U.S. Department of State

Cybercrime: International Partnerships to Combat Threats

FPC Briefing
Shawn Henry
Assistant Director, Cyber Division, FBI
Foreign Press Center
Washington, DC
May 26, 2009


3:00 P.M. EDT

MODERATOR: Good afternoon and welcome to the Washington Foreign Press Center. This afternoon we have Shawn Henry. He’s the Assistant Director of the Cyber Division at the FBI, and he will discuss cybercrime and international partnerships to combat threats. He’ll take – he’ll make some – discuss it a little bit and then he’ll take questions. And at that time, I ask that you wait for the microphone and state your name and media organization. Thank you.

MR. HENRY: Good afternoon, glad to be here today. I’d like to talk to you about cyber threats, some of the things that we’re seeing here in the States, particularly from the FBI’s perspective, and then discuss some of the mitigation strategies that we’re currently engaged in both here in the U.S. as well as outside the United States with our foreign partners. I’d be happy to just start with some kind of brief discussion points and then take some questions that you’d like to provide.

Essentially, what we currently see is threats across all networks, both here in the United States and information that we get from our partners, is that it’s widespread around the world. From within the United States, there is – or against the United States, there are many attacks on a regular basis against many of our networks, a lot of attacks on our financial services sector. And we’ve identified groups operating from around the world that are engaged in targeting the financial sector for personal gain. We’ve seen attacks against – or attempts by groups that are sympathetic to the jihadi cause that are interested in having some type of an impact on our networks here similar to the type of impact they’d expect from a kinetic attack, so there are groups that are interested in looking to obtain the skill set necessary to allow them to infiltrate networks, to breach networks, and to take all that intelligence that’s contained within.

The networks are a target because of all of the information that they withhold on a regular basis. So information related to research and development, information related to commerce, information related to corporate strategies, political strategies, et cetera, make all the networks a viable target for these groups.

One of the things that we’ve seen a great increase in recently is attacks by organized groups that have met together online in a virtual environment. So these are groups of people that may never have met each other physically, but they gather collectively online. Many of them, oftentimes from different countries, each having a specific area of expertise. So if you were to consider in the physical world a group that was attacking jewelry stores, for example. You’ve got somebody who’s an expert on identifying where the best products are, the highest value products. You’ve got somebody who’s an expert in the alarm system. You’ve got somebody who understands how to defeat the safe. You’ve got somebody who might be the getaway driver. And you’ve got somebody, who once they steal the jewels, are able to sell them and collect the cash.

We see that same type of strategy being used by organized groups that are attacking our financial sector. So we’ve got people who are very good at crafting malware. You’ve got other members of the group that can distribute the malware around the network. You’ve got people who are collecting the personally identifiable information once the malware compromises a computer. And you’ve got others who are taking that personally identifiable information and being able to use it through different fraud schemes to convert that money to cash or that information to cash. And then you’ve got others who are taking the cash and redistributing the money back to the members of the group.

The attacks that we’ve seen, as they continue to increase, are becoming more sophisticated and more widespread. And some of the strategies that we’ve used to try to mitigate them are quite varied.

Primarily, we’ve got to prioritize on the attacks that we focus on. Because of how many there are, we’ve got to really prioritize on the most critical and just work collaboratively with our partners throughout the U.S. and abroad. We work very, very closely with the private sector. It’s critical that the private sector in the United States owns 85 percent of the infrastructure, and it’s really important for us to work in a situation where we can share information with them back and forth about the attacks that they see, the emerging threats, and that we can provide them with information about the new attack vectors that we’re identifying so that they can better protect themselves.

We have a tremendous effort abroad with foreign partners. We’re working with many, many nations in this effort. Probably four or five years ago, we had a very limited exchange of information with foreign partners. But the attacks that we see are global in nature. The internet has no geographic boundary. The impact is on all commerce, worldwide commerce, not necessarily just on the U.S., but on other financial institutions around the world, other economies around the world, retail sector around the world. And our partners are working very closely with us to help us to try and defeat some of these adversaries. So I mentioned that a lot of these groups are getting together online virtually, and oftentimes they’re in five or six different countries. So without that cooperative effort, our ability to try and mitigate that threat is somewhat limited.

One of the other things that we’re doing is really working proactively. So we’ve used undercover operations. We’ve used judicially authorized surveillance of the adversary to try to identify across these groups, both vertically and horizontally within these groups to try to identify the full breadth of the adversary. And that’s provided us with a good insight into who some of these people are and allowed us to successfully arrest or apprehend, identify many of these subjects. So that’s been very, very valuable.

In the U.S., we have started the Comprehensive National Cybersecurity Initiative, which is a strategy that this current Administration has embraced. Just in terms of the recognition of the cyber threat and the need to actively engage against the cyber threat, there’s been a 60-day review that’s been ongoing over – looking at what the prior administration had done and looking to determine which parts of the CNCI, the Comprehensive National Cybersecurity Initiative, will go forward. That report will probably be made available publicly over the next few weeks. But the President is, or is going to be evaluating that report, and looking forward.

So the CNCI generally just looked at a number of different areas across the infrastructure where we could better shore up our defenses and how we could leverage capabilities across different agencies to better protect ourselves against the cyber adversary. So it’s quite a large strategic look at how to defend networks and to respond to these types of attacks and threats. And you’ll be hearing more of that coming out of the Administration, I would imagine sometime in the next few weeks.

So those are just a couple quick points. I’d be interested in any comments or questions that you might have that relate to the FBI cyber strategy or the cyber threat.

MODERATOR: We can take your questions now. Right here.

QUESTION: Thank you very much, sir. Ahu Ozyurt from CNN Turk and Milliyet. Can you give a little bit more detail about your partnerships abroad? And there are some criticisms in some countries that the tools you make available for your partners are used by some of the law enforcement agencies there against the oppositions by certain, you know, monitoring their emails, following their sort of chat forums and things like that. Can you elaborate what the limitations are and what you make available for your partners outside of the U.S.? Thank you.

MR. HENRY: Sure. So I’ll talk about one particular country, because there are certain countries that we have actually done a lot of work with and have had a very productive partnership. And because of ongoing operations, we’re not able to discuss all of the partnerships.

But one that’s been highly publicized over the last two years, which I will mention and use that as kind of an example for some of the things we’re doing elsewhere, is the work we’re doing in Romania. I visited Bucharest back in 2003 and met with a number of cabinet-level officials, ministers across the government, just to talk about the threat and the impact that I saw on the Romanian economy, the Romanian commerce, because many companies in the United States were shutting down contact with Romania because of all the attacks that they saw. So they were actually black holing, or preventing any communication with Romania, certain retailers were because of the attacks that they saw. The Romanian Government recognized the significance of the attacks and the need to partner. And we actually sent an agent over to work physically in the Romanian National Police headquarters, agents and analysts, to work full-time, side-by-side, in Romanian National Police space.

When our agents are deployed overseas to work with our partners, we’re there really as liaison officers. We don’t have law enforcement authority in those nations, so we work in coordination with the – with the host government’s law enforcement, and they use their authorities, but with – oftentimes with information that we provide to them about who a particular attacker is or where we see an attack coming from.

In terms of sharing tools, certainly anything -- technology that we would share with any foreign government, I would imagine that the host government law enforcement would use those tools under – under authorization of their local laws, their native laws. So we wouldn’t have – I mean, I certainly would not go in and interpret how somebody was using tools, but I would imagine that local law enforcement would use those tools. Likewise, if we were to get tools from another government, a partner agency, we would only be able to use it in accordance with all our laws or strategies.

MODERATOR: Next question right here.

QUESTION: This is Jennifer Lee from the China Press. I have a problem. Recently, many media said there are some more and more internet attacks on China. And could you please introduce some in details, such as what kinds of organization or individual come originally from China? And do we have some connection with China to deal with this problem together? Thank you.

MR. HENRY: So I think that certainly all governments should have an interest in protecting the internet – protecting computer networks. It’s the way we all communicate. That’s the way we do business. The business of the world is done on the internet, so I think all governments should have an interest in protecting the infrastructure.

Regarding attacks, I don’t know that it’s necessarily prudent to talk about specific countries and attacks, because the fact of the matter is we see attacks emanating from all over the world, including from right here in the United States. So many of the cases that we work start here in the United States, where somebody is launching an attack from here or using a computer that’s compromised here in the U.S.

When I talk to businesses, I always explain to them that what’s most important is to work on the network security, because it doesn’t really matter if it’s a particular country or if it’s an organized group or if it’s somebody associated with a terrorist organization. The fact of the matter is you’ve got to protect the property, the technology, the information that’s contained on that network. And it’s critical, because once it’s gone it doesn’t really matter who took it. The fact of the matter is anybody can actually get their hands on it once it’s left the network. So I think it’s really important to focus on the protection of the network rather than who a particular adversary might be.

MODERATOR: Next question in the front.

QUESTION: Hi. Alex Spillius, Daily Telegraph. Can I just clarify, is the FBI mainly concerned with protecting corporate and private financial world, rather than the U.S. Government? Which – how is – then how is the labor divided between you and the Pentagon? And also, could you describe any attacks on either private or government sections that have actually got close or worked or –

MR. HENRY: I’m sorry, the first part of your question?

QUESTION: Well, is – are you mainly working with – you said attacks on financial centers in your opening remarks. I mean, is that the government’s – the U.S. Government is under threat, or Wall Street firms?

MR. HENRY: Okay. So, there are attacks that we see on .gov, .mil, .com, covering the full spectrum. And we work with domestic partners and foreign partners in those areas to try to identify the source of the attack, and how do we respond to the attack.

The actual day-to-day security of networks is really the responsibility of the owner of the network. So – you ask about Wall Street. A company on Wall Street is responsible for defending themselves. Once they’ve been breached, we’ll work with them to help to identify. Just like everybody is responsible for securing their house, lock the doors at night, turn on the alarm, make sure your outside lights are on; if somebody breaks into your house, there will be a police response.

So the other part that I mentioned was that 85 percent of the infrastructure is owned in the United States by the private sector. So they’ve got a great responsibility for defense.

The Department of Homeland Security is also a big player in this. The Department of Homeland Security is responsible for consequence management. They’re responsible for identifying – we work very closely with them in identifying where threats are and how to respond to those types of threats. But our – our focus would be in threat mitigation, how do we identify who an adversary might be, and how do we – how do we link back to that particular adversary.

QUESTION: Have any attacks come very close to hitting their target or have done so recently? Are there any examples you can give?

MR. HENRY: Yes, there are. And no, I won’t.

There are attacks all the time. I mean, we see attacks all the time where there have been breaches. One of the things we try not to do is to identify victims, because we want to protect their – themselves, protect them from the impact that it might have if it’s known that they were breached, and it’s not always necessary for us. Periodically, we’ll discuss some of those attacks publicly, but not generally.

MODERATOR: Right over here.

QUESTION: I’m Elvira Palomo with EFE News Services. This is a general problem. I’d like to know if you have something, a special relationship with Spain and which kind of case are related from Spain and also in general with Europe with partnerships.

MR. HENRY: So I had said that I really didn’t want to talk about individual countries because of some of the ongoing operations. And there are some countries that are – I’m sorry?

QUESTION: (Off-mike.)

MR. HENRY: So we worked – we’ve worked on every continent except probably Antarctica. We’ve worked on every continent with law enforcement agencies, on every continent except Antarctica, and we worked very, very closely. And the breadth of those relationships has only grown in the last couple of years. We actually have 60 countries that we have FBI agents deployed in right now around the world, 60 countries where they work full time as liaison officers with our partners. And those agents are responsible for responding to leads in ongoing investigations.

So for example, we do have a liaison officer, it’s public knowledge, in Spain, in Madrid, I believe. And we have our agents here who are working and responding to cyber investigations. If there is a connection to a Spanish case, we’ll contact our officers in Madrid who will work with the Spanish authorities to help us identify. I have agents who we’ve also deployed who were full-time cyber agents, working cyber who we’ve deployed overseas, and that’s all that they’re doing is working cyber matters. Those are the ones I don’t want to talk about because of some of the pending investigations that we have. But --

QUESTION: How many agents (inaudible)?

MR. HENRY: We’ve got probably about 700.

QUESTION: Are there enough?

MR. HENRY: We actually have increased and we’ll continue to increase going forward.

MODERATOR: Next question.

QUESTION: If you can, go ahead with the cyber terrorism. Say something more about the cyber terrorists, how do you – how many --

MR. HENRY: So we’ve seen groups that have interest in a couple of different areas. One area would be looking to – through fraud on the internet, looking to steal money to raise funds for their cause. And we’ve also seen groups that have an interest in trying to attack networks of infrastructure, computer networks that are part of the infrastructure to see that they can have the same type of impact on the economy, on society, as they might if they were to use a traditional kinetic attack.

So there are ongoing operations now. I can’t give you the number, but we’ve got ongoing operations now, several of which are, again, involved with foreign law enforcement around the world, looking at how do we mitigate those. We’ve identified certain subjects. How do we actually mitigate and stop those attacks before they occur; preventive, rather than reactive.

MODERATOR: Next question.

QUESTION: This might just be a follow-up, and I don’t know if you would like to answer it. But you mentioned that there are some organized groups that meet online that do not physically see each other, but get organized. Is there a specific or general geographic clusterization of these groups? Can you give out locations or, you know, I mean –

MR. HENRY: There are actually – we’ve seen groups with members operating from six or seven different countries. So --

QUESTION: Can you name some of those countries (inaudible)?

MR. HENRY: No, I’d rather not, just because we actually have ongoing operations right now, where we’ve identified certain people. And some of the partners that we’re working with are – would rather us not discuss it just because of some of the operations that they have. So for the safety of people that are involved and for the ongoing operation, we wouldn’t talk about that specifically.

But again, there’s no geographic boundary. Anybody with a laptop and a wireless connection anywhere in the world can attack some of these networks. So in the physical sense, in the real life world, if you owned a business, you had to worry about people who would walk by and come into your business and steal money potentially, right, physically.

But with online commerce, the number of potential subjects is anybody with connection to the network, because a lot of the tools are available online. You don’t need a great deal of sophistication. A lot of the tools are – you can download and – click on, download and deploy and use them to try and attack certain networks. So really, everybody with a laptop and the intent is a potential threat.

And that’s why we see groups that are collaborating online across multiple countries because they’re not restricted by boundaries. And when they’re looking for the best spammer, if they’re looking for somebody who controls a large botnet that can distribute their malware, they’re looking for the best. And they can search the world. They don’t have to worry about, you know, I’m going to find somebody who’s within commuting distance, because those boundaries don’t exist. So it really is quite a large pool of potential subjects and they are from all walks of the globe.

MODERATOR: Yes, right here.

QUESTION: To follow up on that, how do they find each other? I mean, are there forums or websites where people --

MR. HENRY: There are. There are forums and websites. We actually had an operation just within the last year, I think in the fall of last year that we took down, where we had infiltrated one of these forums that had several thousand people that were trading information that had been stolen from networks, from companies around the world. They were trading skills, they were trading malware. We were able – using an undercover agent, able to infiltrate and dismantle that particular operation.

But there are many others that operate out there – some that are somewhat known, others that are password protected and well controlled by the adversary so that they’ve got a secure communication channel. Again, similar to the physical world, where you’ve got people who communicate covertly to avoid detection from law enforcement, same issues that we have to deal with on the internet side. But there are places where they will congregate and meet just like, you know, a dark alley in a major city.

MODERATOR: Right here.

QUESTION: Hi, I’m Scott Stewart with the Sankei Shimbun of Japan. Frequently, when there are media reports about attacks on U.S. Government networks, it’s reported that the people believe the attacks originated in China, but they – usually, U.S. Government officials are reluctant to say definitively that they are because it can be made to look as though something originates in a certain place. Is there a way to definitively know? I mean, can you know or is it – or is it impossible to know where attacks really originate from?

MR. HENRY: So the first – the whole first part of your question, the preamble to your question is very accurate, that people can disguise where they’re attacking from, and it’s often difficult to identify.

I think, without going into details here, there are certain investigative techniques that we can utilize to try and identify with some specificity where the attack is emanating from, and more importantly, whose fingers are on the keyboard. Because you can identify a particular computer, but if I have a computer in this room, you know, there might be 20 potential people who actually did it. So that’s a whole other part of it.

But there are certain investigative techniques. Again, I can’t go into great detail here. I’ve talked about some of them thus far, talking about some of the techniques that we use.

MODERATOR: Did you have a follow-up?

QUESTION: I just wanted to know if you can explain how they hide themselves in the internet, because I suppose that those websites are not available for everybody. And although you cannot specify, almost in general, how many cases you work per year? You have your --

MR. HENRY: So – I’m sorry, the first part of your question, how they --

QUESTION: Yes, how they – the people who meet in internet to commit cybercrimes, how do they get those websites or how are they available or are they secret? Or how --

MR. HENRY: They are. And so, I mean, it’s – again, I try to equate much of what we see in the virtual world to what we see in the physical world. So there’s – there are groups of people who are inclined to participate in activity, in criminal activity, and they associate with people who participate in criminal activity.

And these are – these things just kind of get around. I mean, people know somebody’s looking for something. They know that they’re looking for a particular piece of malware, or they know they’re looking for somebody who owns a botnet, and they’re referred to these people because they’re online talking to other people and it just kind of happens. It all kind of comes together.

When you go online and you’re there for a couple weeks or a month or so, you really get to know – get a feel for where the people you want to do business with are congregating. And that happens. It’s how, in some of the operations that we’ve been involved in, we’ve been able to identify some of these people, because we’ve associated in the same groups.

QUESTION: And how many cases have you been (inaudible) more or less, per year?

MR. HENRY: A lot. I can’t --

QUESTION: Not the concrete, but more or less?

MR. HENRY: More than a thousand.
MODERATOR: Any other questions? Yes, in the back.

QUESTION: Yeah, but what is the difference of approach between this Administration --

MODERATOR: Could you identify your --

QUESTION: ANSA of Italy. What is the difference of approach between this Administration and the previous one in fighting cybercrimes?

MR. HENRY: This Administration has made it very well known that this is going to be a top priority in the Administration. And many of the people who worked in government that are career government employees traverse the administrations, so a lot of the people like myself who worked in the prior administration, work in this Administration. So a lot of the expertise and many of the methodologies continue over.

I think that we’ll see. I mean, this current Administration is relatively new, and the President has said that he would – has certainly identified this as a threat, and after the 60-day review comes out in the next couple of weeks, we’ll get some specific direction or a more specific direction. But I think it’s very positive.

MODERATOR: Any other questions? Okay. Well, with that, I want to thank the Assistant Director for coming today.

MR. HENRY: Thank you very much.

# # #