Why the FBI’s cyber attachés are so valuable
On an average day, cybercriminals visiting the Darkode darkweb forum would expect to enter an underground, invitation-only digital marketplace to buy, sell, and trade malware, access to botnets, and stolen personal information. However, in July 2015, users were instead confronted with the emblems of the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ), and EUROPOL’s European Cyber Crime Center (EC3) instead of the Darkode homepage. A large, bold warning surrounded by the official seals of 17 additional international police departments prominently proclaimed, “This domain and website have been seized.” This was the culmination of a multi-year joint undercover operation by U.S. and international law enforcement from 20 countries who searched, charged, or arrested 70 of the forum’s members worldwide and indicted 12 individuals with computer fraud conspiracy.
This joint effort, known as Operation Shrouded Horizon, exemplifies the collaboration needed to counter the increasingly complex and diffuse challenges of cybercrime today. As part of its work, the Cyberspace Solarium Commission recognizes that international law enforcement organizations often face overwhelming challenges in operations that target illicit online activities. Collecting evidence is difficult because criminals use dark web forms with restricted memberships, anonymous personas, and obfuscation technologies — like VPN, Tor, and cryptocurrencies — in order to hide their identity. Meanwhile, getting multiple investigative organizations and the legal procedures that bind them to work together requires unprecedented collaboration. To keep pace with these evolving borderless and highly technical crimes in cyberspace, international law enforcement capacity must be improved.
For the United States, a cyber attaché being stationed with the host country’s counterparts provides quicker access to information that would otherwise be buried in a bureaucratic approval process. Dating back to 1940, the FBI began embedding special agents undercover as Legal Attachés (“legats”) in Central and South America to collect intelligence on the Axis powers and uncover spy networks. Since that time, these attachés have transitioned away from their spy origins to become official liaison officers within the country. The number of positions have grown to over 350 in 75 countries. And in 2011, in recognition of the need for subject matter expertise, the FBI began assigning cyber-knowledgeable Assistant Legal Attachés (“cyber ALATs”) to work with foreign partners to address the growing global threat. With 10 permanent cyber attachés currently assigned around the world, augmented by a few others in exploratory temporary duty locations, these FBI officials partner with host countries’ law enforcement agencies and officials, working hand-in-hand on complex cases.
Both the United States and host countries benefit greatly from this partnership. This close proximity also helps forge more meaningful relationships faster—which has practical implications for the FBI’s Cyber Division’s criminal and national security investigations, since time is often of the essence. Being able to share information quickly with the right person—and being able to trust the information will be handled appropriately—significantly strengthens the U.S.’s ability to combat both crime and national security threats. A law enforcement officer from a partner country said it best when interviewed as a part of the Commission’s work, observing that “[t]he [attaches] give us the opportunity to build really trusting relationships at an investigator level. You couldn’t get that across the Atlantic.”
The professional rapport between the attachés and their host’s counterparts, enables improved intelligence sharing, operational collaboration, and coordinated enforcement that ultimately helps to protect the U.S. beyond our physical borders. As countries devote varying amounts of focus and resources to cyberthreats, effective information sharing allows partners to concentrate on their country and region, while helping everyone involved develop a comprehensive picture of the overall threat landscape. Accordingly, these close relationships provide unique insight into foreign and domestic risks, helping U.S. analysts to prioritize or re-prioritize threats. With much of the information technology infrastructure around the globe owned by the private sector, these relationships are critical to cyber investigations. In turn, these engagements generate goodwill, crucial intelligence leads, and additional operational collaboration.
While the cyber attaché program offers clear advantages for the U.S., partner countries also benefit from the familiarity and direct access that attachés have with the U.S. government, including its judicial system, intelligence capability, and law enforcement resources. This background allows them to get to the correct points of contact in the U.S. federal, state, and local government, as well as the private sector, in a fraction of the time it would take foreign partners to make these connections themselves. Given the program’s footprint across Europe, this network can be especially helpful to countries with more limited cyber capacity.
Current cyber attachés are placed in a wide range of geographic locations, ranging from Ottawa to Canberra, and The Hague to Bucharest. The U.S.-UK relationship is particularly integrated and collaborative, with two attachés stationed in London. The London attaché program is in its third generation, with rotations lasting from two to three years. The fact that the UK has mirrored the relationship by embedding law enforcement staff in the Washington metropolitan area FBI offices is a testament to how much they want to lean into the relationship. As one UK law enforcement officer shared with the Commission, “imposing consequences is a really complicated, highly sequenced response. The UK couldn’t deliver that response in a strategically impactful way without the [attaché] program embedded in the UK system and knowing how the U.S. system worked.”
The investigations conducted by the program have yielded impressive results and imposed significant consequences in a number of high-profile cases. For example, in 2016 a four-year investigation culminated in disabling the Avalanche Network, an international criminal infrastructure platform used by cybercriminals to conduct phishing, send spam, find “money mules” and spread malware. To take down Avalanche, law enforcement agencies from around the globe worked in tandem to seize, sinkhole, and block an unprecedented 800,000 domains. Altogether, the effort involved more than 40 countries—including the German Prosecutor’s Office, local German police, the DOJ, the FBI Cyber Division, EUROPOL, India, Singapore, Taiwan, and Ukraine—and close coordination with numerous international private sector entities.
Attachés also played a critical role in the multinational investigation of Evil Corp, a Russian criminal group that used malware against financial institutions in over 40 countries that caused losses of over $100 million. The case was an unprecedented joint effort between the FBI, the UK National Crime Agency (NCA), and the UK National Cyber Security Centre spanning the course of several years. The investigations led not only to criminal indictments of two primary Evil Corp associates, but also to sanctions on 21 entities, blocking their access to property and finances in the United States, and a $5 million reward for information leading to the arrest or conviction of Evil Corp’s leader.
Given this impressive track record, the attaché program is punching well above its weight. For this reason, the Cyberspace Solarium Commission recommends adding twelve additional positions. With these additional positions, the program’s impact will improve our geographic reach and further enhance U.S. cyber collaboration with foreign partners. Strengthening the program helps ensure that the U.S. and our allies are positioned to credibly and effectively enforce norms of responsible behavior in cyberspace. Without attachés, it would be exponentially more difficult to coordinate the takedown of dark web marketplaces like Darkode. By making takedowns like this the rule—rather than the exception—we will help to create a more stable and secure cyberspace.
Frank J. Cilluffo is the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. Cilluffo is a member of the Cyberspace Solarium Commission and the Department of Homeland Security’s Advisory Council, and he’s routinely called upon to advise senior officials in the executive branch, U.S. Armed Services, and state and local governments on an array of matters related to national and homeland security strategy and policy.
Val Cofield is a Senior Director and Lead for Task Force Three at the U.S. Cyberspace Solarium Commission and the Deputy Assistant Director for the FBI’s Cyber Division. She has over 20 years of service with the FBI and has served in a variety of leadership positions such as the Senior Policy Director on current and emerging technologies and their impact on law enforcement, the Chief of Staff for the Science and Technology Branch, and the Budget Officer for the Criminal, Cyber, Response, and Services Branch.