FBI awaits signal that Salt Typhoon is fully excised from telecom firms, official says


SAN FRANCISCO — As hackers affiliated with the Chinese government continue to take a more aggressive stance, federal agencies and their private sector partners are turning to each other to shore up critical cyber vulnerabilities through improved relationships.

FBI Deputy Assistant Director for Cyber Operations Brett Leatherman sat down with Nextgov/FCW on the sidelines of the RSAC Conference in San Francisco, California, to discuss Chinese hacking threats and the bureau’s ongoing cyber work.

This interview has been edited for length and clarity.

Nextgov/FCW: What brings you and your FBI colleagues out to RSAC Conference this year?

Brett Leatherman: The conference itself focuses on partnerships. I’ve been with the FBI for 21 years now. I’ve worked counterterrorism, criminal investigations — there’s no discipline that requires the public-private relationships as much as cyber. The cyber discipline doesn’t have the visibility that the private sector has, and, conversely, they don’t have the visibility that we have. And so putting the puzzle pieces together is incredibly important.

Nextgov/FCW: How is the mood this year, given changes in your agency, as well as other aspects of the U.S. intelligence community and CISA, as it relates to these engagements?

Leatherman: I talk to the partners, and the partners still have the trusted relationships. The unique thing about us that the other agencies don’t have is we have 55 field offices, so we have a forward-deployed workforce throughout the country. That hasn’t changed, like, the trust is still there. We still have folks who are experts in the field, who continue to work with threat, both the nation-state and the criminal threat. And I think folks recognize the priority that we place on victims and that there’s a value proposition when you are a victim and you have somebody coming to you to say, “we have expertise and we want to help.”

Nextgov/FCW: Let’s talk about Salt Typhoon. Industry representatives say that the Chinese hacking unit — which accessed troves of telecom systems — has been cleared out and their networks secured. When I speak to people with knowledge of ongoing U.S. investigations into the hacks, they aren’t convinced. Someone here must be wrong.

Leatherman: I think there’s some flexibility because every victim is different. We have multiple victims within the telecommunications sector who’ve been impacted by the Salt Typhoon activity. And so every one of those victims is doing their own incident response, along with their third-party incident response. Each of them is doing an assessment as to what the state of impact is in their infrastructure. I would say, right now, there’s a lot of work focused on containment.

By and large, I don’t know that we’ve gotten the signal that the actors have been fully eradicated from some of the environments. The telcos who believe they’ve been contained are looking for the actors to resurface in the event they’re still there. And they’re still conducting an investigation to determine if the actor set up persistent points of ingress into those networks. Meaning, if we plugged the original hole to get in, did they establish different areas? An actor like China is known for this.

So, it’s probably somewhere in the middle. But I think we’re operating from the framework right now that the actors are largely contained, but we’re waiting on the providers themselves to tell us whether they’re fully eradicated.

Nextgov/FCW: In December, we reported that hundreds of organizations — both telecoms and other industries — were notified of potential compromise by Salt Typhoon. How far did the hackers truly go?

Leatherman: We never rule out collateral industries that could be impacted, but our primary visibility has been directed at the activity directed at telecommunications providers as it relates to Salt Typhoon in the fall of 2024. The impact has been in the telecommunications core itself. They were able to access the [Communications Assistance for Law Enforcement Act] environments with some providers. And then it’s been in kind of extraneous areas where they maintain configuration files and whatnot, so that there’s different environments within the telco systems that are impacted. Each victim is impacted to a different degree by the actors based on their topology and just how they operate.

Nextgov/FCW: Any indications that the threat actor went beyond CALEA to other components underpinned by the Foreign Intelligence Surveillance Act, like systems used for warrantless collection under Section 702? [Editor’s Note: CALEA — used mainly to wiretap targets inside U.S. borders — can be used under Title I of FISA, and requires law enforcement analysts to obtain a warrant for telecom firms to hand over a person’s phone metadata].

Leatherman: I can’t comment on that, but I can say, in some cases, the CALEA environments encompass both national security and law enforcement processes. So again, depending on the provider, we continue to take a look at that, but can’t really go further than that.

Nextgov/FCW: What about Volt Typhoon, the Chinese hackers that have burrowed into troves of civilian critical infrastructure? Have we been able to measure their impact or reach?

Leatherman: I think if you look at last year, early last year, when we conducted the technical operation against Volt Typhoon where we removed their access to a bunch of vulnerable devices, we saw a significant decrease in their access to infecting devices. Now, over time, they have been able to exploit additional devices but have not fully reconstituted. And so we’re constantly measuring where they are at, as far as, reaching a critical mass of having some sort of ability to have an effect on our critical infrastructure. They remain active. Not nearly as active as they were prior to our technical operation last year.

Nextgov/FCW: The Wall Street Journal recently reported that China, in a secret meeting with U.S. officials, tacitly acknowledged they hacked into U.S. critical infrastructure. In public engagements with the press, Beijing always denies their hacking activity. Has the FBI considered ways to more diplomatically engage China and tell them to stop their pursuits?

Leatherman: We inform the White House and the administration, so they understand the threat environment, and from both a policy and a diplomacy standpoint, they can consume the intelligence that we provide … and then they can engage in diplomacy with foreign states, so we really rely on them to do that. But we also see that the technical operations we conduct and the enforcement operations we conduct cause the CCP to adapt or retreat. And those are important aspects for us because, even if they publicly deny it, the activity changes, decreases or goes away.

Nextgov/FCW: What’s keeping you up at night?

Leatherman: The [People’s Republic of China]. Their posture has changed over the last 18 months. They’ve taken a more aggressive stance. They’ve taken a stance that allows them to position onto critical infrastructure. To us that has real national security implications. I would also say that the continued onslaught of ransomware attacks against critical infrastructure … continues to keep us up at night.

Nextgov/FCW: Can I flip that on its head? What are you feeling better about?

Leatherman: I’m feeling better about resilience overall in private industry. We’re not there yet, but the relationships that we have built with the private sector … to move the needle when it comes to deterrence through defense. And then international partnerships continue to get closer and closer. We can’t do the number of effective operations that we do without our international partners. Cyber is border agnostic.
