Inside the FBI

In an interview inside FBI headquarters, Network World Senior Editor Ellen Messmer met with Michael Vatis, one of the FBI's top cybercrime fighters. His official titles are chief of the National Infrastructure Protection Center (NIPC) and deputy assistant director within the FBI National Security Division.

The NIPC was set up in early 1998 to detect and deter cyberterrorism. As NIPC's director, Vatis discussed the government's effort to prevent network-based attacks on the U.S. and the controversial idea of setting up a mammoth intrusion-detection system to detect suspicious activity. Vatis also detailed how the FBI works with corporations to catch hackers.

What exactly is NIPC?

The NIPC consists of representatives from numerous federal agencies. It operates under the authority of the FBI, where it is located. NIPC's mission is to detect, warn of and respond to cyberattacks on the nation's critical infrastructures.

So the FBI decides how to respond to incidents?

NIPC is the headquarters element. We are the program managers of the investigative program across the FBI field offices. And the field offices are responsible for actually investigating computer intrusions, viruses and things like that, or other cybercrimes. We are the managers of that whole program but we also coordinate the investigation and response to attacks that might be national in scope and not limited to a single field office's jurisdiction.

What other agencies are part of the NIPC?

The Defense Department, all of the military services, the Office of the Secretary of Defense, the National Security Agency, the Defense Intelligence Agency, the Central Intelligence Agency, U.S. Secret Service, U.S. Postal Service, Department of Energy and several of the national laboratories. Until recently, we had a representative from state and local law enforcement; we're currently trying to replace him.

This is a very difficult area to be involved in - to try and protect the U.S. from either internal or external attacks, directly on the government or on important parts of the national economy. How do you get the information to know that something might be happening?

We get information several different ways. We derive information from law enforcement investigations that are conducted by FBI field offices. We also obtain information from other investigation agencies, such as federal or state law enforcement agencies. Typically, we get information from intelligence agencies that operate abroad. However, these agencies can often obtain information about foreign threats or attacks and provide it to us. We can get information from open sources, including traditional media and the Internet.

In addition, private companies that are victims of attacks voluntarily provide us with a lot of information. One of the theories behind creating the NIPC and also for putting it at the FBI was to create a central location, a central mechanism, for collecting disparate types of information from a wide variety of sources - which heretofore no one has looked at altogether. The FBI is unique in having both a law enforcement mission and a foreign counter-intelligence mission, so it uniquely has the legal authority to gather many different types of information.

Some private-sector companies may report incidents voluntarily, but are there specific sectors, such as banking, required to give information, to report substantial problems?

The banking industry, I believe, is the only one that is required by regulation to report suspicious activity. There's a specific requirement that they report suspected fraudulent activity in things called SARs, or Suspicious Activity Reports. That's something that's been in place for a long time, and they don't report to us, they report to their regulators. But we can get access to that information from the regulators when there's an indication of possible federal criminal activity. And so cybercrime and cyberintrusions into bank systems are just a couple of examples of the types of suspicious activities that banks are required to report. But no other industry that I'm aware of has an analogous reporting environment.

If a company does want to report - they see an incident and they're worried about something - do you really want them to call a hotline here or somehow contact the NIPC directly? Or would they be better off calling a local FBI agent?

We urge companies to report first to the local FBI field office, then the field office will report to us. If a company happens to call us first, we'll refer them back to the field office for an investigation.

But we've also started a program called Infragard, which is an information-sharing partnership between private industry and us. It's a membership organization where companies join after undergoing a background check to make sure they're not a front for organized crime or foreign intelligence service or a hacking group. And then they get access to a secure e-mail network and a secure Web site. The Web site offers them updates on trends, security issues and things like that. And the e-mail alert network allows them to inform both the FBI field office in their area and us at the NIPC about threats or attacks on their own systems. And the field office can then respond but we add this data to our database of all-source information to determine whether this is part of a broader attack and also do trend analysis. What is so different about this is that we also give companies the capability of providing a sanitized version of the same report that we would then circulate to the other Infragard members that removes anything the reporting company doesn't want others to know about. So we'll use the detailed version to investigate if there are possible federal criminal violations. We'll disseminate the sanitized version to other members so they can at least take steps to protect themselves against the same sort of attack.

How many Infragard offices do you have?

This started as a pilot program in one office. We recently expanded to 21 offices. Later this year we'll expand it to all 56 FBI field offices so each of them will have a chapter where they will meet face to face with their local chapter members and solicit input on other things they should do - education, conferences, seminars, things like that. We'll try to expand the membership and get more people reporting. It's our sense we'll see more reporting from companies if we can convince them that it's worth their while, that they'll be getting something valuable back in return. So we're putting out information to members, part of which is based on input from other members, but also information we get from other sources.

How many companies are Infragard members?

I don't have a figure right now. But we just expanded to those 21 offices a couple of weeks ago. So we're in the process of building that membership base.

Companies wonder when they contact the FBI whether that will open up an investigation, and they're torn about that. On one side, they may want an investigation launched, but on the other hand, they worry that the FBI will be all over their building, taking over their networks. Why shouldn't they be concerned?

We address that sentiment by explaining precisely how we conduct the network investigation, that in fact we don't take over the network, we don't take over the building.

Companies that have reported to us and have worked with us on investigations have learned from experience that we have to work with the company cooperatively because it's really the system administrator of the network that has been the victim who is in many ways the lead investigator. That person knows the network and how it's set up and what type of information is resident on it and how to search the logs for relevant information. So we don't go in and shut down the network and figuratively surround it with yellow crime scene tape. But we allow the company to keep operating and encourage them to work with us and conduct the investigation at the same time. The other [misunderstanding] that exists out there is that if a company reports something to us it will right away make it into the newspapers. We are succeeding in convincing companies that the only time that an investigation would become public is if it resulted in a prosecution, which is usually sometime down the road. And short of that, we are very good at keeping investigations confidential.

At this point, have you been able to ascertain whether there has been network terrorism originating from inside or outside the U.S.?

There are more examples than you can write about in a whole year, of serious intrusions into people's networks that cause either shutdown of the system, theft of valuable information, theft of money or at the very least damage to a system that requires millions of dollars to repair.

Can you mention actual incidents?

Well, just look at the viruses that have caused millions of dollars in damages by the most conservative estimates - the Melissa virus, the Explorer.zip worm, the Chernobyl virus. In the Melissa case, the FBI's Newark division and New Jersey State police apprehended a suspect and he is currently facing a trial on state charges. But just in terms of the damage caused those are very good examples.

We've had numerous people who've gotten into systems to steal money. A good example of that was in '94 with the case of the Russian organized crime group that got into Citibank's cash-management system; there was at least ten million dollars at risk of being stolen. But because Citibank contacted the FBI as soon as they knew there was a problem, their losses were stemmed at $400,000, which was what they had lost up to the time they reported.

How did this stem their losses?

Because working with the FBI, they were able to determine how the money was being taken and they were able to prevent further loss. And that's also a good example of how the FBI field office worked cooperatively with a victim company so they could continue doing business but at the same time stem their losses and catch the bad guys.

There have been a lot of reports about substantial, organized network-based attacks coming from Russia, with the Defense Department apparently telling Capitol Hill this constitutes a serious problem. But how does the department know the attacks are actually coming from Russia when it's hard to determine where an attack originates from because hackers can break into systems abroad and use them as jump-off points?

We have had many investigations where a hacker goes through different systems not only in the U.S. but also in foreign countries. And it makes it difficult to trace an attack back because if it goes through an ISP, for example, into a foreign country, you need to get assistance from that foreign country. There are many countries that we have good working relationships with, law enforcement to law enforcement. But there are some countries that are less able to assist us.

Where do you have good working relationships?

The ones you might expect, for example, the U.K. and Canada.

But not necessarily Russia?

We have good law enforcement relationships with a lot of countries.

There have been reports of network-based attacks coming from abroad, but does our military take countermeasures to launch network-based attacks itself?

I cannot comment on that because our mission is limited to warning of and responding to attacks on critical systems in the U.S. or attacks on other systems where there is a violation of U.S. federal criminal law.

Recently, a draft document was leaked that outlined White House plans for a government-wide intrusion-detection system called the Federal Intrusion Detection Network (FIDNET). This raised concerns by civil liberties groups about government monitoring. Should we be concerned?

Let me just say that most of the media accounts I've read - it's only a concept, the Federal Intrusion Detection Network - have been extremely inaccurate. The concept, in essence, amounts to deploying intrusion-detection networks for federal agencies - civilian agencies, not Defense agencies, because they already have this type of system.

But on federal civilian agencies, it would use analysis of attack signatures to look for indications that somebody was trying to gain illegal access to the system. That is something any rational company that's engaged in e-commerce or otherwise engaged on the Internet would have - and that most federal agencies already have in place. What FIDNET would do is link up those sensors at various agencies into one place, one central analysis facility that would be managed by the General Services Administration. This way, the federal government would have the capability to see the big picture of what was going on across federal agencies rather than just having a systems administrator at the Department of Commerce know what's happening to her agency, or the systems administrator at the Department of Energy know what's happening at his agency.

But we would get information if the GSA facility saw some evidence of a possible federal crime, and they would notify us and give us the relevant information. That would be the only time that the NIPC or the FBI as a whole would get access to the information about the network for possible intrusions. So this [FIDNET] concept has been reviewed by the Department of Justice, which has approved of the legality of the concept under the Electronic Communications Privacy Act (ECPA). Because systems administrators operating under their system administrator authority under ECPA would be looking for indications of illegal activity in their own networks, which they are legally entitled to do. And should they see possible federal criminal activity it would be reported to the FBI. And so it would be no different from federal agencies reporting criminal activity to the FBI in the physical world.

Would there be a lot of data capture for analyzing content and storing it?

It would depend on how the sensors are calibrated. But the basic legal authority exists under ECPA for systems administrators to look for illegal activity on their own systems. And they would also have banners on those systems, just as they do today, saying the network is federal government property and anyone who is engaged in activity with that system is subject to being watched by the system administrator.

So this would not be something that would be done by telecom firms or ISPs?

This is strictly for federal agencies. That's another big inaccuracy in a lot of the media reporting. This is just for federal agencies, not for private-sector companies. We're urging the private sector to make sure they protect their own systems and one aspect of protection is having good intrusion-detection systems to detect illegal hacking. But we're urging them to do this on their own since we can't require them to do anything in this area.

A lot of this intrusion-detection technology is still quite new and not evolved to act in a way one might want. Given that, if the FIDNET idea goes forward as planned, is there any idea how much this would cost to deploy?

You'd be better off asking the folks at the White House or GSA, who are the main folks behind the concept. But it would depend largely on how widely deployed the sensors were, where they were placed in the network, how many you needed, and how many people you require to actually examine and analyze the information that's derived from it.

As far as the legal aspect of this, some civil liberties groups assert that it would change the way the FBI looks for criminals because the FBI would no longer be working under a wiretap mode for approval, but they'd be essentially looking at everything for trouble. Is that right?

No, the way you just described it is incorrect because we would not be looking at everything. The GSA and the systems administrators at the agencies where the sensors are deployed would be looking for any suspicious activity on their networks. And information would be conveyed to the FBI only when there was evidence of possible federal crimes. So it would be, in fact, entirely consistent with the way we operate now - which is people report to us when there is a possible federal crime and we investigate. And to gather information, we have to conform to the exact same statutes and regulations and attorney general guidelines we've used in every other investigative area.

Can you say in general how many cases the FBI or the NIPC is involved in trying to find the perpetrators of network-based crimes?

There are over 800 pending investigations involving illegal intrusions or dissemination of viruses, which is a big increase over last year. Pretty much every year for the last several years we've seen approximately a doubling of the number of pending cases.

Do you think that's because people in the government and corporate worlds are just getting better at understanding what's happening to them and reporting it? Or is there this incredible explosion of interest by hackers?

I would speculate that it's a function of both of those things - more criminal activity going on and also more reporting of activity. And it's also a function of the fact that for the last year and a half we've made training our investigators on these kinds of cases a priority.

How many specialists or agents do you have associated with these kinds of cases?

In the field offices, we have 209 special agents working on these sorts of matters, plus another 10 supervisors. And they are supplemented in the field offices where we have full-fledged squads; there are 10 squads. The agents are supplemented with computer specialists and analysts who can help on some of the real high-end technical questions.

For the last six months there have been reports that the FBI was stepping up its prosecution of hackers. Is this the case?

If you're asking if we're suddenly ramping up our efforts to go after hackers, the answer is no. What we are trying to do is build our capabilities through training for our investigators and through possessing better equipment for our field offices, and providing guidance on how to conduct these operations so that we can deal with cybercrime. We are not going after any particular group or type of threat. But the president recognized, in the issuance of a directive in May of 1998, that our nation, as we continue on into the information age, is vulnerable to a new type of threat. People can engage in cyberterrorism by trying to shut down critical systems. Organized crime can use the same techniques to steal money. Foreign intelligence services can access proprietary information on government networks through these same types of methods. Foreign militaries can use the same techniques to try and attack critical systems here as an element of warfare since they can't match our conventional armaments in terms of warfare. So we are trying to improve our ability, and the government's as a whole, and the FBI's in particular, to deal with these new types of threats.

RELATED LINKS

Other recent articles by Messmer

Defending against cyberattack
The government wants to work with private industry to protect key networks from terrorist attacks, but many in the private sector are skeptical of the government's real aims. Network World, 8/23/99.

Copyright, 1994-2006 Network World, Inc. All rights reserved.