Describing cyber threats as one of its primary challenges, the Federal Bureau of Investigation (FBI) is asking for an additional $64 million in 2024 to add 192 new positions and improve its cyber capabilities. Much of the budget request focuses on the looming threat that China poses.
The FBI budget request would be a little over $90 million in total, as the agency is also seeking a separate $27.2 million for its own internal cyber defenses.
Budget request focuses on increasing threat from China
China was a central theme of the budget request, as the FBI painted itself as a vital firewall between highly skilled state-backed hackers and the nation. FBI Director Christopher Wray noted that, as a whole, the agency’s entire cyber staff is outnumbered by Chinese hackers by “at least” 50 to 1.
The budget request covered numerous other expected topics, but a definite focus was put on cyber threats. The total request is about $11.4 billion, with the cyber defense requests representing most of what is a relatively small increase from the present budget. If it is approved the agency would add 31 new special agents and eight intelligence analysts tasked with cyber issues, in addition to 153 general support staff and four new positions in internal network defense.
Though China was the primary focus, Wray spoke of other serious cyber threats including some 100 strains of ransomware the agency is tracking and the brisk trade in stolen personal information among dark web marketplaces. The agency played an instrumental role in taking down one of the largest of these marketplaces, Genesis, in early April.
One of the themes of the budget request was that lines between cyber crime and state-backed hacking are increasingly blurring, something perhaps best illustrated by North Korea’s crpyto-focused “advanced persistent threat” (APT) teams. At least one of China’s APT groups also dabbles in crime for personal profit, and some APT groups are increasing their use of cyber criminal contractors and temporary partners.
The budget request also notes the increasing willingness of cyber criminal groups to do real-world damage in pursuit of ransoms, something that was heralded by the Colonial Pipeline and JBS attacks of 2021. One of the emerging targets for cyber threats is the national network of health care facilities, as ransomware groups are now showing little reluctance to potentially caused death by shutting down equipment, or to embarrass patients with the release of private health information and treatment photos.
Melissa Bischoping, Director of Endpoint Security Research at Tanium, expands on this new mission for the FBI and why its budget requests are likely seen as a good investment: “As noted across several panels at RSA Conference 2023, the FBI’s focus on disrupting cybercrime at any step in the process is a shift from the traditional law enforcement goal of indictments and arrests. The financial investment by the FBI will hopefully result in additional human and technology support to disrupt cybercrime operations and infrastructure earlier than before, which may help prevent attacks. In just the last few months, we’ve learned that the FBI was key to disrupting the Hive ransomware group, which resulted in recovery of decryption keys and saved victims literally millions of dollars. Over time, we hope that these proactive and disruptive campaigns will serve as a deterrence for some criminals. So, what role can enterprises play in helping law enforcement take down dangerous threat actors? Contact the FBI or other relevant law enforcement agencies as soon as you identify compromise to identify any available resources and aid law enforcement in collecting valuable information about ongoing criminal campaigns.”
The FBI’s expanded role in disrupting cyber threats
While the FBI is first and foremost a domestic law enforcement agency, it has gradually been playing an expanding role in actions against foreign threat groups. A recent example is the campaign against the Hive ransomware outfit, in which FBI personnel penetrated the group’s internal network and obtained decryption keys.
This cyber threat line is blurring given that the damage done in the US generally originates from countries that hackers are relatively safe from legal consequences in, such as Russia and China. State-backed Chinese hackers have even gone so far as to compromise domestic companies, such as Tencent, as a means of spying on foreign NGOs and other civilian targets. And while “troll farms” dedicated to spreading disinformation are generally thought of as the province of Russia, China has established them on US soil. At least one, located in Manhattan’s Chinatown, shared space with an unofficial “police station” of the country run by Ministry of Public Security officers.
About 30 known APT groups have been attributed to China to date, and there are several more that are suspected to be affiliated with the country as well. China fields enough of these cyber threats that they can specialize in particular regions or missions, such as espionage directed primarily at US organizations or intelligence or disinformation operations focused on Taiwan. Some of these groups have also deployed numerous zero-days over the course of their existence, indicating that the Chinese government puts substantial resources into either developing them or being the first and highest bidder when they hit the black market.
Advanced state-backed hacking teams remain mostly a concern for government bodies and large organizations that have espionage-worthy confidential information, but the FBI also deals with the plethora of threats to the average US citizen. While ransomware is showing some signs of being on the wane, it remains a common form of cyber crime and there are indications that attackers are growing interested in smaller targets. Assorted scams and business email compromise also remain major issues, and the assistance that developing AI tools will provide in these efforts may spawn a renaissance period for criminals.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, notes that good publicity for the FBI’s cyber efforts will likely result in better overall security through willing private sector cooperation: “Without having a deeper view into the FBI’s inner workings, it’s hard to say what spurred them into taking a more active role in pursuing cybercriminal actors. But the fact is that the FBI is considered one of the finest law enforcement agencies in the world, and they should be taking a leading role in dealing with cybercrime. It’s difficult to say exactly how much of an impact the FBI’s activities have had on cybercriminal groups and other threat actors. There are some aspects of their activity, especially in counterespionage, that simply isn’t revealed to the public. It’s likely there is a mix of both here – we hear a bit of exaggeration in the victories they do talk about, while hearing nothing at all about the more sensitive operations thwarting nation-state threats. While government organizations have some requirements to cooperate with the FBI and report incidents, many private sector organizations are reluctant to publicize attacks whether they are successful or not. There is a desire to save face, but that comes at the price of “the FBI can’t help you if they don’t know it happened.” There are the very real business concerns that come from admitting an attack, but more transparency, rather than less, should be the order of the day.”