His Cyber Training Was Not About Tech. It Was About People

J. Keith Mularski knew that he wanted to work for the FBI when he was 16. But when he graduated from college in 1992, he was engaged to be married and the country was in a recession. Jobs were hard to find for a history major. His father, who had once worked in Pittsburgh’s steel mills, had later sold furniture. And he’d noticed that a new store had just opened north of Pittsburgh. So, as Mularski told an interviewer in 2014 for the National Law Enforcement Museum’s Witness to History program, his first big job was not special agent. It was furniture salesman.

Not the kind of training you’d expect would produce one of the FBI’s star cyber security investigators. He wasn’t even their IT guy. But it turned out that the skills he acquired and developed would prove crucial in helping him get into the FBI, and then succeed when he advanced into cyber investigations. And they’re the same skills that he’s counting on now as a managing director at EY, where he landed in October 2018.

What Mularski learned were people skills. It was all about building trust. “In furniture or in sales,” he told the oral history interviewer, “you want to get people to give you money that they don’t want to give you. And in my business [at the FBI], we get people to give us information that they don’t want to give you. So I think that from a standpoint of training, it was a great base for being able to go out and talk to people and make them feel at ease.”

The training didn’t end there. During his first year of college, Mularski had met an FBI recruiter on campus who had given him a list of qualifications the bureau was looking for in new agents. The big one was five years of professional experience managing people. Before he applied for the FBI job, Mularski had worked his way up to become one of the furniture store’s operations managers in St. Louis, and he’d done his five years. He’d also learned how to build trusting relationships with subordinates, which was an important step for a man who would later become a supervisory special agent leading teams of investigators.

Building a Cyber Hub

He made his first big splash as an agent in 2005, when he managed to infiltrate a huge international online forum for credit card scammers called DarkMarket. It was a testament to his ability to build relationships that the criminals he interacted with completely bought his undercover persona. (Drawing on his family heritage, he claimed to be a Polish hacker who used the handle Master Splyntr, which Mularski adapted from a character in the Ninja Turtles cartoons his young son loved.) He established himself so firmly at DarkMarket that the criminals themselves later asked him to take over as their administrator.

He carried on for two years in that role, scrambling to keep up with requests at all hours from members who were scattered across multiple time zones. When Mularski and his wide-ranging law enforcement partners finally shut down the market, they’d gathered sufficient evidence to bust more than 60 of its members worldwide. Officers from Brazil, France, Germany, Turkey, Ukraine, and the United Kingdom all contributed.

Mularski went on to lead some of the biggest cyber security investigations to date. Many of them were during the time that David Hickton was the U.S. attorney for the Western District of Pennsylvania, from 2010 to 2016. Hickton credits Mularski with helping to establish Pittsburgh’s reputation as a jurisdiction that knew how to tackle complex cyber cases. That reputation grew as he led and trained agents in the FBI’s growing Pittsburgh field office. For his part, Hickton created his office’s first group of lawyers who specialized in this area. And he made it a priority. Together they were able to build a string of important cases. The partnership helped turn Pittsburgh into a cyber hub.

Two of the biggest criminal cases were filed in 2014. Hickton signed the country’s first indictment of individuals accused of engineering cyber attacks by a nation-state. Five members of China’s People’s Liberation Army (PLA) were charged with planting malware to steal confidential and proprietary information from the computers of a variety of U.S. companies. Some of those companies had thought they were partners of Chinese firms. Others were locked in litigation against Chinese competitors. The 56-page indictment included a wealth of details about what, when, and how information was stolen, and it even displayed photographs of the five PLA officers allegedly responsible.

A week after the PLA indictment was unsealed, Hickton filed another that charged a Russian named Evgeniy Bogachev with stealing about $100 million from victim companies scattered around the globe. Bogachev and his cronies allegedly launched malware attacks aided by his massive GameOver Zeus botnet. They stole banking credentials from companies and then wired themselves money, the indictment said. Bogachev surprised some victims with ransomware attacks years before they were commonly found in the cyber criminal’s toolbox. Mularski and his FBI colleagues worked with law enforcement partners in a dozen countries to take down Bogachev’s botnet and its estimated 1 million infected computers.

When I asked Hickton what Mularski’s strengths were as an investigator, the former prosecutor ticked off three. “He has unbelievable positive energy. That’s number one,” said Hickton, now the founding director of Pitt Cyber, a multidisciplinary cyber security institute at the University of Pittsburgh. “Number two, he doesn’t get discouraged. He doesn’t sit around and start thinking about why he can’t get something done. He devotes 100 percent of his energy to getting it done.” And finally: “He’s incredibly resourceful at building relationships.”

Jimmy Kitchen, who was deputy chief of Hickton’s national security/cyber crimes section, worked closely with the former agent on many cases, including the landmark PLA indictment. He called Mularski “innovative” and “aggressive.” During his 17 years as a prosecutor—the last 14 in Pittsburgh—he estimated that he worked with at least 1,000 investigators. Mularski was “the best agent I’ve ever worked with,” said Kitchen, now a partner at Jones Day. He was also “one of the best-connected.” His relationships were wide and deep, the lawyer said, and when they needed information, he always seemed to know someone to call.

Lessons He Imparts to Companies

After he’d put in his 20 years at the FBI, Mularski was ready for a change, he said. He knew some people at EY. The company had a good reputation and was particularly strong in this area. He saw an opportunity and he took it.

How do his skills translate? It’s not as different as you might think, said Mularski, who still looks youthful at age 50. “When I was at the FBI, I woke up in the morning, I looked at what was the latest threat intelligence, and we used that to help solve cases and write reports,” he said. And now? “I wake up in the morning, I look at the latest threat intelligence, and we write reports.” And he helps clients figure out how to defend themselves against those threats. “I still talk to a lot of the same people, and partner with some of the same people,” he added.

The big difference, of course, is that he used to be on offense, trying to arrest the bad guys. Now he’s playing defense. At EY, he consults with clients as a subject matter expert on cyber threat intelligence and SecOps, he said. And he works with some clients on a regular basis. He won’t give a precise number, but it’s “dozens.” And again, that means building new relationships.

His work with them is analogous to what a football coach does, Mularski explained. Clients need to answer three basic questions. First, who are the adversaries? Some companies may be susceptible to attacks from nation-state groups, he noted, others not so much. After studying the threat landscape (which is like watching game film on the teams you’ll play), clients should ask: What tactics, techniques, and procedures are the attackers likely to use? And then: How can we craft a defense designed to match up?

Like all coaches, Mularski preaches “practice, practice, practice.” You want to have a red team that understands how it’s going to attack. And you want them to be innovative to really test the defense. And then you work with the blue team on detection—isolating and recognizing the activity. And doing it fast, and then faster, he said. You keep running those exercises, building up muscle memory. So that when the real thing happens, the company is ready.

The Benefits, and the Limits, of Talking to the Feds

He encourages businesses to reach out to law enforcement in advance of an attack. Whether it’s the Secret Service, the FBI, or the Cybersecurity and Infrastructure Security Agency, they can help, he said. A company has a micro lens. The agencies have a macro lens. They may have information about attackers and their methods that a company wouldn’t have.

But Mularski understands that corporations are often reluctant. “I think they fear that they’re going to show up on the front page of The New York Times,” he said. “And the other thing is most companies don’t realize that the government doesn’t want your client data, or your PII [personally identifiable information].” What they’re looking for, he said, is new types of attacks, new techniques, new pieces of the puzzle.

The decision on whether to initiate contact is always up to the client. He doesn’t exert pressure. He tries to educate them, he said—give them an idea of what the exchange will be like. And he can reassure them that “you can do it in a way that still maintains privilege and maintains your privacy.” But it takes time, he acknowledged. “Why do you share personal information with people? Because you know them and you trust them.” And that takes building a relationship.

The other piece that some companies don’t understand is that the feds don’t come over and fix your problem. “When you have a ransomware attack,” Mularski said, “it is great to call the FBI and let them know. There’s probably a field office that’s working that, and they could share information.” But neither the FBI nor any of the other agencies are going to show up to unencrypt your computers, he continued, or help you with your incident response. Those are the things that companies must plan for themselves.

Looking Back

After the conversation wound down, I asked Mularski what he misses most from the old days. There were no surprises in his answer. “I miss the people and the comradery,” he said. “Over 20 years, I really developed some great friendships worldwide.” Beyond that, “I also miss feeling that your cases are making an impact and a difference on a worldwide level.”

He added that when he left, he knew “in my position at EY, I would still be able to help companies protect and defend against cyber attacks. As a result, it was a win-win situation for me.”

When I asked what he misses the least from his days at the FBI, there was no shock there either. “Hands down, the bureaucracy.”