And misinformation, they said, has the potential to do enormous damage.

“It’s a threat because what you’re trying to do is educate the citizenry about who would make the best leader for the future,” said Karen Greenberg, head of Fordham’s Center on National Security.

Greenberg, the author of Subtle Tools: The Dismantling of American Democracy from the War on Terror to Donald Trump (Princeton University Press, 2021), is currently co-editing the book Our Nation at Risk: Election Integrity as a National Security Issue, which will be published in July by NYU Press.

“You do want citizens to think there is a way to know what is real, and that’s the thing I think we’re struggling with,” she said.

At the International Conference on Cyber Security held at Fordham earlier this month, FBI Director Chris Wray and NSA Director General Paul Nakasone spoke about the possibility of misinformation leading to the chaos around the U.S. election in a fireside chat with NPR’s Mary Louise Kelly. But politics was also a theme in other ICCS sessions.

Anthony Ferrante, FCRH ‘01, GSAS ‘04, global head of cybersecurity for the management consulting firm FTI, predicted this year would be like no other, in part because of how easy artificial intelligence makes it to create false–but realistic—audio, video, and images, sometimes known as deepfakes.

The Deepfake Defense

“I think we should buckle up. I think we’re only seeing the tip of the iceberg, and that AI is going to change everything we do,” Ferrante said.

In another session, John Miller, chief law enforcement and intelligence analyst for CNN, said major news outlets are acutely aware of the danger of sharing deepfakes with viewers.

“We spend a lot of time on CNN getting some piece of dynamite with a fuse burning on it that’s really hot news, and we say, ‘Before we go with this, we really have to vet our way backward and make sure this is real,’” he said.

He noted that if former President Donald Trump were caught on tape bragging about sexually assaulting women, as he was in 2016, he would probably respond differently today.

“Rather than try to defend that statement as locker room talk, he would have simply said, ‘That’s the craziest thing anybody ever said; that’s a deepfake,” he said.

In fact, this month, political operative Roger Stone claimed this very defense when it was revealed that the F.B.I. is investigating remarks he made calling for the deaths of two Democratic lawmakers. And on Monday, it was reported that days before they would vote in their presidential primary elections, voters in New Hampshire received robocall messages in a voice that was most likely artificially generated to impersonate President Biden’s, urging them not to vote in the election.

A Reason for Hope

In spite of this, Greenberg is optimistic that forensic tools will continue to be developed that can weed out fakes, and that they contribute to people’s trust in their news sources.

“We have a lot of incredibly sophisticated people in the United States and elsewhere who understand the risks and know how to work together, and the ways in which the public sector and private sector have been able to share best practices give me hope,” she said.

“I’m hopeful we’re moving toward a conversation in which we can understand the threat and appreciate the ways in which we are protected.”

“It was during our work in this case that I saw the impressive power of likeminded individuals from public and private entities around the globe, coming together to combat these threats,” said the former special agent.

Shortly after that, in 2007, he was meeting with his Fordham mentor Professor Frank Hsu, Ph.D., Clavius Distinguished Professor of Science, and they started discussing ways to bring government, the private sector, and academia together.

“We devised a crazy idea to plan an international cybersecurity conference, a conference that would bring together the world’s best in the industry to talk about how we can all work together to combat the ever-evolving cyber threats we face every single day,” he said.

Two years later in 2009, Ferrante and Hsu had helped launch the first ICCS at Fordham.

At this year’s ICCS, Ferrante, who is now the global head of cybersecurity for FTI consulting, introduced Bryan Vorndran, assistant director of the FBI’s Cyber Division, as part of a session titled “The Morning Intelligence Briefing,” where Vorndran emphasized the importance of those partnerships to the FBI.

“We don’t do anything alone,” he said. “Any success you hear about in terms of U.S. government disruptions, international disruptions, are done as part of a partnership. That includes private sector as well.”

Vorndran highlighted two recent FBI cases that involved significant partnerships from not only government agencies but also the private sector.

The first was “Operation Shell Sweep” in 2021 where the FBI went into computers that were using Microsoft Exchange servers and had been hacked by a group called Hafnium. The hack affected tens of thousands of users. The computers had web shells—or pieces of code that allow for remote administration—installed by the hackers. The web shells “left open” a backdoor that gave the hackers access–but, Vorndran said, the FBI used those same shells to remove the malicious code.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” an FBI release on the operation read.

Microsoft became aware of the hack in March 2021, and the FBI said in a statement that “Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident.” Vorndran said that the partnership between the FBI and Microsoft helped address about 93% of the impacted devices, and then the FBI worked to remove the malicious code from the remaining 7%.

The second was “Cyclops Blink,” where the FBI disrupted a Russian botnet that was infecting devices with WatchGuard and other software on them. The FBI partnered with WatchGuard which helped release detection and remediation tools the day the advisory about the botnet went out.

“Our purpose is simply this: to utilize our unique authorities—either unilaterally or with a partner—to impose maximum costs on our adversaries,” he said, noting that could mean an arrest or seizure of assets.

Vorndran highlighted the partnerships that occurred in both of these cases because initially, he said, Microsoft and WatchGuard “could not see the devices or software where there was a vulnerability at a tactical level. It took additional intelligence—in the Hafnium matter from a third party private sector—and it took FBI intelligence to inform the exact laser focus of where we needed to be.”

Partnering into the Future

Both Ferrante and Vorndran emphasized the need for partnerships as threats continue to evolve.

Vorndran said that he’s worried about the “increased precision of the adversary.” He gave the example of all of the commercial real estate companies in the U.S. using the same software. If that software is attacked, it could mean real issues for that industry.

“If they’re that precise on targeting, it could shut down the entire commercial real estate industry,” he said. “That is a huge problem for us.”

Vorndran said that they’re also paying “a lot of attention to synthetic content” or what some call “deep fakes,” which he said could have a tremendous influence on our democracy.

“There’s obviously tremendous downstream effects of deep fakes and synthetic content,” he said.

Vorndran gave the example of a recording played in court, with the attorney arguing that it is not his client on tape, but a fake. The question becomes “how do we authenticate that?” he said.

Vorndran said that they’re “putting a lot of attention into that within the community and that’s something that’s very important for us to get right.”

Having the partnerships between the public and private sector in place ahead of these attacks can help address these future problems, Ferrante said. He noted that “many conversations taking place this week will enhance all our efforts to combat these threats.”

“There are numerous challenges on the horizon, and cybersecurity issues will remain ever present,” he said. “The threat landscape is constantly evolving. A forward-thinking approach is required to keep pace.”

Rocco Grillo, FCRH ’89, is a managing director in the New York office of Alvarez & Marshal, where he leads multidisciplinary teams that provide cybersecurity and incident response services to clients throughout the world.

He previously held a similar global leadership position at Stroz Friedberg, a digital forensics and cybersecurity firm co-founded by Fordham graduate and trustee Edward M. Stroz, GABELLI ’79.

Grillo, who earned a bachelor’s degree in sociology at Fordham College at Rose Hill, has worked closely with both corporate clients and government agencies, including the FBI and Secret Service.

“His 25 years of experience in cybersecurity advisory services, incident response investigations, and other technical advisory services, combined with his well-established understanding of commercial sector challenges and national security objectives, have made him influential to the development of national policy in cybersecurity—including the NIST Cybersecurity Framework,” according to The Consulting Report.

Anthony J. Ferrante, FCRH ’01, GSAS ’04, also has deep experience in both the public and private sectors. A former top cybersecurity official at the White House, he is currently the senior managing director and global head of cybersecurity for FTI Consulting.

Prior to joining FTI, he was the director of cyber incident response at the U.S. National Security Council from 2015 to 2017, and he previously served as chief of staff for the FBI’s Cyber Division.

In 2009, Ferrante, then a special agent in the FBI’s New York office, helped Fordham launch the International Conference on Cyber Security. The conference, typically held every 18 months at Fordham in partnership with the FBI, brings together university researchers, top security and law enforcement officials, and executives from companies including IBM, Microsoft, and Google.

More recently, Ferrante, who earned bachelor’s and master’s degrees in computer science at Fordham, helped establish the master’s degree program in cybersecurity at the University’s Graduate School of Arts and Sciences, where has served as an adjunct professor. In 2021, he joined the executive committee of the Fordham President’s Council, a group of successful professionals and philanthropists who are committed to mentoring Fordham’s future leaders.

“We’ve seen countless students graduate from the [master’s degree] program and start successful careers in cybersecurity, helping both to reduce the growing cybersecurity skills gap and better protect organizations from the endless barrage of cyber threats,” he told Consulting magazine in 2019.

Since 2017, Fordham has been recognized by the U.S. National Security Agency and Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education. The University is home to the Center for Cybersecurity, and its undergraduate and graduate programs emphasize both competency-based learning and applied research.

Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22 to 25, concluded with remarks by FBI Director Christopher Wray.

Anthony Ferrante, FCRH ‘01, GSAS ‘04, a former FBI agent who was director of cyber incident response for the National Security Council from 2015 to 2017 and is currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel “The Tipping Point: Cyber Risks to Election Systems.” Fordham News caught up with him during a break in the action.

Listen here:

Full transcription below:

Anthony Ferrante It’s happening. It’s happening today. The question is, is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?

Patrick Verel: Ten years ago Fordham and the FBI committed to bringing together the world’s best and brightest experts on law enforcement and computer science. Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center Campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22nd to July 25th, concluded with remarks by FBI Director Christopher Wray.

Anthony Ferrante, a former FBI agent who was director of Cyber Incident Response for the National Security Council from 2015 to 2017 and currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel, The Tipping Point: Cyber Risks to Election Systems. Fordham News caught up with him during a break in the action.

Let’s talk about 2008. How and why did Fordham, which is your alma mater and the FBI, which you joined in 2005, team up to tackle cybersecurity?

AF: So the FBI and Fordham roots grow much deeper than cybersecurity. Believe it or not, when I was in the FBI in the New York field office in 2005 through 2013, there was always a consistent large, large consistent group of Fordham alumni in the field office. And when I say a large group, I would say anywhere from 50 to 100 Fordham alumni working in the New York field office, which is a large amount of alumni for a single field office. Myself, being a former alumni, studying computer science, always maintained excellent relationships with the faculty in the computer science department, and then of course in the university’s administration.

It was late 2007 when myself and a good friend Clavius Distinguished Professor of Computer Science, Frank Hsu—we’d regularly met for dinner right around that period of time, and we talked about the global implications of secure cyber networks, and how it’s more than just the responsibility of governments or private industry or academia. It’s actually in order to be successful in this space, we need a partnership between the three.

PV: I’m intrigued by this notion of bringing together the three different entities, that it’s not just about law enforcement. It’s not just about education. It’s not just about the private sector. It’s about all three working together. Is there something you can point to say like, this is, especially when you were with the FBI, that you could say having worked with somebody from an educational institution or a private sector at the time that you got out of the conference, like a contact that you made that you wouldn’t have made if the conference never had happened?

AF: Oh, absolutely. I mean, I could talk for hours about various cases, FBI cases that were enhanced just because of this event where representatives from Eurasia would come to this event and meet with their counterparts in Europe or the United States and they would break off and have meetings in private rooms where they would broker advancements in various investigations that they were working on. And it’s actually stories like that, that make me most proud of this event.

PV: You came here to talk about cyber risks in the election systems, which are obviously going to be on people’s minds next November. What’s your current take on the state of affairs now?

AF: I think it is definitely something significant that the entire country should set up and take notice. This is something we’re staring at as we enter into the election cycle, and risks to the electoral infrastructure should not be ignored. Not only should states and government officials be aware of the risks that they’re facing, but they should be equipped to handle those risks because in the world we live in today, there’s no way to avoid it. We have to confront it head on or suffer the repercussions.

PV: Scale of 1 to 10, 1 we’re completely unprepared, or 10 things are great, we’re doing in good shape. Where would you put us right now?

AF: I would say anywhere from four to six. I think that there are a lot of really important skilled people focused on the issue, but I also think there’s a lot of talk and not a lot of action, and I do think that the government today is spending a lot of time and making a lot of investments to prepare the states to confront this threat head on. But I also always think there’s room for improvement.

PV: It’s kind of crazy, right? I mean you’re talking about a system that relies upon 50 different states, all managing their own elections.

AF: Fifty different states and numerous different counties. I remember when I was at the White House actually doing preparedness and response in preparation for the 2016 presidential election, we learned some states actually conducted their voting hundreds of different ways throughout the state. So there was no single cookie-cutter solution for that single state, nevermind, as you just said, 49 other states. So it is a very complex issue, but the complexities of the issue actually give the United States a little bit of security just knowing that it is such diverse and distributed system, that there is no single point of failure per se, but there are many different little points of failure that the country needs to be aware of.

PV: If you learn to hack one system, you’re not going to be able to hack them all basically.

AF: It’s not going to be that easy. Right? And when I was working for the Obama Administration, we went to great lengths to study this and to look into this. And to hack an electoral system and actually manipulate votes without it being noticed is extremely hard, if not impossible. That is just one example of some of the built-in redundancies and securities of the system. However, like I said, there were just so many different systems and different ways to do, different ways for Americans to cast their vote that there are vulnerabilities throughout.

PV: Now for as long as I’ve been covering ICCS for Fordham, the Internet of things has been an area of concern with all sorts of devices being sold to the public that can easily be hacked. Have you seen any improvement in this area?

AF: No, absolutely not. Unfortunately, people ask me all the time, what is the greatest risk that you see or the biggest threat that you see, and you, some people will be, well some people say, “Oh goodness, the greatest risk I see is an attack on the electrical grid.” Don’t get me wrong, an attack in the electrical grid will have serious consequences, but that’s not the greatest risk.

PV: It’s Alexa, isn’t it? Alexa is going to take us all down, right?

AF: No. Alexa is a great tool, but it is an Internet of things tool. I will say my fear, the greatest risk when people ask me that question is I say is the Internet of things. You’re talking about 5.5 million devices coming online per day. I think the latest number I read was by 2025 there will be 50 billion devices, Internet of things devices online, on the public internet. Those can all be taken over and turned into armies of robots to conduct different adversarial activities.

I don’t even know where you’d begin regulating space like that, just given the fact that these technologies are designed and developed all over the globe, and sometimes it just comes that consumers look and they want to buy the cheapest device they can buy. And when you do that and you take that device home and you plug that into the global internet, you actually put a small computer online. And that small computer can be compromised and then turned into a robot that can be used to conduct any number of activities from conducting a denial-of-service against a major financial institution to exploiting a major vulnerability in a small tech company.

Don’t get me wrong, Internet of things devices are extremely convenient. They add certain comforts to one’s life. But what I always tell people, cybersecurity is risk management. You can’t properly manage risk if you don’t know the risk. So what I do is I get out and I speak to people about what the risks are. Once you know the risk, then it’s up to individuals to make the decision on their own. And believe it or not, when it comes to Internet of things devices, Americans today probably use two to three Internet of things devices and they don’t even know it. It’s-

PV: Give me an example. What would be something that people might be using and not even realize that is connected to the internet?

AF: If they subscribe to a major cable company and have cable at home and have a digital video recorder, a DVR.

PV: That would be me.

AF: That is an Internet of things device. A mobile phone is an Internet of things device, a smart watch, a Nest thermostat, an IP camera.

PV: The thing that seems the most frustrating is that the onus is on consumers to sort of be on top of the game when it comes to the security of these things. But most of us don’t have that kind of background, nor do we have the time to kind of look into these things. What are we supposed to do? Or how do you know exactly whether these things are secure?

AF: Yeah, I mean that’s a really fair question and it’s a question I’m asked all the time. For an average consumer, there is no one-stop shopping to know. Purchasing a certain device comes with these risks versus another one. It all depends on how the manufacturer markets their device and how easy they make it. And candidly, most consumers don’t care right now. I think that is the bigger question, is why don’t they care?

I’ve worked cybersecurity and cyber crime going on 20 years now and I’ve met with some of the biggest organizations on the planet to talk to them about significant cyber incidents that they were facing at that given moment. And they would work with me to help mitigate that risk and overcome it. But they really didn’t sit up and take notice until they realized that it was personally affecting them. It could be their personal machine or their personal safety or their bank accounts, their personal financial situation. And that’s something that I think, I think a lot of people, including our government is still grappling with today.

I can’t tell you how many times I heard in Washington that we just have not yet had a cyber 9/11 which is appalling for me to hear for two reasons. One is because I lived and worked in New York City on 9/11, and to even use that in a political statement of why we should not invest or take cybersecurity seriously is just appalling to me. But in another sense, I would say that we had a foreign entity partake in a massive campaign to affect the way the American people thought about certain issues in an attempt to influence their vote on Election Day, to literally undermine one of our bedrock principles, which is the right to conduct free and open elections, that so many of our forefathers and ancestors died for that right.

PV: If that’s not your 9/11 of cyber, what is exactly? I guess you have to shut down somebody’s electrical grid to get their attention.

AF: And that’s happened twice. It happened in Ukraine.

PV: That’s right overseas, yeah.

AF: Two days before Christmas, twice, two years in a row. So it’s happening. It’s happening today. The question is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?

PV: What’s the greatest cybersecurity threat that Americans face that they’re not aware of, but they should be?

AF: The first two we’ve already heard about that. The third one I want to dig into a little bit. The first one is the Internet of things. They’re just coming online at exorbitant speeds. The second one we’ve also touched upon, which is the weaponizing of information. I think our adversaries have seen how this can have such a large scale effect on the way, the American way of life. The third and equally significant risk that people should be aware of is data.

Data is much more than just an asset. It can also be a huge liability. And data is being generated every single second. So much data is being generated by our smart devices, by our usage of a computer, by our searches on a computer, by our interactions with various Internet of things devices. And as we interact with these platforms, data is being generated. Whether it’s data on us, our habits, our family.

I’m not talking just data of documents and words in documents. I’m talking about the tone of our voice, the health of our voice, the different questions that we may be searching for on our devices or asking our smart devices for responses. All that is data that is being collected and harvested somewhere. And I think it’s important for people to understand the risks associated with that data.

I would say a fourth threat that definitely has me concerned is the threat of the insider. What is the insider threat? For different organizations it means different things. But the reality is, is the insider threat is someone living and working within your organization every single day, somebody who has an access ID, somebody who has a login to your network infrastructure, and someone who in theory has access to your data and in some cases your most sensitive data.

The insider threat has always been a threat, but now that I am in private practice, I am seeing more and more cases of insider threats crossing my desk, where organizations need help identifying rogue employees that are stealing information and potentially selling it to competitors, selling it to nation states, or conducting activities on their network to sabotage infrastructure.

PV: You know, what’s really funny? I think about data. This is weirdly enough, this is a question I thought of just this morning as kind of a joke, but I think it actually ties into what you were just saying.

AF: Yeah.

PV: Should I be using FaceApp?

AF: No comment.

“I would show up to work every single day and learn of two, three, four more states that had been actively targeted by the same actors,” said Ferrante, a former FBI agent who was director of cyber incident response for President Barack Obama’s National Security Council at the time.

He says that and more in a recent 60 Minutes report, “When Russian Hackers Targeted the U.S. Election Infrastructure.” The segment highlights concerns that have come to define Ferrante’s career as a public official, private consultant, and adjunct professor in the Department of Computer and Information Science at Fordham.

Ferrante is a senior managing director and the global head of cybersecurity practice at FTI Consulting and teaches in Fordham’s M.S. in cybersecurity program. He played a central role in establishing the International Conference on Cyber Security, co-organized by Fordham and the FBI and held every 18 months at the Lincoln Center campus.

In the 60 Minutes interview, Ferrante said hackers who targeted states’ systems “absolutely” could have caused havoc when Election Day came around. Asked by correspondent Bill Whitaker why they didn’t, he replied, “I don’t know if we’ll ever know.”

Watch the 60 Minutes segment here.