The following podcast contains advertising. To access an ad-free version of the Lawfare Podcast, become a material supporter of Lawfare at patreon.com/lawfare. That's patreon.com/lawfare. Also check out Lawfare's other podcast offerings: Rational Security, Chatter, Lawfare No Bull, and The Aftermath.
Podcast Advertiser 1
Imagine the merging of trusted intelligence into a unified experience. Imagine collaboration amongst teams and across continents. Imagine an empowered ecosystem designed to deliver actionable insights that inspire growth and sustainability. That's the power of the Connect Industrial Intelligence platform to help you see further, innovate faster, accomplish more. That's the Connect effect. Learn more at thatsteconnecteffect.com.
Darina, Co-founder of OpenPhone
Hi, I'm Darina, co-founder of OpenPhone. My dad is a business owner and growing up, I'll never forget his old ringtone. He made it as loud as it could go because he could not afford to miss a single customer call. That stuck with me when we started OpenPhone. Our mission was to help businesses not just stay in touch, but make every customer feel valued, no matter when they might call. OpenPhone gives your team business phone numbers to call and text customers, all through an app on your phone or computer. Your calls, messages and contacts live in one workspace so your team can stay fully aligned and reply faster. And with our AI agent answering 24/7, you'll really never miss a customer. Over 60,000 businesses use OpenPhone. Try it now and get 20% off your first six months at openphone.com/business, and we can port your existing numbers over for free. OpenPhone: no missed calls, no missed customers.
Olivia Manis
I'm Olivia Manis, associate editor of Lawfare, with an episode for the Lawfare Archive for September 7, 2025. This week, the New York Times released an article detailing the alarming scope of the Salt Typhoon cyberattack, an almost two-year-long operation carried out by Chinese hackers which compromised a variety of telecommunications devices and gave Chinese operatives access to networks. According to former FBI officials, the campaign is likely to have affected almost every American, raising pressing questions about US cyber defense capabilities. For today's Archive episode, I selected an episode from March 28, 2024, in which Natalie Orpett and Brandon Van Grack sat down with Brett Leatherman, deputy assistant director for cyber operations at the FBI. They discussed the FBI's recent operations, threats from both state actors and criminal gangs, and the role of the private sector in US cybersecurity.
Natalie Orpett
I'm Natalie Orpett, executive editor of Lawfare, and this is the Lawfare Podcast, March 28, 2024. One of the gravest threats to US national security today, and also one of the newest, is the risk of cyberattacks. They come in many forms and they can incapacitate companies, institutions, and even the government. To better understand these threats and how the government is responding to them, Lawfare contributing editor Brandon Van Grack and I sat down with Brett Leatherman, Deputy Assistant Director for Cyber Operations at the FBI. We discussed the FBI's recent operations, threats from both state actors and criminal gangs, and the role of the private sector in US cybersecurity. This is the latest episode in our special series, the Regulators, co-sponsored with Morrison Foerster, in which we talk with senior government officials working at the front lines of US national security policy. It's the Lawfare Podcast, March 28, 2024: How the FBI is Combating Cyber Attacks with Brett Leatherman.
Brandon Van Grack
Here at the Regulators, where we focus on national and economic security, we really can't talk about those topics without having a robust discussion about cybersecurity. And everyone, and I think truly everyone, accepts that cybersecurity is an issue that affects national security, affects cybersecurity. But not everyone fully understands and, dare I say, appreciates all that the FBI and the intelligence community and others in the government are doing to address it. And that's why we're so thrilled, Brett, to have you on the Regulators as one of the FBI's senior officials really leading cyber operations. And at the outset, before we jump in, I will provide the major qualifier that the FBI is not a regulator. This is not our program jumping the shark, really, into something very new for our program, but actually reflective of the fact of how important cybersecurity is, and the FBI really, the FBI works with just about every regulator in this space. It's also, when you talk about cybersecurity, an area that's ripe for regulation, and in fact we'll talk a little bit about some of the different entities that are in fact regulating in this space. And then on top of that, there's so much engagement that you all have with the private sector in this space. And so with that qualifier, which you can add to and enhance, Brett, wondering if you can actually start off by giving us some background in terms of how you found yourself in cyber operations.
Brett Leatherman
Yeah, thanks, Brandon. And thank you, Brandon and Natalie, for having me on. Yeah, my background actually, my undergrad was in business administration and computer information systems. I have a graduate degree in cybersecurity and worked before the Bureau in the cyber discipline. So by, I guess, training and background, I've got a cyber background. And I was recruited into the FBI post-9/11 based on that cyber background, as the Bureau recognized this shift by all actors, terrorists, criminals, spies and others, to shift to these digital platforms. The Bureau recognized a need for technical personnel to investigate and work these complex matters. And so in 2001, of course, the 9/11 attacks happened. My wife and I lost a close friend from high school in the 9/11 attacks. And that was the catalyst for me saying, all right, what can I do different? How can I serve my country in a different way? How can I make a difference in preventing these kinds of things from happening in the future? And that was kind of a catalyst to me joining the FBI. I entered on duty in 2003 and it has been 20 years of just excitement and a job that you'll never get to experience anywhere else. Just every day is something different. And I've had the opportunity to work or manage work in every FBI discipline, be it counterterrorism, counterintelligence, cyber, criminal investigations, undercover operations, and really cyber underpins all of those. And like you said, it is both a means by which criminals extort money from businesses or individuals, they monetize that cyber activity. But then we also have nation states engaged in tremendous hacking campaigns against US government and private sector entities, which is a risk to US national security. And that's part of the FBI's mission, to both prevent and impose cost on those actors for engaging in those hacking campaigns.
Brandon Van Grack
And so I'm wondering if you can also sort of educate our listeners on what the Cyber Operations Branch is and what it does.
Brett Leatherman
Yeah, so the Cyber Operations Branch, those are my teams, deals with both criminal and nation state hacking. So the FBI is both a criminal investigative agency. Under criminal statute, we conduct investigations related to computer intrusions, obviously illegal activity under federal law. And so those are primarily criminal actors, ransomware groups, online extortion groups. But then we are also a member of the US Intelligence Community, and those are national security teams who conduct investigative work against the major threat countries out there. And so the Cyber Operations Branch encompasses both of those: the teams that look at criminal investigations, the teams that look at national security investigations, the teams that actually do the arrests of individuals domestically or overseas, as well as work with the intel community to impose cost on nation states and others for engaging in this hacking activity. And we also have within the branch the National Cyber Investigative Joint Task Force, or NCIJTF, which is the US government's investigative task force with over 40 agencies co-located together to bring an all-of-government approach against these actors who are engaged in this hacking activity.
Brandon Van Grack
Well, and I want to spend a moment talking about really the operations side of this and a point that you raised, because I think when you talk about the FBI and its role with respect to cyber operations, I do think it's right to start with 9/11 and terrorism, because I think there's really an analogy there in terms of seeing the pivot of the FBI to addressing counterterrorism, its development. And I think really you would be more of an authority than I would, seeing about a decade ago a similar pivot with respect to cyber and cyber operations, which is why here at the Regulators, we wanted to spend some time, in fact, talking about some of those cyber operations. And I think before we jump into them, I'm just curious in terms of, like, your own view in terms of that evolution.
Brett Leatherman
Yeah, it's, you know, it's been tremendous. Over 110 years ago, the FBI was founded, and we were founded to conduct criminal investigations. But we have evolved. Our authorities and capabilities have evolved over time. If you look at, you know, going through World War I and World War II and developing some counterintelligence authorities as a result of those wars, and looking at the US national security landscape there, certainly investigating criminal enterprises, you know, the gangster era, and being able to go across state lines where some local PDs lack the authorities or capabilities to do that and pursue adversaries across the country, kind of the long arm of the law, if you will, and then going into 9/11, really becoming the nation's domestic intelligence service to prevent terrorist attacks from occurring here in the homeland. And as you indicated, about 10 years ago or so, pivoting into the cyber realm in taking that status as the nation's domestic law enforcement and intelligence service. In fact, Presidential Policy Directive 41 designates the FBI as the lead threat response agency for cyber attacks for the United States government. And so the teams in the Cyber Operations Branch and in the Cyber Division and throughout our 56 field offices around the country, as well as our embassies around the globe, we have personnel dedicated to that mission and doing the best we can to pressure the adversary. And similar to 9/11, or similar to terrorism as a result of 9/11, to keep the attacks off the homeland the best we can, to defend forward, which is military doctrine, to defend forward and to fight those fights in the virtual battlefield in an attempt to better prevent and detect the adversary early on domestically.
Podcast Host/Interviewer
So it's a tremendous amount of capabilities that you've mentioned. A lot of people doing a lot of things and working really across agencies and across the government. I think it would be useful to ground the conversation now in some of the specific types of threats that you all are dealing with on a day-to-day basis. So of course, when we say cybersecurity, it is quite a large umbrella term that encompasses a lot of things. So we thought about a couple of significant issues that you all are dealing with that have really made the news of late: critical infrastructure, ransomware, malware, and the role of the private sector. So we wanted to sort of tick through each of those and get your sense of just an explanation of really what the threat is as you understand it and what you all are doing to respond. So if we could get started with critical infrastructure, I think this is an issue that came to people's consciousness really only a year or two ago as a major threat. It's not necessarily intuitive that people working behind a computer keyboard are going to be able to affect pipelines, for example. Tell us about what the threat is to critical infrastructure, even the basics. How do we define what critical infrastructure is, and what are the kinds of vulnerabilities that are being exposed?
Brett Leatherman
Yeah, that's a great question. And so critical infrastructure really is defined through sector-specific agencies within the Department of Homeland Security. Think, you know, like you mentioned, pipelines, telecommunications, healthcare. And what we see is a combined threat environment against critical infrastructure. And what I mean by that is we see criminal actors targeting critical infrastructure in order to monetize that activity. Think ransomware, right? We've seen a tremendous amount of ransomware attacks, you know, go back to Colonial Pipeline. And there's an urgency sometimes within critical infrastructure to make payments to get potentially life-saving or economically vibrant efforts back underway post-ransomware breach. And so certainly the criminal threat is what we see as a tactical threat, meaning it's here and now. We see that the more strategic threat is the national security threat. That national security threat to critical infrastructure and to the economy, I think, is an existential risk to the United States' standing as a world superpower. Because we're measuring in years, right? Some countries have 20, 25, 50-year plans in place to dominate as a world superpower. And part of their efforts involve diminishing the United States' standing as a world superpower. And so recently, for example, on the national security side, the FBI and our partners engaged in an operation against Volt Typhoon actors. And Volt Typhoon is associated with the Chinese Communist Party. And that was an effort by the CCP to basically pre-position malware on infrastructure in the United States, hundreds of devices compromised by the PRC, the People's Republic of China, actors with the intent of pre-positioning on critical infrastructure.
And so that is a tremendous liability, because if there was some sort of red line crossed down the road, especially as it relates to potential military conflict with China, the ability for them to launch attacks on telecommunications or other infrastructure in the United States could have tremendous risk for us. And so that is demonstrative of the risk we face in critical infrastructure when it comes to the actual threat countries. The Chinese hacking apparatus represents the broadest, most active and persistent cyber threat to us today. That's what we assess. Just to give you a sense of the scale of their activity, if all the FBI's cyber agents and all the FBI cyber intelligence analysts focused solely on mitigating the threat from China, and not on ransomware, not on the threat stemming from Iran or Russia, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1. But what many Americans may not be tracking as closely is what we just kind of talked about here, which is China's positioning of its enormous hacking enterprise, remember, 50 to 1, to give themselves the ability to physically wreak havoc on our critical infrastructure at a time of their choosing. That is a significant risk that the FBI and our partners in the intelligence community are continuing to pressure from a technical standpoint, to make sure that we're defending the homeland while also informing decision makers on what that threat environment looks like.
Podcast Host/Interviewer
And you did, speaking of Volt Typhoon, recently have quite a big accomplishment with respect to disruption. So can you talk about what that looked like and really how it worked?
Brett Leatherman
Yeah, absolutely. So in the case of Volt Typhoon as well as Dying Ember, I'll give you two examples here. If Volt Typhoon targeted infrastructure used by the PRC actors, Dying Ember targeted infrastructure that was co-opted by the Russian GRU. The GRU is the Russian military intelligence service. And now we've got two militaries targeting, you know, United States equities. In both those cases, the FBI leveraged Rule 41 of the Federal Criminal Code, that allows us to pursue search and seizure warrants under the federal courts, under the purview of the federal courts. And what that lets us do is go into these devices all at once, identify malicious code used by the adversary, that is basically their tools that they use to co-opt the infrastructure, remove or render that code inoperable so that the adversary no longer has access to that infrastructure, and then build resilience, natural resilience, into those devices without modifying them, which basically closes the doors to the adversary and locks them from getting back in there. And so in the case of Volt Typhoon, that was hundreds of devices. In the case of Dying Ember, that was thousands of devices. And what that means is those devices are no longer able to be directed at critical infrastructure, private sector companies or anybody else as a result of that technical work.
Podcast Host/Interviewer
And what do you mean when you say devices? What are these specific devices that this malware is found on?
Brett Leatherman
Yeah, so in the case of both Dying Ember and Volt Typhoon, those are what we call SOHO devices, or small office/home office devices. So think about, you know, individual users at home. It could be a cable modem or a router at home, or small to medium businesses who are running those small devices, less of an enterprise device, that are end of life. And end of life means the company no longer supports the device and its security. They are no longer pushing patches out there because the hardware is so outdated that it is likely the hardware is not capable of having new software placed on it. And so end users don't typically know that's the case, but it gives the adversary a way into those devices. And when they can find a vulnerability on one SOHO device like a router, then they will scan, they'll enumerate the IPv4 or IPv6 space, the Internet space, for those vulnerabilities, and they'll identify those routers or devices, they'll weaponize them, they'll maintain persistence and presence on there, and then they'll use them to target American businesses, American critical infrastructure and government agencies.
Brandon Van Grack
Earlier this week, you all, you all being the FBI, announced another disruption involving APT31. I'm wondering if you just want to sort of talk about that and sort of how it fits in the picture as well.
Brett Leatherman
Yeah. So the FBI and the Justice Department just announced the indictment, or the charging, of seven nationals associated with the People's Republic of China with conspiracy to commit computer intrusion and conspiracy to commit wire fraud for their involvement in basically hacking US-based businesses and dissidents or others who are outspoken against the CCP in general for over 14 years. And so these individuals are associated with the Chinese Ministry of State Security, or MSS, which also has a hacking mandate by the PRC to engage in these kind of technical operations. And this is, you know, when we look at the technical operations against Volt Typhoon and then you pair that with these indictments against actual affiliates of the MSS, this just shows the importance of taking this all-of-government approach to combating the threat. Technical operations have a tremendous disruption capability. We want to provide that relief to private sector and others when we conduct those technical operations. But we also want to acknowledge publicly what is happening so the public understands the impact of these hacking campaigns, both to our economy, but also to the lives of people who are being hacked into because of their First Amendment rights to say what they want to say here in the United States in speaking out against another government. And so it's important for us to acknowledge that publicly, and it serves as a deterrent to other actors who may be involved in similar activity hacking United States companies and individuals, in understanding that the US government has tremendous attribution power through our authorities and that we can pursue indictments against individuals, even those associated with a foreign nation state, when they engage in this kind of activity against US equities.
Brandon Van Grack
Just in the last few minutes you've now talked about, we've now talked about, you know, three, what appear to be sort of major disruptions, that occurred arguably in the last three months. And I suspect you could probably name half a dozen other ones that have occurred over the last year. And I'm wondering why we are seeing this now. This cybersecurity, the threats that we're talking about at critical infrastructure, they have existed for a while, but we are now seeing, it seems like on a monthly and almost weekly basis, these actions. And I'm wondering, why now? What is it about our capabilities, our focus, that has changed?
Brett Leatherman
Yeah, it's a great question, Brandon. What I would say is 2022 was kind of a banner year for us when it came to technical operations. 2023, just last year, we had a record number of operations, and early in 2024, we're talking three months into 2024, and we are already tremendously impacting the criminal and the state-sponsored hacking environment here in the US. And I think it's a realization by the intelligence community and law enforcement agencies, as well as our international partners, that we have to do something now and not wait till later, because later it's very difficult to roll back some of the pre-placement of malware and some of the footholds that the adversary gets. And I think you will also see just a very robust partnership like we've never had before with our partners across the USIC and law enforcement community. That's NSA, FBI, CIA, DHS, CISA, U.S. Secret Service, all these partners working together to bring this combined authorities and capabilities apparatus to address the threat. But also our international partners. We just did a major disruption against the number one ransomware variant out there, LockBit. And that was with our partners at the National Crime Agency in the United Kingdom. And so our international partnerships and those who value norms in the global cyber fight, like our friends in the UK, we partner in that regard. But also, unlike any other threat we face in the FBI, private sector is an equal player in this fight. And so when you see us do these disruptions or these operations, often it's with either the cooperation of victims who've been breached in advance, providing the FBI with indicators of compromise, tactics, techniques and procedures that the adversary is using in their environment. And that intelligence gives us the ability to pivot into the adversary in an offensive way, or companies who have unique visibility into the threat landscape.
Some of the threat intelligence companies out there, and the major providers, cloud providers, ISPs and others, that provide us intelligence that allows us to target malicious actors as well. So it's not just a whole-of-government approach, it's a whole-of-society approach. And we have to partner together to build resilience domestically because the adversary is partnering with or co-opting their private sector to engage in these hacking campaigns. So I think what you've seen is just a sense of urgency on the US government's part to really defend the homeland against an increasingly pervasive hacking environment by some of the rogue nation states and criminal enterprises.
Brandon Van Grack
As a public service announcement, ISP is Internet service provider. You mentioned two topics we're going to transition to, both ransomware and the role of the private sector. But one follow-up before we do, which is, again, some of these, the disruptions you just mentioned, are impressive in scale and scope. How do you measure the impact, though? How do you both, as the FBI and the US government, determine, you know, the impact those, for example, three operations in fact have had to protect critical infrastructure?
Brett Leatherman
Yeah, so impact is important. Right. The FBI is a storied law enforcement organization. And as an FBI agent, I can speak on behalf of all the FBI personnel in saying that there's no greater impact that we like to see than actually putting handcuffs on somebody who has hurt other people and ensuring that they face the blind scales of justice here in the United States. But we recognize that with some of the safe haven countries out there, we cannot get everybody to face justice here. And so what is impact to us is twofold. What mitigates the cyber attacks against the United States, meaning what authorities can we bring to bear to disrupt the actors? And how can we do that in a sustained and enduring way where we can? And number two, equally important to us, is prioritizing victim engagement and ensuring that those who have been targeted by a cyber attack have the resources needed to contain the threat and to reconstitute after the threat. And we work closely with DHS and the Cybersecurity and Infrastructure Security Agency on that. So when we conduct what we call joint sequenced operations, those are our disruption efforts, we look at who is the best player to conduct an operation. And if the FBI's tools or the FBI's infrastructure can be used by the Department of Defense to have the most impact, then the FBI should allow DoD to take the first shot at the adversary. And likewise, I think if DoD or our partners indicate the FBI is best positioned, we're the best player to do something, that we should do it, but we should do so looking not for a quick win necessarily, but looking for a way that brings respite to victims who are constantly under attack by these adversaries. Sometimes that looks like a temporary disruption, and that's the best we can do in the moment. Other times it's more of a dismantlement, in which we are able to actually take the adversary's infrastructure off the battlefield.
We're able to provide decryptors to victim companies to help them reconstitute. And so every operation is different. And we have to prioritize victims when doing this work.
Podcast Host/Interviewer
Did I talk too much?
Brett Leatherman
Can't I just let it go? I wish I would stop thanking so much.
Podcast Advertiser 1
Take a breath. You're not alone. Counseling helps you sort through the noise with qualified professionals. Get matched with a therapist online based on your unique needs and get help with everyday struggles like anxiety or managing tough emotions. Visit betterhelp.comrandompodcast for 10% off your first month of online therapy and let life feel better.
Podcast Advertiser 2
I'm no tech genius, but I knew if I wanted my business to crush it, I needed a website. Now, thankfully, Bluehost made it easy. I customized, optimized and monetized everything exactly how I wanted with AI. In minutes, my site was up. I couldn't believe it. The search engine tools even helped me get more site visitors. Whatever your passion project is, you can set it up with Bluehost with their 30-day money-back guarantee. What have you got to lose? Head to bluehost.com to start now.
Podcast Advertiser 3
What makes a great pair of glasses? At Warby Parker, it's all the invisible extras without the extra cost. Their designer-quality frames start at $95, including prescription lenses, plus scratch-resistant, smudge-resistant and anti-reflective coatings and UV protection, and free adjustments for life. To find your next pair of glasses, sunglasses or contact lenses, or to find the Warby Parker store nearest you, head over to warbyparker.com. That's warbyparker.com.
Podcast Host/Interviewer
Okay, so let's switch gears a little bit, just to take things back up to a 30,000-foot level. One of the other major types of threats that you've mentioned and touched on a bit is ransomware. And I think this is really demonstrative of the diversity of the threat, because you're dealing not only with nation states, as you've mentioned, and sometimes quasi-state actors, but also with just criminal gangs, people operating purely for pecuniary gain. So talk to us about the big-picture threat of ransomware. What is it, what kind of threat does it pose, and how are you all dealing with it?
Brett Leatherman
Yeah, I think, you know, earlier I defined ransomware, really in the criminal environment, as a tactical threat to us. It is something in our face. It's loud. It's unlike cyber espionage, which is very quiet and the public doesn't always see. Ransomware is often an attack on US businesses or government agencies or nonprofits in a way that encrypts their data, makes their data unavailable. When you think about cyber attacks, they usually target the confidentiality, the integrity or the availability of data. Today's ransomware attacks really focus on exploiting both the confidentiality and the availability of data. And so the encryption itself makes the data unavailable to the end user, who has to conduct business and can't because they don't have access to those systems or that data. And then what they do is, prior to launching the ransomware variant to encrypt the data, they exfiltrate as much data as they can so that they can also extort the victim into providing some sort of ransom payment. And that can be sensitive information about mergers and acquisitions, sensitive emails, things that might be embarrassing to the business or C-suite executives. And that is lucrative. And if the business doesn't pay up, they will often publish that information on websites in order to shame the victim. So, you know, I mentioned LockBit earlier. That's a good example of a good disruption by the FBI. But it had tremendous impact. It was the number one variant, we assess, out there. And there were 150 affiliates of LockBit around the world. And when I say affiliate, that's because LockBit operated as what we call ransomware-as-a-service. That is a model in which affiliates use the tools and the infrastructure of the LockBit administration to coordinate their attacks. And they also employed a double extortion method by first encrypting victim data and then threatening to post, you know, exfiltrated data publicly.
Global LockBit exploitation, we assess, has resulted in ransom payments in excess of $144 million. Think about that kind of economy for a criminal enterprise, right? When you get $144 million in ransom payments, there's a certain incentive to continue targeting US businesses as a result of that. So we know that LockBit had attacked at least 1,600 U.S. victims. So NCA, our partners at the National Crime Agency in the United Kingdom, and the US engaged in a coordinated operation to indict individuals of the LockBit group, to sanction individuals of the LockBit group, to do an infrastructure disruption, and to provide decryptors to organizations who had been impacted by LockBit. That's an example of a more sustained disruption that has real impact to those businesses. Think school districts, hospitals and others who are unable to function as a result of that data encryption. Now, that threat is not just to business systems, but ransomware can have life safety implications. Certainly when you're talking about hospitals and medical records and the potential to impact law enforcement agencies, the ability to impact other individuals or entities within critical infrastructure, there's real kinetic effects associated with that.
Podcast Host/Interviewer
Yeah, and I'm glad you mentioned healthcare, because of course another recent example, very prominent example, of a ransomware attack was to the UnitedHealthcare system, which had really awful effects on people needing life-saving and life-sustaining medical treatment. And a wide variety of healthcare providers were really paralyzed in their ability to deliver services because of the attack. And it seems to me, you know, healthcare systems are not really what you would think of in the first instance as a great target for making a whole lot of money. Nor does it seem like a great victim for a group that is interested in sort of naming and shaming. So I'm curious what you all think of the phenomenon that does seem to be an increasing threat that the FBI has identified in its recent IC3 report. What is the purpose of targeting health care in particular?
Brett Leatherman
Yeah, I think there's two things the actors look at. Number one, there needs to be high availability of systems and data in the healthcare sector. And so there's not as much time to reconstitute as there is to maybe get a decryptor and start to decrypt systems to give patients the healthcare that they need or to help pharmacies fulfill prescription orders and whatnot. And so there's a certain action imperative by those operating within healthcare to make a payment, sometimes to get access to those systems back. The other thing I would say is the actors are very proficient at looking at what we call third party risk. And that's where in this case, they didn't target a specific hospital. Right. They targeted the third party of all these hospitals across the country and pharmacies. And these actors are becoming much more proficient at looking where that third party risk sits. Because if they can hit an organization that has cascading impact across sectors and across the country, there is also some exigency as well for organizations to quickly reconstitute in some way, shape or form. And the actors know that. And so they look at those areas where there is that action imperative to try to get systems back up and running quickly.
Brandon Van Grack
Natalie mentioned the IC3 report. What does IC3 stand for?
Brett Leatherman
Yep. IC3 is the FBI's Internet Crime Complaint Center. And that is a central point of intake for all things Internet crime related and cyber intrusions. IC3.gov is the website that folks can go to to report if they are victims of criminal conduct. And what the IC3 does, in addition to providing a deconfliction point for cybercrime tips, is they also put out an annual report to help the public understand what the trends in cybersecurity and fraud are from year to year.
Brandon Van Grack
Maybe to repeat the same question I asked with respect to critical infrastructure. I wonder if you could talk a little bit about the impact, because even, you know, the FBI, you all have talked about when it comes to ransomware, it's a bit of a game of whack-a-mole and you find groups like LockBit sort of reconstituting themselves. So how do you measure the impact that these disruptions have had on ransomware groups?
Brett Leatherman
Yeah, I think again, this impact can vary from campaign to campaign. But I think in totality, when you look at the uptick in operations we've conducted against these actors, indictments we've obtained against these actors, sanctions against these actors, which has reduced the flow of money going into some of these malicious countries and into some of their hands, in totality, those have an impact. When we do technical operations like LockBit, you go from probably 75% of ransomware attacks that are being conducted by LockBit on any given day to almost zero. That shows real relief to victims for a period of time. And we're still sitting within that period of time where there's been a real decline in attacks. But long term, also I think that demonstrates a lack of operational security by the bad actors. And so I think the affiliates should recognize that, you know, there are operational security shortfalls and we can identify who affiliates are, we can charge them with criminal conduct. And that should serve as a chilling factor for them in the long term to continue engaging in this activity. Now we know, similar to the gang problem we have in major cities, that we may never eradicate the threat itself, but we have to continue to pressure the threat. We have to continue to provide relief to victims and that's what we're committed to doing.
Brandon Van Grack
So just maybe one final question on ransomware, which is forcing you to answer the unanswerable, which is what do you foresee as next in terms of the evolution of the attacks? Is there a sector, is there sort of a type of attack that you sort of perceive as being the one that, you know, when we come back to this a year from now, we're going to be talking about?
Brett Leatherman
Yeah, I think we've touched on it briefly, which to me is that we are trending towards third party compromises, where an organization has to recognize who has access to my data and who has access to my network, because we are increasingly intertwined in the digital space. And what impacts your third party can have direct impact on your organization. That could mean encrypting your data that sits in a data center. It could mean encrypting your systems. If there is connectivity between the third party and your organization, we really have to look at that third party risk. And the second thing I would say pertains to both ransomware actors as well as state sponsored actors, and that is the software based supply chain risk. And what I mean by that is we increasingly rely on software products across various spectrums. Think about SolarWinds, for example, and the SVR's exploitation of the Orion platform within SolarWinds. That compromise of a development server is what we are looking at across all sectors as a major avenue of risk. Because if a threat actor can poison the well in one area that pushes out software updates to thousands or tens of thousands of customers, that is a lucrative environment to propagate malware in a way that is very difficult to detect.
Podcast Host/Interviewer
So one thing you've mentioned a number of times, and I do want to dwell on it for a while, is the significance of the private sector in this whole ordeal. There are so many things that only the private sector can manage here. So there are defensive things, there are just decisions like do I pay the ransom or do I get law enforcement involved? So talk to us about how the private sector is a partner or needs to be a partner in dealing with these cybersecurity risks that you all are focused on.
Brett Leatherman
Yeah, that's a great question, Natalie. And I think the way I would start is saying that unlike other threats, the private sector sits on the front line of the cyber battle. And that is because in the United States, the private sector innovates. We are a great country because of the innovation that happens within private sector companies. That leads America in vaccine research, that leads America in quantum computing. That really puts us on the forefront of disruptive technologies, which means the adversary has a vested interest in stealing that intellectual property to use and to compete with us with virtually $0 in overhead. Right. So that's a long term threat. And so the FBI and the US Government do not see initial indications often of adversaries on networks. It's private sector companies that see that. If the private sector company identifies it and they remediate and they don't contact law enforcement, those actors are going to continue to exploit other companies throughout the United States. If the organization suffers a breach and they reach out to their local FBI field office, we are able to, using our law enforcement authorities and partnerships and voluntary submissions by the private sector, get copies of technical indicators and adversary behavior that we can provide to either the sector or the country writ large to help them understand how to build resiliency into their network. I think it was John F. Kennedy that said a rising tide lifts all boats. That is true here. When an organization reaches out to the FBI and provides this information, we can provide it anonymously across the country and share that in a way that builds resiliency and prevents exploitation from happening. The other thing, you know, I mentioned: the FBI has 56 field offices and personnel located throughout the globe working this threat. Often, for an organization who suffers a breach, it may be the first time they've ever seen this actor or this malware in their environment. And they might be struggling to contain that actor. But the FBI does incident response 365 days a year. We are always viewing what adversaries are doing from the lens of prevention and detection. And we may bring intelligence or capabilities to bear early on in incident response for a company that might not otherwise be available, because we have both that intelligence community and that law enforcement mission. In fact, it may not be available to any other private sector company to have. So there's value in calling the FBI early, but there's also value to the FBI when you do that and to the community writ large in doing that.
Podcast Host/Interviewer
Right. I mean, the thing that seems really tricky to me is that, using ransomware as an example, you know, it's not necessarily obvious, though it may seem ideal that it would be, for a victim of a ransomware attack to choose to contact the FBI, because most likely the threat is going to involve a ticking clock and a very specific threat that is a very scary one to the business or the entity that's under attack. And oftentimes they involve an indication that you should not get law enforcement involved. So I guess a two part question here. One is, how do you all incentivize companies or other entities that are subject to attack to get you involved, even though it seems that there is a risk that it may come at a cost to them? Thinking more broadly, it would be great if everyone had a public spirit about it, but we have to be honest about the incentive structures and the difficulties that these entities might be facing from their perspective. And a second related question. What is your estimate about, for example, the number of ransomware attacks that result in payments about which the FBI and other law enforcement entities are not made aware?
Brett Leatherman
Yeah, those are two great questions. And what I would say to the first question is the FBI is a law enforcement agency, not a regulatory agency, and is bound by the Victims' Rights Act. And we treat victims of cyber compromises like victims. They have been victimized by criminal or state sponsored actors. The FBI recognizes that the information we collect is generally under law enforcement investigative work. And so it's covered by those law enforcement equities. And then the value proposition here is we also bring that intelligence that nobody else can to help with that remediation and intelligence work. I would say also, despite our best effort to message this, when we did the Hive ransomware takedown, which I believe was last year, what we saw when we got into the Hive admin panel is we saw victims who were being compromised, and we would quickly identify decryptors and surreptitiously get those decryptors to the victims so they could decrypt while we maintained a presence on the Hive infrastructure. By the time we took the infrastructure down, we were able to have that disruption of the infrastructure. We identified that only about 20% of the victims of the Hive ransomware variant actually reported to law enforcement. So had we not seen them in the panel actually engaged in these negotiations with the Hive actors, we would not have known that they were victimized when in fact we had that decryption capability. So I think reporting to law enforcement is important because, while we won't always have decryption capability, we are experts at responding to crisis. Think about our counterterrorism mission, think about our criminal mission. We can help bring some calm to the storm that an organization may be facing and help them to understand kind of what the risk is to their enterprise and to their business. Bottom line, by not engaging law enforcement, we try to do that in advance. So I think there's a lot of benefit to bringing us in early on.
Brandon Van Grack
On the topic of disclosure, we'd be remiss if we ended a podcast without talking, in fact, about a regulator. And so, as we said at the outset, one of the areas of cybersecurity is that the US Government is increasingly regulating the space and trying to identify regulation. And so one of the more recent ones was the Securities and Exchange Commission, which at the end of last year implemented a rule that requires public companies to publicly disclose material cyber incidents within four business days. But there is an exception to this rule where the attorney general determines that that disclosure would be a threat to national security and public safety. And in fact, the FBI is part of that process and determination. So it really dovetails with some of your comments earlier about disclosure of these incidents. And I'm wondering, now that this SEC rule has been in place for about three months, in fact, what are you seeing in terms of those public disclosures? And in fact, have companies been coming to the FBI and DOJ to seek that exception?
Brett Leatherman
Yeah, that's a great question. And so, yeah, the SEC, the Securities and Exchange Commission, put this rule into place. I think it was December or January. Basically, when an organization identifies materiality, so not necessarily the breach itself, but when they determine there's materiality related to that breach, they have an obligation to report to the SEC. And so they can go publicly report at whatever point they deem necessary. But if they believe there's a national security implication to that reporting, meaning if that report goes public, there may be impact to law enforcement investigations, they can consult with the FBI, and we have an intake form for them to do that. They can consult with the FBI to determine if they intend to seek a waiver from reporting to the attorney general. And so that intake form comes to the FBI. We do some assessments and have conversations with the company about that very transparently. We present that to the Department of Justice, and we work with the SEC to determine should there be a delay, should there be a waiver in that public reporting or not? Right. And so ultimately DOJ makes that decision, not the FBI. But that is an example of, I think, an increased regulatory environment when it comes to recognizing these cyber breaches don't just have impact to organizations, but they have impact to stakeholders in different ways.
Brandon Van Grack
And in fact, in these few months, are companies reaching out to the FBI? Like, how has that process worked?
Brett Leatherman
Yeah, so two ways, right? So they can go right to the form and submit the form itself without even talking to the FBI. And that form will come into the FBI Cyber Watch Center 24/7 watch floor, and then we will action that. Or more importantly, they can reach out to their local FBI field office and start having the discussion with a trusted partner within the local FBI field office to better determine if, you know, that's something that should move forward or not. So that's in part why we encourage businesses, local businesses, to have a relationship with their local FBI field office before a breach happens. So that you have an FBI agent's number on speed dial when the time is right to either report a compromise or look at this SEC rule submission. We have engaged in dialogue with companies, I can't get into details about that, but we have engaged in dialogue with companies related to waivers in the national security space.
Podcast Host/Interviewer
So I think a good place to wrap up is, you know, coming back to something that Brandon mentioned at the top, and in fact the fact that this SEC rule is quite new and a new initiative: where, based on your work, are you seeing gaps where it would be particularly useful to have regulations that don't exist yet?
Brett Leatherman
Two areas, and this is less for having regulations, because we're not a regulatory agency. It is more on what we can do, I think, to breed resilience across the country and to work together. Number one is for victims to report a cyber breach to their local FBI field office as soon as they identify an anomaly. And that is to help us understand what that threat environment is, to pursue the actors and to help with remediation activity. And I would say the other thing is for those major cloud providers or major providers in general, who have tremendous threat investigators working for them, as they see shifts in adversary tactics, to reach out to us and let us know as well. We obviously view from our intelligence community standpoint what those shifts are. But, you know, there are major providers out there who have a great view of what the adversary is doing and how they're evolving. And we'd love to hear that as well. So I think just generally contacting, engaging the FBI on this front really helps us to understand and helps us to defend the country. There is of course FISA 702, which is a big discussion item here as of late. And what I will say is the FISA 702 carve out allows the US intelligence community to collect on adversary infrastructure in the United States when the adversary is located outside the United States. And what I mean by that is generally a foreign intelligence officer or military officer engaging in hacking against U.S. companies. When that officer sits in a foreign country but rides on US infrastructure, that allows the FBI to be very nimble in the way we can transit infrastructure and collect on the threat. There's a lot of debate right now on the Hill related to that. That is a vital tool for us in the cyber fight. We're probably the top users within the FBI of FISA 702 capabilities. And that's because often technical indicators change by the day, sometimes by the minute. And if we are not able to adequately follow the adversary across US infrastructure, that's a risk to our investigators in being able to maintain that coverage and warn victims that are being targeted by those actors.
Podcast Host/Interviewer
So I'm wondering though, understanding of course that you all are not regulators and are just enforcing what laws and regulations exist. Does it seem like we are ripe for, let's say, a carrot or a stick sort of approach? Would you think that it would be valuable to have regulations, for example, that would create some liability scheme for companies that fail to implement baseline defensive strategies into their cyber defenses? Would you want to see specific incentive structures, you know, in the form of, I don't know, for example: we will make sure that you, the company that is disclosing and getting the FBI involved in your response to this ransomware attack, get specific types of resources or benefits in exchange for engaging us at the earliest stages? What sorts of rules would be the most effective in your mind for getting private sector entities to be maximally cooperative and maximally useful partners in ensuring US cybersecurity?
Brett Leatherman
Yeah, I'll give you kind of two thoughts on that. I think number one, we do need to increase baseline cybersecurity across the spectrum. And the reason for that is the actors, whether it's Volt Typhoon, whether it's Dying Ember or whoever, are doing what we call living off the land, which means they're getting into environments way too easily and using network or system tools to persist in that environment. And what that means is they do not have to spend millions of dollars on sophisticated tools to get into networks. We're making it very easy on them to get in. And so raising that baseline level of security is important, whatever that looks like. The second is that the Office of the National Cyber Director released, I think it was last year, the nation's cybersecurity strategy. And part of that strategy is placing some of the onus on the major providers, because we can't rely on small and medium businesses to always be able to defend against the Russian GRU or the PRC's PLA. Right. And so putting some of the onus on secure by design, building resiliency into the products themselves that the manufacturers are making, building resiliency into the backbone of American communication infrastructure, that will help defend the country in, I think, a way that helps us move the needle. I do think also that if you just engage in cybersecurity practices to meet regulatory requirements, we're generally behind the ball. I think we've got to go beyond what regulation requires when, you know, mandating certain cybersecurity standards. I agree we have to reach those standards, but we have to go beyond those standards to build that resilience.
Podcast Host/Interviewer
Okay, I think we're going to have to leave it there. Brett Leatherman, thank you so much for joining us.
Brett Leatherman
Thank you.
Natalie Orpett
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies and the Aftermath, our latest Lawfare Presents podcast series on the government response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Kara Schillen of Goat Rodeo. Our music is performed by Sophia Yan. As always, thank you for listening.
Original Airdate: March 28, 2024 (Re-aired September 7, 2025)
Guests:
This episode presents a deep dive into the FBI’s efforts to combat cyberattacks, focusing on both state-sponsored and criminal threats and highlighting the importance of public-private sector cooperation. Brett Leatherman provides insights into the evolution of the FBI’s cyber mission, operational case studies (including the Volt Typhoon and Lockbit disruptions), and the persistent challenges of defending U.S. critical infrastructure.
Timestamps: 05:58–07:59
“...As the Bureau recognized this shift by all actors—terrorists, criminals, spies...to these digital platforms...”
— Brett Leatherman (06:29)
Timestamps: 07:59–09:29
Timestamps: 10:17–12:07
“...to keep the attacks off the homeland the best we can, to defend forward...and fight those fights in the virtual battlefield...”
— Brett Leatherman (11:41)
Timestamps: 13:39–17:18
“If all the FBI’s cyber agents and all the FBI’s cyber intelligence analysts focused solely on mitigating the threat to China ... Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.”
— Brett Leatherman (16:16)
Timestamps: 17:18–22:28
“When they can find a vulnerability on one SOHO device like a router...They’ll weaponize them, maintain persistence...and use them to target American businesses, American critical infrastructure, and government agencies.”
— Brett Leatherman (19:33)
Timestamps: 22:28–25:56
Timestamps: 25:56–28:49
Timestamps: 30:18–34:26
“Today’s ransomware attacks really focus on exploiting both the confidentiality and the availability of data.”
— Brett Leatherman (31:36)
Timestamps: 34:26–36:41
“...They didn’t target a specific hospital. Right. They targeted the third party of all these hospitals...If they can hit an organization that has cascading impact...there’s also some exigency...to quickly reconstitute.”
— Brett Leatherman (35:54)
Timestamps: 36:41–37:19
Timestamps: 37:19–40:50
Timestamps: 41:25–44:11
“...A rising tide lifts all boats. That is true here. When an organization reaches out to the FBI and provides information, we can provide it anonymously...builds resiliency and prevents exploitation...”
— Brett Leatherman (42:59)
Timestamps: 44:11–47:41
Timestamps: 47:41–54:08
“...We’re probably the top users within the FBI of FISA 702 capabilities...If we are not able to adequately follow the adversary...that’s a risk to our investigators in being able to maintain that coverage and warn victims...”
— Brett Leatherman (53:06)
Timestamps: 54:08–57:08
“If you just engage in cybersecurity practices to meet regulatory requirements, we’re generally behind the ball...We have to go beyond what regulation requires...”
— Brett Leatherman (56:19)
On the scale of the Chinese threat:
“Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.” (16:16)
On international and private sector partnerships:
“Private sector is an equal player in this fight...it’s a whole-of-society approach.” (24:18)
On prevalence of underreporting:
“...only about 20% of the victims...actually reported to law enforcement...” (46:44)
On evolving tactics:
“We are trending towards third party compromises...the software-based supply chain risk...” (39:27)
This episode offers a comprehensive, boots-on-the-ground perspective on America’s cyber defense strategy. The FBI’s approach combines technical operations, intelligence, victim engagement, and partnerships at every level. The persistent message is that countering cyber threats requires resilient infrastructure, proactive private sector cooperation, and a readiness to exceed regulatory minima.
Listeners are left with clear calls to action: