Exclusive: Top FBI cyber official Bryan Vorndran expected to leave the bureau
Bryan Vorndran, who has helped guide the FBI to be more aggressive in disrupting malicious hackers and cybercrime gangs, will retire from the agency soon, Recorded Future News has learned.
Vorndran, who joined the bureau in 2003 and has served as the assistant director of the FBI’s Cyber Division since early 2021, is expected to leave sometime in the near future, according to two people with direct knowledge, who spoke on the condition of anonymity because his decision has not been publicly announced.
These people stressed that Vorndran’s departure — the exact date of which is unclear — is due to his retirement eligibility and is not connected to the various personnel moves that have taken place under President Donald Trump.
Many senior leaders at the bureau were fired or transferred in the first days of the new administration and more changes are being pushed by FBI Director Kash Patel, such as relocating 1,500 employees from Washington to field offices around the country.
A spokesperson for the FBI declined to comment.
During Vorndran’s tenure, the bureau has expanded its anti-cybercrime tactics beyond the indictment-and-arrest approach. The FBI now is more likely to conduct incident response, such as outreach to LockBit ransomware victims, and impose costs on adversaries, like dismantling their online infrastructure and clawing back ransomware payments, as in the case of the Colonial Pipeline attack.
In a sit-down interview at FBI headquarters in late 2022, Vorndran told Recorded Future News that, in addition to the agency’s traditional intelligence work, arrests and victim assistance, the bureau had to “pressure the threat” posed by cybercriminals.
“We're not going to pressure the threat through indictments and arrests. That's a very small percentage we'll be able to get our hands on. Pressuring the threat means eroding the ecosystem of which they operate, whether it's their malware developers, their traditional infrastructure, their money, or their communications,” he said.
“We do have the ability to take on those operations, but we need to scale our ability to do that,” he added. “Obviously NSA and CIA have been in this space for decades, and we just need to continue to scale to do more of those operations. I wouldn't view it in the space of being more aggressive as much as more volume and those opportunities do exist.”
On that front, the bureau and its partners conducted 17 “joint seamless operations” against nation-state and criminal cyber actors globally last year, said Brett Leatherman, deputy assistant director of the FBI Cyber Division, at the RSA Conference in San Francisco last week. Those that made headlines included takedowns of the BreachForums market and a botnet traced to China.
It’s not immediately clear who will succeed Vorndran as the bureau’s cyber chief, according to sources, as the FBI has its own internal promotions process. The position is not subject to Senate confirmation.
In a statement, former White House National Cyber Director Chris Inglis said that “across my four-plus decades in the national security business, I have met few people that are as selfless, collaborative and influential as Bryan Vorndran.”
“His integrity shines through in every engagement you have with him. He always has your back even, especially even, if it means extra work or burden for him”
Connecting to the private sector
The bureau also has become an essential player in drawing public attention to digital threats, principally by teaming up with other entities, like the Cybersecurity and Infrastructure Security Agency (CISA) and others, to issue joint advisory warnings about potential dangers.
Vorndran and other current and former officials have credited the move away from unilateral warnings by individual agencies to multi-stamped ones as helping the private sector gain greater understanding of possible risks and prioritize resilience accordingly.
In addition to his work inside the bureau, Vorndran has often acted as the FBI’s lead official for government-wide efforts on digital security issues, including ransomware.
Vorndran is the co-chair of the Joint Ransomware Task Force. The group, which is co-led by CISA, was established in 2022 as part of incident reporting legislation — known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) — to bring together federal authorities and resources to better disrupt malicious activity and coordinate operations with state and local governments, as well as the private sector.
Prior to the bill’s passage, Vorndran was initially a chief critic of the landmark proposal for not giving a broad enough role to the FBI in the incident reporting regime. He argued that while the agency wasn’t looking to run the program alongside the Homeland Security Department’s cyber wing, Justice Department and FBI officials wanted all reports submitted to CISA to simultaneously go to the FBI.
“Cyber is the team sport, and the Department of Justice and the FBI are a key player,” Vorndran said in a statement for the record provided to the House Oversight Committee. “It is time for legislation to reflect this reality.”
The final CIRCIA legislation, which mandates that certain critical infrastructure organizations report cyber incidents within 72 hours and ransomware payments within 24 hours, gave law enforcement the involvement it sought. CISA is supposed to publish the final rule governing reporting requirements later this year, with a federal rule taking effect in 2026.
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.