interview

Keith Mularski

Supervisory Special Agent of the Cyber Squad, Pittsburgh Division of the Federal Bureau of Investigation

Investigating Federal cyber crime (and why indictments matter)

November 17, 2014—Back in December of 2012 at a cyber community event in Baltimore, Special Agent Mularski described his experience breaking up organized cyber criminal gangs. This interview gives us a chance to catch up with him about recent developments in cyber law enforcement.

The CyberWire: Thanks for taking the time to speak with us. What's most on your mind with respect to cyber crime these days? Are you seeing any important trends?

Mularski: We're seeing a lot of continued use of financial malware. You'll recall the GameOver Zeus takedown over the summer. Since then we've seen new financial malware take its place. Right now the Dyre malware is among the most significant. The other big trend is point-of-sale malware, which has compromised some of the biggest companies in the United States. I'd say these two are the biggest trends in cyber crime, but we're also keeping a close watch on the rising tide of mobile malware.

The CyberWire: We've been hearing a fair amount about the criminal black markets' bargain basement, where sophisticated exploits can be bought at reasonable prices and used by relative non-specialists.

Mularski: Criminals are automating a lot of their processes. Exploit kits are part of that. After Paunch was arrested and Blackhole taken down, a couple of competitors have sprung up to take their place. We're also seeing automated vending carts—like Zappos for crooks: you put the cards in your cart and go to the checkout.

The CyberWire: So black markets continue to mimic legitimate commerce?

Mularski: They do. Cyber criminals view themselves as businessmen. They even buy ads on underground forums.

The CyberWire: You were one of the Special Agents who penetrated and took down the international Darkmarket criminal-carding forum. What lessons would you advise businesses, whether they're mom-and-pop retailers or multinational corporations, to draw from recent retail data breaches?

Mularski: We have to understand that this is organized crime for the 21st Century. In their own way, they've got a lot in common with La Cosa Nostra in New York, back in the old days. They're no longer just hackers sitting by themselves in basements. They're organized efforts to make money, and they're very persistent. If they don't succeed today, they'll be back tomorrow.

The best thing a small business can do to protect itself is to segregate its systems. Have one computer you use for nothing other than financial transactions—don't use it for email, for social media, for surfing the Internet. Reserve it for payroll, payments, wire transfers, and so on.

The CyberWire: When you spoke in Baltimore, you described your experience investigating organized cyber crime and online fraud. You warned your audience to expect to see a convergence of ordinary hacking—hackers doing it for the lulz—and cyber crime. Have you seen this trend borne out?

Mularski: Yes indeed. As I say, it's become organized crime. People who may have begun as hobbyist hackers doing it for the lulz take a look at what they've done, see ways of making money from it, and then organize themselves to do just that.

The CyberWire: So then Sabu would be the 21st century analogue of Joe Valachi?

Mularski: That's right. That's a good illustration of what the FBI does. We've been excellent at penetrating organized crime. We look for the bigger picture, and we work to impact the whole enterprise.

The CyberWire: Some analysts think we're also seeing a convergence of hacktivism and cyber espionage. They cite, for example, the case of the "Syrian Electronic Army." Are you seeing the same thing? Or is the exploitation of hacktivism by state security services just an updated case of the familiar false flag covert operations we've seen for years?

Mularski: We'd be naïve to assume that some of these things weren't going on.

The CyberWire: Insider threats are also much on everyone's mind. You were one of the investigators of one of the biggest insider threats in US history—the Robert Hanssen espionage case. Hanssen was, of course, an old school threat, but cyber space gives malicious insiders even greater scope for their activities. What insights would you like to share on preventing, recognizing, and mitigating an insider threat?

Mularski: The insider threat is always something we're concerned about. It's so much easier to operate from the inside than to penetrate firewalls, intrusion detection systems, and the other elements of an enterprise's defense. You've obviously got to look out for the Snowden stuff. FBI.gov has a good section on counterintelligence that offers some tips on what to look for with respect to insider threats.[1]

The CyberWire: What motives stand out?

Mularski: With the insider threat to businesses, simple theft and revenge—hitting back when you're disenchanted with your boss or your company—seem to be the most common.

The CyberWire: Hanssen, of course, was one of the FBI's own. What does an organization go through when it uncovers that kind of betrayal?

Mularski: At a personal level, it's jarring to think that everything you've done has potentially been compromised. To have one of your own, someone you trusted, betray you has a great impact. Internally we're a trusting organization: we trust one another not only with our success, but also with our lives. It's very disheartening and hard to get over.

The CyberWire: Cyber law enforcement seems to require a great deal of information sharing. How's that coming along, both domestically and internationally?

Mularski: We've made so many great strides. When I look back seven years, I'm amazed how far we've come. The FBI's InfraGard outreach to, and partnership with, the private sector is one success.[2] Two years ago the President signed an Executive Order that enabled the Federal Government to declassify cyber threat information and pass it on to industry. That's had a great, positive effect. We're establishing outreach tailored to different sectors—finance, energy, gas, and so on. And there's legislation pending that would make it even easier to share threat information.

Internationally we've made equally long strides. The world is coming to realize that cyber doesn't have boundaries, and that an attack on the United States will affect everyone. The enforcement actions against Silk Road, GameOver Zeus, and Blackshades are great examples of international law enforcement cooperation.

We've established an internship program that enables foreign law enforcement officers to embed with the FBI. We've deployed Cyber Assistant Legal Attaches, "Cyber ALATs," in a number of our embassies around the world, and we've also been able to deploy Special Agents internationally with local police agencies.

Europol has shown us some excellent cooperation, particularly through their EC3 program. They've been able to bring in national police and coordinate law enforcement activities across the European Union.

The CyberWire: You were one of the Special Agents responsible for the investigation that secured Federal indictments of five People's Liberation Army officers on charges related to industrial espionage. What can you tell us about your investigation?

Mularski: You know, the best details are laid out in the indictment. Our Pittsburgh FBI office saw foreign operators targeting intellectual property in Western Pennsylvania's industry—US Steel, the United Steelworkers, Alcoa, Westinghouse, and so on. This was having an effect on jobs, on the economy, and we couldn't just stand by. We investigated, laid out our case, and showed what was going on and why.

The CyberWire: Why Pennsylvania? Was it a location of opportunity where there were resources or expertise, or was the state's industrial base particularly targeted?

Mularski: I think our team in Pittsburgh was uniquely well positioned to conduct an investigation into cyber intellectual property theft. We have some of the best Special Agents in the cyber field. We wanted to show that theft of intellectual property is intolerable. The United States Government doesn't hack foreign intellectual property to hand over to United States companies, and we won't tolerate other nations' conducting industrial espionage on behalf of their companies. So we had the team to investigate the crime, the United States Attorney for Western Pennsylvania was ready, and the case came together.

The CyberWire: Former FBI Director Robert Mueller went on the record shortly after the indictments were announced to say that he thought they would have a healthy deterrent effect. He felt it particularly important, in cases like this, to get to what he called "the warm body at the keyboard." What do you think? Are those warm bodies important?

Mularski: I absolutely agree with Director Mueller. People say all the time, "we hear all these allegations, but where's the proof?" Well, in the United States, the best proof is produced in the courts. We lay out our case and show we're willing to go to court to prove it. At the end of the day, you've got to put a face to the hacking. If it's a crime, then the average person needs to understand that. Intellectual property theft isn't something that just happens by accident. Someone does it deliberately. And we need to show who did it, what they did, how they did it, the effect it had, and its impact on all of us.

The CyberWire: Some observers in the US, notably Ira Winkler in a May 29, 2014, post at Dark Reading,[3] think the indictments frivolous if not actually dangerous. Winkler essentially argues that we indicted military officers who were following legal orders, which suggests (1) a superior orders defense, and (2) either that no US laws were violated or that foreign nationals can't under these circumstances be held to have violated US law. Without expecting you to comment on policy, can you explain the legal rationale for the indictments?

Mularski: I certainly respect Mr. Winkler's opinion, but I would have to differ. A number of things went into the indictment. We're not talking about conventional espionage. We're talking about the theft of United States intellectual property—twenty to thirty years of work stolen and given to state-sponsored competitors. We can't tolerate this. So, as I say, while respecting the contrary opinion, I would ask what they would propose we do to stop such theft.

The CyberWire: One supposes, at least, that since we're not at war with China, representing the hacking of intellectual property as a legitimate ruse de guerre is a bit of a reach?

Mularski: That's about right.

The CyberWire: Is there anything else you'd like to share with the CyberWire's readers?

Mularski: First, I'd like to thank them for their time and attention. Cyber is part of our lives, now and going forward. Its involvement in all aspects of our lives is the new normal. Look at how far we've come in the last few years, and imagine what our world will be like fifteen years from now.

The CyberWire: Thank you, Special Agent Mularski.

[1] "The Insider Threat: An introduction to detecting and deterring an insider spy." FBI. http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

[2] "InfraGard: Partnership for Protection." https://www.infragard.org/

[3] Ira Winkler, "Indicting Chinese Military Officers is a Huge Mistake," Dark Reading, May 29, 2014. http://www.darkreading.com/attacks-breaches/indicting-chinese-military-officers-is-a-huge-mistake/a/d-id/1269297?