09:47 AM
Connect Directly

FBI Defends Cyber Investigation Capabilities

Exclusive: An FBI official argues that an audit finding insufficient national cybersecurity investigation skills doesn't reflect current expertise and results.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The FBI's field offices lack the skills and expertise that they require for investigating national cybersecurity intrusions, with many field offices facing a shortage of forensic investigators and intelligence analysts, as well as tactical intelligence for guiding investigations.

Those are some of the top-level findings from a Department of Justice Office of the Inspector General audit of the FBI's computer intrusion investigation capabilities, released last week.

The audit, started in 2008 as an assessment of the FBI's computer intrusion investigation capabilities, grew to encompass the bureau's ability to investigate national security computer intrusions by the audit's completion in 2010. The audit also assessed the effectiveness of the FBI-led, multi-agency task force known as the National Cyber Investigative Joint Task Force (NCIJTF). Created in 2008 when President Obama established the Comprehensive National Cybersecurity Initiative, the task force's job is to coordinate intelligence and investigations into national cybersecurity intrusions across 18 intelligence and law enforcement agencies. For the report, auditors interviewed personnel at FBI headquarters, in 10 field offices, and at the NCIJTF.

According to the audit, 36% of FBI of cyber agents thought they lacked the necessary IT expertise for handling national security intrusions, and five out of 36 agents interviewed told the auditor that they didn't think they were skilled enough to investigate national security intrusions. In addition, the audit found that sharing intelligence information between agencies could be challenging, with the reasons for withholding information not always being clear to all participants. Finally, it questioned the FBI's approach to rotating cyber personnel to new offices every three years.

But in an exclusive interview, Steven Chabinsky, deputy assistant director of the FBI's cyber division, largely disputed those findings. On the skills front, for example, he said the audit paints an out-of-date picture of the bureau's cyber-investigation capabilities and results. "We have a very limited sample size of data that's years old, that's going down to the individual level of five agents, that ignores the fact that these agents were in training, and that these agents work in an environment that's conducive to success," he said in a telephone interview.

The FBI has been heavily adjusting its approach to cyber investigations over the past few years. In particular, the bureau has created a cyber-focused training program that mixes real-world experience with classroom learning. "Some of these situations you'll never be able to learn in a classroom, because some of our adversaries are using zero-day exploits which by definition you've never seen before," said Chabinsky. Agents are also part of a squad of experienced personnel, and backed by FBI agents with extremely specialized knowledge who are part of a cyber-action team that can quickly deploy to assist with investigations onsite.

Hence, instead of focusing on the subjective opinions of interviewed agents who were in the process of being trained, Chabinsky said that observers should examine the FBI's results, which he said the report largely ignores. "Case success is relegated to a footnote that said there have been some successes which are beyond the classification level of the report," he said.

Praise For The FBI's Cyber Unit

The FBI's cyber unit and the NCIJTF have received praise for their results, notably from the Office of the Directorate of National Intelligence (ODNI), which oversees the NCIJTF and evaluates its performance on a quarterly basis. In August 2009, the ODNI praised the task force for having been "the driving force behind the transformation of cyber threats from a fragmented and reactive individual agency response, to a unified and highly successful proactive national effort that established itself as a national center of excellence."

Industry experts have also lauded the NCIJTF. "It is the best interagency cooperation program anywhere in cybersecurity--with every key agency actually helping on real cases, hunting down the attackers," said Alan Paller, director of research for information security training company SANS, in an email interview. "They are also effective in finding evidence of actual attacks and warning corporations and agencies that those organizations have been penetrated and data has been stolen. Along with the [National Security Agency vulnerability analysis and operations group], it is the best cybersecurity program we have."

If there's a shortcoming of the NCIJTF--or the FBI's cyber unit--it's that "they have too many cases for the number of people they have, but that brings us around to the problem of skills," said Paller. "The colleges are graduating people who can talk about security, but have no forensics or intrusion detection or exploit skills."

What will help, he said, are internal agency training programs, as well as outreach efforts, such as the U.S. Cyber Challenge--championed by Shawn Henry, executive assistant director of the FBI's criminal, cyber, response and services branch, said Paller--which focuses on fostering high-schoolers' and college students' interest and expertise in information security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.