SpyCast 11.22.22
Ep 565 | 11.22.22

“The FBI & Cyber” – with Cyber Division Chief Bryan Vorndran (Part 1 of 2)


Andrew Hammond: Hi, and welcome to "SpyCast." I'm your host, Dr. Andrew Hammond, historian-curator here at the International Spy Museum in Washington, D.C. "SpyCast's" sole purpose is to educate our listeners about the past, present and future of intelligence and espionage. Every week, through engaging conversations, we explore some aspect of a vast ecosystem that looms beneath the surface of everyday life. We talk to spies, operators, mole hunters, defectors, analysts and authors to explore the stories and secrets, tradecraft and technology of the secret world. We are "SpyCast." Now sit back, relax and enjoy the show.

Andrew Hammond: When Bryan Vorndran attended the FBI Academy in 2003, cyber was not on his personal radar, nor was it in Quantico's vigorous training schedule or really a part of the FBI's culture. Now, almost 20 years later, Bryan serves as the assistant director of the FBI's cyber division. This year, both the FBI's cyber division and the International Spy Museum celebrate 20 years in operation. That's 20 years of change, adaptation and progress towards our respective missions. What's changed in those 20 years? How have the tactics and strategies used in this field evolved alongside the ever-changing face of cyber? What does the FBI do in the wee small cyber hours to keep you, your business or the nation safe? Tune into "SpyCast" this week and next to find out. As Bryan says, this is not your grandparents' FBI. Remember that we provide full transcripts of each of our episodes at thecyberwire.com/podcasts/spycast. There you'll also find show notes that will direct you to resources so that you can learn more. Thank you for your continued support of "SpyCast," and we hope you enjoy this week's episode and the holidays. 

Andrew Hammond: One of the things that I wanted to start off with asking, just before we come to some of the more substantive questions, was - so you joined the FBI in 2003. Was cyber on the radar when you joined the FBI? Was it part of the training, or was it something that people were discussing or was it still not really part of the culture at the time? 

Bryan Vorndran: Yeah, it was not even part of the culture back in 2003. I mean, ironically, the FBI was never on my radar before 2001, but had an intervention, I guess, with a good friend who steered me in that direction. But in 2003, when I went through the academy, no cyber training at all. Certainly digital forensics were on the radar, and the FBI has been heavily invested in there. But true cyber intrusions, as we view the problems, that - were not here yet. 

Andrew Hammond: Wow. That's really fascinating. And for cyber, I've heard people say that that's not what the FBI is about. We're about slapping handcuffs on people and so forth. So help me understand, just before we dig into it a little bit more, the culture as you've seen it change since 2003. So you joined up, it wasn't on the radar and now you're the assistant director for cyber. So clearly something has changed along the way. How have you experienced that change in terms of your career? 

Bryan Vorndran: A few things come to mind. When we look at the evolution of cyber, even when you go back 10 or 15 years, cyber, at that point, the FBI defined within the crimes against children realm with the proliferation of the internet. And so as time has gone on over the last 15 to 20 years and we've matured, we look at that as computer-enabled, internet-enabled crime versus traditional cyber. And at a very technical level, not to bore your audience, but we define cyber within Title 18, Section 1030, which is computer intrusions. And so that's how we look at it. 

Bryan Vorndran: The other major evolution for the FBI is post-9/11, and that's the integration of intelligence. And the integration of intelligence now is part of our DNA as an organization, and we are the lead domestic intelligence agency for intelligence in the United States. Very much part of our every day, every week, every month work as that line of effort has matured and the intelligence and the bureau's matured in the intelligence community, we have opened our aperture from traditional just arresting people and that being our primary mindset to a mindset of how do we impose cost on our adversaries, especially in the counterintelligence and the cyber realm. But the intelligence function really informs the totality of those options. 

Andrew Hammond: So there's a difference between cyber-enabled terrorism, cyber-enabled crime, cyber-enabled drug trafficking and cyber, as you defined it. Is that correct? 

Bryan Vorndran: Absolutely. When you look at the broad bucket that is online frauds - think romance scams, business email compromises, all other types of online frauds - we don't define that as cyber. At times, there will be a very sophisticated business email compromise investigation or conspiracy that we are investigating that may filter into the cyber world as we define it. But largely, those items are separated. 

Andrew Hammond: So that must be quite helpful for making sure that you don't end up in arguments with other assistant directors where they are doing counterintelligence, and you're like, well, that's cyber. It must be - it sounds like that's helpful for the division of responsibilities. Is that fair? 

Bryan Vorndran: Of course. And that plays out in the public partnership space, as well, between FBI and NSA or FBI and CIA and Cyber Command. And the list goes on to include Treasury and State. All of those lanes in the road, whether internal to the FBI or external to the FBI, are really important for efficiency. And that is something that I think we've really matured into. But that is an evolution. And in 20 years from now, it'll be different than it is today. And we'll need to continue to mature with that from an organizational perspective. 

Andrew Hammond: And the cyber division - how long has that been around? 

Bryan Vorndran: So the cyber division - we just hit our 20th anniversary in January of this year. So it began in January of 2002. But again, the nature of the work done within the cyber division is vastly different today than it was 20 years ago. Twenty years ago, more of the computer-enabled crimes as we went into the maturity of post-five years of the internet - and then crimes against children, which really proliferated on the internet. Today, the cyber division in name certainly exists from 20 years ago, but the nature of the work we do today is vastly different. 

Andrew Hammond: Wow. And what's the FBI's cyber strategy? What's kind of going on there? 

Bryan Vorndran: Yeah. When I talk about this, I say when it comes to the FBI cyber program, we are not your grandparents' FBI. We are not in the game of just arresting people because it is a global problem. We know that. We know where the hotbeds of activity are. And the ability to get adversaries, whether nation-state actors or criminal actors, out of those regions is very, very difficult. And so internally and externally, we talk about, we are a law enforcement agency when it comes to cyber. We are an intelligence agency when it comes to cyber. But then what I like to say is we also want to put pressure on the threat through any means possible. 

Bryan Vorndran: So when we talk about our strategy, we talk about it in this way - our role is we see ourselves at the center of a circle. We have international and domestic public partners. We have international and domestic private partners. Our job is to take our intelligence and the evidence we have from our investigative responsibility and to join forces with those partners, whoever is best positioned to develop a joint sequence operation and impose maximum cost on the adversary. At times, that's an extradition - an arrest and an extradition. At that - at times, that's seizing cryptocurrency. At times, that's degrading the communications channels that our adversaries communicate on. There is no one size fits all. It is, who is in the best place from the interagency within the U.S. government but, more broadly than that, the international arena, both public and private, and how can we combine forces to impose costs on our adversary? 

Andrew Hammond: Can you give us a couple of examples? 

Bryan Vorndran: Sure. The ones that come to mind immediately - let's stick with the traditional law enforcement realm. There was a significant compromise in July of 2021 of a U.S.-based company, and the actor was affiliated with a ransomware-as-a-service group known as Sodinokibi, also known as REvil, R-E-V-I-L - very, very prolific ransomware-as-a-service conspiracy, most likely based in the Russia territory. It had hundreds, if not thousands, of U.S.-based victims. We were able to very quickly identify through our investigative authorities exactly who conducted that attack against the U.S.-based company. 

Bryan Vorndran: And this is broadly reported on in the press already, but the name of that individual was Yaroslav Vasinskyi. And through our relationships with international partners, the Poles were able to take him into custody. And then we extradited him here to the United States, and he now is in prison here in the United States. That would just be a traditional law enforcement angle of what we do. When we talk about domestic intelligence, you know, I could spend hours on this, but I'll spare you. We do all types of industry notifications, what we consider private industry notifications or other main cybersecurity advisories that cover what we would call net defense imperatives. We do a lot of this work with CISA on a routine basis, and CISA... 

Andrew Hammond: And CISA - yeah, sorry. CISA is... 

Bryan Vorndran: The Cybersecurity Information Security Agency - they joke the only agency with security in their name twice. But nonetheless, we do this work on a routine basis based on our investigative authorities and the intelligence we collect, and we share things about the latest malware signatures, the latest TTPs, the tactics, techniques and procedures that are being used by the North Koreans. And there's hundreds of these documents that are publicly disseminated on a very routine basis. 

Bryan Vorndran: On more of the joint and sequence campaigns, you know, the best example I can give you is just to say, again, with the same ransomware as a service group in the fall of 2021, Sodinokibi, there was tremendous work done by the FBI and very specific partners in the U.S. government that essentially caused them to go to ground for nine months because it just got too hot for them. It became too difficult for them. And we know that we are never going to take this group of people out of the work they do. It's too profitable is the story for them. It's too profitable to step away permanently. But if we can get them to go to ground and remove one attack surface or one set of adversaries, that is helpful to the American public and the global community. So those would be just a few examples. Certainly can go deeper on other examples as we get into the conversation. 

Andrew Hammond: So it's just like organized crime in the sense of you're never going to get rid of organized crime, but you still want to take down organized criminal networks when you come across them, right? 

Bryan Vorndran: We essentially boil it down into five buckets. You have your traditional criminal threat. You have your threat from China, your threat from Russia, your threat from North Korea and then your threat from Iran. Let's just talk about criminal for now. That is an organized crime syndicate. That is how they are constructed. Most of them are constructed in what we would refer to as a ransomware-as-a-service organizational structure, which means you have very, very capable malware developers who also build platforms for affiliates to leverage the malware, deploy the malware. And then the developers of that variant - whether it's Conti, whether it's Hive, it doesn't much matter - they get a cut of the proceeds from the work that others are doing. 

Bryan Vorndran: So we would think about it as similar to chain restaurants, right? You open the chain restaurant. You pay royalties back to the parent company to have that name. It's the same thing. You have a very good piece of malware. Almost anybody can gain access to it and deploy it as long as it's part of that organized conspiracy. And then they provide a cut of their, essentially, ransom that victim would pay back to the enterprise. And it's very, very profitable. 

Andrew Hammond: And for the first example you gave, was he a Russian citizen or a Polish citizen who... 

Bryan Vorndran: You know, I think he's a Russian national that at the time was living in Ukraine, if memory serves. 

Andrew Hammond: For this particular case, how long is this guy away for? Like, how - in terms of the traditional stuff that the FBI has done, is the sentencing comparable, or is it lighter or heavier, or is that the wrong question? 

Bryan Vorndran: No, it's not the wrong question. In this case, the answer is we don't know because it's still in court proceedings. But what I would say is that when you look at the traditional judicial process, the people getting the heaviest sentences are those who commit crimes of violence, which I think we would understand. The people who get the next-heaviest sentence are those who essentially are taking advantage of innocent victims. And I think the judicial system, if you look historically, has largely been sensitive to that. 

Andrew Hammond: Just when you were talking there about violence and then taking advantage of someone - so this would be in the taking-advantage-of-someone category, so we could expect it to be similar to that. 

Bryan Vorndran: Yeah. I mean, I think that's a good starting point for the conversation. But again, the court process will bear itself out over time. 

Andrew Hammond: Sure. And for this as well, I remember when I first found out that people would write viruses for computers. And I was like, that is weird, you know, when computers were first around, or when I first came across them. I was like, why would you do that? And sometimes it was just for no reason. And for law-abiding citizens, it's like, why would someone be so malevolent that they just want to screw up someone else's computer? And I know that - and the FBI are used to dealing with the kind of mindset of people that do this type of thing. But why do these people write malware? Is it just for money, or is it just malevolence, or is it something else? Or can they be coerced into it? Or does it just depend on the context - it can be all of those things? 

Bryan Vorndran: I would think - a couple thoughts, right? They definitely can be coerced into it - is a highly technical field. It has been regionally located for most of the last 20 to 30 years. But we do start to see an expansion into different regions that causes us a concern. But it's all profit driven, at the end of the day. It is a very lucrative, profitable business for the cybercriminals, and that is why they do it. 

Andrew Hammond: OK. 

Bryan Vorndran: Now, obviously on the nation-state side - different set of values proposition, right? - whether traditional espionage, whether it's understanding U.S. government policy positions, whether it's stealing intellectual property. There's a whole other assortment of driving factors on the nation-state side. But on the criminal side, those not affiliated with nation states or with other governments, it's all profit. 

Andrew Hammond: OK. So that's also a little analogous to the drug trade in that, sure, this may wreak havoc in our city, or it may lead people to an early grave, but I don't really care. The profits are just so astronomical, and this is so far removed from me that I'm happy to do it. It's a similar kind of mindset. 

Bryan Vorndran: It is. 

Andrew Hammond: Yeah. Wow. I mean, this must be interesting because the types of people that you've been investigating and catching and convicting in the past are - they've been doing crimes that have been relatively stable for quite some time but this is, like, a whole - do you find this, like, a new kind of category of criminal that you're dealing with? Is it different demographics, different levels of education, or is it just the same type of people that you've always been catching, now they're doing something different? 

Bryan Vorndran: Yeah, no, I don't think so. I mean, when we look across the FBI's broad investigative portfolio - whether that's nation-state counterintelligence, whether that's counterterrorism, whether that's criminal, everything from crimes against children to gang work to traditional violent crime, drug conspiracies, white-collar conspiracies - there's always norms but there's also always deviations from the norm. And so certainly, we do understand generally who we're facing from an adversary perspective, but - and some of those people are very young. Some of them are older. Some of them already have very significant wealth. Some of them don't, right? And it does cross many different areas. 

Andrew Hammond: We'll be right back after this. 

Andrew Hammond: And what authorities does the FBI have in - with regards to cyber? So help me understand this. When I talk to people about it, sometimes their eyes glaze over. They're like, I don't know who's doing what for who and how it all relates together. So just in terms of the FBI and the cyber division, tell us what your authorities are. 

Bryan Vorndran: Sure. No problem. It's a great question. I'll try not to bore your audience with the... 

Andrew Hammond: I'm sure you won't. 

Bryan Vorndran: ...Legalese, but a couple things. No. 1, we have broad Title 18 investigative authority, which means that we have the right to investigate federal crimes through traditional grand jury, through search warrants and such, and everything that goes in between them. That's a really important step for us because somebody in the U.S. government has to play the long game through the traditional rule of law and try to take - my terms - players off the field, right? So I joke with people that's a big football fan, if I was playing Tom Brady, my No. 1 goal would be to keep Tom Brady off the field, right? Well, it's the same here. Someone has to play the long game to get players off the field because with those players on the field, they're going to continue to do what they do. 

Bryan Vorndran: So the intelligence that we derive out of that investigative authority is super powerful. That informs our domestic intelligence responsibility, essentially informing the public and private sector what is going on from a cyber-adversary perspective here in the United States. But it also informs our interagency partners in terms of operational outcomes. One I like to talk about is Rule 41, which, for your audience, is the search and seizure code. That is extremely important, and I'll come back to this and talk a little bit about Hafnium and Cyclops Blink and the application of Rule 41. The FBI is the lead counterintelligence authority in the United States, so fighting attacks from foreign governments, hostile agents, and there is undoubtedly bleed over between the traditional counterintelligence threat and the cyber vector. We have FISA Title I and Title III authority, which what that essentially means is we can collect on foreign adversaries here in the United States and FISA 702, foreign adversaries overseas. So those are our true authorities. 

Bryan Vorndran: Let me go back and touch on Rule 41 because it's been really relevant in the past 18 months. So Rule 41 is essentially what allows - what guides the FBI in terms of how we do search and seizure. Think about in traditional crime. We have a drug dealer. We are going to go to that drug dealer's house, and we are going to look for instrumentalities of the crime - drug scales, drugs, etc. Well, it's no different here, right? The instrumentalities of the crime are just different. The instrumentalities of the crime are traditionally malware. So in the case of Hafnium - and Hafnium is attributed to a China-based element - they had installed thousands of malicious web shells on U.S.-based computers and servers in early 2021 through a series of actions. And we always move from least intrusive to most intrusive. 

Bryan Vorndran: So what I mean by that is we are not going to go into U.S. infrastructure and do a search warrant right away unless there's an imminent threat. We are going to start with broad messaging, cybersecurity advisories, industry advisories. And we're going to whittle down the attack surface through public messaging to the best of our ability. In the case with Hafnium, we did that quite well with CISA and with Microsoft. But still, our experience has been that whatever the number is - 8%, 10%, 15% - some amount of the attack surface will always remain. There will not be remediation steps taken by those who are unwittingly victims in this process. And that was the case with Hafnium. We essentially wrote a tool but used it under the premise of Rule 41, sworn out in front of a magistrate judge in a district here in the United States to go in and precisely, surgically remove that malware from those infected computers and essentially close the backdoor access from the Chinese into U.S. infrastructure. It's a really powerful tool. The FBI is the only agency that has those authorities and the capability here in the United States to do that work - tremendous value-add to the American public. 

Bryan Vorndran: When we go forward to just recently, certainly in the media, there's conversations about what we call - what's referred to as Cyclops Blink. Cyclops Blink is a GRU - Russia GRU organizational malware that replaced VPNFilter from about 18 months ago. Well, the GRU took advantage of a vulnerability in an edge firewall that was very, very prevalent not only here in the United States but domestically and had established a command-and-control botnet through it. And, again, very similar process - we worked with the vendor. We worked with CISA, deployed multiple public messaging - pieces of public messaging, cybersecurity advisories, whittled down that attack surface to the best of our ability. But, again, at some point, time becomes of the essence, and we want to take simultaneous action to remove the rest of the attack surface for the adversary. And we did that again. 

Bryan Vorndran: We wrote a tool, used Rule 41 to essentially go in and - I'll talk about this a bit more here in a second - surgically remove that malware and close access for communication back to the GRU. When we do this, we do not touch any other part of a victim's - an unwitting victim's infrastructure, computer server, nothing. It is precision in. It's coded to grab that malware. We will always copy it for purposes of evidentiary collection, which probably doesn't surprise your audience, but then we will delete it. And again, the legal terminology behind this is instrumentalities of a crime. No different than a drug scale is an instrumentality of a crime for a drug dealer, malware is an instrumentality of a crime for an adversary in cyberspace, and Rule 41 provides us the authorities to seize those. 

Andrew Hammond: And the GRU - we're talking about Russian military intelligence. 

Bryan Vorndran: Correct. 

Andrew Hammond: So what's an attack surface? 

Bryan Vorndran: Yeah. When we use the term attack surface, we would just say - let's say - let's use just an easy example. You have a botnet that has 500 command-and-control nodes. Well, if we reduce 200, 250 of the command-and-control nodes, we'd say reduce the attack surface by 50%. If we have malicious web shells on 10,000 computers and the Chinese can action activity in all 10,000 of those somewhat simultaneously, that is a large attack surface. We would want to reduce that by as much as possible to reduce the attack surface. 

Andrew Hammond: And I'm sorry. If you just bear with me here, I just want to make sure we don't leave any of our audience behind. So botnet - the Cliff Notes version of botnets - can you just clarify... 

Bryan Vorndran: Sure. 

Andrew Hammond: ...What those are? 

Bryan Vorndran: Yeah. Botnet is short for robot network, which essentially would mean that if you have 500 computers that you have control of and you want to cause a denial of service attack, you could amplify the inbound traffic to a node by 500 times because you have control of 500 computers versus doing it by one computer. And that would overwhelm that communication node. So that would be an easy definition. 

Andrew Hammond: And a denial of service is just trying to overwhelm that. 

Bryan Vorndran: That's correct. 

Andrew Hammond: Yeah. OK. And what's a web shell? 

Bryan Vorndran: I would look at - for your audience to say this isn't a one-for-one definition, but I think it paints the picture the best. When you have remote desktop access from your IT service desk, you know, you essentially give control of your computer desktop over to somebody trying to help you. Well, think about if someone had put access to the back end of your computer in place without your knowledge and could manipulate what's on your computer. A web shell provides remote access to the adversary to essentially provide them access to manipulate and move within your computer without your knowledge. 

Andrew Hammond: Wow. Does that mean that if someone was ultra-sophisticated and they had the capability and the resources, could they go into my computer and frame me and make it look like I was involved in drugs or some other type of criminal activity by just completely curating my computer to make it look like I was something that I was not? 

Bryan Vorndran: I don't know is the answer. 

Andrew Hammond: OK. 

Bryan Vorndran: I'm certain it's probably not out of the realm of possibility. I would just say that that's not something we spent a lot of time on. We don't see that prolifically. 

Andrew Hammond: OK. And where's a good place for people to go to get more information about this - attack surfaces and web shells and botnets and so forth? 

Bryan Vorndran: Yeah. I mean, I would point them to a few resources. Certainly, from the current tactics, techniques, procedures, the current indicators of compromise that we are seeing today or that we've seen in the past one, three, six months, you can either go to ic3.gov or to cisa.gov - cisa.gov. There's also another website called stopransomware.gov. The NIST standards - N-I-S-T - are the standards that govern internet compliance. Really good resource, as well. But I think rather than the audience focusing time on the definitions of botnets or web shells, I think that the reading of what the threats look like on ic3.gov or cisa.gov is probably a better place for them to spend some time. 

Andrew Hammond: OK. 

Bryan Vorndran: A little bit technical, FYI. 

Andrew Hammond: (Laughter). And just briefly, CISA - how does CISA relate to your job as the assistant director for the cyber division of the FBI? 

Bryan Vorndran: Sure. We have a tremendously positive relationship with CISA. I would break it down into these two silos. So there's a document called PPD-41, which is Presidential Policy Directive 41 - somewhat irrelevant for the conversation, but it is backed in legislative policy. In that document, it talks about the FBI's role in cyber. And what it says is we have threat response responsibility, and I'll explain what that means in real terms. And it says what CISA does is asset response. 

Bryan Vorndran: So I would look at it this way. If there is a significant intrusion and FBI and CISA show up together to whatever company has been impacted, the FBI's role is to look at the evidence and look at how that is going to inform our investigative activity, future operations, our intelligence picture, the adversary who conducted the attack. We will be heavily engaged with the victim and do whatever we can with the victim in that situation. CISA is going to look at the intelligence that was derived from that attack and push it forward to net defenders. So I would say that the FBI's role is on the left side of the activity, and CISA is trying to get ahead of the next attack by sharing that information with net defenders. 

Andrew Hammond: And CISA is part of the intelligence community? Or where is that located? 

Bryan Vorndran: CISA fits into DHS. They're a component agency with the Department of Homeland Security. They're actually not in the intelligence community. That's a conversation for another day. But they're a tremendously relevant partner to us. And obviously, when we talk about traditional cyberdefense and we - the FBI doesn't consider itself in the game of cyberdefense, but when you consider traditional cyberdefense, that's the role that CISA fills for the U.S. government. 

Andrew Hammond: So they take the lead for that? 

Bryan Vorndran: They do take the lead for that. 

Andrew Hammond: Yeah. OK. So the FBI, if I understand it correctly - it's more of a defensive function. It's, this has happened. We investigate it. We collect evidence. We prosecute people. It's not a let's stop this from happening and go out and write code that's going to destroy a network overseas or something like that. Is that... 

Bryan Vorndran: Well... 

Andrew Hammond: ...Something to - help me if I'm not getting... 

Bryan Vorndran: Yeah. 

Andrew Hammond: ...That properly. 

Bryan Vorndran: I think that's probably a little bit inaccurate. What I would say is that certainly, the first part of what you said is accurate. The FBI is there to investigate, derive the evidence, derive the intelligence from attack. But then we are working with our partners - whether that's domestically, internationally, again, publicly, privately - to - what I say - put pressure on the adversary as a result of that. So there are always very unique breadcrumbs from every attack that lead us to whether it's infrastructure, financial resources, communication resources that allow us to either unilaterally or with a partner - again, my term - put pressure on the threat and make their life more challenging the next day and the next day and the next day. CISA's role would be essentially to enable net defenders. OK, do we see new - a new malware signature? Do we see a new indicator of compromise? And making sure that there is a dedicated element in the U.S. government - which CISA is - to inform everybody, hey, you better be blocking these IP addresses because so-and-so - we would always anonymize it, but there was just an attack from this IP address from Russia. 

Andrew Hammond: OK. To use football, it's like the difference between the forward defensive line and the safeties? 

Bryan Vorndran: Yeah, I guess... 

Andrew Hammond: Is that (laughter)... 

Bryan Vorndran: ...So. I guess so. I guess so. 

Andrew Hammond: And who's your team? 

Bryan Vorndran: I'm a Philadelphia guy, through and through. 

Andrew Hammond: OK. OK. That's interesting. It seems to me that this falls on quite an interesting space because traditionally, if you had, say, at an international level - if you've got a nonstate actor who's - who are terrorists or who are drug traffickers, there's - depending on the context, there could be more state-to-state getting together to try to dissolve that type of threat. If it's drug traffickers, then there could be more state-to-state interaction to try to dissolve that type of threat. But if it's groups that are affiliated with Russian intelligence who are located in Russia, even if you've got all of the evidence and you know that they could be prosecuted but the Russian state is not going to play ball, they're not going to extradite them, what does that mean? Does that mean that you just collect and do all the things that you traditionally do, but it just never - it kind of never ends up over in the touchdown zone? And help me understand that or help the listeners understand that. 

Bryan Vorndran: Sure. I think that... 

Andrew Hammond: I'm going to use football analogies... 

Bryan Vorndran: That's all right. 

Andrew Hammond: ...All the time (laughter). 

Bryan Vorndran: I think the reality of - it's we have to define success differently. 

Andrew Hammond: OK. OK. 

Bryan Vorndran: And so the FBI, when it comes to cyber, no longer defines success as just investigating to get to a charging instrument, whether that's an indictment, an arrest warrant. That's - we will - as I've already mentioned, we will always do that because it's a national tool of power, and there may be a need for it at some point, right? But that is core to the bureau, and that's why it will never leave. 

Bryan Vorndran: But new to the bureau is, how do we impose cost? How do we work with Cyber Command? How do we work with other agencies? How do we have tremendous international partnerships - I mean, tremendous? How do we work with them to make the adversary's life more challenging? So we are never going to stop China from trying to steal intellectual property. It's not going to happen in my lifetime. But are there things that we can do within the U.S. government, both diplomatically but also through traditional - the traditional IC that make that work for them more difficult and that can frustrate them or that can cause them to assess risk to themselves differently? Absolutely. And we do that quite well already. 

Bryan Vorndran: And I think the exciting thing for me is, as I look at the evolution over the last 18 months of the interagency, I can see material changes, material maturity over those last 18 months. And that's why I say, when it comes to the bureau or the interagency with the bureau, the best is yet to come, right? We are getting better at this by the month, and the costs that we are able to impose on our adversaries will become more and more significant. And that cuts across everything - right? - whether it's financial sanctions through Treasury. They're a huge partner to us. There's certainly the traditional diplomatic side that the bureau stays out of. But all of these things are in play. 

Andrew Hammond: Wow. And is this unique to cyber, this redefinition of success? 

Bryan Vorndran: It is. It is. Yeah. 

Andrew Hammond: Wow. OK. 

Bryan Vorndran: We will not arrest our way out of the ransomware problem. We are not going to arrest our way out of the Russia or China nation-state cyber vector problem, right? It's just not going to happen. But again, national tool power is something we will always do. But there has to be a way to degrade the ecosystem to make their life more challenging. 

Andrew Hammond: You mentioned China there, and not long ago we had on a former legat who was at the embassy in Beijing. And for our listeners, a legat - and correct me if I'm wrong - is like the chief of station for the FBI. It's the FBI's representative on an American overseas embassy. 

Bryan Vorndran: That's correct. 

Andrew Hammond: And the - for your job just now, Bryan, do you - like, do the legats come into the picture at all for you, or - yeah, how does that work? If you've got a legat in Beijing and you know that they're stealing intellectual property, like, how does that shake out? 

Bryan Vorndran: Yeah, I don't want to go too much into that. 

Andrew Hammond: OK. 

Bryan Vorndran: What I would say is our interaction with our legal attaché program is daily. And so we have, you know, well over 50 locations in the world where we have dedicated FBI personnel. Probably more importantly for me and for the work we do is we have a growing number of dedicated cyber assistant legal attachés all over the world. 

Andrew Hammond: Oh, wow. OK. 

Bryan Vorndran: And so when you look at the strategic placement of them, they are in areas that you would expect - right? - hotbeds of, if you want to call it talent, adversary talent, where we have adversaries that are really talented doing this work. And we try to position those assistant legal attachés in places where the host nation also has strong cyber talent. From an investigative or intelligence perspective, that has proved invaluable because it puts us closer to the problem. So if there is a problem in a country, we can likely get an FBI agent there with cyber skills within a day, and that has proved to be exceptionally valuable. 

Andrew Hammond: Wow. For the general public, we know a lot about China. We know about Russia in terms of cyber talent. What are some of the other places that we know that there is considerable cyber talent and is out there in the public domain but your average person may not know this? 

Bryan Vorndran: Yeah. I mean, on the nation-state side - so the traditional adversarial governments - our focus is on four. And none of these four are going to surprise anyone - China, Russia, Iran and North Korea - those four. We dedicate significant resources to that. Again, none of this probably surprises anybody. When you look at the hotbeds of talent, it is traditionally a Eurasia hotbed of talent - right? - in the former Russian bloc areas, Soviet bloc areas. But we have started to see a proliferation of some of those skills to other regions of the world. And I can't get into that right now. But we have started to see an expansion of the skill set, which would mean that the expansion of the adversary problem on the criminal side is going to increase. And that is something that we're deeply concerned about because if you have 50 - very simple math. If you have 50 capable people now doing their job and next year you're going to have 100, the problem has doubled. 

Andrew Hammond: And can we just talk about the distribution in growth for a second? Is that something that's just happened organically, or has that been fostered by adversaries or friends? Or is there something that - listen. We're in the information age. That stuff is just going to keep spreading. Like, how is it developed and proliferated? 

Bryan Vorndran: I actually don't know that answer. 

Andrew Hammond: OK. 

Bryan Vorndran: I actually don't know the answer. 

Andrew Hammond: I'm sure nobody does. But I just wondered. 

Bryan Vorndran: Yeah. I mean, I think - my guess would be that as we look at just the inclusion of electronics and computers in our world - right? - there are more people in that space. 

Andrew Hammond: And what's the value proposition of the FBI for cyber? So, I mean, we've talked about this a little bit, but just for anybody that's being distracted by a driver when they're on the freeway and now they're kind of edging back into the conversation, what's the value proposition of the FBI for cyber? 

Bryan Vorndran: Yeah. I talk about it this way. We have our authorities, which we talked about. Those are unique authorities to the FBI, which allow us to derive and add value specifically to the U.S. government, international partners and then private sector partners here in the - here and internationally based on those authorities. But I think our value proposition is our decentralized workforce. We've already talked about the legal attaché program. And again, I think the latest number is somewhere around 70 legal attachés, but again, the dedicated cyber assistant legal attachés. But in the United States, we have close to 1,000 dedicated personnel in every one of - inclusively in our 56 field offices dedicated to cyber investigations, which cuts across the special agent, the intelligence analyst, the computer scientist job classes. 

Bryan Vorndran: We say - not that we do, but we say - we can literally put an FBI agent on any doorstep in this country in an hour if somebody has a need for cyber. And that is a tremendously significant value for the American public. The American public has invested deeply in that through taxes and those tax dollars invested in the bureau. And we have invested back into the communities with those personnel. It is very important for us to treat the public, whether they're unwitting victims or true victims of cyber crime, with the utmost decency. And that's core to our DNA and something that we take very, very seriously. 

Bryan Vorndran: So when you combine our authorities and you combine our decentralized workforce, I say we have four goals - No. 1, as we've already talked about, long-term enterprise-level investigations to take players off the field. That is easier said than done, but somebody has to play the long game of taking players off the field. And No. 2 - intelligence. We have a mandate in statute to inform the American public and our interagency partners on the - what the domestic intelligence picture looks like from cyber. No. 3 is we have to work with our partners to put pressure on the threat. How do we make their life more miserable tomorrow than it is today? That's not through arrests. That's from making their life more difficult, whether that's infrastructure disruptions, whether that's financial asset seizures, right? How do we impose costs on them? 

Bryan Vorndran: And No. 4 is we have to provide world-class customer service to victims. And so when we talk about victims, we talk about it in the space of when they - there was an intrusion. But in almost all the cases, our relationship with those victims starts prior to the intrusion. How do we effectively engage with those companies, those organizations, whether academic, nonprofits, etc., that allow us to add value prior to intrusion and then to truly, truly treat them with the utmost dignity during an intrusion? 

Bryan Vorndran: And my personal reflections on this topic, as I've talked to a dozen CEOs over the last year who have navigated this, is that when they come out the other side of what is a really bad set of days or bad set of weeks where they go through an intrusion, they don't remember that someone was able to help them shut down a server, right? They don't remember that we were there to be able to say, hey, the malware that was used was X. What they remember is being treated like a human being and having a soft ear to talk to about, hey, this is a really bad day for us, and having somebody from the FBI say, we know and what can we do to help? What are your priorities because our priorities are truly secondary in that moment? That's true. What are your priorities? How can we help you through that? But this theory of, you know, you're in this most technical field of crime and intelligence that exists, and the core of it still remains human decency. And that has proved itself to be true over and over again. And that's why we do have a commitment to victims that is memorialized in our mission and our vision statement. That is very, very important to us from a DNA perspective. 

Andrew Hammond: Thanks for listening to this episode of "SpyCast." Go to our webpage, where you can find links to further resources, detailed show notes and full transcripts. We have over 500 episodes in our back catalogue for you to explore. Please follow the show on Twitter at @INTLSpyCast and share your favorite quotes and insights or start a conversation. If you have any additional feedback, please email us at spycast@spymuseum.org. I'm your host, Dr. Andrew Hammond, and you can connect with me on LinkedIn or follow me on Twitter @spyhistorian. This show is brought to you from the home of the world's preeminent collection of intelligence and espionage related artifacts, the International Spy Museum. The "SpyCast" team includes Mike Mincey and Memphis Vaughn III. See you for next week's show.