Despite stunning incident counts, many if not most insider threats remain unreported. Reasons vary but all bloom from the same stem: The victim company's fear of being harmed again, either by the legal system or law enforcement. But are those fears real and justified, or are they spun from myths? Time to take a look at what actually happens after a company contacts the FBI, formally or informally.
The Scene …
"About three out of every four malicious insider incidents are handled internally, with no legal action or no law enforcement activity taken," which means "these incidents are significantly underreported," says Randy Trzeciak, director of the National Insider Threat Center, which is in the CERT division of the Software Engineering Institute at Carnegie Mellon University.
Why do these incidents go unreported? Companies hesitate or decide not to report for several reasons, including fear that they may be wrong about the person they suspect and thus may be held liable. They may also fear significant business disruption during the FBI investigation, or be uncertain about the nature of the threat or whom at the FBI to contact. Companies also hold back because of "fear of negative reputational damage, fear of competitors knowing specifically that these incidents have occurred, and fear they are unable to prove through forensic evidence that an insider did something bad," Trzeciak says.
Those fears are based on rational business concerns, but they are not foregone conclusions. Nor is avoidance the best path to mitigating any of the risks they fear.
It was a hard-won lesson in the U.S. versus Shan Shi case, wherein valuable trade secrets were stolen and sold to a Chinese company. While FBI Houston's elite counterintelligence investigators worked for years to destroy Shi's prolific network and to successfully bring him to justice, "it is possible we could have prevented some of the loss had the suspicious behavior been reported earlier," Roman Rozhavsky, an acting section chief of the FBI Counterintelligence Division, told Dark Reading.
How to Tell Houston We Have a Problem
"That's why we do want contact even on suspicions," says Rozhavsky. "We follow the rules on opening investigations, but suspicions are often enough for us to work to prevent a future threat or stop ongoing losses."
While companies may greet this news with a sigh of relief once they realize they don't have to compile mountains of elusive evidence before they can seek help, the crime reporting process itself may feel overwhelming and thus discourage follow-through.
But that fear, too, is more imagined than real. It turns out there are several ways to easily contact the FBI.
A good place to start is in building relationships with the FBI before trouble happens.
"Have informal conversations and build relationships with FBI agents, even if your company has no infosec section or department," says Philip E. Frigm Jr., a section chief of the FBI Cyber Division.
Companies that outsource infosec to MSSPs, or start-ups and small companies that rely on little more than security software, can establish relationships with the FBI and attend educational security meetings to improve their threat awareness and decision-making, too. In other words, the FBI is not just for big companies and big cases, although it handles those routinely, too.
Building rapport and establishing relationships between the private sector and the FBI helps the agency, too — primarily in adapting their investigation methods to meet evolving threats.
For those reasons and a few more, the Office of Private Sector (OPS), part of the FBI's Intelligence Branch, came into being. The OPS "allows for one 'FBI voice' and connects private industry with whom they need to connect with — whatever the concern." This means you can contact almost anyone in the FBI and that person will see to it that any concern you express gets to the right agents within the FBI. It also means you will have contact with the same FBI agent(s) and not have to talk to different people each time there is a concern or incident.
The FBI offers several programs as a means for establishing and maintaining relationships with the private sector that both educate and offer informal communication channels. Two key FBI programs that are well-known throughout the infosec community are InfraGard and Domestic Security Alliance Council (DSAC). Additional resources are available for businesses as well. One key example is iGuardian, a secure information portal for businesses to report cyber intrusion incidents in real time.
While an ongoing relationship ahead of problems is ideal, you don't have to go that route. You can reach out to the local FBI field office, file a report online at ic3.gov, or simply call 1-800-CALL-FBI (1-800-225-5324).
"Any FBI contact can help direct you. But do converse with us as early as possible. If you wait to tell us about an incident that happened six months ago, we may not be able to get all of the evidence we need or to put the steps in place that may have helped you much sooner," says Frigm.
Two Can Keep a Secret If One of Them Is from the FBI
Once contact is made, what happens next? Will FBI vans swarm in and take computers, hard drives, and other hardware and software as evidence? Will business come to a screeching or crawling halt during the investigation?
How the FBI responds depends a great deal on the specific circumstances. But in general, "we like to keep our footprint very small. One FBI guy in a regular suit might come in to talk to someone at your company in the boardroom, for example," Frigm explains. "But we can also meet somewhere else, over coffee maybe."
You might want to ask your attorney to join the FBI meeting too — but probably not for the reasons you think.
"Legal counsel is desirable for several reasons. For one, bringing them up to speed afterward on our evidence collection delays progress. It's better to include legal counsel early on rather than repeat everything again later," Frigm says. "But also, given data privacy laws, you may not have the authority to give us consent — and you may not know that, but your lawyer will. It's imperative that we collect the evidence according to the rules."
Having legal counsel present isn't perceived as an obstacle or a confrontation. "I've never encountered a situation that legal counsel wasn't helpful," he adds.
"I agree," says Rozhavsky. "It saves a lot of time."
So ... Now the Screeching Vans?
Once the legalities are dealt with, evidence collection begins. So, do the FBI vans come skidding into the parking lot now? Do FBI agents in jackets with loud neon letters start hauling out company hardware?
"Evidence is collected in the least disruptive way possible. Often, much of the activity tracking and evidence collecting can be done remotely, but if we must collect evidence on site we'll do so quietly," Rozhavsky says.
The dedication to drawing zero attention to themselves and their work is not just a matter of courtesy, but of stealth and strategy.
"Insiders do have some legitimacy in accessing company information, so to some extent they are supposed to work with the information. We have to be careful not to tip the bad guy off while we're investigating," Frigm says.
And what should you expect once the investigation quickens towards an outcome?
"There will likely be more conversations, but with fewer people," according to Frigm.
In the end, hopefully a crime is prevented or halted in progress. If not, a criminal is hopefully brought to justice in the courts. In either case, the FBI has likely gone home as quietly as they came.