Federal cybersecurity efforts can often seem like one long campaign to prevent another Office of Personnel Management cyber breach, or Edward Snowden leak. But that’s only half the story. There’s also a significant effort to keep nation states, insider threats and other bad actors from causing similar incidents in the private sector.
“Ninety-five percent of the country’s infrastructure is controlled by or in the hands of the private sector,” said Amy Hess, executive assistant director of the FBI, on Agency in Focus – Justice Department. “And that’s significant. The things that these individuals are after, are highly sought after and controlled, owned by private industry. And we have to develop those relationships from a government perspective with private sector to ensure that for number one, for starters, that we’re notified when it happens, because the sooner we can get involved, the sooner we can identify who it is, the sooner we can identify their [tactics, techniques and procedures], and the sooner we can stop them, hopefully from doing it again.”
That’s why the FBI is working to build relationships with the private sector, and help companies understand both the threats, and how they should respond to an incident. In some cases, that’s happening on a very local level, Hess said, with field offices reaching out to companies in the vicinity and providing briefings and building rapport.
Because sometimes, Hess said, companies are hesitant to call on the FBI after an incident, especially if that company is a government contractor. They don’t want to be further exposed, and they’re worried that acknowledging a cyber attack will damage their reputation, and potentially harm their business prospects.
FBI’s shifting threat focus
But the FBI is just one part of a three-pronged whole-of-government effort to help protect the private sector against cyber attacks.
“The FBI is the lead agency for the threat response. [The Department of Homeland Security] is the lead agency for the asset response, and ODNI is responsible and has the lead for the Intel support,” Hess said. “But what that essentially boils down to and what that means is while [DHS’ Cybersecurity and Infrastructure Security Agency] is identifying ways that the company, the victim can protect themselves, how they can improve their capabilities in order from a defensive posture to ensure it doesn’t happen again, or to ensure that they are secured against the next threat. What the FBI is doing in the meantime, and the Justice Department, is trying to identify who did it. What are the techniques, tactics and procedures they’re using, to identify who it comes back to? Is this a criminal syndicate? Is this a nation state? Who did it and then, ultimately, to hold them accountable, so that we can either bring them to justice or to reveal their identities, and essentially make life difficult.”
That’s one of the FBI’s chief focuses today. But it wasn’t always that way. Back in the 1980s and ’90s, the FBI’s biggest focus was organized crime. Then, after Sept. 11, 2001, the focus shifted to counterterrorism. Now it’s shifting again to focus on cybersecurity.
And reorienting an entire agency to focus on a new threat isn’t easy. For one thing, it takes a very different set of skills on the part of the workforce. That means hiring new talent. But it can also mean reskilling existing employees with comparable or compatible skills through training. That means starting by figuring out what the FBI already has to work with.
“What is the baseline of the employees we have working for us? As far as if they don’t come with a technical degree?” Hess said. “Well, we’ve trained a whole bunch of people to investigate or to conduct analysis, or to do other things, how can they adapt those skills to be able to address the cyber threat? In addition to that, how are we identifying the people that we want to recruit into the organization and of course, it’s a very competitive field.”
New employee incentives
And that competitiveness around recruitment means coming up with new ways to attract talent. For example, Hess said the FBI is working on a new program with the private sector, where private sector companies like Microsoft and Mastercard will guarantee jobs to any applicant who first completes a two-year commitment to working for the FBI.
The FBI also has student loan repayment and incentive bonuses in its arsenal for enticing cyber talent. But one of the main attractions is the mission, Hess said.
“Hopefully the ‘cool factor’ wins out when it comes to our ability to recruit people with those technical skills and backgrounds,” she said.
There are also pushes to make it easier to go back and forth between the public and private sectors, giving workers the ability to gain new skills, learn new perspectives, and decide whether money or the mission is more important to them.
“I kind of jokingly refer to it as ‘you come into the federal government and you can die here 50 years later,’” Hess said. “Rather than using that model, we should be okay with you coming to work for us for a couple of years, then you go to work for — obviously it would be great if it was a cleared contractor so that you could retain that clearance. And then you come back to work extra with us. And to that point, we’ve actually recently seen several people who have left us, cyber employees who have left us who have come back to us. And so that’s heartening to think that perhaps this work, the fulfillment that they get from this work, is what was pulling them back.”