Risk
7/18/2011
11:37 AM
50%
50%

Cyber Strategies: National Security Versus Child Pornography

Among the interesting findings of an audit of the FBI's cyber crime capabilities: how Congress budgets the bureau, as well as the extent to which all cyber crime is local.

Does the FBI have its cyber priorities and investigative strategies straight?

That's one of the questions raised by an audit of the FBI's computer intrusion investigation capabilities, released earlier this year, which painted an unflattering picture of the bureau's ability to investigate cyber crime, especially cases involving national security. Notably, the audit, conducted by the Department of Justice's Office of the Inspector General (OIG), suggested that the FBI was failing to properly train and support its cyber investigators.

After the audit was released, the FBI fired back, alleging that the OIG's report was outdated and skewed by the opinions of a handful of agents who were training in a program that has changed numerous times over the past few years in response to the rapidly evolving nature of attacks and crimes perpetrated online.

"The FBI capacity that exists today is much greater than the capacity that existed two years ago, because we created a cyber career path specifically because we realized that all of the agents would not be at the [required] level," Steven Chabinsky, deputy assistant director of the FBI's cyber division, told me in a telephone interview earlier this year. "This is not something where we're coming to the table, seeing the OIG's report, and saying, we should have thought of this. Just the opposite."

In fact, the OIG's audit presented 10 actions that were necessary to resolve or close out the audit. By April 2011, the bureau had met all of those requirements. In addition, the bureau has been earning accolades from security experts for its cyber investigation capabilities, and it has chalked up some notable successes in recent months, including shutting down the Coreflood botnet and coordinating the international bust of two scareware rings.

But the audit raises at least one question that still needs answering. The auditors found that the bureau spends almost as many man-hours investigating child pornography as cyber crime. According to the report, in 2009 the FBI "used 19% of its cyber agents on national security intrusion investigations, 31% to address criminal-based intrusions, and 41% to investigate online child pornography matters."

In this era of targeted attacks--exploits involving everyone from RSA and Lockheed Martin to Sony and the U.S. Senate--is the FBI focusing on the right areas? To some extent, the bureau's hands are tied by funding, which is determined by Congress, "in different allocations," said Chabinsky. Notably, national security investigations are funded from different sources than child protection or investigating intellectual property crimes.

Furthermore, according to a different report from the OIG, "FBI Personnel Resource Management and Casework," released in 2010, the resources used by the bureau appear to be in line with what it has been told to pursue.

Another interesting question raised by the OIG's audit is whether the FBI should centralize more of its cybercrime operations. The FBI does have some regional hubs, for example, for digital forensic investigations. But in an age of distributed managed services, cloud computing, and virtual infrastructure, might it make more sense to further centralize the bureau's overstretched cyber resources?

While the FBI is exploring the creation of some additional regional hubs, Chabinsky ruled out any large-scale centralization of its cyber activities. "At the end of the day, we still have real victims who have real locations, and if you were to centralize, it would be difficult to have a private relationship with the owners and operators who are responsible for the networks," he said. That's why the FBI has cyber specialists in every field office.

Interestingly, the FBI also liaises with the country's top cyber targets based on the bureau's own field office locations. This structure gives FBI personnel direct responsibility for understanding which critical infrastructure exists in their territory, and for fostering relationships with the organizations that own that infrastructure. The FBI also uses its public-private partnership program, InfraGard, to reinforce these local relationships.

"There is a very local component to national security and law enforcement," even when it involves computer-related crime, Chabinsky said. In fact, information frequently flows in both directions. "It's often the case now that the FBI is informing people that they've been victimized, rather than victims coming to the FBI," he said.

Finally, keeping agents local means they don't have to hop on a plane to follow every lead or launch an investigation. In fact, "remote investigating" is often not an option, he said, as "some of our cases have information that you couldn't even approach on a telephone."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.