Department of Justice Inspector General Audit of FBI Next Generation Cyber Initiative

Audit of the Federal Bureau of Investigation’s Implementation of Its Next Generation Cyber Initiative

Page Count: 40 pages
Date: July 2015
Restriction: None
Originating Organization: U.S. Department of Justice Office of the Inspector General
File Type: pdf
File Size: 754,169 bytes
File Hash (SHA-256): ECE61E8111538EE8F9DACC2D20344356C25C36B7AE3A785B1C98110A247A39FE

The Federal Bureau of Investigation (FBI) has reported that the frequency and impact of cyber attacks on private sector and government computers increased dramatically in the last decade and are expected to continue to grow. In January 2012, former FBI Director Mueller stated during a congressional testimony that he expected the cyber threat to surpass the terrorism threat to our national security in the years to come. According to current FBI Director, James B. Comey, Jr., the FBI is prioritizing the investigation and prevention of cyber intrusions against the United States. The FBI has designated the protection of the United States against cyber-based attacks and high-technology crimes as its number three priority, behind only counterterrorism and counterintelligence.

Following the Office of the Inspector General’s (OIG) April 2011 report on the FBI’s ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. In fiscal year 2014, the FBI initially budgeted $314 million for its Next Gen Cyber Initiative, including a total of 1,333 full-time positions (including 756 agents). In addition, the Department of Justice (Department) requested an $86.6 million increase in funding for fiscal year 2014 to support the Initiative. The objective of this audit was to evaluate the FBI’s implementation of its Next Gen Cyber Initiative.

In our 2011 report, the OIG made 10 recommendations to improve the FBI’s efforts in this area, including that the FBI establish policies and procedures for the sharing of information at the National Cyber Investigative Joint Task Force (NCIJTF); enhance efforts to educate FBI field office personnel on the NCIJTF’s role and use within FBI’s national security cyber strategy; evaluate the effectiveness of the step-by-step training course for FBI agents on how to investigate national security intrusion cases; reconsider the rotation policy for cyber agents and ensure that agents skilled and experienced in cyber intrusions are available to FBI field offices; and consider developing regional hubs with agents that are experts in investigating national security intrusions.

The Next Gen Cyber Initiative is an ongoing, multi-year strategy that included two fundamental changes to the way the FBI addresses cyber threats. First, the FBI narrowed the focus of its Cyber Division to work solely on cyber intrusions because the FBI determined that they pose the greatest threat to national security. Simultaneously, the FBI transferred non-intrusion programs previously run by the Cyber Division, including the Innocent Images National Initiative addressing child pornography and the Intellectual Property Rights Program, to its Criminal Investigative Division (CID). Second, the FBI shifted its cyber intrusion emphasis from reacting to cyber-attacks to predicting and preventing them. In the context of this new framework, the Next Gen Cyber Initiative focuses on four areas: (1) strengthening the NCIJTF; (2) advancing the capability of the FBI cyber workforce and supporting related enterprise infrastructure; (3) expanding the Cyber Task Forces focused on intrusion investigations in each of the FBI’s 56 field offices, and (4) enhancing information sharing and operational collaboration with the private sector.

Our current audit found that the FBI has made considerable progress towards achieving the goals it established for the Next Gen Cyber Initiative. We found that the NCIJTF, which serves as a coordination, integration, and information sharing center among 19 U.S. agencies and international representatives for cyber threat information, is no longer perceived as an extension of the FBI. Additionally, according to NCIJTF partners, information sharing has improved among the members, which was an issue identified in our 2011 report. Also, the FBI has established Cyber Task Forces in all 56 field offices. In 2011, the FBI had Cyber Crime Task Forces in 45 of the 56 field offices. Furthermore, the FBI has implemented a cyber-specific training strategy to improve the technical skills of its entire workforce, with specific training made available to those working cyber intrusion investigations. The FBI is offering qualified personnel an opportunity to participate in a Master’s Degree program at Carnegie Mellon University and is in the process of initiating a similar program at New York University’s Polytechnic School of Engineering, to provide an attractive incentive and valuable training to help recruit, develop, and retain the cadre of FBI cyber professionals.

While the FBI has made progress in implementing its initiative, we found that there are still issues preventing the FBI from fully meeting all of its goals for the Next Gen Cyber Initiative. In particular, we found that:

  • the NCIJTF did not have a process to measure the timeliness of information sharing among members;
  • recruitment and retention of qualified candidates remain a challenge for the FBI, as private sector entities are often able to offer higher salaries and typically have a less extensive background investigation process;
  • the FBI has encountered challenges in attracting external participants to its established Cyber Task Forces;
  • the FBI did not hire 52 of the 134 computer scientists for which it was authorized; and
  • 5 of the 56 field offices did not have a computer scientist assigned to that office’s Cyber Task Force.

Finally, although the FBI is working to develop strategies to enhance outreach to private sector entities, it continues to face challenges partnering and sharing information with these entities. While the FBI has developed reports to provide the private sector with actionable information to allow it to protect its networks and to disseminate technical information gleaned from some ongoing investigations, both FBI and private sector representatives acknowledged to us that information sharing remains a challenge. We found that when the private sector shares information with the FBI, it is perceived by the private sector as akin to sending information into a black hole because they often do not know what becomes of it. We also found that the private sector is reluctant to share information with the government based on concerns regarding balancing national security and individual privacy interests. The private sector reluctance to share information has been further affected by the distrust of government created by the Edward Snowden leaks. Private sector representatives have also expressed privacy concerns about how the information collected will be used. Additionally, information the FBI shares with the private sector is often considered by the recipients to be not useful because it is already known, lacks context, or is outdated.

While the FBI continues to advance its cyber capabilities, we found that it still needs to: (1) continue to focus its efforts on recruiting and retaining highly-skilled, technically trained cyber professionals; (2) increase external partners’ participation on the Cyber Task Forces, including enhancing state and local law enforcement and interagency participation; and (3) expand private sector outreach to develop an environment that promotes information sharing and collaboration. We believe that the FBI needs to address these challenges to most effectively identify and address emerging cyber intrusion threats.

This report contains eight recommendations to assist the FBI in meeting these objectives and achieving the goals of the Next Gen Cyber Initiative that are the basis for its efforts to address this significant and growing threat to our national security.

Challenges in Sharing Information

The FBI faces several challenges in sharing information with the private sector, including: (1) a perception by the private sector that information flows in one direction – to the FBI; (2) information, when provided by the FBI, is often not useful because it lacks context or is outdated; and (3) private sector concerns regarding how the FBI will use the information that is shared.

One-Way Communication of Information

At the February 2014 conference mentioned previously, Director Comey also acknowledged that it often seems to private industry that information flows one way – to the government. We interviewed representatives from more than 12 private sector entities and were consistently told that information seems to only flow in one direction, which is from the private sector to the FBI. Several private sector representatives told us that providing information to the FBI is akin to sending it into a black hole – the information goes in and the entities never hear any more about it. The FBI has acknowledged these private sector concerns, but has also stated that a lot of information cannot readily be shared because it is part of an ongoing investigation. In response to this challenge, the FBI has developed reports that it can share with the private sector. According to the FBI, FBI Liaison Alert System Reports share anonymous and declassified technical indicators, gleaned from ongoing investigations, with the private sector to assist them with protecting their networks. From April 2013 through January 2015, 70 FBI Liaison Alert System Reports were disseminated. The FBI also disseminates Private Industry Notification Reports that provide contextual threat information regarding nefarious activity by cyber criminals. From May 2013 to January 2015, the FBI disseminated 42 Private Industry Notification Reports.

While this explanation may have some validity in certain cases, we believe that when the FBI fails to exchange information on an ongoing basis with the private sector, the private sector’s ability to address and mitigate threats in a timely manner may be hindered. In addition, this lack of mutual exchange of timely information creates an environment in which private sector entities may be less willing to share important information in the future.
