Special Editions 9.13.22
Ep 45 | 9.13.22

A conversation with members of Baltimore FBI: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden.


Dave Bittner: The U.S. FBI is actively engaged in outreach with businesses of all sizes across the nation, bringing their resources and expertise to bear to help defend against cyber threats. I recently met Thomas J. Sobocinski, special agent in charge of the FBI Baltimore Field Office, and Supervisor Special Agent Tom Breeden, who heads up cyber operations at the Baltimore Field Office. Special Agent in Charge Sobocinski speaks first.

Thomas J Sobocinski: Yeah, I think we are improving. And we're doing really well. And so I think what the FBI - obviously we have been around for over a hundred years now and have a really robust background in investigations and collaboration, both with our federal law enforcement partners and state partners, but also with corporations. And so using those skills, we were and are continuing to leverage that now in the cyber realm. And I think that it is obviously growing and will continue to grow and things like this podcasts allow us to have that conversation with a wider audience. 

Dave Bittner: Tom Breeden, in terms of the actual cyber part of the mission, that specialty, where do you plug in to that? 

Tom Breeden: From the cyber point of view, you know, I think there is sometimes the hesitation. Do you think only the FBI as violent crime or counterterrorism? But we really believe strongly that we have a huge role to play with any organization's cybersecurity program, and particularly from everything from providing a threat picture of actors, but also, if there's been some activity on the network, that aberration, that strange activity on the network, we believe that we can help any organization provide context to that threat activity and, in essence, beef up their cybersecurity program in general. 

Dave Bittner: So my understanding is that a big focus for your organization lately is collaboration, really a two-way street between organizations and yourselves. 

Thomas J Sobocinski: That's absolutely true. I mean, I think there is a stereotype of the FBI that was well-earned for generations of the FBI is going to come in and take over. And so whether it would be bank robberies back in the '30s and '40s and then, you know, 9/11 happened. And I think that that forced us to work with other entities and other individuals that we never would have worked with before. And I think we were - whether it was pleasantly surprised or just surprised, we found out that that made us better as an organization. And so we've now got 20-plus years of really understanding that collaboration matters, and it makes us better. It makes the country safer. And so we now are - that is who we are. That's the culture that the FBI now has. And so as cyber kind of started to come up and become a bigger priority for the FBI, we are now just organically having that become part of how we do business. 

Dave Bittner: Well, help me understand then, how does that relationship work? If I'm a business, is this a matter of reaching out and introducing myself to my local field office? What's the ideal situation as far as you all are concerned? 

Tom Breeden: There are 56 FBI field offices across the U.S. And there are FBI personnel in U.S. embassies across the U.S. And that's really what we think our strength is. It's our ground game, so to speak, where in the U.S., I mean, we have cyber specialists at every field office. And that's in, I mean, everywhere from New York to Maryland to Florida - name it, right? - California, we have agents there that are cyber specialists. If you can - if a business can develop that relationship before an incident happens, it's only going to strengthen their security posture, because when that incident happens, they'll know someone to call. And it won't be like, let me introduce myself. Sometimes there's several layers of legal counsels and cybersecurity teams and firms and in between. And that information can go smoothly when those relationship are already established. 

Tom Breeden: SAC Sobocinski mentioned about how far we've come. I remember when I started work in cyber, we would do what we call victim notifications. And a lot of your listeners have - some of your listeners have had an FBI agent knock on their door or send an email or, hey, I want to talk to you about a threat in your network. And there were times we responded with very little information. And there were times when we would - unfortunately back, you know, a decade or so ago, we would say - something on your network, we can't really tell you what it is, but can you look and see if you see anything strange? Those were tough times. Those were hard interactions. We really - I think we've learned a lot since then. And one of the feedbacks that we would receive, I remember from some CISOs, will say, I love that you came to my door. You're trying to help. I need context of this threat information. And that's what - when you're working with the FBI, when you're collaborating with us, that's - we're going to work as hard as we can to - so your company can be as strong as it could be. 

Thomas J Sobocinski: Yeah. I just want to add to that. I mean, I think, going back to the question, which is when do you want to be reaching out to us? It is absolutely before the event. And so we want to have a relationship with you. We want to be providing some of your listeners the information that they need to protect themselves, not to just deal with something negative once it happens. And so it's really important to have that relationship. Now, obviously, we can't do that for everyone at the same level. So there are certain industries that are really important to us - obviously, clear defense contractors for obvious reasons, but then also other critical infrastructure entities are really important. And then there's a third piece that is also important, which is industries that are developing that may be vulnerable to other foreign actors. And that's a piece that is - you know, changes minute by minute. And so, you know, clear defense contractor - obviously, that's classified information. They're storing it a certain way. They know to predict this. 

Thomas J Sobocinski: But there are also industries that are creating new and really exciting products, software, things in the - in certain industries that could ultimately be used in a classified environment. They just don't know it yet. And so it's important for us to have the relationships with them so that they know in advance how they can protect this information. I mean, it's pretty clear that this is a growing problem, number one. And it's an expensive problem. It's an expensive problem if you are a victim. But it's also an expensive problem to keep yourself from becoming a victim. And there are there are ways that we, the FBI, can help you do that. That is now part of our mission. It's what I have Tom and his team doing on a daily basis, not just the reaction to that problem. 

Dave Bittner: About - you know, I'm thinking about that CISO who wants to have the proactive relationship with you all, needs to make that case with the various powers that be within the organization - you know, particularly legal, you know? You go anywhere on the internet, and they say, don't talk to the police. Well, you guys are the police, you know? And so how do you assure people that while you're helping out, you know, you're not going to be rifling through a filing - you know, the people's worst nightmares about opening up a can of worms. 

Tom Breeden: Yeah. So I would say give us a chance for a dialogue first off. And we can come in as a one-way street, you receiving all the information. That's no problem at the beginning. And if you like what you see, then maybe there's something there that you're missing in your picture. And you say, I'd like to learn more about that. And so it starts with trust, Dave. I mean, we're under no illusions. This badge, it means a lot of things to a lot of different organizations and different people. So we understand that there is certain viewpoints in that. But my response to that would say, give us a chance to have a discussion. And I believe that what you'll find, the strengths we bring to bear, is not something you're going to get from even a cybersecurity company, I would argue, because the bureau will have some of that, but it'll have elements - we'll bring something to the table that really no other organization in the world can really bring. So I would say, try and find out, I guess, to - would be my response. Yeah. 

Thomas J Sobocinski: I would also add - I mean, let's use a very basic analogy - but a bank robbery. So if a bank robbery happens, the FBI is going to come. You're going to want the FBI to come. And we're going to investigate the robbery. We're not going to investigate your bank - your records. We're not going to go through other areas of your business that aren't affected by that robbery. And so I think for companies to recognize that we have a really focused mission and that, if you are that victim, we are here to help you - and I think the one thing that I would say is the sooner you do that and you get through the layers of legal and other issues within your company when you are a victim, the more we're going to be able to do for you. There are still things that we - I mean, obviously we can't go into the details of, but there are absolutely techniques and things that the FBI can bring to your company to potentially reduce the vulnerability that you face, whether it's financial or with intellectual property. 

Dave Bittner: Can we talk some more about that local element because, you know, the FBI has the IC3 for reporting things? And that is a useful way to get that information, but it strikes me that - again, it's that local relationship. If I can pick up the phone and call one of you, even just to say something doesn't feel right, that's a much more effective way to get a response than, you know, sending an email off into the ether, right? 

Tom Breeden: Yeah. So that's the proactive sharing. That's the next level, I guess, of, I think, where a security program should be. So it's not just waiting for, OK, we got to activate our incident response plan. It's - there's an aberration on our network. We're interrogating that end point. In the meantime, let's see if we can get feedback from the FBI on this. And if you've got that proactive relationship, you're right, Dave. That's not an IC3 complaint, necessarily. That's reaching out to your local office, engaging that. And then there's a dialogue back and forth. And again, we're not there to look - can continue with SAC Sobocinski's analogy, we're not there to look at the bank robbery - we're not there to look to the lending department - right? - and look for something there. We're there to look for the evidence of the threat actor. 

Thomas J Sobocinski: And if you're a CISO, you should have the FBI already input into your crisis response plan, whatever that is. If you're the executive over that CISO, if you're the CSO, you need to make sure that we are already in that plan. My next question would be, when's the last time you talked to the FBI? And who is that person that you've talked to? And so I spend a lot of my time meeting with various executives - like, after this, we're going to go meet with another one - on issues just like this. And so we are there for you. We're expecting that dialogue. But also, we need to know if you're interested in it and if it's something that you want to engage with us. So it is absolutely a two-way street. 

Dave Bittner: Where do you all feel like the agency stands right now in terms of being able to meet the need that's out there? Are you feeling, you know, you're well-resourced, supported? I mean, obviously, cybersecurity is one of the few things that has bipartisan support at all levels as being recognized as something that is absolutely necessary to defend our nation. Everybody always wants more. But is there a sense for where we stand right now? 

Tom Breeden: Well, I would say a strength we have now that I've seen evolve over the past, I would say, four years is the joint bulletins that we issue. You'll see, if your user - or your listeners track some of the FBI pins and flashes, the joint bulletins with CISA and NSA. So that's a reflection of the current state of how the U.S. government views the cyber threat. So the bureau is not - we're not in a vacuum. Those days are gone. We're - I mean, I think that's a reflection. We're collaborating with CISA. We're collaborating with NSA. And that's just - and sometimes you'll even - you'll see NSA collaborating with a foreign partner. So I think that's a reflection of how quickly we've moved in such short a time of collaborating within governments. So that's a pro. You know, sometimes we go - the bureau comes in, and we talk about the doom and gloom of how bad things are. 

Dave Bittner: Right. 

Tom Breeden: You know, that's a reflection of really a great trend that I think will just continue. 

Thomas J Sobocinski: I'll also answer that question by flipping that question, which is, you know, your corporate listeners - are they struggling to get the experts they need in this industry? And I think the answer is yes. And so for me, it is - you know, the expectation to be a specialist in this area is really high. The expectations to be a specialist working for the FBI are even higher. And so we are doing, you know, an adequate job of getting the people to come in, but then how do we train them? How do we keep them cutting-edge? Those are the issues that I think we are continually struggling with but trying to meet that. But it is absolutely an area - if I was 18 years old starting college, this is an industry that I think there's a lot of growth in in areas that, you know - I don't think people join - go in to be a data scientist or a computer engineer thinking you're going to go work for the FBI. But absolutely I would love to have you come work for the FBI. 

Dave Bittner: What do you suppose the future holds as we look, you know, 10 years down the road at the mission of the FBI when it comes to cyber? Where do you all, you know, see yourselves continuing and growing? 

Thomas J Sobocinski: I think the FBI is the premier investigative agency in the world. And, I mean, I can say that immodestly, but I really do think we are. And as this space kind of creates more solid lanes in the road and individuals and organizations start to specialize a little bit more, I think we will remain the investigative expert for this area. And so that doesn't mean that we won't grow. But I definitely do not think it's going to reduce in any way. 

Tom Breeden: And just to tack on to that, I 100% agree. I think how that's going to play out - it's going to play out through deeper collaboration, even more so. I mean, we've highlighted a few there. But I think you're going to see more integration with our foreign partners. I think those walls are going to turn into glass walls. And then it may be just barely barriers because the attackers - if they're attacking the U.S., they're probably attacking a Five Eye partner. 

Tom Breeden: I think secondly, you'll see the tech sector and the security tech sector and the FBI - more collaboration there also, because, again, there's so much information in both those entities that I think that collaboration will continue. And, you know, I can remember when I first started working cyber, literally cybercriminals were using Western Union to move money. And look where we're at now. It's - not only is it virtual currency. It's maybe Monero, even, that is a challenge. So there's a lot of challenges out there. And I'm confident that we're going to keep growing and keep advancing to be ready to keep pursuing the threat actors. 

Thomas J Sobocinski: Yeah, and we're not unique. I mean, I think the U.S. government in general is growing. And so you have organizations like CISA that didn't exist 10-plus years ago. And so what are they going to develop into? How do we mature with them not to compete with them, to work with them? I think that space is moving forward in a way I like. I mean, you know, obviously, as I talked about earlier, you know, the FBI were going to come take over. This isn't a space that we're able to just do that. And so working with all of these other partners is going to become more and more important as we move forward. 

Dave Bittner: For that CISA who wants to start that relationship, what's your advice? What's the best way to get started? 

Tom Breeden: Yeah. Call your local FBI office. If you're in Maryland or Delaware, it's called the local office here. We're here. And we will get you connected to a cybersecurity investigator - and the same throughout the whole U.S. Call your local office, and I think you'll be - it will add to your program. And I think you will - it'll help with your business. 

Dave Bittner: That's supervisor Special Agent Tom Breeden from the FBI's field office in Baltimore, joined by Tom Sobocinski, special agent in charge of the Baltimore field office.