Eric Strom is the Unit Chief of the Mission Critical Engagement Unit, Cyber Division. In this role, Mr. Strom oversees the FBI Cyber Division’s private sector outreach efforts to the 16 critical infrastructure sectors, forging partnerships with companies in those sectors to develop and share threat intelligence related to activities by sophisticated criminal organizations as well as nation state actors.
Eric Strom is the Unit Chief of the Mission Critical Engagement Unit, Cyber Division. In this role, Mr. Strom oversees the FBI Cyber Division’s private sector outreach efforts to the 16 critical infrastructure sectors, forging partnerships with companies in those sectors to develop and share threat intelligence related to activities by sophisticated criminal organizations as well as nation state actors.
"No, it's funny. None of us really had a traditional cyber background. Tom started out his career as a geologist and Keith actually started out selling like furniture. He was a salesman."
"But I mean, from the legal standpoint, you've got third party liability and other things. So we really had to walk a kind of a tight rope when it came to what types of malware we were infecting ourselves with. And then how far we'd let it go."
"And so as we're taking it over, it was really interesting to sit behind one of the malware analysts and watch a Wireshark and watch the instructions coming out. I crossed the wire. It was really cool. And when it really kind of sunk in, because to me it was like a tangible thing. I can actually see it happening as it was going on."
"It's (cybersecurity) probably the most rewarding thing you'll ever do in your life."
Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Stay in touch and sign up for sneak peaks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
Ayman on Twitter: https://twitter.com/coffeewithayman
[00:00:00] Ayman Elsawah: hi, Eric, welcome to the show.
Eric Strom: [00:00:01] Thanks for having me.
Ayman Elsawah: [00:00:02] Yeah. Thanks for coming on. So, for those out there that might not be familiar with you or your work, can you give us a little about what you do today?
Eric Strom: [00:00:10] Sure. Well, my name's Eric Strom. I am currently the unit chief for the mission critical engagement unit, which is the FBI cyber division's unit that engages with both with the private sector and the public sector agencies that focus on the 16 critical infrastructure sectors. So our goal really is to engage with these entities to identify kind of current emerging threats that are affecting our critical infrastructure.
Okay. And I think the 16 different industries, there's a wide gamut. If I understand, is that right?
Yeah, ranges from academia to government facilities, to energy, to water, dams, wastewater, and kind of all the major infrastructure type entities. And then they all have their corresponding agencies that, uh, responsible for them. So like department of energy is responsible for the energy sector. And so we work very closely with them.
Ayman Elsawah: [00:00:54] Okay. So now, is this a one part of a cyber division in FBI or is this the cyber division in the FBI.
Eric Strom: [00:01:02] This. So I'm based out of our headquarters--so it's the main cyber division headquarters--and the way things are broken down is we have our 56 field offices that are in the field, but I am at the main cyber division headquarters and we're one unit within the cyber engagement intelligence section. So there's a number of sections--five sections--within cyber division and we're in one of those.
Ayman Elsawah: [00:01:21] Oh, I see. Okay, great. Yeah, just for those out there, that might not be familiar with the different organizational makeup of the FBI. I think it's changed a little bit over the years.
Eric Strom: [00:01:29] It changes almost every two years.
Ayman Elsawah: [00:01:33] Every two years. Okay.
Eric Strom: [00:01:34] It's more out of trying to stay up to date with current cyber threats and so it evolves as fast as it can. So that's not really a dig. It's just that we have to change in order to keep up with the pace of what's going on out there.
Ayman Elsawah: [00:01:45] That's actually pretty good. Given how fast technology changes. I think that's pretty good actually. Even many startups don't change as fast, so that's pretty cool. Great. So tell us how you got to the position you are today.
Eric Strom: [00:01:57] Well, so I've been in the Bureau for 21 years. I started in June of 1999. I had previously been an attorney in Chicago, had gone to law school in Chicago and worked for about three and a half years, practicing criminal defense and civil defense work. And I just happened to go to school at John Marshall law school is right down the street from the jerks and federal building in Chicago. That's where a lot of the federal agencies were housed. That's where a lot of all the courts were. And so we had the benefit of engaging with a lot of different agencies. Guys would come over and talk about what they did, whether it was ATF, DEA, or FBI, or US Marshall service. I had friends that were clerking for us magistrates, and they would talk about the different agencies they can engage with.
So, throughout that process, I kind of became interested in working with the FBI. I always liked the criminal aspect of the law. I liked being in the courtroom. And so I applied pretty much right after I graduated from law school, but they wanted me to be a little more seasoned as far as work experience.
And that holds true really for everyone. They kind of want you to work a little bit. They want the FBI to be your last job, not your first one. They want you to bring the experience that you learn out in the private sector or other government agencies to the FBI. And so it took about three years to get in.
And that's partly just because of the process, you know, whether it's the background checks, the health screenings, and then just the interview and then the testing and everything.
Ayman Elsawah: [00:03:16] So if I understand correctly, you applied and then I guess didn't get accepted initially. Is that right?
Eric Strom: [00:03:21] Well, no, it was just, it was just, that just is how long the process took. So I applied and then based on the need at the time, they just kinda, I don't want to say strung me along, but they kind of just, they wanted to keep me interested, but they just said, we'll keep calling you when we're ready.
Ayman Elsawah: [00:03:35] Interesting.
Eric Strom: [00:03:35] Seemed like so many months I get called down and would have to do wind up some sort of phase one testing, which would be a written exam.
And then two would be the interview and things like that. It just progressed. And I enjoyed what I was doing as a lawyer. And so this was just kind of happening. And, fortunately for me, the timing worked out that when they did call and say, you've been accepted, that I was ready and ready to go. And next thing you know, I was in Quantico in June of 99 and went through my four or five months of training.
And then my first office was Pittsburgh division and never lived there before. I had a friend that grew up there, and that was about the extent I knew about the city. And basically I started working on a drug and organized crime squad. I was on the SWAT team, tactical team, and I was also a farm instructor.
So very kind of violent crime centered career. I really enjoyed it. But as the years went on, there were some supervisors and other people that I met. And one of which was a man named Dan Larkin. And he had this concept of creating a shared space where we would work with industry and academia and law enforcement to try to tackle this emerging cyber threat that was growing, and this is when the early 2000s. We had already created the internet crime complaint center, which is down in Fairmont West Virginia. Which takes in a lot of victim complaints at the time, it was a lot of like fraud on different payment platforms and things like that back in the day. And you wanted to create a similar platform that companies could go to about different frauds and other cyber threats that were facing them.
So we kept in touch, eventually [00:05:00] created this new group and they built this nonprofit called the national cyber forensics and training Alliance: NCFTA for short. And they embedded an FBI unit in there and he asked me if I was interested in coming over and working it. And I had never really worked cyber threats before, but I had worked a lot of Russian organized crime before, and the Russians were very involved in pretty much everything from violent crime to art theft to healthcare fraud and then to this kind of emerging cyber threats. And so it piqued my interest. And so I worked in this kind of unique setting, not having any cyber or InfoSec background at all. Again, I was a lawyer by trade and I basically just was immersed in these kinds of new threats. You know, we looked at spamming and phishing and the emergence of botnets and things like that.
And I just learned along the way I learned through repetition, we had a lot of young graduate students that comprised the nonprofit staff. And a lot of them were either computer scientists or into InfoSec, but they also had sociologists and other kind of unique job or study positions that kind of brought a holistic look at the threat.
And it really kind of gave me a better perspective on cyber crime, because it's like looking at an onion and you start peeling away, all the layers in anonimization and things like that until you finally find that individual organization that's responsible for it. And so how we got to that middle park was really what I focused in on, because if you're new to cyber security or InfoSec, it's kind of overwhelming.
I likened it to math. I got in really early and I kind of kept up to date as the years went on. But if you're coming in and kind of the middle or towards the later part it can be... you don't understand the historical significance of why certain countries do what they do or why certain actors are doing what they're doing, because there's a lot of repetition along the way.
Ayman Elsawah: [00:06:40] Right. Okay. And so you're at this nonprofit, which is interesting in and of itself, and you're an FBI embedded in the nonprofit and doing these investigations.
Eric Strom: [00:06:48] I was one of the headquarter unit. So we were considered an offsite. So we were assigned to Washington DC, but we're located within this nonprofit in Pittsburgh, Pennsylvania. And there was six or seven of us that were embedded with the unit chief. So Dan Larkin was my boss and we all looked at different threats that were kind of dominating the kind of the cyber field at the time.
And like I said, there was the spamming there's fishing. There was kind of the online fraud that you were seeing, whether it was online pharmaceuticals and other related things. And then we started looking into the what we call the underground forums and that's where it really kind of peaked my interest because I likened that the closest to organized crime. And although I like to call it this organized crime, because unlike the mafia, families and things that you are familiar with in New York and Chicago and other places, these were organizations of individuals that had certain specialties or experience or expertise, and they would get together to do these different frauds online.
And so that was really interesting to me. And they were global. It wasn't like kids in the same neighborhood or the same city. You had a Turkish kid and then he had a kid from Russia. And then you had some kids maybe from down in South America and they all kind of linked up on these forums and were able to execute these different online cyber threats.
And so I found that very fascinating and so much so that we ended up taking over one of these underground forums. It was the first time that the FBI ever did that. You know, the forum was called dark market. And a colleague of mine, Keith malarkey, was our undercover officer and I was the case agent. And then we had another colleague, Tom Grasso that was really in charge of kind of the technical aspects of things.
No, it's funny. None of us really had a traditional cyber background. Tom started out his career as a geologist and Keith actually started out selling like furniture. He was a salesman. And I was a lawyer, but the three of us together, we had interest in information security and cyber. And I think we took our unique backgrounds and applied them in a way that we were able to get things done.
I mean, Keith is a great example. I mean, here's this guy who was a salesman before he got into the FBI and essentially his job as an admin for this form that we took over was he was selling these guys on believing that we were just as bad as they were. And we were really successful at it. So we ran this forum for two years.
We prevented about 70 million in loss, and we arrested a little over 75 folks globally. And the really important thing about this case, aside from the fact that it was kind of a game changer for the FBI, it was the fact that we really started to develop our international relationships with our foreign partners and police partners.
We were working a lot with the Germans, a lot with the UK, Turkey--we had a Turkish police officer embedded with us for almost a year. We also worked with Switzerland Belarus and a couple of other countries. And that really kind of made us realize at the time, and I'm talking 2006, 2008, that we can't do this on our own.
And this is a global threat and these actors are everywhere and we really need to rely on each other to work well together. And that was really actually prompted my interest to try to work overseas later in my career.
Ayman Elsawah: [00:09:46] Nice. So it kind of like how your targets were getting together across the globe. You as well on the other side, were getting together with partners across the globe as well.
Eric Strom: [00:09:54] That's correct. Yeah. Our initial group that we developed, which we call the foreign threat focus cell was Germany, the [00:10:00] Netherlands, Lithuania, Ukraine, the UK and Australia. That was kind of the first six countries that we really worked with on a consistent basis to try to de-conflict and coordinate.
Because what we also realized is a lot of these subjects that were attacking different countries were also attacking our partners and they were opening cases against them. So just as a manner of efficiency, we were like, well, wait a minute. Like we're also looking at this guy. And so we would negotiate and coordinate kind of evidence we had on each individual and see who had a stronger case and then try to get that information or evidence to that country so they can use it for their prosecution.
Ayman Elsawah: [00:10:31] Okay. So we have a furniture salesman, we have a geologist and a lawyer, and I'm sure many others with varied backgrounds. So you're talking about the salesman using his sales skills. What are some skills or assets that you guys brought to the table--you guys meaning you, all women included--what are some assets that you all brought to the table from your non-cyber security backgrounds that really helped in some of the cyber security investigation?
Like I love the sales analogy. What are some others that you noticed?
Eric Strom: [00:10:56] For me, being a lawyer, you can't do an undercover without getting all sorts of authorities and approvals by both the FBI and the department of justice. And so that whole process where you're reporting back to whether your supervisors or judges or folks back at headquarters, that was my responsibility. And so in order to keep us administratively pure, and really my goal was to keep it a good precedent because what we wanted to do was this model that we were creating, as far as taking over form and running with it, we wanted it replicated in other investigations and other fields.
And really in theory, because we were a headquarter unit, we were kind of at a disadvantage because headquarters is not like the field, the field has ready access to US attorneys. They have an evidence room, they have an Elisha room that that's electronic evidence and all these other support systems that help with their investigations.
We did not. And so we had to rely on, again, I kind of leveraged my relationships with Pittsburgh field office because I used to work there. And we worked out a deal where we'd be able to leverage their support systems to help us with this case. And in return, we were then referring cases on subjects, out to other field offices like New York or Omaha, Nebraska or Chicago. And so we became almost like a referral mechanism both internally within the United States, but then also externally with our foreign partners. And I'd be remiss in not saying that we also were very closely with USDA service because they also were kind of getting into this field at the same time.
Obviously one of their mandates is looking at financial crimes and especially online, and so, we did a lot of deconfliction coordination, both with their headquarter units, as well as their local Pittsburgh office, which was very hard. And then in return, a lot of the stuff that we were able to identify in our case solved the big case for them.
They had a case against a gentleman named Maxwell Butler who was actually arrested out in San Francisco. His nickname was ice man. And the secret service and our case, we're kind of looking at him, but they had some really good evidence against him. So we try to provide them as much as we could to help him get him because he had a knack of kind of disappearing and basically stealing wireless signals all over San Francisco, so you can never really track them down until they eventually did. And they work at one of those rare, no knock warrants to get him because he was always online. And the concern was that he would lock up all the systems and we wouldn't get any of the evidence on there. So that was a very interesting spinoff case of what we were doing, and they've read some books and other things about him.
But he was an interesting character and we subsequently brought him in after he went to prison to talk to companies and cybersecurity reps, to talk about what he did and how he did it. And one thing I learned over these years is a lot of these criminals, they love talking about themselves and what they do. And so they're really engaging and they love to spill the beans and talk about everything that they did and they get really excited about it and it really shows you how easy it is for young people to kind of fall into that kind of lifestyle and not realize the damage they're causing.
And I believe, you know, back in the day, the damage globally wasn't as bad because we weren't as interconnected as we are today. But today you look at things like the MRI botnet and other things where they're knocking off major companies offline. I mean, you're talking about the significant financial losses and communication losses and other things.
And I think a lot of young people just don't realize the power that the internet has these days.
Ayman Elsawah: [00:14:08] Right. They're very abstracted from an impact. I guess. Yeah. And from understanding the, you know, you have a lot of people showing their spoils online on YouTube and it's like, it's quite interesting.
Eric Strom: [00:14:18] Right again, and you try to take advantage of that. And I think that's what we did. And again, that's where kind of Keith kind of came in and was able to develop these really these friendships. And to be honest, once the case broke out and it was mentioned in the news that the forum was actually run by the FBI, he had a lot of people reaching out to him still and, and under his persona, saying this isn't true. You are the greatest guy ever, you know, and then he would just say, well, it is, and you probably would be best if you just turned yourself in. And we had a couple instances where they did, where they call the local police said, you know, I've been doing this and I've been working with this individual and it worked out. But yeah, I mean, that's the kind of trust that he developed and really, trust is the big word here because between myself and Tom and Keith, [00:15:00] the trust we developed both with, uh, partners in law enforcement, our foreign partners, and really the private sector partners.
Because as I mentioned, we prevented $70 million of loss. And so as these guys were posting bank accounts and brokerage accounts, and other things online on this forum, We were scraping those out and then contacting these different companies saying, "Hey, we're seeing your client's information being sold."
And they would confirm, yes, that is. And so they would take matters into trying to mitigate those losses. And so in doing that and having that kind of two-way exchange, we really develop solid relationships that the FBI could then leverage later on and vice versa. We got to know a lot of these folks in what we were doing, and we had the benefit in our group in particular that cause eventually I took over this unit in 2010.
And we were together for almost 10 years, which is really unheard of in government speak. Most people kind of move to different positions, but we really enjoyed what we were doing. And we could see that it was a tangible difference if you can see being made, which is another thing, you know, cyber cases can be longterm and time consuming because of this sophisticated nature of things.
But ultimately the end result when you either. Make a disruption or you make an arrest or, you know, indict or you taking money back out of their accounts that they stole. I mean, it's really satisfying at the end of the day. And I think it's really the mission, which draws a lot of people into the FBI and what we do and the variety of types of work we do.
I mean, it constantly changes the threats constantly change, and that really makes the job interesting. There hasn't been a day that I've been in that I'm like looking at the clock watching. I'm like, okay, what's this day going to get over with? It's usually like, Oh my gosh, it's already four. O'clock like, what's happening.
And that's great. That's the thing I really like about it. And I've known some guys that have left and have gone to work for companies, and they're like, I'm making more money, but it's just not the same mission. You're not helping people as much as we like.
Ayman Elsawah: [00:16:43] Yeah, that's wonderful. So tell me what's a really creative way you solve the problem. In, in your years of experience, what is the most creative solution that you came to a problem and lessons learned from that?
Eric Strom: [00:16:56] It's a good question. So I know it literally took us 18 months to kind of get this approval, but we ended up doing what a lot of researchers do. But the athlete did it ourselves as the FBI, but we ended up developing a self infection platform where we're infecting ourselves with different types of malware.
But I mean, from the legal standpoint, you've got third party liability and other things. So we really had to walk a kind of a tight rope when it came to what types of malware we were infecting ourselves with. And then how far we'd let it go.
Ayman Elsawah: [00:17:25] Are you referring to a particular incident or were you just in general?
Eric Strom: [00:17:28] In general, basically we provided a service and here's the issue. So you have all our 56 offices that we work with. And each office for time in the very beginning of cyber, each office was developing its own malware kind of collection. It was doing its own forensics and all this kind of stuff. And so we wanted to kind of centralize it and that way we weren't taking resources away from the field, but we were actually providing a service that headquarters could provide to the field.
And so we would canvas the field offices saying, okay, get us a sample of this malware and we'll run it in the wild to see what it does. And we'll get you the information back. You know what I piece it's calling out to and try to identify what this is doing. And in fact, one case we had, it was the game overs use case.
We infected ourselves with it. And then when we actually took the botnet down and when I say take it down, it was group work. We had researchers from universities, we had private sector companies. We had other nonprofits all helping us take this very sophisticated botnet down, but we had infected ourselves with it as well.
And so as we're taking it over, it was really interesting to sit behind one of the malware analysts and watch a Wireshark and watch the instructions coming out. I crossed the wire. It was really cool. And when it really kind of sunk in, because to me it was like a tangible thing. I can actually see it happening as it was going on.
And that certainly kind of got me hooked. I'm like, Hey, this is a great thing we can be doing from now into the future. That brings legal challenges though. I would have loved to push out patches and fixes all over the world, but you know, you're basically budding into country sovereignty and a lot of countries don't want that.
And so we had to do a lot of work arounds. One of which was we infected ourselves and we started collecting all the foreign IPS. And then we made arrangements with another nonprofit to then share those with four nice PS and foreign governments so that they can then remediate the problem. That was the best we can do outside of trying to actually fix the problem globally, just because it just wouldn't happen.
We made that argument went all the way up to the attorney general and he said, he'd rather not do that. So, but I mean, it's little things like that. Now you have a problem and it kind of blows up into something like that. And you're like at the end of the day, or like, wow, that's, you're really having a huge impact on sex.
Ayman Elsawah: [00:19:30] Yeah. When you have like a lot of legalities and foreign governments involved, I guess you can get to get a little creative you're trying to help, but then you have egos involved in different laws and stuff like that. Yeah.
Eric Strom: [00:19:40] correct. That's where my criminal defense attorney headcount would always come on. I would look at it from another perspective and say, you know, what are people going to say? You know, the U S government is reaching in and what happens. And they always come up with this. What happens if a computer is in a hospital and something happens and someone dies and every lawyer brings that one up, but they never bring up the fact that [00:20:00] that's already a vulnerable computer and anything could happen to it.
That said my job was really kind of sometimes to let the reins out and then pull the reins back. It just depended on the situation. And we always work with our office of general counsel and our cyber law unit. Nice. Just to really kind of get different perspectives work with the us attorney's office, obviously the department of justice to try to see what we can do again, because we wanted to set good precedents, do things where we can always say, Hey, that worked out well.
Let's try that again. In this situation. Because it works so well in the prior one and legally we were administratively pure. So those are the really kind of neat kind of challenges that unlike some of these other operational divisions that we have, whether it's criminal or counterterrorism stuff that we face almost daily, and it really kind of gets your mind going and really keeps you involved in kind of how you can challenge yourself and challenge the system at times to make change.
Ayman Elsawah: [00:20:51] Yeah. What are some important skills that are essential right now in working in cybersecurity? At least in the FBI? Yeah. They're technical. Non technical skills. Can you expand on what you're seeing right now is some really useful skills to have on both sides.
Eric Strom: [00:21:03] Sure. Yeah. The ideal agent, computer scientist, whatever would have be very technical know the law, be a people person. I mean, there's a lot of different aspects that you need because of the international nature of things, because the private sector owns 90% of the center. I mean, you have to be able to talk and engage and develop trust with people.
That's a critical requirement for the job. You can't do it alone and you have to be able to work with people. You know, sometimes investigators, whether they're with the FBI or other agencies tend to get, you know, this is my case and I don't want to harm it. And if I share something, it's going to blow the whole case.
But what they don't realize is that these cases, you don't have it corralled if it's being worked globally. And so you really got to get the word out there and what's going on. So being able to communicate, being able to develop trust, obviously having the technical, you don't have to be a ones and zeros programmer.
I mean, that would help just to have an appreciation. But what I have seen in the past is that people that are super technical tend to get lost in the technical nature of what they're looking at. Not really realizing that, yes, this is a map and this is what it's doing, but why is it being used? I liken it to like a bank robbery where the, someone is a gun expert and they look at the gun use and the bank robbery.
And they're like, well, that was just a tool. The reason I took the money, it was why was it because they just needed money? Do they need a drug fix? Are they part of an organized crime group that just doing something larger, a counterterrorism group that's doing something larger, but you can't get so focused in on that technical aspects either.
But having a general understanding of what a bot network is and how malware works and just understanding infrastructure in general would be very helpful. And we have a lot of lease in the FBI. We have a lot of training that we provide basic cyber investigative training. We also work with a couple other independent companies that provide training outside of the FBI that you can get certified in.
That really helps. And again, like I learned basically from sitting in a very unique environment, And was immersed in it. And unfortunately not everyone really gets that opportunity, but having a, just a basic awareness would definitely be helpful. And then being able to speak in front of people, we do a lot of conferences.
We do a lot of media interviews. You're constantly trying to sell your investigation to us attorney General's office executives within the FBI. I mean, you might be briefing the FBI director at some point on the case. And so that's just another aspect of what makes a good investigator.
Ayman Elsawah: [00:23:20] Let's step back for a second. What are all the different positions that the FBI has in its cyber units?
Eric Strom: [00:23:26] Sure at the field level. And so in a field office, you'd have a special agent that would be a cyber investigator focused on cyber investigations. And then part of that squad that would make up that group would be the special agents you would have computer scientists assigned that would do a lot of the malware analysis and other tracking you'd have Intel analysts that would kind of make connections between maybe the group or the.
Individual that you're looking at or the type of malware and what it's attacking and kind of writing, reporting on that, both for consumption internally within the FBI or with our partners in the larger kind of Intel community, or even in the form of a pin or a flash, which is what we provide to our private sector partners.
So Penn is kind of a high level private industry notification that we provide to, I guess it'd be written more to an executive level overview of kind of what the threat is. And then the flash is actually basically the Yara rules and other things. The IOC is that maybe the particular malware is associated with.
And so anybody who's a defense or at a company or whatever, can then use those or input those into their system to try to identify whether they have an issue or not. And then you have management program analysts as well. And so they and SOS is, so there are other professional support that do additional either reporting or research.
So you kind of work as a big team and the headquarter, these are kind of similar in that. You've got the special agents that are usually manage a particular program. So they're responsible for certain field offices or my case. They're responsible for a certain sector. And then you have management program analysts that support them.
A lot of presentations, they do a lot of the kind of massaging [00:25:00] information and exchanging information, making sure it's getting to where it needs to go. Then you have Intel analysts that obviously develop collection requirements and things like that. So when we are reaching out to a particular energy sector or a company within that sector, or trying to develop Intel requirements, that we can then relay to our field or operational units, Hey, this is what we see affecting.
The oil and gas sector, you know, what are we seeing out there from nation state actors or criminal actors and how they may be trying to exploit these vulnerabilities that we're identifying. And then we try to circle back to those companies and that sector saying, Hey, this is kind of what we're finding.
Have you seen any of this? And if so, can we share it to the broader audience so that the sector itself can be strengthened?
Ayman Elsawah: [00:25:36] Okay. So it seems like the wide variety of positions.
Eric Strom: [00:25:39] is, there's a lot. I mean, it's grown over time and again, it's really a kind of a team atmosphere. Everyone is providing some important aspect to a cyber investigation. There's a lot of analysis behind things, and you're constantly getting information back from legal documents and subpoenas.
And so someone has to analyze that information, which would either the. Professional support the is, or the SOS is, or the intelligence analysts and try to make these connections as to, okay. Where is this group really located or where did the money go or who are they working with? That kind of thing.
Ayman Elsawah: [00:26:11] If you have a need for all the positions right now, or are you seeing a stronger need for some positions more than others?
Eric Strom: [00:26:18] I think the FBI is kind of reflective of the overall kind of private industry. I think we're always a need for anybody who has the interest in cyber training. I think. It kind of ebbs and flows when we need, whether it's an agent or an analyst or an SOS. I think it just depends, but that shouldn't dissuade anybody from applying.
I think the Bureau after nine 11 cyber became one of the key backgrounds that we were looking for as well as like language ability and things like that. It used to be just attorneys, lawyers, police, and military. And then they kind of started opening that aperture up and cyber was one of them. And so if I'm ever out and about at a recruiting event or a major cyber conference or something, and I'm talking to people, I'm always trying to convince them that, Hey, this is a great job.
You're more than likely going to be traveling around the world. So you'll be using a passport. You need a passport. If you don't have one. You kind of run through it. I, every new agents class, I always tell the instructors, you got to emphasize the fact that they need to get their official passport because literally within a week or a month, they may be already going over Germany or wherever because that's where their case is taking them.
Ayman Elsawah: [00:27:23] Right. Wow. That's amazing. I've had people emailing me like how law enforcement police officers I'm looking to get into cyber. Do you have any specific advice for them? Someone in law enforcement, general law enforcement looking to get into cyber, either at the FBI or just in general, do you have any advice for them how to do so?
Eric Strom: [00:27:38] Sure. I mean, nowadays, everybody, I think every federal agency has some sort of cyber investigative branch or unit or squad or something or out in the field. And it runs the gamut. I mean, if you associate crimes against children, the dark web, that drug related to cases and things like that on there. So, I mean, there's a lot of variety now with agencies there isn't just one or two.
I think most of them have some sort of cyber component. What we're trying to do with a lot of police departments is all of our 56 field offices have CTS a cyber task forces. And we're always trying to encourage them to provide investigators, detectives, to join our CTS again, because they're getting a really bad, broad brush of what's affecting not just their area of responsibility.
I'll let you say it's Dallas, but you're looking at the threats across the country and across the world. When I was in a lab, assistant legal attache and the Hague, I remember supporting a case out of Dallas and it was a task force officer that was working. I think it was a ransomware case or something.
And I thought that was really cool. Here's an officer that joined the task force and now he's working in investigation that would bring him overseas. Now you have to ask like yourself, you know, how is that helping. Dallas police department, or I think he was with Fort worth. How is that helping Fort worth?
Well, in a way it is because if you can get the individuals responsible for this ransomware campaign, that's hitting school districts and local governments and police departments, well, then you're solving a problem for the United States and ultimately that's going to show, so show the benefits. And it's also to be honest with you, I mean, if you have that kind of, if you can do that and have that kind of background, to be honest, when you retire, I don't want to say the sky's the limit, but I mean, you would really be marketable in the private sector with that kind of background.
Ayman Elsawah: [00:29:13] I was going to say that experience is so valuable.
Eric Strom: [00:29:15] Yeah. And just in basic way of life, you know, I felt when I went to law school and having a legal background and knowledge and how I was able to navigate through life these days, you need to have some sort of basic InfoSec or cyber background, because I mean, just look at these virtual schools around the country.
I mean, helping a child, you know, trying to log in and figure out what's going on. I mean, just having the basic understanding of how your home network works is helpful. So, I mean, it's very important. One of the things I'd like to mention is NCI JTF, which is the national cyber joint investigative task force, which the FBI runs and collaboration with 20 other agencies.
I think we're renewing, it's almost like an internship or fellowship that we have with. Local and state police departments where we're bringing in different folks to have them work in kind of this collaborative environment, to learn more about [00:30:00] what we're doing on the cyber front, at the federal level and how we're collaborating in a, through the interagency.
And then we also have our national Academy at the FBI that we always bring state local, federal and foreign partners in. And we've been really trying to push, providing cyber training. At those events so that they're armed with more awareness. So when they do go back to their departments, they have a better idea of what's going on.
It's interesting. A lot of these state and local departments don't have responsibility for their it department. That's usually from the city or the County. And yet when there's an event like a ransomware attack and the files are locked up or say someone goes in and starts manipulating electronic evidence.
I mean, those are major issues that these guys need to know about. And that's what we're trying to promote to all of these, what we consider up and coming folks that are selected or nominated to be at the national Academy.
Ayman Elsawah: [00:30:44] Okay. That's great. I mean, first of all, does fem love acronyms or is it.
Eric Strom: [00:30:50] You can't be in government without loving acronyms. I mean, it's the way of life.
Ayman Elsawah: [00:30:53] It sounds like it. Yeah. Yeah. So the NCI JTF is a bunch of, I guess, agencies. I just looked it up here online. Are you seeing, is this a way for local law enforcement folks to get involved? Can you expand on a little bit?
Eric Strom: [00:31:08] So the NCI JTF is more or less the kind of the federal collaboration looking at threats.
Ayman Elsawah: [00:31:14] Okay.
Eric Strom: [00:31:14] we do have like a fellowship Graham with state and locals to expose them to that. So that there's more, they have a better understanding of kind of the resources available to state and local departments that are out there.
I think sometimes there's a disconnect between the state and local departments and they're working something locally. And then when it leaves the state, they're kind of like, okay, what do we do? And whether or not they have a good relationship with, through FBI office or not. I mean, this at least opens her eyes to, Hey, these are these, these are the resources that are out there.
This is the internet crime complaint center where a lot of complaints are. I mean, I think a lot of local police would be surprised at how many complaints that are filed from their area of responsibility, with the IC three. It could be three or $4 million of loss and the local sheriff or chief might say, Oh, this is a problem, but we can't really see it because we're not working collaboratively because you have multiple agencies within a certain state.
And they're not really sharing all that information. It's all being shared federally. So
Ayman Elsawah: [00:32:10] So how does one join that fellowship? Is there a way to get involved?
Eric Strom: [00:32:13] that is a good question. And I'll have to circle back with you on that. Because that's the program that's run separately out of the NCI JTF. I just know in the past, when I've been in and out of headquarters, that they've had different fellows that have stopped in for meetings, and they'd be an introduced them as this is detective so-and-so from this department, from San Diego or Dallas or wherever.
And I just don't know the facts as far as how you would apply for something like that.
Ayman Elsawah: [00:32:35] Okay. So given October is cybersecurity awareness month. So let's change gears a little bit and what are you seeing out there? What are some important things for the public to understand from a security awareness and then. What is something that a cybersecurity professional, whether they're new or old can do to help their local community from a cyber security harness?
Eric Strom: [00:32:54] Well, I have this conversation a lot in the office. Cyber can get really complicated, real fast. And usually my spiel, when I'm talking to companies or partners, I always go back to football. It's just all about blocking and tackling. It's all the basics. If you're running a company and you're the CSO or CTO, or whoever's in charge of kind of the cyber infrastructure and responsible for cyber defense, it's really about informing the employees of.
What they should and shouldn't be doing, and that's a 24 by seven job. You're constantly training, constantly advising them. And you really need the full support of the C suite in order to be able to push this down. And because if the C suite is not paying attention and they're not being responsible within the rank and file, folks are gonna say, well, they're not doing and why should I?
And that's really where your vulnerabilities pop up. It's not the computer or the types of programs. It's really the person behind the keyboard that gets you every time. And that's really a problem. And so we're always constantly talking to people that they need to make sure that they're training their folks to have good password management, that they make sure that they're not clicking on everything that they see online, that they verify who's reaching out to them because there's a lot of social engineering going on, whether it's through the phone or through online.
And these are really kind of the basics where folks can get into the network and then they just kind of hang out there for a long time. And then next thing you know, you're losing all sorts of money, intellectual property. So that's really what it boils down to. You also have to realize what's most important what's in the company.
What are your crown jewels that you need to protect and make sure they are protected? Do you segment your network so that you can't get into the R and D from the normal network? Are you segmented from other. Companies or other offices that are global. And are you protecting yourself that way? There's a lot of things that I think if you went to the, like the basic CISO school that they always beat in everyone's heads, but I mean, we just repeat that because those are really the basic things that you need to look out for.
And that's, what's really important. We always encourage companies to develop strong relationships with their local field offices. Because when there's an issue, the people that will re responding will be the local. That's going to be the first phone call. The stuff that my unit does, we're almost kind of like the backup.
If for some reason they can't get to the folds of [00:35:00] field office, they call us, or they call the office of private sector or some of the other outreach units that we have, and try to get in touch with the FBI, but ultimately for the general counsel of a company, For the CEO of a company to have those early discussions when everything's calm and fine and knowing how the FBI will react, knowing what the FBI will do with that information, knowing who else, what other agencies may respond because a number of agencies have as part of our new cyber strategy, it's really kind of a whole of government aspect to this.
So. You'll have DHS CYSA that provides some remediation were more threat response. And so we all bring certain aspects. Yeah. The table. And to have that Rolodex of people, this is who you need to call, and this is how you're going to respond, knowing that ahead of time, instead of when you're in panic mode and you've got your PR people and your lawyers and everybody kind of figuring out what's going on.
Having that laid out ahead of time will really produce great results in the end of the day. And knowing what those expectations are, are really important. And to be honest, one of the things that our unit's doing is reaching out to a number of CISOs that we've worked with. And said, Hey, you know, when you first got the job and you didn't have a relationship with the FBI, what were your like first couple of questions?
Like, what would you want to know ahead of a meeting or during a meeting with the FBI? And we kind of provided a, like a sheet basically to hand out or give to the field offices. So when they do have those initial conversations with a new partner or a new company, they can say, Hey, these are some questions that you might want to pass your general counsel on that way.
If there's any follow on, we can get back in touch with them and talk to them. Yeah. And we also have two programs that, again, my unit runs, it's the Cisco Academy. We run twice a year out of FBI. Quantico is through on hold right now because of COVID typically we bring in 30 to 40 CISOs from around the country.
They're usually nominated by the field offices and we bring them in for three days and they kind of see what the life is like in the FBI Academy for the agents and analysts that are going through the training. And then we have some briefings for them panel discussions. And then it just kind of helps us spend time with them.
We spend the whole week with them in the dorms and get to know them better. They really can't go off base or they're kind of stuck audience. So it's great. Yeah. And we also have these regional general council summits that we work with the field office on it. So that allows them to kind of have these conversations with general counsel will bring attorneys from the FBI, maybe from the us attorney's office.
And so they have a really good idea of, Hey, where's our information going? Are we going to meet the media right away? What's going on? And there's a lot of misconceptions out there. And I think this is our effort to try to say, Hey, no, no, it's not like that. Here's the us attorney's office. They could seal things and keep them quiet ahead of time, because obviously we don't want to affect an investigation, but we also don't want to revictimize the victim, I guess.
Does that make sense? So these are some of the things that we've been doing for the last couple of years to try to enhance those partnerships.
Ayman Elsawah: [00:37:41] That's great. So how can folks out there apply to the FBI if they're interested?
Eric Strom: [00:37:45] So you can go to fbi.gov and they'll have the various positions and a little description about which each one is responsible for and what their duties are and what they want to do. And that'll give them some background and that in turn will, as they apply, then it would go into like kind of a pool of things and they would start interacting with maybe local field office.
One of the things I did when I first was interested, as I knew through a friend, I knew an FBI agent. I just went out and had lunch with him. And asked him, like, what's your life? Like, what do you do? Do you enjoy it? What are the challenges? What are the highlights? And it really got me interested in it. So I've been asked to talk to a lot of young people over the years and I'm always happy to, I do that.
And I think a lot of folks in my position would be because I think most of us really love our job. And I think it really kind of gives them, they walk away with some excitement about it. It is challenging. There's a lot of people interested in these positions, but it's still worth it. Even if you have a really good job right now, there's no real downside to putting in for one of these positions.
If that's something you really want to do
Ayman Elsawah: [00:38:41] Okay, great. Any parting advice for those out there? Looking to get into the field, whether the FBI or
Eric Strom: [00:38:46] that it's probably the most rewarding thing you'll ever do in your life. life
Ayman Elsawah: [00:38:49] you mean cyber security?
Eric Strom: [00:38:50] Yeah. Cybersecurity, cyber investigations. You'll get a chance to travel the world. You'll get to meet people from around the world, whether you're in the private sector or in law enforcement, it may seem like a large community, but it really is quite small.
I always keep running into the same people I've run into for the last 15 years. And it's, they've released a very supportive, if you have any problems that you're dealing with, say at your company, whether it's technical or not technical and their people are always there to help. And that's what I really enjoy about the cyber community in itself is that people always kind of go out of their way to help each other out.
Because they're in turn, going to ask for help at some point. So it's not really a cutthroat profession technology's changing so quickly and you might have a friend who's really on top of it on that particular technology. And then all of a sudden you might have an interest in a different one. And you're on top of that one and you're sharing notes and comparing and meeting up.
And, you know, the cyber conferences are great presentations, but after hours that's when the real conversations and really interesting talks are. And that's what I really enjoy about going to those. That's what I miss currently and this current situation. So.
Ayman Elsawah: [00:39:49] Seriously. Yeah. Great. Well, Eric, thank you so much for coming on. The show is quite informative, quite enlightening, and I'm sure everyone out there will benefit from this episode. So thank you so [00:40:00] much for your time.
Eric Strom: [00:40:00] Thanks for having me, Amy. I really appreciate it. Good luck to everyone who's interested. I really appreciate the time.
Ayman Elsawah: [00:40:05] All right. Thanks a lot. Take care. Bye bye.
Eric Strom: [00:40:07] Bye.