One of the most pressing cybersecurity issues facing government is the ability to recruit and hire talented professionals, who either have a knack for cyber or come highly skilled with a security background.
The FBI, for example, has 56 major field offices, 200 satellite offices and locations around the world. There is a strong need in all of those offices for people who have cyber backgrounds, skills, knowledge and abilities, said Pete Mitchener, Assistant Section Chief, Cyber Intelligence Section, FBI Cyber Division.
Individuals with a computer science background make strong candidates, but they aren’t the only potential hires on the FBI’s radar, Mitchener said during a GovLoop training event Tuesday on the Evolving Tactics to Combat the Cyber Threat.
People adept at analysis work, who can identify the broader ramifications of a cybersecurity attack against a financial institution or a company like Sony and what it may mean for other firms in an industry or the larger economy, are valuable assets to the FBI and in particular Mitchener’s section.
His section focuses on cyber intelligence and looks at not only the “what” aspect of cyber but also the “so what.” His team also works on cyber investigations in regional areas, such as East Asia and the Middle East, so having knowledge of those areas and the language are valued attributes. Individuals who understand the mindset and workings of cyber criminals also make attractive candidates.
“We’re trying to convince the best and the brightest who may be hackers in a different community of interest that they don’t have to wear a Jos. A. Bank suit to come work for us,” Merritt Baer, Chief of Staff, Cyber Strategy, Department of Homeland Security, said during the event.
Defending Against Evolving Cyber Threats
“A lot of the times when people talk about the cyber threat there is not always a realization that the cyber threat has manifested in a lot different ways,” Mitchener said. “It’s not just one category of actor.”
“You could have the 14-year-old who [says], ‘hey AOL is still around, I’ll see what’s there,” Mitchener said, responding to a question about how government can defend against a range of cyber attacks, including an alleged hack that is reported to have breached the personal AOL email account of CIA director John Brennan and the Comcast account for DHS Secretary Jeh Johnson.
The threat varies and includes the curious and mischievous; cyber criminals seeking financial gains; hacktivists motivated to break into computer systems and promote an ideological agenda; as well as nation state actors using highly-skilled experts to gather intelligence and make economic gains.
“I can’t tell you how many cases I’ve seen where it’s social engineering,” Mitchener said of the method commonly used by hackers to trick people into divulging sensitive information. “It’s [these] other things that allow the hackers to get in to do what they do, which no firewall in the world is going to detect.”
That’s why the FBI is developing all employees to ensure they are aware of cyber threats and steps they can take to help raise the agency’s defenses. “We all have limitation on what we can do,” Mitchener said, whether it’s experienced cybersecurity professionals or resources. “One of the most effective things we can do to have better cybersecurity structure is to work and develop partnerships.”
For example, the FBI and DHS have multiple partnerships to help the government and private sector share cybersecurity best practices. One of those partnerships involves training companies on how to do intelligence analysis.
What’s Next for Cyber?
“I’m convinced that this mostly open source, mostly unclassified world of negotiations between companies and between government and companies is where the puck is moving in cybersecurity,” Baer said.
She doesn’t see companies as nefarious actors trying to avoid responsibility when it comes to cybersecurity but rather organizations that prioritize the bottom line and need to understand the return on investment and economic implications of better cybersecurity.
Part of DHS’s role has been making tools available for companies to roll out the right cybersecurity solutions for their needs. Upon request, the department goes onsite to companies and provides red team testing to measure the security of unclassified business networks and identify gaps.
“Part of the delicacy of this is that we have to have a trust-based relationship,” Baer said. “We have to preserve some limits on liability, and this is also what feeds into our information sharing legislation currently. We are really looking to ensure that we have time to scrub any sensitive or otherwise delicate data.