“It was during our work in this case that I saw the impressive power of likeminded individuals from public and private entities around the globe, coming together to combat these threats,” said the former special agent.
Shortly after that, in 2007, he was meeting with his Fordham mentor Professor Frank Hsu, Ph.D., Clavius Distinguished Professor of Science, and they started discussing ways to bring government, the private sector, and academia together.
“We devised a crazy idea to plan an international cybersecurity conference, a conference that would bring together the world’s best in the industry to talk about how we can all work together to combat the ever-evolving cyber threats we face every single day,” he said.
Two years later, in 2009, Ferrante and Hsu helped launch the first ICCS at Fordham.
At this year’s ICCS, Ferrante, who is now the global head of cybersecurity for FTI Consulting, introduced Bryan Vorndran, assistant director of the FBI’s Cyber Division, as part of a session titled “The Morning Intelligence Briefing,” where Vorndran emphasized the importance of those partnerships to the FBI.
“We don’t do anything alone,” he said. “Any success you hear about in terms of U.S. government disruptions, international disruptions, are done as part of a partnership. That includes private sector as well.”
Vorndran highlighted two recent FBI cases that involved significant partnerships from not only government agencies but also the private sector.
The first was “Operation Shell Sweep” in 2021, in which the FBI went into computers that were using Microsoft Exchange servers and had been hacked by a group called Hafnium. The hack affected tens of thousands of users. The computers had web shells—or pieces of code that allow for remote administration—installed by the hackers. The web shells “left open” a backdoor that gave the hackers access. But, Vorndran said, the FBI used those same shells to remove the malicious code.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” an FBI release on the operation read.
Microsoft became aware of the hack in March 2021, and the FBI said in a statement that “Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident.” Vorndran said that the partnership between the FBI and Microsoft helped address about 93% of the impacted devices, and then the FBI worked to remove the malicious code from the remaining 7%.
The second was “Cyclops Blink,” where the FBI disrupted a Russian botnet that was infecting devices running WatchGuard and other software. The FBI partnered with WatchGuard, which helped release detection and remediation tools the day the advisory about the botnet went out.
“Our purpose is simply this: to utilize our unique authorities—either unilaterally or with a partner—to impose maximum costs on our adversaries,” he said, noting that could mean an arrest or seizure of assets.
Vorndran highlighted the partnerships that occurred in both of these cases because initially, he said, Microsoft and WatchGuard “could not see the devices or software where there was a vulnerability at a tactical level. It took additional intelligence—in the Hafnium matter from a third party private sector—and it took FBI intelligence to inform the exact laser focus of where we needed to be.”
Partnering into the Future
Both Ferrante and Vorndran emphasized the need for partnerships as threats continue to evolve.
Vorndran said that he’s worried about the “increased precision of the adversary.” He gave the example of all of the commercial real estate companies in the U.S. using the same software. If that software is attacked, it could mean real issues for that industry.
“If they’re that precise on targeting, it could shut down the entire commercial real estate industry,” he said. “That is a huge problem for us.”
Vorndran said that they’re also paying “a lot of attention to synthetic content” or what some call “deep fakes,” which he said could have a tremendous influence on our democracy.
“There’s obviously tremendous downstream effects of deep fakes and synthetic content,” he said.
Vorndran gave the example of a recording played in court, with the attorney arguing that it is not his client on tape, but a fake. The question becomes “how do we authenticate that?” he said.
Vorndran said that they’re “putting a lot of attention into that within the community and that’s something that’s very important for us to get right.”
Having the partnerships between the public and private sector in place ahead of these attacks can help address these future problems, Ferrante said. He noted that “many conversations taking place this week will enhance all our efforts to combat these threats.”
“There are numerous challenges on the horizon, and cybersecurity issues will remain ever present,” he said. “The threat landscape is constantly evolving. A forward-thinking approach is required to keep pace.”