Friction by design: FBI, DHS disagree on when to tell victims they’ve been hacked
This report first appeared on CyberScoop.
Competing interests exist between two of the predominant federal agencies tasked with stopping hackers from attacking the U.S., officials say, and that dynamic shapes how and when the government notifies Americans if they’ve been breached.
The Homeland Security Department and FBI follow distinctly different missions, and this extends into cyberspace, according to John Felker, director of the National Cybersecurity and Communications Integration Center. NCCIC is DHS’s around-the-clock office for incident awareness and response.
Occasionally, DHS’s efforts to rapidly deploy software updates and immediately notify a victim when a cybersecurity incident occurs clashes with the FBI’s work to fully investigate and ultimately prosecute cybercriminals, Felker said Thursday.
“There’s always going to be some tension between our mission space at DHS, which is asset response, threat mitigation — stop the bleeding, if you will — and law enforcement’s threat response, which is to catch a bad guy and make a successful prosecution,” Felker said during McAfee’s Security through Innovation conference hosted by CyberScoop and FedScoop. “It’s not easy and it’s case-by-case. The challenge we have is to keep a relationship that is open and honest and transparent between us.”
“Even in the last couple weeks we’ve had a few knock-down, drag-outs about cases that are going on, but it is what it is,” Felker said. “We’ll work through it.”
Felker and others who spoke Thursday discussed the topic in general terms and did not refer to any specific cases.
Because hackers commonly monitor activity on a victim’s network, a defense shift may tip off the attacker — letting them know that law enforcement may be aware of the intrusion.
Ongoing negotiations effectively determine when DHS will rapidly reach out to a victim or, on the other hand, if the FBI will be afforded a grace period to collect evidence and gain new insight. This collaborative although sometimes challenging balance underscores a larger cyberthreat information sharing partnership between the two agencies and broader federal government.
“The speed of trust is there,” said FBI Section Chief Trent Teyema. “By design we have that friction because we’re trying to get information to go after a case and they’re trying to stop the bleeding. We want that friction, we want that dialogue going forward. It’s a good process.”
A conflict of equities is most common, according to Josh Goldfoot, Deputy Chief of the Justice Department’s Computer Crime and Intellectual Property Section, when “you have a victim that for whatever reason hasn’t done some of the traditionally security practices like having a vigorous system of logging, like having a good system of authentication and checking your user credentials and all that stuff.”
“If you have that in place and we’re arriving then there’s no conflict, those logs will tell me who went in and out. That’s when the two sides I think get along,” Goldfoot said. “Where you have a problem is when you arrive at a victim that doesn’t have any of that stuff. And then questions come up like ‘is this the right moment to evict or do we want to watch a little long.”
Because a specific software vulnerability in any given popular product may allow an attacker to compromise not only one company but potentially an industry, getting information about a threat to the private sector can be imperative regardless of the status of an investigation, Felker said.
“I don’t want to flip your apple cart when it comes to a prosecution, but if there’s a vulnerability or a set of TTPs that can be useful to cyber-defenders somewhere else then we’d like to know that,” Felker said, “and we’ll try to get [the information] out there like a tree in the forest, so that it doesn’t look any different from patch Tuesday.”
