A
Welcome to Advancing Health. Coming up, in part one of this special two part conversation with FBI leaders, we learn about Operation Winter Shield, the FBI's new 60 day nationwide effort to protect against cybercrime. Hello, everybody. I'm John Riege, your national advisor for Cybersecurity and risk at the American Hospital Association. What a great conversation we have lined up for you today. So proud and privileged to have two of my very good friends from the FBI here with me today to talk about the latest cyber threats and what we can do to help defend against the threats and how we share information with the FBI for the greater good. So here with me today is my good friend, longtime friend, FBI Assistant Director Brett Leatherman, who leads the FBI Cyber division. We also have my longtime and good friend, FBI Assistant Director Gretchen Burrier, who leads the Office of Private Sector. Thank you both for being here today.
B
Thanks, John. Happy to be here.
C
Yeah, John, thank you so much for having us. It's really great to be here today.
A
Great to have you, Gretchen and Brett. Brett and I actually worked together in cyber division over 10 years ago. Seems like a lifetime ago, right, Brett? So much has changed.
B
Yeah, a lot changes in cyber in 10 years, right?
A
Sometimes it seems like in 10 minutes it changes. Brett, if I could start off with you again, thank you for being here. And coincidentally, at the time of this recording, you and the FBI have announced the launch of Operation Winter Shield. Could you tell us a little bit about that and why it's relevant for the nation's hospitals?
B
Thanks, John. And thanks for the invite to participate in the podcast. Operation Winter Shield launched February 1st and it's a 60 day campaign to defend the homeland against malicious cyber activity. What's unique about Operation Winter Shield is most FBI enforcement action or operations involves federal, state and local partners in support of, you know, reducing violent crime or some sort of enforcement action that the FBI has jurisdiction in. Operation Winter Shield is different in that it requires all of us, everybody listening to this podcast to come together and work together to reduce risk to critical infrastructure, to healthcare and to the homeland from both state and criminal cyber actors. So what it does is it distills the FBI's visibility in this space pursuant to our law enforcement and intelligence community mission into the top 10 controls that we recommend organizations apply to their environments. Based on that work that we do today, 95% of the breaches continue to exploit one of these controls, at least one of these controls. And so we believe that really spending the next 60 days firming up the ability to defend against these attacks by advertising these controls to Fortune 100 organizations, down to small mom and pop businesses, and especially in health care can measurably move the needle in increasing resilience against these cyber attacks. The one thing I would add is that we know that nation states in general who target us now use a whole of society approach to target the homeland through these cyber operations. And this requires a whole of society approach to defending it. And this is meant to pull all of us together in support of that national defense and national security mission.
A
You and I have chatted many, many times and Gretchen, over the years of the value of private sector cooperation. I love this expression whole of society. We used to talk about whole of government approach, but you're absolutely right. Private sector must be a partner with the government on these task forces to help defend the nation. Whole of nation, whole of society approach. Brett, getting back to Operation Winter Shield, just briefly give us a sampling of, let's say maybe the top five controls that you think all critical infrastructure should implement.
B
Yeah, and none of these are going to come to a surprise to many folks. Right. The issue is we continue to see the actors exploiting these. So things like adopting phish-resistant authentication, incredibly important. Implementing a risk based vulnerability management program, incredibly important. We've continued to see nation state actors targeting end of life edge devices. So one of the controls is understanding how to track and retire end of life technology on a defined schedule. And for health care, that's incredibly important. Health care continues to be, you know, according to a lot of reporting out there, the number one targeted entity within critical infrastructure. I saw one report that showed the average cost of a data breach within health care is $7.42 million. And so there's a low tolerance for downtime because there is patient and life safety implications. So for example, control number six within Winter Shield is maintain offline and immutable backups. That is incredibly important for health care when it comes to resiliency and being able to get, you know, health and safety data and systems back online during a breach.
A
Totally agreed, Brett. In fact, when the AHA and myself worked with the previous administration to help develop the cybersecurity performance goals version 1.0, what we did is we looked at the threat reporting coming from the FBI and I said, let's look at how we are getting beat. And it's the same controls that you just described as the best mitigating practices. Challenge for us in healthcare, for all our listeners, you all know this better than I, is the financial constraints that we are faced with as well. We know what to do. This reinforcement from the FBI really gives validation to that. But within an operating environment under severe financial pressure. Brett, you just mentioned the nation states. Talk to us a little bit about China and their typhoon campaigns targeting critical infrastructure.
B
Yeah, we talked about these end of life devices. And if you look at Volt Typhoon, Flax Typhoon, both campaigns between 2024 and 2025 that are PRC sponsored campaigns, they target those end of life devices. The reason they do devices sit here in the United States. They're global botnets. But the ones that have real impact here are devices that sit here in the US. They sit on trusted IP space within the United States, meaning the actors can quickly pivot from that space to target other organizations like healthcare. So the PRC understands that the path of least resistance is the way to go. They don't want to deploy their most sophisticated capabilities when they can start to target things that these controls to address. You know, it's incredibly important that we come together and really understand how we plug those gaps in our exposed infrastructure to reduce the likelihood of compromise.
A
Really key point you made, China and Russia, Iran, North Korea, as sophisticated as they may be, they're not using highly sophisticated zero days to attack us. That's why these basic controls are so important to help mitigate the threat. Getting back to nation states a little bit, we talked about China, what about Russia, Iran and North Korea?
B
Yeah, critical infrastructure is a target for each of those entities for a variety of different reasons. Number one, for organizations who want to pre place capability in the United States, healthcare is a key area to do that. Right. And so the electric grid, the financial services sector, healthcare, all of those areas would have real impact should a nation state decide to launch some sort of cyber attack against the homeland. And so each of these nation states possess different capabilities in this space, but each of them will also follow the model of that path of least resistance. And it doesn't matter if these are actors sitting in Iran, if they're actors sitting in North Korea, in Russia or China, they're going to continue to target credentials, stolen credentials, for example, to get into environments where there's no multi factor authentication. So if there is remote access to your environment, every one of these state actors on top of criminal actors are going to target that. Same with the end of life devices. They're going to target those because they're easy to get into. And so each of these actors are sophisticated, but often they won't take the sophisticated way in if they can target one of these controls.
A
Great points. And again, pointing out to everyone at this time of the really increased geopolitical tensions with all these nations, China, Russia, Iran, North Korea, understanding that they do possess first world highly sophisticated cyber capabilities. And the question is, would they use that against us or some proxy at their direction to launch some type of unattributable attack? Things we're all concerned about. Brett, I appreciated your advisory in early December talking about pro Russian hacktivists being directed by the Russian military intelligence service, the GRU. We in healthcare and hospitals need to understand the geopolitical risk environment because it directly translates to cyber risk. Brett, last question for you. At this moment we talked about the disruption to healthcare delivery by particularly these Russian based or Russian speaking ransomware groups that disrupt and delay healthcare delivery, posing a direct risk to patient and community safety. Can you talk to us a little bit about the most significant Russian groups or ransomware groups that the FBI is tracking at the moment?
B
Appreciate that question. Because the ransomware groups operating globally continue to target the underlying ecosystem of healthcare, meaning where they can identify points of targeting that is not just one hospital, but has cascading impact across healthcare, hospitals, pharmaceuticals, they'll target that. And so we've seen attacks in the past. Change Healthcare is an example. And so these supply chain breaches are incredibly important. And that goes back to one of our Winter Shield advisory statements which is to analyze third party risk, to understand the third parties who have access to your data and your systems and your networks and work with them to build resilience there. It's incredibly important that we also assess detection capability. We're so focused sometimes on prevention, and we do want to prevent cyber attacks from happening, but we've also got to detect the adversary when they get in. We can't stop them 100% of the time. And these groups are very good at in some cases, for example, Scattered Spider, socially engineering their way into our help desk, getting legitimate credentials and getting into our environments. So if we can focus on detecting them earlier, it's incredibly impactful to reducing that blast radius in healthcare. I think it's over 270 days on average it takes right now to detect an actor in a healthcare environment. And so we've got to reduce that dwell time significantly.
A
Totally agreed Brett. And this again, the continuing threats that we face wholesale here. Third party risk is a major area of risk exposure we talk about constantly. We can do the best we can to defend our own systems and networks. Then we get exposed through these third party technology and providers and supply chain. Gretchen, turning to you, given all these threats that Brett just described. Could you tell us about your division's extremely important mission in helping counter these threats and the value of information sharing with the private sector?
C
Absolutely. And first, John, it's a privilege to be on your podcast. I love listening to it regularly. So to be on your show, it's very exciting. But to answer your question, you know, the reality today is that the front lines of national security, they're increasingly running through the private sector. Whether it's cyber intrusions, ransomware, intellectual property, or foreign malign influence, US companies are often the first to see these threats and sometimes the first to feel the impact. So the mission and focus of my team and the FBI's Office of Private Sector is to make sure these companies don't face those threats alone. We serve as the connecting bridge between the FBI's operational divisions and the businesses that own and operate, you know, the systems, the data and infrastructure our country relies on. And if you don't know who to connect with in the FBI, you can reach out to our team and we'll make sure you get the help you need. We also have in the FBI private sector coordinators, at least one in every field office across the country. You can pick up the phone, call the field office, and ask to speak to the private sector coordinator for help and assistance. They're the best at what they do, and they fully believe in partnering with industry. And just to touch on your comments about, you know, information sharing, it's at the heart of what we do and it's at the heart of our work. When companies share what they're seeing with the FBI, whether that's a suspicious cyber incident or unusual activity on their networks, Brett's team can connect the dots across sectors and across investigations. And that allows the FBI to provide context, warn others, disrupt adversaries, and in many cases, prevent the next victim. And at the same time, you know, OPS is dedicated to giving value back through threat briefings, various engagements, webinars, other tailored information so that companies can make better risk decisions in real time.
And we do this, of course, in coordination with our operational divisions. Just to give a quick plug too, we have two key partnership programs through the Office of Private Sector, the Domestic Security Alliance Council and InfraGard. And those wishing to learn more can visit dsac.gov and infragard.org. Brett and I really do see this as a two way partnership. And John, I know you do as well. And when the private sector and the FBI work together, we're absolutely faster, we're more resilient, and we make it harder for criminals and foreign adversaries to succeed.
A
Thank you, Gretchen. Appreciate your continued support. And for all of the private sector coordinators in the field, everywhere we go, and we go a lot of places to help hospitals, we invite the FBI, we invite CISA, we invite Secret Service. The Office of Private Sector Coordinators have been outstanding. Just recently I did a four hour exercise for the leadership of one of the largest health systems in the country. Over 100 C suite executives there. Two FBI agents from the local field office stayed the entire time and really contributed significantly. So you talk about the partnership. It is real world, side by side and the reality is a lot of the expertise and experience and evidence in intel lies with the private sector on our network. So it really is a tremendous partnership. Brett and Gretchen, thanks for an amazing conversation. We have so much more to discuss. I think what we're going to do is part two of this amazing conversation. So for our listeners, stay tuned for part two. Until then, Brett and Gretchen, thank you and all the men and women of the FBI for what you do every day to secure our nation in health care. And to all our frontline health care heroes, thank you for what you do every day to defend our networks, care for our patients and serve our communities. Stay safe everyone. Thanks for listening to Advancing Health.
B
Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.
Episode: Operation Winter Shield: The FBI's Campaign Against Cyberthreats Part 1
Date: February 9, 2026
Host: John Riege, American Hospital Association
Guests:
This episode introduces "Operation Winter Shield," the FBI’s new 60-day nationwide effort to bolster protection against cybercrime, with a particular focus on the healthcare sector. Host John Riege engages FBI leaders Brett Leatherman and Gretchen Burrier in a wide-ranging conversation about contemporary cyber threats, actionable defenses, and the power of public-private partnership to increase national resilience. The discussion explores operational tactics, nation-state threats, ransomware trends, and how hospitals and health systems can work directly with the FBI.
[02:22]
“Operation Winter Shield is different in that it requires all of us, everybody listening to this podcast to come together and work together to reduce risk to critical infrastructure, to healthcare and to the homeland from both state and criminal cyber actors.”
— Brett Leatherman [02:01]
[04:10]
"Health care continues to be...the number one targeted entity within critical infrastructure...there is a low tolerance for downtime because there is patient and life safety implications."
— Brett Leatherman [04:04]
[06:10]
"They’re not using highly sophisticated zero days to attack us. That's why these basic controls are so important to help mitigate the threat."
— John Riege [07:10]
[09:53]
“We've also got to detect the adversary when they get in. We can't stop them 100% of the time.”
— Brett Leatherman [10:37]
[12:00]
"The reality today is that the front lines of national security, they're increasingly running through the private sector... The mission and focus of my team... is to make sure these companies don't face those threats alone."
— Gretchen Burrier [12:03]
On collective defense:
"This is meant to pull all of us together in support of that national defense and national security mission."
— Brett Leatherman [03:29]
On the challenge for healthcare:
“Financial constraints that we are faced with as well. We know what to do. This reinforcement from the FBI really gives validation to that.”
— John Riege [05:22]
On supply chain risk:
“These supply chain breaches are incredibly important. And that goes back to one of our Winter Shield advisory statements which is to analyze third party risk.”
— Brett Leatherman [10:05]
On reality of partnership:
“It is real world, side by side and the reality is a lot of the expertise and experience and evidence in intel lies with the private sector on our network.”
— John Riege [14:58]
The conversation is candid, collaborative, and mission-driven, with a balance of urgency (given relentless threats) and optimism about the power of partnership. John Riege and the FBI leaders convey a clear message: practical, collective action is the best defense, and information sharing is both a responsibility and a force multiplier.
Stay tuned for Part 2, where the conversation promises deeper dives and more actionable insights.