Even as hacks like the tawdry Ashley Madison affair demonstrate how vulnerable cyber infrastructure can be to attack, the FBI is finding it difficult to convince companies to share details of security breaches. An audit report released last month by the Justice Department’s inspector general found that the private sector lacks confidence that the FBI will strike the appropriate balance between national security and customer privacy.
When hackers breached the networks of Sony Pictures Entertainment last November, the company quickly notified the FBI.
“Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack,” the FBI summarized in a December 2014 press release.
“Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.”
But many companies are wary of cooperating with the FBI on cyber security.
The FBI initiated its Next Generation Cyber Initiative in May 2012 as part of a shift toward predicting and preventing cyber attacks, rather than investigating them once they take place. Last year, the Next Gen Cyber Initiative had a budget of $400 million and more than 1,000 full-time staffers.
One of the pillars of the initiative is to enhance information sharing and collaboration with the private sector. The audit found that the FBI particularly lags on this front.
“[A]lthough the FBI is working to develop strategies to enhance outreach to private sector entities, it continues to face challenges partnering and sharing information with these entities,” auditors found.
Companies that already interface with the FBI on cyber security are frustrated with information flow, interviewers found. Bulletins from the FBI are often outdated, and sending alerts to the FBI is “akin to sending information into a black hole.”
These are the gripes from companies already within the fold of initiatives like the InfraGard network, which boasts 350 of the Fortune 500 companies as members. The FBI also struggles to attract new private sector partners, particularly in the wake of the Snowden leaks.
“[T]he private sector is reluctant to share information with the government based on concerns regarding balancing national security and individual privacy interests,” auditors found.
While such a balancing act is not new, several interviewees emphasized challenges in collaborating with the FBI in the “post-Snowden” environment.
“One private sector individual emphasized that Snowden has redefined how the private sector shares information with the United States government. We were told by private industry representatives and the FBI that, following the Snowden disclosures, private sector entities have become more reluctant to share information with the United States government because they are uncertain as to how the information they provide will be used and are concerned about balancing national security and individual privacy interests,” the inspector general report reads.
The FBI has butted heads with the private sector on a number of fronts. In a number of speeches and Congressional hearings, FBI Director James Comey has warned about the “Going Dark” problem and called on companies to ensure that law enforcement can access encrypted digital content. Many security experts and companies counter that such encryption backdoors weaken security for everyone. Such tensions bleed over into potential collaborations on cybersecurity.
As the Snowden disclosures continue to chart how companies like AT&T have facilitated bulk surveillance by the NSA and the FBI, these tensions will only heighten. And it’s only going to get more difficult for the FBI to land the private sector’s cooperation on cybersecurity.