“Exploring InfraGard: A Public-Private Partnership in the War on Cybercrime”

Cyberwarfare and Cybercrime

CCJ 107

Professor Jack Landman Goldsmith

December 19, 2009

Submitted by:

Timothy Malin

Identifying the Problem

The Federal Bureau of Investigation is not as large an agency as one might believe it to be. As of July 31st, 2009, the FBI had a workforce of 32,709 persons. Only 13,249 of their personnel are Special Agents. The remaining 19,460 employees are support professionals such as intelligence analysts, language specialists, scientists, information technology specialists, and legal analysts.[1] To put this in perspective, the New York City Police Department currently has approximately 32,000 sworn officers and an additional 10,000 support personnel. However, the FBI has tremendous and diverse national and international responsibilities outlined by its mission statement that far outweigh those of any other domestic law enforcement agency. After being completely restructured in the wake of September 11, 2001, the priorities of the FBI were redefined. Traditional criminal investigations, like organized crime and gang violence, now receive much less emphasis from the agency. Currently, the Bureau’s top priority is Counterterrorism. Counterintelligence is the second priority, while Cybercrime ranks third on the list.

The FBI’s Cybercrime Division, simply referred to as “Cyber”, is charged with two main tasks. The first is to act as “the lead law enforcement agency for investigating cyber-attacks by criminals, foreign adversaries, and terrorists.”[2] The second is to investigate and attempt to prevent criminal acts that utilize the internet, private networks, or other online services during the commission of the crime. These are instances in which a cyber-attack is not the end goal. For example, criminals and sexual predators that utilize the above mediums to steal from, defraud, or otherwise victimize citizens, businesses, and communities would fall into this category.

The volume of cyber-attacks is ever increasing and the types are continuously evolving. The Cyber Division’s mission is a potentially overwhelming assignment. The FBI has been on the cutting edge of crime fighting since its inception in 1908. But cybercrime represents a relatively new arena in which the Bureau must operate. Methods of law enforcement that the Bureau has successfully employed in the past when combating traditional criminal enterprises are often not applicable in Cyber. Furthermore, as previously mentioned, cybercrime is given third priority in an agency that is simply not very large. Interestingly, Special Agents that are assigned to the Cyber Division after completing training at Quantico are often not cyber-specialists. Although the Bureau tries to place new agents according to background skills and preferred location, the staffing needs of the agency must be met and often take precedence over all other concerns.[3] A new agent may find himself on the front lines in the battle against cyber-attacks despite initially having little expertise or even a desire to be there.

A major challenge that consistently plagues the FBI Cybercrime Division is how to maximize their resources in order to face their increasingly difficult mission. One method that is common amongst law enforcement agencies is the hiring of civilian support members. The FBI now recruits personnel that are extraordinarily technically proficient from the ranks of academia and Silicon Valley. Although they are not able to offer pay comparable to the private sector, the FBI is somewhat successful in attracting talent by advertising their ability to provide employment stability and excitement. Another method of maximizing limited resources is the formation of partnerships with outside entities. This is less common amongst traditional law enforcement agencies. However, the Bureau has been exploring programs that are aimed at tapping into the talent that can be found in the public and private sectors.[4]

Perhaps the most fascinating of these initiatives is the InfraGard Program. It is an extraordinary effort that both maximizes FBI resources and supports the Bureau’s mission in the cyber-arena. InfraGard is worth examining not only because it represents a highly successful partnership between the public and private sector, but because the program demonstrates innovation, flexibility, and adaptability that is not typical of law enforcement.

The History of InfraGard

In 1996, agents in the Cleveland FBI office noticed a trend in attempted cyber-intrusions. Northeast Ohio contains offices for utilities such as American Electric Power, financial institutions such as Key Bank, and a multitude of colleges and universities. Across this wide array of institutions, similar cyber-attacks were being documented. The Cleveland FBI office needed the support from these various sectors to facilitate the investigation. However, in addition to simply gathering intelligence from individual actors, the agents wanted to make sure that these local entities were equally prepared to prevent future attacks. Although it might seem a simple concept today, at this time the FBI had never attempted to facilitate a collaboration between itself, industry, and academia. Acting as a clearinghouse for information, the Cleveland FBI office successfully linked all of their local institutions not just to facilitate their investigations, but to notify participants in close proximity of attacks so that the best preventative measures could be shared and implemented. The program was officially named InfraGard and was an immediate success.

The program was immediately exported to other field offices, but remained very localized until 1998. On May 22 of that year, the White House issued a memo that would prove crucial to the development of InfraGard. Presidential Decision Directive NSC-63 (PDD-63) outlined a strategy for critical infrastructure protection. It was one of the first government policy directives that specifically focused on the fact that a vast majority of the nation’s critical infrastructure was both in the hands of the private sector and increasingly interdependent due to advances in information technology. PDD-63 called for “a closely coordinated effort of both government and the private sector” to reduce the vulnerability of the critical infrastructure.[5] At that time, oversight of InfraGard was transferred to the then FBI controlled National Infrastructure Protection Center (NIPC). The NIPC formalized the InfraGard program guidelines, linked the various chapters into a national program, fast-tracked the creation of additional chapters, and implemented new priorities specifically focused on cyber-infrastructure protection.

In 2001, InfraGard had 518 member firms. On January 5th of that year, the FBI officially nationalized the InfraGard Program.[6] This act mandated that every FBI field office organize an InfraGard Chapter. After September 11, 2001, the NIPC expanded InfraGard beyond cyber-threats and used the program to also address physical threats to critical infrastructure.[7] The Department of Homeland Security, which now has responsibility for critical infrastructure matters, absorbed the NIPC in March, 2003. However, the Bureau retained InfraGard as a FBI sponsored program. This was a logical decision because InfraGard relies on building a network of local chapters that are coordinated by government personnel. Unlike DHS, the FBI already had the necessary agents in place in its existing field offices to continue administering the program. InfraGard has continued to expand and today has a membership that includes all types of American business and industry. Currently, there are approximately 32,300 members in 86 chapters.[8]

The Structure of InfraGard

Although InfraGard falls under the FBI’s Cyber Division, it “also supports Counterterrorism, Counterintelligence, and general criminal matters.”[9] It is managed by the Bureau’s Public-Private Alliance Unit, which is part of the Outreach, Capability & Development Section located at FBI Headquarters in Washington, D.C.[10] Although the Bureau routinely consults with the Department of Homeland Security about InfraGard operations, DHS does not play a role in managing any portion of the program.

The organization of the Federal Bureau of Investigation is the basis for InfraGard’s structure. The FBI has 56 field offices and over 400 satellite “resident agencies”. A field office is a full service “branch” with a complete management structure. Larger cities or locations with historical investigative importance, such as Boston, New York, and Albuquerque, have field offices. A resident agency might be comprised of only a few agents or even a single agent. They have smaller office spaces (if any) and exist primarily to facilitate regional investigations and coordinate with local law enforcement. For instance, Providence, Rhode Island, does not have a field office, but has several resident agents who work both out of their homes and from a small office. All 56 of the field offices and a select few of the resident agencies have InfraGard chapters (e.g. the State of Maine lacks a field office, but organized its own chapter with the help of resident agents). Each chapter is required to have at least one highly trained Special Agent designated as an InfraGard Coordinator. It is important to note that a field office may have more than one chapter and may also have to cover a geographical area extending beyond the city and state in which the field office is located. For example, the Boston Field Office contains three separate chapters which cover four states.[11]

An InfraGard Chapter has three components: the FBI local field office, the local “InfraGard Members Alliance” (IMA), and a group of admitted InfraGard Members. The local InfraGard Members form each chapter’s IMA. Every IMA elects local board members and officers, who are responsible for administering the IMA’s events according to local infrastructure protection needs and for ensuring that the IMA is in compliance with “InfraGard National Members Alliance” (INMA) policies, procedures, and bylaws. The INMA is comprised of twelve Board members (six of whom are elected by the IMAs and six of whom are appointed by the sitting Board members). INMA Board members serve three-year terms. The INMA Board is responsible for representing the IMAs at FBI Headquarters.[12] Board members also travel both to promote InfraGard and to serve as a critical link between FBI Management and the membership.[13] The INMA also has corporate officers who are appointed by the Board to administer the INMA’s corporate affairs. INMA Officers serve one-year terms. In addition, the country is broken down into six InfraGard regions, and the IMA presidents elect regional representatives. The responsibilities of the regional representatives vary from region to region.[1]

Perhaps the most important aspect of InfraGard’s use of the IMAs and the INMA is that this structure is designed to resemble that of a corporate board. This was a conscious organizational decision that was made in 2004.[14] In this regard, the FBI mimicked the private sector in order to increase the efficiency of the program.

Who Can Join InfraGard?

InfraGard is a program designed for critical infrastructure protection. Therefore, it is the Bureau’s desire to attract as many members as possible who work in the industries that PDD-63 defines as together comprising the Nation’s critical infrastructure. These industries include agriculture/food, banking/finance, chemical, defense industrial base, drinking water/wastewater treatment systems, emergency services, energy, information technology, national monuments/national icons, postal/shipping, public health/healthcare, telecommunications, and transportation systems.[15] Additionally, InfraGard welcomes members who are employed at locations, regardless of industry affiliation, that represent individual targets whose destruction would not endanger security on a national scale, but would create a local disaster or profoundly damage national morale. These individual potential targets are known as “key resources” and are defined by the Department of Homeland Security to be commercial facilities, commercial nuclear reactors and the materials and waste associated with them, dams, and government facilities.[16] Although sought after, members are not required to work in critical infrastructure or at a key resource. The FBI also encourages anyone who works for organizations that can assist in assessing vulnerabilities and minimizing risks to join. Even ordinary citizens who have an interest in the subject and a public conscience may join.

Joining InfraGard is completely free and continued membership carries no dues whatsoever.[17] However, there are restrictions in place to regulate who can join. Applicants must be United States citizens residing within the United States.[18] A detailed application is submitted to the local FBI InfraGard Coordinator, who forwards it to the FBI InfraGard Program Office at Louisiana State University. A records check is then completed. The applicant is also thoroughly vetted to make sure they are a person capable of accepting unclassified, but very sensitive, information. If approved, a member must agree to the terms and conditions regarding the handling of sensitive data. Joining requires signing numerous contracts that open a member to both criminal prosecution and civil suits should the individual not abide by the confidentiality clause and break the agreement.[19]

How Does InfraGard Work?[20]

InfraGard operates using one of the fundamental theories of modern law enforcement: if an agency is able to act to reduce victimization, it will reduce offenders’ opportunity, and thus lower crime. Although law enforcement is often criticized for being simply reactive, there has been a movement in the last three decades to shift the method of thinking to being proactive in nature.[21] InfraGard is the FBI’s attempt to be proactive in combating cybercrime. The key component of this attempt is also the “backbone” of the InfraGard program: the secure website that members are given access to. The InfraGard website is the main resource by which members can view in-depth updates, receive security alerts, and find data relevant to any concerns they may have.

Each bulletin that is transmitted on the secure website is referred to by the FBI as a “product.” In 2008 InfraGard released approximately 1200 products to its members. Although the website contains cyber-security data compiled from sources such as other government agencies, private companies working in network security related fields, and even the media, the products are usually the most valuable offering for members. Products may be released based on a specific threat to critical infrastructure the FBI has discovered. A product may also be generated when an InfraGard member becomes the victim of an attempted or successful cyber-attack, network intrusion, or cyber-related crime. The victim company then notifies their local chapter’s InfraGard Coordinator, who records all necessary data in a report. The coordinator then forwards the report to FBI headquarters in Washington, where the case is “sanitized.” In the sanitizing process, all information that might be used to identify the victim company is stripped from the case. Details as general as the city of occurrence are deleted from the fact pattern. The end result of this process is the aforementioned “product.” Products are transmitted from Washington D.C., never from local InfraGard chapters, so that other readers are unaware of even the region of occurrence. Members receiving the products may then take steps to put safeguards in place to make sure they are protected from an identical threat. However, often the receipt of a product may enable a member to diagnose that they too were victims. Therefore, the InfraGard website functions as both a tool for warning and for assessment. Products tend to be taken seriously and highly scrutinized by program member recipients. They are different from the security alerts and often vague advisories that may be delivered by other government agencies or private network security companies. InfraGard products are not “What if’s?”; they represent actual occurrences that carry more weight with the reader.

Law enforcement agencies are always wary of releasing information that concerns ongoing investigations. However, the FBI’s creation of the “sanitizing” process is a remarkable way for the agency to mitigate this concern. It allows for information to be released with the intention of reducing victimization without fear of compromising an investigation. This represents a notable departure from typical law enforcement methodology.
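To make the sanitizing process concrete, the following is an added example (not InfraGard’s or the FBI’s own code; the record format, field names, and the sample incident report are constructed for illustration) of the two steps the paper describes: stripping the fields that identify the victim, including the city, from a coordinator’s report, and verifying that none of those values survive in the free-text narrative before the result is issued as a “product.”

```python
"""Added example: a minimal report sanitizer modelled on the product-generation
process described in the paper. Constructed for illustration; the field names,
the "issued_by" label and the sample report are assumptions, not real data."""
import re

# Fields treated as identifying the victim. Assumed names; the paper says only
# that "all information that might be used to identify the victim company",
# down to the city of occurrence, is removed.
IDENTIFYING_FIELDS = ("victim_org", "city", "state", "contact", "reporting_chapter")


def sanitize_report(report: dict) -> dict:
    """Return a 'product': the report with identifying fields dropped and any
    occurrence of their values inside remaining free text replaced by [REDACTED]."""
    product = {k: v for k, v in report.items() if k not in IDENTIFYING_FIELDS}
    # Redact longer values first so "Cleveland IMA" is handled before "Cleveland".
    secrets = sorted(
        (str(report[k]) for k in IDENTIFYING_FIELDS if report.get(k)),
        key=len, reverse=True,
    )
    for key, value in product.items():
        if isinstance(value, str):
            for secret in secrets:
                # Whole-word match so a short value cannot clobber part of another word.
                pattern = r"\b" + re.escape(secret) + r"\b"
                value = re.sub(pattern, "[REDACTED]", value, flags=re.IGNORECASE)
            product[key] = value
    # Products go out from headquarters, never from the local chapter (constructed label).
    product["issued_by"] = "FBI Headquarters"
    return product


def leaks(product: dict, report: dict) -> list:
    """Verification step: identifying values from the report that still appear
    anywhere in the product. An empty list means the product is clean."""
    blob = " ".join(str(v) for v in product.values()).lower()
    return [str(report[k]) for k in IDENTIFYING_FIELDS
            if report.get(k) and str(report[k]).lower() in blob]


# Constructed sample report, not a real incident.
SAMPLE_REPORT = {
    "report_id": "EXAMPLE-0001",
    "victim_org": "Example Utility Co",
    "city": "Cleveland",
    "state": "Ohio",
    "contact": "jane.doe@example.com",
    "reporting_chapter": "Cleveland IMA",
    "sector": "energy",
    "attack_type": "network intrusion",
    "narrative": (
        "Example Utility Co in Cleveland observed repeated login failures against "
        "its remote-access gateway from a single address, followed by one successful "
        "login. Reported via the Cleveland IMA coordinator (jane.doe@example.com)."
    ),
    "recommended_mitigations": (
        "Rate-limit remote-access authentication, require multi-factor "
        "authentication, and review gateway logs for the same pattern."
    ),
}


if __name__ == "__main__":
    product = sanitize_report(SAMPLE_REPORT)
    for key, value in product.items():
        print(f"{key}: {value}")
    print("identifying values leaked:", leaks(product, SAMPLE_REPORT))
```

The `leaks` check is the part worth keeping in any real redaction pipeline: dropping the structured fields is easy, but the narrative is where a company name or city most often survives, and a product that fails this check should go back to the analyst rather than out to members.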

The process is also highly beneficial to corporate members. The lack of identifying data assures executives from victim companies that, until the case reaches prosecution, the incident will remain confidential. According to the FBI, nowadays most corporate executives do not mind the information regarding a cybercrime incident going public during a prosecution: the simple fact that an arrest was made and the perpetrator is being prosecuted demonstrates that the company corrected the security lapse, is being “vigilant”, and helps bring “closure” in the eyes of observers. According to one FBI Special Agent who was asked why the Bureau safeguards the identification of victim companies until prosecution:

“It’s not in our interest for that information to get out there before our investigation is completed. Most times it’s somebody inside the company [who] for whatever reason puts that information out. When the investigation is completed and we begin the prosecution, obviously there is going to be publicity, and there’s nothing we can do. At that point, you have to put the best spin on it you can. Any company that comes forward and assists law enforcement in stopping this problem, I think that will be seen as positive. [If you do not act], you will probably be hit again. The only way to stop this is to get these people off the streets.”[22]