FBI to private sector: work with us

The FBI has a message for the private sector when it comes to cybersecurity: Please don't make us your last call.

Howard Marshall, deputy assistant director of the FBI's Cyber Division told FCW at the RSA conference in San Francisco that the bureau is focused on "perpetual and constant engagement" with the private sector in hopes of not just recruiting more cyber talent, but fostering more information sharing and outreach in the event of a breach.

"There's really no alternative for that," he said. "In spite of [some] very public disagreements, I still believe that there's a lot of collaboration internally behind the scenes when the cameras are off, and the grandstanding is over.”

Marshall said that he understands that when a company is breached, it might have reservations about calling the FBI for help.

"Privacy [is] always a big concern," as is share price, he said. "A lot of public companies look at these breaches and they think about what will it do to their bottom line. There are a number of different factors that concern them.

"In some senses if they are able to talk through those things with us, there are some things we can do to help mitigate those concerns, and some things we can't," he said, adding that the FBI is never looking to publicize when companies that cooperate with them.

Ultimately, Marshall said it's about listening to the concerns of the private sector and trying to work collaboratively to foster better coordination. At the same time, he said he understands that privacy and liability concerns often drive private companies to seek out threat and breach remediation from private firms.

"It's always a concern that people carve out law enforcement altogether," he said. "The private sector remediators do a great job, and they provide a service and that's certainly an avenue that everybody can take," but he said that route will not likely result in a prosecution or justice for victims of a cybercrime, and it might leave the criminal actor free to continue attacks.

Others in the private sector who advocate sharing with government argue that private security firms do not have as much reach and awareness as do the FBI and Department of Homeland Security and that sometimes the government already has the solution to the problem and can share that information if it's contacted.

Marshall said the answer, though, isn't legislation. "We don't want to pursue that as an avenue for compliance,” he said, opting rather for “collaboration that allows us to … move forward.

"I'd like to think we've approached this almost with kid gloves, afraid of picking a fight," he added. "I think it's been effective. I think people have listened to the message. I think we can keep preaching."

Another of the messages the FBI is preaching is that there are now clearer structures in place to respond to cyber incidents. Last year, the Obama administration issued Presidential Policy Directive 41 that outlines roles and responsibilities for federal agencies in response to a significant cyber incident.

PPD-41 was followed by the National Cyber Incident Response Plan, which further outlines responsibilities for state and local governments as well as the private sector.

"We sure want people to know that PPD-41 gives us primacy in an investigative lane, and we work very closely with DHS on both sides, before the incident and after the incident," he said.

Marshall said PPD-41 is fairly well understood inside the Beltway, but not as much in the rest of the country. He said the FBI has to do a better job of explaining roles and responsibilities in places that do not see much cyber activity and aren't as well prepared.

Despite PPD-41, there are still questions about the relationships between the various federal agencies that own pieces of the cyber puzzle. The Obama administration worked to clarify which agencies have what authorities. Now agencies are anxiously awaiting an executive order from the Trump administration that could make changes to authorities for cyber.

Regardless of the exact structure and responsibilities, Marshall said, as long as there is clear intelligence sharing across federal agencies, "I think the system will eventually work."

"I don't necessarily think it's an issue of, well is it a DHS, is it an FBI, is it a DOD component?" he added. "Certainly there are issues with all of those options. But I think that's less important than making sure that everybody has visibility."