FBI assistant director spotlights London cyber attach�e9 and how field offices build transatlantic cases
June 12, 2026 | Federal Bureau of Investigation (FBI), Department of Justice (DOJ), Executive, Federal
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Brett Leatherman, assistant director of the FBI's Cyber Division, interviewed Kathryn Sherman, the FBI's cyber assistant law enforcement attach�e9 (ALAT) in London, about the day-to-day work of field cyber teams and how investigations scale across borders. "One thing I love about this job is that every day is different," Sherman said, describing work that ranges from victim interviews to tabletop exercises with private companies.
Sherman said investigations are opened when they are "predicated on something," including victim reports, major intrusions, ransomware incidents or referrals from private-sector partners or intelligence agencies. She described early investigative steps that include launching preservation letters to retain fleeting data and seeking legal process—subpoenas, pen register/trap-and-trace orders and search warrants—to gather evidence.
The ALAT role in London, Sherman said, adds value because face-to-face relationships speed joint operations and clarify what each partner needs. "Sharing at speed because I'm here and because I have those trusted relationships allows us to move the ball forward at a much quicker pace," she said, stressing that legal and procedural differences between the U.S. and U.K. make on-the-ground coordination important.
Sherman highlighted the central role of private-sector companies as frontline sensors: they often see threats first and can refer incidents to law enforcement. She also described how field squads combine analysts, computer scientists and prosecutors to sequence operations and determine who is best positioned to disrupt an adversary's infrastructure.
Leatherman and Sherman discussed operational strain and leadership. Sherman described the Washington Field Office's work during the COVID-19 era and an election cycle, noting the need to split resources between sustaining casework and producing frequent, comprehensible threat briefings. She emphasized recognizing burnout and "asking for help" as leadership imperatives: "put your people first," she said.
The conversation underscored practical measures for incident response: preservation of volatile data, rapid reporting by victims to improve chances for disruptive action, and the benefits of joint, sequenced operations that draw on both government and industry capabilities. The interview closed with Leatherman introducing the episode's next guest, Richard Horne of the U.K.'s National Cyber Security Centre, and a reminder that cross-border relationships are central to modern cyber investigations.
Sherman said investigations are opened when they are "predicated on something," including victim reports, major intrusions, ransomware incidents or referrals from private-sector partners or intelligence agencies. She described early investigative steps that include launching preservation letters to retain fleeting data and seeking legal process—subpoenas, pen register/trap-and-trace orders and search warrants—to gather evidence.
The ALAT role in London, Sherman said, adds value because face-to-face relationships speed joint operations and clarify what each partner needs. "Sharing at speed because I'm here and because I have those trusted relationships allows us to move the ball forward at a much quicker pace," she said, stressing that legal and procedural differences between the U.S. and U.K. make on-the-ground coordination important.
Sherman highlighted the central role of private-sector companies as frontline sensors: they often see threats first and can refer incidents to law enforcement. She also described how field squads combine analysts, computer scientists and prosecutors to sequence operations and determine who is best positioned to disrupt an adversary's infrastructure.
Leatherman and Sherman discussed operational strain and leadership. Sherman described the Washington Field Office's work during the COVID-19 era and an election cycle, noting the need to split resources between sustaining casework and producing frequent, comprehensible threat briefings. She emphasized recognizing burnout and "asking for help" as leadership imperatives: "put your people first," she said.
The conversation underscored practical measures for incident response: preservation of volatile data, rapid reporting by victims to improve chances for disruptive action, and the benefits of joint, sequenced operations that draw on both government and industry capabilities. The interview closed with Leatherman introducing the episode's next guest, Richard Horne of the U.K.'s National Cyber Security Centre, and a reminder that cross-border relationships are central to modern cyber investigations.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
