While some may question the rationale behind indicting people in countries that are unlikely to extradite to the U.S., the Federal Bureau of Investigations (FBI) sees value in the activity as one aspect in a national strategy of deterrence, said Tonya Ugoretz, deputy assistant director in the Cyber Division of the FBI.
“I think there is some question about the utility of finding individual actors or nation states behind activity and holding them responsible,” Ugoretz said during Forcepoint’s Cybersecuirty Leadership Forum on Thursday. In her speech, she laid out the case in favor of attribution.
To make her point, Ugoretz told the story behind the SamSam ransomware, a malware strain attributed to two Iranian men in 2018. The malware caused over 30 million in losses, and affected the City of Atlanta, the City of Newark, and the Port of San Diego.
“What else was going on between 2015 and 2018? There was a little something going on called the JCPOA, an agreement the United States government decided it no longer wanted to be a part of,” she noted.
Through information gathering and collaboration, the FBI was able to discern that the attackers were motivated by personal gain, and not politics. Since naming the attackers, Ugoretz noted that they had seen no new cases of SamSam malware.
“If you believe in the rule of law and believe in accountability, you can’t have accountability if you don’t know who is behind activity,” she said. “What we’re talking about here is attribution.”
The infection also forced the FBI to rethink its processes, as almost all of the bureau’s 56 field offices had open investigations for targets in their area. Now, one field office is placed in charge of each investigation, with support from other offices and the bureau headquarters.
