What can we all do to foster a strong and highly collaborative partnership between higher education and the FBI?
In October 2019, the FBI invited the higher education community to its headquarters in Washington DC for the second annual FBI Academia Summit. FBI Director Christopher Wray welcomed attendees, reinforcing that academia is one of the greatest assets of the United States and, therefore, the FBI. He reflected on the necessity of trust and cooperation between the FBI and higher education for each to fulfill its mission. Director Wray assured academic partners that the FBI is working to improve and better coordinate the sharing of information. He also articulated that his goal is for the FBI to continue its engagement with colleges and universities so that they come to see the FBI as a critical partner in their success.
EDUCAUSE believes that collaboration is our best hope for standing strong against cybersecurity attacks. The EDUCAUSE Cybersecurity Program emphasizes coordination both across and among higher education institutions and also between those institutions and other sectors when possible and appropriate. To further this effort, EDUCAUSE President John O'Brien and Cybersecurity Program Director Brian Kelly recently posed some questions about what has changed over the years and what we all can do to foster a strong partnership between higher education and the FBI.
Supervisory Special Agent (SSA) Lazaro E. Andino is an eighteen-year veteran of the FBI, having served in numerous leadership capacities that include domestic and foreign assignments. In January 2015, he was assigned to the FBI Cyber Division Outreach Section, where he was responsible for managing the national relationship with the defense industrial base (DIB) and academia. SSA Andino was also embedded in the FBI Counterintelligence Division and assisted in coordinating cross-divisional investigative matters. He currently manages national security cyber-threats emanating from Asia. Supervisory Special Agent (SSA) Jay Patel is currently assigned to the Major Cyber Crimes Unit at FBI Headquarters. He has more than fifteen years of cybersecurity experience and has investigated some of the most complex national security and criminal cyber-intrusion investigations involving the US government, nuclear power companies, and defense contractors. SSA Patel also has experience leading high-profile international counterterrorism investigations involving homegrown violent extremists.
FBI agents have facilitated and participated in several classified and unclassified briefings for EDUCAUSE members, most recently in an unclassified briefing at the 2019 EDUCAUSE Annual Conference. Has the threat profile changed dramatically since then?
The threat profile has remained consistent and unabated. The primary change in the threat profile is that adversaries are continuously changing or evolving their tactics, techniques, and procedures (TTPs) in order to obfuscate their nefarious cyber-activities, particularly what we call advanced persistent threats (APTs). As noted in numerous publicized indictments subsequent to FBI investigations targeting malicious cyber-actors, we have seen an increase in the use of legitimate computing or internet services—for example, leased infrastructure—for illegitimate purposes while attempting to obfuscate their computer network exploitation activities. Additionally, we still observe many actors leveraging unpatched vulnerabilities to gain access.
How are cyber-criminal and national cybersecurity threats affecting colleges and universities?
The cyber-criminal threats influencing academia are coming from adversaries that are financially motivated. Many of these adversaries exploit systems by discovering a vulnerability that does not require human interaction—what is known as a "wormable" exploit. In other cases, the adversary conducts open-source research of employees who have access to internal systems and exploits them by socially engineering people to click on a link or an attachment. Successful exploitation can provide adversaries with unauthorized access to personally identifiable information (PII), valuable research data, and access to other protected information. Criminal adversaries often attempt to sell the information for monetary gain in dark web forums. We are seeing a trend of increased ransomware infections, since these enable adversaries to monetize unauthorized access to the network by encrypting files and demanding money to decrypt files. The FBI works with victim organizations to obtain evidence and provide intelligence to assist in understanding the threat and remediating incidents. The FBI Cyber Division prioritizes detecting criminal activity, identifying the adversary behind the keyboard, and disrupting that adversary by bringing the subject to justice.
Networked systems often have poor cyber-hygiene; some systems are outsourced to a third party that has not implemented strong controls. This, in turn, makes it easier for cyber-criminals to successfully exploit these systems. Viruses, ransomware, data exploitation, and the like are not actually the problem: they are the symptoms of the problem, which is poor cyber-hygiene.
At a minimum, a thoughtful implementation of the NIST or ISO framework to strengthen internal controls would significantly reduce the risk and exposure of these systems. The National Institute of Standards and Technology (NIST) framework and the International Organization for Standardization (ISO) framework are scalable to an organization with five employees or 500. They are continuous-improvement frameworks—not "set it and forget it."
The cybersecurity threat to colleges and universities from a national security perspective is multifaceted. From a cyber-intrusion perspective, higher education is challenged in ways similar to how the private sector is challenged: both sectors maintain valuable data on their networks (e.g., research data and/or intellectual property data). If this data is of value to the institution or company, it will also be of value to cyber-adversaries who may try to steal it to monetize the data or advance their national interests. For example, numerous colleges and universities have been victimized by APT actors utilizing cyber-means as the vector into institutional networks where valuable data resides and is maintained. The data is later exfiltrated. However, the cyber-vector is not the only way adversaries attempt to steal information from colleges and universities. The open and collaborative spirit that feeds innovative thinking throughout academia in the Western world also places higher education at an additional risk for exploitation by foreign entities that do not follow the same rules or share the same values. This environment exposes academia to an increased human or insider threat risk when bad actors are directed either wittingly or unwittingly, by nation-states in particular. These nontraditional collectors take advantage of common methods of cooperation (e.g., joint ventures, foreign investment, research partnerships, and academic collaborations) to illicitly acquire pre-publication data and methods, as well as intellectual property.
The FBI understands this is a complicated issue within the higher education community given the large number of students, professors, and scientists, some of whom may be acting for the benefit of foreign governments. For this reason, we believe that continuous dialogue and coordination between higher education and law enforcement is the best way to address issues as they arise. To be abundantly clear, we are not asking students and professors to spy on foreign nationals on campus. What we are asking is for those in higher education to call law enforcement when suspicious circumstances arise with anyone on campus. Working together, we can determine potential national security risks such as economic espionage or intellectual property theft.
With continuous two-way communication between the higher education community and law enforcement, we can ensure that academia's investment in intellectual property and other sensitive data is kept safe from adversaries and we can bring to justice those responsible for stealing this data. The FBI does not target foreign nationals or US citizens from foreign countries based on nationality, race, sex, or religious beliefs, nor does the FBI ask anyone in higher education to scrutinize people based on those characteristics. We do, however, target criminal behavior and US legal violations that we have the authority to investigate, whether that activity is committed by a US citizen or a foreign national.
What emerging threat do you wish higher education leaders would take more seriously?
Identifying emerging threats is becoming increasingly difficult because adversaries are continually evolving in their TTPs to obfuscate malicious cyber-activity. In recent years, however, we have seen the emerging trend of cyber-adversaries obtaining unauthorized access to organizational networks to steal data. At times, the public perception is that these adversaries are very sophisticated and deploy zero-day exploits, meaning that victim organizations don't stand a chance. But our experience investigating compromised victim networks tells a different story. Usually, cyber-adversaries are exploiting known vulnerabilities that are unpatched or inadvertently ignored by victim organizations. After the adversary obtains a foothold on the network, it utilizes tools typically found on the network for the purpose of network administration. This is often referred to by cyber-professionals as "living off the land." This method allows the criminals to move around undetected because their activity can be masked as legitimate network administrator activity. The FBI has conducted multiple awareness campaigns to share this information and has asked institutions to limit access rights and to limit and monitor access to administrative tools on networks. Also, more adversaries are utilizing leased infrastructure or third-party connections in order to maliciously access victim networks as a way to "cover their tracks" while conducting reconnaissance, delivering malicious payload, or exfiltrating data once the network has been compromised.
For these reasons, perhaps a better way to look at threats is to ensure that network defenders are configuring their systems according to best practices as defined by, for example, the NIST or the ISO framework (noted above) in order to receive alerts when anomalous behavior is detected. Through the use of proper cyber-hygiene, an attack surface can be significantly reduced, ensuring protection from various common attacks such as ransomware, worms and viruses, and basic vulnerability exploitation. Although proper cyber-hygiene and continuous improvement of cyber-controls is highly recommended, these practices are not a guarantee for preventing advanced cyber-actors, particularly APTs, from unauthorized access. However, these practices will significantly increase the detection of malicious activity.
As actors become more sophisticated, it may become necessary for network defenders to evolve to a zero-trust model. Traditional network management strategies ensured that everything inside the network perimeter was considered safe and accessible. With the increase in spear-phishing, credential harvesting, lateral movement, and living-off-the-land tactics, the zero-trust model was developed to ensure strong authentication and controlled access even for trusted services inside of the perimeter. When network defenders detect malicious activity on their networks, it is important that they contact law enforcement so that we can work together to address the threat. The FBI can leverage its unique perspective on cyber-threats and can utilize lawful authorities to obtain additional information through legal process while working with victim institutions. In this way, the FBI can bring about resolutions that victims are unable to accomplish alone. As we continue to build trusted partnerships and relationships, we must work in collaboration with colleagues across all domains within the public and private sectors and academia. Simply stated, we cannot do it alone.
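As an added example (not from the interview or from the FBI), the following Python detector applies the advice above to "limit and monitor access to administrative tools": it scans process-execution records and flags built-in admin tools run by accounts or hosts outside an allowlist, plus two living-off-the-land command-line patterns. The log format, tool list, allowlisted accounts and hosts, and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Built-in Windows admin tools often reused after a foothold ("living off the land").
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "net.exe", "powershell.exe", "schtasks.exe", "certutil.exe"}
# Assumed allowlists: who may run these tools, and from which hosts.
ADMIN_ACCOUNTS = {"it-admin", "svc-sccm"}
ADMIN_HOSTS = {"jump01"}

@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str      # executable name only, lower-cased
    cmdline: str

def parse_line(line: str) -> Event:
    """Parse a constructed 'ts|host|user|image_path|cmdline' record."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("|", 4)
    return Event(ts, host, user, image.rsplit("\\", 1)[-1].lower(), cmdline)

def reasons_for(ev: Event) -> List[str]:
    """Why an event deserves a look; an empty list means nothing to flag."""
    if ev.image not in ADMIN_TOOLS:
        return []
    reasons = []
    if ev.user not in ADMIN_ACCOUNTS:
        reasons.append(f"{ev.image} run by non-admin account {ev.user}")
    if ev.host not in ADMIN_HOSTS:
        reasons.append(f"{ev.image} run from non-admin host {ev.host}")
    low = ev.cmdline.lower()
    if ev.image == "net.exe" and " use " in low and "\\\\" in low:
        reasons.append("net use to a remote share (possible lateral movement)")
    if ev.image == "powershell.exe" and "-enc" in low:
        reasons.append("encoded PowerShell command line")
    return reasons

def scan(lines: List[str]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for each log line an analyst should review."""
    flagged = []
    for ev in map(parse_line, lines):
        why = reasons_for(ev)
        if why:
            flagged.append((ev, why))
    return flagged

# Constructed sample log: one allowlisted admin action, two suspicious ones, one ordinary program.
SAMPLE_LOG = [
    r"2019-10-01T08:00:00Z|jump01|it-admin|C:\Windows\System32\wmic.exe|wmic os get version",
    r"2019-10-01T08:05:12Z|lab-ws07|jdoe|C:\Windows\System32\net.exe|net use \\fs01\research$ /user:jdoe",
    r"2019-10-01T08:06:40Z|lab-ws07|jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -enc SQBFAFgA",
    r"2019-10-01T09:00:00Z|lab-ws07|jdoe|C:\Program Files\LaTeX\pdflatex.exe|pdflatex thesis.tex",
]
```

Calling scan(SAMPLE_LOG) returns the net.exe and powershell.exe events with three reasons each, and nothing for the allowlisted wmic run or the pdflatex run.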
All of us in higher education are struggling to stay one step ahead of those who are trying to steal our institutional assets or generally cause mischief, but we are well aware that we fall short in various areas. If we could get vastly better at one thing, what would that one thing be?
Having worked with higher education professionals within the scope of cybersecurity for several years, we have learned about the challenges of protecting privacy and information, particularly in relation to research data within an academic environment. Implementing technical solutions to exercise the concept of "least privilege" as it relates to sensitive data is always a good idea, but the challenge remains to protect that same data in the open and collaborative research environment of academia. In general, those who cause mischief and steal institutional assets through cyber-means are committing a crime. When these crimes are committed, we hope higher education professionals will readily call law enforcement partners to address these crimes. Law enforcement officials are not omnipresent and cannot see everything that happens. To do our jobs well, we depend on the public. As simple as that sounds, law enforcement partners are not always called when cyber-crimes occur, sometimes due to privacy concerns or to issues associated with reputational damage. If law enforcement officials are not called, we may not know a problem exists until other institutions are victimized or until we are notified in some manner by a third party. Working together is the only way we can successfully address the threats posed by cyber-adversaries.
On the flip side, and on a positive note, what does higher education do really well when it comes to cybersecurity?
Time and time again, we have witnessed how well academic professionals collaborate to share information and knowledge as it relates to cybersecurity. This willingness to work together is one of academia's key strengths. In the past several years, higher education professionals have welcomed FBI insights related to cyber and national security threats while we have also learned about the challenges affecting the broader academic community. The willingness of higher education to have a dialogue with the FBI about our shared challenges and concerns will perhaps serve as a catalyst for the FBI to be seen as a critical partner in academia's success, as noted by FBI Director Wray.
This is intriguing because at EDUCAUSE, we've been stressing that collaboration is our best hope for standing strong against attacks. We're emphasizing coordination both across the institution and among institutions.
The more human capital and financial resources that an organization possesses, the better equipped it will be to address cybersecurity threats. It is critical for network defenders at institutions with limited resources to collaborate with peer groups in other institutions, organizations, associations, and forums and share cybersecurity knowledge in order to be successful at detecting and deterring cyber-attacks.
How can colleges and universities work more effectively with the FBI? Can you discuss InfraGard and your thoughts on how to encourage more participation by the higher education community?
The best way for cybersecurity professionals in academia to work with the FBI is to develop a working relationship with cyber-agents throughout the fifty-six FBI field offices around the United States. Agents in the field offices try to meet as many private-sector and academic professionals as possible within their areas of responsibility. They will welcome the opportunity to connect. Higher education professionals can simply call their local FBI field office and ask to be transferred to a cyber-agent.
An in-person meeting is always recommended. The best relationships involve FBI agents and academic cybersecurity professionals meeting on a regular basis to conduct two-way and open sharing of information. But these trusted partnerships require time and energy from both sides. If there is no time to establish these arrangements, even just knowing who to call if an institution suddenly learns that it is a victim of a cyber-intrusion is extremely important.
Another point to raise here on trusted partnerships and relationships with law enforcement is that we work and operate under different legal and procedural requirements than do those who work in the private sector or academia. Again, the best way to understand each other's roles, responsibilities, and perspectives is to have open, honest, and clear communication over time. The more we understand each other's needs and concerns, the more our trusted relationships can grow. We truly want to help. The success of all of us in the FBI relies on bringing a sense that justice is being served to the cyber-crime victims.
InfraGard, noted above, is a very good platform for academia to meet with FBI personnel to discuss various topics of interest. It has morphed into a privately run entity managed by citizen volunteers. The InfraGard chapters, located throughout the United States, are particularly helpful for smaller or medium-sized institutions with limited resources, affording the opportunity to meet not only with FBI personnel but also with peers facing similar challenges. Some benefits to participating in InfraGard include the following: access to a secure portal with unclassified threat-intelligence documents; connection to iGuardian, the FBI's cyber-incident reporting tool; availability of intelligence briefings; and training opportunities.
When it comes to your work with higher education institutions and academia, what's your biggest point of pride?
Without a doubt, we are most proud of being part of an organization that brings some relief or justice to the public we serve and to the victims we work to protect. We also take pride in the fact that many colleges and universities have embraced the FBI's efforts to increase awareness of cybersecurity threats and have worked with us, side by side, to assist their students in understanding what is legal and what is illegal when operating online. Working together, we can point everyone in academia in the right direction, setting us all up with a promising cybersecurity future.
Lazaro E. Andino is an FBI Supervisory Special Agent.
Jay Patel is an FBI Supervisory Special Agent.