Mon, May 20, 2019

Identity Crisis: FBI Plays Catch-up as Cyberthreats Escalate

In the spring of 2017, the Federal Bureau of Investigation was on the cusp of a dramatic overhaul of the agency’s cyber capabilities. The FBI was wrapping up an agency-wide survey, and one option on the table included getting rid of the bureau’s central cyber division altogether and dispersing digital experts throughout its 56 regional offices.

But just days before FBI officials were scheduled to brief the director on the results of the survey, according to a bureau official working there at the time, President Trump fired James Comey, the bureau’s head.

Comey, who says he was fired after refusing to pledge loyalty to the president, recalled that episode at a recent conference in Washington. “I failed to push us to the decision point of how do we want to deploy against this threat aggressively enough,” he said. “Should we have a cyber division or blow it up?”

He never got the opportunity to make that decision, however. Chris Wray, the current FBI director, “is wrestling with that now,” Comey said.

According to Tonya Ugoretz, the deputy assistant director of the bureau’s cyber division, her office isn’t going anywhere. “There are no plans to not have a cyber division,” she told Yahoo News during an interview. The division “is the locus of all our intrusion investigations, whether that’s nation state or criminal.”

Regardless of the structure, the bureau’s top officials recognize a paradigm shift.

In the United States, digital criminals using everything from weaponized botnets to ransomware are attacking private industry and the government on a daily basis, increasing the demand for experts with skills in cybersecurity, intelligence and law enforcement. So, after nearly two decades of focusing on terrorism and intelligence, the FBI is in the midst of an even more intensive shift toward cyber.

While the bureau has a history of being run by agents with guns, more funding and priority is now being funneled into behind-the-scenes digital experts who can watch network traffic and unravel digital trails back to hackers, and who can explain online activity to judges and secure subpoenas for tech companies. The Department of Justice budget request to Congress for 2019 asks for $370 million to fund the FBI’s cyber investigations and related work.

Now “every field office has a cyber squad” modeled after lessons learned fighting terrorism, said Ugoretz, speaking earlier this year at a conference in Sea Island, Ga. Some field offices are being assigned as leads for specific attacks or threat actors, she said. There is also a rapid response team that can be deployed out of headquarters in Washington at a moment’s notice.

Yet even as the FBI’s need for cyber experts is increasing, its ability to retain agents and employees with the needed technical expertise is under threat. According to interviews with over a dozen former FBI cyber employees as well as other national security experts, a cyber “brain drain” is taking place at the bureau that could hamper its ability to stem the constant flow of digital threats.

The FBI’s loss comes at a critical time. With the 2020 presidential elections approaching, and concerns about foreign interference as well as theft of trade secrets and intellectual property, the need for cyber experts is likely to increase. “Make no mistake, the threat just keeps escalating,” Wray, the current FBI director, told a Senate panel this week, “and we’re going to have to up our game to stay ahead of it.”

That means more than just focusing on Russian influence campaigns. On Tuesday, Florida Gov. Ron DeSantis announced the FBI has briefed him on 2016 Russian hacks of two county election systems in the state.

“Certainly we expect our adversaries will not only continue to evolve technologically, but they’re also always learning from each other,” Ugoretz told Yahoo News. “Much of the conversation from 2016 and 2018 was about Russian efforts to influence the election. But we’re focused on all threats, whether it’s influence or interference in election infrastructure.”

Some of the FBI’s first forays into the digital world came in the 1990s, when computer crimes started to come under the agency’s purview. In the early days, a large percentage of those cases involved tracking child pornography, like the “Operation Innocent Images” case in 1993 that revealed an online network of child predators based off a search for a missing boy in Brentwood, Md. By 2007, according to the FBI, the bureau opened more than 20,000 similar cases.

In 1994, the bureau caught a glimpse of what has today become common: international adversaries committing crimes online. After multiple large banks noticed $400,000 was missing from their coffers, the FBI was ultimately led to a ring of criminal hackers led by a man in St. Petersburg, Russia. Bigger cases followed, like the FBI’s Moonlight Maze, a sophisticated, ongoing digital campaign to steal military technologies that was ultimately linked back to Moscow.

Tim Gallagher, managing director in the business intelligence and investigations practice at Kroll, a division of global advisory firm Duff & Phelps, first got into the cyber field at the FBI in the late 1990s, working on criminal intrusion cases in a small field office in Ohio. There, he attended one of the first meetings of a task force called InfraGard focused on working with the private sector to protect infrastructure in Cleveland.

From Ohio, Gallagher “saw a gradual shift of pretty much every violation we worked on” to the point that each investigation had “a cyber piece.” It was “not about going in and grabbing evidence out of filing cabinets anymore,” he said.

After the terrorist attacks of Sept. 11, the FBI pivoted from a focus on locking up criminals and busting gangs and drug rings to predicting and stopping the next extremist plot at any cost, bulking up intelligence resources and linking up with foreign intelligence agencies for unprecedented information sharing. In 2002, the FBI’s cyber division at FBI headquarters in Washington was created to pursue investigations of “cyber-based terrorism, espionage, computer intrusions and major cyber fraud.”

The FBI employs a variety of different employees to defend against the cyberthreat at its headquarters, around the country and overseas. “By default, everyone talks about agents and analysts,” said Ugoretz, who arrived at the bureau in 2001.

But the division also employs computer scientists, data scientists and data operation specialists, among others. At FBI field offices, each has a cyber task force, and major cities now host a few dozen cyber experts, while smaller ones may be home only to a handful.

According to multiple former FBI employees, former bureau director Robert Mueller — now better known for his role as the special counsel investigating Russian interference in the 2016 presidential election — worked to professionalize the analyst workforce during his tenure, around the same time the bureau began implementing career tracks, one of which was cyber-focused.

Previously, an agent’s ticket to promotion was disrupting a possible terrorist plot, by making an arrest, seizing assets or blocking someone from committing an ideologically motivated crime. But at the end of Mueller’s tenure as FBI director, agents started getting pulled off counterterrorism squads to work on cyber investigations, and the cyber division was reorganized to focus exclusively on intrusions, i.e., hacks or unauthorized computer access, as opposed to crimes that had only a digital component. “Around 2013, the writing was on the wall that cyber was becoming a higher priority than it had ever been before,” said Jim Harris, a former FBI agent who worked on cyber cases and later co-founded a startup.

At the same time, the bureau was applying lessons from fighting terrorism to the digital realm. “The FBI shifted its cyber intrusion emphasis from reacting to cyber-attacks to predicting and preventing them,” according to a 2015 DOJ Inspector General report.

The emphasis on prediction and prevention resulted in other changes. For example, child pornography, a digitally enabled crime that occupied a large amount of cyber agents’ time, was shifted to the criminal division, freeing up other agents to do more intelligence-related work. This shift toward broader national security may have come from a bureauwide effort “because that’s where the money is,” said one former FBI agent who requested anonymity to speak candidly. The FBI “constantly ceded ground to other agencies as a result of this.”

Ugoretz argues the “shift” toward cybercrime has been gradual, and that the bureau’s primary targets have not changed. “I don’t know if I can speak of a specific transition,” she told Yahoo News. “This has been a gradual evolution. The bureau has always adapted to new technologies; I see cyber in much the same way.”

By around 2010, cyber investigations were already bleeding into all of the FBI’s major operational divisions, from counterintelligence to counterterrorism, according to Harris.

In one case, the bureau arrested Hector Xavier Monsegur, known online as Sabu, for hacking private U.S. businesses and government agencies, then used him as an informant to indict other hackers. The bureau spent years hunting down terrorists disseminating propaganda and committing crimes online. In more recent years, the bureau has been at the forefront of the biggest cyber cases in modern history, including Russian interference in the 2016 U.S. presidential election and Chinese state-directed hacking.

In a recent case from January of this year, a U.S. company and its 600 or so employees suffered a ransomware attack that “completely crippled their operations,” threatening to shut down the business entirely, said Ugoretz. However, the cyber division had experience with the perpetrator, and intelligence that enabled them to help unlock the company’s files and restore operations in three days.

While the bureau’s major arrests in cyber cases often make headlines, the numbers are too small to make a significant dent in cyber crime, according to analysis from the national security think tank Third Way, which determined that the FBI is arresting the perpetrators in less than 1 percent of malicious cyberattacks.

Part of the problem is that cyber crimes are committed by a variety of people and organizations, ranging from nation states and criminals to terrorists and organized criminal gangs, according to Jim Baker, the former FBI general counsel now working on cybersecurity and workforce issues at R Street, a think tank. Because of the overlapping responsibilities involved in dealing with those different types of threats, “the cyber division has a bit of an identity crisis,” said Baker, who noted he is a supporter of the division despite its issues.

The problem that Baker refers to can be seen at both the lower and higher levels of the FBI. Over the last two years, the press has tracked several high-profile departures from the FBI’s senior cyber leadership. Last July, the Wall Street Journal revealed three top FBI cyber officials were leaving within the same month, and Politico detailed the loss of about 20 “cybersecurity leaders” — a fraught time for the FBI, with a near constant barrage of criticism from the president.

At the top levels, the investigation into Hillary Clinton’s email server and routine attacks from President Trump have taken a toll, according to several former FBI officials. But the cyber brain drain is affected by many factors, and as the FBI transitioned from a building run by agents with guns to an agency full of technical experts, retention of those with cyber skills has become a major problem.

Both senior officials and more junior FBI employees are eyeing the door or have already left for a number of reasons, according to former FBI employees who spoke with Yahoo News. One of the major issues they cited has been the relationship between the field offices and headquarters, and the lack of clarity on how cyber skills would be incorporated into cases.

The question for Comey, who was weighing the plan to eliminate the cyber division, was whether having a part of the bureau dedicated to a specific criminal vector, like the internet, made sense. After all, the bureau never created an automobile division, despite the revolutionary shift in crime cars brought about. “Criminals were suddenly moving at breathtaking speeds at distances we couldn’t imagine,” he said. “The challenge for the FBI was, you couldn’t have an automobile division. …Everybody had to learn to drive.”

Experts argue that Comey’s comments make sense, and that the bureau needs to require a certain level of digital literacy and cyber know-how across the board to confront the issue.

“Criminal reliance on technology is so great that cyber competence is an essential, not specialized, part of law enforcement,” said Mieke Eoyang, vice president of the national security program at the think tank Third Way, who is currently researching FBI and workforce issues. “Unfortunately, we don’t see law enforcement developing a strategic, coherent approach to integrating cyber into their skill set.”

Ugoretz challenged the notion that the bureau is pivoting toward “cyber” crime the same way it reorganized to focus on terrorism. “The way cyber is talked about, it’s as if it’s something wholly unique, not something that’s connected to everything we do,” she said. “I think that’s not correct.”

“I know there’s been some analogies made to the post 9/11 shift in resources ... [but] it’s about making sure everyone, no matter what they’re working, has the perspective of whatever targets they’re working, whether it’s a criminal, nation state, hacktivist, how they’re using cyber-means to meet their objectives,” she said.

The essential challenge is how to make the entire bureau digitally competent. That includes providing basic digital training in how to apply for subpoenas to get information about a post on an online forum or on a social media website, remarked one former FBI cyber manager. However, the true technical work involved in intrusions is so “in the weeds” that many are not interested or not capable of developing those skills, the former manager said.

Multiple former FBI employees told Yahoo that part of the problem is that the bureau has been dominated by agents, while other employees with the specialized technical skills — sometimes dubbed “tech ninja wizards,” as one former FBI employee put it — have little opportunity for advancement.

Employees also found the bureaucracy and paperwork associated with the FBI can be “crushing,” said one former FBI cyber employee. This is particularly true for anyone used to working in Silicon Valley. “You may have this grand vision of entering into a career of awesome cyber investigations and come to the realization that half your time will be paperwork.”

That paperwork, argued Ugoretz, is there for a reason. “Our primary mission that’s in really giant letters in the lobby is about preserving the Constitution and protecting the American people, and we can’t forget that part.”

Some employees with technical skills felt their talents were being underutilized due to bureaucratic ranking systems. “The bureau sucks at retaining people,” said one former FBI agent. “They actively drive talent away because they do not let the people they hired for their skills use the skills they were hired for in the first place.”

One of the biggest concerns for the bureau is competition from the private sector. Over recent years, the other intelligence agencies, particularly the NSA, suffered an exodus of talent amid disruptive reorganizations, clashes between military leadership and a civilian workforce, and lucrative salaries on the outside. The bureau is now facing a similar fate, though several former FBI employees interviewed by Yahoo said the bureaucratic roadblocks make it more difficult for the FBI to reward talented young cyber employees based on their rank, whereas NSA is better positioned to do that.

“It’s a highly competitive marketplace for talent,” said Gallagher, the former FBI special agent who now works at Kroll. “There’s literally over a million vacant cybersecurity jobs around the country.”

Even the FBI efforts to train employees, as opposed to recruiting cyber experts, can backfire. According to four of the former FBI employees interviewed by Yahoo, the FBI’s cyber training is extremely valuable — so valuable that it often allows them to find lucrative jobs in the private sector. It was after the training phase that people started leaving.

“The FBI is kind of a victim of its own success,” said one retired FBI agent. “Some people who landed in the cyber track felt like they were trapped,” the official explained, unable to return to criminal cases and play the field.

Former FBI cyber employees who spoke to Yahoo, as well as others whose departures were publicly announced, left the bureau for jobs in banks, consulting jobs, threat intelligence firms and even the NFL.

One of the reasons the FBI employees in New York leave is they can’t afford to live there on a government salary, a problem that extends to other tech hubs like San Francisco, Boston and Washington. High-ranking FBI employees can make in the six figures, but multiple former FBI employees, both agents and other employees, told Yahoo News their salaries often doubled or rose substantially when making the jump to the private sector. Seeking promotion within cyber roles at the bureau is also difficult, according to one former FBI cyber supervisor. “If you want to stay in cyber, promotion is unbelievably hard,” he said.

Even beyond the FBI’s own internal problems, it also faces challenges from inside government. As is often the case within the vast federal bureaucracy, cyber is subject to turf battles among agencies. The U.S. Secret Service is moving into cyber investigations, and routinely brings financial cases forward, and the Department of Homeland Security, created in 2002 following the 9/11 attack, has expanded into defending the nation’s networks and critical infrastructure from cyberattacks. In November 2018, the Trump administration mandated the creation of the Cybersecurity and Infrastructure Security Agency within the DHS.

Both the DHS and the FBI work with the private sector, and handle sensitive information on breaches, but the FBI and the Department of Justice serve as the lead for responding to a cyberattack, collecting evidence and tracking down those responsible, while DHS is in charge of “asset” response, offering technical assistance to prevent further damage.

Those lines aren’t always clear cut, however. “They’re constantly stepping on each other’s toes,” said one former FBI cyber employee, though cooperation has improved over time, others said.

While bureaucratic infighting and difficulties keeping talent are not necessarily new issues to the federal government, they are likely to be critical as the FBI prepares for the 2020 election. And behind the scenes, the FBI’s leadership appears to now be recognizing problems with retaining its cyber workforce, and within the last several months, the bureau began conducting a survey on retention of cyber employees, according to one source who received a copy of the questionnaire.

According to the FBI, the voluntary attrition rate for special agents in 2018 was 0.5 percent, while 2 to 3 percent chose to leave the cyber division.

“This isn’t just an FBI issue,” Ugoretz said of retention problems. “There’s certainly great demand in the government, private sector, academia, everywhere for people with cyber skill.”

Despite their complaints and concerns, nearly every former FBI employee who spoke to Yahoo News said they have thought about going back to government, nearly all citing the bureau’s national security mission as a primary factor.

But experts argue fixing the FBI’s problems, and retaining employees, will require major changes directed from the top, as well as support from Congress and the White House. Baker, the retired FBI general counsel, said that’s what Mueller did following 9/11, and something of that magnitude will be required now.

“The FBI is well aware of the seriousness of the cyberthreat and that it must organize itself to deal effectively with that threat. Doing so will require leadership and effective management,” said Baker.

“Some china is going to have to be broken,” he concluded.


This article first appeared in Yahoo News.
