The Cybersecurity and Infrastructure Security Agency, on one side of the spectrum, leads the government’s defensive capabilities, along with some aspects of the Defense Department and private-sector owners of national critical infrastructure.
On the other end of the spectrum, the intelligence community and DoD’s offensive cyber capabilities work to root out malicious actors and deter them from making attacks.
Matt Gorham, the assistant director of the FBI’s cyber division, said the bureau sits in the middle of that spectrum, along with counterintelligence partners such as the Secret Service, the Naval Criminal Investigative Service, the Air Force Office of Special Investigations and Army G-2 intelligence.
In that center space, Gorham said the FBI focuses on conducting investigations, collecting intelligence and engaging with its partners in and out of government.
Thursday’s discussion among FBI executives shed more light on the strategy’s key points. FBI Director Christopher Wray announced the launch of the strategy last month at CISA’s National Cybersecurity Summit, and described its focus as “making it harder and more painful” for hackers and criminals to operate by building up partnerships across the cybersecurity community.
Gorham said a key part of the FBI’s mission as a law enforcement agency is attributing attacks to their source and imposing “risk and consequence” on cyber adversaries.
“At our core, we are an investigative body, and regardless of what tool we want to use to impose some type of risk and consequence on our cyber adversaries, attribution is key,” Gorham said in a virtual event hosted by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
While the FBI’s authority to arrest and indict suspected cybercriminals may come to mind as its primary response to threats, Gorham said the bureau’s new strategy considers that response as only one of many tools at its disposal.
“That’s one thing that we can do in our lane, in the center of that ecosystem, but it isn’t the only thing that we can do. And if we do it in isolation, we’re really not imposing maximum risk and consequence on our cyber adversaries,” he said.
Alternative responses, he added, may include working with intelligence and national security partners to go after a threat, or working with CISA to release indicators of compromise that will lead to patches and updates to mitigate threats.
FBI Deputy Assistant Director Clyde Wallace said much of the bureau’s new strategy focuses on its leadership of the National Cyber Investigative Joint Task Force, which has created hubs for the public and private sectors to build long-term relationships around cyber threat information sharing.
Within the last six months, Wallace said the bureau has co-located all of its operational sections into the NCIJTF and restructured the task force into threat mission centers. A Secret Service senior executive, he added, now leads the NCIJTF’s criminal mission center as part of a “whole of government” approach to combatting cyber threats.
FBI Deputy Assistant Director Tonya Ugoretz said the bureau’s coordinating role with overt and covert cyber partners can be a tricky balance.
In one recent case, for example, Ugoretz said the National Security Agency asked the FBI to reach out to its international partners to help obtain additional information about a next-generation tool used by a Russian adversary.
“By using that type of process, we were able to blend our ability to gain that information at an unclassified level, marry that up with what NSA had learned, and then make the decision as an interagency,” Ugoretz said. “We wanted to take the step to expose this tool in order to have an impact on this adversary, to reduce their ability to use it to compromise U.S. and foreign networks, but also to serve as a warning that when we see that type of tool development that could be used against us, we are willing as the U.S. government to expose that activity and minimize the impact in that way.”