{ "id": "IN10609", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN10609", "active": false, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 457062, "date": "2016-11-15", "retrieved": "2017-04-21T15:12:44.103183", "title": "Justice Department\u2019s Role in Cyber Incident Response", "summary": "Criminals and other malicious actors increasingly rely on the Internet and rapidly evolving technology to further their operations. They exploit cyberspace, where they can mask their identities and motivations. In this context, criminals can compromise financial assets, hacktivists can flood websites with traffic\u2014effectively shutting them down, and spies can steal intellectual property and government secrets. \nWhen such cyber incidents occur, a number of issues arise, including how the government will react and which agencies will respond. These issues have been raised following a number of high profile breaches such as those against the U.S. Office of Personnel Management. Federal law enforcement has the principal role in investigating and attributing these incidents to specific perpetrators, and this responsibility has been codified within the broader framework of federal cyber incident response. \nPresidential Policy Directive (PPD) on U.S. Cyber Incident Coordination\nThe Obama Administration, through PPD-41, outlined how the government responds to significant cyber incidents\u2014those that are \u201clikely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.\u201d Responding to cyber incidents involves threat response, asset response, and intelligence support. The Department of Justice (DOJ), through the Federal Bureau of Investigation (FBI) and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response. 
Asset response and intelligence support responsibilities are led by other federal agencies.\nThe concept of threat response, as outlined by PPD-41, involves \u201cconducting appropriate law enforcement and national security investigative activity at the affected entity\u2019s site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.\u201d \nFBI Cyber Investigations\nThe FBI pursues cybercrime cases ranging from computer hacking and intellectual property rights violations to child exploitation, fraud, and identity theft. Its top priorities involve combating computer and network intrusions and investigating ransomware. The FBI\u2019s Cyber Division focuses on \u201chigh-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets.\u201d One key challenge, acknowledged by Administration officials and others, involves moving away from reacting to malicious cyber events and toward preventing them. \nIndeed, cyber attack prevention is one of the main tenets of the FBI\u2019s Next Generation Cyber (NGC) initiative. Established in 2012, NGC has focused FBI resources on enhancing cyber capabilities. It has aimed to do this through (1) strengthening the NCIJTF, (2) bolstering the FBI\u2019s cyber workforce, (3) expanding Cyber Task Forces (CTFs) in all 56 field offices and focusing their efforts on computer/network intrusion investigations, and (4) increasing information sharing and coordination with the private sector.\nTask Forces and Partnerships\nThe NCIJTF was established by National Security Presidential Directive-54/Homeland Security Presidential Directive-23 in January 2008. 
As established, the NCIJTF\u2019s mission is to \u201cserve as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations.\u201d Led by the FBI, the NCIJTF coordinates over 20 U.S. agencies from law enforcement, intelligence, and the military. It also collaborates with the private sector and international partners. Early on, there had been concerns that \u201cthe NCIJTF was not always sharing information about cyber threats among the partner agencies.\u201d There were also criticisms that the NCIJTF was perceived as an extension of the FBI\u2019s Cyber Division instead of as a multi-agency effort. DOJ\u2019s Inspector General more recently noted that these issues have improved.\nThe FBI leads several other task forces and partnerships focused on cyber threat response. For instance, there is a CTF at each field office. These CTFs focus on local cybersecurity threats, respond to incidents, and maintain relationships with companies and institutions. The CTFs also support the national effort to combat cybercrime by participating in national virtual teams on certain cyber issues and providing cyber subject matter experts or surge capability outside of their territories, when needed. Additionally, the FBI has established and maintained Cyber Action Teams of agents and computer scientists that can be rapidly deployed around the world to assist in computer intrusion investigations. In addition to domestic field offices pursuing international leads in investigations, the FBI has positioned cyber assistant legal attach\u00e9s (ALATs) in some foreign countries. These ALATs work with law enforcement in host countries to share information, collaborate on investigations, and enhance relationships with partner agencies. 
The ALATs focus on \u201cidentifying, disrupting, and dismantling cyber threat actors and organizations.\u201d\nGoing Forward: Communication and Technology\nFederal law enforcement responds to cyber intrusions in both public and private sector networks. One challenge investigators face is that a majority of private sector partners do not automatically engage federal investigators when they experience a breach and instead turn to private firms for attribution and remediation. For instance, the Democratic National Committee retained a firm named CrowdStrike to secure its network when it discovered a breach\u2014attributed to the Russian government\u2014in the spring of 2016. The FBI has been encouraging private companies to reach out directly to law enforcement to help investigate, attribute, and mitigate breaches. \nIn addition to working with law enforcement and private sector partners, FBI investigators seek to bolster their internal investigative capabilities to avoid being outpaced by technology, a phenomenon that the FBI has called \u2018Going Dark.\u2019 Notably, law enforcement supports strong encryption to protect networks, devices, and information. However, they note that malicious actors also exploit the widespread use of end-to-end, or what investigators have called \u2018warrant proof,\u2019 encryption, locking out investigators. Experts have recommended that the FBI invest resources to strengthen its investigative toolbox\u2014rather than asking technology companies to build in exploitable weaknesses or \u201cbackdoors\u201d to their products\u2014so that it can best respond to cyber threats.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": false, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/IN10609", "sha1": "4bfbddf655db7b93e321399f2f8f34287bd96bfb", "filename": "files/20161115_IN10609_4bfbddf655db7b93e321399f2f8f34287bd96bfb.html", "images": null } ], "topics": [] } ], "topics": [ "CRS Insights" ] }