Does the FBI have its cyber priorities and investigative strategies straight?
That's one of the questions raised by an audit of the FBI's computer intrusion investigation capabilities, released earlier this year, which painted an unflattering picture of the bureau's ability to investigate cyber crime, especially cases involving national security. Notably, the audit, conducted by the Department of Justice's Office of the Inspector General (OIG), suggested that the FBI was failing to properly train and support its cyber investigators.
After the audit was released, the FBI fired back, alleging that the OIG's report was outdated and skewed by the opinions of a handful of agents who were training in a program that has changed numerous times over the past few years in response to the rapidly evolving nature of attacks and crimes perpetrated online.
"The FBI capacity that exists today is much greater than the capacity that existed two years ago, because we created a cyber career path specifically because we realized that all of the agents would not be at the [required] level," Steven Chabinsky, deputy assistant director of the FBI's cyber division, told me in a telephone interview earlier this year. "This is not something where we're coming to the table, seeing the OIG's report, and saying, we should have thought of this. Just the opposite."
In fact, the OIG's audit presented 10 actions that were necessary to resolve or close out the audit. By April 2011, the bureau had met all of those requirements. In addition, the bureau has been earning accolades from security experts for its cyber investigation capabilities, and it has chalked up some notable successes in recent months, including shutting down the Coreflood botnet and coordinating the international bust of two scareware rings.
But the audit raises at least one question that still needs answering. The auditors found that the bureau spends almost as many man-hours investigating child pornography as cyber crime. According to the report, in 2009 the FBI "used 19% of its cyber agents on national security intrusion investigations, 31% to address criminal-based intrusions, and 41% to investigate online child pornography matters."
In this era of targeted attacks--exploits involving everyone from RSA and Lockheed Martin to Sony and the U.S. Senate--is the FBI focusing on the right areas? To some extent, the bureau's hands are tied by funding, which is determined by Congress, "in different allocations," said Chabinsky. Notably, national security investigations are funded from different sources than child protection or investigating intellectual property crimes.
Furthermore, according to a different report from the OIG, "FBI Personnel Resource Management and Casework," released in 2010, the resources used by the bureau appear to be in line with what it has been told to pursue.
Another interesting question raised by the OIG's audit is whether the FBI should centralize more of its cybercrime operations. The FBI does have some regional hubs, for example, for digital forensic investigations. But in an age of distributed managed services, cloud computing, and virtual infrastructure, might it make more sense to further centralize the bureau's overstretched cyber resources?
While the FBI is exploring the creation of some additional regional hubs, Chabinsky ruled out any large-scale centralization of its cyber activities. "At the end of the day, we still have real victims who have real locations, and if you were to centralize, it would be difficult to have a private relationship with the owners and operators who are responsible for the networks," he said. That's why the FBI has cyber specialists in every field office.
Interestingly, the FBI also liaises with the country's top cyber targets based on the bureau's own field office locations. This structure gives FBI personnel direct responsibility for understanding which critical infrastructure exists in their territory, and for fostering relationships with the organizations that own that infrastructure. The FBI also uses its public-private partnership program, InfraGard, to reinforce these local relationships.
"There is a very local component to national security and law enforcement," even when it involves computer-related crime, Chabinsky said. In fact, information frequently flows in both directions. "It's often the case now that the FBI is informing people that they've been victimized, rather than victims coming to the FBI," he said.
Finally, keeping agents local means they don't have to hop on a plane to follow every lead or launch an investigation. In fact, "remote investigating" is often not an option, he said, as "some of our cases have information that you couldn't even approach on a telephone."
Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Read our report now. (Free registration required.)