FBI struggles to keep top cyber talent
With help from Eric Geller and Martin Matishak
FBI’S CYBER RETENTION WOES — The FBI is struggling to retain its top cybersecurity officials due to a combination of high-paying private-sector jobs and a mandatory retirement deadline for veteran agents, a long-running problem that is getting more attention amid growing cyber threats to power plants, hospitals and election systems, Eric reports. The latest indicator of this dilemma came last month with the departures of four senior cyber officials. “It is absolutely imperative that the FBI try to retain as many senior leaders as they can, especially due to the current state of how the public and others may view the organization,” said a former senior FBI cyber official. And while the departures won’t disrupt investigations or rattle agents, they raise broader concerns. The losses “represent a more serious issue for the FBI’s cyber mission and strategy,” said a former FBI official who specialized in cyber cases.
The dynamic that pushes experienced officials to the private sector is unavoidable, said a current FBI agent involved in cyber investigations. “As cyber moves up the ladder of priorities for [the] private sector, our execs get these lucrative offers,” the agent said. At the same time, veteran FBI supervisors “hit a ceiling” where more promotions are rare, and “the natural option is to bounce out, assuming they’re eligible” for retirement benefits. “Even for the most dedicated,” said Austin Berglas, a former head of the FBI New York field office’s cyber branch, “the lure of private sector pay and benefits for young agents with growing families and college-aged children could prove to be destructive to the FBI’s mission over time.”
The question now is who will fill the newly open positions, which include the assistant director in charge of the FBI’s Cyber Division. Some agents worry that bureau leaders will select replacements from the ranks of other, mostly unrelated divisions. “It would show a lot that the culture hasn’t changed if a 20-year organized crime agent … gets appointed to [be] the [assistant director] of Cyber,” said a former senior cyber agent who speaks regularly with current officials. This person also acknowledged cause for hope, however, saying there had been “a significant surge in rank-and-file cyber agents” taking leadership roles.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Brace thyselves, dear readers, for today’s edition is perhaps the most mammoth edition with which your MC host has ever been affiliated. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WE’RE ON IT — Senior Trump administration national security officials on Thursday tried to reassure Americans that the president and his team were laser-focused on combating Russia’s election meddling. “The president has specifically directed us to make the matter of the election meddling and securing our election process a top priority, and we have done that and are doing that and will continue to do so,” Director of National Intelligence Dan Coats told reporters at the White House press briefing, during a surprise appearance from several of the government’s top security leaders. National security adviser John Bolton said Trump “has made it abundantly clear to everybody who has responsibility in this area that he cares deeply about it … and that he supports them fully.”
But even as the officials spoke with one voice about the Russian hacking threat and their coordinated efforts to battle it, they offered few details about their election security activities. Coats noted that his office leads an interagency working group on election security composed of officials from DHS, the DOJ, the FBI, the CIA and the NSA. And he mentioned that the intelligence community was tracking attempts to hack “candidates and government officials alike.” But he declined to identify those targets, even as Democratic Sens. Claire McCaskill and Jeanne Shaheen have publicly acknowledged being among them. Virginia Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, said the briefing only underscored Trump’s disconnect from his national security team.
The officials also tried to warn Russia and other U.S. adversaries to stand down. Gen. Paul Nakasone, director of the NSA and head of U.S. Cyber Command, said the U.S. was prepared to aggressively rebut election interference. And DHS Secretary Kirstjen Nielsen said her agency’s partnership with state officials had produced significant results. “The progress we have made is real,” she said, “and the nation’s elections are more resilient today because of the work we are all doing.”
LIMITING RISKS — Starting Thursday and continuing today, Fairfax, Va., is carrying out a pilot program to determine the best way to conduct risk-limiting audits, a measure touted by election security experts as key to ensuring the proper results. Colorado is the only state thus far to complete a statewide risk-limiting audit, and Fairfax became the third local government in the nation to launch a pilot, according to Liz Howard, cybersecurity and elections counsel in the democracy program at the NYU School of Law’s Brennan Center for Justice.
Thursday’s activity included testing out one such method of auditing, with two more on the schedule today. Thursday turned up one anomaly, a blank ballot cast in June’s Republican primary for the U.S. Senate, but the system accounted for that. “That just proved to me that the process worked,” Brenda Cabrera, the director of elections and general registrar for Fairfax, told MC. “The scanner did what it was supposed to do.” Overall, things went too well, she said: The process moved more swiftly than expected, which meant they had to wait for cameras to show up that were planning to film the occasion.
A Virginia law that went into effect July 1 requires risk-limiting audits, putting the state alongside Colorado and Rhode Island. (Some other states use other kinds of post-election audits, but election security advocates consider risk-limiting audits the best and most efficient, Howard told MC.) “This is like a laboratory learning experience for everyone to see how these things work,” Verified Voting President Marian Schneider, whose software was used in Thursday’s tests, told MC. Another Thursday highlight: the rolling of a 10-sided die to help randomly select ballots. “It was really, really awesome,” Howard said.
FIRST IN MC: JIHADI OUTLETS MIGRATING ANEW — French-language media outlets affiliated with al-Qaida in Syria are contemplating a move to the encrypted social media network Minds.com, according to an analysis out today from the Middle East Media Research Institute. “Jihadi media operatives are known to attempt to spread their content in various ways, including migrating to new social media platforms, with the aim of maintaining the flow of information despite efforts made by governments and media platforms to block it,” the analysis reads. One account that popped up on the site on July 23 apparently was shut down Wednesday. At least a couple remain, according to MEMRI.
PERSISTENT PROBLEMS — Federal agencies are still struggling to give their leaders high-quality data to support spending and policy decisions, a DHS cyber official said Thursday. “The data behind cybersecurity compromises is still very new,” Brad Nix, a senior adviser at DHS’s National Cybersecurity and Communications Integration Center, said at a MeriTalk event in Washington. “The data, just from a budget justification standpoint, is sort of difficult to nail down.” As a result, he said, it was hard for cyber personnel to tell their bosses with confidence that $1 million spent on cyber defense had kept an adversary out. (In fact, Nix said, they might not even know that the adversary had already gotten in.)
These data challenges also vexed the private sector, Nix said, pointing to the insurance industry’s struggle to assign dollar figures and probabilities to their services. Developing metrics for success in cyber defense is “still an evolving effort that doesn’t have any clear-cut answers just yet,” he said. “It’s very, very hard.”
Speaking on the same panel at the MeriTalk conference, a top TSA security official painted an even grimmer picture about the continuing success of spearphishing attacks. “One of the best ones is when you say we’re going to have a raffle for Redskins tickets,” said TSA Chief Information Security Officer Paul Morris. The fake spearphishing emails from Morris’ team invite TSA employees to click a link to sign up for the raffle. Morris said that despite years of simulations and training, almost every time “there’ll be somebody there clicking that thing 10 times.”
But Morris uses these events as a teaching opportunity, inviting the people who clicked the link to attend a “raffle drawing.” “There’ll be 50 people there waiting for the raffle,” he said, “and we’ll do security awareness training.” Morris said he watched digital adversaries try new techniques to evade detection. “But they’re going to continue to phish,” he said. “That’s still 80 to 90 percent of the way in.”
LINE OF DMARC-ATION — Sen. Ron Wyden wants to know from DHS how the federal government is performing in its implementation of a mandate to adopt an email anti-spoofing standard. In a letter Thursday to the department about the standard — known as Domain-based Message Authentication, Reporting and Conformance — he also said he wanted to know whether DHS has obtained any “actionable cyber intelligence” from its data on DMARC adoption. “Requiring agencies to transmit email impersonation threat data to DHS is only the first step,” he said. “DHS must then collate and analyze those reports in order to understand the scope of the threat and determine how best to protect federal agencies from impersonation.”
HAPPY INDUSTRY DAY — DHS’s main cybersecurity wing is hosting an industry day Aug. 16 to swap its agenda with potential contractors. Topics on that agenda for the National Protection and Programs Directorate’s Office of Cybersecurity and Communications include election security, protecting federal sites, cloud migration, the Continuous Diagnostics and Mitigation program and upcoming procurement opportunities. The theme of this year’s industry day is “Partnering for a More Secure Cyberspace,” according to the late Wednesday notice.
PRICE TAG FOR CDM BILL — The new bill that would codify into law the aforementioned Continuous Diagnostics and Mitigation program would cost less than $500,000 over the years from 2019 to 2023, according to a new Congressional Budget Office estimate. The bill, H.R. 6443 (115), which the House Homeland Security Committee approved, also requires DHS to prepare a strategy on the multibillion-dollar, multiyear program that helps protect federal agency networks. That part of the bill is what imposes the costs, according to the CBO.
WHOA, A CYBER BILL MIGHT BECOME LAW! — The Senate passed a bill, S. 770 (115), directing technical standards agency NIST to make cybersecurity resources available to small businesses to help them use NIST’s voluntary framework, and to take into account their needs when working on new standards. It’s now headed for the president’s desk after this week’s vote. “As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Sen. Brian Schatz, who co-sponsored the bill with Sen. Jim Risch.