Telling the FBI Your Company Has Been Hacked
As cyber attacks against U.S. companies move markets, drain tens of millions of dollars from bank accounts, siphon off trade secrets, and threaten critical infrastructure, the mantra among government officials is: sharing (information) is caring. The government's desire to increase information sharing on cyber intrusions with the private sector is at the heart of an executive order issued in February, and it was a point underscored at a New York City Bar Association event on Monday, when Mary Galligan, an FBI cyber cop, urged corporations to come forward with information about attacks on their networks.
So what can and should companies expect when they ring up the government and report a problem? What sort of legal issues are going to arise? For this, we turn to Galligan's afternoon panel on cyber crime, where she was joined by attorneys in private practice, a law professor, the head of a computer forensics firm, and the chief of the Manhattan District Attorney's investigations division.
First, as Ed Stroz, of the investigative firm Stroz Friedberg, explained, it's important to recognize that you could be attacked by different categories of attackers, including state-sponsored actors, organized criminal groups, individual hackers or hacktivists, and company insiders. Galligan added a group to the list: terrorists.
Now, before you even have a chance to think about calling the FBI, there's a good possibility they will call you. "What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon," says Galligan.
How does the FBI already know you've been hacked? Well, either they're getting the information from another FBI investigation, or "we're getting it from our partners in the government," Galligan says, which includes all 16 of the U.S. intelligence agencies.
As recently as three years ago, the FBI didn't necessarily tell you that your company had been hacked. "That sharing wasn't always there, because of the issue of classified information," Galligan says. But times have changed, particularly in light of several distributed denial-of-service (DDoS) cases against U.S. banks and the Improving Critical Infrastructure Cybersecurity executive order (Executive Order 13636) President Barack Obama signed in February.
The government is, and especially after the executive order, "sharing information as fast as we can get it," says Galligan.
Whether you call them or they call you, Galligan and her FBI team are going to hope your company has already contemplated the possibility of a cyber attack, that you have a response plan, and that your general counsel is involved in it.
"Because we say over and over, and I have seen it over and over, that unless the general counsels and/or your outside counsel are involved in these issues from the beginning, are part of your plan, it becomes very, very difficult for the government to help you," Galligan says.
Why? "Because the law has not kept up with the issue," she adds. "So I've had companies and banks say, 'Okay, come on in and help us,' but they can't give us consent for that."
For example, following the high-profile string of DDoS attacks against several banks in the past year, the FBI didn't only brief the banks' technical personnel. For the first time, they brought the general counsel of the banks into the discussions of the attack.
"We needed information from the banks," Galligan explains, noting that it was a two-way communication in which "we shared what we knew about the DDoSs." The FBI gave the banks information on the days and times when attacks occurred and what types of things to look for, she says. The bureau also pointed out to the banks that a DDoS can serve as "an opportunity for criminal actors to come in and commit crime in your system."
Alright, so say something happens: how soon should you tell the FBI? "We're going to say, call us sooner rather than later," Galligan says. "And the reason is, we often get called after about two weeks, when a firm or company has tried to fix the issue." The problem with that, she adds, is "it can cause worse technical issues for the company."
Once your company and the FBI are in contact, there are a number of actions the bureau could take. The FBI could tell your company that it can't help you and refer you instead to a third party. It may need to call in the Secret Service or the National Security Agency for assistance on the case. It may be able to give you information about an attack on another company in your industry. Or the FBI may even suggest that it monitor your systems and attempt to collect more information about the attacker.
The options are framed as a conversation about the business decision a company needs to make, according to Galligan. "It's a discussion where we say, 'We recognize you need to make a business decision,'" she says, "and that business decision is going to be a very complicated one."
Albeit one that'll be made easier if the company already has a response plan and legal counsel is involved. Oh, it also helps to know something about your company's networks.
"You would not believe the number of firms who cannot explain what their network looks like," Galligan says. "They don't know their leasing agreements with other companies. They don't know what's on their servers. And these are all important questions to make these business decisions, to make these legal decisions."
And these are not minor legal matters. "You have to really figure out what exactly you're going to be willing to do," says DeVore & DeMarco partner Joseph DeMarco, who specialized in cyber crime as an assistant U.S. Attorney, adding: "These are voluntary requests for information. They don't come with immunity."
Hogan Lovells partner, and former IBM security counsel, Harriet Pearson agreed: "There is no immunity right now. There's a fair amount of legal uncertainty that comes with this relationship, or this dance that business does with law enforcement."