What Law Firms Should Know About the FBI’s InfraGard Program

Episode Notes

Transcript

Digital Detectives: What Law Firms Should Know About the FBI’s InfraGard Program – 2/2/2016

Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 64th edition of Digital Detectives, we’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.

John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is What Law Firms Should Know About the FBI’s InfraGard Program. We’re delighted to welcome as today’s guest, Kara Sidener. Kara is a special agent with the FBI and is currently serving as the InfraGard Coordinator for the Washington Field Office, otherwise known as WFO. Her 17 years with the FBI have all been in the Washington, DC area, having had assignments at WFO, FBI Headquarters, and the FBI Academy. Kara has experience in a number of areas to include counterintelligence and cyber investigations, evidence response, instruction and training, and private sector outreach. Kara was a member of WFO’s Evidence Response Team and a first responder to the Pentagon on 9/11/01. Thanks for joining us today, Kara.

Kara Sidener: Thank you for having me.

Sharon D. Nelson: Kara, I’m guessing that most of our listeners are not familiar with InfraGard. Can you explain what the FBI’s InfraGard is?

Kara Sidener: Certainly. The InfraGard Program is actually one of our longest running most formalized outreach programs that we have to be in touch with folks that are in the private sector. It actually started in the mid 90’s in one of our smaller field offices in the mid west, and cyber was really evolving for us and changing from being traditional criminal investigations, what we more commonly see now that is handled by the Internet Crime Complaint Center. Our typical criminal cyber activities are Nigerian scams, emails that you might get that say if you pay just this much money, you’ll get this much more money back, and your relatives that are overseas need help. As things were changing from that dynamic to really the information contained on networks of our companies in the US, our clear defense contractors, that being the target. So it was transitioning from the computer being the tool to commit the crime to the computers and what they house on their networks being the targets. And we really wanted to get out to the private sector and ask the subject matter experts there and ITs to help us get our arms around cyber as it was really evolving. Headquarters got wind of this effort and said this is something we should be doing at a national level, engaging with the private sector, because you are the owners and operators of a lot of things that we either are working with other agencies to protect or that we end up investigating because something bad unfortunately has happened at an organisation or entity. So it rolled out to all of our field offices as the InfraGard Program, housed in the National Infrastructure Protection Center with a focus on looking at those cyber threats that we were facing. After 9/11, that mission expanded to look at physical threats and cyber threats. So pretty much all threats, all hazards, if you will. Because if it doesn’t fall in one of those two categories, those are pretty broad areas that are probably not as significant of an issue for us. And of course, DHS was stood up and they actually took that infrastructure protection center with them. We retained the InfraGard Program, thereby giving us a natural reason to keep that relationship with DHS and their office of infrastructure protection so that we could be in locked step with them. Investigative agencies, them looking more from the protective side of the house and looking at the threats to critical infrastructure. And it really did kind of broaden to address what those critical infrastructure sectors are as defined by presidential policy decision directives and we try to mirror those sectors. It has grown to be today an individual member organization of over 40,000 people nationwide. So it’s not a company or a position-based membership, if you will. Individuals who are enrolled in both the public and private sectors that are interested in protecting critical infrastructure can volunteer to join to be part of InfraGard. And the InfraGard Program has also evolved in the sense that the membership decided that they wanted to give themselves a little bit more flexibility to do things and made themselves a 501C3 organization. So they’re organized by chapters around the country that are affiliated with the FBI field office that is within their geographic territory. And each one of those chapters are their own non profits and they enjoy the special relationship with the FBI that no other real outreach member organization has just because of its origin. The FBI agrees to vet the members who want to join, the individuals who volunteer to join InfraGard, and we provide security risk assessments of individuals to determine their suitability to be part of the InfraGard program. And we do that for two reasons: One is to establish a baseline level of trust among all the members so they know that their peers sitting next to them in these forums have gone through the same screening so that they can feel comfortable when they’re sitting and talking about threats that they’ve seen or best practices that they want to share within their sector or their industry that the person sitting next to them has also gone through that same vetting process. And two, we afford members access to a secure portal where we post intelligence products. They’re unclassified, some of them are for official use only or law enforcement sensitive, but they’re not generally available to the public. So they have the ability to log in and see intelligence bulletins from the FBI and DHS or one thing that we call a flash report; FBI leads and alert systems that provides indicators for cyber threats that allows those members to then use that information to better protect their assets. So long way of coming around to say that InfraGard has grown over the last 20 years and really is at its heart, a two-way sharing information platform between critical infrastructure owners and operators in the FBI to better protect those assets.

John W. Simek: Well, Kara, I know in my prior career, I worked for Mobiloil and I was very familiar with what InfraGard is. But I’m sure our listeners though – could you tell them a little bit more details about who can join InfraGard or if you want to add anything more to it which is certainly, you said previously?

Kara Sidener: Certainly. So as I mentioned, we reflect the 16 critical infrastructure sectors, so that’s everything from – as you alluded to – energies, oil and gas, banking and financial services, networks, water systems, transportations, information technology, government and commercial facilities; it’s very broad. Usually one falls in one of those sectors regardless of what their position might be within a company. And if they have an interest in protecting from physical human or cyber threats, not only their company or organization but even their communities, then they can join InfraGard. Oftentimes, we have a wide range of folks ranging from – you might have physical security guards that are at a government facility. You might have a system administrator for an IT firm or maybe even a chief information security officer for a healthcare organization. So wide ranging from top to entry level positions find reason and value in joining InfraGard. And we try to look at each chapter’s demographics, they’re a little bit different. So if you’re in Texas, there might be more of a focus in energy and gas than you might find in Oregon, you might say. So whatever the chapter is might drive and who wants to join that program based on what kind of assets are in that chapter’s territory. Of course, here in the DC area we have a lot of government facilities, a lot of military installations – obviously the Pentagon being the big one – but government facilities, the White House, the Capitol Building. So that’s huge in defense. Those two sectors are very highly represented within our membership and that often drives who we try to or what kind of programming we try to deliver to them and what their needs are and serving what those needs are. And it is two ways. We’ll often then go out to our members, too, to help us be smarter about the things that they’re concerned about and the things that they’re seeing. Because like I said before, they’re the owners and operators of that infrastructure. And without knowing what their concerns and needs are, we have a hard time doing our job, we can’t do it in a vacuum. So the members come from all 16 sectors, all position levels, usually with an interest in serving more than what they can do in their capacity in either their professional or their personal life.

Sharon D. Nelson: As I told you, I signed up and applied today to be a part of InfraGard. So for those who may be wondering, it will probably take you 8 or 10 minutes or so to fill out the application form and it’s an interesting one, I’ll say that. You need to take a look to know what I’m talking about. It may bring back memories of your indiscretions of youth that you wish you had forgotten.

John W. Simek: Skeletons, Sharon?  

Sharon D. Nelson: Skeletons, skeletons in the closet, yes. You talked a little bit, Kara, about how the InfraGard Program was structured. Was there anything more you want to add to that?

Kara Sidener: It does mirror a little bit of how we look at FBI headquarters. Each of the chapters are affiliated with an FBI field office and then the InfraGard program on the private side has a national body advisory, InfraGard National Members Alliance. The chapters are called Members Alliances, and they kind of serve as the conduit to FBI’s headquarters. So it’s a partnership at the headquarters level and also throughout the field offices through the chapters. And what one chapter is doing in one field office may be different than in another, and headquarters tries to serve both on the FBI side and the InfraGard side to serve as the touchpoint to say there’s some best practices over here that maybe are not being done over there and we’ve seen some neat things coming out of this chapter and this field office which might be able to be replicated or scaled to other places too. So of course, they’re also concerned with what the national posture is of the program from both sides of the house and tries to coordinate those efforts accordingly.

John W. Simek: Kara, we are on The Legal Talk Network so could you maybe mention something about what would the benefits be to a law firm for being a member of InfraGard?

Kara Sidener: We do have – at least I can speak for my own chapter – quite a few members in various positions from a number of the law firms that are here in DC, and that might range from the folks that are working to secure the law firm network, IT folks, but it can also be the professional staff, attorneys, advisors, paralegals, et cetera, who also want to be members so they can better understand what some of their clients are facing. And of course, we’ve see in the news – this isn’t new but in the last year to 18 months, maybe even further back than that – of law firms being another target area if one of your clients is very good at locking down their information, whether it be from a human perspective or an IT perspective, the law firm that they engage for whatever kind of services may not be. And that will be the access point for the bad hackers to try to get to that company’s intellectual property, for example. So I think it would be beneficial for a multitude of positions within a law firm because it does help you to better understand some of the threats that some of your clients might be facing, but also understand that you too are targets vulnerable to some of those same things.

Sharon D. Nelson: Trust me, at this point the law firms know that they either have been breached or will be breached.

Kara Sidener: Absolutely, and that’s why we say it’s not a matter of if you’ve been breached, it’s when.

Sharon D. Nelson: And for some of them it’s been multiple breaches. But help them to understand what the FBI’s role in this InfraGard partnership would be and how it would impact them as lawyers, law firms, et cetera.

Kara Sidener: Well, there’s a couple of different ways that we can come in and better understanding things. One is to, again, help you be informed about what kind of threats your clients are facing. So whether it’s intellectual property, theft that we’ve seen from nation states or attempts to do that. Whether it’s the latest malware or cyber intrusion. It can be a range of things from that perspective. I also think it is helpful to help the FBI kind of debunk what happens if you do have a problem as a law firm. And there are many firms – not just law firms but cleric defense contractors and companies – that can mitigate and remediate themselves. They have no requirement to report an intrusion to the FBI, they can stop their own bleeding and fix whatever damage has occurred. But it’s helpful for us to still know those things because it gives us a broader picture of what the threatscape is. So we want firms, companies, organizations, to tell us, “We had this incident and this is what has happened.” Even when there’s no compulsion to do so, because it really helps keep us informed about what the bad guys are doing if they’re changing their tactics and procedures. And sometimes, having us come in and say if you call us because you’ve had an issue, this is how it can be handled. It can be handled professionally, we’re not going to roll up in our mobile command post with guys in raid jackets then you’re going to be on the frontpage of the news. Because we do this all the time. Unfortunately, victim notifications are something that happens fairly regularly, so it’s us going out and telling you that you have a problem oftentimes before you even know that you have a problem.

Sharon D. Nelson: And how do you know it? How do you know it?

Kara Sidener: Investigative techniques! All those things that you know are predicated-

Sharon D. Nelson: I knew I was not going to get a-

Kara Sidener: All the things that we’re legally allowed to do that inform us about those with our investigation.

Sharon D. Nelson: Because of what we do for a living we have some notion of how the FBI might know. We speculate.

Kara Sidener: And speculate when you don’t, right?

Sharon D. Nelson: That’s right, exactly. So, Kara, what are some of the activities and programs of an InfraGard chapter that law firms might be interested in?

Kara Sidener: Well, the chapters do a lot of proactive programming for their members. So again, driving what their programming should be for the member interest and concerns and trying to help them if they want to learn more about certain threats, certain trends, certain cyber signatures, technical information, and if our folks are in a position to deliver that kind of content, then we want to give that to them. Sometimes it’s also facilitating member to member interaction that somebody who’s in the water sector didn’t realize that someone in the food and agriculture sector is facing some of the same things and they haven’t talked before. And we’re kind of matching them up so they can both be better informed and do some cross sector collaboration and sharing. So that’s one activity; the forward leaning programming that we try to deliver to the members. We also try to facilitate a strong partnership between the chapter’s board of directors. Every chapter has one that are usually elected from within their membership and the local FBI field office so that there is that exchange of information. A lot of times, there’s a perception that the FBI can go out and collect information and then we say thank you very much and you never hear from you again. InfraGard tries to really change that perception because we are giving back to the membership. One of the tools that’s available to members to kind of exemplify that is a tool called malware investigator. So this is a system that is available to members through the InfraGard portal where if they have malware that they have discovered on their network, they can submit it to malware investigator and they will get a technical report back that will give them indicators and signatures that they can then use to help plug the holes or remedy what they had seen on their network. They won’t get attribution from that report, but most folks – at least that I have talked to in my membership – don’t care about the attribution. They just want to be able to better protect themselves against that threat. So that’s a couple of examples of some of the activities and tools that the chapter likes to provide to their members.

John W. Simek: So, Kara, can you tell us some examples of the types of information that a member might provide to the InfraGard project?

Kara Sidener: Absolutely. They might provide information both from their professional and their personal life too. By having a person in an FBI field office serving as the face of this program really does give the field office a human component that a switchboard can’t ever emulate. So sometimes, folks are really hesitant to call the FBI if it doesn’t fit specifically within a box. It’s not something that their facility security officer needs to know, maybe not their human resources or their general counsel, but it’s something that they feel like law enforcement at some level should know and it’s scary sometimes to just call a switchboard and say, “Hi, I’m Bob Smith and this is what I want to tell the FBI,” and expect that you’re going to have credibility with them. To call your InfraGard coordinator or to even call your FBI field office and say you’re an InfraGard member, that does give you an instant credibility because we know who our InfraGard members are and they can say, “Look, we’re not sure that this is something that you’re interested in but we wanted to provide it to you,” and we will find someone on our side of the house who wants that information; if there’s anything to be done with it, then they’ll take care of it. So we’re kind of the Match.com for infrastructure protection in that regard. But specific types of things like I had mentioned with malware investigator, we have automated tools to submit cyber threat information. So you can put in malware. You can use another tool called iGuardian to put in cyber signatures, IP addresses, things like that that will go to our cyberwatch center and get triaged and routed appropriately to the appropriate field office and appropriate squad. We might have people in physical security who call to say, “We’ve seen some different kinds of activity around our facility and we wanted to bring it to your attention,” whether it’s people or maybe a placement of things that are different to them, so it ranges. We’ve also had people just at home in their community. So away from their job where maybe they have an absolute role to be reporting stuff to us or feel like sharing things with us where again, it doesn’t really fit into anything else, it’s not something that local law enforcement’s going to look at but they want to tell somebody. And because of their membership in InfraGard, they’ll say, “I’ll call my InfraGard coordinator and see if they want to know about it.”

John W. Simek: So the guy that called my house that claimed he was from Microsoft with a funky caller ID and said my computer was infected. That’s the kind of examples?

Kara Sidener: We do get a lot of that and it’s good to call if you don’t know where else to send something like that, we’ll try to route you appropriately. If it’s not something for us, that for example I would say would either go to FTC or the Internet Crime Complaint Center, but we want you to report it because – again – it helps those entities to aggregate data that might enable us to get involved at some point. We do get members who ask about Ransomware which I’m sure a lot of your folks are familiar with. And unfortunately, the statute and financial threshold that we’re bound by usually doesn’t allow us to open up an investigation for an individual who has lost $1,000, $5,000, even $10,000 and while we feel badly for those folks, oftentimes we’d say send it in to the Internet Crime Complaint Center with all of your victim information. And across the country, if everybody did that, they are aggregating that data and they are looking at the trends and they are able to see this is all originating from the same bad guy in country X. And once it reaches the threshold that allows us to get involved, then we can open an investigation. So it’s still very valuable to us, even if it’s not something as an individual that we can do anything with to have you go to the appropriate entities and because it might turn into something that we can then do something about. And that’s how the Ransomware actually grew enough so that we can get involved.

Sharon D. Nelson: So we had talked about a couple of more topics that we could cover. But since we only have time for a couple of minutes here, tell us, Kara, what you think is most important to law firms that you haven’t told us thus far that you would like to communicate specifically to them.

Kara Sidener: So I think probably from the InfraGard perspective is if you, as a law firm entity regardless of what kind of position you’re in, feel as though you have a need to have better information about how you can either better protect yourself either from cyber or physical threat or the clients you’re working with, we want to be a resource that you can call for those concerns. I have brought my executive management in to speak to, and sometimes it’s an issue of condensing folks at the C suite why it’s important to worry about things. We are happy to help deliver that message. Sometimes the three little letters we bring with us when we come and brief. It carries some weight and if that helps, we’re happy to deliver that. But I think knowing that we are a free resource to provide threat information and awareness about terrorism threats, cyber threats, even criminal enterprise type things that we’re available to do that. We’re not just who to call when bad things happen. And the InfraGard Program is one of those resources that can be used for a multitude of things in that regard.

Sharon D. Nelson: Well that was really my favorite answered, bringing pressure on the C suite, because that’s where you get most of the obstruction when you want to spread the gospel of cyber security. The C suite is the hardest to penetrate.

John W. Simek: Sometimes they call us in to do that because then outsiders certainly carries more weight than even their C suite folks.

Kara Sidener: Exactly.

Sharon D. Nelson: So we don’t have the same power as your three letters but just having some.

Kara Sidener: Well, like I said, if we can use them to help, then we’re happy to share that message.

Sharon D. Nelson: I think that’s great. And Kara, thank you so much for joining us today. There’s a lot of good information here. I would urge lawyers who are interested in this to sign up for InfraGard. There’s no cost to sign up so I think it’s really potentially very helpful and you’ll learn a lot more about cyber security by attending some of the meetings and getting some of the proactive education that you all help to provide. So thanks again for being with us today as our guest.

Kara Sidener: Thanks for having me.

John W. Simek: Well, that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcasts at LegalTalkNetwork.com, or in iTunes. if you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you could find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.
Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.