By Brian Abellera, Supervisory Special Agent, Federal Bureau of Investigation
he cyberthreat is a top national security priority for the United States. Terrorists, nation-state sponsored actors, and criminal groups have expanded their operations into the digital realm to probe domestic computer networks. After identifying vulnerabilities, they establish backdoors into proprietary systems and siphon out information. They look for anything they can exploit—research and development data; contracts on pending mergers; and personally identifiable information.
In November 2013, FBI Director James Comey told the U.S. Senate’s Homeland Security and Government Affairs Committee that the resources devoted to fighting the cyberthreat will in the future equal or even eclipse resources devoted to non-cyber terrorist threats.1 “We have connected all of our lives—personal, professional, and national—to the Internet. That’s where the bad guys will go because that’s where our lives are, our money, our secrets,” Comey stated during the hearing.
The Cyberthreat—Attacking Law Enforcement to Infiltrate the Community
|FBI’s Fellowship Offers Partners an Inside View of Cyberthreat|
|By Jenny Shearer, Federal Bureau of Investigation|
In the past year, the Federal Bureau of Investigation (FBI) established the cyber fellow program so that members of state and local law enforcement could work with the FBI for six months and then take the knowledge they gained back to their home departments. Fellows are assigned to the National Cyber Investigative Joint Task Force (NCIJTF).
Near Washington, DC, the NCIJTF houses representatives from 19 federal partners in the intelligence, law enforcement, and military sectors who collaborate and share intelligence about national security cyberthreats and actors.
NCIJTF Fellow Lieutenant Jimmy Garcia of the Los Angeles, California, County District Attorney’s Office is a 26-year law enforcement veteran and founding member of the United States Secret Service’s Electronic Crimes Task Force in Los Angeles, California.
He oversees three cyber teams in Los Angeles and works to protect the county departments’ infrastructure. Garcia thought he knew cyberthreats. Soon after joining the NCIJTF, though, he realized how much he did not know. He received a top-secret clearance and saw how prolific cybercrime is.
“I got here and was shocked. I felt like a kid in a candy store; I had no idea of the cyberthreat on a national, global level,” Garcia said. “I’m amazed at how [the FBI], the partners … determine who’s behind the keyboard.”i
Attribution is among the more challenging aspects of cybercrime investigations. Cyber criminals—be they state actors, members of an organized group, or hacktivists—obfuscate their tracks.
As a domestic law enforcement and national security agency, the FBI receives intelligence from partner agencies to further investigations. The international nature of cybercrime requires robust working relationships among global law enforcement. The FBI taps its network of legal attachés (Legats) who work overseas in 63 countries. Although the FBI’s jurisdiction ends at the U.S. borders, Legats represent the Bureau and liaise with law enforcement and share information and intelligence about investigations. The FBI works closely with the Department of Justice’s Office of International Affairs to pursue extraditions of known cyber criminals overseas, and Interpol and Europol are also key partners.
The FBI brings dual authorities to bear in its investigations: Title 18 and Title 50. Title 18 covers all criminal investigations, and Title 50 applies to national security investigations.
“Without Title 50 authority, I don’t think you can effectively work cyber in this day and age, this environment,” Garcia said. “These actors are so prolific (and) into everything right now. Without the information, the intelligence behind IP addresses and domains, you’re flying blind. You can go no further on an investigation.”ii
Lieutenant Kenn Nelson from the San Diego, California, Sheriff’s Department, is also an NCIJTF fellow. Unlike Garcia, he did not have a background in cyber investigations before his fellowship started. He learned by participating in collaborative meetings and working with allied agencies, as well as taking advantage of every possible training opportunity offered by the NCIJTF.
Nelson learned that the cyberthreat is a very persistent threat. “It’s much more overwhelming than I had previously thought. It encompasses more than just the military [and] cleared defense contractors. Even mom-and-pop shop systems are often being used as proxies. I have found, working with my agency and their IT division, I found even our own networks are under attack. It’s unbelievably eye opening.”iii
Through his fellowship, Nelson has passed along threat information to the sheriff’s department’s IT personnel, who told him the data were incredibly helpful. Because the threat evolves, it is helpful to have access to the intelligence the FBI collects. Through its Cyber Task Forces (CTFs), state and local law enforcement can stay abreast of trends in malicious software and which Internet Protocol (IP) addresses to block.
As a result of Nelson’s time at the NCIJTF, the San Diego County Sheriff’s Department has agreed to assign him to the San Diego CTF. Nelson will be the first state/local law enforcement official in the San Diego region assigned to the task force. He will work with the San Diego field office to educate the region’s local law enforcement on the current cyberthreat and develop a cyber training curriculum for law enforcement and work to expand the task force.
The San Diego Sheriff’s Department is paperless; deputies do all of their paperwork online. The department’s networks contain data about confidential information that, if lost or stolen, could result in others being exposed to possible harm or additional financial loss.
Nelson believes law enforcement agencies would do well to diversify the ranks by hiring individuals with technical backgrounds. As cyber technology becomes more prominent in our society, law enforcement needs to ensure employees have the diversified skills to address technology-enabled crimes.
He urges officers to learn what they can about the cyberthreat so they are prepared to help their communities. The public expects its police force to be knowledgeable about all threats.
In Nelson’s words: “We teach people to lock their doors and do neighborhood watch. Why not teach them better cybersecurity?” iv
iPhone interview with Jimmy Garcia, Los Angeles, California, County District Attorney’s Office, November 15, 2013.
iiiPhone interview with Lieutenant Kenn Nelson, San Diego, California, Sheriff’s Department, November 22, 2013.
The Emergency Services Sector, which includes the law enforcement community, is one of the 16 U.S. critical infrastructure areas within Presidential Policy Directive 21.2 According to intelligence sources, these 16 sectors are under constant cyber attack. If one of these sectors was compromised by an attack, it could significantly debilitate the backbone of the economy, security, and health of the United States.
State, local, territorial, and tribal (SLTT) agencies are the first line of defense for U.S. citizens against physical threats and emergencies. Attempts to infiltrate or immobilize these agencies’ information systems harms the communities law enforcement agencies are sworn to protect, with potentially devastating consequences. Previous attacks have resulted in the theft of highly sensitive information such as operation plans, case files, witness information, and workforce private identifying information. Other breaches have resulted in the loss of public trust and credibility and the debilitation of technology-reliant operations.
The Internet has no boundaries; law enforcement information systems can be attacked by actors outside the United States. Moreover, these actors will further cloak their methods of attack and location by hopping from country to country on compromised networks. These actors will then silently enter networks, exfiltrate valuable data, and establish a backdoor that they can enter and exit at will, undetected. Such covert activity may result in agencies not realizing their compromised state for months or years, until the actors choose to reveal themselves. Compounding the threat, previous attacks indicate that efforts are becoming increasingly coordinated to as many as 70 law enforcement agencies having been compromised in a single assault by the same actor.
Recognizing that this global issue cannot be overcome through the work of any one federal agency, the Federal Bureau of Investigation (FBI), U.S. Department of Homeland Security (DHS), U.S. Department of Defense (DOD), and various U.S. Intelligence Community (USIC) partners formed the National Cyber Investigative Joint Task Force (NCIJTF) to improve collaborative efforts on a national level. In further identifying that cyber actors attempt to infiltrate cyber-hardened federal agencies by attacking smaller and trusted law enforcement partners, it became very clear that collaboration must be extended to include the smallest of agencies to the largest and most cybersecurity-forward federal entities. This whole-of- government approach is the only way to beat this threat.
A Multitude of Ways to Increase Collaboration with the FBI
The FBI has four ways to improve collaboration with law enforcement and increase cyber skills for the more than 18,000 law enforcement agencies in the United States—entities with variances spanning budget, manpower, infrastructure, and cyber training.
National Cyber Investigative Joint Task Force
The FBI leads the NCIJTF, an entity that comprises representatives from 19 federal partners from the intelligence, law enforcement, and military sectors. Members collaborate and share intelligence about national security cyberthreats and actors. While partner agencies have different responsibilities, they must work together on cyberthreat investigations to the extent of their authorities and share information, following the principle that notification of an intrusion to one agency will be notification to all. The FBI offers training to command-level personnel via a six-month fellowship at the NCIJTF. Run through the Police Executive Fellowship Program and the FBI’s Office of Law Enforcement Coordination, the fellowship provides participants with a top-secret clearance so they can receive a first-hand glimpse into working national security cyber cases.
Cyber Task Forces (CTFs)
After more than a decade of combating cybercrime through a nationwide network of interagency task forces, the FBI has evolved its CTFs in all 56 field offices to focus exclusively on cybersecurity threats. In addition to key law enforcement and homeland security agencies at the state and local level, each CTF partners with many of the federal agencies that participate in the NCIJTF at the headquarters level.
A trained workforce is best positioned to mitigate cyber breaches; the FBI can help departments build capacity to address the threat. SLTTs are encouraged to participate in the CTFs in their areas. Personnel who participate will work with FBI agents and analysts on cases and receive access to the bureau’s training curriculum through the Virtual Academy platform.
Cyber Shield Alliance
The Cyber Shield Alliance is a partnership initiative developed by law enforcement for law enforcement to proactively defend and counter cyberthreats against law enforcement networks and critical technologies. It is accessible through Law Enforcement Online or members can access myriad law enforcement reports from various federal entities and fusion centers, review training opportunities provided by the law enforcement communities, take online cyber classes to work toward an FBI Cyber Investigator Certification, report cyber incidents, and receive assistance when necessary.
When SLTTs submit a cyber incident through Cyber Shield’s eGuardian reporting tool, the report is received within seconds by the FBI’s 24/7 Cyber Watch (CyWatch) and is made available to various federal agencies and the USIC community at the NCIJTF. Within the NCIJTF, the collaborative process takes hold and the corresponding support and/or response to the submitting agency is completed.
The Internet Crime Complaint Center (IC3)
The FBI is also partnering with SLTTs to combat Internet fraud, which victimizes thousands of individuals and businesses in U.S. communities each year. Many state and local agencies see the problem as too broad for their jurisdictions, while federal agencies, including the FBI, may perceive Internet fraud as too small to receive significant resources. In collaboration with the International Association of Chiefs of Police (IACP), the Major City Chiefs Association, and the National Sheriffs’ Association, the FBI recognized that the lack of investigation and prosecution of Internet crime—both at the federal and state and local levels—represents a huge gap in American policing.
To close this gap, the FBI and its law enforcement partners developed a plan that involves the FBI’s Internet Crime Complaint Center (IC3), which collects reports from private industry and citizens about online fraud schemes, identifies emerging trends, and produces reports about them. Under a pilot program that began in the summer of 2013 with the Utah Department of Public Safety, the FBI is enhancing the Internet fraud targeting packages the IC3 provides to state and local law enforcement for investigation and potential prosecution. The pilot’s successes, including the initiation of multiple new cases, led to its expansion in Dallas, Texas; Minneapolis, Minnesota; and several cities in New York.
Fighting cybercrime is a global problem; attacks can be launched from compromised systems in other countries, and actors can be outside of U.S. borders. Rather than focus on preventing and neutralizing attacks, a proactive posture—rooted in strong intelligence sharing among federal agencies and training the law enforcement community on the threats—is effective. Law enforcement agencies are encouraged to establish strong information technology security policies and train staff to develop a culture of awareness. ♦
1Greg Miller, “FBI Director Warns of Cyberattacks; Other Security Chiefs Say Terrorism Threat Has Altered,” National Security, Washington Post, November 14, 2013, http://www.washingtonpost.com/world/national-security/fbi-director-warns-of-cyberattacks-other-security-chiefs-say-terrorism-threat-has-altered/2013/11/14/24f1b27a-4d53-11e3-9890-a1e0997fb0c0_story.html (accessed January 7, 2014).
2Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil (accessed January 7, 2014).
Please cite as:
Brian Abellera, “Collaboration to Combat Cyberthreats,” The Police Chief 81 (February 2014): 46–48.