All right. Hello, everybody. How are we doing? I like that. That's actually good energy for, like, an afternoon in the dark in February. So thank you. Hi, I'm Becca. You see your programs. I'm the Director of Community for the Berkman Klein Center here at Harvard University. We're really grateful that you're here to join us.

We want to start by acknowledging that Harvard is located on the traditional ancestral land of the Massachusett, the original inhabitants of what is now known as Boston and Cambridge. We pay respect to the people of the Massachusett tribe, past and present, and honor the land itself, which remains sacred to the Massachusett people.

And I'm pleased to introduce you to our speakers. We have Bryan Vorndran and Alan Raul, who are speaking to us today about the Federal Bureau of Investigation's Cyber Division, their strategy, and we'll walk through case studies. This is the fifth in a series of events sponsored by the ORC Fund for the Colloquium on Cybersecurity and Cyber Law.

Okay, bios. Bryan Vorndran was named Assistant Director of the Federal Bureau of Investigation's Cyber Division in March 2021, having most recently served as the Special Agent in Charge of the New Orleans field office. He joined the FBI as a special agent in 2003. In 2008, he was part of the International Contract Corruption Task Force in Afghanistan. He was promoted to supervisory special agent in 2009 and was assigned to the Counterterrorism Division at headquarters. He was promoted to unit chief in 2012. In 2013, he led the Washington field office's Joint Terrorism Task Force. He was promoted to Assistant Special Agent in Charge of the cyber and counterintelligence programs at the Baltimore field office in 2016. The next year, he was promoted to chief of the Strategic Operations Section of the Counterterrorism Division at headquarters.
He was named Deputy Assistant Director of the Criminal Investigative Division in 2018 and is an adjunct professor at the Johns Hopkins School of Advanced International Studies. Alan Raul serves as a lecturer in law at Harvard Law School here. He's the founder of Sidley's highly ranked global privacy and cybersecurity practice and is a member of the firm's top-ranked crisis management and strategic response team. He represents companies on U.S. and international privacy, cybersecurity, artificial intelligence and technology issues. He's represented a number of leading technology and internet companies whose devices, software or users have been exploited by state-sponsored threat actors, which typically involves extensive coordination with U.S. and international law enforcement, cybersecurity and regulatory agencies and intelligence services. So you guys know a lot about what you're talking about. We're so grateful that you're here with us and that we'll learn with you tonight.

To our virtual attendees in the ceiling, hello. Please note that this event is being recorded, but you as audience members will not be seen. And finally, we strive to create inclusive, accessible events here at the Berkman Klein Center. For any questions, comments, concerns or ideas for future gatherings, please contact events@cyber.harvard.edu. Your feedback is critical to our success, and we really welcome any engaged, thoughtful feedback that you have, so share it with us. With that, thank you again for joining us today, and let me hand over the floor.

I'll take it momentarily. Thank you for the introduction. Thank you all for joining in person, and those of you virtually, at the Berkman Klein Center. Thanks for hosting this event, this very timely event on challenges that the FBI is facing and fixing in many cases. And we're going to hear about that in line with the introduction that we just provided.
I've had the privilege to engage in, what was it, the extensive coordination and interaction with law enforcement, and in the person of one assistant director, Bryan Vorndran, sitting to my left. And as I said, we had a chance to discuss with my class on cybersecurity before the success that the private sector very often has in working with the Federal Bureau of Investigation in cyber investigations, where the companies and organizations that find themselves on the wrong side of a cyber threat actor engage with the FBI. Not in the same context: you were talking a little bit to the class of law students about how the FBI is not a regulatory agency; it's a law enforcement agency and also part of the intelligence community, and it treats the victims of cyber attacks, in fact, as victims, not as perpetrators. The FBI leaves that to other agencies in the federal government to provide that treatment to companies that, again, have the sorrow of being the victim of a cyber attack. So it really is an honor, certainly for me personally and for Harvard broadly, to have the cyber lead at the FBI join us today, especially at a time when there's so much going on that the FBI and the U.S. government are involved in fending off and taking down cyber attacks against U.S. interests. So with that, I'll turn it over to Assistant Director Vorndran. He has some slides, then I'll probably ask a question or two and open it up to questions from the in-person audience. Sadly, we're not logistically able to take questions from the virtual audience, but I trust that there'll be lots of questions here. So with that, I'll turn it over to Assistant Director Vorndran for slides and then move on.

Good evening, everyone. I'm going to stand. I'm going to power through some slides so we can get to the Q&A. Director Christopher Wray testified yesterday in an open hearing in front of the House Select Committee on the Chinese Communist Party. And if anyone had the opportunity to listen to that testimony, it's very, very well done.
It's a very accurate depiction of the current threat environment we face with China specifically. I'll be more broad than that. My goal tonight, on the foundational side, is really to walk you through the authorities that underpin how we do our work and then walk through some case examples.

Just really briefly, we're spread throughout the United States. We have 300 offices. We obviously have a deep international portfolio as well; we're in about 70 countries worldwide. We have dedicated cyber capability in 16 countries, with a growth plan to get to 22 by the end of calendar year 2024. I just share that because I think it's important to understand where we fit domestically and internationally.

So I just want to really briefly go through the interagency. The interagency within the U.S. government and the intelligence community, when it comes to cyber, is complicated, but when you distill it down and understand the policies and authorities that define each of our missions, it's actually very clearly defined. So, in no particular order: CIA is obviously the foreign intelligence arm of the U.S. government. CISA has responsibility for net defense here in the United States, so essentially producing, providing and sharing intelligence and best practices to raise the net defense capability of all public and private sector organizations in the United States. NSA, I think, speaks for itself. The National Security Council has a very, very active role in the cyber ecosystem within the U.S. government because of the interplay with the diplomatic channels that the U.S. government finds itself in. OFAC is the sanctions entity. The U.S. Secret Service traditionally works financial crimes; they touch into the cyber ecosystem a little bit with traditional investigations. And then our role: I just put our mission statement, which is derived from our strategy.
It's essentially to work with public and private sector partners, both domestically and globally, to design strategic disruption plans to impose costs on our adversaries. We'll talk about the forms that that takes here briefly.

Okay, I want to go into this. This is really important. I'm not trying to be a policy wonk here, but I think this is really, really, really important. Okay, the FBI's authorities, what actually allows us to legally do the work that we do, this is what the slide speaks to. We have broad Title 18 investigative authority. That matters because Section 1030 of the U.S. Code, in the legal world, talks about unauthorized access to a computer network, computer systems, right? That's where we reside in the FBI cyber program. Almost every one of our cases is focused on that criminal activity. Rule 41 search and seizure becomes really, really important, and we'll touch on a case about this later in the conversation. Rule 41 has a very important clause in it that says the FBI can seize, quote unquote, instrumentalities of a crime. When we think about that, we think about it in terms of the physical world. So we would say, of course, the FBI can seize a weapon that was used to commit a crime. But we would also articulate that malware surreptitiously installed by the Chinese on U.S. infrastructure is an instrumentality of a crime, and therefore we can seize that as well. And we'll provide an example of that. We have broad counterintelligence authorities that basically say any time a nation-state adversary targets a U.S. organization, the FBI has a role in that. Broad domestic intelligence authorities, shown in the presence of Executive Order 12333 and Title 50 post-9/11. Broad Title I, Title III FISA, which essentially says we can conduct search and surveillance of foreign persons here in the United States that are tied to a nation state.
And then FISA 702, which says if we can prove, to a probable cause standard, that an individual is not located in the United States, we can collect on them under 702. One really important note on that. If an individual is not based in the United States and does not have constitutional protections here, but is using U.S. communication infrastructure to facilitate activity, we can collect on that, you know, on the U.S. infrastructure.

Okay, how do we approach doing our work in the FBI from a cyber perspective? We distilled it down into these four key pillars, right? One, we will always play the long game of traditional rule of law, right? We will always try to take players off the field through traditional prosecutions. That's in our DNA. It's something we'll always pursue. But we're also under no illusions that we're going to indict and arrest our way out of a global problem. It's not going to happen. But I think the American people should reasonably expect that we will always keep our eye downrange to understand what we can do through our traditional law enforcement authorities. Secondly, we need to leverage our domestic intelligence collection to inform the private sector, to inform the public sector, to inform our domestic and international partners about, in my world, how the cyber threat is presenting itself here in the United States. That is an authority given to us post-9/11 that is extremely, extremely important for us to fulfill from a mission perspective. It's something we take very, very personally and very professionally. Number three is pressure the threat. We need to initiate joint sequenced operations with public and private sector partners, both domestically and globally, to impose costs on our adversaries. I describe it as anything from a small speed bump to a high hurdle that causes the adversary friction, causes the adversary to slow down, causes the adversary to move off infrastructure. Lastly, victim engagement. We are, and I believe this to be true, a victim-centered organization, and our commitment to victims is very, very personal to us. A victim of a cyber crime remains a victim. We will treat those individuals that way. We don't share their information outside the FBI, and we treat them that way. The reason that is so important is because the victims of cyber crime possess really critical intelligence that allows us to do our jobs better, so enabling that sharing of critical intelligence from a victim to the FBI is a very, very important part of the value proposition that we try to hit every day.

Okay, I'm going to go into a little bit of a different presentation than I usually give. I'm just going to go through the ransomware ecosystem here really quickly because I think, especially for this audience, they actually find it quite interesting. So the gig economy, right? Shared access, right? So we know it in terms of DoorDash, Uber, Grubhub, where you have car A, car B, car C that are running on those apps, right? The driver's going to use the app that probably is most reliable and makes them the most money. When we look at the ransomware ecosystem, it is identical, okay? You have your affiliates, your actors or teams along the bottom, that are essentially equivalent to the cars in the previous slide. They're going to use the different ransomware variants that are most reliable, that are most effective and that make them the most money. It's a shared economy model. We go a little bit deeper and look at the comparison. If you look at Uber's model of the app and the leadership of Uber, how the app ties into the platform, how the car ties into the transportation provider in terms of who owns, who drives, the navigator, et cetera, it's almost identical to the business model of ransomware, right? You have the Hive ransomware variant.
There are leaders and developers of that variant and that malware. You have the panel, the payload, the leak site that is tied to the platform, and you have the affiliate, where the team is tied to the team leader, open source intelligence, et cetera. The models are almost identical. When we look at the affiliate model of ransomware, the key developers of each ransomware variant essentially take a 20% cut, okay? So they sit in a cordoned-off, kind of royalties environment where they develop the malware, they make it available for affiliates to use and deploy, they manage the communications with the victims, but they remain cordoned off and they take a 20% cut, essentially, of the ransomware payment that comes through. The affiliate or the affiliate team will take 80% of the ransom that's paid. You have an affiliate team model, which is on the right side of the screen. Look at the specifics of the breakdown. The team leader of that team is going to get a 30% cut. The payload deployer is going to get a 20% cut. The pen testers, et cetera. The point is, it is a very, very, very sophisticated business model that is run by very capable adversaries in the criminal space. It's actually a fascinating business study for those who may be tied to the business school.

So what do we do? Our approach is really four pillars, right? How do we target this? We target it through malware and delivery. We target it through the infrastructure. We target the communications, and we target the financials, right? Those are the four pillars that we believe we have to attack whenever we're looking at an adversary to impose costs. Not in every operational outcome are we able to impact every one of those four, but our goal is always to impact every one of those four.

So let's look at Hive. Hive was a very, very prolific ransomware variant in 2022. It started primarily by targeting the healthcare industry.
It's a traditional ransomware-as-a-service model where you have key developers, core developers, with safety and status in Russia undoubtedly, and you have an admin and affiliate model where you have an 80/20 financial split: 80% of the proceeds are going to the affiliates, 20% are going to the leadership. The first victim that we actually knew of in the FBI was in July of 2021, and the case was run by our FBI Tampa field office because of the location of the first victim. So in July 2022, we actually were able to manufacture back-end access through the API and actually pull the decryption keys for every victim. So what that means is, when there's a ransomware attack, there are really two levels of extortion, right? You'll have an exfiltration of data, and the adversary will hold that data to threaten the spilling of that data on the public internet, which forces a payment. The second extortion arm is an encryption event, where the adversary will encrypt as many systems as it can in an organization. So we were able to basically manufacture back-end access to get the decryption keys so that we could share the decryption keys with victims, so they didn't have to pay for that second leg of the extortion. That's usually the biggest payment portion for a victim. So what were we able to see? Obviously we were able to extract decryption keys. We were able to identify victims in process, which is hugely powerful for us and for victims. We were able to identify malware hashes, which allowed us to look at how we can defeat the malware, and a bunch of other intelligence that really helped us. So because of the ability to pull those decryption keys, we essentially saved victims about $130 million over seven months in ransomware payments. And when I talk about being victim-centered, these are good days for us, right?
There is nothing more important that we do in our organization than helping victims in need, whether that's a victim of a violent crime or of cyber crime, it doesn't matter. That's why all of us joined; that's why all of us are there. So to be able to provide 1,100 decryption keys and relieve $130 million in potential extortion payments, that's a good day for us. These charts get a little bit confusing, but we estimate that the profits that Hive made before we were able to decrypt their encryption events were about $110 million. That's a lot of money, right? That is a lot of money from a criminal conspiracy perspective.

So, you know, I'm not going to go into all the details. I think one thing I would like to touch on is this. CIRCIA is essentially a new law coming into effect, probably May of 2025 or so, which forces critical infrastructure to report to the U.S. government when they suffer a material cyber intrusion. The reason that's so important is because there's massive under-reporting of cyber crime to the U.S. government, which impacts our ability to have a common operating picture of what is actually happening in the victim space in the United States. Here's probably the most concerning part, though. Only 50% of Hive's U.S. victims were critical infrastructure. So we're going to move, with CIRCIA, from 25% to 50%. We're still going to have a gap, right, in terms of reporting that is mandated, which improves our common operating picture, but it's not going to get us to where we need to be. That's just an evolution that we as a society are going to have to continue to go through, especially more.

This is just a real brief heat map of Hive victims. 48 states in the United States have victims in it, and 88 different countries. The most targeted critical infrastructure sectors are healthcare, IT, government, commercial, critical manufacturing. Great case. This is what we love doing.
All of our operational outcomes, our victim relief, are based on and a result of really good investigative work. I think sometimes we lose sight of how did this actually happen? This happened by people grinding it out, by doing core investigative work in our Orlando resident agency in the Tampa field office. We continued to find opportunities, which led to the back-end access, which led to the operational outcomes. It's a really, really good example of how we approach the infrastructure to take those.

Okay, Genesis Marketplace. Genesis Marketplace, at the start of 2023, was the largest criminal marketplace on the internet. It operated on both the open net, the internet, as well as the dark web. It's an illicit marketplace that essentially provided accounts, passwords, cookies and digital fingerprints, which I'll explain here in a minute. It also was critical in providing initial access for onward ransomware attacks, and I'll give you an example here in a minute. Proprietary software, exceptionally well designed by the adversary. And for the first time, we saw U.S.-based users at scale. And so in probably April or May of this year, internally, our conversation shifted from "this is a non-U.S. problem" to "the problem is now starting to be present, not necessarily based, but present in the United States." And that has undoubtedly continued for the rest of '23 and into '24.

Okay, for those of you who use automatic password storing on your computer, where it defaults your username and your password, which I assume everybody in here probably does, this is what could happen. Okay, this is one example of a computer that was compromised by what we call the stealer malware of Genesis. And through compromising the computer in the upper left, it gave the actors access to all these stored usernames and passwords for every account that this individual used on their computer. Okay.
And so it's a really, really important example about what happens if your personal computer actually gets compromised and what can be done with the browser history. Right. So just take some time, when you have some time, to think about how you want to mitigate that, because it is a legitimate risk to all of us. Now on here, you see examples like Sony Entertainment, Amazon, Google, and you may say, hey, that's not that big of a deal in terms of vulnerabilities to me as an individual. Well, what happens when I'm logging into FBI accounts from my personal computer and stealer malware takes my browser history and takes my credentials for my FBI account or for my Johns Hopkins account? Then that gives the adversary an immediate way in through legitimate credentials to start to escalate privileges, to gain persistence. And that's what happened with Genesis at scale. So this is an example of EA Games. Anybody who's in the gaming world knows FIFA, you know, these games. EA is behind those games and has a long history. For $10, some adversaries bought credentials off of Genesis Marketplace that gave them access to the EA Slack channels, that allowed them to manipulate access to EA, which allowed them to steal all the A's and all that. That's how easy it can be. The end users, right: legitimate hackers, drug networks, and then script kiddies. Script kiddies, in our world, means somebody that doesn't really have the skills to write their own malware code, so they steal it or leverage somebody else to write it for them. So you have these three types of actors using Genesis. I was joking before I got in here: some of the best parts about working with the FBI is how we name our operational takedowns. So this one was Operation Cookie Monster. Obviously a play on cookies and the derivative ties to your browser history. So we had three objectives when we targeted Genesis, right?
Pillar one: identify, target and arrest Genesis administrators. Pillar two: identify, target and arrest Genesis users and seize cryptocurrency, both domestically and globally. In the FBI we say CONUS and OCONUS, continental United States and outside the continental United States. And pillar three: seize infrastructure. We were largely very successful on pillars two and three, with this disruption that essentially forced Genesis administrators to completely walk away from their infrastructure.

Let's just talk briefly about Hafnium. Hafnium is a China-based group that operates at the direction and command and control of the Chinese government. And so this is my example of the value of Rule 41 to protect U.S. infrastructure. And so we'll walk through it. So in December of 2020, there were three vulnerabilities found in Microsoft Exchange. January 2nd, January 6th, Microsoft essentially releases public disseminations about the presence of those vulnerabilities. And they ultimately, on March 3rd, issued patching and remediation guidance for those vulnerabilities. On March 10th, the FBI, with CISA, which is part of DHS, releases a cybersecurity advisory to amplify the remediation and patch guidance from Microsoft. We in the FBI have a preference to move from least intrusive to most intrusive techniques, and I'll explain what that means here. But we have to be loyal to our mission to deal with the adversary and completely neutralize their ability to impact the United States. And so our North Star is always mission-focused: neutralize the adversary's capability to do harm. Within that, our preference is always to move from least intrusive to most intrusive, but least intrusive to most intrusive isn't always an option. In this case it was. We issue the cybersecurity advisory, then we go into mass victim notification, and I don't want to get too mired down in details here.
We don't necessarily see intelligence that says this computer at this location was compromised by the Chinese. What we see is an ISP-level piece of intelligence, and we have to dig into that through grand jury subpoena after grand jury subpoena to get to the end-user level, right? That could take weeks, right? That's not an exaggeration, because there may be five, six, seven rounds of grand jury subpoenas. It brings into this the element of time. So when these vulnerabilities were identified, the Chinese essentially scanned the internet and dropped 10,000 PowerShells on U.S. servers and U.S. networks. The PowerShell gives them remote back-end access to gain persistence in any place there's a PowerShell, right? That's what it does. So the cybersecurity advisory is issued on March 10th. We do massive amounts of victim notifications. And within those two constructs, we have not done anything overly intrusive, right? We've notified the public through the cybersecurity advisory. We've done victim notification. We're able to reduce the attack surface by 94%, okay? So the question comes: with 700, 800 networks and servers still having Chinese PowerShells on them, is that a big enough attack surface for the Chinese to do damage to people in the United States? Our answer to that question is going to be yes, right? And if we have a legal way to deal with that, we're going to neutralize the attack surface. We're going to do that as long as we can do it within the Constitution. And in this case, we swore out a warrant in the Southern District of Texas that allowed us to essentially go in with precision code and delete the malware that the Chinese installed, to break the communication with the command and control back to the Chinese. Technically, we actually copied it first for evidentiary purposes. And then we deleted it, and the removal of that malware broke the communication back to the Chinese. So I'll just reflect back to Rule 41, when I said instrumentalities of a crime.
Would we all agree that malware installed on U.S. infrastructure surreptitiously by the Chinese, by the Russians or someone else is an instrumentality of a crime? I think all reasonable minds would say it's an instrumentality of a crime. When we do this work, right, it's through traditional probable cause. So there's an affidavit, that any of you can go read, right, that underpins the establishment of probable cause to give us the ability to do that search and seizure on that infrastructure.

And then I was just asked to touch briefly on the Securities and Exchange Commission. The SEC published a new rule that went into effect just within the last couple of months. That requires SEC-regulated entities, which is essentially any publicly traded company here in the United States, to report a material cyber intrusion to the SEC, for transparency purposes to shareholders. As part of that, there's a law enforcement national security, sorry, a law enforcement public safety delay provision, where those regulated companies who become victims, if they want to delay notification, can engage with the FBI to essentially do an equities check to see if it meets certain criteria. Anybody that wants additional information on that, or may work for or have a relationship with any publicly traded company, there's a website at fbi.gov/sec which spells all this out. There's now an intake form which allows users to pretty simply answer about eight different questions. We take that, we square it with the interagency from an equities perspective, and see if it meets certain criteria. The criteria that would be most relevant is this: if you suffer a compromise and there is an unpatched zero-day vulnerability that exists as a result of that compromise, obviously amplifying the presence of that cyber intrusion when no one else has closed the zero-day vulnerability is a big public safety issue for many of us in the United States. Those are the types of things that are evaluated.
So I think that brings me to the end, and I'll pause there, get a drink and take some questions.

Terrific. Well, thank you. Fascinating and frightening at the same time, although you have a lot of success, so it's also exciting to hear about the different successes you've had in bringing down the ransomware networks like Hive. I'm really interested in the business model that you described. I don't know if there are any business school students here, but how do these criminals, there's the kind of old axiom that there's no honor among thieves. How do they actually get together and split the profits, and what sorts of insights do you and the FBI have about all of those machinations?

So the traditional business model would be that your experts that are coding the malware generally are going to have safety and status physically, or be cordoned off from the rest of their ecosystem so that their identity is protected. And so from there, they publish malware, and a lot of these affiliates that deploy the malware are always interested in the most effective and the highest return on investment financially. And those affiliates earn their own reputations, no different than many of us would in different social media applications, and they become trusted. But when you look at the engagements with the victims, when you have a successful encryption event or a successful data exfiltration event, all the communications with the victim, even though it's happening with a different affiliate, are still flowing back through the centralized database for the malware developers. So they're able to see the actual negotiations in real time and what the financial payment agreement is. And the payment comes to them first, and then they cut off 80% for the affiliate. So it's a very sophisticated model, a lot of credibility in terms of capabilities, in terms of the malware developer ecosystem, but also the affiliate.

Sort of trust but verify. Sure.
You mentioned all the different agencies you had on one slide, you know, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, CIA, Secret Service. This is kind of a very basic question, but do you have a coordination council? Is there a kind of a body that convenes with some regularity and formality, or is it just ad hoc, case by case?

It's more ad hoc, case by case, but not in a disunified way. We have extremely mature relationships at the personal and organizational level with all those agencies and their personnel. So, for example, if there's a critical infrastructure compromise, think an airport, we will almost always engage that entity together with CISA. If there is a global disruption of a botnet to take down, we will work on that with Cyber Command, because we would traditionally have the domestic element of the disruption, and Cyber Command the foreign element. Cyber Command is part of NSA. It's not a big DOD construct, but it's technically separate. And so we have very, very mature relationships, ongoing dialogue about strategic intent. So that's how it works.

You spoke, on the slide on legal authorities that you operate under, one of them is Section 702 under the Foreign Intelligence Surveillance Act. You mentioned how it allows access to foreign communications passing through U.S. networks. That is rather well known these days for lots of reasons, including its reauthorization status. Director Wray and others have spoken about how 702 is essential to U.S. national security and intelligence operations, but in particular for cyber, what is the cyber dimension, that is to say, for cybersecurity investigations and disruptions? How does the 702 data factor in?

So I just want to be really careful here, because we're all under very strict guidelines about what we can and can't say on 702. I would just say this. It is the most agile and effective tool we have in the intelligence community at large. And so that's not an FBI-specific statement.
It is truly an irreplaceable tool in the intelligence community. And then I think, was it extended? I think maybe it was extended briefly, but we'll come up again. It would have sunset in just the end of last year. There was some consensus extension, and it is still not definitively reauthorized, is my understanding. The director spoke, you mentioned the House Committee on the Chinese Communist Party on Volt Typhoon. That was another success that was, I think, formally announced, I believe, just yesterday. What was the nature of that? What threat did the U.S. face from that? So Microsoft started publishing on Volt Typhoon in about mid-2023, and China's successful intent to compromise U.S. critical infrastructure here and to gain consistent footholds in that critical infrastructure. And so the conversation yesterday on Capitol Hill with the director and General Nakasone and Director Easterly and others was about the persistence of the Chinese threat targeted in critical infrastructure to essentially gain more and more persistence to impact our critical infrastructure. We had a role as detailed in the disruption announcement in terms of dealing with one of the optimization networks under Rule 41, as we just described. It's tremendous work by our team. We're very, very proud of it, but the reality is there's a lot more to do. I know that, we've talked a little bit about this with the cybersecurity class, but for other take-downs, one of the experiences that I've had is that not that I'm in a position to evaluate it, but the technologists and companies that I work with have been just supremely impressed with the technical capabilities of many of your colleagues at the FBI and public may not understand that you have this technical capability that is critical to a lot of the successful take-downs, disruption activities. Where do they come from? I mean, do they go through the same training? 
I'm just saying, I've been with the FBI for over 20 years, which is hard for me to believe at this point, but most of us in my era joined post-9/11 because of 9/11, and I think many of us believe that the reason we all applied is because of the mission, which is true. It's a phenomenal mission, and the mission causes you to stay, but the people are just wonderful, and the people are what keep all of us there and happy, and I think our retention rate is somewhere near 99.7%, which is extremely high, but I think we're really proud of that, and we're really proud of the people that we have to work with, and the technical skills that you're describing, I think they're true. They just happen to be some of our talent that we have throughout the organization. I'm going to open it up in the room after just a question about coordination. You talked about the domestic agencies with which you collaborate. Does that work pretty smoothly with counterparts, and who are the counterparts that you work with? We have tremendous relationships globally. I mean, none of the countries that I would list here are going to surprise anyone. We have tremendous working relationships with the Five Eyes and with some of the traditional strong cyber capabilities, the Dutch, the Germans, Poles, etc. We have tremendous working relationships. They're tremendously capable partners as well, and fostering and maturing those relationships against the global threat is just supreme. Okay, let's have you wait for the microphone. Hi, I have a question about the Bureau's case assignment model. I understand cases are assigned based off of where malware is first detected, but the different RAs and field offices will have different levels of or different amounts of technical staff, different amounts of computer scientists, you know, familiarity with filling out requests for FISA warrants. 
I'm curious if there have been any discussions about adjusting the case assignment model in the cyber domain so that, you know, the smaller RAs don't feel pitted against nation state adversaries. All right, you obviously know something. What I would say is that some of what you said is true, but I want to, of course, correct a few things. Assignments of cases on the criminal side are varied about how they actually sync with the field office. Sometimes it's based off of first victim, which deals with the venue issue from a prosecutor perspective, which becomes an important derivative conversation. Sometimes it's that we see that the business model of a new variant is tied to a previously known ransomware gang that ran on a variant under a different brand and wanting to couple that together whether there's expertise over these rights. What we've learned in terms of assignments is this, that we need scalability, right? So, for example, the most prolific ransomware variant right now is LockBit 3.0. LockBit 3.0 is run by the FBI Newark field office. If we had that assigned, let's use my previous background, a lot of the people in New Orleans. If we had that case assigned to the FBI New Orleans division, there's no way they have staff in terms of volume to deal with that size of the case. So, some of this becomes a scale issue. In terms of the comment about pitted against each other, I would need to talk to you more about what that means. I think that we are trying to grow capacity and capability in real time, and that remains a goal of mine and of the Bureau at large. So, I'd be interested to know a little bit more about that. Oh, my apologies. I meant pitted against nation state adversaries as a smaller office. 
Yeah, well, again, I would need to know the exact example, but what we're trying to do is on the nation-state side, we have a very specific model that couples different size field offices to work together to bring a force multiplier effect to the nation-state. I think we have made some internal tweaks to that model recently to gain efficiencies, but like everything, nothing is going to be perfect organizationally, and it's just an evolution for us. I think the best number I can give you is this. It's, you know, Director Wray in his testimony yesterday said just for China, right? Best case scenario, we're outnumbered 50 to 1. Best case scenario, that's not an FBI statement, that's a broader statement. And so, when you look at that, it's just a scale issue for all of us. Thank you so much. Thanks for being here. Sure. You mentioned that retention is 99 plus percent across the FBI. I'm wondering what it is specifically in the cyber division. So, it's a great question. So, the number for our cyber personnel is smaller than the 99.7 percent, but it's not a significant drop. I don't know the exact numbers. I don't want to say it publicly because I don't know. But where we have retention problems, we almost have no ability to compete. So, for example, we've lost people because some of the big strategic have come to them and said, what do you want, including salary? What do you want in terms of benefits? What do you want in terms of work-life balance in terms of work from home? Which, you know, offering work from home in a classified environment is very, very challenging, right? We're never going to compete with that and we're not going to try to compete with that. We're going to try to compete on mission. We're going to try to compete on the FBI experience as an employee and you have a well rounded out career. And so, we're dealing with high pay scenarios where we just try to compete. 
I mean, the factors are two and a half, three x different, right? But, you know, we're doing pretty well, to be honest with you. I think where we're having challenges is bringing people into the organization and cyber because it's so difficult to attract that talent initially at a young age for a lower salary than if you get some benefits. So, once we're getting people in, they're fairly successful, but sometimes getting people in proves to be a challenge. Do you provide training? I mean, in other words, do you grow in that capability organically? Absolutely. Does that help? Yeah. Hi. Yeah, you clearly had some amazing successes. I guess my question is, what's on your wish list? If you could, you know, wave a magic wand and get what you wanted to improve your capabilities of responding to cyber risks, what would it be? Would it be resources? Would it be the policy environment? Would it be international cooperation? Like, what would be the places that you would be pushing most for improvement? For me, the number one great advocate is liability and privilege protection to engage with victims. And so, that CIRCIA, which is the critical infrastructure reporting requirement that's been published that will become law in roughly a year and a half, that gives liability and privilege protection for victims to engage with certain other government agencies, but not the FBI. And I think that's really, that's just, it's not even an FBI statement. If we want victims to come forward, we should give them broad liability and privilege protections period to engage with the U.S. government. Right now that doesn't exist. And I think that is a no-cost option that is legislatively challenging, right? But it's a $0 solution that would have an outsized impact. Thank you very much for your time today. Can you talk a little bit about the dynamic in the Bureau, specifically in the cyber division of the, I'd say, like competing incentives for law enforcement and counter-intel? 
It seems like one is going to be short term, one might be long term. And where do you think that's going to go in the future? I'm not sure I understand your phrasing there. Well, from the slides, it seems like the Bureau has made like a pretty significant shift away from like name and shame and kind of the indictment approach to combating strategic cyber threats. Do you imagine that that's going to stay the same? It seems like from the slides, it's more like a strategic counter-intel. I don't want to say like shift, but kind of the emphasis. Do you think that's going to continue to stay that way? So I think, so two answers, right? I think it's going to stay that way because the interagency and when I talk about the interagency and really talking about those of us with operational authorities, right, to those costs have really rallied around the imposition of cost model, right? And so when we talk about how we degrade adversaries, we're all coalesced around that language, which is directly derivative of our strategy, NSA strategy, cyber command strategy. And so I don't think that's going to change. It's becoming more and more and more solid over time. And the relationships are maturing in a way that's fair with where we are in time. Like three years from now, we'll be better with our interagency partners and they'll be better with our assembly right now. That's not because none of us are trying. It's just the evolution of organizations. Where I think there's going to be a shift is you're going to see more and more presence of cyber-capable actors here in the United States. And I think that is going to bring back into focus our traditional rule of law enforcement approach. That will be coupled with that, but be still derivative of all of our investigative work. Okay, well, people are thinking of other questions. Let me follow up on one of your responses about the wish list, which is to facilitate interaction with the private sector. 
One of the very prominent areas of public communication from the FBI, from the Cybersecurity and Infrastructure Security Agency, is public-private cooperation and collaboration. You were featured in the Wall Street Journal, along with your boss, the director of the FBI, on this question and you talked about the level of interaction and the quality of those interactions. I think you maybe described it as providing Ritz-level interaction in that Wall Street Journal article, good picture, by the way. And one of the points that the FBI mentions, you mentioned, is that the companies that fall victim to cyber attacks are, in fact, victims and deserve to be treated with respect for the information that they share. How does that, I know that you mentioned that the privilege, the liability for sharing privilege of a possible waiver or diminution of the confidentiality of the information. How do you deal with that in terms of making the private sector that you need to collaborate with feel comfortable in working with you and letting you be useful to them and, again, helping your mission? Generally when I talk in groups like this, I talk a lot about the before intrusion phase, right over the relationship. And, you know, those relationships have to be familiar between an organization and the FBI at the human main level, not at a rival, not a squad level, but a person level. And they have to be built on trust, primarily through expectation sharing and then bilateral sharing of intelligence before intrusion, so that everyone understands how do you want the FBI to engage with you when intrusion happens? What is the FBI going to ask for? Is it a company or an organization actually willing to provide that? Many are not and we understand that there is no statutory obligation. And so it just becomes this trust based relationship conversation that starts long, long, long before the intrusion actually happens. 
And we still have organizations that engage us during an intrusion and they say, hey, we're ready for the FBI to come in and remediate all our systems. The FBI has never done that. We're never going to do that. We don't have the capability to do that. And there's a multi-billion dollar industry built around doing that. And so that's just an example of where the proper conversations haven't been had about expectations on all sides. So some simple questions, you know, if there's an intrusion, who do you want the FBI to engage with? Do you want it to be in person? Do you want it to be on the phone? Do you want it to be through another medium? Do you want it to be set up at the request of the FBI or at a timeline that you're okay with as an organization? Like all these questions and these conversations lead to comfort and trust. So that's how we start. What are they doing? Another question? So we have some questions from those in the ceiling, our remote viewers. May I ask two? I mean, I have two of all of them. There's a bunch of good ones. The first is, can you talk about the implications or differences related to protecting software as a service versus platform as a service versus traditional infrastructure and how that changes your approach? So that's one question. And then the second question is, do you ever release your tools for researchers? I think that's a good way to run this. I'm thinking about how the academic community might be in dialogue with you. Are there things that we might, we as academic communities might have access to, especially for the question answer related to malware and analyzing malware? Sure. We take the first one first. Take a little different spin on it because I think it may be more relevant. We don't see software as a service, platform as a service, third-party application. We see them all as types of supply chain risks because of the updated processes. And so the example I use is this. 
We often talk in whether it's the academic environment, whether it's corporate America about competitors. And I think the better term when it comes to cyber is peers. And so what third-party applications are your peers using? That if an adversary knew that this group of peer companies or peer procedures academic universities were using, that if they compromise that they would have an outsize impact because they could compromise all the peers using that third-party application. It's a really, really healthy conversation for many, many different people and one that I find isn't had enough. In terms of sharing tools, we don't share tools, but we do share malware executables when we get our hands on them. And so there's a host of reasons we do that, to inform the research community, to inform those writing patches and code, to protect against those. And we share that fairly, I don't want to say narrowly. We share that pretty broadly with those in that ecosystem. And so that was true in 2023 on at least three occasions that I know. It's okay. Technology. I have one final question for me if I could. I know we still have a couple minutes. What advice do you have for students who might be looking to engage with this work at any level? Are there things to look out for and be worried about ethical concerns that you might have as you engage with this work? Things that you wish you knew when, when you started for the students in this room and outside this room who might be watching? Do you have any words of wisdom? I would just say there is obviously heavily, heavily reported research on the gap in cybersecurity and cyber operational positions that exist in America, not necessarily in the government. And the number of people who are qualified or interested in doing that, that gap is even more necessary. And there is a growing need for that as we go into the generative AI space and the broader ML space. 
Many of those same academic programs apply to those individuals. What I would say to your core question is this. The Cyber Safety Review Board is in its third iteration. It was a board set up in 2021. I have a role in that board with all of my colleagues in the federal government and the big agencies as well as many in the private sector. And the first study was the Log4j, Log4Shell vulnerability, which was a massive Apache vulnerability and open floating environment, a very, very difficult vulnerability patch because, you know, it's scripted throughout entire operating systems. One of the findings that I think is most interesting in that report is that there are no academic standards for secure coding in the United States. And so when you equate that to either civil engineering degree, imagine the day where we said there are no safety standards for civil engineers to build bridges, right? That's the analogy, right? We would be like, that's ridiculous. Well, there are no standards within the academic system in the United States for secure coding. And that's probably something that needs attention as we do secure by design work over the next decade. And something that I think I would encourage all of you to be part of that solution. Where do you think that solution comes from? Well, I think that that's a big and important order for many of us to take up in our work. I want to thank you both so much for joining us tonight, for sharing so much, and thank you all for coming. Those in the room, those in the ceiling, those in the future, thank you all again.