The FBI and Cyber Defense
By Dr. Richard Weitz
05/18/2011 – In his May 29, 2009 remarks announcing the results of his cybersecurity policy review, President Barack Obama said that he had turned to the Federal Bureau of Investigation (FBI), as well as the CIA and the Secret Service, when hackers managed to gain access to his campaign-related email messages. Still, the FBI’s unique role can be overlooked when national security analysts contemplate cyber issues.
The FBI identifies countering cyber threats, along with counterterrorism and counterintelligence, as its three main priorities. As in the counterterrorism domain, the FBI’s role in cybersecurity is unique in that it is both a law enforcement and a national security agency. These dual missions arose from the 9/11 al-Qaeda terrorist attacks within the United States, which the FBI failed to identify and prevent in time.
Previously, the bureau had prioritized its anti-crime mission in both the terrorism and the cyber domain. The FBI’s Computer Analysis and Response Team (CART) became operational in 1991. It focused on criminal activities such as computer fraud and the sale of counterfeit software. This law enforcement mission still often leads the FBI to advocate a response to cybersecurity threats that diverges from that of the other main U.S. cybersecurity agencies.
In particular, whereas the other agencies typically want to shut down a cyber attack as soon as possible, the FBI often wants to allow it to operate for a while longer, until the bureau has acquired enough evidence to win a contested court case. The FBI’s cyber threat personnel are also more interested than their counterparts at other U.S. cybersecurity agencies in identifying the person behind the keyboard so that the individual can be prosecuted; those other agencies have effectively given up hope of being able to attribute a cyber incident to a particular individual.
The FBI’s broad mission can enable the bureau to detect malicious cyber threats initially overlooked by other agencies. “The FBI is both a law enforcement and national security agency, which means we can and must address every angle of a cyber case,” FBI Director Robert Mueller explained in 2009. “This is critical, because what may start as a criminal investigation may lead to a national security threat. … At the start of a cyber investigation, we do not know whether we are dealing with a spy, a company insider, or an organized criminal group.” It can happen, Mueller added, that “something that looks like an ordinary phishing scam may be an attempt by a terrorist group to raise funding for an operation.”
The FBI has developed other unique capabilities and partnerships for fighting cyber criminals. A Cyber Division at the FBI’s Washington headquarters aims “to address cyber crime in a coordinated and cohesive manner.” The FBI also has specially trained cyber squads based at headquarters and in each of the FBI’s 56 field offices. These squads employ more than 1,000 agents, analysts, and digital forensic examiners who investigate computer intrusions, theft of intellectual property and personal information, incidents of child pornography and exploitation, and online fraud. The squads run complex undercover operations and share information with federal, state, and local law enforcement and intelligence partners. Furthermore, FBI Cyber Action Teams “travel around the world on a moment’s notice to assist in computer intrusion cases” and “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy.”
Throughout the United States, 93 Computer Crimes Task Forces “combine state-of-the-art technology and the resources of our federal, state, and local counterparts.” A presidential directive gives the FBI the lead role in the National Cyber Investigative Joint Task Force, which includes 18 law enforcement and intelligence agencies whose members try to predict and prevent cyber attacks. The task force operates through Threat Focus Cells—smaller groups of agents, officers, and analysts from different agencies, each focused on a particular threat. For instance, the Botnet Focus Cell investigates high-priority botnets and attempts to reverse-engineer them to identify and stop those running the botnets. The FBI also has a lead role in investigating the unauthorized disclosure of classified or proprietary information, especially the ability of insiders to gather data for unauthorized disclosure, as in the recent WikiLeaks incident.
The FBI tries to cooperate with foreign government law enforcement agencies to address international cybercrime. Within the United States, the Department of Justice’s Computer Crime and Intellectual Property Section, its Office of International Affairs, and Assistant U.S. Attorneys throughout the country have worked tirelessly to build relationships and coordinate investigations with international partners. In addition, the FBI itself has embedded specialized agents, who focus on cyber issues, in the police units of several foreign countries. These agents currently work in Estonia, Ukraine, Romania, Colombia, and the Netherlands, and the FBI hopes to establish additional embeds in the future.
Furthermore, the FBI has more than 60 legal attaché offices in foreign countries that cooperate with foreign governments on a range of international criminal activities, including cybercrime. The FBI claims that these international partnerships have contributed to the arrest of hundreds of cybercriminals who have engaged in transnational criminal activities against Americans.
The FBI has cooperated with foreign governments on a range of cyber-related operations. The FBI has collaborated with the Chinese Ministry of Public Security to convict individual criminals found producing and distributing pirated Microsoft software worth several billion dollars. In October 2009, the FBI worked with Egyptian authorities to dismantle a computer intrusion and money laundering scheme operating in the United States and Egypt. In March 2010, the FBI closed down the Mariposa information-stealing botnet, which had infected millions of computers, from Fortune 1000 companies to major banks. In collaboration with law enforcement agencies in the United Kingdom, Germany, and Turkey, the FBI dismantled DarkMarket, a sophisticated cybercrime syndicate that used the Internet to buy and sell stolen financial data. After several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country, the Romanian government launched a comprehensive partnership between the FBI and the Romanian National Police that resulted in the arrest of more than one hundred Romanian nationals.
Critics complain that this cooperative orientation leads the FBI to avoid confronting foreign governments over cybersecurity issues. They note that some foreign officials may be working for cyber criminals, or providing sanctuary to cybercriminals who pledge to leave their host nation alone. They further warn that some foreign governments may sponsor groups that appear to be ordinary cybercriminals but are actually surveying potential Internet battlefields.
In his book Cyber War, Richard Clarke, former counterterrorism chief with the National Security Council, writes that foreign nations have established “trapdoors” in electronic industrial-control systems in the form of nearly invisible software “rootkits.” These could give the attacker access to and control over industries’ computer networks, which could later be used to disrupt or destroy operations – for example, those of the US power grid. Critics such as Clarke want the FBI to treat cybersecurity the same way it treats terrorist financing or WMD proliferation activities—pressure foreign governments to enforce model cybersecurity laws and crack down on cyberthreats, or lose access to U.S. banks and other U.S. economic services. They also recommend that U.S. officials try to expand U.S. unilateral sanctions into more comprehensive economic sanctions.
According to Symantec’s most recent Internet Security Threat Report, private businesses are already under sustained assault in the cyber world due to three trends: (1) malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest; (2) so-called “advanced persistent threats” focused on large enterprises are becoming more common as thieves seek customer data, financial information, and intellectual property assets; and (3) mass-market attacks—those that small businesses and consumers usually fall prey to—continue to evolve in their sophistication.
Yet private businesses are sometimes wary of sharing too much information with the government, for fear that their proprietary information will leak or that they could become liable for any flawed policies. They also have an incentive to keep cyber incidents secret so as not to alarm their customers and investors. Historically, the most effective public-private partnerships have had:
- Inclusive private sector membership, unified in the pursuit of common goals;
- A single responsible and accountable government partner organization;
- Clearly delineated roles for both public and private entities.
Information sharing with the private sector must be a two-way street, and sensitive commercial data must be explicitly protected. Confidentiality and liability protection will encourage the private sector to implement the desired activities.
Collective national cybersecurity can only be effectively addressed through a partnership between the government and private industry. The government has the legal authority required to organize markets, enforce laws, and protect citizens’ privacy and property. On the other hand, the vast majority of cyberspace infrastructure is privately owned and operated. Private industry holds most of the expertise in the field of cybersecurity, as well as in the various critical infrastructure sectors that cyber threats could endanger. Whereas the federal government will have the most comprehensive knowledge of potential terrorist threats, the operators of private sector networks will likely be the first to know when something is amiss with them.