OIG Report On Federal Government's Cyber Security Initiative
July 2015
U.S. Department of Justice Office of the Inspector General, The Federal Bureau of
Investigation's Ability to Address the National Security Cyber Intrusion Threat, Audit Report 11-22
(April 2011).
previously run by the Cyber Division, including the Innocent Images National
Initiative addressing child pornography and the Intellectual Property Rights
Program, to its Criminal Investigative Division (CID). Second, the FBI shifted its
cyber intrusion emphasis from reacting to cyber-attacks to predicting and
preventing them. In the context of this new framework, the Next Gen Cyber
Initiative focuses on four areas: (1) strengthening the NCIJTF; (2) advancing the
capability of the FBI cyber workforce and supporting related enterprise
infrastructure; (3) expanding the Cyber Task Forces focused on intrusion
investigations in each of the FBI's 56 field offices; and (4) enhancing information
sharing and operational collaboration with the private sector.
Our current audit found that the FBI has made considerable progress towards
achieving the goals it established for the Next Gen Cyber Initiative. We found that
the NCIJTF, which serves as a coordination, integration, and information sharing
center among 19 U.S. agencies and international representatives for cyber threat
information, is no longer perceived as an extension of the FBI. Additionally,
according to NCIJTF partners, information sharing has improved among the
members, which was an issue identified in our 2011 report. Also, the FBI has
established Cyber Task Forces in all 56 field offices. In 2011, the FBI had Cyber
Crime Task Forces in 45 of the 56 field offices. Furthermore, the FBI has
implemented a cyber-specific training strategy to improve the technical skills of its
entire workforce, with specific training made available to those working cyber
intrusion investigations. The FBI is offering qualified personnel an opportunity to
participate in a Master's Degree program at Carnegie Mellon University and is in the
process of initiating a similar program at New York University's Polytechnic School
of Engineering, to provide an attractive incentive and valuable training to help
recruit, develop, and retain the cadre of FBI cyber professionals.
While the FBI has made progress in implementing its initiative, we found that
there are still issues preventing the FBI from fully meeting all of its goals for the
Next Gen Cyber Initiative. In particular, we found that:
the NCIJTF did not have a process to measure the timeliness of information sharing among members;
the FBI did not hire 52 of the 134 computer scientists for which it was authorized; and
5 of the 56 field offices did not have a computer scientist assigned to that office's Cyber Task Force.
Edward Snowden is an American computer professional who worked at the National Security
Agency as a contractor and revealed classified information, including details of United States
government global surveillance programs. Snowden has been charged by the Department of Justice
with violating the Espionage Act and theft of government property. United States v. Edward J.
Snowden, 1:13 CR 265 (CMH).
James B. Comey, Jr., Director, Federal Bureau of Investigation, before the Homeland
Security Committee, U.S. House of Representatives, concerning Worldwide Threats to the Homeland
(September 17, 2014).
Botnets are remotely controlled systems used to coordinate attacks and distribute phishing
schemes, spam, and malware attacks. The FBI defines state-sponsored hackers as groups or
individuals conducting computer network operations at the direction of, or with the support of, a
nation state. Global cyber syndicates are organized criminal groups who use spam, spyware and
malware, and other types of cyber tools to engage in criminal conduct, including identity theft, online
fraud, and computer extortion for monetary gain.
borders and beyond. The FBI's most recent major initiative to strengthen its cyber
capabilities to address attacks such as these is the Next Generation Cyber Initiative.
Background
In April 2011, the Department of Justice Office of the Inspector General
(OIG) issued a report that addressed the FBI's ability to address the national
security cyber intrusion threat.4 The report made 10 recommendations to the FBI
to help it to improve its efforts in this area, including that the FBI establish policies
and procedures for the sharing of information at the National Cyber Investigative
Joint Task Force (NCIJTF); enhance efforts to educate FBI field office personnel on
the NCIJTF's role and use within FBI's national security cyber strategy; evaluate the
effectiveness of the step-by-step training course for FBI agents on how to
investigate national security intrusion cases; reconsider the rotation policy for cyber
agents and ensure that agents skilled and experienced in cyber intrusions are
available to FBI field offices; and consider developing regional hubs with agents
that are experts in investigating national security intrusions. The FBI has provided
the OIG with documentation to show that the FBI has adequately addressed all 10
of the recommendations contained in the 2011 report.
The FBI initiated its Next Generation Cyber (Next Gen Cyber) Initiative in
May 2012 in order to enhance the FBI's ability to address the full range of
cybersecurity threats to the United States. According to the FBI, implementation of
the Next Gen Cyber Initiative has focused on four areas: (1) strengthening the
NCIJTF; (2) advancing the capability of the FBI's cyber workforce and supporting
related enterprise infrastructure; (3) expanding Cyber Task Forces in each of the
FBI's 56 field offices that focus on intrusion investigations; and (4) enhancing
information sharing and operational collaboration with the private sector.
The Next Gen Cyber Initiative represents a fundamental shift in the FBI's
approach to addressing the cyber threat, changing its focus from reacting to
cyber-attacks to predicting and preventing them. As part of the Next Gen Cyber
Initiative, the Cyber Division was restructured to focus solely on computer
intrusions and the FBI transferred responsibility for the investigation of crimes not
focused on intrusion, specifically the Cyber Crime Program, Innocent Images
National Initiative (addressing child pornography), Intellectual Property Rights,
Internet Fraud, Internet Extortion, Identity Theft, Internet Money Laundering, and
Internet Gambling, from the Cyber Division to the Criminal Investigative Division.
The FBI-wide initiative encourages collaboration between the Cyber, Training, and
Operational Technology Divisions and is supported by the Finance Division,
Resource Planning Office, and Directorate of Intelligence. For fiscal year (FY) 2014,
the FBI initially budgeted $314 million for its Next Gen Cyber Initiative, including a
total of 1,333 full-time positions (including 756 agents). In addition, the
Department of Justice (Department) requested an $86.6 million increase in funding
for FY 2014 to support the Initiative. In this audit, we evaluated the FBI's
implementation of its Next Gen Cyber Initiative in each of its four core areas.
Office of the Inspector General Audit Approach
The OIG conducted this audit to evaluate the FBI's implementation of the
Next Gen Cyber Initiative to combat cyber intrusions. To accomplish this objective,
we interviewed more than 50 FBI officials at FBI headquarters and FBI field offices.
We also interviewed 3 Department of Justice officials, 10 NCIJTF members, and
more than 12 private sector entities, including officials from the Carnegie Mellon
University Software Engineering Institute and the National Cyber-Forensics and
Training Alliance (NCFTA). We reviewed Next Gen Cyber Initiative planning
documentation, records, and reports, and conducted five site visits to FBI field
offices. The scope of our audit includes the implementation of the FBI's Next Gen
Cyber Initiative from May 2012, when the initiative was announced, through
January 2015.
In this report, the first finding describes the steps the FBI has taken to
strengthen the NCIJTF, including changes to its organizational structure intended to
ensure that the NCIJTF is no longer perceived as an extension of the FBI's Cyber
Division and its efforts to foster interagency cooperation and information sharing.
We interviewed 10 NCIJTF members, including representatives from the National
Security Agency (NSA); the U.S. Department of Homeland Security (DHS); the
Central Intelligence Agency (CIA); the Air Force Office of Special Investigations (AFOSI); U.S. Cyber Command; and Five Eyes partners from Australia and the United
Kingdom.5
In the second finding, we discuss the FBI's efforts to expand workforce
training and enterprise infrastructure. Specifically, we reviewed the FBI's efforts to
hire, train, and retain key cyber staff and the status of the FBI's efforts to fill cyber
positions through January 2015. Additionally, we reviewed the FBI's new cyber
training strategy to improve the skills of FBI employees, especially those working
cyber intrusion investigations. Finally, we reviewed the challenges the FBI is facing
in its effort to recruit and retain highly skilled cyber personnel, as well as the
initiatives the FBI has planned to assist with addressing the challenges.
The third finding focuses on the expansion of the FBI's Cyber Task Forces in
all of its 56 field offices and the FBI's efforts to recruit non-FBI participants to serve
as Task Force Officers. To inform our review of the FBI's efforts in this regard, we
conducted interviews with individuals from the following FBI field offices: Newark,
New Jersey; Philadelphia, Pennsylvania; Pittsburgh, Pennsylvania; San Francisco,
California; and Seattle, Washington. We also interviewed task force officers,
including personnel from other law enforcement entities.
Five Eyes (FVEY) is an alliance comprising Australia, Canada, New Zealand, the United
Kingdom, and the United States.
The last finding describes information sharing and collaboration between the
FBI and the private sector. We interviewed FBI officials, reviewed several FBI
officials' testimonies related to the FBI's efforts to combat cyber intrusions, and
interviewed individuals from private sector entities to gain an understanding of the
FBI's efforts to enhance its information sharing and collaboration with the private
sector. We also interviewed individuals from the FBI Cyber Division Operations and
Outreach Section, including officials from the National Industry Partnership Unit
(NIPU), Guardian Victim Analysis Unit (GVAU), and Key Partnership Engagement
Unit (KPEU).
Appendix 1 contains further descriptions of our audit objectives, scope, and
methodology.
(2008).
7
In addition to 19 federal partners, the NCIJTF has five affiliates. Affiliates are agencies that
have a signed memorandum of understanding with the NCIJTF and have personnel on site at the
NCIJTF. However, the agencies do not have a primary cyber investigative role and their personnel do
not have a primary role in NCIJTF campaigns.
The Cyber National Security Section, which due to reorganization no longer exists, was
responsible for managing the FBI's counterterrorism and counterintelligence computer intrusion
operations. The responsibility of the Cyber National Security Section has been divided amongst three
newly-created sections in the Cyber Operations Branch.
why they did not receive available information. We also found a lack of
coordination between FBI field offices and the NCIJTF regarding national security
cyber intrusions, and that NCIJTF partners were not integrated into NCIJTF
operations, with several of the partners not having a memorandum of understanding
(MOU) in place establishing information sharing protocols among the NCIJTF
members. The OIG made several recommendations related to these issues and the
recommendations were closed after we verified that the FBI established NCIJTF
information sharing policies and procedures for sharing information among all its
members.
During this audit, NCIJTF members told us that they believe interagency
collaboration has increased and information has been shared freely between
member agencies as necessary. For example, the Operation Clean Slate Initiative
was a continuous, targeted campaign aimed at eliminating significant botnets
affecting United States interests. This initiative included United States government
partners, international partners, and other private sector stakeholders. The NCIJTF
members who we interviewed confirmed that there was significant and appropriate
sharing of information between NCIJTF members in carrying out this initiative.
However, we were also told that the NCIJTF did not have a process to track
and review the timeliness of such information sharing. We believe this is significant
because if information sharing is delayed, the FBI cannot be certain NCIJTF
members are able to use the information to effectively prevent or mitigate threats
in a timely manner. Given the potentially negative impact outdated information can
have on the NCIJTF's ability to effectively minimize or prevent a cyber attack, we
believe that the FBI should develop a process to measure the timeliness of
information sharing at the NCIJTF.
school recruiting programs and targeted utilization of the FBI's University Education
Program.10
The FBI's Human Resource Division is working with FBI divisions and field
offices to develop recruiting programs to identify schools, universities, clubs, and
professional organizations that focus on the development and promotion of cyber
education and talent. One FBI official explained that the FBI is offering several
incentives to recruit individuals including school loan repayment, reimbursement for
continuing education, and hiring at higher salary levels on the general pay scale.
He also added that the FBI is providing training opportunities for existing personnel
including certifications and enrollment in the Carnegie Mellon University Master's
program in Information Technology as retention tools. In addition, in
December 2014, the FBI announced to its employees a similar program at the New
York University Polytechnic School of Engineering. We were told that such
advanced educational opportunities provide an attractive inducement for individuals
with cyber skills to stay with the FBI and, as discussed below, they can provide a
valuable training opportunity for them as well. Still, although recruitment and
retention of skilled cyber professionals is challenging for the FBI, most of the FBI
cyber agents we interviewed told us that it is the FBI's mission that motivates them
to stay at the FBI rather than leave for more lucrative positions.
Training
One objective of the Next Gen Cyber Initiative was to improve the cyber
skills of its employees. To achieve this objective, the FBI implemented a new
training strategy in 2012. The cyber training strategy included: (1) High
Technology Environment Training, an initiative to improve the technical skills and
baseline technological knowledge of the entire FBI workforce; (2) commercially
available training courses for cyber personnel so that they can maintain their skills;
and (3) opportunities for qualified FBI personnel to earn a Master of Science degree
in Information Technology. In addition, we reviewed the results of a 2013 FBI
training survey conducted to gain a better understanding of the training needs of
the cyber workforce.
High Technology Environment Training
To address the increasing role of computer technology in criminal activity and
to enable its most technically skilled cyber agents to focus on the most complex
cases, the FBI developed an enterprise-wide training curriculum called High
Technology Environment Training (HiTET). According to the FBI, HiTET was
designed to ensure that the FBI's Special Agents, Intelligence Analysts, and
professional staff possess the basic technical capabilities to address the growing
cyber threat in the broad array of investigations that include a cyber element, but
may not be focused cyber investigations. The HiTET Overview course was designed
10
The FBI established the University Education Program (UEP) to enable qualified employees
in the Counterterrorism, Counterintelligence, Cyber, and Security Programs to earn advanced degrees.
The UEP is a tuition reimbursement program.
personnel had been selected to enroll in the program. While the numbers in these
programs are small, we believe they may provide an attractive incentive and
valuable training to help recruit, develop, and retain a core cadre of FBI cyber
professionals.
Cyber Training Survey
In anticipation of the 2013 federal budget sequestration, which was expected
to severely limit training resources, the FBI increased use of online training courses
in its cyber curriculum. In August 2013, to gain a better understanding of the
training needs of the cyber workforce, the FBI surveyed approximately 1,400
personnel with cyber responsibilities and received 1,154 responses (a response rate
of approximately 82 percent). The results were compiled and documented in a
November 2013 internal Cyber Division report.11 We reviewed the report and found
that the majority of respondents investigating cyber matters were relatively new to
their position (reporting less than 5 years of experience in their current FBI
position). The report noted that more than 80 percent of respondents preferred
classroom courses. In addition, all of those respondents who reported they were
working on cyber matters expressed a strong interest in advanced cyber training.
The most requested training courses offered by SANS were: Cutting-Edge Hacking
Techniques; Network Penetration Testing; and Hacker Techniques, Exploits and
Incident Handling.
We were told by the FBI that based on responses to the survey, the cyber
curriculum was revised and approved in November 2014. According to the FBI, the
new cyber curriculum is based on several findings from the training survey,
including: (1) designing the curriculum so that individuals from different academic
and technical backgrounds can be trained to be cyber investigators; (2) balancing
the technical courses offered by SANS and other investigative training courses; and
(3) an overwhelming preference for classroom-based training, especially
higher-level technical courses.
Computer Scientists
To strengthen its abilities to address the growing cyber threat and evolving
technology, the FBI developed the Computer Scientists Field Operations Program to
try to ensure adequate resources are available to enhance investigative and
intelligence operations related to cyber intrusion threats. To address this
requirement, during the fourth quarter of FY 2012 as part of the Next Gen Cyber
Initiative, the FBI realigned its internal funded staffing levels (FSL) to include at
least one computer scientist in each field office.
Due to a FY 2014 enhancement, the Cyber Division was authorized to hire
134 Computer Scientists to address the need for advanced cyber skills within the
FBI. The FBI is currently hiring and training computer scientists. The goal is to
assign at least 1 computer scientist to Cyber Task Forces in each of the 56 field
offices. As of January 2015, however, 52 of the 134 Computer Scientist positions
remained vacant and 5 of 56 field offices did not have at least 1 computer scientist,
as planned.
11
Federal Bureau of Investigation Cyber Division Cyber Training and Logistics Unit, Cyber
Training Survey Data, November 8, 2013.
All newly hired computer scientists are required to attend a 7-week training
program at the FBI Academy in Quantico, Virginia. The objective is to teach
computer scientist personnel how to apply their technical expertise in support of
FBI investigations and operations. Since the implementation of the Next Gen Cyber
Initiative, there have been four training cycles of the Computer Scientists Field
Operations Program.
We were told by the FBI that because of the FY 2013 federal budget
sequestration and government-wide hiring freeze, it has taken more time than
originally anticipated to meet the intended computer scientist hiring goal. The FBI
is also trying to hire more computer scientists from within the FBI and has listed
vacancy announcements soliciting current FBI personnel to fill computer scientist
positions.
The Assistant Director of the Cyber Division acknowledged that computer
scientist position pay scales cannot compete with private sector pay scales.
Therefore, in FY 2015 the Cyber Division requested and provided justification to
hire four senior level positions under the Senior Level and Scientific Position
(SL/ST) pay system to attract high-level, technically trained subject matter experts
that are extremely difficult to recruit under the standard general pay scale.12
Currently, the FBI employs contractors and cyber professionals to fulfill these highly
technical positions. We were told by the FBI that the Senior Level and Scientific
positions would provide it with a better opportunity to retain these highly skilled FBI
cyber professionals, as well as provide a financial savings by potentially converting
FBI contractor employees to government positions.
In addition to identifying alternate higher pay scales, the FBI is currently
reviewing programs used by other agencies to attract qualified computer scientists,
including programs that the NSA and CIA use to develop and attract high school
students.
12
Senior Level (SL) positions require individuals whose duties are broad and complex enough
to be classified above the GS-15. Scientific or Professional (ST) positions require individuals with
high-level research and development experience in physical, biological, medical, or engineering
sciences, or a closely related field.
13
The personnel assigned to a Cyber Task Force may include Special Agents, Intelligence
Analysts, Computer Scientists, and other professional staff from the FBI; and Task Force Officers, Task
Force Members, and Task Force Participants detailed from other agencies.
According to FBI officials, the cyber intrusion threat has become increasingly
relevant to state and local law enforcement agencies since entities targeted for
cybercrime are located within state and local law enforcement agencies' areas of
responsibilities. For example, in June 2014, the GameOver Zeus botnet targeted
businesses and consumers throughout the United States, which resulted in
complaints to state and local law enforcement agencies. The FBI's Cyber Task
Forces are designed to lead interagency efforts to combat criminal and national
security related cyber intrusion threats. As a result, the FBI seeks national, state,
and local agency-level participation. Participants do not have to be sworn law
enforcement officers. Civilian employees such as computer scientists and analysts
working in the private sector, academic institutions, or other government agencies,
such as the NSA, may be detailed to the Cyber Task Forces.
However, we found that the FBI has encountered challenges in attracting
external participants to its Cyber Task Forces. According to the FBI, few state and
local law enforcement agencies are motivated to join a task force focused on cyber
intrusion threats because they may not fully understand the cyber threat, they may
believe that cyber intrusion investigations are inherently a federal matter, or they
may not have the resources or personnel to detail an officer to the local Cyber Task
Force.
One FBI official stated that although state and local law enforcement
agencies may not see cyber intrusion threats as an important concern, it will
become more of an issue for them in the near future as cyber intrusions increase
and the effects of those intrusions are felt at the state and local level. We were told
by the FBI that the lack of external participation on Cyber Task Forces in each of
the FBI's field offices may limit the sharing of critical information and hinder the
FBI's ability to adequately investigate and address future cyber intrusion threats.
As a result, the FBI told us that it is continuing its outreach efforts to educate state
and local law enforcement agencies about the importance of this work by sharing
information through cyber security briefings and offering cyber security training
opportunities. We reviewed outreach materials and found that the materials
address the domestic threat landscape and the tools used to identify the threats.
According to information reported by the field offices to the FBI Cyber
Division, as of January 2015, the FBI had 1 Cyber Task Force in each of its 56 field
offices. The Cyber Task Forces include over 1,000 members nationwide,
representing over 80 state and local agencies, over 30 private sector entities, 6
academic institutions, and over 40 federal agencies, including the U.S. Secret
Service, the NSA, and the CIA. In comparison, as of January 2015, the FBI had 71
Joint Terrorism Task Forces (JTTF) focused on investigating terrorism located in 104
cities nationwide, with at least 1 in each of the FBI's 56 field offices. According to
the FBI's website, the JTTFs include approximately 4,000 members nationwide from
over 500 state and local agencies and 55 federal agencies, including the
Department of Homeland Security, the United States military, Immigration and
Customs Enforcement, and the Transportation Security Administration.
In addition to the challenges mentioned above, FBI Cyber Division
headquarters communications with the FBI field offices may have lacked sufficient
detail about the resources available to facilitate such participation. As a result, field
offices may have failed to consistently interpret the resources available for
recruiting TFOs. For example, at two of the field offices we visited, FBI officials told
us that one of the challenges in recruiting state and local participation is that they
are unable to offer incentives to TFOs. However, at another field office, a TFO told
us that the FBI provided use of computers, a government vehicle, and cyber
training as incentives to attract TFOs to the Cyber Task Force. Additionally, the
same TFO stated that the FBI field office provided additional resources, such as
access for his local agency to the field office Computer Analysis Response Team
(CART) lab examiners who process evidence.14 We believe that the Cyber Division
should ensure that all field offices are fully informed of the resources available to
facilitate such participation.
While we are concerned about the lack of non-FBI representation on a
number of Cyber Task Forces, there are signs that the FBI's efforts to bring in
personnel from other agencies are yielding some results. In addition to the
recruitment efforts for personnel from state and local agencies, in June 2014, the
Assistant Director of the FBI Cyber Division told us that the NSA is in the process of
selecting a total of six analysts to assign to Cyber Task Forces based in the San
Antonio, Chicago, Atlanta, Detroit, San Francisco, and Pittsburgh field offices. One
field office we visited had a Special Agent from the Department of Defense Office of
the Inspector General assigned to its Cyber Task Force. Another field office had
two part-time analysts from the United States Cyber Command. While these are
positive developments, we believe the FBI needs to continue its efforts to educate
and make it possible for other important partners, particularly including state and
local law enforcement partners, to participate on the Cyber Task Forces and ensure
all relevant Cyber Task Force information, including resources
14
FBI's CART examiners provide digital forensic services to FBI investigators and, in certain
instances, federal, state, and local partners. CART examiners analyze digital media including desktop
and laptop computers, CDs/DVDs, and other forms of digital evidence.
15
On September 8, 2014, the OIG briefed the FBI on the audit findings. At that time, the FBI
did not provide any information related to Cyber Task Forces. At the exit conference conducted in
May 2015, the FBI provided the OIG with documentation outlining steps that it has taken to fully
inform each field office of resources available to facilitate and enhance task force participation.
Specifically, the FBI told us in May 2015 that, in September 2014, it had launched an enhanced
webpage as an information resource that included the Cyber Task Force Policy and Guidance Manual,
Cyber Task Force Funding, Cyber Task Force FAQs, a Cyber Task Force Fact Sheet, and procedures for
new Cyber Task Force Officers.
16
Edward Snowden is an American computer professional who worked at the NSA as a
contractor and revealed classified information, including details of global surveillance programs.
Snowden has been charged by the Department of Justice with violating the Espionage Act and theft of
government property. United States v. Edward J. Snowden, 1:13 CR 265 (CMH).
18
The InfraGard network is a longstanding partnership between the FBI and the private
sector. It is a network of individuals dedicated to sharing information and intelligence to prevent
hostile acts against the United States.
20
According to information provided to the OIG after the exit conference in May 2015, from
September 2013 through May 2015 the FBI provided a total of 111 classified briefings to 570 private
sector entities and 145 unclassified briefings to 346 companies. Additionally, at the exit conference,
the FBI told us it is codifying its processes for outreach to the private sector through an
enterprise-wide initiative. The Cyber Division is collaborating with the Office of Private Sector Engagement on
this initiative, and its methodology to identify and prioritize outreach is being adopted by the Office of
Private Sector Engagement.
21
In June 2014, the CIRFU was moved from the Cyber Division's Cyber Outreach Section to
the Cyber Operation Section.
combat significant actors involved in both criminal and national security threats.
NCFTA members develop strategies to mitigate the cyber threat and the CIRFU uses
that information to open or further existing FBI investigations, often together with
law enforcement partners around the world.
The NCFTA Chief Executive Officer (CEO) told us that the NCFTA has been
successful breaking down information sharing barriers between the private sector
and government. The CEO indicated that in the past, private sector representatives
felt that there was no mutual sharing of information. For example, the private
sector would provide unclassified information to the FBI, which would subsequently
mark it as classified and then not share the information with others in the private
sector. The information shared and maintained at the NCFTA is considered
unclassified and open source, which allows for greater collaboration between NCFTA
members and the FBI. One private sector representative told us that the NCFTA is
the gold standard for sharing information. According to the NCFTA CEO, there are
about 15 private sector companies with representatives currently located at the
NCFTA and it is in the process of recruiting an additional 19 new private sector
companies.
We found that NCFTA participants rely heavily on the informal relationships
that have resulted from members working in the same location. One NCFTA
participant told us that discussions among NCFTA members often occur informally
about threats without giving away sensitive or proprietary information. However,
the same NCFTA participant told us that one of the challenges with information it
receives from the FBI is that it is stale by the time it is formally distributed through
one of the FBI's intelligence reports to industry. Several NCFTA members said that a lot
of the FBI information that should be available for sharing is over-classified, and
that this prevents the timely sharing of information.
Challenges in Sharing Information
The FBI faces several challenges in sharing information with the private
sector, including: (1) a perception by the private sector that information flows in
one direction to the FBI; (2) information, when provided by the FBI, is often not
useful because it lacks context or is outdated; and (3) private sector concerns
regarding how the FBI will use the information that is shared.
One-Way Communication of Information
At the February 2014 conference mentioned previously, Director Comey also
acknowledged that it often seems to private industry that information flows one
way to the government.22 We interviewed representatives from more than 12
private sector entities and were consistently told that information seems to only
flow in one direction, which is from the private sector to the FBI. Several private
sector representatives told us that providing information to the FBI is akin to
sending it into a black hole: the information goes in and the entities never hear
any more about it. The FBI has acknowledged these private sector concerns, but
has also stated that a lot of information cannot readily be shared because it is part
of an ongoing investigation. In response to this challenge, the FBI has developed
reports that it can share with the private sector. According to the FBI, FBI Liaison
Alert System Reports share anonymous and declassified technical indicators,
gleaned from ongoing investigations, with the private sector to assist them with
protecting their networks. From April 2013 through January 2015, 70 FBI Liaison
Alert System Reports were disseminated. The FBI also disseminates Private
Industry Notification Reports that provide contextual threat information regarding
nefarious activity by cyber criminals. From May 2013 to January 2015, the FBI
disseminated 42 Private Industry Notification Reports.
While this explanation may have some validity in certain cases, we believe
that when the FBI fails to exchange information on an ongoing basis with the
private sector, the private sector's ability to address and mitigate threats in a
timely manner may be hindered. In addition, this lack of mutual exchange of
timely information creates an environment in which private sector entities may be
less willing to share important information in the future.
Outdated FBI Information
According to private sector representatives, another issue is the timeliness of
information received from the FBI. Several private sector representatives stated
that they believe that the FBI over-classifies its information and by the time the
information is scrubbed and released, the information is often stale and no longer
useful. They also told us that the information received from the FBI is often
information that the private sector partners already have.
Another private sector representative told us that cybersecurity information
has to move fast and that the FBI should determine a method for not over-classifying its information to facilitate this. Additionally, the same private sector
representative told us that if the FBI does not have a metric in place to measure
how quickly information is being disseminated from the FBI to the private sector, it
should. We confirmed with the FBI that no such metrics exist but that the FBI was
in the process of working to develop metrics to measure the efficiency with which
information is shared. We believe that the FBI cannot measure its own
effectiveness if it is not measuring the time from when it receives to when it
disseminates actionable information to the private sector.
Director Comey stated that the FBI needs to have a means to share
information in real time.23 We found that the FBI is currently working on machine-to-machine capabilities that would facilitate sharing of cyber threat information in a
more timely fashion with the private sector.24 At the time of our fieldwork, the
FBI's machine-to-machine capabilities were still in the planning stages. One private
sector representative told us that many private sector entities are already using
machine-to-machine platforms and the FBI should consider doing so to provide
more timely information to the private sector. The representative added that in the
cyber arena, that velocity of information is critical. Given the growing nature of the
cyber threat, we recommend that the FBI move as quickly as possible to develop
strategies, including machine-to-machine capabilities to ensure the timely
dissemination of actionable information to the private sector.
Challenges to Outreach and Collaboration
In planning the Next Gen Cyber Initiative, the FBI anticipated that private
sector partners would be reluctant to provide the FBI with access to data that may
contain personally identifiable information (PII).25 During our interviews with
private sector individuals, we found that private sector entities are reluctant to
share information, such as PII or sensitive or proprietary information, with the
government because of concerns about how that information could be used or the
possibility that it could be publicly released under the Freedom of Information Act
(FOIA).26 One private sector professional told us that he had declined to be
interviewed by the OIG due to FOIA concerns.
In addition, several private sector individuals discussed with us the
challenges in collaborating with the FBI in a post-Snowden era. One private
sector individual emphasized that Snowden has redefined how the private sector
shares information with the United States government. We were told by private
industry representatives and the FBI that, following the Snowden disclosures,
private sector entities have become more reluctant to share information with the
United States government because they are uncertain as to how the information
they provide will be used and are concerned about balancing national security and
individual privacy interests.
The FBI Director has acknowledged private sector concerns related to
proprietary information and the need to guard customer data and stated the FBI
will do what it can to protect private sector privacy.27 More generally, efforts to
detect, prevent, and mitigate threats are hampered because neither the public nor
private sector can see the whole picture. The FBI Director further explained the
25
According to the National Institute of Standards and Technology, PII is personal information
about an individual consisting of (1) information that can be used to distinguish or trace an individual's
identity, such as name, social security number, date and place of birth, mother's maiden name, or
biometric records; and (2) other information that is linked or linkable to an individual, such as
medical, educational, financial, and employment information.
26
The Freedom of Information (FOIA) Act, 5 U.S.C. 552, is a law that allows for the full or
partial disclosure of previously unreleased information and documents controlled by the United States
government. FOIA explicitly applies only to executive branch government agencies. FOIA defines
agency records subject to disclosure and grants nine exemptions which address issues of sensitivity
and personal rights.
Conclusion
Overall, we determined that the FBI has made considerable progress towards
achieving the goals it established for the Next Gen Cyber Initiative. We found that
the FBI appears to have strengthened the NCIJTF by adding international
participation, reorganizing to eliminate the perception that the NCIJTF is an
extension of the Cyber Division, and improving information sharing. However, we
believe the FBI should develop a process to track and measure the timeliness of
information sharing.
We found that, as part of the Next Gen Cyber Initiative, the FBI has
implemented a new training strategy to improve the awareness of all FBI
employees, as well as the technical capabilities of those investigating cyber
intrusion threats and incidents. We also found that the FBI continues to make
efforts to recruit, develop, and retain its cyber workforce. While we found that the
FBI is participating in various recruitment events, recruitment of qualified
candidates remains a challenge for the FBI. In addition, we found that retaining
highly qualified personnel can be a challenge when private sector entities can pay
higher salaries and applicants do not have to undergo the same background
investigation process as with the FBI. We believe that the FBI should continue its
creative recruitment and retention efforts, including targeted use of the SLRP and
increase the mobility of former employees with critical skills, to attract and retain
highly skilled cyber professionals. Further, we believe that the FBI needs to
continue to identify and recruit professionals who are motivated by the FBI's
mission as opposed to higher salaries. We also found that the FBI has not hired the
full complement of computer scientists for which it was authorized, and that it
should increase its efforts to address this.
Similarly, while we found that the FBI's Next Gen Cyber Initiative has met its
objective to establish Cyber Task Forces in all 56 field offices, challenges remain.
Specifically, we found that recruitment of external participants, particularly from
state and local law enforcement remains a challenge for the FBI. We believe that
the FBI should continue its outreach efforts to attract these external participants to
its Cyber Task Forces in order to foster information sharing and further the Cyber
Task Forces' ability to fully investigate and address future cyber intrusion threats.
In addition, we believe that the Cyber Division should ensure that all field offices
are fully informed of the resources available to facilitate such participation. The FBI
also should ensure that the Cyber Division organization and lines of authority, and
any changes in same, are clearly communicated to all field offices.
Lastly, we found that the FBI has made efforts to establish some informal
relationships for sharing information with private sector partners; however, we
believe that the FBI should continue to strengthen its efforts to share and
collaborate with the private sector. In addition, we believe that the FBI should
continue its efforts to develop strategies, including machine-to-machine capabilities
to enable the more timely dissemination of information to the private sector. We
also believe the FBI should develop a metric to measure the time from when it receives
information to the time it makes the information actionable.
Recommendations
We recommend that the FBI:
1. Develop a process to track and measure the timeliness of information sharing
at the NCIJTF.
2. Increase its efforts to hire computer scientists for authorized positions.
3. Continue to develop creative strategies for recruiting, hiring, and retaining
highly skilled cyber professionals, including cyber agent targeted recruitment
efforts, new computer scientist job series, and using external partners to
identify highly qualified candidates motivated by a career in the FBI.
4. Continue its outreach efforts to recruit detailees to its Cyber Task Forces,
including ensuring that information about resources available to facilitate
partner agency participation is effectively communicated.
5. Ensure that changes within the Cyber Division organizational structure,
including roles and responsibilities, are clearly communicated to the field
divisions.
6. Continue to strengthen its outreach efforts to improve sharing and
collaboration with private sector entities.
7. Develop metrics to measure the timeliness with which it provides actionable
information to the private sector.
8. Move promptly to develop strategies, including machine-to-machine
capabilities, to ensure the timely dissemination of actionable information to
the private sector.
STATEMENT ON COMPLIANCE
WITH LAWS AND REGULATIONS
As required by the Government Auditing Standards we tested, as appropriate
given our audit scope and objective, selected transactions, records, procedures,
and practices to obtain reasonable assurance that the Federal Bureau of
Investigation's (FBI) management complied with federal laws and regulations, for
which noncompliance, in our judgment, could have a material effect on the results
of our audit. The FBI's management is responsible for ensuring compliance with
applicable federal laws and regulations. In planning our audit, we identified the
following laws and regulations that concerned the operations of the auditee and
that were significant within the context of the audit objective:
Our audit included examining, on a test basis, the FBI's compliance with the
aforementioned laws and regulations that could have a material effect on the FBI's
operations, through interviewing FBI personnel, analyzing data, examining
procedural practices, and assessing internal control procedures. Nothing came to
our attention that caused us to believe that the FBI was not in compliance with the
aforementioned laws and regulations.
APPENDIX 1
APPENDIX 2
FEDERAL BUREAU OF INVESTIGATION'S RESPONSE TO THE
DRAFT AUDIT REPORT
APPENDIX 3
OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY
OF ACTIONS NECESSARY TO CLOSE THE REPORT
The Department of Justice, Office of the Inspector General (OIG) provided a
draft of this audit report to the Federal Bureau of Investigation (FBI). The FBI's
response is incorporated in Appendix 2 of this final report. The following provides
the OIG analysis of the response and summary of actions necessary to close the
report.
Recommendations:
1. Develop a process to track and measure the timeliness of information
sharing at the National Cyber Investigative Joint Task Force
(NCIJTF).
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will develop a process to track and measure the timeliness
of information sharing at the NCIJTF.
This recommendation can be closed when we receive evidence that the FBI
has developed a process to track and measure the timeliness of information
sharing at the NCIJTF.
2. Increase its efforts to hire computer scientists for authorized
positions.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that the FBI Human Resources Division (HRD) will continue to
focus on hiring computer scientists and other technical professionals to help
the Cyber Division combat immediate and emerging threats. According to
the FBI's response, the HRD is also integrating a technology specific
recruitment plan into the FBI's larger, overarching recruitment plan, to
include: (1) targeted talent recruitment; and (2) developing partnerships
with specific educational institutions, talent incubators, and/or technical
organizations that provide cyber training and credible developmental
opportunities, such as intrusion and defense competitions.
This recommendation can be closed when we receive evidence that the FBI
has increased its efforts to hire computer scientists for authorized positions
and other technical professionals to help combat immediate and emerging
cyber threats.
3. Continue to develop creative strategies for recruiting, hiring, and
retaining highly skilled cyber professionals, including cyber agent
targeted recruitment efforts, new computer scientist job series, and
using external partners to identify highly qualified candidates
motivated by a career in the FBI.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will continue to develop creative strategies for recruiting,
hiring, and retaining highly skilled cyber professionals, including cyber agent
targeted recruitment efforts, new computer scientist job series, and using
external partners to identify highly qualified candidates motivated by a
career at the FBI.
This recommendation can be closed when we receive evidence that the FBI
has developed creative strategies for retaining highly skilled cyber
professionals.
4. Continue its outreach efforts to recruit detailees to its Cyber Task
Forces, including ensuring that information about resources available
to facilitate partner agency participation is effectively communicated.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will continue its outreach efforts to recruit detailees to its
Cyber Task Forces, including ensuring that information about resources
available to facilitate partner agency participation is effectively
communicated.
This recommendation can be closed when we receive evidence that the FBI
has continued its Cyber Task Force recruitment efforts and ensures that
information about resources available to facilitate partner agency
participation is effectively communicated.
5. Ensure that changes within the Cyber Division organizational
structure, including roles and responsibilities, are clearly
communicated to the field divisions.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will ensure that changes within the FBI Cyber Division
organizational structure, including roles and responsibilities, are clearly
communicated to the field divisions.
This recommendation can be closed when the FBI provides evidence that it
ensures Cyber Division organizational changes are clearly communicated to
the field divisions.
6. Continue to strengthen its outreach efforts to improve sharing and
collaboration with private sector entities.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will continue to strengthen its outreach efforts to improve
sharing and collaboration with private sector entities.
This recommendation can be closed when we receive evidence that the FBI is
continuing to strengthen its outreach efforts to improve sharing and
collaboration with private sector entities.
7. Develop metrics to measure the timeliness with which it provides
actionable information to the private sector.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will develop metrics to measure the timeliness with which it
provides actionable information to the private sector.
This recommendation can be closed when we receive evidence that the FBI
has developed metrics to measure the timeliness with which it provides
actionable information to the private sector.
8. Move promptly to develop strategies, including machine-to-machine
capabilities, to ensure the timely dissemination of actionable
information to the private sector.
Resolved. The FBI concurred with our recommendation. In its response, the
FBI stated that it will move promptly to develop strategies, including
machine-to-machine capabilities, to ensure the timely dissemination of
actionable information to the private sector.
This recommendation can be closed when we receive evidence that the FBI
has developed strategies to ensure the timely dissemination of actionable
information to the private sector.