CyberWire Daily - Interview select: David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement.
Episode Date: June 20, 2022
As we break to observe the Juneteenth holiday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with FBI Cyber Section Chief David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.
Transcript
Cybersecurity leaders are seeing unprecedented outreach and collaboration
from federal agencies like CISA, NSA, and the FBI.
You'll often hear the phrase, cyber is a team sport,
with the acknowledgement that working together is the best way,
perhaps the only way, to meet the challenge of the threats we're seeing.
David Ring is section chief of the FBI Cyber Engagement Intelligence Section
and FBI Cyber Division. I caught up with him at the RSA conference.
Yeah, so, you know, as the Bureau and Cyber Division and cyber threats have been around for some time, the Bureau's been working them almost since inception.
And as we matured our investigative capabilities and built our investigations out, worked more with government partners, it evolved over time as we slowly come to realize that we can't do this without private sector and without
industry, right? Like private sector sees the threats before we do most times. We're relying
on reporting, certainly when it comes to cyber criminal events. And in the past few years,
that's grown significantly. We've evolved over the past 10 years or so in our private sector
engagement program, going from building relationships one-on-one based on victim engagements or opportunities that we've got into really a
strategic approach to identifying the right partners and engaging with them.
So where do we stand right now in terms of what the FBI brings to bear with the cybersecurity
challenges?
Sure.
FBI brings a lot to bear against the threat.
Of course, we work very closely with
our critical partners in government, NSA, Cybercom, CISA, to bring a whole government approach to the
broader threat environment because, again, cyber is a team sport, right? We hear that a lot. And
that's a mantra for the Bureau as well. Our goal is to ensure that all of the resources that the
federal government has are brought to bear against the threat
in working with
private sector. It's critical that
we bring those resources in as well
and that we're engaged early on.
I'm an old CT guy, right?
CT language, we try to
go left of boom with these companies and
identifying avenues
where we can share two-way sharing
of substantive information, intelligence,
that can point us in the right direction, or we can point them in the right direction,
either one-on-one or more broadly.
What do you say to folks who may find themselves,
I'm thinking particularly of those small and medium-sized businesses who may not think that
they are up to the level where FBI engagement really makes sense.
Is that something you're looking to get past?
It sure is.
And frankly, when you look at the victim space,
those small and medium companies are really where the victim space is, right?
Because they don't have the same resources that these giants have.
And of course, we need to work with very large corporations,
companies, infrastructure providers every single day to make sure that we're working the threat effectively.
But from a day-to-day approach,
we have to identify who our most systemically important partners are
in the private industry space.
And so those companies aren't always the huge ones
that everybody thinks about.
When we talk about some sensitive national security projects,
we talk about COVID vaccine development and things like that.
These are sometimes some smaller, certainly medium-sized companies are very involved.
There are all sorts of sizes of managed service providers out there that we need to identify and
go out and have those conversations with at the field office level. FBI's got 56 field offices
across the country. That's part of our value proposition in working with private sector and countering
cyber threats. We're a deployed workforce across the country and frankly across the world where we
can have a technically trained cyber agent on somebody's doorstep in a very, very short time
frame. We're talking hours versus days in order to work with that organization. And if it's incident response
or they're dealing with an incident
or it's just, hey, we've identified
that you guys are working on something,
that's really critical.
If that information was potentially disrupted or stolen,
there's a national security implication,
there's a public safety implication.
We need to be out there with you
and working through kind of those threats,
and we can work with you to identify where some of those vulnerabilities lie.
Should folks be reaching out to their field offices ahead of time? We always talk about how
when you're in the chaos of actually in the midst of being in incident response, that that's the
worst time to be trying to create new relationships. Is the agency open to that as
well? Yeah. So we encourage that. When folks ask me or really anybody in the Bureau when it comes
to cyber, what's the best case scenario as far as building a relationship with the FBI? We want that
relationship before you're in, you're having your worst day. Listen, what I'd say is we're at our
best when you're dealing with your worst day. That's
kind of what the Bureau does. We work with people on the worst day of their lives or their professional
lives oftentimes in this threat environment. But we want to have that relationship first.
We want you to have in your phone somebody at the FBI field office near you that you pick up and
call. And even if that's somebody, hey, they're saying, I don't deal with that, that's not my
threat area, they can immediately get you in contact with the right person and get them there
in whatever means that organization prefers.
If the FBI is part of your incident response plan, you're already at an advantage.
I'll even say, if a company is building the FBI into an incident response plan
and they're having an exercise or a scenario-based threat exercise, we'll participate in it.
The local point of contact in your field office, reach out to them.
That's part of what we're trying to do in our engagement process.
It's really interesting to me to see, I guess what I describe as a real shift in approach for organizations like the FBI.
We're seeing it with CISA as well, with the
outreach, even NSA, the outreach to the community. Things aren't as insular as I think people thought
they were. And I wonder, you know, people might have had this notion of the kind of the big,
bad three-letter agencies, but it doesn't, it shouldn't be that way. I mean, these resources
are for folks to take advantage of. Yeah, I think that there's, it's a
stigma or a stereotype that we're trying to get away from.
You see, you know, in TV and movies, the FBI
raid jackets, they're kicking down doors, they're carrying stuff out of a building, they're putting up
crime scene tape, and most organizations don't want that type of presence out there when they're
dealing with this. That's not what the FBI does when we respond to a cyber incident. We take the cues from
the victim organization, the targeted entity, and say, hey, let's have a phone call. We have
questions that we are going to ask that's going to help us understand what you're dealing with.
And hopefully we can provide information that we have obtained via our investigations and our work
with intelligence community partners and other government partners that can help you
deal with the situation that you have.
So our goal is to get away from that big, scary,
three-letter government agency stereotype
that sometimes exists out there and say,
no, we're truly here to help.
I know that that's an overused term.
Hey, we're the FBI. We're here to help.
But we truly are.
And we're going to engage as minimalist of a way that that organization needs.
We're not going to be rolling up in 20 black suburbans and people pouring out and making a big show of it.
We're not going to walk out of the building with your servers.
We're there to facilitate, assist, and inform rather than be disruptive.
What's your advice for folks who are looking to start that relationship to make that introduction? What's the best way for them
to go about doing that? Yeah, so the best way is at the most local level possible, right? So again,
56 field offices and hundreds of smaller sub-offices that we call resident agencies
across the United
States. Work with your local contacts. It's out there. It's on the internet. You can reach out
to your local field office, have that initial outreach, look into InfraGard programs. InfraGard
is a public-private sector partnership that the FBI works with at every field office. They have
their own chapters. It's a method to get through the door and start talking to your local FBI contacts. We have multiple agencies in field offices on cyber task forces
where you've got local police, state police, other U.S. government agencies like Secret Service and
others working together. If you've got a contact in those organizations, they can feed you into
the FBI as well. But the best thing to do is pick up the phone or pull up the email and reach out to your local FBI field office,
and we'll reach back out to you and we'll start developing that relationship.
Oftentimes that relationship blossoms.
They feed us and feed folks back into my team here at headquarters where we can engage at a more national strategic level as well.
Can you give us some insights as sort of the spectrum of services that the FBI is capable of providing?
Yeah, sure.
So when it comes to combating cyber threats in the United States, domestically especially,
the FBI is the lead investigative agency for those efforts. We've got not just an incredibly talented and strong cadre of special
agents in our field offices, many of whom are technically trained and can respond to a cyber
incident, speak the same language that some of your third-party incident responders are speaking,
but also can bridge that gap between outside counsel that are there, your inside counsel, your C-suite.
We try to speak as many languages as possible so that we can engage on all those levels.
But we've also got thousands of intelligence analysts working a number of threats,
including cyber threats, who can interface with the intelligence community, bring information in,
and enhance what we're collecting with that other information.
That oftentimes, as we build our investigations, we can feed back to organizations to help
them, but also we're putting that information out in things like our private industry notifications,
our PINs, our flash reports, which are more technically driven reports that we can provide
IOCs and TTPs for different organizations that we're investigating.
And we work really closely with CISA and other partners to put out cybersecurity advisories, CSAs jointly.
You've seen probably a lot of those come out,
especially around Russia, Ukraine.
We're working with those agencies to put content on stopransomware.gov
or the shield, cisa.gov slash shields up.
We've also got ic3.gov, the Internet Crime Complaint Center,
which is a resource where you can go obtain all these reports that we're putting out.
We also have computer scientists and data analysts that are working together with our threat teams, with our investigative teams, to be able to better enrich the information that we're investigating and identify some of those things that help us get to the next level and connect the dots. I just want to point out, we also have a cyber action team, a CAT team, the FBI,
rapid response technical investigative team that we can deploy nationally. It's hosted here in
cyber division. And these are some of the most highly trained cyber threat folks that we have
in the entire bureau that we can deploy across the country to deal with significant incidents.
You know, it also strikes me, I mean, something that I hadn't really considered
is that the information,
it's a mutually beneficial thing
because as the FBI is able to get data
from the folks out there in industry,
that helps inform the whole picture
of national security as well.
You know, at the end of the day,
if you're dealing with a cyber incident, right,
and you've got a major ransomware attack
or even potentially worse, some nation-state activity on your systems,
it doesn't do any good to withhold that information
in that our goal is to be able to take that
and hopefully help others not end up in that same situation.
There's significant benefit to sharing.
One, there's benefit individually to you
and hopefully we can come back with some information
that can help you deal with it.
Oftentimes, most times we can.
But even for that kind of greater,
I mean, again, we say it a lot,
cybersecurity is national security.
That means something.
There's a national security and public safety aspect
to these incidents.
And if you can feed that information back to FBI or to CISA,
I'll say when we get a report of an incident that's ongoing,
our first call is going to be to our CISA counterparts.
If CISA gets something reported to them,
their first call is going to be to FBI
so we can work that together.
Sharing that information does truly benefit our broader national security and public safety
mission. Yeah. So if someone finds themselves the unfortunate victim of something like this,
what's the first step? I mean, what's the contact point? Yeah, sure. What we say all the time here
is report the compromise, right? That's our message out to our partners across private sector.
If you're hit with a cyber incident,
you have to report it to us so that we can,
we can actually do something about it and hopefully assist you and others
long-term. So how do you do that?
I think that oftentimes complicates things. There are so many, you know,
ways to report things across the U.S. government and more and more seem to be
coming up when it comes to cyber incidents.
So first thing that we would say every single time,
have that contact at your local field office
that you can reach out to.
That one-on-one contact with somebody in your locality
where they have a relationship, ideally, with you already,
and even if they don't, they're nearby, right?
Like, we can bring the tools that we have right to you
because we're already there.
And so having that field office level contact
is critically important.
If you don't have that,
we have a 24-7 CyberWatch Center called CyWatch.
You can report that information to CyWatch.
Their information is out there available
for both email and phone.
Just reach out to CyWatch, provide that information, and they'll then process
it and send it to the right field office. And if all else fails, we always
have ic3.gov. You can go to ic3.gov, file a complaint,
and submit that in 24-7.
That's David Ring from the FBI.