On October 22, 2015, the FBI and U.S. Secret Service hosted a meeting of representatives from both agencies, along with representatives from the financial services sector. The meeting was in connection with law enforcement’s stated desire for a “partnership” with the private sector on common concerns about cybersecurity. The FBI has stated that “after more than a decade of combating cybercrime through a nationwide network of interagency task forces, the FBI has evolved its Cyber Task Forces (CTFs) in all 56 field offices to focus exclusively on cybersecurity threats.”[i] Both agencies also discussed coordination among and within their agencies, so that law enforcement’s cyber efforts are not patchwork.
Law enforcement benefits from private sector reporting, particularly as it affects crime solving and trends. But law enforcement also offers businesses resources for detection and prevention.
- Average annualized cost of cybercrime from a benchmark sample of U.S. organizations was $15 million, representing a nearly 20 percent increase year over year.[ii]
- The average time it takes to resolve a cyber-attack (46 days) has increased by nearly 30 percent during the most recent six-year period.[iii]
- The average cost incurred to resolve a single attack totals more than $1.9 million.[iv]
- Small organizations incur a “significantly” higher per capita cost for cybercrime than larger organizations.[v]
- The most costly cybercrimes are caused by denial of service, malicious insiders and malicious code. Those crimes accounted for more than 50 percent of all cybercrime costs per organization on an annual basis. [vi]
Some of the takeaways from the meeting:
- Businesses should report cyber breaches immediately to the FBI or Secret Service, or as soon as practical. More information about doing so is located at http://www.ic3.gov/default.aspx and http://www.secretservice.gov/investigation/#cyber. Both agencies emphasized that businesses can contact either agency, since both share information about cyberattacks and investigations.
- The FBI and Secret Service both regard businesses compromised by cyber-attacks as “victims,” not as prospective referrals to regulators. They make no promises, however, that law enforcement won’t refer a matter to a regulator in an appropriate circumstance. Recent legislation, passed in the U.S. Senate, may provide some protections to business for cyber information sharing with law enforcement. That legislation “would extend protections to organizations [that] decide to share information with the Department of Homeland Security and the FBI, pooling it in a database designed to aid U.S. authorities in their ongoing war with cybercriminals.”[vii] But whether these “protections” include regulatory referral is unclear.[viii] And the legislation as of this writing has not been enacted into law.
- The FBI and Secret Service will not provide post-incident remediation to a cyber-attacked business. But the agencies provide pre-attack generalized assistance, including outreach to public and private sector partners, by providing strategic reports and sector-specific threat briefings. And the FBI provides the public with a post-attack online reporting mechanism for suspected Internet-facilitated crime, including intellectual property theft and online fraud.
The FBI’s resources:
- The FBI’s website provides information about InfraGard, a non-profit organization and public-private partnership between the FBI and business members. The program “brings together representatives from the private and public sectors to help protect our nation’s critical infrastructure and key resources from attacks….”[ix]
- InfraGard members get access to an FBI secure communications network featuring an encrypted website, web mail, listservs, and message boards. The website plays an integral part in information-sharing efforts, and can disseminate threat alerts and advisories. It also provides information about intelligence products from the FBI and other agencies, and last year posted more than 1,000 of them, along with giving InfraGard members the ability to offer feedback.
- You can get more information from InfraGard’s public website (https://www.infragard.org/) or contact your local FBI field office. Membership in InfraGard includes:
  - A secure information portal, iGuardian, which allows industry-based partners to share cyber intrusion incidents in real time and receive training and cyber threat reports. All iGuardian incident submissions are processed through the FBI’s CyWatch website (email@example.com) for immediate action.
  - Malware Investigator, a secure online venue that collects file identifiers, virus scanning, and malware mitigation.
- The FBI provides prevention and mitigation techniques for computer intrusion. That information is located at http://pdxccc.org/wp-content/uploads/Prevention_v4.pdf.
These resources will be particularly valuable for businesses whose management has not been appropriately focused on cybersecurity. The data on cybercrime and the headlines about breaches speak for themselves. Businesses should assume they will be targeted; the question is not “if,” but “when.”
Bohdan S. Ozaruk
Attorney, Jones Morrison, LLP
[ii] Marketwatch, Annual Study Reveals Average Cost of Cyber Crime per Organization Escalates to $15 Million (Oct. 16, 2015), available at http://www.marketwatch.com/story/annual-study-reveals-average-cost-of-cyber-crime-per-organization-escalates-to-15-million-2015-10-06
[vii] Legaltech News, What CISA Means for Organizations and Their Data (Nov. 3, 2015), available at http://www.legaltechnews.com/id=1202741474408/What-CISA-Means-for-Organizations-and-Their-Data#ixzz3qjKmSQuM
[viii] A recent law blog stated that “[a]s a general proposition, companies sharing information about ‘cyber threats’ through the reporting mechanisms outlined in CISA would be awarded liability protection from lawsuits relating to data sharing.” Data Security Law Blog of Patterson Belknap Webb & Tyler LLP, Truth or Consequences: Does the Senate’s Information Sharing Bill Really Help Business? (Oct. 30, 2015) (emphasis added), available at http://datasecuritylaw.com/blog/truth-or-consequences-does-the-senates-information-sharing-bill-really-help-business/