The Role of the FBI in Cybersecurity

05/16/2012

By Richard Weitz

In a January 31, 2012 hearing on global threats of the Senate Select Intelligence Committee on worldwide threats, the director of the Federal Bureau of Investigation (FBI), Robert Mueller; warned about the growing cyber threat to the United States.

“I do not think today it is necessarily number one threat,” he said, “but it will be tomorrow.” Explaining his concern, Mueller worried that, “Counterterrorism — stopping terrorist attacks with the FBI is the present number one priority, but down the road, the cyberthreat, which cuts across all programs, will be the number one threat to the country.”

As in the counterterrorist domain, the FBI’s role in cybersecurity is unique in that it is both a law enforcement and a national security agency.

These dual missions arose from the 9/11 al-Qaeda terrorist attacks in the United States, which the FBI failed to identify in time to prevent.

Mueller argued that the FBI was changing its policies to meet this cyber challenge.

Just as the Bureau devoted more attention to terrorism as well as organized crime after the 9/11 attacks, so the FBI is now focusing on how cyber technologies were amplifying the threat from terrorists and criminals. In addition to developing its own capabilities, the FBI was strengthening partnerships with other U.S. government, state and local and foreign partners to counter cyber threats.

But he added that Congress had to assist this process by enacting national data breach requirements on private sector entities for reporting cyberattacks, to replace the various but differing reporting requirements in almost every state.

The FBI has prioritized its anti-crime Mission in both terrorism and the cyber domain.

The FBI’s Computer Analysis and Response Team (CART) became operational in 1991. It focused on criminal activities such as computer fraud and the sale of counterfeit software. This law enforcement Mission can often lead the FBI to advocate a response to cybersecurity threats that diverges from those of the other main cybersecurity agencies.

In particular, whereas the other agencies typically want to shut down a cyberattack as soon as possible, the FBI often wants to allow it to operate until the Bureau has acquired enough evidence to win a court case.

The FBI’s cyberthreat personnel are also more interested in identifying the person behind the keyboard so that the individual can be prosecuted than are the other U.S. cybersecurity agencies, which have in effect given up hope of being able to attribute a cyber incident to a particular individual.

Information sharing between government and the private sector receives considerable support from InfraGard, a program established by the FBI in 1996.

Originally developed to assist cybercrime investigations, InfraGard facilitates collaboration with law enforcement, business, and academia on range of security-related issues. InfraGard Chapters facilitate information collection, analysis, and training and provides discussion forums to share best practices.

InfraGard also provides a secure Web-based communications platform.

Nongovernmental Efforts. Private-sector companies, universities, research centers, and nongovernmental groups have developed capabilities to combat malicious cyber activities and to investigate or disrupt terrorist operations on the Internet.

A Presidential directive gives the FBI the lead role in the National Cyber Investigative Joint Task Force, which includes 18 law enforcement and intelligence agencies whose members try to predict and prevent cyberattacks. Picture of the FBI building in Washington DC credited to Bigstock.

Perhaps the best known of these groups is the Internet Security Alliance, a collaboration between the Electronic Industries Alliance, a federation of trade associations, and Carnegie Mellon University’s CyLab. It was established to provide a forum for information sharing and to generate suggestions for strengthening information security.

The FBI’s broad mission can enable the Bureau to detect malicious cyberthreats initially overlooked by other agencies.

“The FBI is both a law enforcement and national security agency, which means we can and must address every angle of a cyber case,” FBI Director Robert Mueller explained in 2009. “This is critical, because what may start as a criminal investigation may lead to a national security threat.… At the start of a cyber investigation, we do not know whether we are dealing with a spy, a company insider, or an organized criminal group.”

It can happen, Mueller added, that “Something that looks like an ordinary phishing scam may be an attempt by a terrorist group to raise funding for an operation.”

Unique Capabilities and Partnerships for Fighting Cyber Criminals

The FBI has developed unique capabilities and partnerships for fighting cyber criminals.

A Cyber Division at the FBI’s Washington Headquarters aims “to address cyber crime in a coordinated and cohesive manner.”

The FBI has specially trained cyber squads based at FBI headquarters as well as in each of the FBI’s 56 field offices. These employ more than 1,000 specially trained agents, analysts and digital forensic analysts who protect and investigate computer intrusions, theft of intellectual property and personal information, incidents of child pornography and exploitation and online fraud.

The squads run complex undercover operations and share information with Federal, state and local law enforcement and intelligence partners. Furthermore, FBI Cyber Action Teams “travel around the world on a moment’s notice to assist in computer intrusion cases” and “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy.”

Throughout the United States, 93 Computer Crimes Task Forces “combine state-of-the-art technology and the resources of our Federal, state and local counterparts.”

A Presidential directive gives the FBI the lead role in the National Cyber Investigative Joint Task Force, which includes 18 law enforcement and intelligence agencies whose members try to predict and prevent cyberattacks.

The task force operates through Threat Focus Cells—smaller groups of agents, officers and analysts from different agencies, focused on particular threats. For instance, the Botnet Focus Cell investigates high-priority botnets and attempts to reverse-engineer them to identify and stop those running the botnets. The FBI also has a lead role in investigating the unauthorized disclosure of classified or proprietary information, especially insider threat capabilities to gather data through unauthorized disclosure, as well as the recent WikiLeaks incidents.

The FBI is also a member of the National Cyber-Forsenics and Training Alliance (NCFTA), a non-profit alliance in Pittsburgh which brings together law enforcement, academia, and private industry to share information on cyber threats.  The NCFTA works as an early warning system where alliance member alert each other to cyberattacks they experience.  The NCFTA also provides training on cyber threats and hosts programs where various law enforcement agencies can share their experiences.

Working with Foreign Governments

The FBI tries to cooperate with foreign government law enforcement agencies to address international cybercrime.

In the United States, the Department of Justice’s Computer Crime and Intellectual Property Section, its Office of International Affairs and Assistant U.S. Attorneys throughout the country have worked tirelessly to create relationships and coordinate investigations with our international partners.

In addition, the FBI has embedded specialized agents in the police units of several foreign countries that focus on cyber issues. These agents currently work in Estonia, Ukraine, Romania, Colombia and the Netherlands, and the FBI hopes to establish additional embeds in the future.

The FBI has also trained Cyber Action Teams that are on call travel around the world to assist in computer intrusion cases and to gather intelligence on cyber threats. Furthermore, the FBI has more than 60 legal attaché offices in foreign countries that cooperate with foreign governments on a range of international criminal activities, including cybercrime.

The FBI says that these international partnerships have contributed to the arrest of hundreds of cybercriminals who have engaged in transnational criminal activities against Americans.

The FBI has collaborated with foreign governments on a range of cyber-related operations.

The FBI has collaborated with the Chinese Ministry for Public Security to convict some individual criminals found producing and distributing pirated Microsoft software worth several billions of dollars.

In October 2009, the FBI worked with Egyptian authorities to dismantle a computer intrusion and money-laundering scheme operating in the United States and Egypt. In March 2010, the FBI closed the Mariposa information-stealing botnet that infected millions of computers, from Fortune 1000 companies to major banks. In collaboration with law enforcement agencies in the United Kingdom, Germany and Turkey, the FBI dismantled Darkmarket, a sophisticated cybercrime syndicate that used the Internet to buy and sell stolen financial data.

After several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country, the Romanian government launched a comprehensive partnership between the FBI and the Romanian National Police that resulted in the arrest of more than 100 Romanian nationals.

In October 2010, the FBI uncovered an Eastern European ring that was stealing bank account information from mid-sized companies, towns, and churches with the help of agents in Western countries, who would help transfer the money. It took the combined efforts of American, British, Dutch, and Ukrainian law enforcement to break the ring.

In November 2011, Estonia arrested six of its citizens who had been running an Internet fraud scheme. The hackers had been able to manipulate Internet advertising to generate $14 million in illicit fees. They had been able to infect and control others computers whose users were unaware of their activity. The hackers were caught after a two-year FBI investigation, Operation Ghost Click, and are awaiting extradition to the United States.

One multinational initiative that aims to combat transnational cybercrime is the Strategic Alliance Cyber Crime Working Group, consisting of the federal policing agencies from Australia (Australian Federal Police), New Zealand (New Zealand Police), the United Kingdom (Serious Organised Crime Agency), Canada (Royal Canadian Mounted Police) and the FBI.

Formed in 2006, alliance members share intelligence, tools and best practices as well as strengthen and synchronize their respective laws. Its accomplishments include assessing emerging trends, vulnerabilities and strategic initiatives regarding transnational cyberthreats; sharing training curriculums and providing training to international cyber professionals; and exchanging cyberexperts to serve on joint international task forces so as to learn from others’ investigative techniques.

Critics complain that this cooperative orientation makes the FBI avoid confronting foreign governments over cybersecurity issues.

They note that some foreign officials may be working for cybercriminals, or providing sanctuary for cybercriminals that pledge to leave their host nation alone. They further warn that some foreign governments may actually sponsor apparently anti-cybercrime groups that are engaged in surveying potential Internet battlefields.

Trap Doors

In his book Cyber War, Richard Clarke, former counterterrorism chief with the National Security Council, writes that foreign countries have established “trapdoors” in electronic industrial-control systems in the form of nearly invisible software “rootkits.” They could give the attacker access and control over industries’ computer networks, which could later be used to disrupt or destroy operations—for example, the operations of the U.S. power grid.

Critics such as Clarke want the FBI to treat cybersecurity the same way it treats terrorist financing or WMD proliferation activities—pressure foreign governments to enforce model cybersecurity laws and crack down on cyber threats, or lose access to U.S. banks and other U.S. economic services. They also recommend that U.S. officials try to expand U.S. unilateral sanctions into more comprehensive economic sanctions.

In recent years, the United States has accepted a philosophy that if “a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a ‘use of force’.”

However, U.S. officials have not conclusively indicated whether the presence of an inactive worm in U.S. defense systems could produce the same result.

On the one hand, it seems questionable to violently retaliate for the presence of a computer virus that is, at the moment, causing no harm (an action made all the more difficult by the previously discussed challenges in attribution).

On the other hand, it is quite plausible that a state would react with force (if it could determine the perpetrator) to the discovery of explosives placed (again, preemptively) beneath one of its critical radar stations.

Logic Bombs are strategic assets that come in the form of malicious code designed to execute if specific events occur or at a predetermined time.

When triggered, this code may disable computer systems, delete data, or activate a denial-of-service attack. Logic bombs could be considered an act of aggression should their ultimate purpose be discovered. In practice, the vast amount of uses for logic bombs complicates any classification of this type of cyber weapons.

A logic bomb’s conventional equivalent would seem to be deep cover agents or sleeper cells. As in the conventional battlespace, these agents could lay dormant for decades until being activated and can perform many duties ranging from the gathering of intelligence to direct action missions. Cyberspace is no different; a logic bomb can be activated to release malware which gives intelligence agencies a back door in an enemy’s intelligence networks or it could be used to disrupt vital logistical networks or both private and public infrastructure. For a legal decision to be made, intent must be conclusively discovered.

The discovery of a Russian clandestine network in 2010 is an excellent comparison to the use of logic bombs.

In this case, the discovery of clandestine agents who had been dormant for years did not prove to be an act of war and thus required no military response. Had the agents be found to be sabotaging air traffic control centers or disabling safety features on nuclear power plants, there could have been a conventional military response due to the threat and intent to cause physical damage.

A comparison can also be made with “insider” threats—those people whose position allows them to circumvent many of the institution’s external defenses, which are typically directed outward.

Steven Chabinsky believes that “the primary cyber-risk to our critical infrastructure is from disgruntled employees who have insider knowledge and access.”  One reason why Google might have reacted so strongly to China’s Internet attacks in January 2010 was that, according to the media, Google suspected that one or more of its Chinese-based employees had abetted the December 2009 penetration of the company’s internal networks.

According to these reports, Google experienced the nightmare of a double Trojan Horse attack, with at least one of its local Chinese employees opening the company’s firewalls to allow virtual Trojan Horses to penetrate its internal network. What was unusual was that the particular malware program involved in the penetration, Hydraq, knew precisely what data to attack and where to find it.

Local Chinese media have reported that after January 13, when Google went public with its information about the alleged Chinese cyberattacks, the company denied some of its Chinese employees access to Google’s internal networks while transferring or putting on leave personnel in the company’s China office.

Military action based solely on the discovery of a logic bomb would be akin to a preventive strike against a threat, which was not immediate.

However, the deployment of a strategic asset such as a logic bomb during a time when two countries are approaching conflict could be deemed as a first strike.

For example, Chinese information warfare doctrine stresses seizing control of an adversary’s information flow.

In the event of an escalation of conflict between China and the United States over Taiwan, Chinese infiltration of U.S. networks, both civilian and military, could be considered a first strike due to the potential for risk to both forward deployed military assets and civilians at home. In this instance the PRC would be showing a hostile intent of disrupting C4ISR capabilities of their adversaries which in the case of a conflict in the Taiwan Straits could allow the PLA to launch military operations such as a cross-strait landing before the US could effectively intervene.

Proposed Changes

The threat of cyber espionage is compounded by the challenge of attribution. D Mueller testified at a February 2012 Hearing of the House Select Committee on Intelligence that after an attack on a private company, it is difficult to identify whether a state actor, an organized criminal group, or even “that high school student who lives down the street” was responsible for the data breach. Officials agree that real-time attribution of cyber attacks, knowing who carried out the attack and where they are working, is one of the greatest challenges to cyber security.

At a minimum, Mueller has called for congressional legislation requiring institutions that have experienced a cyber attack to report the data breach. If cyber attacks go unreported, Mr. Meuller maintained that “we cannot prevent the next event from happening” because the bureau cannot conduct a forensics investigation of who might be responsible, how they did it, and what damage was inflicted, and whether any malicious software has been left behind. “The sharing of information is as important if not more important as what we saw in the wake of September 11th,” Mueller explained. “And so the cyber bills are out there that break down the stovepipes, that allow the sharing of information within the government but also between the government and the private sector is tremendously important.”

The comprehensive cybersecurity legislation the Obama Administration submitted last year would modernize and synchronize laws and regulations by updating criminal codes designed for pre-cyber age.

For example, it would update the Federal Information Security Management Act to include greater automation and performance-based security measures, with DHS rather than the OMB implementing FISA. It would also synchronize punishment for cybercrimes with other kinds of crimes (i.e., apply mandatory minimum sentences). But the Administration’s proposal would strengthen individual privacy oversight such as by requiring the U.S. Attorney General’s approval for many actions as well as layered oversight programs and extensive congressional reporting. Critics worry that the measures would give the federal government excessive powers and threaten individuals’ rights as well as threaten one of the most dynamic sectors (information technology) of the U.S. economy.

The Obama proposal also would establish national-level data centers and data breach reporting standards to standardize private sector cybersecurity requirements by constraining the actions of individual states, many of which are enacting their own unique laws that then apply to companies operate in many states.

The Administration also wants to encourage the growth of cloud computing (seen as more secure than physical networks) by prohibiting state laws mandating a physical presence in their territory. This measure would replace 47 separate state laws with a single nationwide requirement for when and what firms must report to DHS alone when a cyberattack compromises individuals’ data .

Critics complain that the threshold for a reportable breach is unclear; U.S. businesses suffer thousands of attacks and minor penetrations each day, and cannot possibly report them all. They fear that a lowest common standard would be adopted as a result. They also fear that businesses that have the best cyber intrusion detection would be penalized since they would report the most incidents.

As a result, firms would have incentive to underinvest in cyber intrusion detection. They also are alarmed that federal authorities might misuse the private sector data they receive by, for example, using it to enforce other laws.

The Administration wants to encourage voluntary information sharing about cyberthreats between the public and private sectors to encourage mutual situational awareness. The Administration’s proposed comprehensive cybersecurity legislation would provide non-federal entities with immunity from lawsuits when they share cybersecurity data in good faith with the U.S. government. This immunity would not extend to non-cyber information. The Administration also wants to encourage short-term exchanges of public and private cybersecurity personnel.

The proposal has raised alarm that the offering immunity would reduce firms’ fear of lawsuits and lead them to reduce efforts to safeguard customers’ data. In addition, critics note that the Administration’s proposal would only protect private-public information sharing, not sharing among private entities, which might be suboptimal since businesses would run afoul anti-trust laws.