The Lawfare Podcast: "How the FBI is Combating Cyberattacks" with Brett Leatherman
Original Airdate: March 28, 2024 (Re-aired September 7, 2025)
Guests:
- Brett Leatherman, Deputy Assistant Director for Cyber Operations, FBI
- Natalie Orpet, Executive Editor, Lawfare (Host)
- Brandon Van Grack, Lawfare Contributing Editor (Co-host)
Episode Overview
This episode presents a deep dive into the FBI’s efforts to combat cyberattacks, focusing on both state-sponsored and criminal threats and highlighting the importance of public-private sector cooperation. Brett Leatherman provides insights into the evolution of the FBI’s cyber mission, operational case studies (including the Volt Typhoon and Lockbit disruptions), and the persistent challenges of defending U.S. critical infrastructure.
Key Discussion Points & Insights
1. Brett Leatherman’s Background and the FBI’s Cyber Mission
Timestamps: 05:58–07:59
- Leatherman’s career was inspired by the post-9/11 climate and a desire to prevent further attacks.
- The FBI recognized early the need for a technical workforce to confront digital threats.
- Cyber operations now underpin the Bureau’s counterterrorism, counterintelligence, and criminal investigations.
“...As the Bureau recognized this shift by all actors—terrorists, criminals, spies...to these digital platforms...”
— Brett Leatherman (06:29)
2. The Cyber Operations Branch Explained
Timestamps: 07:59–09:29
- Handles both criminal (ransomware, cybercrime) and national security (nation-state hacking) investigations.
- National Cyber Investigative Joint Task Force (NCIJTF) brings together 40+ agencies for whole-of-government responses.
3. The Evolution of Cyber Operations in the FBI
Timestamps: 10:17–12:07
- The Bureau has shifted from traditional criminal investigation to being a domestic intelligence service.
- Presidential Policy Directive 41 designates the FBI as the lead threat response agency for cyberattacks.
“...to keep the attacks off the homeland the best we can, to defend forward...and fight those fights in the virtual battlefield...”
— Brett Leatherman (11:41)
4. Threats to Critical Infrastructure
Timestamps: 13:39–17:18
- “Critical infrastructure” includes pipelines, telecommunications, healthcare, and more.
- Threats come from both criminals (for profit) and nation-states (for strategic advantage).
- Notable cases: Volt Typhoon (China) and Dying Ember (Russia) as examples of adversaries pre-positioning for potential major disruptions.
“If all the FBI’s cyber agents and all the FBI’s cyber intelligence analysts focused solely on mitigating the threat to China ... Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.”
— Brett Leatherman (16:16)
5. Technical Operations: Disrupting Volt Typhoon, Dying Ember, and APT31
Timestamps: 17:18–22:28
- Leveraged legal authorities for coordinated removal of malware on thousands of devices.
- Focus on end-of-life “SOHO” (Small Office/Home Office) devices, which are commonly targeted because they no longer receive security updates.
- FBI and DOJ recently indicted seven Chinese nationals for long-term cyber campaigns (APT31).
“When they can find a vulnerability on one SOHO device like a router...They’ll weaponize them, maintain persistence...and use them to target American businesses, American critical infrastructure, and government agencies.”
— Brett Leatherman (19:33)
6. The Pace and Scale of Cyber Disruptions
Timestamps: 22:28–25:56
- Surge in disruption operations since 2022, due to increased urgency and coordination.
- Partnerships now span the entire US Intelligence Community (IC), law enforcement, and international agencies.
- Private sector plays a unique and critical role—“whole-of-society” approach.
7. Measuring Impact
Timestamps: 25:56–28:49
- “Impact” isn’t just arrests; it includes reducing attacks, restoring systems, and victim engagement.
- Operations are tailored—sometimes a temporary respite, sometimes a complete infrastructure dismantlement.
8. Ransomware: Threats and Tactics
Timestamps: 30:18–34:26
- Ransomware is a visible, disruptive threat, contrasted with quieter espionage.
- “Double extortion”: criminals encrypt data and threaten public exposure.
- Lockbit example: Over $144 million in ransoms, 1,600+ US victims, FBI and UK NCA cooperative takedown.
“Today’s ransomware attacks really focus on exploiting both the confidentiality and the availability of data.”
— Brett Leatherman (31:36)
9. Sector Spotlight: Healthcare Under Attack
Timestamps: 34:26–36:41
- Attackers target healthcare for maximum operational urgency and leverage third-party risk.
- Consequences include interruption of life-saving medical services and cascading impacts.
“...They didn’t target a specific hospital. Right. They targeted the third party of all these hospitals...If they can hit an organization that has cascading impact...there’s also some exigency...to quickly reconstitute.”
— Brett Leatherman (35:54)
10. The Internet Crime Complaint Center (IC3)
Timestamps: 36:41–37:19
- Central FBI hub for internet crime reports and annual cybercrime statistics (ic3.gov).
11. Ransomware Resilience and Evolution
Timestamps: 37:19–40:50
- Despite takedowns, groups rebrand and reconstitute, making the fight ongoing (“whack-a-mole”).
- Future trends: Increase in third-party and supply-chain compromises (e.g., SolarWinds).
- Attackers “living off the land”—exploiting weak baseline security, not just advanced tactics.
12. The Critical Role of the Private Sector
Timestamps: 41:25–44:11
- Private sector is “on the front lines”; companies detect threats before the government does.
- FBI emphasizes benefits to both sides: unique intelligence and technical help for companies, broader threat visibility for government.
“...A rising tide lifts all boats. That is true here. When an organization reaches out to the FBI and provides information, we can provide it anonymously...builds resiliency and prevents exploitation...”
— Brett Leatherman (42:59)
13. Challenges: Incentives, Disclosure, and Underreporting
Timestamps: 44:11–47:41
- Companies often hesitate to involve law enforcement due to ransom threats and reputational risks.
- FBI estimates only 20% of ransomware victims report incidents.
- Early engagement can provide companies with vital decryption or remediation help.
14. Regulation: The SEC & FISA 702
Timestamps: 47:41–54:08
- New SEC rules require prompt cyber incident disclosures but allow national security exceptions (FBI/DOJ help determine this).
- Early dialogue with the FBI is encouraged for companies.
- FISA 702 is vital for surveilling foreign adversaries exploiting US infrastructure; the tool is under political debate.
“...We’re probably the top users within the FBI of FISA 702 capabilities...If we are not able to adequately follow the adversary...that’s a risk to our investigators in being able to maintain that coverage and warn victims...”
— Brett Leatherman (53:06)
15. Policy Recommendations & Final Thoughts
Timestamps: 54:08–57:08
- Raising cybersecurity baselines is crucial: adversaries exploit easy, preventable vulnerabilities.
- Manufacturers and major providers should build “secure by design” products.
- Meeting regulations is necessary but not sufficient—proactive resilience is needed.
“If you just engage in cybersecurity practices to meet regulatory requirements, we’re generally behind the ball...We have to go beyond what regulation requires...”
— Brett Leatherman (56:19)
Notable Quotes & Moments
- On the scale of the Chinese threat: “Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.” (16:16)
- On international and private sector partnerships: “Private sector is an equal player in this fight...it’s a whole-of-society approach.” (24:18)
- On prevalence of underreporting: “...only about 20% of the victims...actually reported to law enforcement...” (46:44)
- On evolving tactics: “We are trending towards third party compromises...the software-based supply chain risk...” (39:27)
Segment Timestamps at a Glance
- 05:58 – Leatherman’s entry into the FBI and the evolution of cyber ops
- 13:39 – Defining critical infrastructure and foreign threats
- 17:18 – FBI takedowns: Volt Typhoon, Dying Ember, APT31
- 30:18 – Ransomware, Lockbit case
- 34:26 – Healthcare sector attacks
- 41:25 – Private sector’s crucial role
- 47:41 – Regulations and disclosure (SEC, FISA 702, need for baseline security reform)
- 54:08 – Policy recommendations and closing thoughts
Conclusion
This episode offers a comprehensive, boots-on-the-ground perspective on America’s cyber defense strategy. The FBI’s approach combines technical operations, intelligence, victim engagement, and partnerships at every level. The persistent message is that countering cyber threats requires resilient infrastructure, proactive private sector cooperation, and a readiness to exceed regulatory minima.
Listeners are left with clear calls to action:
- Report breaches promptly to the FBI
- Build relationships with law enforcement in advance
- Push for security “by design” in digital products
- Recognize that cyber threats are both a national security risk and a shared societal responsibility
