It’s just a two-page fact sheet. But the new document, from the National Cyber Investigative Joint Task Force, aims to help organizations guard against one of the most persistent and dangerous cybersecurity threats: ransomware. Secret Service Deputy Director Greg McAleer and FBI Cyber Division Unit Chief Ryan Pierrot talked with Federal Drive with Tom Temin about the whys and hows behind the task force’s work on the document.
Tom Temin: Let’s begin with the task force itself, the National Cyber Investigative Joint Task Force. What does it do, what’s its primary mission and who’s on it? Greg?
Greg McAleer: Tom, the NCIJTF is a national cyber task force that was established in 2008 through two specific presidential directives: the National Security Presidential Directive 54 and Homeland Security Presidential Directive 23. And its goal is to be the hub of the cyber investigative coordination across government with authorities from the Department of Justice and some other component agencies.
Tom Temin: Okay. And Ryan, there’s a lot that the FBI brings to this because there’s a lot of cyber work the FBI does in general. So tell us more about your role in here.
Ryan Pierrot: Thank you, Tom. And to go off what Greg was saying, again, the FBI leads the NCIJTF. It was established in 2008, as Greg said, under the National Security Presidential Directive and the Homeland Security Presidential Directive. The NCIJTF is a multi-agency cyber center, which serves as the national focal point for a whole-of-government approach on campaigns when we see significant threats and adversaries. The task force performs its role through its cooperation and collaboration with over 30 co-located partner agencies, fy by partners, and state and local enforcement organizations. Senior leaders and cyber experts from across the United States government work together towards a common set of national priorities to collectively impose risks and consequences on our cyber adversaries. We leverage each agency’s unique authorities, skills and capabilities. Then NCI can integrate all these skills and capabilities in order to acquire, analyze, share, and act on information through joint sequence to naval operations.
Tom Temin: Before we get to the specific issue at hand, is it safe to say that you have been working on a lot of issues lately, we’ve had so many major cyber attacks? Do you guys also weigh in with Homeland Security from time to time when something like the Microsoft hack or the SolarWinds attack happens? Are you part of that governmentwide kind of response that happens, Mr. McAleer?
Greg McAleer: Absolutely. And kind of the greater the threat and the greater the issue, the more agencies we seek to engage and to coordinate with. Our goal is to coalesce whole-of-government campaigns. That means any agency that has an equity or an authority that can be leveraged to maximize our impact, we request that they join us and help us to combat whatever threat arises.
Tom Temin: Okay, let’s get to this new, it’s just, as I said, a two-page PDF, but it’s really packed with information on ransomware. What was the genesis of this particular document? Ryan?
Ryan Pierrot: Thanks, Tom. You know, ransomware is one of the top threats that the FBI has seen. So we take every opportunity that we can to inform the public. So even though it’s two pages, it has a lot of great information in it. And sometimes it’s repetitive to other documents that we’ve put out. But again, it’s very important. There’s kind of like six items within this document. We, again, define what ransomware is, we define like what the government’s efforts to combat ransomware are, common infection vectors that the public will see, best practices, how we’re seeing the public get impacted on ransomware, and how to report ransomware incidents. And that’s kind of key to it all, Tom, is that we need to get as much reporting as we can from the public on ransomware.
Tom Temin: And we should point out there are one, two, three, four, five, six, seven, eight, nine, 10, 11 agency logos on this. So clearly, this is a whole-of-government effort to go after this problem. Earlier, you said too that part of the work that the FBI does involves state and local government in the whole cybersecurity issue. And from what we’ve seen, it looks like ransomware, that is, is a bigger issue with the state and local levels, so far at least, than it has been at the federal level. Fair to say?
Ryan Pierrot: From what we’re seeing, we’re seeing ransomware doesn’t discriminate on who it attacks. It doesn’t target just one sector. It doesn’t target just one entity. Ransomware attacks all.
Tom Temin: Alright, and so then just run through as quickly what some of the top line advice is to detect it and then deal with it.
Greg McAleer: Tom, I’ll jump on that. So with the NCIJTF, if you don’t mind and you’ll oblige me, I’d just like to make a comment about the banner that you talked about on the ransomware sheet. If you notice in the middle, the center icon is that of the NCIJTF. And then the other agencies are these partner agencies that actually make up the NCIJTF. And I think that’s a critical piece that really needs to be communicated, is that the Secret Service, the FBI and a whole host of other agencies and organizations are committed to making the NCIJTF that focal point for whole-of-government operations and investigations. The fact that we can combine all of our authorities and equities into that one area really, really amplifies what we can do and that risk and consequences, we escalate that against our adversaries. And they’re a very sophisticated group. So we have to respond to them with the same level of force or whatever you’d like to call it, investigative rigor, whatever you want, to stop them from doing what they’re doing.
Back to the best practices, I would suggest that agencies, private industry, anybody in the public or private arena, should back up your data as frequently as you can, test your backups, make sure your configurations are good, absolutely multifactor authentication, so the people who are on your networks, we really know who they are. Get every patch you possibly can. And we’ve seen that through some of the other incidents that have made the papers about patching issues. So patch your computers, patch your systems and make sure you’re really diligent when you’re doing that. And finally, make sure your security solutions are up to date, and really have a plan. You need to have a plan when something goes wrong. I think many times Ryan and myself have seen that companies, agencies call up and they say, my God, this is what’s happening. And we say, well, what have you done? And there’s this kind of pause for a moment where they don’t know how to answer that and they don’t know what to tell us that this is what they did. So have a plan, have a security plan, have a plan to continue your operation.
Tom Temin: And Ryan, the ransomware part of this, of course, is the ransom. Suppose a municipality or county gets hit? And, you know, give us a million dollars or your data is all locked up? What should they do short of paying the million dollars, which may not even be insurance against all of this?
Ryan Pierrot: You know, Tom, great question. When any entity is hit by ransomware, you know, the first thing they should do is report it. If they report it to any agency, you know, whether they have a relationship with the FBI, with Secret Service, with DHS, again, we have this criminal mission center here at the NCIJTF. We are going to hear about it, we are going to share about it, and we are going to respond properly. So preferably before an attack happens, just as Greg was mentioning, they should be calling up DHS. DHS handles preventive measures and they can coordinate with that business to sort of come up with a business plan and to strengthen their systems. If an incident should happen, they should contact again. What other agencies, you know, the FBI has field offices all over the United States, they could contact their local field office, and they report that incident. From there, the FBI will respond. And we will respond by coordinating with that company, maybe with their remediation company, in order to collect evidence, provide indicators in order to investigate it, but also provide them with information that may help them get their systems back up and running.