CRS – Justice Department’s Role in Cyber Incident Response

beSpacific 2017-09-13

Via EveryCRSReport.com: Justice Department’s Role in Cyber Incident Response August 23, 2017 R44926.

“Criminals and other malicious actors increasingly rely on the Internet and rapidly evolving technology to further their operations. In cyberspace, criminals can compromise financial assets, hacktivists can flood websites with traffic—effectively shutting them down, and spies can steal intellectual property and government secrets. When such cyber incidents occur, a number of questions arise, including how the federal government will react and which agencies will respond.

The Obama Administration, through Presidential Policy Directive/PPD-41, outlined how the government responds to significant cyber incidents. Responding to cyber incidents involves (1) threat response, (2) asset response, and (3) intelligence support. The Department of Justice (DOJ), through the Federal Bureau of Investigation (FBI, or the bureau) and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response, which involves investigating and attributing specific cyber activities to particular individuals or entities as well as facilitating intelligence and information sharing.

In investigating cyber incidents, the FBI’s Cyber Division focuses on “high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets.” In addition to conducting its own cyber investigations, the FBI leads the NCIJTF, a multi-agency hub for coordinating, integrating, and sharing information on cyber threat investigations; heads up other task forces and law enforcement partnerships focused on cyber threat response, including cyber task forces with subject matter experts at each field office, cyber action teams that can rapidly deploy in response to specific incidents, and cyber assistant legal attachés positioned in certain foreign countries to work with U.S. counterparts; has established several initiatives to interface with the private sector regarding cyber incidents; these resources (such as the Internet Crime Complaint Center, InfraGard program, and National Cyber-Forensics and Training Alliance) collect and share information, build partnerships, and enhance cyber threat awareness; has been working to recruit and retain an appropriate cyber workforce and has developed a multi-layered cyber training program for its agents; and has been discussing with the technology community and policymakers how evolving technology, such as encrypted communications and devices, affects investigations, particularly in cyber-related cases, and how law enforcement can develop tools to investigate these cases most effectively.

Relating to the FBI’s work in combating and responding to cyber threats, one question policymakers may have is how the bureau prioritizes cyber threats. DOJ’s Inspector General, while noting strides in this arena, has recommended that (1) the FBI should use a more data-driven, objective methodology to identify and prioritize cyber threats, and (2) the FBI should develop a means to track agent time spent on specific cyber threats. Policymakers may elect to conduct oversight of the FBI’s efforts in these areas, examine whether any changes to cyber threat prioritization affect where cyber threats rank within the broader universe of threats confronting the nation, and debate whether or how to direct the FBI’s use of funds allocated to combating cyber threats.”