Cybercrime: FBI • Rajeev Raghavan

(Auto-generated by Spotify. Errors may exist.)

Most recently, Mr. Raghavan was Special Counsel to the FBI Director, helping guide the FBI's efforts to navigate new technological challenges, as well as advising the Director and other senior government leaders on major cyber, national security, and criminal cases.

From the Director's office, Mr. Raghavan worked with the FBI Cyber Division in the Department of Justice to strengthen cyber policy initiatives, including private sector and public outreach, victim engagement, threat prioritization, and enhancing the FBI cyber workforce.

Mr. Raghavan also played a key role in driving FBI strategy for the reauthorization of a vital national security authority, FISA Section 702. With the emergence of AI, Mr. Raghavan helped shape FBI's policy and strategy for the use of AI, as well as protecting the private sector from AI-enabled threats. Developing messaging for the Director on this cutting-edge issue.

Prior to this time at the FBI, Mr. Raghavan served in the Department of Justice as an Assistant U.S. Attorney for the District of Maryland. In that role, Mr. Raghavan prosecuted a wide variety of federal criminal cases, including cyber, national security, public corruption, and financial fraud. Mr. Raghavan was the sole prosecutor that investigated and charged the operator of WT1 Shop, one of the largest online marketplaces for stolen credentials. He also led the prosecution of a defendant who sent threats via an anonymous encrypted email account to doctors at the NIH (National Institutes of Health) during the height of the COVID-19 pandemic. In recognition of his work as a prosecutor, Mr. Raghavan was awarded the United States Attorney's Office FBI Service Award and received the Letter of Recognition from the U.S. Postal Service for his work on fraud matters.

Host Rajeev Raghavan, it's such a pleasure to have you here. Welcome to unNatural Selection.

Rajeev Raghavan Thank you so much for having me, Nic. Looking forward to this conversation.

Host I'll be the first one to admit it's something I know very little about. And so, I really look forward to these things because I'm learning along with the audience as we're asking questions. So I like to start with a very high-level foundational question to hear from the guests directly. What passion motivates the things that you do? So with that, Rajeev, can you please let us know what impact or need drove what you did at the Department of Justice?

Rajeev Raghavan Of course. Listen, I've been very lucky in my government service career to spend time in both the law enforcement and the national security spaces, right? And what motivates many of us who do this work is to protect our communities, seek justice for victims, and hold the bad guys accountable. And I've been fortunate to be a federal prosecutor investigating crimes and charging the bad guys. And in that role, I was what's called a Computer Hacking and Intellectual Property attorney. So a CHIP attorney, and I prosecuted technology-enabled crimes like business email compromise schemes, ransomware, and social media-based frauds. And I was a programmer before I went to law school. Needless to say, I loved working on these cases: the challenge of being on the cutting edge of technology where the criminals, of course, are, and working with law enforcement to find out who's responsible and how to hold them accountable. And, you know, getting justice for victims is one of the greatest satisfactions. I remember this case I worked on when I was in Maryland where we had a half-million-dollar social media fraud scheme that targeted elders from across the country. The criminals represented themselves as agents of real or fictitious government agencies and offered victims financial rewards if the victims, you know, first sent cash or gift cards.

[5:00]

Rajeev Raghavan And the defendant we charged was the point person for this criminal conspiracy here in the U.S. He gave the conspirators this legitimacy by having a U.S.-based address, so victims would send him their cash or gift cards. He'd take a percentage for himself and then send the rest on to his conspirators in Nigeria. And the impact of this fraud on his victims was devastating. We had victims, some elderly victims and some of their family members, submit statements. And it wasn't just financial pain, you know, for them losing all of their savings, but the mental and emotional anguish that followed and continues to follow them in their lives. Some of the elderly victims were retired. They needed to go back to work. Some were so afraid of being swindled that they lost their ability to function and be part of the world. They spoke about how, you know, they had relationships with their spouses and their children ruined. Just this mass of pain and horror emanating from the crime and getting a significant sentence in that case, getting justice for the victims, ensuring that they had a moment in court where a federal judge could hear about their pain and suffering. It was one of the most fulfilling moments in my life. And then after that, being a prosecutor, I had the opportunity to work with folks at the highest level of the DOJ and the FBI and the FBI Director's office to solve some of the toughest organizational and policy issues like AI, encryption, working with the private sector on cyber and other issues, working with other agencies and Congress on, as you'd mentioned, you know, this legislative push to reauthorize FISA 702, which is a critical national security authority that FBI personnel need to protect us. And it's all driven by the very same mission, you know, when I was a line prosecutor: to keep our community safe and help get justice for victims.

Host Yeah, that's fascinating. From a purely private citizen standpoint, what I see are the endless voicemails and emails, but mostly voicemails. Like my phone has become useless at this point because I get non-stop messages about some loan that I took out or some financial this or whatever. And it's annoying to the point that literally I get yelled at by my wife because I don't pick up the phone, right? It just becomes pointless. I can only imagine what it means for people that are maybe more vulnerable, like, you know, the elderly or other people that might see these things and actually respond to them and find themselves in a lot of trouble. But even still, that's what I see. That's the level that I see. And I know, I'm sure there's an entire iceberg underneath that tip of what actually happens in the things that you deal with. And it almost feels like, when I really think about it, a perpetual and non-stop and accelerating cat-and-mouse game that the FBI has to be playing with these criminals all around the world trying to exploit new technologies. Saying, "How do I get a penny or a dollar or a million dollars out of somebody?" Before getting too deep into that, can you tell us, for people that are not familiar with this world—me being one of them—give us just a quick overview of what the FBI and Department of Justice do when it comes to cybercrime.

[10:00]

Rajeev Raghavan Of course, yeah. So, DOJ and FBI's primary responsibility is to investigate, charge, and hold accountable criminals who violate federal laws, right? And that applies equally to domestic and international cybercriminals and rogue nation-state cyber actors. And I think most people are familiar with the fact that, you know, DOJ prosecutors, they work with law enforcement to investigate crimes. You go to a grand jury, you obtain an indictment, and then law enforcement goes out to arrest the bad guys and they have their day in court or they take a plea. And I think that's clearly an effective strategy where we have criminals, say, in the United States or what we call rule-of-law countries, right? Countries that respect, you know, the laws of other countries and are willing to extradite criminals in their countries. But as we're increasingly seeing, many cybercriminals are operating from and taking refuge in countries like Russia, China, and North Korea, where the government not only turns a blind eye to the criminals, but in fact fosters that criminal element, right? And as long as these bad guys are setting their sights outside of the country and the criminals themselves are globalizing their operating model. You know, they're using servers and crypto tumblers from a variety of different countries. They're working with co-conspirators without regard for national boundaries. And so this evolution has required the FBI to change its thinking as well. So in 2020, the FBI announced a new strategy to not only disrupt the actors, but also their infrastructure and their money. So in effect, make it harder for them to run these campaigns and importantly, deny the bad guys the spoils of their criminal efforts. Arrests where possible, of course, but also strategically use the FBI's tools and the DOJ's tools to seize domains, servers, cryptocurrency, all of these various legs that prop up this criminal network, right? This global criminal organization. And because the rogue cyber element is globalized, the DOJ and FBI need to work with their international partners. So kind of every partner agency using their own unique tools and authorities to disrupt and take down bad guys. And while the law enforcement coordination is primarily in the FBI's remit, and of course, DOJ is focused on their prosecutor counterparts. For both the FBI and DOJ, it includes developing international standards and norms surrounding cyber, cryptocurrency, you name it. A lot of coordination with state and local authorities and the private sector especially, because, as we all know, they are a frequent target by the bad guys. And that private sector coordination is essential because a significant portion of the valuable threat intelligence that's out there is on their systems. And so it's important for the FBI and, you know, the agencies to get it so they can understand the threat and prioritize. And that coordination is important for the companies as well because it, you know, it behooves them to build a relationship with the FBI because as they're evaluating your cyber posture, their policies, their playbooks, they run tabletop exercises—all the kind of things that you need to do to make sure you're on top of your cyber game. Intelligence from the FBI can help them stay abreast of the attack vectors and, in fact, protect them. And even after an attack, working with law enforcement, it can be crucial because law enforcement sometimes is on the bad guys. They've got access to their systems. We've seen that where, you know, they have access to decryption keys and they can help if you've been the victim of a ransomware attack to get you those decryption keys quickly before you have to pay a ransom. And I think the most important thing, right, is everyone working in stride on both the public and private side to, you know, combat these increasing and diverse threats.

Host Yeah. Like you mentioned, the threats are coming. A lot of them are coming from abroad and, like you said, countries that either turn a blind eye or actively fostering and sponsoring a lot of this work. So it's got to make your work so hard because also a lot of these, a lot of these threats and the organizations behind it, they operate like agile startups, which makes it very hard for an organization, an institution based on laws and process and workflows, to be able to adapt to a fast-moving and adaptable and decentralized organization. Like these threats that are coming at you from multiple directions, multiple countries, and still be able to do that under the rule of law that the FBI has to follow. What was that experience like for you? I guess, from your perspective, where do you start? You know, it's almost like you're getting attacked from everywhere in all kinds of different directions and different vectors and different structures and approaches. Where do you draw the line? Because your resources aren't unlimited, right? Your attention, your time and your team's time was limited. And so, I couldn't even imagine just sitting there and being like, "Okay, step one." How do you approach that problem?

Rajeev Raghavan I mean, listen, being a line federal prosecutor is like drinking from a firehose, right? The number of cases that are there that you could work on, a prosecutor has a ton. And then you go up to this higher organizational level and start thinking about these problems. I mean, you touched on it, right, which is the technology itself is allowing for a continuous evolution for the criminals. But it's not just technology. They're almost like a business. They're evolving their business model as they go through the cyber campaigns, as they see how victims respond, how law enforcement responds. So, just take ransomware. You know, originally they'd access your system, deploy their ransomware, lock up your system and then demand money. And it was a tried and true formula that worked. Then they started stealing your data before they locked it up, you know, and so demanding a ransom not only to unencrypt your data, but also so that they don't release it on the web. So, you know, almost double extortion at that point. And then they evolved again. So now they start stealing your data, then threatening to leak or release that data if an additional payment is not made. So, triple extortion. And then, as we talked about with these countries that are fostering the criminal element, we're seeing this blended threat where previously you had nation-state hackers and cybercriminals as two distinct groups. Well, the nation-state hackers aren't getting paid enough money. So now they're moonlighting as cybercriminals and you've got these nation-state hackers employing cybercriminals or corporate hackers to carry out their hacking campaigns. And then you've got nation-state hackers using cybercriminal tools to mask their actions and attribution. And of course, you know, the rogue nations are allowing all of this to operate with, you know, impunity. And, you know, they've got a lot more sophisticated as well in who and how they target. They want to get paid and they want to get paid quickly. So they're looking for the biggest bang for their buck. And they've realized the best way to make that happen is to target the stuff that we can't live without every single day, the services that we need.

[15:00]

Rajeev Raghavan So, schools, hospitals, water, electricity, critical infrastructure. You know, we've seen a recent hack of a nursery chain in the U.K. and the bad guys starting to release data if ransom isn't paid. And then we've talked about the criminal ecosystem, but we've got now folks who aren't looking to just be that point of attack, but rather the ones who are going to prop up this criminal ecosystem and get paid for it. So, Ransomware-as-a-Service where skilled coders develop sophisticated malware and platforms and allow lesser, you know, technically skilled criminals to use their platforms to launch attacks and deploy malware. For the lesser skilled criminal, that's a chance to make some fast money. For the higher-skilled criminal, it's almost like getting the benefits of distribution. You know, you take a percentage of all the ill-gotten proceeds and then you've got folks running crypto tumblers to help these bad guys launder their proceeds, and each one of the legs of the criminal enterprise operates to profit from the whole criminal ecosystem. So, a good example of this is LockBit, the ransomware group, and the administrator of that service received a 20% cut of whatever ransoms were collected from people and companies around the world. And he provided assistance through hosting and storage by, you know, estimating optimal ransom demands and laundering currency and even giving discounts to high-volume customers. So, it's literally a business, and that's really where we are as organized crime in cyberspace.

Host What are the possible repercussions for a nation-state that supports this? You know, as I think about it, I feel like, you know, on the war side, there's mutually assured annihilation, right? You don't send us bombs, we don't send you bombs. And we're happy that way. It feels like these nation-states are sponsoring or turning a blind eye to what they're sending our way. We, on the other hand, if we have organizations like that doing that here, you know, and doing it to people in China or in Russia, presumably the FBI is going to shut them down because they're doing crime. And so they're going to go after them. So it feels like a very lopsided war and I don't expect an answer for this because I don't think there is one. It's not like the FBI is going to be like, "Oh, go ahead and do it," because that's not the way we do things here in this country. But it just feels like such a losing battle when you have these countries that, like I said, they go along and do this with impunity. There's nothing we can really do to China and there is no mutual annihilation kind of front to say, "Well, if you do it to us, we're going to do it to you." It just feels like such a hard battle to fight.

Rajeev Raghavan I think, yeah, there's a way in which you can easily get disheartened in all of this and the vastness and the enormity in the scope of it. But I'll say what it really comes down to is international partnerships, right? Folks working together. You know, whether it's us and our Five Eyes partners, you know, us and other rule-of-law countries working together to, you know, something that we've done previously is indeed name and shame and essentially put the spotlight on these countries that are doing this. And they thrive in anonymity. They thrive when that veil of secrecy is there and lifting that veil of secrecy, right? And so as we've seen over the past few years, much of the FBI's and DOJ's success is rooted in partnerships, you know, partnerships with the members of the intelligence community, international partners, and definitely the private sector. You know, when you introduced me, you talked about one of my cases, WT1 Shop, right? That was a case where we spent months investigating this website. It was an online marketplace that allowed vendors to sell stolen logins, driver's licenses, bank accounts, and credit cards. Something like 5.85 million items were on there. And thanks to the work of the FBI, we determined that the operator was a Moldovan national who was using servers in the Netherlands and Portugal to operate. And so, in coordination with law enforcement partners in those countries, we executed an operation to seize the servers in Portugal, charge the operator over here in the United States, and seize the U.S.-based domains as well, all in one day, disrupting this large criminal marketplace of stolen credentials. And during my time with the Bureau, the FBI has deployed operations like this to great effect. You know, LockBit, Genesis Market, and IcedID, the ransomware group, showing again and again that partnerships are key to combating this globalized and asymmetric threat, because we've seen bad guys work across country lines, and they're targeting victims regardless of national boundaries. So we need to work together. And you mentioned that, you know, there is one particular piece of legislation, CISA, the Cybersecurity Information Sharing Act, that I'd like to talk about quickly.

Host Please.

[20:00]

Rajeev Raghavan The CISA legislation, you know, that was in 2015 and one of the features of that act was that it offered legal protections for companies that share threat information with law enforcement. Now, as we record this this week, CISA 2015 expired this week and those important legal protections that are crucial to information sharing have gone, you know, are essentially gone away. The good thing is that Congress recognizes the importance of this law because the House CR that was floated before the shutdown included a short term extension of CISA 2015, delaying the deadline by a couple of months. And now I want to be clear, short term extension is definitely better than nothing. But I'll say what I said to folks when I was in the Director's office, which is Congress needs to work together and pass a full reauthorization of this critical law. The threat is global and cybercriminals are not pausing their operations because of the deadline, and certainly nation-states are not taking a break. You know, we're asking the private sector to share crucial threat information with us, and we need to be giving them the legal protections they need to share this information so we can be a coordinated defense. The bad guys are coordinated. We need to be coordinated.

Host That's fascinating. That's super insightful. That's a level of kind of back-end workings that, you know, we hear about these things, but we never hear about that kind of detail. And, and I'm sure you have a similar perspective with your experience and background with AI, which, you know, is the topic of the show, but you know, we always go into a little bit of back stories and background with the guests to, you know, to give the audience a full picture. But now let's, let's transition a little bit and talk about AI from your perspective, particularly as it relates to cybercrime and the role of the FBI. What is the FBI doing in this new era of AI?

Rajeev Raghavan Yeah. So AI, I think, is a tool. And like all tools, it can be used for good. And unfortunately, it can be used for bad. And for the FBI, that's anticipating and defending against threats from those who are using AI for malicious cyber activity and other crimes. And one part of this is about protecting systems, the FBI as well, right? One of AI's chief benefits is its ability to continuously ingest and monitor large volumes of system data, like gigabytes of logs generated daily from systems and servers across the globe and feeding that into AI models to detect atypical traffic patterns and user behaviors for potential insider threats in real time. And this kind of analysis can help network defenders in both the public and private space really up their game for network protection.

Host Yeah, I think I think that's that's the thing that's super fascinating to me. Not just about locating the bad guys in your network, but also immediately executing automated defense tactics, isolating them and even kicking them out. And just like the bad guys are using AI to hunt for vulnerabilities, organizations can use it in a defensive way. And I think that's the kind of arms race that we're going to see going forward. It's not going to be about who has the better human programmer, but who has the better AI protecting the network against the other side's AI attacking it.

[25:00]

Rajeev Raghavan Absolutely. And, you know, I think it's important to remember that for the FBI, that's really also about how we use the technology internally in a way that respects the law. Right. And so for the FBI, that's always a challenge when you're thinking about new technologies, which is how do we integrate the technology in a way that is going to be helpful to the pursuit of the mission? And that data is limited in how it can be used, right? Grand jury subpoena information that comes from a subpoena is limited in who can be disseminated to. So it's crucial to think through this information and what are the legal limitations and all of the data issues that come up and develop frameworks to, you know, before just letting AI loose on your systems. But I think thinking through these problems and figuring out how to push forward and whether it's the mission of the FBI or it's a business goal, that in itself, I think, is the crux of finding meaningful innovation when it comes to these technologies that you want to start using as soon as possible. And it's the best way to kind of take a considered, thoughtful approach that can really focus on the benefits to the organization and the mission. And that's really what we were focusing on as well.

Host That's incredible. As you were describing your experience and all these processes for doing this, I couldn't help but think about my experiences as startups, technology. You know, we share that background with you being computer scientists and software developers helping start biotech companies. And when you look at these big institutions, whether it's the Department of Justice, the FBI, or a major corporation, you know, the first instinct is to think about them as these slow-moving bureaucratic organizations that, you know, by the time they start doing things, it's too late. But the experience that I've had with, you know, big pharma, for example, is that they're not necessarily slow. They are a combination of small agile teams that, you know, it's a very dynamic environment. And so the ability for the FBI to do these kinds of innovations, I'm sure it's the same kind of dynamic that you're describing, where it's not the entire organization moving in one cohesive, but slow direction, but rather small agile groups that, you know, they're on a cutting-edge issue, and they can move quickly because they're small.

Rajeev Raghavan Absolutely. I think that's absolutely right. You've got small agile teams in the field offices that are using AI in ways that, you know, it works in organic ways where folks come together, they all, they see a problem that they need to deal with and they come together and figure out ways in which to solve it. And as I was talking about, that's the kind of innovation we see sometimes in the field offices that, you know, like, wow, why aren't we doing this for everyone? Why isn't this being brought into all field offices? And sometimes, you know, it's an organizational challenge that we're all of a sudden dealing with like AI where, you know, it's not about necessarily field offices just doing something by themselves, but thinking about what, how do we deal with this organizationally is an issue.

[30:00]

Host And so coming together with, you know, by putting the right folks in the room, getting the right people who are interested and have the expertise on this, who have the experience, who have a vision, and working together to build a way forward. I think that's absolutely crucial. I'm sorry, you know, I was going to ask about the other side of this, which is the use of AI against the FBI. You already talked about it a little bit, but what, what do you think is the hardest part for the FBI? And I guess for all of us, it's not just the FBI, right? The general population is exposed to this as well, but what is the most significant challenge that AI brings from a cybersecurity standpoint?

Rajeev Raghavan Yeah, I think, you know, you touched on it before, which is the globalized, asymmetric, and accelerating threat. And I think that's the crux of it. It's asymmetric because, you know, you've got this one criminal sitting in a room somewhere, and they can inflict significant pain on folks who are spread out across the country. And, you know, to be able to kind of identify and prosecute that one person and shut down their operations is a constant challenge. You've got to find out who's responsible and figure out how to shut down the criminal enterprise. And the acceleration is definitely the next challenge, which is AI allows these attacks to become more sophisticated and more personalized and faster. Right? So, you know, if you look at the, the phishing emails of the past, right, where, you know, you get some email from a Nigerian prince saying, "Oh, I've got this money." And it was clear to anyone with a little bit of experience that this was a phishing email. And you just kind of laugh and delete it. But AI is going to enable these criminal actors to make these phishing emails a lot more tailored and personal by drawing information about you from social media and other web pages. And they're going to get to a point where you really cannot distinguish between a real communication from your bank or your spouse and a fake one. And I think that's where we are headed. And so the level of sophistication is definitely going to go up. And that's going to be the next biggest challenge.

Host What about this idea that you just mentioned of, of, you know, distinguishing between a fake communication and a real communication, right? Because as, as we're getting to the point that we're talking about deep fakes, we're talking about, you know, all these videos and, and sounds that are becoming very hard to distinguish between what's real and what's fake. I feel like we're heading towards a general crisis of trust. And, and I think that's the underlying kind of psychological, sociological kind of issue that we're going to have with AI is just a general, you know, distrust of everything. And I think that's almost worse than the kind of immediate financial pain, because at least a financial crime is something that you can solve. You know, we can get better at it. We can hire more people. We can develop better technologies. But if you have this underlying kind of crisis of trust, that's almost like a societal fabric kind of issue that we're going to have to deal with.

[35:00]

Rajeev Raghavan I couldn't agree with you more. And I think it comes down to a fundamental concept, which is the law on the internet. And, you know, how do we regulate that? And there's this tension between freedom and privacy on the internet and then public safety and national security. And, you know, there's always going to be tension between the two. And, you know, the tension I'd say is really between two competing legal concepts: that which is covered by the Fourth Amendment and the reasonable expectation of privacy. And that's balanced against competing social interests of public safety, national security. And because this is a balancing act at its heart, this tension that you asked about, it's a policy question. And the right folks to answer this question are our elected officials, Congress. So my question for anyone who's thinking through these issues, who's listening to this, if you've got kids or elderly family members, you know, vulnerable folks in your family, who do we want to be making decisions for how they are kept safe online? Because online media platforms, tech companies and businesses, they naturally worry about liability, their bottom line, and how it impacts their business. You want folks to be making decisions about public safety, who have public safety in mind.

Host Yeah, you know, it's interesting because for many years, I think people assumed that the companies had their best interest in mind. Like you said, they didn't, their best interest was their bottom line and making revenue. But hopefully society is evolving to the point that we're becoming more savvy about what we put online and what we don't, because anything person you put out there could be used against you by bad actors that can exploit that information. And but I can, I can definitely see where you would have to have some boundaries as an individual, but then organizations and institutions like the FBI taking steps to protect us even further from things that we just don't anticipate beforehand.

Rajeev Raghavan And you know, I'll, I'll, they can't, the companies could have best intentions of consumers at heart, but ultimately, they are driven by their bottom line. And I think that's the key difference.

Host That's the key difference.

Rajeev Raghavan Absolutely.

Host So, I have two more quick questions for you. One is about what are the steps that an organization, not the FBI, but a private sector organization, should be taking right now to protect themselves from these emerging AI-based threats?

Rajeev Raghavan Yeah, I think there are three things that organizations, businesses of all sizes, should be doing, and they're basic, but they're important. First, and this is for any cyber threat, they need to have an incident response plan in place. And that's an up-to-date plan that, you know, is based on a thoughtful risk assessment, and it's tested frequently. You need to know exactly what you're going to do if you are the victim of a cyberattack. Second, they need to have strong security controls, which includes multi-factor authentication, up-to-date patches, logging, monitoring, and importantly, for AI, this is particularly important, training the users. Training the users to detect and flag sophisticated phishing attacks. Third, they need to, you know, organizations, big and small, need to be building relationships with the FBI and the Department of Justice. And you can do that by taking advantage of your local FBI field office, establishing a relationship with your local FBI agents, letting them know where your systems are and who to call. They need to, you know, take advantage of the FBI's ability to engage with their private sector organizations, and importantly, report. Report when you are the victim of a cybercrime. That is the only way in which we as a collective can get the kind of threat information that we need to understand what the criminal actors are doing and how to be able to counter it.

[40:00]

Host That's incredible advice. And my final question for you is around, you know, what happens when it's already too late? You know, someone's listening to this and they're like, "I've been scammed." You know, they lost all their money. They did what the criminal asked them to do. You know, a small business just got, you know, destroyed by a ransomware attack. Is there hope? What can the FBI do, or what should people be doing at that point when they've already been scammed?

Rajeev Raghavan Yeah, I think that is an important question. And the good news is that, you know, in 2018, the FBI established a team called the Recovery Asset Team. And their mission is specifically to recover stolen assets, to basically claw back the money that victims have lost to cybercriminals. And this team has a success rate of somewhere in the mid 70% when they get involved. I mean, that's pretty high. And but all of that success really hinges on timing. Individuals immediately reporting to the FBI and the financial institution when they've been defrauded, because time is of the essence. The bad guys, as soon as they can, are going to move those funds offshore. They're going to move those funds to their home countries where those funds cannot be recovered. So making sure that the FBI and the financial institution have a chance to take action before that happens is absolutely crucial. And it's why it's important to, for victims, both on the corporate side, as well as for individuals, to report when they are the victims of cybercrime.

Host That's really interesting. Yeah, it's, I mean, that's an incredible statistic. Mid 70%. That's amazing. And just one final, final question on that, which is, is there anything that people are doing now that you would advise them to stop doing?

Rajeev Raghavan Yeah, I think the important thing is, you know, for folks, especially the private sector, to not just rely on one layer of defense, right? You need to have that layered defense, and you need to think through these various potential attack vectors, because the criminals are being very creative. They're trying new things, and you need to be thinking about that as soon as possible to get ready for them.

Host No, that's incredible, amazing advice. So, Rajeev, this has been an incredible conversation, and I could stay here talking to you for hours, because and I don't think we'd scratch the surface, honestly. But just to, you know, to finish off, from your vantage point, you've experienced so much of this for so many years and seen so much, and I'm sure there's an enormous amount that you can't share. That's the stuff I really want to get to. But obviously, that's not the kind of stuff you can talk about. But from your vantage point, where, what do you think the future of cyber threats is really headed? And what does a secure, resilient digital society look like in 10 years from now if we get it right?

[45:00]

Rajeev Raghavan Yeah, I think it's going to be AI, and it's not going to be, you know, whether or not AI is going to be a good thing or a bad thing. It's how we're going to use it. And, you know, the folks who are making the most money in the dark web are the ones who are creating these AI tools, which is why AI is also great at detecting AI, right? And so the hope is to kind of get at those phishing emails, what have you, before they ever get past filters and before they ever get to the humans and all of this. You know, I'll be honest, and slight diversion over here, but thinking about this from a trial prosecutor perspective, one of the things, right, is when shows like CSI came out, and you kind of started to have these fantastical displays of technology, and how they influence juries to come to expect that when the government presents its case, a lot of videos, photos, analysis that literally show the defendant committing the crime in like 360-degree views, right? And I start thinking about what's going to happen when AI-generated images and videos are commonplace, and how does that influence the kind of evidence that juries are going to come to expect from the government. And so I think this is why we're seeing deep fakes on a regular basis. You know, it's not just a thing that you're watching on Netflix. It's actually a reality, and it's happening every day. And AI is only going to make these things more realistic, and it's only going to happen more frequently. And so thinking through those issues of how AI is going to impact every part of our life is crucial. And I think the criminal actors are going to be ahead of us on this. They're going to be using AI to hunt for vulnerabilities, and they're going to be using large language models. Think about how they can use information on the open web and hacked information that they stole in LLMs to be able to do better impersonations, to, you know, be able to do better social engineering when it comes to phishing campaigns. And so I think we've talked about this a lot, but I think the answer is always working together, right? It's not one group of folks who are going to somehow get this ball across the finish line. It's really everyone working together as a team on this because it's a public-private partnership across sectors, agencies, geographic boundaries. And there's a meaningful investment that needs to have in cybersecurity and visual resiliency, but it needs to happen by everyone. And that information sharing has to happen by everyone. So really, everyone brings their tools and their authorities and the information that they have to bear to, you know, get consequences for the bad guys who are operating in this space.

Host Yeah, I think those are words that obviously describe what a secure, resilient digital society looks like in 10 years if we get it right. It's the, you know, the coming together, the partnership, the collaboration, and more importantly, the trust that we have in our institutions. I mean, you know, if you look at money, for example, it's just a piece of paper, means nothing, but you have to trust that it has some value. So when I pass it to you, you can use it for something else. And trust really is what allows societies to function. You know, you mentioned patents before. It's a trust that that's going to hold some currency in some value and be protected in some ways. And a lot of what we're seeing here, a lot of what we talked about today, is really a deterioration of that trust. That's a deterioration of the trust that I can trust the money that I put into a bank is going to be there, or that a video that I'm looking at is real or a photograph, our conversation, and so on. And so it's fascinating to hear the work that you did and the FBI is doing. It's also terrifying to think about how all this is evolving and how we're not just protecting bank accounts, but really the fabric of what society is made of and our ability to trust each other and to live in a coherent way with each other. And so, anyways, we can become very philosophical about this. But, but I think this has been truly such an insightful conversation. I've learned so much, and I'm so grateful for your time and for sharing all of your experience with us. Rajeev, thank you for being on the show. And I, I really look forward to having a conversation like this with you again in the future.