‘We have to hit the problem the way it hits us’: How the FBI tracks a range of hacking threats

The FBI has essentially had to become a “surge force” in handling cybersecurity issues, ramping up resources to combat a threat when it makes sense to.

FBI Director Christopher Wray has been clear to Congress: cyberthreats are outpacing the FBI’s capacity to track them, and the bureau needs more money and people to catch up. Boosting the FBI’s roster of cybersecurity talent, rather than playing whack-a-mole with an expanding docket of threats, is of the essence.

“[The cyber] threat has grown exponentially in terms of actors, methods, targets, and so we need personnel and tools there in a big, big way,” Wray told Senate appropriators in May. In fiscal 2020, the FBI is asking Congress for $70.5 million more in funding compared with the prior year for cybersecurity programs, and for 33 more personnel dedicated to the issue.

Any new hires would be stepping into an agency that has transformed its approach to cyberspace in the last several years. The FBI has had to get more out of its cybersecurity personnel as the types of malware, and the number of actors willing to use it, have proliferated. The old way of relying on each of the bureau’s 56 field offices to track hacking incidents by location didn’t stand a chance of keeping up with the way a computer worm propagates or a phishing campaign escalates.

Now, if a particular malware strain or hacking group is serious enough, one field office will be assigned the lead while others provide support. The FBI has long used that structure to track state-sponsored hackers. And the SamSam ransomware, which caused tens of millions of dollars in damages from 2015 to 2018, made it clear to officials that the approach should extend to criminal groups and certain types of malware.


“In a lot of ways, we have to hit the problem the same way it hits us,” said Eric Welling, who until last month was deputy assistant director of the FBI’s Cyber Division. “So we have to have a matrixed approach, and it has to be resilient and it has to be well-connected.”

The more elastic structure is reflected in how the FBI tracks top-tier foreign hacking threats. The number of analysts the bureau has monitoring China, Iran, Russia, and North Korea fluctuates depending on how active those countries’ hackers have been, according to Welling.

A hacking threat might not affect a given field office’s environs, but “rather than sitting idle and waiting for something to happen” the FBI still wants to make use of the technically-sound analysts in that office, said Welling, who spoke to CyberScoop while still at the FBI. He has since joined consulting giant Accenture.

In the last year, Welling added, the FBI has increasingly applied that model to sophisticated cybercriminal enterprises like the financially driven group FIN7, which for years was one of the biggest suppliers of stolen credit card data on the dark web.

“We’ve ranked and prioritized [those big criminal groups] and we now have offices focusing on them as well,” said Welling, who spent more than two decades at the FBI.


The FBI has essentially had to become a “surge force” in handling cybersecurity issues, ramping up resources to combat a threat when it makes sense to. “The investigative cyber expertise in the FBI is not geographically constrained,” said John Riggi, a former top FBI cyber official who is now senior cybersecurity adviser at the American Hospital Association. That approach will only become more important as foreign hacking threats show no signs of abating.

Meanwhile, the FBI has also had to contend with the retirement in the last year of several senior cybersecurity executives, including Welling. As they compete with private companies that pay much more, FBI officials say they have invested in recruiting and retaining cyber-savvy personnel.

Blurred lines

Complicating the picture for FBI analysts, the line between criminal and state-sponsored activity has blurred as governments outsource their hacking operations for plausible deniability. Russian intelligence agents, for example, allegedly enlisted a Canadian hacker in the 2014 breach of 500 million Yahoo email accounts.

“At some point, nation-states figured out that we were able to, pretty solidly, make attribution to them,” Welling said. “What we’re seeing then is the use of hackers-for-hire, cyber mercenaries, to conduct these attacks to help blur that attribution, in some cases.”


In the last 17 months, the Department of Justice has announced charges against hackers allegedly working for China, Iran, Russia, and North Korea.

Adversaries are changing their tactics as a result of indictments, Welling said.

“As we have come out with indictments…one of the things that is a result of that is the malicious actor, they learn from that,” he told CyberScoop. “So they’ll take that and they’ll try to figure out different tradecraft or different approaches to try to mitigate how they were caught that time.”

To sift through those muddying waters, FBI officials have to work in lockstep with cybersecurity companies that often have greater visibility into network activity.

Riggi, who at the beginning of the Yahoo hack investigation was head of the FBI’s national cybersecurity program for private-sector outreach, said the case drew heavily on private-sector know-how. “There are pockets of expertise all around the country that contributed to that investigation,” Riggi said.


As the proportion of digital evidence in private hands grows, that cooperation should only intensify, he added.

It is important for the FBI to continue “to leverage the enormous cybersecurity talent and expertise which resides outside of government to assist in the identification and investigation of cyberthreats,” Riggi said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.