The FBI Builds Enduring Partnerships in Cyber

Posted: 19th October 2020
By: CAITLIN MATTINGLY

The U.S. Federal Bureau of Investigation, the FBI, has taken an increasingly prominent role in the day-to-day cyber defense of organizations and institutions here in the U.S. and globally. Through the establishment of the IC3, the Internet Crime Complaint Center, the FBI provides an invaluable public resource for prevention, response, and mitigation of cyber threats to businesses and public organizations of all sizes.

Joining us this week is FBI cyber division section chief Herb Stapleton. He shares his journey toward a mission-based career in public service, as well as his insights on the FBI’s ongoing efforts to form lasting partnerships with the people they serve.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 180 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

The U.S. Federal Bureau of Investigation, the FBI, has taken an increasingly prominent role in the day-to-day cyber defense of organizations and institutions here in the U.S. and globally. Through the establishment of the IC3, the Internet Crime Complaint Center, the FBI provides an invaluable public resource for prevention, response, and mitigation of cyber threats to businesses and public organizations of all sizes.

Joining us this week is FBI cyber division section chief Herb Stapleton. He shares his journey toward a mission-based career in public service, as well as his insights on the FBI’s ongoing efforts to form lasting partnerships with the people they serve.

Herb Stapleton:

So before I came into the FBI, I was an attorney in private practice. I practiced law in southern West Virginia for about four years before I came to the FBI and I really enjoyed that. I think it gave me a really good background for the work that I would later do in the FBI. I'm mostly focused on corporate and commercial law, and I learned a lot about how banks operate, how businesses operate and what happens when there's a dispute between those businesses, which gave me really a good foundation for work I would later do in the FBI. And so, while I was practicing law, the 9/11 attacks occurred and that was one of the things that I think really pushed me to explore a career with the FBI. Like many of the people who I joined the FBI with in the early 2000s, that was really a catalyst for making that career change.

For me, the FBI was something I was always interested in, but I grew up not knowing how much of an option that would be for me and I started to explore it after the terrorist attacks on 9/11, and was fortunate enough to get an opportunity to interview and take the battery of tests that you go through and lucky enough to be selected as a special agent in 2004. So that's how I started out.

My first office in the FBI, I was in a small office out in Cape Girardeau, Missouri, which is in Southeast Missouri, a rural area for the most part. Cape Girardeau is a college town, but the surrounding counties are fairly rural. Only four agents were in that office when I got there and that was really just an incredibly valuable and honestly fun part of my career, where I was working a whole host of criminal violations that the FBI is responsible for like bank fraud cases, drug, and gang cases.

I was working bank robberies and that's really where I got my first exposure to the cyber mission in the FBI, which at that time was a pretty new thing. And my first exposure to that was in working the online exploitation of children cases that are so critical to the FBI's mission. I went from there to Chicago where I worked organized crime in Chicago and for me, that was another introduction to the cybercriminal mission. I worked the non-traditional organized crime, which is how we put it. So basically the groups that were not typical La Cosa Nostra or Italian organized crime cases, but some other Eastern European groups. And I got involved in a case that involved a Romanian tax fraud case, which had some cyber elements to it, involved with basically stealing the legitimate credentials and identifiers of real tax filers and using those to file fraudulent federal tax returns.

And so again, my second exposure to cyber, even though I wasn't technically working in the cyber program. And then I went from Chicago to FBI headquarters and I worked at the IC3, which I know you're familiar with and many of the listeners probably are too, so the Internet Crime Complaint Center. And that was really my first foray into the cyber division and I had the privilege to work there for a couple of years. And without giving the total blow by blow, I had an opportunity to have a couple of different leadership positions in the Cincinnati field office after that, continued to touch on cyber and work in the cyber area and then about a year and a half ago, I came here to the cyber division as a section chief, responsible for the FBI's global cybercriminal mission.

Dave Bittner:

What is your day-to-day like today? Can you give us an insight? What sort of things take up your time?

Herb Stapleton:

Well, I like to joke sometimes with people when I'm talking about what it's like to be an FBI agent in general, that being an FBI agent is just like it looks on TV and the other 99 percent of the time we do paperwork. So there's some element of truth to that. The FBI is very focused on strategy and documentation and process. And so a lot of what I do now, is I try to ... I no longer work the cases as a case agent as I would have in Chicago or in Missouri, but my job is really to try to identify where our resources across the FBI are best used. So I spend a lot of time looking at what we're doing, what the great work in the field looks like. Are we focused on the right things? Should we prioritize one thing over another?

And then importantly, I think part of my role is to build partnerships with other government agencies and with folks in the private sector. So I spent a good amount of my time, before COVID, traveling to meetings where I could discuss joint opportunities with those government agencies or private sector partners and now I spend a lot of time doing whatever remote type of meeting is appropriate so that I can make sure that we in the FBI are properly lashed up with the people we need to be working with on a day-to-day basis.

Dave Bittner:

Yeah, it's interesting you mentioned that. I mean, I would say my perception over the past couple of years is that there's been a real deliberate effort on behalf of folks in the FBI to reach out, to have more engagement, to be a little less, I don't know, opaque or mysterious, or any of those sorts of things, as you say, to actively engage in partnering. First of all, is my perception correct there that that's been a real deliberate thing that you and your colleagues have been up to?

Herb Stapleton:

Absolutely. I think the word deliberate is the right word. This has been a concerted effort by the FBI to try to build partnerships and build not just a partnership for a specific case or a specific incident, but build the type of enduring partnerships that we need to be successful as a society. And I think one of the real strengths of the FBI in the cyberspace is our footprint. We have 56 field offices and over 300 satellite offices all around the country and sprinkled throughout those offices, we have highly trained cyber investigators. And so putting those people in touch with the people in their backyards, who hold the other pieces of the puzzle when it comes to combating the cyber threat, is one thing that the FBI can do as part of the whole of government effort to help fight that threat.

Dave Bittner:

Yeah, I think about that small business in a town, a community somewhere, who may have gotten hit with ransomware and I would imagine in the past that they wouldn't have thought who to contact. "Well, I'll call the FBI." I would imagine they'd think, "Well that's beyond the scope of it. They're not going to be interested in me." But I think one of the things that you and your colleagues have really done a good job with lately is putting the word out that, "No, we want to hear about these things. We need to hear about these things so that we can weave together this bigger picture of what's going on out there."

Herb Stapleton:

That's 100 percent true. And we don't want anyone to think that when it comes to a cyber incident, when there's potential criminal activity that has spawned some type of cyber incident, we don't want anybody to think that their problem is too small for the FBI. We're always happy to entertain that conversation. While we can't always take immediate action that fixes the problem as we look at the long-term solution, I look at this as pieces to a puzzle and the FBI, we hold some of those pieces, but many of them are out there with victims or private sector entities that work in the cybersecurity space and so only by really coming together and putting those puzzle pieces together can we solve that ultimately.

Dave Bittner:

Can you give us some insights as to what that engagement looks like? If someone reaches out to you and they've had some sort of a cyber incident, how does it work?

Herb Stapleton:

Absolutely. So the first thing is we need to assess, does the FBI have some type of predication or jurisdiction to help look at this problem? And so one of the things we're always looking at is, and it's not as if you have to prove this upfront, that's why we do investigations, but we're looking at, do we have sufficient facts here to say that there has been a potential violation of federal criminal law or some type of threat to national security? Those are really the two things that give the FBI its authority and power. And if we do think there are facts that suggest that that's going on, then typically a cyber-trained special agent will make contact with that victim and start talking with them about what the potential incident involved and what we can do to help.

So it's different in every situation, but some of the things that we might do is we might take information that we've gathered from other cases, indicators of compromise or potential things that could be useful to a company in trying to remediate whatever problem is going on. And so if we have that type of information in our holdings and it's not classified and we can share it, then we will. That's really the first step because we know that the number one thing that a company wants to do when they've suffered some type of cyber incident is they want to get back to business and they want to know that their systems are safe to conduct business on. So whatever information we have, we're going to provide that. The second thing that we do is we want to start a dialogue with that company about what type of information the FBI might need to collect in order to advance an investigation into this particular incident.

Fortunately for us, we have very experienced cyber agents who understand that when we make a determination that we need to collect evidence from a company, we have to balance the disruption that that particular process might cause with our need for that information. And so we try to do that in the way that is least intrusive, but still allows us to get the evidence that we need to move on. And then the third thing that we really talk about with that company, and this is something that I think we need to constantly reassure our partners of, is that if you're a victim of a cyber incident, regardless of what that is, the FBI recognizes that there's sensitivity involved in that and that is not the type of thing that a victim would necessarily want to be broadcast to the world.

And so we want to protect the privacy and sensitivity of a victim's information as we conduct the investigation. Sometimes through the legal process, if something goes to trial, ultimately, sometimes some of that information will become public, but we want to work with our partners and particularly when you've been the victim of a crime, to make sure that you don't get revictimized by having sensitive information about your business or your company published. So those are really the three initial things that we do when we find out about some type of cyber incident.

Dave Bittner:

It strikes me, I mean, that's a, I suppose, a reactive sort of thing where something happens to someone, they reach out to the FBI and the engagement begins and you collaborate together to try to do what you can. Is there a proactive component as well? For example, if the FBI gets word of something that may be happening or an organization that's been targeted and maybe that organization doesn't know about it yet, is that a situation where you all can go reach out to people out there in the private sector?

Herb Stapleton:

Great question. We do a lot of that and honestly, that's in many ways more important than the reactive piece of our mission. If we can prevent a cyberattack, that's certainly something that we want to do. Think about it along the lines of preventing violence or terrorist attacks. We want to do the same thing in the cyberspace, if at all possible. And so we have a couple of ways that we primarily engage in that way. We have an engagement unit here at headquarters that oversees engagement with the private sector on these types of topics and if we have products that we can put out broadly that would provide potential indicators to companies that would allow net defenders to protect themselves, or if we have other information that would be of use, we publish that through a number of means, not the least of which is by posting it on IC3.gov.

We also lean heavily on that field office presence when we are looking to engage. And so every field office leader, which is a special agent in charge, is tasked with engaging with the most important partners within their own areas of responsibility on all of our programs. But as you can imagine, when we do those types of engagements, one of the main concerns of executives in companies big and small are cyber threats. And so we engage in all that on a very personal and direct level. And then the last thing I would say that we try to do is promote general public awareness about this, so maybe not necessarily targeted at a particular entity or company, but when we hear about potential threats or when we see a trend indicating an increase in a particular type of threat, then we'll publish public information about that often in the form of a public service announcement posted on IC3.gov.

And of course, we have many partners in this space that we work alongside. We'll do joint seal products with other government agencies who are involved in this space, like the Department of Homeland Security, to try to speak with one voice as a government, as much as possible.

Dave Bittner:

Yeah. I mean, that was going to be my next question, which is how does that level of collaboration work between your teams and the other three-letter agencies throughout the government? What's the interaction there?

Herb Stapleton:

Well, we all have a defined role within that space and of course, the cyberspace is not simple. It's a complex environment, so there's naturally some overlap. I think, where I see the FBI is really sitting in the middle of that continuum between the offensive mission that we may have, that may be part of what the military does for example, and the defensive mission, which is really led by our partners at DHS and others. The FBI, as a law enforcement and intelligence agency, really sits at the crux of that particular framework that I just described. And we have to support both the offensive and the defensive piece through our investigations and our ability to collect intelligence on the cyber threat.

So in that regard, I think the FBI, in my biased opinion, is really a key cog in that wheel and while we do have different roles and responsibilities, our role is really to work alongside everybody within the government to make sure that we achieve our goals and objectives as a law enforcement agency, but also that we enable those other partners to take the actions they need to take. That's really the thing that's going to keep the American people most protected is if we work together in that fashion.

Dave Bittner:

What sort of advice do you have for someone who may be inspired to follow in your footsteps, someone who thinks that maybe a career, a mission-based career, in an organization like the FBI might be for them? What sort of things would you say they need to know to pursue something like that?

Herb Stapleton:

I think the most important thing that they need is just the willingness to take that leap and go for it. I think there are probably many people who have an interest in serving with the FBI who think maybe it's not for them, or it's something that they can't do. You won't know that until you give it a try. We need people from all different backgrounds and people of all different types of skills to make the FBI the strongest it can be. I think a little more specifically, the service that I have been able to provide to my country and the citizens of the United States as a part of this organization is something that you can't put a price tag on. There's really no replacement for the fulfillment that you can get out of serving in an organization with a very important and specific mission like the FBI has.

And we need the very best people that we can get to come to the FBI, if we're going to continue to do our job the way we have for the past hundred plus years. And then really specifically to cyber, I would also say, as I talked about my background earlier, one thing I never mentioned was my computer science degree or my background in information technology, and that's because I don't have one. I think that we certainly need those folks with strong technical backgrounds who really know the ones and zeros of this type of work, but we also need people who may not have that background yet, but have an aptitude for learning and have the ability to do all the other things that make the FBI successful. So I've encouraged people of all backgrounds to get into the cyber mission, in particular within the FBI, because number one, I think that diversity of background makes us stronger in the cyber program and number two, I can't see the cyber mission decreasing in importance as we go forward. I think it's only going to become more and more important to the FBI and the country.

Dave Bittner:

And you get to have one of those cool windbreakers too, right?

Herb Stapleton:

Exactly. That's the main thing, the windbreaker.

Dave Bittner:

Our thanks to FBI Section Chief, Herb Stapleton, for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
