The United States addresses cyber threats not only through the prosecution of cyber criminals, but also through responding to, preventing and managing cyber incidents.
The Department of Justice (DOJ) and the FBI (which operates under the jurisdiction of the DOJ) play a key role in addressing cyber incidents which threaten U.S. interests.
Building Relationships and Sharing Cyber Threat Information
In order to enable effective reporting and facilitate response efforts, the Department of Justice and the FBI engage in relationship building, routine information sharing, and communication with organisations and sectors that are at particular risk.
The FBI engages in targeted outreach to build relationships with potential victims of cyberattacks, with programs that provide information about ongoing or emerging cyber threats. This helps to build trust, facilitate information sharing and provide recipients with actionable intelligence to protect against cyber threats.
In certain circumstances, the FBI will join with sector-specific agencies to execute an “action campaign” to quickly advise a specific group of stakeholders of a particular cyber threat.
The FBI has several established programs that enable connectivity, information sharing, and collaboration with the private sector on a range of hazards, including cyber threats. These programs include:
Domestic Security Alliance Council (DSAC)
DSAC encourages public-private engagement between corporate chief security officers and the FBI on emerging threats.
InfraGard
InfraGard is also a partnership between the FBI and members of the private sector; its members join as individuals, not as corporations.
National Cyber-Forensics & Training Alliance (NCFTA)
NCFTA joins law enforcement, private industry and academia to build and share resources, strategic information, and cyber threat intelligence.
National Domestic Communications Assistance Center (NDCAC)
NDCAC is a partnership between law enforcement and the communications industry which ensures law enforcement’s understanding of new services and technologies, and provides a venue to exchange information, streamline processes, and facilitate more efficient interaction between law enforcement and industry.
Internet Crime Complaint Center (IC3)
IC3 provides a reporting mechanism for the public to submit information to the FBI concerning suspected Internet-facilitated criminal activity.
Responding to Cyber Incidents
The FBI may learn of a cyber incident through law enforcement or intelligence sources, or through direct notification by the victim. Robust frameworks are in place to ensure that the FBI and Department of Justice can effectively respond to cyber incidents and manage crises.
The Presidential Policy Directive (PPD-41) designates the Department of Justice, through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF), as the lead federal agency for responding to significant cyber incidents.
Through evidence collection, technical analysis, and related investigative tools, the FBI works to quickly identify the source of a cyber incident, connect that incident with related incidents, and determine attribution.
In addition to the cyber incident response framework laid out in PPD-41, the federal government has also adopted a Cyber Incident Severity Schema, which helps to accurately describe an incident’s significance and ensure an appropriate response.
Routine Incident Response
Each FBI field office houses a multi-agency Cyber Task Force (CTF) which brings together cyber investigators, prosecutors, intelligence analysts, computer scientists, and digital forensic technicians. This allows for more effective incident response.
The FBI also has a strong international reach through a network of approximately 80 Legal Attaché offices throughout the world. It has supplemented 20 of these international offices with cyber-specific investigators to facilitate cooperation and information sharing to advance its cybercrime and national security investigations.
Significant Incident Response
In accordance with PPD-41, enhanced response procedures may be implemented in the event of a “significant cyber incident.” These procedures may include:
- Appointing an accountable senior executive to manage the response
- Establishing a dedicated command centre
- Adding further support from the Cyber Action Team (CAT) – the FBI’s elite rapid response force
Through relationship building and information sharing, leveraging investigative expertise, and utilising a clear framework for responding to cyber incidents and managing crises, the Department of Justice and the FBI play a key role in responding to, preventing and managing cyber incidents.