First, I’d like to talk for a moment about the threats we’re facing today, and I’ll start with one that’s at the top of the Bureau’s list of concerns and should be at the top of every U.S. company’s list, too.
That’s the counterintelligence threat posed by China. When we tally up what we see in our cases, nothing presents a broader, more severe threat to our ideas, our innovation, and our economic security than the People’s Republic of China.
The PRC is leading a generational fight for China to surpass the U.S. as a global superpower, and it’s pursuing those goals with little regard for international norms and laws and certainly not through fair and lawful competition.
Instead, the Chinese government has shown its willingness to steal its way up the ladder. In fact, the scale of China’s theft of U.S. innovation is unprecedented. And as a result, U.S. companies are facing a greater, more complex danger than they’ve ever faced before.
Because stolen innovation is not just the theft of one idea—it means stolen jobs, stolen opportunities for American workers, stolen national power, and stolen leadership in the industries China seeks to dominate in the decades to come.
That’s why investigating and preventing economic espionage and illicit technology transfer to the Chinese state is a top priority for the FBI.
Let me give you some context for this threat. The FBI has 56 field offices across the country.
Every single one has cases on the Chinese government’s attempts to steal U.S.-based information and technology, and those investigations tell us a lot about the tools and tactics the Chinese government uses to steal what it wants from unwitting companies.
These tactics range from the use of intelligence officers, to hackers, to front companies, to seemingly benign joint ventures or research partnerships to recruiting employees who use their legitimate access to steal corporate secrets, what we all refer to as “insider threats.”
Now later today, you’ll hear from Rachel Rojas, who heads up the Bureau’s Insider Threat Office, and others from both the USIC and the private sector who work in this field, in what promises to be a great panel discussion about establishing and running an insider threat program within your own organizations.
But I’d be remiss if I didn’t take a couple minutes to highlight the significant role insiders play when it comes to the Chinese government’s theft of American information and innovation.
So, I want to tell you a little bit about the case of Shan Shi. He was sentenced to federal prison in 2020 for stealing trade secrets from a company in Texas regarding a technology called syntactic foam. It’s export-controlled because it’s got important military applications–it allows submarines to evade detection underwater.
In that way, it helps make up the foundation of our naval power–and it’s also part of a multibillion-dollar oil and gas industry. Most important, it’s a technology China’s government agencies and state-owned enterprises hadn’t been able to manufacture themselves.
So here’s what they did instead. They gave Shi three million dollars to incorporate a company in Houston and get what they needed to make syntactic foam in China. But first he needed the technology, so he targeted the American victim company’s employees on social media.
Shi used cash incentives and cushy job offers to entice two former employees, two former insiders, to help with this effort in exchange for the company’s trade secrets and technical data.
Once he had the information, Shi sent it to China, where they started manufacturing a key component of syntactic foam.
Now, and here’s one of the more galling and egregious aspects of the scheme. Shi and his co-conspirators actually patented in China the very manufacturing process they’d stolen from the American company, and the Chinese government actively helped them do it.
Then, Shi contacted the victim company and offered it a joint venture using its own stolen technology. His business plan?
Gain the company’s cooperation—and then put it out of business and take over the market. We’re talking about an American company that spent years and millions of dollars developing a technology.
The Chinese government couldn’t replicate it. So instead, it paid to have it stolen. Fortunately, this story has a happy ending.
Although the FBI’s investigation started after the trade secrets were stolen, we were able to move quickly and prevent more damage. Eager to secure his employees’ jobs and keep a critical technology out of the Chinese government’s hands, the victim company’s CEO fully cooperated with the Bureau.
Indictments and arrests soon followed, and we disrupted a planned purchase of millions of dollars’ worth of manufacturing equipment destined for China.
Ultimately, four defendants—including the two insiders—pleaded guilty. Shi was convicted at trial and the Chinese government’s attempts to dominate that particular industry were thwarted.
But of course, economic espionage isn’t the only threat American companies are facing. The broader cyber threat ranks right up there, too. And it’ll stay near the top of our list as long as nation-states and cybercriminal syndicates keep innovating.
They’re constantly developing new ways to compromise our networks and get the most reach and impact out of their operations. As a result, today’s cyber threats are more pervasive, hit a wider variety of victims, and carry the potential for greater damage than ever before.
At the Bureau, that translates to the literally hundreds of national security and criminal cyber threats we’re tracking and countering, around the clock. We’re most concerned about possible cyberattacks against our nation’s critical infrastructure that could wreak havoc in our everyday lives.
A big portion of critical infrastructure attacks today come from ransomware groups. Last year alone, we saw ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
Not only have they wreaked havoc on company operations and caused devastating financial losses, but we’ve also seen them compromise networks for oil and gas pipelines, healthcare systems, grade schools, 9-1-1 call centers, and local governments.
They cause real-world harm, threatening our national security, economic vitality, and public health and safety. And the monetary losses associated with ransomware are striking.
In 2020, victims paid an estimated $350 million in ransom—an increase of more than 300% over 2019—with the average payment at more than $300,000. And those ransom amounts often pale in comparison to the massive costs associated with business disruption and remediation.
In total, between 2019 and 2021, the number of ransomware complaints reported to the FBI increased by 82%.
As harmful as attacks are when conducted by criminal actors, though, targeting of vital networks is in some ways even more dangerous when it’s done by nation-states.
Their efforts may look the same as a criminal attack at first. For example, if they’re using ransomware, you see a notice that your data is encrypted. But when a nation-state is responsible, there may not be a decryption key available—at any price.
Last June, hackers sponsored by the Iranian government prepared to launch a ransomware attack against a U.S. children’s hospital. Let me repeat that: a children’s hospital.
And in 2017, the Russian military used purported ransomware called NotPetya to hit Ukrainian critical infrastructure.
It was supposed to look like a ransomware heist, but it was actually designed to destroy systems. They targeted Ukraine, but ended up also hitting systems here, throughout Europe, and elsewhere.
That attack ended up causing more than 10 billion dollars in damages—one of the most damaging in the history of cyberattacks—and went global before anyone knew to do anything.
Just last month, we disrupted a global botnet of thousands of infected network hardware devices under the control of Russian military intelligence hackers. With the ongoing conflict raging in Ukraine, we’re particularly focused on the destructive cyber threat posed by the Russian intelligence services and the cybercriminal groups they protect and support.
But we’ve also got to keep a close eye on other nations with a history of threatening us in cyberspace, which brings me back to China.
In March 2021, Microsoft—a valuable DSAC partner–and other U.S. tech and cybersecurity companies disclosed some previously unknown vulnerabilities targeting Microsoft Exchange Server software. They warned the public that cyber actors were exploiting those vulnerabilities to illegally access email servers.
The hackers were operating out of China. Through our private sector partnerships, we identified the vulnerable machines and learned the hackers had implanted webshells, malicious code that created a backdoor and gave them continued remote access to the victims’ networks.
So we pushed out a joint advisory with CISA to give network defenders the technical information they needed to disrupt the threat and eliminate those backdoors. But some system owners weren’t able to remove the webshells themselves, which meant their networks remained vulnerable.
So we executed a surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers. Those backdoors the hackers had propped open?
We slammed them shut, so the cyber actors could no longer use them to access victim networks. Our work wouldn’t have been successful without the strong partnerships we have with the private sector.
And those partnerships also enabled the U.S. to join our allies last July in publicly attributing the Microsoft Exchange compromise to China’s Ministry of State Security. And that’s just one example, out of many, where we’ve shown the U.S. business community that when it comes to cyber investigations:
One, we’re here to help. Two, building relationships with us ahead of time can go a long way in protecting your information, technology, and innovation. And three, there’s actually quite a bit we can do even after the fact to recover what’s been stolen or to mitigate the damage—if you come to us early.
Bottom line, whether you’re in the midst of a cyber problem or you’re preparing for one, we’re here for you.
Importance of Partnerships
It’s clear we’re up against some awfully serious threats to our economic and national security. And it’s equally clear that if we’re to continue combating those threats successfully, we’ve got to maintain and strengthen our partnerships with you.
We know we need to keep a meaningful dialogue going, and continue building trust throughout the private sector.
One of our most important partnership efforts is this one—DSAC—and for 17 years, it has served an absolutely critical role in keeping Americans safe.
What started as a few CSOs meeting with the FBI and State Department has grown into a powerful organization representing more than 600 U.S. companies and millions of employees, at least 50 unique industries and nearly every critical sector.
Today, through our DSAC portal, we’re sharing important security information, intelligence products, event notifications, and training resources.
And when a critical incident occurs or an emerging threat surfaces, we’re providing you with as much detail as we can—in the immediate aftermath and in the days and weeks that follow.
You, in turn, are sharing with us your insight, knowledge, and expertise about the threats affecting you.
Combining our intelligence with what you’re seeing, making all of us stronger.
I can’t overstate how proud I am of this organization’s success, nor how grateful I am to DHS, our partners in developing DSAC for the past 14 years, for helping to make it possible.
Still, that doesn’t mean there isn’t room for improvement. That’s why, this past December, our Office of Private Sector held a day-long strategy session with DSAC’s Expanded Executive Working Group.
It was a day of candid conversation about what we’re doing right that’s most helpful to you—and what we can do better, too.
The group provided a lot of valuable feedback on ways to improve our DSAC community, and we took that feedback to heart.
We’ve used it to put together short- and long-term strategies to guide DSAC, emphasizing four strategic pillars: people, partnerships, capabilities, and innovation.
And before I close, I’d like to share a little about those pillars and why we believe they’re so important.
First among our four pillars is people. Sure, DSAC’s a success today, but to ensure that success tomorrow and into the future—well after we’ve all retired—we need to increase diversity among our members and leaders.
And by that I mean both diversity in terms of the sectors and industries DSAC represents, as well as in the demographics of our members.
That’s the only way we can make sure we’re bringing the right mix of perspectives to the table.
The second of our strategic pillars is partnerships. And I hope I’ve made clear today—and many times over the years—partnerships are this organization’s bedrock.
We all need each other, and we all have a lot to gain from a strong partnership. When we can combine what we see with what you see, when we work together, our two plus your two equals more than four—five, or six, or seven. So an important part of our strategy involves a focus on those partnerships, on making sure you, as DSAC members, have the information and relationships you need for successful security collaboration.
Third among our pillars is capabilities. What we need to have so we can effectively do our jobs—keeping companies, and people, safe.
To inform our decision making, it’s important that we’re all making the best use of the analytic tools we’ve got. That we’re offering the best training and resources to keep our members at the top of their game.
And that we’re investing in DSAC’s working groups so we can continue improving the way all of us work together.
Our final pillar is innovation. In the private sector, you’re no strangers to the pressure of finding new ways to be more efficient, more agile, and more resilient. And in government, we’re always working to stay a step ahead, too.
DSAC should be no different. We need to be working constantly to update our technology, so we can communicate and share information more effectively. And we’ve got to find new ways to increase collaboration across the private sector.
So while we should be proud that we’ve come a long way since those days of informal meetings with a handful of CSOs, we definitely aren’t resting on our laurels, and we know we’ll continue to have our work cut out for us.
Today, I’ve described the pretty daunting threats we’re facing to our economic and national security.
But I hope I’ve also demonstrated that we’re depending on you, our private sector partners, to help us keep Americans safe, to help us keep U.S. businesses and jobs safe, and to help us keep American information, technology, and innovation safe.
Because while that responsibility may be a daunting one, our adversaries are no match for what we can accomplish when we work together.
So, thank you for the work you’ve done with us as members of DSAC. I look forward to our continued partnership.
I know next you’re going to hear from Secret Service Director Murray, and I’m sure he’ll have some excellent thoughts on how to strengthen partnerships as well.