign to disrupt the Hive ransomware group.
Hive’s attacks were extensive and financially devastating.
The group extorted victims around the globe—both big businesses and small ones—for more than $110 million in ransom payments.
But last July, we took the fight to them.
Our field office in Tampa gained access to Hive’s control panel—in effect, hacking the hackers—and for seven months, we exploited that access to help victims. And we did it all while keeping the Hive actors in the dark.
We used our access to identify Hive’s targets and offered more than 1,300 of those victim businesses keys to decrypt their infected networks, saving victims an estimated $130 million in ransom payments.
Then, working hand-in-hand with our European partners, we seized control of the servers and websites Hive had been using to communicate with their members, shutting down Hive’s operation and their ability to attack and extort any more victims.
That’s a huge success story—and a testament to the power of partnerships, across the private and public sectors, and around the world.
FISA 702 Reauthorization
But information we receive from our partners is only one piece of the puzzle.
We also rely on our authorities under the Foreign Intelligence Surveillance Act, or FISA—and specifically under FISA Section 702.
It’s up for reauthorization by Congress at the end of the year, and it’s been in the news a lot lately, so you may already have heard this.
But Section 702 gives members of the Intelligence Community like us the authority to collect communications of foreign adversaries operating outside the U.S.
Let me be clear: Not Americans—foreign targets.
And Section 702 is critical to our ability to obtain and action cyber intelligence.
With 702, we can connect the dots between foreign threats and targets here in the U.S., searching information already lawfully within the government’s holdings, so we can notify victims who might not even know they’ve been compromised, maybe warn them before they get hit.
You might be surprised to hear that malicious cyber actors have accounted for over half of our Section 702 targeting.
And, in the first half of this year, 97% of our raw technical reporting on cyber actors came from Section 702.
That’s intelligence we can action through threat alerts and defensive briefings—intelligence we use to help cyber victims.
Because of 702, we verified the identity of the hacker responsible for the ransomware attack on Colonial Pipeline in 2021 and recovered most of the $4.4 million ransom Colonial paid.
Because of 702, we saved a U.S. nonprofit from an Iranian ransomware attack last year and recovered their stolen information—so they didn’t have to pay a ransom at all.
And because of 702, we identified intrusion efforts by Chinese hackers against a transportation hub in the U.S., preventing the loss of millions—possibly billions—of dollars, avoiding transit disruptions, and most importantly, keeping the American public safe.
The intelligence we obtain through our 702 authorities is absolutely vital to safeguarding the American public and American businesses.
And I’m not a guy who’s prone to overstatement, so when I say that it’s vital—not important, not helpful, but vital—know that I mean it.
Conclusion
For 115 years—today, actually, is the FBI’s birthday—the Bureau has been charged with protecting the American people and upholding the Constitution.
And the men and women of the FBI work tirelessly every day to fulfill that mission.
But we couldn’t do it without partners like you.
So, I want to thank you again for making the time to join us today.
And I want you to know how grateful we are for your commitment to collaboration and cooperation as we work together to keep the country safe.
We’re honored to call you our partners.
Thank you.