Progress in U.S. Government Information Technology by Michael Erbschloe


Cybersecurity Progress in the U.S. Government

The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists. The threat is incredibly serious—and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators. Just as the FBI transformed itself to better address the terrorist threat after the 9/11 attacks, it is undertaking a similar transformation to address the pervasive and evolving cyber threat. This paper presents some of the highlights of testimony provided by U.S. government agencies on combating evolving cyber threats.

Today, computer intrusion cases—counterterrorism, counterintelligence, and criminal—are the paramount priorities of our cyber program because of their potential relationship to national security. The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services around the country.

In recent years, the FBI has built a whole new set of technological and investigative capabilities and partnerships for chasing outlaws in cyberspace that include:

  • A Cyber Division at FBI Headquarters to address cyber crime in a coordinated and cohesive manner;
  • Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed with agents and analysts who protect against and investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud;
  • New Cyber Action Teams that travel around the world on a moment’s notice to assist in computer intrusion cases and that gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy;
  • 93 Computer Crimes Task Forces nationwide that combine state-of-the-art technology and the resources of our federal, state, and local counterparts;
  • A growing partnership with other federal agencies, including the Department of Defense, the Department of Homeland Security, and others—which share similar concerns and resolve in combating cyber crime.

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation. Home computers are just as susceptible to ransomware and the loss of access to personal and often irreplaceable items— including family photos, videos, and other data—can be devastating for individuals as well.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. This is why a backup that the infected machine can write to (a mapped drive, an always-connected USB disk, a writable network share) offers no protection; only offline or otherwise write-protected copies survive. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demanding a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually in bitcoin, whose pseudonymous addresses make the recipient harder to identify, even though the public ledger means the payments themselves are traceable rather than anonymous.
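The behaviour just described, one process rewriting or renaming files across the local disk, attached drives and backup shares in a burst, is also the behaviour a defender can look for. The following is an added example, not code from the book or from the FBI, that scores two signals over a constructed audit log: a sliding-window count of distinct files and volumes a process touches, and the Shannon entropy of file contents (encrypted data sits near 8 bits per byte, ordinary documents well below). The audit-record format, the Windows-style paths, the thresholds and the pids are all assumptions made for the illustration.

```python
"""Heuristic detector for ransomware-style mass encryption (added example).

Assumptions (not from the source): audit records arrive as
(time_seconds, pid, op, path) tuples with Windows paths, and the
thresholds below are tuned by hand for the constructed log.
"""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def mount_root(path: str) -> str:
    r"""Volume a Windows path lives on: drive letter ('E:') or UNC share ('\\nas\backup')."""
    if path.startswith("\\\\"):
        host, share = path.lstrip("\\").split("\\")[:2]
        return f"\\\\{host}\\{share}"
    return path[:2].upper()


def detect_mass_encryption(events, window=60.0, min_files=20, min_mounts=2):
    """Return the pids whose write/rename activity looks like mass encryption.

    A pid is flagged when, inside any `window`-second span, it touched at
    least `min_files` distinct paths spread over at least `min_mounts`
    volumes (local disk, attached drive, backup share).
    """
    by_pid = defaultdict(list)
    for t, pid, op, path in events:
        if op in ("write", "rename"):
            by_pid[pid].append((t, path))
    flagged = set()
    for pid, evs in by_pid.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:  # slide the window start forward
                j += 1
            files = {p for _, p in evs[j:i + 1]}
            if len(files) >= min_files and len({mount_root(p) for p in files}) >= min_mounts:
                flagged.add(pid)
                break
    return flagged


# Constructed audit log: pid 100 is a user saving three documents over ten
# minutes; pid 666 rewrites and renames 30 files across the local disk, an
# attached drive and a backup share in about 30 seconds.
EVENTS = []
for k in range(3):
    EVENTS.append((k * 200.0, 100, "write", f"C:\\Users\\alice\\Documents\\report{k}.docx"))
ROOTS = ["C:\\Users\\alice\\Documents\\", "E:\\photos\\", "\\\\nas\\backup\\"]
for k in range(30):
    root = ROOTS[k % 3]
    EVENTS.append((1000.0 + k, 666, "write", f"{root}file{k}.dat"))
    EVENTS.append((1000.5 + k, 666, "rename", f"{root}file{k}.dat.locked"))

# Constructed file contents: a plain document versus its encrypted stand-in.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 100
CIPHERTEXT = pseudo_ciphertext(b"constructed seed", len(PLAINTEXT))

if __name__ == "__main__":
    print("flagged pids:", detect_mass_encryption(EVENTS))
    print(f"plaintext entropy  {shannon_entropy(PLAINTEXT):.2f} bits/byte")
    print(f"ciphertext entropy {shannon_entropy(CIPHERTEXT):.2f} bits/byte")
```

Neither signal is sufficient on its own: a backup job or a compression tool also rewrites many files with high-entropy output, so the volume-spread condition and an allow-list of known processes are what keep the false-positive rate tolerable in practice. The entropy test is most useful as a second check on files a flagged process has just renamed.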

 

Karen H. Brown, Deputy Director, NIST

Testimony on Computer Security Issues, March 9, 2000

Subcommittee on Government Management, Information, and Technology

The explosive growth in Electronic Commerce highlights the nation's ever increasing dependence upon the secure and reliable operation of our computer systems. Computer security, therefore, has a vital influence on our economic health and our nation's security and we commend the Committee for your focus on security.

Under NIST's statutory federal responsibilities, we develop standards and guidelines for agencies to help protect their sensitive unclassified information systems. Additionally, we work with the information technology (IT) industry and IT users in the private sector on computer security in support of our broad mission to strengthen the U.S. economy, and especially to improve the competitiveness of the U.S. information technology industry. Addressing security will also help ensure that Electronic Commerce growth is not limited because of security concerns.

We work to develop security standards and specifications to help users specify security needs in their procurements and establish minimum security requirements for Federal systems. We develop and manage security testing programs, in cooperation with private sector testing laboratories, to enable users to have confidence that a product meets a security specification. We produce security guidance to promote security planning, and secure system operations and administration.

When we identify new technologies that could potentially influence our customers' security practices, we research the technologies and their potential vulnerabilities. We work to find ways to apply new technologies in a secure manner. The solutions that we develop are made available to both public and private users. Some examples are methods for authorization management and policy management, ways to detect intrusions to systems, and demonstrations of mobile agents. Research helps us find more cost-effective ways to implement and address security requirements.

NIST has long been active in developing Federal cryptographic standards and working in cooperation with private sector voluntary standards organizations in this area. Moreover, in the standards area we have been working with the private sector in preparing for the future. We are leading a public process to develop the Advanced Encryption Standard (AES), which will serve 21st century security needs. Another aspect of our standards activities concerns Public Key and Key Management Infrastructures. The use of cryptographic services across networks requires the use of "certificates" that bind cryptographic keys and other security information to specific users or entities in the network.

Many of these activities are being done in cooperation with the Defense Department and National Security Agency in a National Information Assurance Partnership. Private sector laboratories are being accredited under our National Voluntary Laboratory Accreditation program to conduct such testing. The effort involves developing testing competencies and a process for accrediting testing organizations. Under this program we have also led the development of an international mutual recognition arrangement whereby the results of testing in the U.S. are recognized by our international partners, thus reducing the costs to industry.

The White House has proposed establishing a $50 million Institute for Information Infrastructure Protection (IIIP), which was initially recommended by the President's Committee of Advisors on Science & Technology (PCAST). IIIP's R&D, which will aim to help prevent security problems, will include work that can be applied to protect multiple sectors' infrastructures, and thus will complement sector-specific R&D underway elsewhere in the government and private sector. This will help strengthen the focused existing and planned security architectures within the critical infrastructure sectors and help prepare the owners/operators of those infrastructures to survive potential hostile activities. At the core of the partnership is IIIP's selection of information infrastructure protection R&D focus areas.

The security of Federal systems must also be improved. These systems contain sensitive information about our citizens and provide services upon which our citizens' safety and well-being depend. The government should exert leadership and set an example for the nation in protecting against risks and vulnerabilities.

 

Ronald L. Dick, Director, National Infrastructure Protection Center, FBI

Testimony on the National Infrastructure Protection Center, June 24, 2002

House Committee on Governmental Reform, Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee

As set forth in Presidential Decision Directive 63 (PDD-63), the mission of the NIPC is to provide "a national focal point for gathering information on threats to the infrastructures" and to provide "the principal means of facilitating and coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts." The Directive defines critical infrastructures to include "those physical and cyber-based systems essential to the minimum operations of the economy and government," to include, without limitation, "telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private." Our combined mission supports information and physical security, law enforcement, national security, and the military.

The annual Computer Security Institute/FBI Computer Crime and Security Survey, released in April, indicated that 90% of the respondents detected computer security breaches in the last 12 months. Only 34% reported the intrusions to law enforcement. On the positive side, that 34% is more than double the 16% who reported intrusions in 1996. The two primary reasons for not making a report were negative publicity and the recognition that competitors would use the information against them.

The InfraGard program is a nationwide initiative that grew out of a pilot program started at the Cleveland FBI field office in 1996. Today, all 56 FBI field offices have active InfraGard chapters. Nationally, InfraGard has over 5000 members. It is the most extensive government-private sector partnership for infrastructure protection in the world, and is a service the FBI provides to InfraGard members free of charge. It particularly benefits small businesses which have nowhere else to turn for assistance. InfraGard expands direct contacts with the private sector infrastructure owners and operators and shares information about cyber intrusions and vulnerabilities through the formation of local InfraGard chapters.

The chapter members include representatives from the FBI, State and local law enforcement agencies, other government entities, private industry and academia. The National Infrastructure Protection Center and the Federal Bureau of Investigation play the part of facilitator by gathering information and distributing it to members, educating the public and members on infrastructure protection, and disseminating information through the InfraGard network.

The NIPC has recently initiated the establishment of an Information Sharing and Analysis Center (ISAC) Support and Development Unit, whose mission is to enhance private sector cooperation and trust, resulting in two-way sharing of information and increased security for the nation's critical infrastructures. The ISAC Development and Support Unit has assigned personnel to each ISAC to serve as NIPC's liaison to that sector. When an ISAC receives information from a member, it forwards the information to its NIPC liaison, who then works with NIPC's Analysis and Information Sharing Unit and Watch and Warning Unit to coordinate an appropriate response. The NIPC now has information sharing agreements with nine ISACs, including those representing the energy, telecommunications, information technology, banking and finance, emergency law enforcement, emergency fire services, water supply, food, and chemical sectors.

Three examples bear discussion. The North American Electric Reliability Council (NERC) serves as the electric power ISAC. The NIPC has developed a program with the NERC for an Indications and Warning System for physical and cyber attacks. Under the program, electric utility companies and other power entities transmit incident reports to the NIPC. These reports are analyzed and assessed to determine whether an NIPC alert, advisory, or assessment is warranted to the electric utility community. Electric power participants in the program have stated that the information and analysis provided by the NIPC back to the power companies make this program especially worthwhile. NERC has recently decided to expand this initiative nationwide.

One of our most recent agreements was with the ISAC for Emergency Services - Fire, the US Fire Administration, an organization which has been a model for the mutual benefits of two-way information sharing. Since that agreement, we have shared intelligence on diver threats to waterfront facilities, suspicious attempts to purchase an ambulance in New York, and the theft of a truck with 10 tons of cyanide in Mexico. In turn, they have told us of suspicious foreign nationals visiting fire stations to gather information and of foreign nationals calling fire and EMS departments and visiting their web sites to gather information on capabilities, watch schedules and manning levels. Such two-way information sharing provides significant safety and infrastructure protection benefits to the public we serve.

The telecommunications ISAC provides a good example of positive, two-way information sharing. In his July 9, 2002 testimony before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Bill Smith, Chief Technology Officer, BellSouth Corporation, stated: "With respect to FOIA (Freedom of Information Act), many companies are hesitant to voluntarily share sensitive information with the government because of the possible release of this information to the public." He further noted that BellSouth does share information with the Telecommunications ISAC, but it is "done on a limited basis, within trusted circles, and strictly within a fashion that will eliminate any liability or harm from FOIA requests for BellSouth information."

Since its inception, the NIPC has issued over 120 warning products. A number of warning products have preceded incidents or prevented them entirely by alerting the user community to a new vulnerability or hacker exploit before acts are committed or exploits are used on a widespread basis. The Center has had particular success in alerting the user community to the presence of Denial of Service tools on the network and has in some cases provided a means to discover the presence of tools on a network.

The NIPC has formed an Interagency Coordination Cell (IACC) at the Center which holds monthly meetings regarding ongoing investigations. To date, the IACC's growing membership has risen to approximately 35 government agencies that meet on a monthly basis, and as needed, to address specific threats and vulnerabilities. The IACC includes representation from NASA, the US Postal Service, the Air Force Office of Special Investigations (AFOSI), the US Secret Service, US Customs, the Departments of Energy, State and Education, and the Central Intelligence Agency, to name a few.

The Department of Defense has the second largest (after FBI) interagency contingent in the NIPC. The Deputy Director of the NIPC is a two-star Navy Rear Admiral; the Executive Director is detailed from the Air Force Office of Special Investigations; the head of the NIPC Watch is a Naval Reserve officer; and the head of the Analysis and Information Sharing Unit is a National Security Agency detailee. There are also liaison representatives from the National Imagery and Mapping Agency and the Joint Programs Office. A contingent of DOD reservists serves in the Center to provide additional critical infrastructure expertise and emergency surge capabilities. NIPC works particularly closely with the DOD through liaison with the Joint Task Force-Computer Network Operations (JTF-CNO). NIPC members stay in close contact with their JTF-CNO counterparts, providing mutual assistance on intrusion cases into DOD systems, as well as on other matters. NIPC alerts, advisories, and assessments are routinely coordinated with the JTF-CNO prior to release to solicit JTF input.

The NIPC also has an excellent cooperative relationship with the Federal Computer Incident Response Center (FedCIRC). The NIPC's Director and principal legal advisor sit on FedCIRC's Senior Advisory Council, and a FedCIRC representative participates in NIPC's Senior Interagency Partners Group. FedCIRC is operated by the General Services Administration as the central coordinating point on security vulnerabilities and lower level security incident data.

On the information infrastructure side of the equation, a typical cyber investigation can involve victim sites in multiple states and often many countries, and can require tracing an evidentiary trail that crosses numerous state and international boundaries. Even intrusions into U.S. systems by a perpetrator operating within the US often require international investigative activity because the attack is routed through Internet Service Providers and computer networks located outside the United States. When evidence is located within the United States, the NIPC coordinates law enforcement efforts which might include: subpoenas for records served by FBI agents, electronic surveillance, execution of search warrants, and seizure and examination of evidence. This means that effective international cooperation is essential to our ability to investigate cyber crime. The FBI's Legal Attaches (LEGATs) provide the means to accomplish our law enforcement coordination abroad, and are often the first officials contacted by foreign law enforcement should an incident occur overseas that requires U.S. assistance.

 

Steven M. Martinez, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

Testimony on Cyber Terrorism, April 21, 2005

Subcommittee on Crime, Terrorism, and Homeland Security, Committee on the Judiciary, U.S. House of Representatives

In this digital age, crimes can and do occur within seconds without the perpetrator ever getting anywhere physically close to the victim. In such a setting, law enforcement must be equipped with the investigative tools necessary to meet, locate, and incapacitate this growing threat. I want to express my full agreement about the importance of the PATRIOT Act and the provisions I plan to address today. I believe that the Act's substantial merit can be demonstrated by what we already have experienced as a nation; still, it is equally true that the Act is essential so that we are prepared to confront the ever-evolving threat that no doubt will come.

Section 209 permits law enforcement officers to seize voice mail with a search warrant rather than a surveillance, or Title III, order. Section 209 provides a very good example of how the USA PATRIOT Act simply updated the law to reflect recent technological developments. The drafters of the Act determined that obtaining voicemail stored on a third party's answering system is more similar to obtaining voicemail stored on a home answering machine (which requires a search warrant) than it is to monitoring somebody's telephone calls (which requires a TIII order). In passing this portion of the Act, Congress made the statutory framework technology-neutral. Privacy rights are still well accounted for, since section 209 allows investigators to apply for and receive a court-ordered search warrant to obtain voicemail pursuant to all of the pre-existing standards for the availability of search warrants, including a showing of probable cause. With privacy rights left firmly intact, there is a distinct advantage to the public's safety when law enforcement can obtain evidence in a manner that is quicker than the Title III process.

I would like to move next to section 217, the hacker trespasser exception. Like section 209 before it, section 217 also makes the law technology-neutral. Section 217 places cyber-trespassers--those who are breaking into computers--on the same footing as physical intruders. Section 217 allows the victims of computer-hacking crimes voluntarily to request law enforcement assistance in monitoring trespassers on their computers. Just as burglary victims have long been able to invite officers into their homes to catch the thieves, hacking victims can now allow law enforcement officers into their computers to catch cyber-intruders. This, in essence, is what was occurring prior to the PATRIOT Act.

With respect to the first point, the narrowly crafted scope of this legislation, section 217 preserves the privacy of law-abiding computer users by sharply limiting the circumstances under which the trespasser exception may be used. At its most fundamental level, section 217 requires consent. Law enforcement assistance is by invitation only. Since its enactment, section 217 has played a key role in a variety of hacking cases, including investigations into hackers' attempts to compromise military computer systems. Allowing section 217 to expire at the end of this year would help computer hackers avoid justice and prevent law enforcement from responding quickly to victims who are themselves asking for help.

Lastly, I would like to turn to section 220 of the USA PATRIOT Act. Section 220 enables federal courts--with jurisdiction over an investigation--to issue a search warrant to compel the production of information (such as unopened e-mail) that is stored with a service provider located outside their district. Prior to the PATRIOT Act, if an investigator wanted to obtain the contents of unopened e-mail from a service provider located in the United States, he or she needed to obtain a warrant from a court physically located in the same federal district as the service provider was located.

Section 220 fixed this problem. It makes clear, for example, that a judge with jurisdiction over a kidnapping investigation in Pittsburgh can issue a search warrant for e-mail messages that are stored on a server in California. As a result, the investigators in Pennsylvania can ask the judge most familiar with the investigation to issue the warrant rather than having to ask an Assistant United States Attorney in California, who is unfamiliar with the case, to ask a district judge in California, who also is unfamiliar with the case, to issue the warrant. It is imperative that section 220 be renewed. The provision expedites the investigative process and, in doing so, makes it more likely that evidence will still be available to law enforcement after it executes a court-authorized search warrant and obtains further leads; the provision frees up FBI, U.S. Attorney, and judicial personnel to more efficiently pursue other time-sensitive investigative matters; and section 220 in no way lowers the protections that apply to the government's application for a search warrant.

 

Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation

Testimony on Cybersecurity Issues, April 12, 2011

Senate Judiciary Committee, Subcommittee on Crime and Terrorism

As both an intelligence and law enforcement agency, the FBI can address every facet of a cyber case—from collecting intelligence on the subjects in order to learn more about their networks to dismantling those networks and prosecuting the individual perpetrators. The ability to take action on the information we collect is critical because what may begin as a criminal investigation may become a national security threat.

U.S. critical infrastructure faces a growing cyber threat due to advancements in the availability and sophistication of malicious software tools and the fact that new technologies raise new security issues that cannot always be addressed prior to adoption. The increasing automation of our critical infrastructures provides more cyber access points for adversaries to exploit.

New “smart grid” and “smart home” products, designed to provide remote communication and control of devices in our homes, businesses, and critical infrastructures, must be developed and implemented in ways that will also provide protection from unauthorized use. Otherwise, each new device could become a doorway into our systems for adversaries to use for their own purposes. Industrial control systems, which operate the physical processes of the nation’s pipelines, railroads, and other critical infrastructures, are at elevated risk of cyber exploitation.

Cyber crime that manipulates the supply chain could pose a threat to national security interests and U.S. consumers. Malware could be embedded on the chips to exfiltrate information from computers and result in the theft of personally identifiable information (PII) that could then be used in future cyber crimes. As the quality of counterfeit goods increases, U.S. consumers may be challenged to tell the difference between authentic and fraudulent goods. Operation Cisco Raider is a joint initiative between the U.S. and Canada that targets the illegal distribution of counterfeit network hardware manufactured by private entities in China. The use of counterfeit network components can lead to exploitation of cyber infrastructure vulnerabilities and even network failure. Since 2006, Operation Cisco Raider has seized over 3,500 network components amounting to $3.5 million of Cisco retail products. Ten individuals have been convicted as a result of the joint initiative.

Successful botnet development and operations use techniques similar to legitimate businesses, including the involvement of personnel with various specialties, feature-based pricing structures, modularization, and software copy protection. The development and sale of kit-based botnets has made it easier for criminals with limited technical expertise to build and maintain effective botnets. Botnet development and management is approached in a business-like fashion. Some criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal organization. At least one botnet kit author implemented a copy protection scheme, similar to major commercial software releases, which attempts to limit unauthorized use of the botnet kit.

Hacktivist groups such as Anonymous undertake protests and commit computer crimes as a collective unit. Anonymous does not have a leader or a controlling party, but instead relies on the collective power of individual participants. Its members utilize the Internet to communicate, advertise, and coordinate their actions. Anonymous has initiated multiple criminal Distributed Denial of Service attacks against the Recording Industry Association of America, the Motion Picture Association of America, the Church of Scientology, and various businesses in support of WikiLeaks. Just last month, Anonymous hacked into the website of a U.S. security firm with U.S. government contracts and stole approximately 72,000 e-mails from the company and posted them online. This attack was in response to the claim that a researcher at the company had identified key members of Anonymous.

The sting of a cyber crime is not felt equally across the board. A small company may not be able to survive even one significant cyber attack. On the other hand, companies may not even realize that they have been victimized by cyber criminals until weeks, maybe even months later. Victim companies range in size and industry. Often, businesses are unable to recoup their losses, and it may be impossible to estimate their damage. Over the past five years, estimates of the costs of cyber crime to the U.S. economy have ranged from millions to hundreds of billions. A 2010 study conducted by the Ponemon Institute estimated that the median annual cost of cyber crime to an individual victim organization ranges from $1 million to $52 million.

According to a 2011 publication released by Javelin Strategy and Research, the annual cost of identity theft is $37 billion. This includes all forms of identity theft, not just cyber means. The Internet Crime Complaint Center (IC3), which aggregates self-reported complaints of cyber crime, reports that in 2010, identity theft schemes made up 9.8 percent of all cyber crime.

The FBI is a substantial component of the Comprehensive National Cybersecurity Initiative (CNCI), the interagency strategy to protect our digital infrastructure as a national security priority. Through the CNCI, we and our partners collaborate to collect intelligence, gain visibility on our adversaries, and facilitate dissemination of critical information to decision makers.

Through the FBI-led National Cyber Investigative Joint Task Force, we coordinate our efforts with 20 law enforcement and intelligence community (IC) entities, including the Central Intelligence Agency, Department of Defense, Department of Homeland Security (DHS), and the National Security Agency. The FBI also has embedded cyber staff in other IC agencies through joint duty and detailee assignments.

We currently have FBI agents embedded full-time in five foreign police agencies to assist with cyber investigations: Estonia, the Netherlands, Romania, Ukraine, and Colombia. These cyber personnel have identified cyber organized crime groups targeting U.S. interests and supported other FBI investigations. We have trained foreign law enforcement officers from more than 40 nations in cyber investigative techniques over the past two years.

We have engaged our international allies, including Australia, New Zealand, Canada, and the United Kingdom, in strategic discussions that have resulted in increased operational coordination on intrusion activity and cyber threat investigations.

In addition to InfraGard, the FBI participates in other activities with the private sector, like the Financial Services Information Sharing and Analysis Center (FS-ISAC). A good example of this cooperation is the FBI’s identification of a bank fraud trend in which U.S. banks were unaware that they were being defrauded by businesses in another country. As a result of FBI intelligence analysis, a joint FBI/FS-ISAC document was drafted and sent to the FS-ISAC’s membership, alerting them to these crimes and providing recommendations on how to protect themselves from falling victim to the same scheme.