Howard S. Marshall, Deputy Assistant Director of the Cyber Division of the FBI, spoke Tuesday before the House Small Business Committee on the subject of ‘Small Business Information Sharing: Combating Foreign Cyber Threats.’ The purpose was to outline the FBI’s role in helping small businesses defend against cyber threats.
His statement came in two parts: first, to outline the major cyber threats to U.S. business, and then to outline the FBI’s response to these threats.
“Some of the more prevalent or rising cyber threats to small businesses,” he said, include business e-mail compromise (BEC); ransomware; criminal data breach activity; and the internet of things (IoT). He did not provide any statistics on these cybercrimes, but instead concentrated on a high-level description of the threats with a brief explanation of FBI advice on countering them.
The FBI’s advice for BEC is that companies should require a second, independent verification on payment requests; that e-mail accounts should have regularly changed strong passwords and two-factor authentication; and that companies should use their own domain-based email rather than free web-based email. Wherever possible, the last recommendation should be supported by a filter system that flags emails with look-alike domain names.
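The look-alike-domain filter recommended above, as an added example that is not part of the FBI statement or this article; the trusted domains, the confusable-character table and the sample senders are constructed for illustration:

```python
import unicodedata
TRUSTED_DOMAINS = {"example-corp.com", "examplecorp.com"}  # Assumption: the company's own domains (constructed).

# Digits and Cyrillic letters commonly swapped in for look-alike Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
})

def normalize(domain: str) -> str:
    """Fold a domain so that look-alike spellings collide with the genuine one."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = d.translate(CONFUSABLES)
    # Letter pairs that render almost like a single letter in many fonts.
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        # Identical after folding, one edit away, or our domain used as a leading label of a foreign one.
        if norm == t or edit_distance(norm, t) <= 1 or norm.startswith(t + "."):
            return "lookalike"
    return "external"

# Constructed sample senders, as a mail filter would see them.
SAMPLE_SENDERS = ["cfo@example-corp.com", "cfo@examp1e-corp.com",
                  "cfo@exarnple-corp.com", "cfo@example-corp.co",
                  "cfo@ex\u0430mple-corp.com", "cfo@example-corp.com.evil-host.net",
                  "vendor@supplier-example.net"]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:  # quarantine or banner anything flagged 'lookalike'
        print(f"{classify_sender(sender):9s} {sender}")
```

Only the company's own domains are matched against, so ordinary external correspondents pass as 'external' while near-misses of the company's domains are surfaced for the second, independent verification step.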
The primary advice against ransomware, which the FBI expects “to remain a significant threat to businesses in the U.S. and worldwide”, is that businesses should schedule regular backups to drives not connected to their network. “These drives can be used to restore a system to the backup version without paying the ransom to the perpetrator.”
There is no specific advice on whether businesses should or should not pay the ransom, although it is known that the FBI — and LEAs generally — would prefer that ransoms are not paid. Marshall did say, however, “It is important to note that even if a ransom is paid, there is no guarantee the business or individual will obtain their files from the cyber criminal.”
In two recent ransomware incidents, two separate healthcare organizations were infected with different variants of the SamSam ransomware. One, Hancock Health, decided to pay the ransom. It was infected on January 11 and was back online by January 15. The second, Allscripts, chose not to pay the ransom. It was infected on January 18. On January 26, Allscripts emailed SecurityWeek, “We are pleased to announce that service to all affected clients has been restored.” In the final analysis, whether to pay or not is a risk-based decision for each individual victim.
‘Criminal data breach activity’ is such a vast subject that the statement makes little attempt to discuss it in detail. This is probably a mistake since it could leave politicians with the idea that small businesses are at less risk of hacker attacks than large organizations — which is not correct. All that Marshall says here is, “We encourage businesses to apply a variety of best practices to secure their network architecture.”
The growing IoT threat is discussed as a problem with no current solution. “Increased connectivity through IoT devices will only increase the potential attack surface for networks, as cyber security is largely under-prioritized from device design through implementation.” Marshall highlighted the IoT-based DDoS attacks of late 2016. He said, “Individuals and businesses can prevent their devices from being compromised by changing default user name and passwords, ensuring device firmware is up to date, implementing strong firewall rules, and by turning off or rebooting devices when not in use.”
The long-term solution to the IoT threat will come from better designed and built devices, and he noted that NIST is currently developing standards to improve IoT devices.
The description of current threats provides the background for the second half of the statement: ‘FBI Cyber private sector engagement’, which is described as a key component of the FBI’s strategy for combating cyber threats. This engagement has required a change to the FBI’s traditional methods of intelligence gathering. Traditionally, intelligence has been gathered from its own operations, from intelligence services, and from other LEAs.
“However,” said Marshall, “we are now also looking to integrate private industry information into our intelligence cycle to enhance our ability to identify and respond to both emerging and ongoing threats.” The FBI is particularly looking to private industry to share both its understanding of sector-specific networks, and its threat intelligence in order to integrate that understanding into its own intelligence cycle. “This type of information sharing enables us to provide more specific, actionable, and timely information to our industry partners so they can protect their systems in a proactive manner.”
The FBI accepts that such information sharing must be two-way. Marshall described some of the FBI’s outreach projects: nearly 70 public service announcements (PSAs) over the past five years, and other notifications including FBI Liaison Alert System (FLASH) reports, and private industry notifications (PINs).
Other projects include its involvement with the National Cyber-Forensics and Training Alliance (NCFTA); its public awareness campaigns or ‘open houses’ to educate businesses on serious cyber threats; its workshops on specific threats (such as BEC); and its countrywide briefings, conferences, and workshops for key executives throughout industry. There have been nearly 2800 of the latter over the past five years.
This is achievable through the FBI’s countrywide decentralized organization, with field offices in every state. “Cyber-trained special agents are in each field office, providing locally available expertise to deploy to victim sites immediately upon notice of an incident,” he said.
One aspect of the FBI statement stands out. Marshall goes to some length to stress that the FBI will treat cyber victims as victims. “No matter what course of action is deemed appropriate, the FBI views a company that has been attacked as a victim and will protect investigative information appropriately.” This goes to the heart of the FBI’s problem in engaging with small businesses. While companies will automatically consider the FBI the first port of call in an emergency, other forms of engagement have traditionally been avoided or viewed with concern.
Voluntarily offering operational details to the FBI is not yet in the psyche of small business — and yet this must be achieved for the FBI to fulfil its purpose. That ultimate purpose, says the statement, is to “provide information that can be used to initiate indictments, effect arrests, generate demarches, or produce international sanctions against those who conduct cyber attacks or aggressive actions against entities in the United States.”