27 October 2022

How the FBI stumbled in the war on cybercrime

Renee Dudley and Daniel Golden

Investigating cybercrime was supposed to be the FBI’s third-highest priority, behind terrorism and counterintelligence. Yet, in 2015, FBI Director James Comey realized that his Cyber Division faced a brain drain that was hamstringing its investigations.

Retention in the division had been a chronic problem, but in the spring of that year, it became acute. About a dozen young and midcareer cyber agents had given notice or were considering leaving, attracted by more lucrative jobs outside government. As the resignations piled up, Comey received an unsolicited email from Andre McGregor, one of the cyber agents who had quit. In his email, the young agent suggested ways to improve the Cyber Division. Comey routinely broadcast his open-door policy, but senior staff members were nevertheless aghast when they heard an agent with just six years’ experience in the bureau had actually taken him up on it. To their consternation, Comey took McGregor’s email and the other cyber agents’ departures seriously. “I want to meet these guys,” he said. He invited the agents to Washington from field offices nationwide for a private lunch. As news of the meeting circulated throughout headquarters, across divisions and into the field, senior staff openly scorned the cyber agents, dubbing them “the 12 Angry Men,” “the Dirty Dozen” or just “these assholes.” To the old-schoolers — including some who had risked their lives in service to the bureau — the cyber agents were spoiled prima donnas, not real FBI.

The cyber agents were as stunned as anyone to have an audience with Comey. Despite their extensive training in interrogation at the FBI Academy in Quantico, Virginia, many were anxious about what the director might ask them. “As an agent, you never meet the director,” said Milan Patel, an agent who attended the lunch. “You know the director, because he’s famous. But the director doesn’t know you.”

You also rarely, if ever, go to the J. Edgar Hoover Building’s seventh floor, where the executive offices are. But that day, the cyber agents — all men, mostly in their mid-30s, in suits, ties and fresh haircuts — strode single file down the seventh-floor hall to Comey’s private conference room. Stiffly, nervously, they stood waiting. Then Comey came in, shirt sleeves rolled up and bag lunch in hand.

“Have a seat, guys,” he told them. “Take off your coats. Get comfortable. Tell me who you are, where you live and why you’re leaving. I want to understand if you are happy and leaving, or disappointed and leaving.”

Around the room, everyone took a turn answering. Each agent professed to be happy, describing his admiration for the bureau’s mission.

“Well, that’s a good start,” Comey said.

Then sincerity prevailed. For the next hour, as they ate their lunches, the agents unloaded.

They told Comey that their skills were either disregarded or misunderstood by other agents and supervisors across the bureau. The FBI had cliques reminiscent of high school, and the cyber agents were derisively called the Geek Squad.

“What do you need a gun for?” SWAT team jocks would say. Or, from a senior leader, alluding to the physical fitness tests all agents were required to pass, “Do you have to do pushups with a keyboard in your backpack?” The jabs — which eroded an already tenuous sense of belonging — testified to the widespread belief that cyber agents played a less important role than others in the bureau.

At the meeting, the men also registered their opposition to some of the FBI’s ingrained cultural expectations, including the mantra that agents should be capable of doing “any job, anywhere.” Comey had embraced that credo, making it known during his tenure that he wanted everyone in the FBI to have computer skills. But the cyber agents believed this outlook was misguided. Although traditional skills, from source cultivation to undercover stings, were applicable to cybercrime cases, it was not feasible to turn someone with no interest or aptitude in computer science into a first-rate cyber investigator. The placement of nontechnical agents on cyber squads — a practice that dated to the 1990s — also led to a problem that the agents referred to as “reeducation fatigue.” They were constantly forced to put their investigations on hold to train newcomers, both supervisors and other cyber agents, who arrived with little or no technical expertise.

Other issues were personal. To be promoted, the FBI typically required agents to relocate. This transient lifestyle caused family heartache for agents across the bureau. One cyber agent lamented the lack of career opportunities for his spouse, a businesswoman, in far-flung offices like Wichita. The agents told Comey they didn’t have to deal with “the shuffle” around the country for professional advancement because their skills were immediately transferable to the private sector and in high demand. They had offers for high-profile jobs paying multiples of their FBI salaries. Unlike private employers worried about staying competitive, the FBI wasn’t about to disrupt its rigid pay scale to keep its top cyber agents. Feeling they had nothing to lose, the agents recommended changes. They told Comey that the FBI could improve retention by centralizing cyber agents in Washington instead of assigning them to the 56 field offices around the country. That made sense because, unlike investigating physical crimes like bank robbery, they didn’t necessarily need to be near the scene to collect evidence. Plus, suspects were often abroad.

Most important, they wanted the bureau’s respect.

Comey listened, asked questions and took notes. Then he led them to his private office. They glanced around, most of them knowing they were unlikely to be granted such access to power again. Comey’s desk featured framed photos of his wife and children, and the carpet was emblazoned with the FBI’s seal. The agents had such respect for the bureau that they huddled close so that no one had to step on any part of the seal.

Perhaps the most striking feature of the office was the whiteboard that sprawled across one of the walls. On it was an organizational chart of the bureau’s leadership with magnets featuring the names and headshots of FBI executives and special agents in charge of field offices. Many were terrorism experts who had risen through the hierarchy in the aftermath of the Sept. 11, 2001, attacks.

Comey was sympathetic to his visitors and recognized the importance of cyber expertise to the FBI’s future. At the same time, he wasn’t going to overhaul the bureau and alienate the powerful old guard to please a group of short-timers.

“Look, I know we’ve got a problem with leadership here,” Comey told the cyber agents as they studied the whiteboard, according to agents who were there. “I want to fix it, but I don’t have enough time to fix it. I’m only here for a limited amount of time; it’s going to take another generation to fix some of these cultural issues.” But the agents knew the FBI couldn’t afford to wait another generation to confront escalating cyberthreats like ransomware. Ransomware is the unholy marriage of hacking and cryptography. Typically, the attackers capitalize on a cybersecurity flaw or get an unsuspecting person to open an attachment or click a link. Once inside a computer system, ransomware encrypts the files, rendering them inaccessible without the right decryption key — the string of characters that can unlock the information — for which a ransom is demanded.

Although attacks were becoming more sophisticated, bureau officials told counterparts in the Department of Homeland Security and elsewhere in the federal government that ransomware wasn’t a priority because both the damages and the chances of catching suspects were too small. Instead of aggressively mobilizing against the threat, the FBI took the lead in compiling a “best practices” document that warned the public about ransomware, urged prevention and discouraged payments to hackers. Through an intermediary, Comey, fired from his FBI position by then-President Donald Trump in 2017, declined to comment on the meeting. The FBI acknowledged but did not respond to written questions.

To FBI leadership, ransomware was an “ankle-biter crime,” said an agent who attended the meeting with Comey.

“They viewed it as a Geek Squad thing, and therefore they viewed it as not important,” he said.

Many of the issues the FBI cyber agents raised during their meeting with Comey were nothing new. In fact, the bureau’s inertia in tackling cybercrime dated all the way back to a case involving the first documented state-sponsored computer intrusion.

In 1986, Cliff Stoll was working as a systems administrator at the Lawrence Berkeley National Laboratory when his boss asked him to resolve a 75-cent shortfall in the accounting system the lab used for charging for computing power. Stoll traced the error to an unauthorized user and ultimately unraveled a sprawling intrusion into computer systems of the U.S. government and military. Eventually, the trail led to German hackers paid by the Soviet Union’s intelligence service, the KGB. Stoll immortalized his crusade in the 1989 book “The Cuckoo’s Egg.” In the course of his investigation, he tried seven times to get the attention of the FBI but was rebuffed each time.

“Look, kid, did you lose more than a half million dollars?” the FBI asked him.

“Uh, no,” Stoll replied.

“Any classified information?”

“Uh, no.”

“Then go away, kid.”

Stoll later spoke with an Air Force investigator who summed up the FBI’s position: “Computer crimes aren’t easy — not like kidnapping or bank robbery, where there’s witnesses and obvious losses. Don’t blame them for shying away from a tough case with no clear solution.”Cliff Stoll in 1989. (Photo credit: Ira Wyman/Getty Images)

It wasn’t until almost a decade later that the federal government took its first significant step to organize against cyberthreats. After the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the Clinton administration called together a dozen officials from across the government to assess the vulnerability of the nation’s critical infrastructure. Since essential services such as health care and banking were moving online, the committee quickly turned its attention from physical threats, like Timothy McVeigh’s infamous Ryder truck, to computer-based ones.

The group helped establish what became known as the National Infrastructure Protection Center in 1998. With representatives from the FBI, the Secret Service, intelligence agencies and other federal departments, the NIPC was tasked with preventing and investigating computer intrusions. The FBI was selected to oversee the NIPC because it had the broadest legal authority to investigate crime.

Turf battles broke out immediately. The National Security Agency and the Pentagon were indignant about reporting to the FBI about sophisticated computer crimes that they believed the bureau was incapable of handling, said Michael Vatis, then a deputy U.S. attorney general who led the effort to launch the center.

“They said: ‘Oh, no, no, no. It can’t be the FBI,’” Vatis recalled. “‘All they know how to do is surround a crime scene with yellow tape and take down bad guys. And they’re notorious for not sharing information.’”

Meanwhile, infighting over resources roiled the FBI. “You had a lot of old-line people arguing about whether cybercrime was real and serious,” Vatis said. “People who came up through organized crime, or Russian counterintelligence. They were like: ‘This is just a nuisance from teenagers. It’s not real.’”

At the time, only a couple of dozen FBI agents had any experience or interest in investigating computer crime. There weren’t nearly enough tech-literate agents to fill the scores of new job openings in the NIPC. Needing warm bodies, the FBI summoned volunteers from within its ranks, regardless of background. Among them was the New Orleans-based agent Stacy Arruda. During her first squad meeting in 1999, as her supervisor talked about “Unix this, and Linux that,” she realized she was in over her head.

“Arruda, do you have any idea what I’m talking about?” the supervisor asked her.

“Nope.”

“Why are you nodding and smiling?”

“I don’t want to look stupid.”

It was an easy admission because most of the new NIPC agents were similarly uninformed about the world they would be investigating.

When the bureau ran out of volunteers to join the NIPC, agents were “volun-told” to join, Arruda said. That’s what happened to Scott Augenbaum. He said he was assigned to the NIPC because he was the only agent in his Syracuse, New York, office “who had any bit of a technology background,” meaning he “could take a laptop connected to a telephone jack and get online.” He was disappointed by the assignment because it was “not the cool and fun and sexy job to have within the FBI.” His friends in the bureau teased him. “They told me, ‘This cyber thing is going to hurt your career.’”

Following the Sept. 11, 2001, terrorist attacks, FBI Director Robert Mueller created the bureau’s Cyber Division to fight computer-based crime. The division took over the NIPC’s investigative work, while prevention efforts moved to the Department of Homeland Security, which was established in November 2002. The DHS, however, put the computer crime prevention mission on hold for years as it focused instead on deterring physical attacks.

To ramp up the new division, the FBI put a cyber squad in each field office and launched a training program to help existing agents switch tracks. It also benefited from the “patriot effect,” as talented computer experts who felt a call to service applied. Among them were Milan Patel and Anthony Ferrante, two of the agents who would attend the meeting with Comey.

Fresh out of college, Ferrante was working as a consultant at Ernst & Young on 9/11. From his office in a Midtown skyscraper, he watched the towers fall. In the days that followed, he resolved to use his computer skills to fight terrorism. While pursuing a master’s degree in computer science at Fordham University, he met with an FBI recruiter who was trying to hire digital experts for the new Cyber Division. The recruiter asked Ferrante what languages he knew.

“HTML, JavaScript, C++, Business Basic,” he answered.

“What are those?” the perplexed recruiter responded. “I mean, Russian, Spanish, French.”

It wouldn’t be the last time Ferrante felt misunderstood by the bureau. When he arrived at Quantico in 2004, he found himself in a firearms class of about 40 new agents-in-training. There, the instructor asked: “Who here has never shot a gun?”

With his gaze cast downward as he concentrated on taking notes, Ferrante raised his hand. The room became silent. He looked around and saw he was the only one. Everyone stared.

“What’s your background?” the instructor asked.

“I’m a computer hacker,” Ferrante said.

On a campus that recruits jokingly referred to as “college with guns,” his answer was not well received. The instructor shook his head, rolled his eyes and moved on.

Patel arrived at the FBI Academy in 2003 with a college degree in computer science from the New Jersey Institute of Technology. From Quantico, he was assigned to a cyber squad in New York, where his new boss didn’t quite know what to do with him. The supervisor handed him a beeper, a Rand McNally map and the keys to a 1993 Ford Aerostar van that “looked like it was bombed out in Baghdad,” Patel said. Another agent set him up with a computer running a long-outdated version of Windows.

“Oh my God, this is like the Stone Age,” he thought. As time went on, Patel discovered how cumbersome it was to brief supervisors about cyber cases. Since many of them knew little about computers, he had to write reports that he considered “borderline childish.”

“You had to try to relate computers to cars,” he said. “You’re speaking a foreign language to them, yet they’re in charge, making decisions over the health of what you do.”

Patel realized that most of his Cyber Division colleagues, like Arruda and Augenbaum, didn’t have a technical background. The bureau tried to turn traditional law enforcement officers into tech specialists while passing over computer scientists who could not meet its qualifications to become agents. “Is the person who can do 15 pull-ups and run 2 miles around the track in under 16 minutes the same guy that you want decrypting ransomware?” Patel said. “Typically people who write code and enjoy the passion of figuring out malware, they’re not in a gym cranking out squats.”

Some agents ended up in the Cyber Division because it had openings when they graduated from Quantico, or because it was a stop on the way to a promotion. In a popular move, many senior agents and supervisors pursued a final assignment in the division before becoming eligible for retirement at age 50, knowing it made them more attractive to private-sector employers for their post-FBI careers.

“On a bureau cyber squad, you typically have one or two people, if you’re lucky, who can decrypt and do network traffic analysis and programming and the really hard work,” Patel said. “And you’ve got two or three people who know how to investigate cybercrime and have a computer science degree. And the rest — half of the team — are in the cyber program, but they don’t really know anything about cyber.” Some of those agents made successful cases anyway, but they were the exception.

Despite the internal headwinds, Patel worked on some of the bureau’s marquee cybercrime cases. He led the investigation into Silk Road, the black-market bazaar where illegal goods and services were anonymously bought and sold. As part of a sprawling investigation into the dark web marketplace, law enforcement located six of Silk Road’s servers scattered across the globe and compromised the site before shutting it down in October 2013. Ross Ulbricht, of San Francisco, was later found guilty on narcotics and hacking charges for his role in creating and operating the site. He is serving two life sentences plus 40 years in prison. Patel was nominated for the FBI Director’s Award for Investigative Excellence; he became a Cyber Division unit chief, advising on technology strategy. Then, shortly after the Dirty Dozen meeting with Comey, he left the FBI for a higher-paying job in the private sector.

Ferrante was selected for the FBI’s Cyber Action Team, which deployed in response to the most critical cyber incidents globally. As a supervisory special agent, he became chief of staff of the FBI’s Cyber Division. After the meeting with Comey, Ferrante remained in the FBI for another two years. He left in 2017 to become global head of cybersecurity for FTI Consulting, where he worked with companies victimized by ransomware.

He kept tabs on the bureau’s public actions in fighting the crime. Despite occasional successes, he said in 2021 that he was disappointed by the small number of ransomware-related indictments in the years that followed Comey’s 2015 gathering.

“They would work cases, but those cases would just spin, spin, spin,” Ferrante said. “No, they’re not taking it seriously, so of course it’s out of control now because it’s gone unchecked for so many years. … Nobody understood it — nobody within the FBI, and nobody within the Department of Justice. Because they didn’t understand it, they didn’t put proper resources behind it. And because they didn’t put proper resources behind it, the cases that were worked never got any legs or never got the attention they deserved.”Photo credit: Yuri Gripas/AFP via Getty Images

By 2012, FBI leadership recognized that most crimes involved some technical element: the use of email or cellphones, for example. So that year, it began to prioritize hiring non-agent computer scientists to help on cases. These civilian cyber experts, who worked in field offices around the country, did not carry weapons and were not required to pass regular physical fitness tests. But respect for the non-gun-carrying technical experts was lacking. This widespread condescension was reflected in a nickname that Stacy Arruda, the early NIPC agent who went on to a career as a supervisor in the Cyber Division, had for them: dolphins.

“Someone who is highly intelligent and can’t communicate with humans,” said Arruda, who retired from the FBI in 2018. “When we would travel, we would bring our dolphins with us. And when the other party started squeaking, we would have our dolphins squeak right back at them.”

If agents like Patel and Ferrante had a hard time winning the institutional respect of the FBI, it seemed almost impossible for the dolphins to do so. They worked on technical aspects of all types of cases, not just cyber ones. Yet, despite the critical role they played in investigating cyber cases — sometimes as the sole person in a field office who understood the technical underpinnings of a case — these civilian computer scientists were often regarded as agents’ support staff and treated as second-class citizens.

Randy Pargman took a circuitous route to becoming the Seattle field office’s dolphin. As a kid in California, Pargman regularly hung out with his grandma, who was interested in technology. She bought magazines that contained basic code and helped Pargman copy it onto their Atari video game console. It was his introduction to computer programming. Later, as a teenager, Pargman was drawn to a booth of ham radio enthusiasts at a county fair and soon began saving up to buy his own $300 radio. It was the early 1990s, before most home users were online, so Pargman was thrilled when he used the radio to access pages from a library in Japan and send primitive emails.

After high school, Pargman put his radio skills to work when he became a Washington State Patrol dispatcher. Although it wasn’t a part of the job description, he created one computer program to improve the dispatch system’s efficiency and another to automate the state’s process for investigating fraud in vehicle registrations. The experience led him to study computer science at Mississippi State. In the summer of 2000, while still in college, Pargman completed an FBI internship, an experience that left him with a deep appreciation for the bureau’s mission. So, following brief stints working for the Department of Defense and as a private sector software engineer once he graduated, he applied to become an agent. He was hired in 2004, around the same time as Patel and Ferrante.

Like those two agents, Pargman was shocked by the digital Stone Age he found himself in upon arriving. At the FBI Academy, a computer instructor gave lessons on typing interviews and reports on WordPerfect, the word processing platform whose popularity had peaked in the late 1980s. To Pargman, even more outrageous than the FBI’s use of WordPerfect was the notion that agents would need instruction on such a basic program. The first week of class, the instructor delivered another surprise.

“OK, who are the IT nerds in here?” he asked.

After Pargman and a classmate raised their hands, the instructor addressed them directly.

“You’re not going to be working on cybercrimes. You’re going to be working on whatever the bureau needs you to do.”

The other tech-savvy recruit later confided to Pargman that he was dropping out of the FBI Academy to return to private industry. “This is not what I thought it was going to be,” he said.

Pargman was similarly torn. He believed in the FBI’s mission but wanted to work solely on cybercrime. Like Ferrante, he didn’t have experience with guns, and he was unsure about how he would handle that aspect of the job. He faced a reckoning when an FBI speaker led a sobering session about the toughest aspects of working for the bureau, from deadly force scenarios to the higher-than-average rates of suicide and divorce among agents.

After consulting with FBI counselors and a bureau chaplain, Pargman decided he didn’t want to become an agent. Instead, he stayed in the FBI as a civilian, working as a software developer at the FBI Academy. Eight years later, when the FBI launched the computer science track, Pargman eagerly applied. He became the Seattle field office’s dedicated computer scientist in October 2012.

“This is why I had gotten into the FBI to begin with,” Pargman said. “I can concentrate just on cybercrime investigations and not have to deal with the whole badge and gun.”

Once Pargman got to Seattle, he began to dream big. His vision: The FBI could model its Cyber Division after one of the world’s most successful computer crime-fighting law enforcement organizations, the Dutch High Tech Crime Unit. He knew how traditional and hidebound the bureau was, how different from the HTCU and its innovative culture. But, ever idealistic, he hoped that the HTCU’s remarkable track record would persuade the FBI to adopt elements of the Dutch approach.

Pargman had long been familiar with the HTCU’s reputation for arresting hackers and disrupting their infrastructure. When he met a Dutch officer through an FBI program for midcareer professionals, he asked her the secret to the HTCU’s success. Her response was straightforward: the HTCU was effective because it paired each traditional police officer with a computer scientist, partnerships that had been a founding priority of the unit. While the HTCU computer scientists weren’t required to pass police exams, meet physical fitness requirements, or handle weapons, they nonetheless were entitled to the same rank and promotions as their traditional counterparts. They also were not obligated to pivot to noncomputer work during their police careers.

The density of computer science experts in the HTCU astounded Pargman, who thought it was brilliant. He suggested the Dutch approach to managers in the FBI’s Operational Technology Division, which oversaw the new computer science track. They laughed.

“We can’t get funding for that many computer scientists,” one contact told him. “That would be crazy.”

Pargman acknowledged that, since the FBI’s Cyber Division was much larger than the Dutch Police’s HTCU, establishing a one-to-one partnership was a stretch. Yet the FBI’s setup all but ensured that its drastically outnumbered computer scientists would not find a collective voice, as the tech experts had done in the HTCU. As Pargman dug into cyber investigations in Seattle, he learned that the bureau’s staffing imbalance was straining its cyber experts, both civilian computer scientists and technically advanced agents like Patel and Ferrante.

Many of the cyber agents Pargman worked with in Seattle had prior careers as accountants, attorneys or police officers. To get acquainted with the digital world, they took crash courses offered by the SANS Institute, the bureau’s contractor for cybersecurity training; popular offerings included Introduction to Cyber Security and Security Essentials Bootcamp. From an institutional perspective, learning on the job to investigate computer crime was no different from learning on the job to investigate white-collar or gang crime. But FBI leadership didn’t take into account something that early leaders in the Dutch HTCU knew from the unit’s start: It’s not easy to teach advanced computer skills to someone who has no technical background.

Cyber agents routinely came to Pargman with basic tasks such as analyzing email headers, the technical details stored within messages that can contain helpful clues.

“This is easy, you need to learn how to do this,” Pargman told one agent. He produced the IP address from the headers.

“What does that mean?” the agent responded. “What is this IP address?”

Pargman had to make the time to help because, if he didn’t, the agent might do something embarrassing, like attempt to subpoena publicly available information “because they just didn’t know any better.”

In the FBI, investigations into specific ransomware strains were organized by field office. For example, Springfield, Illinois, investigated complaints involving a strain called Rapid, while Anchorage, Alaska, investigated those related to Russia-based Ryuk, one of the first ransomware gangs to routinely demand six-figure payments and to carefully select and research its targets. From time to time, Pargman learned of victim complaints to the Seattle office about emerging ransomware strains. Since cases weren’t assigned directly to computer scientists, he pushed the agents to take them on. “Oh boy, here’s one that nobody is working,” he told one colleague.

“Let’s jump on this.”

“That sounds amazing,” the agent responded. “But I’ll be so busy with that case that I won’t get to do anything else.”

In the early days of ransomware, when hackers demanded no more than a few hundred dollars, the FBI was uninterested because the damages were small — not unlike Cliff Stoll’s dilemma at Berkeley. Later, once losses grew to hundreds of thousands or even millions of dollars, agents had other reasons to want to avoid investigating ransomware. In the FBI, prestige springs from being a successful “trial agent,” working on cases that result in indictments and convictions that make the news. But ransomware cases, even with the enthusiastic support of a computer scientist like Pargman, were long and complex, with a low likelihood of arrest.

The fact that most ransomware hackers were outside the United States made the investigative process challenging from the start. To collect evidence from abroad, agents needed to coordinate with federal prosecutors, FBI legal attachés and international law enforcement agencies through the Mutual Legal Assistance Treaty process. Seemingly straightforward tasks, such as obtaining an image of a suspicious server, could take months. And if the server was in a hostile country such as Iran or North Korea, the agents were out of luck. Aware of this international labyrinth, even some federal prosecutors discouraged agents from pursuing complex cyber investigations.

During Pargman’s time as Seattle’s computer scientist, the field office took on a number of technically sophisticated cases. He was especially proud of one that led to the Justice Department’s indictment, unsealed in 2018, of hackers accused in the notorious Fin7 attacks. They breached more than 100 U.S. companies and led to the theft of more than 15 million customer credit card records. But during his seven years in Seattle, the office never got a handle on ransomware.

“If you spend all of your time chasing ransomware, and for years you never make a single arrest of anybody, you’re seen as a failure,” Pargman said. “Even if you’re doing a ton of good in the world, like sharing information and helping protect people, you’re still a failure as an investigator because you haven’t arrested anybody.” Despite its own inaction, the FBI feuded with the other federal agency responsible for investigating ransomware: the Secret Service. Although the Secret Service has been guarding presidents since 1894, its lesser-known mission of combating financial crimes dates back even longer — to the day in April 1865 that Abraham Lincoln was assassinated. Before heading to Ford’s Theatre, Lincoln signed legislation creating the agency and giving it the mandate to fight counterfeit currency. As financial crime evolved and moved online, the Secret Service and the FBI squabbled over cases. Although it, too, had a federal mandate to fight computer crime, the Secret Service was sometimes bigfooted by the FBI, said Mark Grantz, who was a supervisory special agent for the Secret Service in Washington.

“They’d say: ‘Yeah, we’ve got a case on that already. We were looking at him five years ago. Give us everything you’ve got and we’ll go from there.’ That was their M.O.,” Grantz said. It left him wondering: “You haven’t touched that case in five years, why are you asking me for my case file?”

Grantz led an investigation into a ransomware attack in January 2017, eight days before Donald Trump’s inauguration. The strike disabled computers linked to 126 street cameras in a video surveillance system monitoring public spaces across Washington, D.C., including along the presidential parade route. Instead of paying the five-figure ransom, the district scrambled to wipe and restart the cameras, which were back online three days before the swearing-in. Assisted by other law enforcement organizations, the Secret Service traced the hack to two Romanians, who were arrested in Europe, extradited to the United States and found guilty on wire fraud charges — an uncommon U.S. law enforcement success against ransomware operators.

Other Secret Service investigations sometimes stalled because agents had to rotate away for protective detail. “That’s where it gets frustrating,” Grantz said. “You’d train someone. They’d do digital forensics for five years. They’d get really good at it. And then you’d send them off to do presidential detail.”

Randy Pargman also grew frustrated by the FBI’s reluctance to engage meaningfully with private-sector cybersecurity researchers like the Ransomware Hunting Team. An elite, invitation-only group of tech wizards in seven countries, the team has uncovered keys to hundreds of ransomware strains, saving millions of individuals, businesses, schools and other victims from paying billions of dollars in ransom. When the FBI did connect with experts in the private sector, sensitive information typically flowed only in one direction — to the bureau.

Following large cyberattacks against U.S. targets, the FBI routinely affirmed its commitment to public-private partnerships to help prevent and gather intelligence on such strikes. But some agents believed the rhetoric was hollow, comparing it to public officials’ offering “thoughts and prayers” after mass shootings. The reality was that many people in the FBI had a deep distrust of private-sector researchers.

“There’s this feeling among most agents that if they share even a little bit of information with somebody in the private sector, that information will get out, broadcast over the internet — and the bad guys will definitely read it, and it will destroy the whole case,” Pargman said.

Even though he couldn’t work on ransomware cases, Pargman found ways to feel fulfilled in his job, including by helping organizations defend themselves against impending cyber intrusions. He examined malware command-and-control servers obtained through the MLAT process, then alerted potential victims to imminent attacks. “That was a really good feeling because we stopped a ton of those intrusions,” he said. FBI leadership rewarded his efforts: Pargman earned both the FBI Director’s Award for Excellence in Technical Advancement and the FBI Medal of Excellence.

But he grew tired of his subordinate role as an “agent helper,” and he thought about how things would be different if the FBI were more like the Dutch HTCU. In the bureau, he couldn’t be promoted since Cyber Division leadership roles were open only to agents. And while agents could retire at 50 with full pensions, he had to wait until age 62, and would receive less money. In 2019, Pargman resigned from the FBI, telling his supervisor he wanted to be in a role where he could enact changes rather than just suggest them.

“I love working for the FBI,” he told his supervisor. “It’s very meaningful and fulfilling. But there is no leadership spot for me to go to, only because I’m not an agent. So you cannot be upset that I’m going to get a job where I can be a leader, and make changes, and create a team to do big things.”

When it came to ransomware, the FBI didn’t have a lengthy roster of achievements to boast about. It would not be until after the May 2021 attack on the Colonial Pipeline, which shuttered gas stations across the Southeast, that the FBI would prioritize the ransomware threat and embrace assistance from private researchers like the Ransomware Hunting Team. But even with its new emphasis on ransomware, the FBI didn’t undertake fundamental reforms to expand its roster of cyber experts. It still wanted its cyber agents to be athletic college graduates with relevant job experience, who also had to be willing to shoot a gun, relocate their families and pivot away from investigating cybercrime as needed.

The bureau’s reluctance to adapt disappointed some former agents. “I think the next generation of cyber people in the bureau should be the type of people who want to be cyber first, and not agents at all,” said Patel, one of the agents who attended the 2015 meeting with Comey. “The bureau needs expertly trained technical programmers, cybersecurity engineers, that know how to write code, compile, dissect and investigate — and it has nothing to do with carrying a gun.”

No comments: