A debate is currently raging in Washington, D.C. and various politically-engaged spots on the Internet over CISPA, a bill that promises to increase cybersecurity by giving private companies carte blanche to hand over information about cyberthreats they see on their networks. Lawmakers have seemingly decided the best way to fight cybercriminals is to deputize private industry and let companies with unfettered access to the evidence do the bulk of the detective work involved in outing hackers and breaking up botnet rings. That saves the government the trouble of getting pesky subpoenas and warrants as required by the Constitution and privacy laws.
Opponents worry about all kinds of sensitive information being served up to the government on a silver platter given the legal immunity granted to companies in the bill and the murky definitions of what constitutes a "cyber threat." What has been left out of the debate thus far, though, is the model that CISPA appears in many ways to be based upon. The FBI has been information-sharing with private industry for over a decade without a bill like CISPA in place.
In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that "functions as a conduit between private industry and law enforcement." Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA's office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.
“We can bring the pieces of intelligence together so we can see what it really is," says Larkin of the advantage of bringing security specialists from different sectors together.
NCFTA director Ron Plesco lists off his organization's purpose rotely: "We do information sharing with three goals: ID the cybercrime threat, share toward mitigation, share toward neutralization of threat."
As part of a non-profit, Plesco could not comment specifically on CISPA, which would, as currently drafted, allow companies to share much richer and more individualized data directly with the government. "We get network data," says Plesco. "Not PII (personally identifiable information)."
That means the NCFTA can pass along information, for example, about suspicious servers or IP addresses and content from spear-phishing emails that companies are seeing in their networks, but not the names or addresses of those who appear to be affiliated with the schemes.
"We can share what we see and hear with the government," said Ron Plesco. "We can share in aggregate, but law enforcement has to develop their cases separately and independently."
“An FBI agent works with [an NCFTA] analyst to get up to speed," said agent Eric Strom who has been with the embedded FBI unit since 2006 when it was installed in the NCFTA office.
Inhabiting one floor of a building in Pittsburgh and with just 15 permanent employees, the NCFTA is little-known outside of information security circles, though they have been involved in some controversial operations in the past, including Dark Market. Despite the current uproar over how and why information should be shared with the government, most civil liberty groups I spoke with had never heard of the FBI's on-going collaboration with private industry.
“We’re not in DC. We’re in Pittsburgh. We’re off the Beltway radar," says Plesco. "Since we’re a non-profit, we don’t get called in to do briefings on the Hill. We don’t have marketing and PR though we do occasionally get thanked in FBI press releases.”
This happened most recently after Operation Ghost Click, the FBI's takedown of a $14-million botnet ring run by six Estonians. The Estonians had infected over four million computers with DNS-changing malware that routed their computers to rogue DNS servers allowing the cybercriminals to display ads and send traffic to sites that profited them.
Several FBI agents involved in Ghost Click spoke with me about how information sharing through the NCFTA facilitated that investigation.
In 2009, an Internet security company, which the FBI prefers not to have named, saw malware affecting a customer and passed it along to the NCFTA. Soon, they got similar reports from another security researcher and an Internet payments company. “Some researcher sees malware or spam, then it leads to something bigger,” said FBI agent Eric Strom. “It generates intelligence and reporting.”
"For a year before the case started, we were seeing spam emanating from networks that they were able to track back to a company called Rove Digital," said FBI agent Tom Grasso in a separate interview.
The embedded FBI unit builds an initial case with intelligence from the NCFTA and then refers it out to a field office. Strom says they generated 80 cases in 2011, including Ghost Click and Coreflood (another server seizure case). New York agreed to take the Ghost Click case in 2010.
"Historically, businesses would come to FBI a month or two later, which is a lifetime in the cyberworld, and reveal they’d had a problem," said Strom. With NCFTA, they're more likely to pass info along in real time. "This gets the fraud investigators from the different companies talking to each other.”
One of the advantages offered by both CISPA and the NCFTA is that private companies don't just send information into a governmental black hole; they can get information back from the government about ongoing investigations, because they become partners with them.
Grasso started a mailing list with all the folks who had been tracking the malware activity, so they could continue to share information about what they were seeing on their networks.
"We had bimonthly teleconferences with FBI and private industry folks who would come into the office," says Grasso. He said they had about 25-30 people at each meeting, including fraud and abuse researchers from private companies. and importantly from ISPs such as Cox, Century Link, Qwest, and Verizon (Correction: Representatives from ISPs were involved at a later stage, during meetings to discuss how to keep victims online after rogue DNS servers were seized). "It was the first time we brought private industry people in like that. These folks were giving up so much intel. We wanted them to know it wasn’t going into a black hole.”
As the New York office got close to taking the ring down through working with law enforcement in Estonia, they realized that people with infected computers would lose Internet access when the FBI seized the rogue servers that were operating out of New York and Chicago. The NCFTA collaboration came in handy again.
"We needed a solution to keep people online,” said Grasso. The malware had changed IP addresses to redirect infected computers to the DNS servers that were about to be seized. "We knew we couldn’t get on people’s computers and change the IP addresses back."
So the FBI had to arrange for temporary servers so that 500,000 people in the U.S. wouldn't suddenly lose their Internet service. "Running DNS servers is tricky because you see browser activity," said Grasso. So they decided the FBI shouldn't run the servers directly. Instead they had a third party ISP, ICS, run them. “The servers are recording the IP addresses of infected computers and those are being given to ISPs so they can notify users.”
(That ends soon, though, so make sure your computer isn't infected or you lose service come July.)
Operation Ghost Click earned the NCFTA quiet raves. And quiet is how they like it to be.
It's worth paying some attention now, though, to highlight that CISPA and the idea of information sharing are not a novel approach to cybersecurity.
"Information sharing is already going on," said Allan Friedman, a technology fellow at the Brookings Institution, who pointed also to ISAC -- a sector specific information sharing program set up by Bill Clinton in the 90s. "As we expand it, we need to understand what has failed and what has been successful."
And to understand that, we perhaps need closer looks and more exposure of information sharing that's already happening. It's rather shocking that Congress has not called anyone from the NCFTA to the Hill to testify about how they function and how CISPA would change what they can do, or even make the need for a non-profit to facilitate information handovers obsolete.
