FBI on the Cyber Offensive

EP 83: FBI on the Cyber Offensive


About this episode

July 6, 2021

The FBI is publicly releasing details about their active defense of the U.S. Is this a good thing? Find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at

Jake: So Kip, what are we going to talk about today?

Kip: Hey there, Jake. Hi. I think we should talk about something encouraging for a change and I'm stumbling over my words because I don't often, I can't remember if I've ever actually said in a podcast episode opening that we were going to talk about something encouraging. So it's like, this is a new thing, but what I'm seeing is the FBI is publicly acknowledging what I would call their active defense of the United States against cyber attacks. And I think this is a great thing.

Jake: Yeah. I mean, that is a different set of circumstances. And we've talked about active defense before on this podcast, but I feel like it's been a while.

Kip: Yeah, it has been, I was actually doing show prep and I was wondering myself, I'm like, I know we talked about it. And I went into the archives and I figured out, yeah, it was over three years ago. So back in 2018, March 6th episode, which of course we recorded, I don't know, 60 to 90 days before the release, but I went back and I looked at the script and I realized that not much had changed in terms of the definition of active defense and the kind of the controversy around active defense. So I think our goal on this podcast is to produce evergreen episodes as much as possible. And I think this one definitely remains evergreen. So folks, if you want to know more about active defense, I'm going to recommend that you go back to the March 6th, 2018 episode and listen to that. So we're not going to trod over that ground again. But what I do want to do today is I want to talk about what the US government is doing in the first half of 2021 that is actually breathing life into this idea of active defense.

Jake: So, I mean, I agree, we don't need to rehash it, but it was over three years ago. So why don't you give a really quick reminder, just what active defense as a phrase means.

Kip: Yeah. Okay. Okay. That's fair. Let's just do a quick definition. So if you think about a continuum of activities that we can take as defenders, right? We're getting attacked, what can we do? Well on the one end, we can be completely passive. Anything from disconnecting from the internet over to installing firewalls, patching our servers, and that sort of business, right? So kind of passive. Now, if you run all the way to the other side of that continuum, then you're in a territory that I call hacking back, and that's where you might get a cyber attack, and then in response, you identify what you think is the source. And then you launch a denial of service attack against the source of the attack against you, thereby halting that attack, right? So you're actively defending yourself, but in the process of doing that, you're actually striking back at another computer. So that's hacking back. And as we discussed in the previous episode, there's a lot of problems with that. And I don't want to unpack that again today.

But now somewhere in the middle between purely passive defense and hacking back is this space that we called active defense. And there's actually a whole range of activities in there. There's everything from inserting HTML beacons inside a document so that when it's opened, you can actually receive a notification that a document has been opened and you can actually collect some metadata to determine where was that document opened. So if you do business in the US and you don't do business in Russia, for example, and somebody in Russia opens up one of these documents that you've inserted this beacon into, okay, well, you probably have an incident on your hands and now you need to do something about it.

You could even do rescue missions, right? So right at the edge of active defense, just before you start getting into hacking back territory, you could actually mount a rescue mission to go and find your data and either copy it back because you lost your copy or delete it, because you don't want the criminals to have it, or maybe you're going to do both. Or you might retrieve Bitcoin that you paid in a ransom, right? You want to go get that back. And that's a form of active defense, and as we're going to see that actually happened.

Jake: That's super interesting. The rescue mission sounds really, really close to hacking back, and we don't need to necessarily harp on that, but why do you think we need active defense?

Kip: Well, my perception is that it's really not enough to just passively defend anymore. When I first started doing this work, everyone's perception was, is that doing passive defense was a real pain in the ass, but we needed to do it because it was just too easy for people to get into our servers and cause trouble. So we started putting up these fences, basically digital fences to keep people off our lawn. However, the cyber criminals and cyber soldiers are getting way more aggressive. And so, this is like, to me, I've always thought of this as like standing at the bar and somebody comes up from behind you and smacks you on the head with a bottle or something like that, or a pool cue or whatever. Now, if that happens to you and you're still standing after they hit you, you're not going to just keep standing there. You're going to want to tell this person, in no uncertain terms, that what they did was absolutely out of bounds. And if they ever try that again, they're going to regret it. And so you're going to punch back or you're going to knock that person to the ground. You're going to do something to tell them you will not mess with me. What you did was completely unacceptable. And that's what people want to do when they get attacked. Right?

So the mood has really shifted from, I'm just going to put up a no trespassing sign and now it's like, stay the heck out, and I'm going to wave a gun at you if I find you on my property. But even in the real world, right, we can't just chase people down off of our property and shoot at them as they flee. I mean, so we have to figure out how to do more to protect ourselves, but not cross that line into becoming an aggressor ourselves.

Jake: Agreed, agreed. So, what we're talking about, ultimately, what the FBI has been doing on active defense and what were their active defense events that you'd like to talk about?

Kip: Well, there was potentially three and I say potentially, because one, there was one that we're going to talk about that looked like it could have been a form of active defense, but then later on, we found out that it wasn't. And so, in a way, for me, it's been a bit of a roller coaster ride. So every other week I send out an email to my subscribers and it's called inflection point. And what I try to do is I try to identify the key events that are going on in the world right now that affect the way that those of us who use the internet for commerce, how is that affecting us? Right? And so, in my inflection points, I've been watching this and so anybody in the audience who's been reading them knows that, first I was like, hooray, active defense. And then it was like, oh, look, this is another form of active defense. And I was like, oh no, actually it's not. And then another one came along. I was like, oh, it's active defense again. So it's this really crazy rollercoaster ride that we're on right now. And I think it's going to continue like that.

But let's talk about these, there's three in particular that I think are noteworthy. Now, the first one happened in April of 2021. So we are recording this at the end of June. So this is a couple of months ago, and what happened was, I'll just recap the incident real quickly. In March of this year, Microsoft acknowledged that there were a number of zero day exploits and a zero day exploit, for those of you who don't know, means somebody has come up with a way to hack into a system, and it was a vulnerability that the manufacturer didn't know about. And the first time we find out about it is when it's being used to actively exploit us. And so that's a zero day exploit. At that point, the manufacturer is scrambling to catch up because they didn't know about it and they got to figure out how they're going to patch it.

So in March of 2021, Microsoft said, yep. The on premises versions of Exchange Server, right, which is their email system, had zero day exploits that were actively being used and they were actively compromising anybody that was running this version of their email server. And what was happening is that the cyber criminals were getting in and they were installing malware and other, and they were making configuration changes in order to ensure that they had long term access to these email servers. And you can imagine what they would use that for, right? Launching business email compromises, phishing campaigns, that sort of thing. And so Microsoft in April of 2021 published patches. But by that time, there were all these exchange servers that had been hacked. And a lot of people running these servers didn't even realize that they had been hacked, because these days, cyber attackers aren't trying to deny you the use of your asset. They're just trying to co-opt it. They're going to use it and they're going to let you use it too. And so you don't necessarily know that you've been exploited. Well, the FBI knew about this. And so the FBI decided that they were going to patch people's exchange servers for them. And as far as I know, that's absolutely unprecedented.

Jake: I think so. I think you can assume that's unprecedented.

Kip: Yeah, that a law enforcement agency, or really anybody, I know of a couple of cases where somebody wrote a benign worm that trolled the internet and patched people's home routers, but that's not a government action. This is a government action designed to increase the attack resistance of private assets. And so, this is a form of active defense.

Jake: Oh, absolutely. It's a form of active defense and it's a fairly aggressive form of active defense. And I think it's really quite interesting. And I believe that there was actually a fair amount of discussion about this kind of on social media and whatnot. And I believe someone posted the full, or I should say it was a redacted version of the warrant that the FBI got, or maybe it was the warrant application, but it was very, very interesting to see that this was something that could happen. It's never happened before. So it's difficult to kind of say what made them, in this particular case, why was this special? And I don't know that we'll ever actually know.

Kip: Well, yeah. So I would say as somebody who used to, okay, so I was on active duty in the military. That's not the same as being in the FBI, but it's not as different as some people might think that it is. In other words, what I'm saying is I've been on the government side where we were protecting secrets and I would be willing to bet that this was not the first time the FBI has done this. But I think what we can say is it's the first time that they've put out a press release saying that they did it. They did it in a highly visible way. I really would be surprised if they hadn't done something covertly in the past, because this is very risky. Super, super risky. I mean, what if the FBI botches the deployment of a patch, which IT departments do that all the time, simply because they make a mistake. But what if the FBI had accidentally deployed a patch that actually bricked exchange servers all over the country? I mean, that would've been awful and I'm sure they thought about that. So it's hard to imagine that they did this on the spur of the moment or in a less than thoughtful way.

By the way everybody, if you want to look this up, you can do an internet search on Hafnium. That was the name given to the Chinese-backed cyber criminal gang that was actively exploiting these zero days on the exchange servers. But just incredible. And the fact that there was a press release tells me that the FBI is putting everybody on notice, US citizens, as well as foreign nationals that they are in the game. It's fascinating.

Jake: Yeah, it is fascinating. And I suppose it's, I mean, do we think it's a bad thing? I'm not sure I have an opinion one way or the other. I mean, on the one hand, I think it's good that the government is stepping up its defense of the country and its citizens. On the other hand, it's a very unusual step. So I think it's probably going to have to be one of those things that we just process for quite a while longer.

Kip: Yeah. I mean, so we're in uncharted territory is what it comes down to. We don't really know what to think about this. On the one hand, I think about things that law enforcement does to make traveling the interstate highways in a car, a safe thing. Right? They do all kinds of stuff. They run patrols. There's state patrol, there's federal money being put into the safety of the road in terms of accidents and that sort of thing, right? So there's a lot of government involvement in keeping the interstate highway system safe and available for commerce. And I would like to see something comparable for the internet because the internet, it really is a digital highway. It's not optional anymore. We have to use it to do business.

Jake: For the last year it was more important than any set of roads.

Kip: Yeah. It was. Absolutely. We couldn't even drive anywhere because nothing was open. So, on that side, I like it and I'm encouraging it. But on the other hand, this is breaking a lot of barriers, right? So the idea of public partner, private partnership, we've talked about hey, let's partner up, but there's a deep, deep seated distrust among private enterprise, towards government involvement in their activities. The idea that the government would have free access to our private networks to deploy patches, I don't think that rubs people the right way.

Jake: No, I don't think it does either. Which means that we can assume that they really thought the risk was worth it.

Kip: Absolutely. I mean, they were risking the wrath, huge blowback, but I think what allowed them to get away with it in this situation is that the need is so pressing. 10 years ago, no, this would've been totally out of bounds. But now with all these ransomware attacks pressing down on us, I mean, we're fish in a barrel being shot at. It's not that hard to see that we need a miracle here. Right? We need heroics. We need a big action. And that's what the FBI did. And I think that's why they felt comfortable doing it.

Jake: Yeah, I think that's probably correct. And I think, it might be that public private cooperation simply, I mean, look, almost by the definition, when we say a state actor or state sponsored actor, think about what that means, right? The bad guys are teaming up with their governments. Maybe it's only fair, or maybe it's necessary that we do the same.

Kip: I do think it's necessary. I do think we're going to go in this direction. We just have to sort out some of our reticence. And I think the government has to clarify, has to get way, way more clear about what does it mean to have the government more involved in network defense. And I think they need to do some things like, for example, when you work with the FBI on a cyber attack, they're very clear about this, because I've asked them, look, we do not inform on you. So if you tell us that you did something that was against regulation, we're not going to take that and go to the Department of Commerce or something like that. Or to the-

Jake: Or the FTC.

Kip: Yeah, we're not going to go to your regulator and we're not going to snitch on you. Right? But I think that's a big concern.

Jake: It is.

Kip: Right? Because people are taking risks all the time, cutting corners constantly in order to abide by the law, but still conduct business in the most profitable way possible. So there's going to need to be some really clear believable boundaries that folks are going to buy into.

Jake: Yeah. Agreed. Agreed. Okay. So what was this second example then of the FBI's active defense events?

Kip: Yes. So the next one which turned out to be a feint, was when Colonial Pipeline was attacked and that happened in late May. They had a ransomware attack upon them and they paid the ransom. Ultimately, they got control of their computer systems back. There's so much to say about that. There's so much to unpack about that. I'm trying to hold myself back, but downstream from that attack and before the third item that we're going to talk about happened, there was this announcement from the DarkSide Ransomware Gang, that they were going to go out of business and that they were doing that in a response to political pressure from the US government. Now that's what the cyber criminals said.

And so at first my reaction was, wow. Oh my goodness, right? Here's the US government flexing its muscles and actually, in effect, scaring criminals from continuing to commit acts of crime, but that was quickly discredited by the government itself. And as I read some of the commentary on it, I realized that it's true that they probably couldn't have done that as a spur of the moment, shoot from the hip sort of a response, because you're talking about international relations, you're talking about operating on the global stage where you can't just shake a stick at another country without a lot of thought, a lot of planning, a lot of preparation. You have to be ready for some kind of response, some kind of aggressive response when you do that. Right? So, it probably was not true. It sounds like the ransomware gang was, I don't know, just cooking up some story. And the prevailing theory was is that they just wanted to abscond with their...

Jake: Ill gotten gains?

Kip: Yeah, well, not just with that, but also DarkSide has an affiliate business model where if I suddenly broke bad and decided I wanted to be a purveyor of ransomware and that's how I wanted to fund my lifestyle, I wouldn't need to know anything. I could just troll around on the dark web, find their affiliate website, sign up, and they would do most of the work, and they'd take a 30% cut of all the ransoms that I collected. I'd get 70% and I'd have to learn how to handle Bitcoin at that point, I suppose. So what happens though, is that when the ransom is paid, the DarkSide gets the whole ransom and then they distribute the 70% to the affiliate and they didn't in this case, they just went dark and they took all the money. So if you were an affiliate, you lost money because your supporter made off with your Bitcoins.

Jake: Well, that's not a good long term strategy for DarkSide, but I guess we'll just see what happens. So, that was obviously a lie. The US government ultimately said, no, that wasn't true. Quite relatedly though, what was the third FBI active defense event?

Kip: Right. So now let's go back and focus on the Bitcoins that were paid by Colonial Pipeline to DarkSide. So essentially what happened is the FBI got the Bitcoins back, or got a pretty substantial fraction of the Bitcoins back. So what happened was Colonial paid about 75 Bitcoins and at the prevailing prices of the time, that was about five million US dollars. By the time the FBI grabbed the Bitcoins back, the price was severely depressed because there was a big price correction in Bitcoin value. But even though the monetary value of the Bitcoins went down, they were able to recover just under 64 of the 75 Bitcoins paid.

And then they released some court documents about that, which I read. And I was stunned because there's two things you have to be able to do in order to pull this off. The first thing is, is you have to find out what Bitcoin wallet is holding those Bitcoins. And as you can imagine, just like criminals do in other activities where they're laundering money, you can launder Bitcoin, or at least you can try to.

Jake: You can to.

Kip: By moving it through wallet, after wallet, after wallet, after wallet. You can split it up, you can join it back together. And what the FBI did is, is they just followed the blockchain. In other words, every transaction of Bitcoin is in a public ledger. And so they're a bunch of accountants.

Jake: To be clear, that's by definition, right?

Kip: That's not a bug, it's a feature.

Jake: Yeah. And just to make sure everyone understands your little joke there, the FBI is in fact, a bunch of accountants. If you think about kind of, I mean, how was it that they got, was it Capone?

Kip: Yeah.

Jake: Who am I thinking of? I think it was Capone.

Kip: Well, a lot of mobsters in Capone's era.

Jake: A lot of mobsters. They were ultimately arrested and prosecuted on accounting type issues, tax crimes, things like that. And indeed, the Bitcoin ultimately, and this is not an episode about Bitcoin, but I think it is important. There are folks, including us to some degree, who will argue that ransomware will be around precisely as long as Bitcoin remains a viable form of payment.

Kip: Or some cryptocurrency.

Jake: Or some cryptocurrency. And therefore, the implication of that is that, oh, we should not allow cryptocurrencies. And that of course is a major... I don't think I fully agree with that. I think that's oversimplifying. I mean, they'll find other ways to get compensated. However, it is kind of amusing to think about the fact that by design, Bitcoin allows dedicated accountants to follow the trail. I mean, in fact, that's the whole point of a blockchain. And so, one wonders whether this could be the beginning of the end of Bitcoin, at least as a viable payment currency. And look, this isn't going to solve the problem. There are many, many, many other cryptocurrencies with different models and different technologies, but Bitcoin by far is the most well known one.

Kip: That's true. And Bitcoin is possibly the most transparent one in terms of the open ledger. Now, I think what's going to happen is I think the cyber criminals are going to fall back. And they're going to say, yeah, Bitcoin's a little too visible for us. Let's see if we can use a different cryptocurrency or possibly, there's no reason why they couldn't make their own.

Jake: It's a good point.

Kip: They could launch their own coins and they could figure out how to obscure the ledger. But anyway, I just think it's fascinating that the FBI used what's called a blockchain explorer, which is a piece of software that automates the analysis of transactions on the blockchain. And so they probably could have done it by hand to be honest with you.

Jake: Yeah, and really just to be clear, I mean, anyone could do that, right?

Kip: Yup, anyone could do that. And people have been doing that.

Jake: So I guess one of the questions I have, and hopefully you know the answer, maybe you know the answer, what allowed them to get the Bitcoin back exactly. How did they actually do that?

Kip: I wish I knew. I wish I knew. So, I went immediately to the court documents that were released, because I wanted to know the answer to that. I mean, as somebody who's worked in tech for a long time, I knew that the private key was what you needed to have in order to transfer those Bitcoins out. And I also knew that private citizens in the US and other countries have been scammed for years by having their coins in a hot wallet. And the way you scam them is you just steal their password or you steal their form of authentication. And so, SIM jacking, right, where I can take control of your phone, and then if you're using SMS to get two factor authentication for your cryptocurrency wallet, well, that's how a lot of people lose their Bitcoins.

And I assumed that the FBI must have done something like that. And so I went in to read the court docs to find out what they had actually done, but they're not saying. All they said in the court doc was, is that the FBI had the private key. They did not elaborate, which I thought was amazing because when they talked about how they determined which wallet had the coins, they were very, very detailed. They provided pages of elaboration of how they actually tracked that down. They included wallet addresses. And I mean, it was very interesting to see how they did the accounting, but they would not talk about how they got the private key. We have no idea at this point. So that means they hacked it. I mean, that's the conclusion I come to is that they dropped a remote access Trojan on some computer that had the wallet on it.

Jake: Because when you say they hacked it, they certainly didn't brute force it. I mean, a cryptocurrency private key is dozens of characters long. I mean, that's not brute forceable.

Kip: Okay. So let's talk about, if they didn't steal the authenticators, the passwords and everything, what other methods could they have used? Well, so maybe there was a flaw in that particular wallet, a technical implementation flaw, and maybe the FBI had a zero day exploit for that wallet, which allowed them to circumvent the need to perform some kind of authentication. And maybe they retrieved the private key from using this flaw. That's a possibility. I'm going to give you a farfetched possibility too, which is quantum computing. So the theory is, is that once quantum computers become practical, that they will be able to do math so fast that the public key private key algorithms that are in use will fall away. Because today it's mathematically really, it's practically impossible to brute force those keys using current computing methods, but with quantum computing.

Jake: In theory.

Kip: In theory, the expectation is, is that quantum computing will slice through them like a hot knife through butter. So if you want a far out theory, my far out theory is that the NSA has practical quantum computing and they help the FBI.

Jake: That's a farfetched theory.

Kip: It is. It is.

Jake: Maybe.

Kip: Well, but you know what? The NSA in terms of computing has been shown to be 10 to 20 years ahead of what's available in the open market. Quantum computing is the next frontier.

Jake: Yeah. I mean, I guess there's no reason to think that wouldn't be possible. I mean, you think about the cryptography that's available now, would've been, at one point was controlled, the same export controls as weapons.

Kip: That's right. They were considered munitions.

Jake: Exactly. And so, I suppose it's conceivable.

Kip: It's conceivable. It's not likely. And I'll tell you one reason why it's not likely. If I was the NSA and I had a practical quantum computer, I would not want to use it to spring less than five million dollars' worth of Bitcoins out of the hands of a bunch of cyber criminals, because that would tip my hand.

Jake: Yeah.

Kip: That I have missed.

Jake: It wouldn't be used for that. I mean, it's not going to be used for any level of money like that.

Kip: No. No, not yet.

Jake: I mean, someone would have to basically have like stolen the US Treasury before it becomes worthwhile to...

Kip: To reveal.

Jake: To reveal that capability.

Kip: Yeah.

Jake: So I think we can probably rest assured that if for no other reason it's not worth it, that seems unlikely. So let's talk about the legality of this. I mean, look, it really depends. First of all, we're talking about the US government doing it, even if we just put aside all kind of sovereign immunity questions and whether or not the government even can be liable and who the plaintiff would be. And if we just focus on private citizens, we really only have the Computer Fraud and Abuse Act and their state equivalents, like Washington's Cyber Crime Act. And those are the only laws I can think of presently that really touch upon active defense techniques.

And the question, look, is one of unauthorized access. And there's really no question in my mind, given the breadth of the definition of so-called protected computer, which is just a strange way of saying a computer used in interstate commerce. Almost always the answer's going to be, no, you don't have authorized access, or in other words, it is unauthorized. So technically most of these hack back or approaching hack back types of active defenses would violate the Computer Fraud and Abuse Act.

Now, interestingly enough, the state laws that are newer, and remember the CFAA is fairly old and I don't think it's been updated recently. So this of course could change, but the state law does have an exception for so-called white hat information, security research, or white hat cybersecurity research. And so, one could potentially say that active defenses that don't rise to the level of causing damage could be considered white hat security research. And that might protect you.

The fact though that ultimately, one, it was the government in this case, it probably doesn't matter. I suppose you could argue that these computers are outside of interstate commerce, if they're based in foreign countries and primarily being used to commit crimes. But we're so far ahead of the law in this area, just even talking about active defense is so far ahead of where the law is.

Kip: Yeah.

Jake: I guess what I'm saying is I wouldn't recommend it at this point to anyone but the largest players. And I wouldn't even recommend it to them unless it's in cooperation with the government.

Kip: Oh, absolutely. Absolutely. So there's two things here, right? Is it legal for the US government to do this? Is one side of the coin, right? Oh, the coin. Oh, I didn't mean to say that. And then the other aspect here is can private citizens, or can organizations in the private sector do this? And I would bet you that Microsoft's been doing this, but only in cooperation with the approval of the US government.

Jake: Yeah.

Kip: But I wouldn't go rogue and just start doing this on my own.

Jake: No. And do, keep in mind that in some cases you could say that Microsoft's, and frankly, other companies' efforts over time to bring down botnets through legal process is a form of active defense. By definition that one's going through the courts. So I think that's pretty low risk in terms, I mean, it is low risk. They're doing it the right way. I think the risk of doing it outside the courts is probably one I would not take unless you're doing it under response in reaction to receiving a government order or subpoena or some other form of authority. But it is really, this is just so far ahead of where the law is. The law is barely able to keep up with just cybersecurity in general.

Kip: Yeah.

Jake: Let alone this concept of hacking back and active defense.

Kip: So ladies and gentlemen, we're living through a revolution in digital affairs is what's going on here, right? And so, what's this comparable to, well, I think it's comparable to when the FBI had to innovate in order to stop machine gun toting criminals in the US in the 1920s and 30s. I think this is comparable to the emergence of nuclear weapons in the 1940s where we didn't know, I mean, all of a sudden we found, the Russians and the Americans and others found themselves with these planet destroying weapons. We had no idea what the rules of law, or sorry, what the laws of war were going to be. And we had to figure it out at the same time that we were under threat of total annihilation. Now this is a little different, of course, but I think it's still, we are in uncharted territory trying to sort out, what are the rules of engagement? How do we tussle with each other on the digital highway, so to speak? And so, it's evolving.

Jake: It is. And the machine gun analogy is actually quite apt. I mean, the fix for that was ultimately the Firearms Act that outlawed machine guns in most places. I mean, if you think about it, those were not controlled until the thirties. And that's one of the ways that the FBI was-

Kip: That was one of the ways. And the other ways they started hiring accountants and they prosecuted people for tax evasion, not for the actual crimes that they were suspected of committing.

Jake: Correct.

Kip: The acts of violence, right? So they innovated and they were able to figure out new ways of law enforcement. And that's what we're having to do here. New ways of law enforcement, which in the future could include patching your exchange server when you haven't bothered to do it.

Jake: Yup.

Kip: So, this is a fascinating evolving topic. I'm glad we had a chance to talk about it here in the podcast, but I guarantee this is not the last time that we're going to observe acts of active defense by the US government. And so, I'm keeping an eye on this for sure.

Jake: Yeah. Surely not. So it will be a constant I'm sure over the next decade.

Kip: Yup. Okay everybody, that wraps up this episode. Thanks for being here with us on the Cyber Risk Management podcast. Today, we talked about the FBI's publicly acknowledged active defense of the United States. We'll see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at and Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.