In the spring of 2017, the Federal Bureau of Investigation was on the cusp
of a dramatic overhaul of the agency’s cyber capabilities. The FBI was
wrapping up an agency-wide survey, and one option on the table included
getting rid of the bureau’s central cyber division altogether and
dispersing digital experts throughout its 56 regional offices.
But just days before FBI officials were scheduled to brief the director on
the results of the survey, according to a bureau official working there
at the time, President Trump fired James Comey, the bureau’s head.
Comey, who says he was fired after refusing to pledge loyalty to the president, recalled that episode at a recent conference in
Washington. “I failed to push us to the decision point of how do we
want to deploy against this threat aggressively enough,” he said.
“Should we have a cyber division or blow it up?”
He never got the opportunity to make that decision, however. Chris Wray,
the current FBI director, “is wrestling with that now,” Comey said.
According to Tonya Ugoretz, the deputy assistant director of the bureau’s cyber
division, her office isn’t going anywhere. “There are no plans to not
have a cyber division,” she told Yahoo News during an interview. The
division “is the locus of all our intrusion investigations, whether
that’s nation state or criminal.”
Regardless of the structure, the bureau’s top officials recognize a paradigm shift.
In the United States, digital criminals using everything from weaponized
botnets to ransomware are attacking private industry and the government
on a daily basis, increasing the demand for experts with skills in
cybersecurity, intelligence and law enforcement. So, after nearly two
decades of focusing on terrorism and intelligence, the FBI is in the
midst of an even more intensive shift toward cyber.
While the bureau has a history of being run by agents with guns, more funding
and priority is now being funneled into behind-the-scenes digital
experts who can watch network traffic and unravel digital trails back to
hackers, and who can explain online activity to judges and secure
subpoenas for tech companies. The Department of Justice budget request to Congress for 2019 asks for $370 million to fund the FBI’s cyber investigations and related work.
Now “every field office has a cyber squad” modeled after lessons learned
fighting terrorism, said Ugoretz, speaking earlier this year at a
conference in Sea Island, Ga. Some field offices are being assigned as
leads for specific attacks or threat actors, she said. There is also a
rapid response team that can be deployed out of headquarters in
Washington at a moment’s notice.
Yet even as the FBI’s need for cyber experts is increasing, its ability to
retain agents and employees with the needed technical expertise is under
threat. According to interviews with over a dozen former FBI cyber
employees as well as other national security experts, a cyber “brain
drain” is taking place at the bureau that could hamper its ability to
stem the constant flow of digital threats.
The FBI’s loss comes at a critical time. With the 2020 presidential
elections approaching, and concerns about foreign interference as well
as theft of trade secrets and intellectual property, the need for cyber
experts is likely to increase. “Make no mistake, the threat just keeps
escalating,” Wray, the current FBI director, told a Senate panel this
week, “and we’re going to have to up our game to stay ahead of it.”
That means more than just focusing on Russian influence campaigns. On
Tuesday, Florida Gov. Ron DeSantis announced the FBI has briefed him on
2016 Russian hacks of two county election systems in the state.
“Certainly we expect our adversaries will not only continue to evolve
technologically, but they’re also always learning from each other,”
Ugoretz told Yahoo News. “Much of the conversation from 2016 and 2018
was about Russian efforts to influence the election. But we’re focused
on all threats, whether it’s influence or interference in election
infrastructure.”
Some of the FBI’s first forays into the digital world came in the 1990s,
when computer crimes started to come under the agency’s purview. In the
early days, a large percentage of those cases involved tracking child
pornography, like the “Operation Innocent Images” case in 1993 that revealed an
online network of child predators based off a search for a missing boy
in Brentwood, Md. By 2007, according to the FBI, the bureau opened more
than 20,000 similar cases.
In 1994, the bureau caught a glimpse of what has today become common:
international adversaries committing crimes online. After multiple large
banks noticed $400,000 was missing from their coffers, the FBI was ultimately led to
a ring of criminal hackers led by a man in St. Petersburg, Russia.
Bigger cases followed, like the FBI’s Moonlight Maze, a sophisticated,
ongoing digital campaign to steal military technologies that was
ultimately linked back to Moscow.
Tim Gallagher, managing director in the business intelligence and
investigations practice at Kroll, a division of global advisory firm
Duff & Phelps, first got into the cyber field at the FBI in the late
1990s, working on criminal intrusion cases in a small field office in
Ohio. There, he attended one of the first meetings of a task force
called InfraGard focused on working with the private sector to protect infrastructure in Cleveland.
From Ohio, Gallagher “saw a gradual shift of pretty much every violation we
worked on” to the point that each investigation had “a cyber piece.” It
was “not about going in and grabbing evidence out of filing cabinets
anymore,” he said.
After the terrorist attacks of Sept. 11, the FBI pivoted from a focus on
locking up criminals and busting gangs and drug rings to predicting and
stopping the next extremist plot at any cost, bulking up intelligence
resources and linking up with foreign intelligence agencies for
unprecedented information sharing. In 2002, the FBI’s cyber division at
FBI headquarters in Washington was created to pursue investigations of
“cyber-based terrorism, espionage, computer intrusions and major cyber
fraud.”
The FBI employs a variety of different employees to defend against the
cyberthreat at its headquarters, around the country and overseas. “By
default, everyone talks about agents and analysts,” said Ugoretz, who
arrived at the bureau in 2001.
But the division also employs computer scientists, data scientists and data
operation specialists, among others. At FBI field offices, each has a
cyber task force, and major cities now host a few dozen cyber experts,
while smaller ones may be home only to a handful.
According to multiple former FBI employees, former bureau director Robert
Mueller — now better known for his role as the special counsel
investigating Russian interference in the 2016 presidential election —
worked to professionalize the analyst workforce during his tenure,
around the same time the bureau began implementing career tracks, one of
which was cyber-focused.
Previously, an agent’s ticket to promotion was disrupting a possible terrorist plot,
by making an arrest, seizing assets or blocking someone from committing
an ideologically motivated crime. But at the end of Mueller’s tenure as
FBI director, agents started getting pulled off of counterterrorism
squads to work on cyber investigations, and the cyber division was reorganized to
focus exclusively on intrusions, i.e., hacks or unauthorized computer
access as opposed to crimes that had only a digital component. “Around
2013, the writing was on the wall that cyber was becoming a higher
priority than it had ever been before,” said Jim Harris, a former FBI
agent who worked on cyber cases and later co-founded a startup.
At the same time, the bureau was applying lessons from fighting terrorism
to the digital realm. “The FBI shifted its cyber intrusion emphasis from
reacting to cyber-attacks to predicting and preventing them,” according to a 2015 DOJ Inspector General report.
The emphasis on prediction and prevention resulted in other changes. For
example, child pornography, a digitally enabled crime that occupied a
large amount of cyber agents’ time, was shifted to the criminal
division, freeing up other agents to do more intelligence-related work.
This shift toward broader national security may have come from a
bureauwide effort “because that’s where the money is,” said one former
FBI agent who requested anonymity to speak candidly. The FBI “constantly
ceded ground to other agencies as a result of this.”
Ugoretz argues the “shift” toward cybercrime has been gradual, and that the
bureau’s primary targets have not changed. “I don’t know if I can speak
of a specific transition,” she told Yahoo News. “This has been a gradual
evolution. The bureau has always adapted to new technologies; I see
cyber in much the same way.”
By around 2010, cyber investigations were already bleeding into all of the
FBI’s major operational divisions, from counterintelligence to
counterterrorism, according to Harris.
In one case, the bureau arrested Hector
Xavier Monsegur, known online as Sabu, for hacking private U.S.
businesses and government agencies, then used him as an informant to
indict other hackers. The bureau spent years hunting
down terrorists disseminating propaganda and committing crimes online.
In more recent years, the bureau has been at the forefront of the
biggest cyber cases in modern history, including Russian interference in
the 2016 U.S. presidential election and Chinese state-directed hacking.
In a recent case from January of this year, a U.S. company and its 600 or
so employees suffered a ransomware attack that “completely crippled
their operations,” threatening to shut down the business entirely, said
Ugoretz. However, the cyber division had experience with the
perpetrator, and intelligence that enabled them to help unlock the
company’s files and restore operations in three days.
While the bureau’s major arrests in cyber cases often make headlines, the
numbers are too small to make a significant dent in cyber crime,
according to analysis from national security think tank Third Way, which determined that the FBI is arresting the perpetrators in less than 1 percent of malicious cyberattacks.
Part of the problem is that cyber crimes are committed by a variety of
people and organizations, ranging from nation states and criminals to
terrorists and organized criminal gangs, according to Jim Baker, the
former FBI general counsel now working on cybersecurity and workforce
issues at R Street, a think tank. Because of the overlapping
responsibilities involved in dealing with those different types of
threats, “the cyber division has a bit of an identity crisis,” said
Baker, who noted he is a supporter of the division despite its issues.
The problem that Baker refers to can be seen in both the lower and higher
levels of the FBI. Over the last two years, the press has tracked
several high-profile departures from the FBI’s senior cyber leadership.
In July of last summer, the Wall Street Journal revealed three top FBI cyber officials were leaving within the same month, and Politico detailed the
loss of about 20 “cybersecurity leaders” — a fraught time for the FBI
with a near constant barrage of criticism from the president.
At the top levels, the investigation into Hillary Clinton’s email server
and routine attacks from President Trump have taken a toll, according to
several former FBI officials. But the cyber brain drain is affected by
many factors, and as the FBI transitioned from a building run by agents
with guns to an agency full of technical experts, retention of those
with cyber skills has become a major problem.
Both senior officials and more junior FBI employees are eyeing the door or
have already left for a number of reasons, according to former FBI
employees who spoke with Yahoo News. One of the major issues they cited
has been the relationship between the field offices and headquarters,
and the lack of clarity on how cyber skills would be incorporated into
cases.
The question for Comey, who was weighing the plan to eliminate the cyber
division, was whether having a part of the bureau dedicated to a
specific criminal vector, like the internet, made sense. After all, the
bureau never created an automobile division, despite the revolutionary
shift in crime cars brought about. “Criminals were suddenly moving at
breathtaking speeds at distances we couldn’t imagine,” he said. “The
challenge for the FBI was, you couldn’t have an automobile division.
… Everybody had to learn to drive.”
Experts argue that Comey’s comments make sense, and that the bureau needs to
require a certain level of digital literacy and cyber know-how across
the board to confront the issue.
“Criminal reliance on technology is so great that cyber competence is an
essential, not specialized, part of law enforcement,” said Mieke Eoyang,
vice president of the national security program of think tank Third Way,
who is currently researching FBI and workforce issues. “Unfortunately,
we don’t see law enforcement developing a strategic, coherent approach
to integrating cyber into their skill set.”
Ugoretz challenged the notion that the bureau is pivoting toward “cyber” crime
the same way it reorganized to focus on terrorism. “The way cyber is
talked about, it’s as if it’s something wholly unique, not something
that’s connected to everything we do,” she said. “I think that’s not
correct.”
“I know there’s been some analogies made to the post 9/11 shift in
resources ... [but] it’s about making sure everyone, no matter what
they’re working, has the perspective of whatever targets they’re
working, whether it’s a criminal, nation state, hacktivist, how they’re
using cyber-means to meet their objectives,” she said.
The essential challenge is how to make the entire bureau digitally
competent. That includes providing basic digital training in how to
apply for subpoenas to get information about a post on an online forum
or on a social media website, remarked one former FBI cyber manager.
However, the true technical work involved in intrusions is so “in the
weeds” that many are not interested or not capable of developing those
skills, the former manager said.
Multiple former FBI employees told Yahoo that part of the problem is that the
bureau has been dominated by agents, while other employees with the
specialized technical skills — sometimes dubbed “tech ninja wizards” —
have little opportunity for advancement, according to one former FBI
employee.
Employees also found the bureaucracy and paperwork associated with the FBI can be
“crushing,” said one former FBI cyber employee. This is particularly
true for anyone used to working in Silicon Valley. “You may have this
grand vision of entering into a career of awesome cyber investigations
and come to the realization that half your time will be paperwork.”
That paperwork, argued Ugoretz, is there for a reason. “Our primary mission
that’s in really giant letters in the lobby is about preserving the
Constitution and protecting the American people, and we can’t forget
that part.”
Some employees with technical skills felt their talents were being
underutilized due to bureaucratic ranking systems. “The bureau sucks at
retaining people,” said one former FBI agent. “They actively drive
talent away because they do not let the people they hired for their
skills use the skills they were hired for in the first place.”
One of the biggest concerns for the bureau is competition from the private
sector. Over recent years, the other intelligence agencies, particularly
the NSA, suffered an exodus of talent amid disruptive reorganizations,
clashes between military leadership and a civilian workforce, and
lucrative salaries on the outside. The bureau is now facing a similar
fate, though several former FBI employees interviewed by Yahoo said the
bureaucratic roadblocks make it more difficult for the FBI to reward
talented young cyber employees based on their rank, whereas NSA is
better positioned to do that.
“It’s a highly competitive marketplace for talent,” said Gallagher, the
former FBI special agent who now works at Kroll. “There’s literally over
a million vacant cybersecurity jobs around the country.”
Even the FBI efforts to train employees, as opposed to recruiting cyber
experts, can backfire. According to four of the former FBI employees
interviewed by Yahoo, the FBI’s cyber training is extremely valuable —
so valuable that it often allows them to find lucrative jobs in the
private sector. It was after the training phase that people started
leaving.
“The FBI is kind of a victim of its own success,” said one retired FBI
agent. “Some people who landed in the cyber track felt like they were
trapped,” the official explained, unable to return to criminal cases and
play the field.
Former FBI cyber employees who spoke to Yahoo, as well as others whose
departures were publicly announced, left the bureau for jobs in banks,
consulting jobs, threat intelligence firms and even the NFL.
One of the reasons the FBI employees in New York leave is they can’t afford
to live there on a government salary, a problem that extends to other
tech hubs like San Francisco, Boston and Washington. High-ranking FBI
employees can make in the six figures, but multiple former FBI
employees, both agents and other employees, told Yahoo News their
salaries often doubled or rose substantially when making the jump to the
private sector. Seeking promotion within cyber roles at the bureau is
also difficult, according to one former FBI cyber supervisor. “If you
want to stay in cyber, promotion is unbelievably hard,” he said.
Even beyond the FBI’s own internal problems, it also faces challenges from
inside government. As is often the case within the vast federal
bureaucracy, cyber is subject to turf battles among agencies. The U.S.
Secret Service is moving into cyber investigations, and routinely brings
financial cases forward, and the Department of Homeland Security,
created in 2002 following the 9/11 attack, has expanded into defending
the nation’s networks and critical infrastructure from cyberattacks. In
November 2018, the Trump administration mandated the creation of the
Cybersecurity and Infrastructure Security Agency within the DHS.
Both the DHS and the FBI work with the private sector, and handle sensitive
information on breaches, but the FBI and the Department of Justice serve
as the lead for responding to a cyberattack, collecting evidence and
tracking down those responsible, while DHS is in charge of “asset”
response, offering technical assistance to prevent further damage.
Those lines aren’t always clear cut, however. “They’re constantly stepping on
each other’s toes,” said one former FBI cyber employee, though
cooperation has improved over time, others said.
While bureaucratic infighting and difficulties keeping talent are not
necessarily new issues to the federal government, they are likely to be
critical as the FBI prepares for the 2020 election. And behind the
scenes, the FBI’s leadership appears to now be recognizing problems with
retaining its cyber workforce, and within the last several months, the
bureau began conducting a survey on retention of cyber employees,
according to one source who received a copy of the questionnaire.
According to the FBI, the voluntary attrition rate for special agents in 2018 was
0.5 percent, while 2 to 3 percent chose to leave the cyber division.
“This isn’t just an FBI issue,” said Ugoretz of retention issues.
“There’s certainly great demand in the government, private sector,
academia, everywhere for people with cyber skill.”
Despite complaints and concerns, nearly every former FBI employee who
spoke to Yahoo News said they have thought about going back to
government, nearly all citing the bureau’s national security mission as a
primary factor.
But experts argue fixing the FBI’s problems, and retaining employees, will
require major changes directed from the top, as well as support from
Congress and the White House. Baker, the retired FBI general counsel,
said that’s what Mueller did following 9/11, and something of that
magnitude will be required now.
“The FBI is well aware of the seriousness of the cyberthreat and that it
must organize itself to deal effectively with that threat. Doing so will
require leadership and effective management,” said Baker.
“Some china is going to have to be broken,” he concluded.