ACAMS Today had the privilege of speaking with John Riggi, a highly decorated 27-year veteran of the FBI who currently serves as the Section Chief for the Cyber Division Outreach Section, where he leads the development of mission-critical partnerships with the private sector.
Previously, Riggi served as an Assistant Special Agent in Charge for the Washington Field Office’s Intelligence Division. In 2013, Riggi was selected to lead the development of the FBI’s Cyber Financial Pursuit Team. Previously, Riggi served for four years as the national operations manager for the FBI’s Terrorist Financing Operations Section (TFOS) and two years at CIA’s Counterterrorism Center (CTC).
Prior to working as a national operations manager, Riggi served 16 years in the FBI New York Field Office as a Case Agent, Supervisor of the High Intensity Financial Crimes Area (HIFCA) Task Force and Supervisor of the Terrorist Financing Squad. In New York, he developed and led the FBI’s first undercover operation targeting Russian organized crime, was the first to use sting money laundering transactions in terrorism financing cases and initiated the Alavi Foundation terrorism financing case, which resulted in the largest counterterrorism seizure of assets in U.S. history. Riggi also acted in an undercover capacity posing as an organized crime money launderer to penetrate and expose the multibillion dollar commercial check cashing industry in New York City and its connection to organized crime money laundering and bank corruption. In addition, Riggi served as an operator on the FBI New York SWAT team for eight years. Riggi began his career as an FBI Special Agent in the Birmingham office in 1988.
Moreover, Riggi is a recipient of the FBI Director’s Award for leading a highly successful classified terrorist financing interdiction program, which was responsible for preventing multiple terrorist attacks in a foreign ally’s nation. Riggi is also a recipient of the CIA George H.W. Bush Award for Excellence in Counterterrorism, which is the CIA’s highest counterterrorism award, for greatly expanding FBI/CIA joint counterterrorism operations and cooperation.
ACAMS Today: You have had an impressive career in the public sector. When did you know you wanted to join the FBI?
John Riggi: Well, I guess I was lucky in that respect. Ever since I was a child, I seemed to have an innate interest in law enforcement. I grew up in a solid, but tough, blue-collar city, Lynn, Massachusetts, which was in the midst of a tremendous transition at that time. There was a great deal of interaction between the police and the community. I saw people on the right side of the law and the wrong side. Some of my friends’ dads were police officers and the neighborhood heroes. As I entered high school, I realized I wanted to do something bigger: be involved in law enforcement on a national level and deal with the most significant crime problems facing the nation. The FBI seemed like the logical choice for me. I was truly fortunate to be able to realize that goal, and after 27 years in the FBI, I’m still grateful for the privilege to serve.
AT: Which case has been your most memorable and why?
JR: If you don’t mind, I’d like to highlight two cases, which illustrate the significance of “following the money” in both criminal and terrorism cases. In the mid-1990s, while investigating the international connections between Italian and Russian organized crime groups, I developed and led the FBI’s first undercover operation targeting Russian organized crime. By working with a great team of FBI undercover agents, we were able to infiltrate a vast money laundering network operated by Russian criminals, by posing as Italian organized crime members who were seeking the Russian organized crime group’s assistance to launder drug proceeds. The operation lasted for three years, in which we used the “sting” provision of the money laundering statute to allow millions of dollars of government funds, represented as drug proceeds, to “walk” and be laundered through the Russian network. With the close cooperation of financial institutions, we were able to trace the movement of the government funds through the criminal network, which led to the identification of the money laundering methods, co-conspirators, interconnection between organized crime groups and health care fraud, and the collusion of corrupt bank employees. All defendants were successfully prosecuted and millions of dollars of criminal assets were forfeited to the government.
Ten years later, when I was the national operations manager for the TFOS of the FBI, I had the opportunity, again, with a great team including financial sector partners, to lead the development of a highly classified terrorist financing operation. What I can say about the case is that by using standard financial investigative techniques, combined with intelligence techniques and authorities, we were able to trace and interdict funds destined for a terrorist organization. The funds were to be used to enable attacks in a foreign ally’s nation. As a result of the operation and the intelligence gained from it, the network was identified and disrupted, which resulted in a marked decrease in terrorist attacks in the ally’s nation.
AT: What partnerships have you helped create between the public and private sectors?
JR: From money laundering investigations to terrorist financing investigations, I always understood that we, the FBI, could not successfully do our job without the financial sector’s assistance and partnership. Whether it was a suspicious activity report (SAR) review group in New York, the establishment of unclassified and classified financial crimes working groups on the national level, or trusted personal relationships in the major financial institutions, all have proven very valuable to the FBI’s mission. So, when I came to my new role as head of the FBI’s Cyber Outreach Section, I had a deep understanding and appreciation of the value of effective private sector relationships.
Effective and trusted private sector partnerships across all critical infrastructure sectors are not only valued in Cyber, but are fundamental and essential to our core mission in combating the ever-increasing and complex cybercriminal and national security threats facing our nation. One of the programs I have the privilege to oversee is the InfraGard program—a 36,000-member 501(c)(3) non-profit organization sponsored by the FBI Cyber Division. InfraGard is an organization where individual citizen volunteers (“Patriots,” as I like to call them) come together in 83 chapters across the country with the common goal of exchanging threat intelligence among themselves and with the FBI, to help us mutually defend the nation against all manner of threats.
In addition to the InfraGard program, we in the Cyber Division routinely conduct outreach to key private sector partners to establish trusted relationships, provide classified threat briefings when appropriate and facilitate the exchange of cyber threat intelligence.
AT: What recommendations do you have for building and maintaining public-private relationships?
JR: I truly believe the government must understand and appreciate the value of private sector partnerships and how fundamental those relationships are to the core mission of defending the nation. Then, institutionalizing that philosophy through formal and centrally coordinated outreach programs and selecting individuals with outstanding interpersonal skills to develop and maintain private sector relationships critical to defending the nation against the cyber threat. I think we in the government are moving in the right direction, especially in terms of the cyber threat, where great efforts are underway to create a structurally and legally conducive environment for information sharing to occur between the private sector and government. The question, which only the future can answer, is: “Are we moving fast enough?”
AT: How has cyber risk increased in the last two years?
JR: Both the national security and criminal cyber threats to the U.S. have increased exponentially over the last two years and even over the last six months. The range of actors who threaten our interests is as complex as it is varied. We face cyberterrorists, who aim to use our reliance upon and use of digital systems to advance their political or ideological goals. We face nation states, who aim to use the cyber world to conduct espionage, to make preparations for war and who may even carry out acts of war through cyber means. We face ideology‐driven criminals, who may use methods such as denial of service attacks, known as DDoS attacks, to further their own ideology or social cause. We face insider threats, whose legitimate access to sensitive information may be used for various illicit ends. Lastly, we face financially motivated groups and individuals, who use a range of methods to enrich themselves at the expense of others.
The threat from cyber actors continues to garner an increasing share of the media spotlight and continues to advance in sophistication—just look at the headlines. Recent high‐profile attacks, such as those in the retail, financial, entertainment and health care sectors, highlight the vulnerabilities in some of our nation’s largest companies. We continue to work closely with the Secret Service, DHS and other partners across the government. Point of sale thefts, also known as POS scams, for example, are not new, but continue to pose serious threats to the financial services industry. According to Verizon’s 2014 Data Breach Investigations Report, the physical installation of a “skimmer” on an ATM, gas pump, or POS terminal to read credit card data has targeted ATMs with an overwhelming specificity—87 percent of skimming attacks in 2013, for example, were on ATMs. Retail POS scams, where attackers compromise the computers and servers that run POS applications with the intention of capturing payment data, comprise an additional level of sophistication and can take weeks or even months to be discovered, much less mitigated.
Botnets, which can harness the power of an enormous web of computers for malicious purposes, continue to evolve as well. As I speak, estimates place the total damages caused by botnets at more than $9 billion in losses to U.S. victims and over $110 billion in losses worldwide. Approximately 500 million computers are infected globally per year, translating to 18 victims per second. As botnets become more sophisticated, our techniques must evolve to keep pace. The FBI and our partners may take down one botnet, for example, but coders may alter code and rebuild their bots in fairly short order. The power and scale of botnets is particularly worth noting, as botnets have been used to attack the financial sector through DDoS attacks and the FBI has been deeply involved in preventing such attacks and in keeping such attacks from inflicting lasting damage. Beginning in September 2012, for example, actors launched powerful DDoS attacks from a botnet, combining the bandwidth of numerous Web servers to target major U.S. banking institutions. The FBI worked closely with the Department of Homeland Security (DHS) to issue Joint Indicator Bulletins (JIBs) to the U.S. banks, which included thousands of IP addresses that participated in the attacks. The U.S. banks used the IP addresses to better mitigate future incidents, thus helping to ensure their business operations could proceed with less interruption of service to their customers. The JIBs helped reduce the resources available for the threat actors to carry out future DDoS operations and demonstrated the effectiveness of FBI outreach to the industry. Throughout this campaign, the FBI held significant outreach efforts to brief bank net defenders through a series of classified briefs. These briefs, conducted by the FBI, DHS, and Treasury representatives, provided bank security personnel the context of the DDoS threat and enabled the banks to share best practices with their peers in real time.
AT: What can financial crime prevention professionals do to prepare for cyber attacks?
JR: I’ll answer this in the context of what professionals can do to “prevent and prepare” for a cyber attack. First, be keenly aware they personally could be specifically targeted for a cyber attack, or unwittingly used as a vector to deliver malware into the financial institution, based upon their position and level of access to critical data. Minimize their online social media profile, which may give clues to the “bad guys” as to their access to data. I believe close adherence to institutions’ information security policies, having good cyber security practices on personal computer devices, and of course, ensuring critical data is always backed up on separate systems or devices, are key components to preventing and preparing for a cyber attack. In addition, always report suspicious computer activity and emails to information security departments and never click on any suspicious link embedded in an email or visit suspicious websites.
AT: What are the top red flags that a financial institution should be aware of when dealing with cyber risk?
JR: The risk is actually two-fold: there is the risk to the institution and the risk to its customers. In terms of the institutional cyber risk, information security departments of major financial institutions are very effective in dealing with the technical aspects of the risk. “Spear phishing” emails continue to be the most common delivery method of malware into any type of institution, financial or otherwise. Suspicious emails, unusual computer activity, a decrease in performance and speed on systems or individual devices, unexplained data exfiltration, unauthorized escalation of system privileges for users, or website anomalies may be indicators of an institutional cyber threat.
In terms of the cyber risk to customers, account takeovers, ATM skimmers and fraud related to stolen identity are common and continue to increase. Some indicators are wire transfer activity from multiple accounts to a common domestic account, followed by either immediate withdrawals or foreign wire transfers; unusual wire transfer activity from a domestic account to Eastern Europe, Russia or China; draining of an account through multiple ATM withdrawals or foreign ATM withdrawals; one account receiving tax refunds for multiple individuals; multiple accounts being logged into from the same IP address or unusual foreign IP address logins. These are just some of the things for which customers and the financial institutions should be on alert.
AT: In your experience, what has been the common thread in thwarting criminal schemes?
JR: The common ingredients I’ve seen in successful cases over my 27 years in the FBI have included great partnership and information sharing with the private sector, transparency and cooperation between government agencies, incorporation of intelligence techniques and the application of financial investigative techniques, regardless of the violation.
AT: How has the fight against terrorism evolved in the last five years?
JR: That could be a totally separate interview or book, actually. In general, we’ve seen the strategic homeland threat posed by core al-Qaeda diminish as a result of their decimation by highly effective U.S. government counterterrorism operations. That’s the good news. The bad news is, we’ve seen the rise of other regional-based terrorist organizations, such as ISIS, inspiring Western recruits via the Internet to join them in Syria or conduct attacks in their home countries. The use of the Internet to recruit, radicalize and disseminate terrorist techniques, tactics and procedures has grown immensely. We’ve seen organizations such as ISIS demonstrate some ability to conduct website defacements. But thus far, they have not demonstrated the ability to conduct computer intrusions.
AT: Any other advice you would like to share with ACAMS Today readers?
JR: The government alone can’t defend against the multitude of cyber, terrorism, national security and criminal threats that face the nation. Collaboration, partnership and information sharing are key between the government and private sector and between the various internal components of financial institutions (especially with the information security professionals). By engaging in vertical and horizontal collaboration and information sharing, you not only help in defending your institution and customers, you help us defend the nation.
Thanks for the opportunity to speak with you today, and thank you, my friends and colleagues, for all you do.