2022-01-13
MR. SHERIDAN: Good morning. Thank you for having me.
MS. NAKASHIMA: So, Assistant Director, the Secret Service is over 150 years old. It's older than the FBI, which is a mere youngster at about 113 years old. Tell me, in cyber, how does your investigative mission differ from that of the bureau, briefly?
MR. SHERIDAN: Yeah, well, we were founded on an investigative mission to combat counterfeit currency. As the threat to our nation's financial infrastructure has grown into the cyber realm, we have grown with it. We do have differences between us and the FBI. But I want to be clear that those differences aren't divisions. We have a phenomenal partnership with the FBI through our field offices across the globe, the multiple taskforces we are assigned with them on, primarily the National Cyber Investigative Joint Task Force, where we run the criminal mission desk. And we are linked. We are the only two federal agencies named by statute to investigate crimes against the Computer Fraud and Abuse Act.
But the difference between us and the FBI really relates to mission and investigative focus. We have, you know, differences in structure and strategy. But our focus in the Secret Service is just on the investigations related to protecting the nation's financial infrastructure and financial payment systems. Their statutory authority is much broader in scope.
MS. NAKASHIMA: Right.
MR. SHERIDAN: And they have a more national security, counterterrorism, and terrorism type investigative focus.
MS. NAKASHIMA: Great. So in the area of ransomware, I'm sure the two of you team up quite a bit. Look, it's pretty clear the threat landscape is growing exponentially as more and more devices are connected to the internet. Briefly give us some insight as to how you're seeing cyber threats evolve.
MR. SHERIDAN: So, there are a host of evolutions that we are concerned about, and in areas where we see potential vulnerabilities moving forward. Some of those are long term as it relates to quantum computing or AI and ML. But in a more immediate sense, we're certainly focused on the application and advent of 5G technology. We think that implementation will introduce vulnerabilities into a host of networks, supply chains, and network security, particularly if the components manufactured there are from questionable entities or adversarial countries. The proliferation of 5G and infrastructure will provide a greater attack surface, certainly, and integrating 5G onto, you know, the backbone of existing vulnerabilities within 4G LTE could create additional problems.
I think more broadly the continued growth and expansion of transnational criminal organized groups, as you mentioned, as they become more complex and more advanced is certainly going to challenge us investigatively. They may move from profit motivated cybercrimes that we've seen recently to more kinetic attacks. Our secretary refers to these as killware, and we've seen some initial examples of this recently in Oldsmar, Florida, where the cyber actor held a network not for payment for ransom but had unauthorized access solely to introduce lye into the water system.
Also, increased anonymity is certainly a concern for us as we move forward. You know that we see the darknet market expanding. We see peer-to-peer networks, privacy coins, automated chatbots, encrypted communications, all of which will challenge us in our investigative mission.
MS. NAKASHIMA: Indeed. So, let's turn to ransomware for a moment, which was a big story of last year in cyber. What is the overall trend you're seeing now, Assistant Director? Are the attacks increasing, decreasing, holding steady?
MR. SHERIDAN: Yeah, we're starting to see certainly an increase in volume, I think most notably an increase in profitability of these attacks, which is one of the greatest contributors to why they're increasing in number. You know, all crime needs certain elements, and motive is really at the foundation of criminal activity. The motive for increased profit, increased revenue for these criminal actors continues to grow. It's contributed to by the proliferation and growth and value of digital money platforms that criminals use as a means to facilitate these crimes. So, we do see ransomware and other types of cybercrime malware continuing to grow for a variety of reasons.
MS. NAKASHIMA: So, we haven't seen a major attack, ransomware attack like the one we saw on Colonial Pipeline or JBS last year, yet we are seeing a steady increase in overall ransomware attacks, right? What do you think's happening there, and why? I mean, do you think that the--go ahead.
MR. SHERIDAN: Yeah--I'm sorry to interrupt. I do think that the cybercriminals have a risk calculus. I think the global and nationwide response that resulted from the Colonial event spoke to them, certainly. And great credit to our partners at the FBI for seizing the crypto assets involved in that case. Those types of consequences, I think, sent a very clear message. So, I don't think that those large-scale type of attacks will be necessarily on the same level of increased frequency as the intermediate or low-level attacks to individual networks, individual end users, individual systems, because those types of attacks don't generate the same notoriety, same exposure of the cybercriminal. And they are certainly very profitable. But I think it speaks to the benefit and the need for a collaborative international global law enforcement response to arrest and conduct asset forfeiture and seizure operations in order to combat this growing threat.
MS. NAKASHIMA: So, let's talk a little bit about those seizures and recoveries. The FBI last year recovered millions of dollars in ransom paid, and Assistant Director Bryan Vorndran this morning actually said at a Silverado press conference that more than has been publicly disclosed was actually seized. Are you, the Secret Service, part of those recoveries? Can you talk a little bit about what role you play in those?
MR. SHERIDAN: Yeah, absolutely. I mean, we--as I said, we partner with the FBI at the NCIJTF--National Cyber Investigations Joint Task Force. So, we contribute, along with a host of other law enforcement entities, substantive investigative information as part of those cases. We also have a variety of investigations within our organization that we are the lead agency on, notably a case recently of two Russian nationals where we identified them as creating fictitious web domains to mimic legitimate virtual currency platforms in which users would log on, provide login credentials and account information, wallet address information. And these individuals would use that data from the individual user to siphon off their accounts.
And as a result of our investigation, we were able to seize millions of dollars of cryptocurrency as well as fiat currency, work with regulators within the crypto exchangers, the legitimate exchangers, to apply consequences and judicial action against those individuals. You know, we have over 727 or so network intrusion cases that we investigated last year. We conducted more than 1,200 seizures, returned $60 million to victims of cybercrime, and seized nearly $1.3 billion in total in terms of overall seizures.
MS. NAKASHIMA: So, you mentioned the cryptocurrency exchanges that you work with to help identify the criminals. What about those cryptocurrency exchanges that traffic in illicit, you know, money laundering--that are offshore, that aren't following the know-your-customer and money laundering rules that onshore American exchanges follow, or others in Western Europe? Do you favor sanctions on such exchanges? Do you think such sanctions might have an impact in deterring crime? Or will they drive the criminals to harder-to-track methods of moving money?
MR. SHERIDAN: Yeah, that's a really important point, because I think the environment and ecosystem around cryptocurrencies is sometimes misunderstood. You know, these are the means to commit the crime for really the overwhelming majority of cyber criminals. They're global, instantaneous, pseudo-anonymous, and they've experienced massive growth.
It's important to note, though, that less than one half of 1 percent of transactions related to crypto are in the illicit realm--in fact, that is comparatively small relative to the amount of illicit transactions that occur in traditional financial institutions. And as you said, this is really a small group. This is not a deluge of individuals leveraging cryptocurrency platforms for criminal activity. You know, by means of data in 2020--and we're still compiling 2021 information--but five funds received 55 percent of all crypto moved from illicit addresses, and just over 1,800 deposit addresses received 75 percent of all crypto sent from illicit addresses in that year. It's not lone actors flying under the radar. These are small groups that are leveraging, as you said, these illicit nested services in illegal crypto exchanges, and we've, you know, dismantled several of them in the Secret Service ourselves.
So, you know, our job is to enact consequence, to arrest and seize those funds and digital money that are flowing through these illicit exchanges, and also to partner with the legal and licit exchanges, if you will, that leverage regulation for the purpose of protecting customers and preventing illicit transactions.
MS. NAKASHIMA: Do you think that legislation or law is needed in the U.S. and in Europe to further crack down on these illicit exchanges? Or do you think the tools you all have right now are sufficient?
MR. SHERIDAN: No, we definitely can use additional authorities, especially related to investigating unlicensed money transmitters, structured payments, you know, money laundering, as a root crime and a precipitating crime. We certainly need more authorities on that front.
MS. NAKASHIMA: You mentioned earlier more secret payments. There are new forms of cryptocurrencies that are even harder to track with anonymous privacy protection mechanisms. And even the encrypted app Signal has just introduced a new cryptocurrency payment protocol. How concerned are you about the evolution of these tools to transfer money in anonymous ways? How will that complicate your job?
MR. SHERIDAN: Yeah, it certainly makes it more challenging. The adversary is an early adopter of technology. They move very quickly. They are becoming more technically complex at a very rapid pace. You know, within law enforcement, within government as a whole, just as a consequence of budget and procurement actions, we are challenged to maintain that pace. There is increased decentralization, as you said, further anonymization through peer-to-peer networks and privacy coins. There are automated chatbots, encrypted communications, and so forth. And that certainly does challenge our investigative mission.
But the Secret Service, as well as our federal law enforcement, state, local, and territorial law enforcement partners, has demonstrated success. You know, we have a host of mechanisms in place in order to combat this: our Cyber Fraud Task Forces located across the globe; our partnerships with other law enforcement, private sector, and academia; our relationships with the legal exchanges; our National Computer Forensics Institute, which is training and equipping state and local law enforcement; as well as our Global Investigations Operation Center, which is standing up a crypto unit to be staffed with subject matter experts.
MS. NAKASHIMA: So, some of these transnational criminal groups have gone dark, like REvil and DarkSide. At the same time, some say that the ALPHV/BlackCat ransomware may be the work of, say, DarkSide. Have you seen any signs of these groups' reappearance? What do you think?
MR. SHERIDAN: So, I think, as I said, with these small groups working with illicit exchanges, there's an expression that a colleague of mine uses. It's the same 200 people chasing the same 200 people. There is certainly an influx of new actors in this space. But a lot of times what we see with a new variant or a new cyberattack, it's the same developers who have just changed, you know, their technology to some degree, but are still utilizing the same ransomware notes or the same techniques or the same access to vulnerable systems. It's not necessarily a new wave of cyber criminals. It's just a maturation, evolution, or adjustment by existing criminals based on, you know, targeted enforcement and consequences that are occurring to them.
MS. NAKASHIMA: So, do you think that there are signs that these groups, like in particular DarkSide or REvil, have reappeared?
MR. SHERIDAN: I don't want to comment on specific groups, because I think that limits, you know, the focus on a particular circumstance. You know, this crime continues to evolve. Those individuals, whether it's the developers of, you know, the particular strain that has hit recent affected organizations, or those that they recruit, have trained, have provided safe harbor to, provided resources to, utilized for money laundering purposes or affiliated crimes, those still exist and aren’t going away. We will continue to bring consequences regardless of where these actors are with our law enforcement partners. But this is a threat that is going to continue, and we will continue to evolve with it, to defend it, and bring justice to it.
MS. NAKASHIMA: Great. Okay. And I guess the final question as we wrap up here is, looking ahead in 2022, what do you forecast in terms of the threat landscape? You mentioned at the top killware and the, you know, move toward kinetic attacks. Do you expect to see more of those? What do you think?
MR. SHERIDAN: I certainly think those are a vulnerability moving forward. But what I would estimate as next wave, if you will, is attacks on extended digital money transactions. You know, we certainly have seen standard attacks on digital money, cryptocurrency as scams or, you know, spoofing that I mentioned earlier. But some of the smart contract fraud that we're starting to see emerge, wherein an individual user links their wallet to an exchange or a liquidity pool through staking or liquidity mining, we've seen cybercriminals be able to insert themselves in that bonding or that unbonding of that loan process in order to commit scams, commit fraud, or do takeovers of the crypto value and take it from the initial investor. So, the increasing technological capabilities of the cyber actor as the more advanced digital money transactions evolve certainly will be something I see more of in the future.
MS. NAKASHIMA: Assistant Director, we will have to leave it there. But thank you so much for joining us today.
MR. SHERIDAN: Thank you very much for having me.
MS. NAKASHIMA: I will be right back with my next guest, Tonya Ugoretz of the FBI. Stay with us.
MS. KELLY: Hi, there, I'm Suzanne Kelly. I'm the chief executive officer and publisher at The Cipher Brief, and we are here today to talk for just a couple of minutes about the state of cybersecurity. And I'm thrilled to be welcoming Google Cloud CISO Phil Venables. Phil, thank you so much for joining us to talk about this today.
MR. VENABLES: Yeah, great to be here. Thank you.
MS. KELLY: You know, 2021 was really a tumultuous year when it comes to cybersecurity in the industry. I'm sure you would agree with that. It's across both the private and the public sectors as well, from SolarWinds and Microsoft Exchange in the early part of the year, to rounding out 2021 really with a discovery of this major vulnerability in the open source Apache Log4j utility. Can you kind of talk me through your view on where you think we are right now when it comes to cybersecurity and where do you think the industry needs to go from here?
MR. VENABLES: Yeah, sure. So, I mean, it's been interesting. I mean, it's about this time last year that security researchers uncovered one of the most significant breaches in recent memory. This is where a Russian-based campaign against the servers of a relatively unknown but now widely known network management provider, SolarWinds, they exploited them in a range of Microsoft vulnerabilities. And you know, this was--this later would be confirmed that this was a significant breach of a large number of companies and a number of government agencies. And this was described as a moment of reckoning for the U.S. in terms of its approach to cyber. And shortly after, the Biden administration, in a sequence of really good steps, created an executive order for cyber and convened the CEOs of major tech companies, including us, at the White House, to really set a fresh direction.
But despite all of these necessary actions and progress in the last year, the unfortunate reality is there's still plenty of chances that another event could occur like SolarWinds. And this is in large part because many organizations, including public sector and critical infrastructure, rely on hard-to-defend outdated legacy systems and software.
MS. KELLY: I hear a lot of complaints, particularly from folks in government, about the issues surrounding legacy systems and just how difficult that can be. You know, I'm wondering what you can tell us about specific technologies or concepts that governments and organizations can adopt now in order to kind of modernize that IT so they're not so vulnerable?
MR. VENABLES: Yeah, I mean, I think all governments and businesses, they have got a really good opportunity to reshape their thinking on cyber. And you know, and the situation persists today, you know, because it's a matter of not good security versus bad security, but a matter of legacy versus modern security practices. And many organizations and governments today are trying to defend indefensible systems.
You know, and to pick an example, it's an example of the lack of defense in depth in the environment where one vulnerability can lead to a breach. A more modern defense-in-depth architecture will realize a point where you don't have to rely on everything being perfect to have that combination defense. And again, I think organizations can really accelerate their modernization by investing in the use of public cloud environments in particular that are designed with built-in, not bolted-on, security protections.
MS. KELLY: Which is I think what everyone's looking for those answers right now. You know, if you were to forecast the next wave of major threats, what are they? And how can industry help mitigate those risks now before it's too late?
MR. VENABLES: Yeah, I mean, I think--I think a lot of stuff coming--and as we've seen in the recent past as well--is a lot of focus on open source software security in relation to software supply chain and more broadly. And I think, again, future areas of focus for the industry are really about how do we mitigate those security risks in open source, how do we think about that broader impact, and really looking across the open source ecosystem.
And I think it's reasonable to assume that many of the vendors and the open source projects are going to continue to increase our level of security in response to this. And enhancing the state of open source security is going to continue to be a focus for us. I mean, at Google, we've been at the forefront of contributing to and supporting open source software development. We've made commitments, for example, recently $100 million to this space as part of our overall $10 billion investment in cyber. And so we're going to continue to focus on that as well--as well as software supply chain risk. And ultimately, it's going to be all about how do we help organizations modernize their IT onto a more defensible platform where security's designed in and not bolted on after the fact.
MS. KELLY: Yeah, so we really know what the problem is. Now it's time to get down to those solutions. Google Cloud Chief Information Security Officer Phil Venables, thank you so much for being here to chat about this today.
MR. VENABLES: Yeah, thank you, anytime.
MS. KELLY: And now back to you at The Washington Post.
MS. NAKASHIMA: Welcome back to Washington Post Live. For those joining, I'm Ellen Nakashima, a national security reporter at The Post. Joining me now to continue this conversation about the future of securing cyberspace is Dmitri Alperovitch, co-founder and chairman of the Silverado Policy Accelerator, which describes itself as a think tank devoted to turning policy ideas into action.
Deputy Assistant Director Ugoretz will be joining us after this. We were having a little bit of sound difficulties there with her.
But, Dmitri, welcome to Washington Post Live. Top of mind for this conversation is cyber and foreign policy. The big geopolitical crisis of the moment is Russia, which is massing close to 100,000 troops on Ukraine's borders. And there's been reporting about stepped-up Russian cyber-probing of Ukrainian critical networks recently. You've been publicly quoted saying you're seeing such increased activity. What does that signify to you, Dmitri?
MR. ALPEROVITCH: Well, first of all, I do think that unfortunately the situation is quite dire. The talks that we just had in Europe, the three rounds of talks in Geneva, and with NATO, and with the OSCE, have not gone exceptionally well. Russia keeps insisting on its maximalist position that it gets ironclad legally binding guarantees that NATO will not expand further to the east, in particular include Ukraine and Georgia, which has been rejected out of hand by the U.S. administration. So, we appear to be at an impasse, and the troops continue to mass on Ukraine's borders.
But as you rightly mentioned, Ellen, we're also seeing increased cyber intrusions that appear to be intelligence collection for potential execution of a kinetic operation by the Russians. So, all in all, I think it's very, very worrisome. I think a lot of people, myself included, expect that very likely an invasion of Ukraine will occur in the next month or so, possibly late January or early February. And cyber will play a supporting role in that conflict. I don't think it will play a main role in any shape or form, because kinetic capabilities will be used by Russia to suppress Ukraine's defenses and to destroy any artillery units and other units that will be used to try to stop the Russian invasion.
But cyber can be very helpful in identifying population elements that could potentially be trying to organize an insurgency. It could also be helpful to identify people that have pro-Russian sympathies that the Russians can tap to run administrations in cities that they take over as part of their invasion plan.
MS. NAKASHIMA: So, it can play an enabling role in a leadup to an invasion and during an invasion, but it's not necessarily the knockout, you know, strategic blow. Some--there's been some reporting about potential disruption of Ukraine's power grid, for instance, which is what Russians did in, you know, 2015, winter of 2015 and in 2016 briefly in eastern Ukraine and Kiev. Do you think this stepped-up activity also indicates that Russia's preparing for a similar disruption of critical infrastructure in Ukraine, like their grid or some other critical sector?
MR. ALPEROVITCH: I think it's possible that they’ll do it. They certainly have plenty of experience in going after critical infrastructure. They've attacked on two occasions, as you mentioned, the electric grid in Ukraine. They've attacked an oil refinery in Saudi Arabia a few years ago. So, they do have a lot of capability there.
But you know, the challenge, Ellen, with cyberattacks of this nature is it's really hard in many cases to have a lasting effect. Sure, you can turn off the power through a cyberattack for a few hours. But ultimately, if the Ukrainians get to the substations and flip the circuits, they'll get it back on. So, from a military standpoint, if you want to shut down power generation to a city block, or perhaps potentially an artillery unit, you want to make sure that it's truly down and it's going to be down for a while. And the only way to assure that is through kinetic action. And I think that's going to be their preference, to the extent that they want to achieve those military objectives. And cyber really will be mostly a sideshow.
MS. NAKASHIMA: The U.S. government this week issued an alert to American critical infrastructure firms that they should be sort of on the alert for Russian cyber threats. They also pointed to these past Russian attacks in Ukraine. How likely do you think such an attack on American critical infrastructure by Russia will be--might be?
MR. ALPEROVITCH: So, I think it's always good to be--it's always good to be prepared. And I want to applaud the NSA and CISA and FBI and others that have been putting out this guidance.
But let's be realistic here. In the event of an invasion of Ukraine, Russia is going to have its hands full. The last thing you'll want to do is escalate by attacking the United States and risk severe retaliation, having to fight on two fronts. So, I don't think it's very likely that they're going to take that escalation measure. It might be possible that you will have a NotPetya-style attack. NotPetya famously was the attack on Ukraine in 2017 that had a worm-like functionality to spread into many networks, and as a result of that, spread into western networks, actually spread into Russian networks as well, and took down a number of companies around the world well beyond Ukraine. You might have something like this take place where by accident you have an attack that becomes much broader than its tactical objective. But I don't think that that's particularly likely.
MS. NAKASHIMA: Silverado this morning, Dmitri, unveiled, you know, your legislative proposals for the year. Among them and primary--perhaps top-most priority is getting cyber incident--mandatory cyber incident reporting to the federal government to happen. Tell me--talk a little bit about your--the highlights of these proposals.
MR. ALPEROVITCH: Yeah, so we just issued six key proposals for Congress and the administration for 2022, the key issues that we think are really important to enact either through legislation or executive action to drive forward cybersecurity across the nation.
As you mentioned, the cyber incident reporting legislation, which almost passed last year--in fact, it is so disappointing that at the last minute, when the agreement was achieved on a bipartisan basis between the Senate and the House on this legislation, they just ran out of time to include it in the NDAA.
But this morning we had an event at Silverado, a virtual event with Representative John Katko from the House Republican side and Representative Yvette Clarke from the Democratic side, who both endorsed the legislation on a bipartisan basis and told us that they are very bullish, that they'll find a way to pass it by attaching it to some other piece of legislation, critical legislation that has to pass this year.
That legislation is broadly supported across industry, and most importantly the government. There is a bit of controversy about that legislation from the FBI/DOJ perspective. In fact, we had Bryan Vorndran on, who is the cyber assistant director of the FBI this morning. And he made it very clear that the FBI’s position is that the legislation should include clear language that while CISA will receive the reports from industry about breaches that are taking place, that information will be immediately shared with the FBI. The FBI would like that codified in law.
DHS--and we had Rob Silvers on, who's undersecretary for policy at DHS--responded by saying that they're fully supportive of sharing with the FBI. And regardless of what happens in legislation, they're going to ensure that as soon as CISA receives the reports, they'll immediately share that information with the FBI. So hopefully, we'll find a compromise on that issue, because it seems like everyone's supportive of the overarching goal to make sure that the information goes as broadly as possible to agencies within the government.
But we do need one central place to collect it. We don't need industry to submit it to 50 different places. CISA is a natural ingest point. So, I think we'll see something like that pass.
And it's really critical because the federal government needs to know about what breaches are taking place. You look at something like SolarWinds, which happened a year ago, and if Kevin Mandia, the CEO of Mandiant, had not come forward and announced this breach, we may not know even to this day about the implication of that attack. So, it's absolutely critical.
And then the other key priorities I would just briefly want to mention, one is on CISA itself. One of the things that I think is really important is to define--
MS. NAKASHIMA: CISA is the--
MR. ALPEROVITCH: Cybersecurity Information Security Agency that was created a few years ago by Congress within DHS--that, you know, from a name is the agency that you think is responsible for securing at least the government, if not the nation. And in reality, it just does not have the authorities it needs to fully execute on that mission. I think we need to define the vision for what does CISA look like 5-10 years from now.
And from Silverado’s perspective, it makes total sense for us to make CISA the "CISO," if you will--the chief information security office within the government that is responsible for securing most of the civilian government networks so that we don't have a hundred different executive branch agencies trying to do their own thing in cybersecurity with varying results. You have it centralized in one location with the best talent you can find in government, with the best technologies that they can procure, and they are responsible for that mission. Just like in companies today, you don't have cybersecurity teams that are within the marketing department and engineering department and sales department. You have one cybersecurity team that protects the company. We need to start taking that approach within the federal government.
MS. NAKASHIMA: That's interesting. So earlier in the hour, Assistant Director Sheridan and I talked about the Secret Service's work regarding crypto and the rise of ransomware attacks. You've said banning crypto isn't the answer. Why not?
MR. ALPEROVITCH: So, I think, you know, you're not going to ban crypto at this point; the horse has left the barn. And listen, there are potentially useful applications for crypto, or Web3 as it's now being called. The whole DeFi, decentralized finance, ecosystem is really, really interesting and could potentially create a lot of innovation in the finance sector. So, you don't want to ban a new technology just because it has some, albeit very significant, downsides.
But you do want to regulate it, and we are regulating it. In fact, if you're a cryptocurrency exchange in the United States today, you have to abide as a financial institution by KYC--know your customer--regulations, and AML, anti-money laundering, regulations.
But foreign exchanges do not have to do that, and many of them don't. In fact, the exchanges that are based in countries like Russia have been notorious about dealing with cyber criminals, not validating their identities, not caring about their identities, not doing any anti-money laundering checks. And one of the other priorities that we push at Silverado is that broad sanction authority be granted to OFAC, the agency within the Treasury Department that is responsible for sanctions, to apply sanctions to any cryptocurrency exchange internationally that does not abide by those regulations, so that you're, one, going after exchanges that are dealing with these criminals or looking the other way, but, two, you're also leveling the playing field and allowing the U.S. financial sector in the cryptocurrency ecosystem to be competitive, because they have all these onerous regulations that they have to abide by and the foreign companies don't.
MS. NAKASHIMA: Well, thank you very much, Dmitri. I think we are just about out of time. But we have Deputy Assistant Director Tonya Ugoretz coming up next. So, stay tuned, everyone.
And Dmitri, thank you so much for joining us here. Always great to talk with you.
MR. ALPEROVITCH: Thank you.
MS. NAKASHIMA: Hello, and welcome back to Washington Post Live. For those just joining, I'm Ellen Nakashima, a national security reporter here at The Post. My next guest is Tonya Ugoretz, deputy assistant director for the FBI Cyber Policy Division. Deputy Assistant Director Ugoretz, welcome to Washington Post Live.
MS. UGORETZ: Thanks, Ellen. It's great to see you again.
MS. NAKASHIMA: Let's start with current events. This week, the FBI and two other U.S. agencies issued an alert to critical infrastructure companies on Russian cyber threats. Dmitri Alperovitch, just--our guest just prior to you, said he didn't think that there was anything--any specific threat there. But what--tell us a little bit about the thinking behind issuing this advisory now. Why now is this, say, strategic message--what’s behind this timing?
MS. UGORETZ: So it's not unusual for the FBI and especially our partners in the Cybersecurity and Infrastructure Security Agency, CISA, to join forces to warn the public and the private sector about actions they can take to better protect their systems. In this case, this was a joint advisory that we issued to warn of the persistent threats from Russian cyber activity that we see and to offer some tangible steps that companies can take to not wait for something to happen, but to proactively [unclear] to reduce the risk to their networks now by looking at some common indicators, tactics, procedures that we see Russian cyber actors use, and act now, have a heightened sense of awareness.
As I mentioned, you know, when we factor in the broader geopolitical environment, it's not unusual to share indicators and share things that companies can do proactively in that environment. You might remember a few years ago, for example, similar advisories coming out from FBI and CISA around the time of the death of General Soleimani in Iran. More than anything, it's an opportunity. It's an opportunity for us to reengage with critical infrastructure owners and operators and other private sector partners, remind them of some of the persistent vulnerabilities that are out there that they can take action now to help mitigate, and then also just remind folks to keep aware of what's happening around them and be prepared.
MS. NAKASHIMA: Great. Last year was a busy year for malicious cyber activity at SolarWinds, Microsoft Exchange, Colonial Pipeline. Take a minute and tell us what you see as noteworthy about where we've been, and where you think we're headed.
MS. UGORETZ: Yeah, 2021 I think will really go down as a landmark year in cybersecurity. I think in a normal year, quote, unquote, normal, as recently as maybe four or five years ago we would see one major cyber incident that would capture the attention of the government at least, if not the public. We would marshal all our resources to respond to it. But then pretty quickly, especially when it comes to the public's attention to it, it would fade from view.
That certainly was not the case in 2021. And honestly, unfortunately, I don't think it will be the case going forward. As Dmitri mentioned, we started off the year responding to the SolarWinds intrusion. That was quickly followed by a very widespread vulnerability identified in Microsoft Exchange Server that we saw cyber actors affiliated with China's Ministry of State Security very quickly move to exploit.
And then that was followed by similar high-profile wide-ranging vulnerabilities and incidents, and then ransomware, which really wasn't necessarily new in 2021, but certainly catapulted to the top of both the public and cybersecurity professionals’ attention due to some of the high-profile incidents, like the ransomware attack that disrupted Colonial Pipeline.
So, as we go forward, you know, I think a lot of times, even in the way I just mentioned, we all tend to look at these incident by incident. But the start of the year is always an opportunity for us to take a step back and look at those broader trends.
And I think for me, what concerns me as I look across that range of activity is the combination of both stealth and then really the audaciousness that we saw from some of these actors. And that certainly informs the way that we are marshaling our resources across not only U.S. government agencies but also with international partners to detect and disrupt these threats.
MS. NAKASHIMA: Let's talk a little bit about that. Last year, you know, from just what's been made public, you, the FBI, and DOJ, and I gather Secret Service, in some cases, were able to recover millions of dollars. The FBI at least 8 million in ransoms paid to Russian hackers, more than 2 million of that paid by Colonial Pipeline. And your assistant director, Vorndran, this morning said that actually a lot more was seized. It’s just not been made public. In a general sense, can you give us a sense of how much? Is it tens of millions that has been recovered? And does that suggest that ransom recovery is a tool that scales?
MS. UGORETZ: So, ransom recovery is really just one example of the benefit that comes from reporting suspicious cyber activity and incidents quickly to an agency like the FBI that has the authorities and the nationwide presence to act quickly. So, in the instances of the cryptocurrency seizures, those really were enabled by a unique set of circumstances in each case where the victim companies not only notified us quickly but worked with us.
And while quick notification is incredibly important--because if we don't know that something's happened, we can't act--it's that second piece, too, that willingness to work with us, to partner with us, and to explore what together we can do to mitigate the damage of the attack, help the company restore itself most quickly, but also, by virtue of our unique set of criminal and national security authorities, look at what are other things that either the FBI could do or that we could help enable some of our other partner agencies to do to take the fight back to these adversaries, and in this--the cases you mentioned, to help recover some of that ransom.
And it's not only confined to ransomware. You're probably familiar with our Internet Crime Complaint Center, IC3, which is the public-facing web portal where we encourage everyone, whether companies or members of the general public, to report cyber incidents. We have a team there that's dedicated to acting on cyber incidents in which both individuals and often small- to medium-sized companies in our communities are being defrauded of anywhere from tens of thousands to tens of millions of dollars. And that team acts quickly with financial institutions to help those institutions freeze the funds, which then makes it possible in some but not all instances to recover those funds for the victims. And that occurred to the tune of $400 million in 2020. But that only happens when we've learned about the incident, and we learned about details of it in a very quick time window.
MS. NAKASHIMA: So that goes to the urgency of this cyber incident reporting law that almost passed last year and that you’re all hoping to get passed this year. I think one of the other things Director Vorndran mentioned was that it's not critical that the law say that the company must report to both CISA and the FBI, but rather can report primarily to CISA, as long as CISA shares this information in real time with the bureau. Is that correct? Is that your view?
MS. UGORETZ: Our view is that the legislation ideally would say that that information would be shared by CISA simultaneously and unfiltered with the FBI. And here's why. You know, there--as you know, there are a number of agencies in the U.S. government with various cybersecurity responsibilities. But there are only two agencies that are identified as responsible for responding to cyber incidents, and that’s CISA and the FBI.
And as I just mentioned, speed is of the essence when we're talking about response to these cyber incidents. So, while we have an incredibly good relationship with our counterparts at CISA, and we trust that they will share incident reporting information with us, it's the speed with which that is shared. We are stronger when we can respond together on the basis of the same information. That's how we try to operate in all cases now. And the speed of our being able to get that information makes a difference.
The other key point is providing clarity to the private sector. Because of the draft legislation that had been introduced previously last year, we already had partner companies coming up to us saying, but what does this mean? We're going to report to this new reporting entity, but if it doesn't say that the FBI is also going to receive the information, we want you to receive the information. So, do we still have to report to you separately? How are we going to know that you're receiving this information, if it doesn't say that in the legislation?
And one of the goals of all of this is to reduce confusion for the private sector, to provide clarity so they know exactly what's going to happen with their information when they share it. So, we think just a few--literally just a few words in addition to the draft legislation will make that difference.
And I just want to close on this by applauding the members of Congress and all those advocating for this legislation. Because, you know, we often get asked questions about are attacks increasing, decreasing, what changes are you seeing. But we know we're only aware of a small fraction of the cyber incidents that are out there. And we won't be able to adequately answer that question or provide response and help identify and warn additional victims if we don't have that information.
MS. NAKASHIMA: Well, let me give you an opportunity now to make a really good case to the private sector for quick, immediate cyber reporting, cyber incident reporting. If you can talk--are you saying--I mean, can you assure them that the more--the more quickly they report, with the more information they give, and the most sort of cooperation they give you, the better you will be able to help maybe try and recover the ransom or even, you know, help prevent the situation where they're forced to pay a ransom? And is that something that you can say that?
MS. UGORETZ: Absolutely. You know, I think it's fairly straightforward that if we don't know about something, we can't help.
MS. NAKASHIMA: Yeah.
MS. UGORETZ: I think what really distinguishes the FBI in this space is that we have both the authority to take action, as well as the nationwide presence to immediately help. I mean, we have cyber-trained investigators, intelligence analysts, computer scientists, in every one of our 56 field offices scattered throughout the country. That decentralized model is not just for the FBI’s benefit. It's for the whole of government's benefit, as well as the community's benefit. When I say whole of government, I mean that a key part of our strategy is that as we're engaging with victims, we are able to not only support them, but also gain information that helps feed into kind of the broader U.S. government picture of who was responsible for activity, who might be hit next, what kind of tactics they’re using, and then that all ultimately feeds up into our policymakers’ decisions about how to respond and how we can hold them accountable. And that's in addition to the immediate support we provide to victims.
So, I'll give you an example. A major financial institution notified us when they were the victim of a breach in which the personally identifiable information of all of their clients was stolen and was threatened to be exposed, and it was only because they very quickly engaged us that we were able to not only identify and arrest the person responsible, but also identify the infrastructure, the sites where that stolen data was being housed so that we could seize it and prevent it from being exposed. So not only helping the company restore its operations but preventing I think either tens--tens of millions of customers’ information being publicly exposed.
MS. NAKASHIMA: Tonya, I just want to go back real quickly to a question I asked earlier and to see if you can give us a little more clarity about just the amount of ransom seized by the FBI last year, not, you know, in absolute terms, but just sort of a general sense of how much that was. Can you give us a sense?
MS. UGORETZ: Yeah, I don't have an exact number to give you. I will say that the types of ransomware seizures that you saw us undertake with the Department of Justice last year are certainly things we want to replicate, and like you mentioned, try to scale. As I noted, those do depend on very specific circumstances for which we work with victims, but also the information that we have available. I think the Department of Justice, through their Ransomware and Digital Extortion Task Force, and the amount of resources and focus they have put nationwide through their U.S. Attorneys’ Offices to help focus attention on this has been a great benefit, as well as kind of the work we're doing with other U.S. federal agencies to be able to spot information about these ransom activities, the associated wallets, the ransomware affiliates and developers, and then now that we've done this a few times, be able to kind of create a playbook for doing this quickly when we find the opportunity the next time.
MS. NAKASHIMA: Would it be fair to say, though, at least, you know, 100 million? More than 100 million? Tens of millions?
MS. UGORETZ: I don't have that number at the moment.
MS. NAKASHIMA: Okay. Well, you're--one more question on the ransomware--on the ransom payment issues. The FBI's position is that it doesn't support paying ransoms, as that just further encourages the criminals. Do you support legislation that would outlaw paying ransoms by victims?
MS. UGORETZ: So as you noted, our position on paying ransoms is exactly as you said. We don't advise it because it does encourage the criminal activity, and it doesn't come with any guarantee that a victim company is going to be able to recover their information or their networks. Outlawing that is not really the approach we'd recommend in terms of payment of ransom, because our entire way of doing things is working collaboratively with victims. And as I mentioned, the more of an open engagement and dialogue that we can have with them, the better chance that we're going to have of helping to support their recovery and remediation and identify the information we need to then hold the actors accountable.
We're not interested in any activity that's going to kind of drive this whole ecosystem further underground, which sometimes is the inadvertent consequence of criminalization. So, we are looking to create opportunities for companies and victims to feel positive about reaching out to their local FBI office. We encourage them to have relationships with their local cyber squad well before something happens. That helps us make sure that we are sharing information with them regularly and that they know who to call when they have that bad day.
MS. NAKASHIMA: Well, thank you very much, Deputy Assistant Director Ugoretz. That was very informative. Appreciate you taking the time. We'll have to leave it there for now. Thanks again for joining us at Washington Post Live.
MS. UGORETZ: Thanks, Ellen.
