Written by Sean Lyngaas
While dealing with a massive cyber-espionage campaign against the U.S. government, the FBI is trying to quietly implement a new strategy aimed at better tracking foreign hackers.
FBI officials last spring gave the head of the National Cyber Investigative Joint Task Force (NCIJTF) — a group of intelligence, law enforcement and defense officials who track hacking threats — a more senior role within the bureau, according to Tonya Ugoretz, deputy assistant director in the FBI’s cyber division. The result is that a senior FBI official now leads an interagency group whose work could lead to offensive cyber-operations, sanctions or State Department démarches — or all three. Herb Stapleton, the former head of the FBI’s Cyber Crime Operations, is filling that role.
The goal of the strategy, which the FBI unveiled in September, is to disrupt foreign cyber operations against U.S. assets by “changing the risk calculus” of adversaries, as Ugoretz put it. FBI officials have set up “mission centers” within the bureau to focus resources on “the top nation-state [cyber] adversaries,” along with ransomware gangs, she said. A senior NCIJTF official from a different intelligence or defense agency leads each “mission center” so that threat data can be shared more easily, she said.
The update comes at a humbling moment for cybersecurity personnel at the FBI, the Department of Homeland Security and U.S. intelligence agencies.
A long-running alleged Russian hacking operation has used tainted software made by SolarWinds, a federal contractor, to infiltrate multiple federal agencies, including the departments of Justice and Treasury, and the U.S. federal court system.
The espionage campaign has exposed glaring weaknesses in American defenses while also affecting corporate America, and will likely take months to clean up. It seems to represent the kind of activity the FBI’s cyber efforts would aim to mitigate.
Ugoretz declined to comment on the details of the SolarWinds hacking campaign, but she did say it underscored the importance of the strategy.
“We can use our law enforcement and intelligence authorities both to support those defending networks and conducting offensive activities, and to attribute the activity and [hold] nefarious actors accountable, leading to greater deterrence,” she said.
The new FBI approach to disrupting adversaries will mean training personnel who, in the course of investigating an intrusion, know which pieces of data might be useful to U.S. intelligence agencies considering offensive cyber-operations, for example. It could also mean expanding the number of cyber-focused personnel the bureau has at U.S. embassies.
There are other changes in cybersecurity personnel afoot at the FBI. Matt Gorham, the most senior cybersecurity official at the FBI, plans to retire on Feb. 5. Gorham’s retirement was not a surprise, a bureau official said, as he was eligible for retirement after spending 25 years at the bureau. The FBI has yet to name a replacement for Gorham.
‘Understanding the totality of the activity’
Cyber-espionage is inevitable, but the FBI and other U.S. agencies try to make it harder for spies to successfully exploit — and therefore undermine trust in — large segments of the software supply chain on which major U.S. corporations rely. The FBI was implementing its strategy as the suspected Russian spies were lurking in federal agency networks over the last several months.
The FBI began putting key pieces of the strategy in place in the spring of 2020, months after the suspected Russian hackers had begun tampering with SolarWinds software.
For the FBI and U.S. intelligence agencies, the espionage campaign is a case study in the tradecraft and ambitions of state-backed hackers. It is important for the bureau to understand an attacker’s intent in these types of complex hacking incidents, Ugoretz said.
“It’s not just about, for FBI, responding to a specific intrusion but understanding how the totality of the activity supports what the adversary is trying to achieve,” she said.
The FBI, along with the Department of Homeland Security and intelligence agencies, said in a Jan. 5 statement that the SolarWinds espionage operation was “likely Russian in origin.” Ugoretz would not comment further on the attribution of the SolarWinds campaign, citing an ongoing investigation. But she pointed to recent cases of U.S. officials attributing election interference activity to Iran as examples of “what we’re trying to achieve through our strategy” to support “rapid attribution” of cyber activity.
As for the strategy itself, Ugoretz said it will live on in the Biden administration.
“It is the FBI cyber strategy…which transcends any individual or group leadership team that’s in place at any one time,” she said.