Advertisement

FBI shifting cybercrime focus from arrests, indictments to payment seizures, incident response

One top FBI official said the FBI would try to replicate its approach to recovering funds in the Colonial Pipeline case.
Assistant Director of the Cyber Division at the Federal Bureau of Investigation Bryan Vorndran speaks at a hearing with the House Committee on Oversight and Reform in the Rayburn House Office Building on November 16, 2021 in Washington, D.C. (Photo by Anna Moneymaker/Getty Images)

In 2022, the FBI is looking to approach cybercrime differently.

During separate public appearances on Thursday, two FBI officials said the bureau was going to change up how it deals with computer intrusions.

“The FBI specifically is moving away from an indictment- and arrest-first model into the totality of imposing costs on our adversaries, and we’re making tremendous progress there,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “There is a right time for indictments and arrests and certainly one of our goals to take players off the field. But at the end of the day, we’re a team member first before we’re prioritizing our own authorities.”

Vorndran, speaking at an event hosted by the Silverado Policy Accelerator, touted the FBI’s workforce around the country and the skills they can bring to bear.

Advertisement

“That decentralized workforce is a huge strength for our government, especially given the FBI statutory authorities for incident response, counterintelligence, domestic intelligence and computer intrusions,” he said. “You know, we can put a cyber-trained FBI agent on any doorstep in this country within an hour.”

The FBI’s incident response capabilities, he said, are one reason why Congress should ensure that incident reporting legislation that stalled in Congress last year should specify that the FBI gets those reports “in real time” from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Speaking at a Washington Post event, another top FBI official talked about specific ways that the bureau could impose financial costs on cybercriminals.

Tonya Ugoretz, deputy assistant director of the cyber division, mentioned seizures of ransomware payments back from criminals in cases like the Colonial Pipeline attack, although she didn’t have dollar totals for 2021.

“The types of ransomware seizures that you saw us undertake with the Department of Justice last year are certainly things we want to replicate … and try to scale,” she said.

Advertisement

And those kinds of interruptions of illicit cybercrime gains happen elsewhere in the bureau, too, such as a team focused on helping small- and mid-sized businesses.

“That team acts quickly with financial institutions to help those institutions freeze the funds which then makes it possible in some, but not all, instances to recover those funds for those victims,” she said. “That occurred to the tune of $400 million in 2020. That only happens when we learn about the incident and learn about the details of it in a very quick time window.”

It’s just as key, though, for victims to follow any notification to authorities with a willingness to work with the FBI, she said.

The question of how to “impose costs” on cybercriminals has generated some recent debate from cyber thinkers. Writing this week for CyberScoop, Selena Larson — a senior threat intelligence analyst for Proofpoint and Cyber Project nonresident fellow at the Harvard Kennedy School’s Belfer Center — said that “the collection of high-profile takedowns, indictments and financial actions don’t appear to have lasting impact” on ransomware gangs. Instead, she said, the focus should be on amping up cyber defense.

Josephine Wolff, a professor of cybersecurity policy at Tufts University, cast doubt this week on the effectiveness of arrests and ransomware payment seizures.

Advertisement

“Approaches to combating ransomware that might have a larger impact on the criminal ecosystem include cracking down on cryptocurrency transactions, making ransom payments illegal, making it illegal for insurers to cover those payments, and imposing security requirements on critical infrastructure operators to reduce the likelihood of infection in the first place,” she wrote for README.

Latest Podcasts