Criminals and other malicious actors rely on the internet and evolving technology to further their operations.¹ They exploit cyberspace, where they can mask their identities and motivations. In this domain, criminals can compromise financial assets, hacktivists can flood websites with traffic—effectively shutting them down, and spies can steal intellectual property and government secrets.

When such cyber incidents occur, a number of questions arise, including how the federal government will react and which agencies will respond. These questions have been raised following a number of high-profile breaches such as those against the U.S. Office of Personnel Management² and the Democratic National Committee,³ as well as intrusions into a number of federal agencies and other organizations via network management software produced by SolarWinds.⁴ Federal law enforcement has taken the lead in investigating cyber incidents, attributing certain malicious activities to specific perpetrators, and prosecuting cyber threat actors.

This report outlines the federal framework for cyber incident response, highlighting the Department of Justice's (DOJ's) role in this response. It also discusses challenges for federal law enforcement and potential policy issues for Congress.

Defining a Cyber Incident

A principal issue in understanding how the federal government responds to a cyber incident is the definition of a "cyber incident." A host of terms are used in discussing malicious activity with a cyber, online, or technological component. These range from cyberattack and cyberwarfare to cybercrime, cyber espionage, and cyber terrorism. A key distinction between these malicious incidents is the actor's motivation. For instance, a criminal may be profit motivated, while a terrorist may be politically motivated. However, "[t]he speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all."⁵

"Cyber incident," therefore, is an umbrella term encompassing a range of malicious activity carried out by diverse actors with varying motivations and capabilities—all of whom exploit cyberspace.⁶ The federal government has defined a cyber incident as

[a]n event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.⁷

As such, an incident could capture an array of activities carried out by malicious actors ranging from hacktivists and criminals to nation states and terrorists. Notably, the federal government has not developed official definitions for specific subsets of cyber incidents—such as cybercrime—that distinguish them from other subsets of cyber incidents.⁸

U.S. Cyber Incident Response

Federal law enforcement has the principal role in investigating and attributing cyber incidents to specific perpetrators, and this responsibility has been established within the broader framework of federal cyber incident response.⁹ The 2016 Presidential Policy Directive/PPD-41 outlined how the government responds to significant cyber incidents—those that are "likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."¹⁰ Responding to cyber incidents involves (1) threat response, (2) asset response, and (3) intelligence support. DOJ, through the Federal Bureau of Investigation (FBI) and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response.¹¹ Asset response and intelligence support responsibilities are led by other federal agencies.¹²

The concept of threat response, as outlined by PPD-41, involves

conducting appropriate law enforcement and national security investigative activity at the affected entity's site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.¹³

Due to the nature of crime and other malicious activity in the technology era, a number of departments and agencies with law enforcement capabilities are involved in responding to cyber threats.¹⁴ This section, however, highlights the activities led by DOJ—specifically, by the FBI.

FBI Cyber Investigations

The FBI pursues cybercrime cases ranging from computer hacking and intellectual property rights violations to child exploitation, fraud, and identity theft. Its top priorities involve combating computer and network intrusions and investigating ransomware. While some of these cases may be significant cyber incidents, others may not. The FBI's cyber priorities are focused on "high-level intrusions by state-sponsored hackers, global organized crime syndicates, and other technically sophisticated and dangerous actors."¹⁵ One key challenge, acknowledged by officials and others, is how to move away from reacting to malicious cyber events and toward preventing them.¹⁶

Indeed, the multifaceted approach of the FBI's new cyber strategy involves not only responding to cyber incidents through arrest and indictments but also working with a range of public and private partners to share information about cyber threats to prevent and react to incidents.¹⁷ The hub of these partnerships within the federal government is the NCIJTF, led by the FBI. In addition, the FBI established the National Defense Cyber Alliance to share intelligence with the defense industry and the National Cyber-Forensics and Training Alliance to share information with industry partners, academia, and the financial sector. The FBI also runs a number of cyber task forces and has been working to enhance its cyber workforce.

National Cyber Investigative Joint Task Force

The NCIJTF was established by National Security Presidential Directive-54/Homeland Security Presidential Directive-23 in January 2008. As established, the NCIJTF's mission is to "serve as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations."¹⁸ The NCIJTF coordinates the efforts of more than 30 U.S. agencies including law enforcement, intelligence, and the military. It also collaborates with the private sector and international partners.

One major initiative of the NCIJTF, Operation Clean Slate, aims to disrupt and dismantle significant botnets threatening the United States.¹⁹ In one prominent case under Operation Clean Slate, the FBI led an international law enforcement effort to disrupt the GameOver Zeus botnet.²⁰ GameOver Zeus was a variant of the Zeus botnet, which would steal online banking information and transfer funds to money mules, U.S. residents with bank accounts who would move the money out of the United States. In this case, law enforcement was authorized to sever communication between infected computers and criminal-controlled servers. Officials also indicted an alleged administrator of GameOver Zeus, "charging him with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering."²¹

Early in its inception, there were concerns about the effectiveness of the NCIJTF. One was that "the NCIJTF was not always sharing information about cyber threats among the partner agencies."²² There were also criticisms that the NCIJTF was perceived as an extension of the FBI's Cyber Division rather than as a multiagency effort—potentially hindering its collaborative mission. DOJ's Inspector General noted in 2015 that these issues had improved.²³

In combining resources of the NCIJTF with its own, the FBI runs a 24-hour cyber command center known as CyWatch. This center is charged with "coordinating domestic law enforcement response to criminal and national security cyber intrusions, tracking victim notification, and partnering with other federal cyber centers."²⁴

Cyber-Related Task Forces and Partnerships

The FBI leads a variety of law enforcement task forces and partnerships focused on cyber threat response.

• There is a Cyber Task Force (CTF) at each field office. These CTFs focus on local cybersecurity threats, respond to incidents, and maintain relationships with companies and institutions. They also support the national effort to combat cybercrime by participating in national virtual teams on certain cyber issues and providing cyber subject matter experts or surge capability outside of their territories, when needed.²⁵
• In 2006, the FBI established Cyber Action Teams (CATs) of agents and computer scientists that can be rapidly deployed around the country or the world to assist in computer-intrusion investigations. CAT members have expertise in various computer languages, forensic investigations, and analysis of malware.²⁶
• In addition to domestic field offices pursuing international leads in investigations, the FBI has positioned cyber assistant legal attachés (ALATs) in some foreign countries. These ALATs work with law enforcement in host countries to share information, collaborate on investigations, and enhance relationships with partner agencies. They focus on "identifying, disrupting, and dismantling cyber threat actors and organizations."²⁷

Private Sector Information Sharing and Collaboration

In addition to its partnerships with law enforcement, the FBI has established several initiatives to interface with the private sector regarding cyber incidents. They collect and share information, build partnerships, and enhance awareness.

• The FBI stood up the Internet Crime Complaint Center (IC3) in 2000. Its mission is two-fold: (1) act as a reporting mechanism for the public to submit information on potential criminal activity facilitated by the internet, and (2) foster law enforcement and industry alliances. Information is shared with law enforcement to bolster investigative and intelligence activities and with the public to enhance awareness.²⁸ Law enforcement can remotely search the IC3 database through the FBI's Law Enforcement Enterprise Portal.²⁹
• InfraGard is a collaboration between the FBI and private sector partners. These partners include business executives, entrepreneurs, computer professionals, academia, the military, law enforcement, and other government officials. The program facilitates information sharing with the goal of protecting U.S. critical infrastructure.³⁰ The alliance originally focused on cyber threats and has since expanded to include other threats that might impact critical infrastructure.
• The National Cyber-Forensics and Training Alliance (NCFTA) is a nonprofit information-sharing organization bringing together subject matter experts from law enforcement, the private sector, and academia to target cybercrime.³¹ The NCFTA produces unclassified intelligence assessments and develops strategies to mitigate cyber threats. The FBI can use this information to initiate or bolster law enforcement investigations.³²

While mechanisms have been developed to share information between the FBI and the private sector, a number of barriers to effective sharing have been highlighted. These include "(1) a perception by the private sector that information flows in one direction—to the FBI; (2) information, when provided by the FBI, is often not useful because it lacks context or is outdated; and (3) private sector concerns regarding how the FBI will use the information that is shared."³³ With respect to the concern about unidirectional information flow, some of the information becomes part of ongoing investigations and is thus marked as law enforcement sensitive or otherwise classified, which limits its sharing. However, the FBI has developed unclassified products that it can share with private sector partners that include information on technical indicators and information private entities can use to bolster protection for their networks as well as contextual information on current threats posed by cyber criminals.³⁴ Some private sector entities have noted that the information they receive from the FBI can be outdated or lacking substance. When the FBI receives information on cyber threats, it may take time to scrub sensitive or classified information from reports that it can share with its private sector partners. In a similar vein, private entities may be reluctant to share information with the FBI out of concerns surrounding how the FBI may handle—or potentially release—proprietary information and personally identifiable information from companies' records.³⁵ The FBI has noted that, even after a breach, a majority of private sector partners do not automatically engage federal investigators and instead turn to private firms for attribution and remediation.³⁶ For instance, the Democratic National Committee retained a firm named CrowdStrike to secure its network when it discovered a breach—attributed to the Russian government.³⁷ The FBI has been encouraging private companies and organizations to reach out directly to law enforcement to help investigate, attribute, and mitigate breaches.

Of note, the FBI indicated that many victims of cyber breaches—often companies and organizations—do not know they have suffered an intrusion until the FBI notifies them.³⁸ The bureau had established Cyber Guardian "for tracking the production, dissemination, and disposition of cyber victim notifications which can help victims mitigate the damage caused by cyber intrusions and increase the potential for intelligence collection by the FBI." DOJ's Inspector General found the data in Cyber Guardian to be incomplete and unreliable, thus preventing the FBI from knowing whether all victims had been notified of breaches.³⁹ The FBI has been in the process of replacing Cyber Guardian with a system called CyNERGY; assessments of this system have not been made public.

Congress has, for some time, shown an interest in cyber information sharing; in the context of examining the FBI's response to cyber threats, policymakers may specifically look into information sharing between the private sector and federal law enforcement. They may debate whether Congress can or should help reduce barriers to information sharing. While some have noted potential benefits of increased information sharing, there have also been concerns that such sharing—specifically in the direction of public to private—could potentially compromise law enforcement investigations and national security.⁴⁰

Cyber Workforce

In addressing the cyber threat, the FBI faces challenges in both recruiting and retaining an appropriate cyber workforce.⁴¹ On the recruitment side, former FBI Director James Comey noted that it can be challenging to find agents with integrity, fitness, intelligence, and specialized cyber knowledge. One solution might be rethinking whether there should be multiple classes of agents recruited to work on cyber cases. For instance, some of these individuals might have specialized knowledge but do not need to carry a firearm. Another option that has been floated involves easing the current requirement that agents who leave the FBI and wish to return after two years or more must go through the FBI's training academy again.⁴² Policymakers may consider how such changes to the hiring structure could impact the FBI's budgetary resources needed for hiring, training, and retaining cyber-focused agents.

On the retention side, DOJ's Inspector General recommended that the FBI, among other things, "evaluate the effectiveness of the step-by-step training course for FBI agents on how to investigate national security intrusion cases; reconsider the rotation policy for cyber agents and ensure that agents skilled and experienced in cyber intrusions are available to FBI field offices; and consider developing regional hubs with agents that are experts in investigating national security intrusions."⁴³ The FBI has evolved its strategy on assigning computer-intrusion cases. These cases are now assigned to the field office that has demonstrated the greatest strength in investigating a particular type of intrusion, rather than to the field office in the area where the intrusion occurred.⁴⁴ The bureau has noted this fosters competition between field offices to bolster agents' knowledge and skills.

The FBI has a multifaceted cyber training program for agents, and this training has been revised based on results of an internal survey the bureau conducted on it.⁴⁵ FBI cyber training includes (1) a High Technology Environment Training initiative to bolster the technical skills and technological knowledge of the full FBI workforce, (2) SANS Institute⁴⁶ training courses for cyber personnel, and (3) opportunities for certain personnel to earn a Master of Science degree in information technology.⁴⁷

Technology and Investigations

FBI investigators seek to use every tool in their cyber investigative toolkit to combat a range of threats and attribute activities to specific threat actors. Law enforcement has expressed concern that investigators' capabilities may be outpaced by the speed of technological change. For instance, factors influencing law enforcement's ability to obtain information include strong, end-to-end encryption; provider limits on data retention; bounds on companies' technological capabilities to produce specific data points for law enforcement; tools facilitating anonymity online; and a landscape of mixed wireless, cellular, and other networks through which individuals and information are constantly passing.⁴⁸ Much of the discourse in this area is around whether law enforcement should have "lawful access" to information that may be secured by end-to-end, or what investigators have called "warrant proof," encryption.⁴⁹ Notably, law enforcement supports strong encryption to protect networks, devices, and information. However, they note that malicious actors also exploit the widespread use of strongly encrypted communications and devices. Experts have generally recommended that the FBI deploy resources to strengthen its investigative competencies—rather than asking technology companies to build exploitable weaknesses or "backdoors" into their products—so that it can best respond to cyber and other threats.⁵⁰

Lawmakers and officials have continued to discuss how best to simultaneously protect the privacy of encrypted devices and communications as well as support legitimate law enforcement access. In 2016, for instance, members of the House Judiciary Committee and Energy and Commerce Committee established an Encryption Working Group to "identify potential solutions that preserve the benefits of strong encryption—including the protection of Americans' privacy and information security—while also ensuring law enforcement has the tools needed to keep us safe and prevent crime."⁵¹ Four points from the working group's year-end report may contribute to policy discussions in Congress: (1) any measure that weakens encryption would work against the nation's security interests, (2) encryption technology is widely used and increasingly available worldwide, (3) there is no one-size-fits-all solution to the encryption and going dark challenge, and (4) Congress should promote cooperation between the law enforcement and technology communities.⁵²

FBI Cyber Threat Prioritization

Relating to the FBI's work in combating and responding to cyber threats, one question policymakers may have is how the bureau prioritizes cyber threats. The FBI conducts an annual Threat Review and Prioritization (TRP) to delineate the top threats—cyber and other—and direct resource allocation. Within the broader threat prioritization framework, DOJ's Inspector General looked specifically at the FBI's prioritization of cyber threats from FY2014-FY2016.⁵³ The Inspector General's report made two recommendations:

• The FBI should use an "algorithmic, data-driven, and objective methodology" to identify and prioritize cyber threats.⁵⁴ This recommendation is based on the Inspector General's findings that the TRP criteria are subjective and open to interpretation. Changing the methodology may give the FBI a better view of the threat landscape and help the bureau accurately prioritize threats.
• The FBI should "[d]evelop and implement a record keeping system that tracks agent time utilization by threat."⁵⁵ The bureau currently tracks agent time by case classification (such as public corruption or counterterrorism), not specific threats. As such, it may not be able to evaluate resources dedicated to any given threat and evaluate whether a specific cyber threat has been appropriately prioritized.

The FBI concurred with both recommendations. It has reportedly been bolstering its Cyber Division's Threat Examination and Scoping (TExAS) tool, which relies on specific data and a weighted algorithm rather than subjective rankings to prioritize cyber threats. The bureau is also reportedly looking into potential changes to its record-keeping system to track agent time utilization.⁵⁶ Congress may elect to exercise its oversight to examine whether (and if so, how) the FBI has made any adjustments to its cyber threat prioritization regimen. They may also question whether any changes to this regimen could affect where cyber threats fall within the broader framework of threats facing the nation. This could, in turn, have implications for how Congress directs the FBI to use its appropriated funds.