FBI launches iGuardian to standardize cyber threat data sharing

Wednesday - 7/31/2013, 6:15am EDT

Jason Miller explains the FBI's new cyber data sharing program on the Federal Drive.


By Jason Miller and Melissa Dawkins

The FBI launched a new portal Monday to test out how companies could report cyber threats or attacks in real time and in a more consistent way.

The portal, iGuardian, in its pilot stage for the next few months, is available to the 58,000 companies that make up the FBI's InfraGard network.

"If it's successful we're hoping that this is something that we, at some point, are going to roll out universally to a much wider audience," said Rick McFeely, the FBI's assistant director of criminal, cyber, response and services branch, Tuesday at the AFCEA International Global Intelligence Forum in Washington. "Obviously, our concern is the critical infrastructure sectors that are out there. They'll probably be the next up. But we know that, from a technological standpoint, it works; it's working now. We have a very high degree of faith that this is going to work."

Participating companies can submit a form online in the event of a cybersecurity breach of their networks. The National Cyber Investigative Joint Taskforce (NCI-JTF) handles the information provided by these companies, McFeely said.

The NCI-JTF includes 19 agencies that have come together to share cyber threat information and coordinate operations. The task force helps identify and address cyber threats and vulnerabilities before adversaries are able to exploit weaknesses. These efforts are only part of the solution.

McFeely said the FBI will have to deal with a lot of false positives or even hacks that were stopped before they caused damage. He said the information will help lead the FBI and the NCI-JTF to where the biggest threats are.

Similar to police reports

McFeely said this reporting tool is similar to a police report that covers all the bases of what happened and when.

He said that in the past, companies would tell the FBI they had an intrusion, or the FBI would let the company know based on its intelligence efforts, but there was no consistency in the data collected or shared.

Through iGuardian, every report to the FBI will include the same data describing what happened, he said.

"It's going to be the individual field offices, and the cyber task forces in those field offices that are actually going to be the ones interfacing with the companies," he said. "It may be something that's going to be very resource-intensive, especially as we expand this program. And part of what we're going to assess is what we're going to need to resource this. That's a huge question for us right now."

iGuardian is another step in changing the way the FBI and private industry work together to improve communications, use intelligence and protect their computer networks from cyber attacks, McFeely said.

"I can tell you that the FBI was not a good partner in this arena up until about a year and a half ago," he said. "We have radically retooled the way that we work with private industry. Previously, we would actually watch our adversaries go into your networks, and we would be afraid to go out and tell the victims too much because of the fear of revealing our sources and methods. That fear no longer exists."

Testing malware sharing tool

The new online portal is an outgrowth of eGuardian, released in 2009, which serves as a repository enabling the DoD and federal, state and local law enforcement agencies to share terrorism-related cyber activity.

With the new portal, the FBI is looking for patterns and methods adversaries use to gain access to companies' networks. That information can then be disseminated, without attaching the victim company's name, so other companies and the FBI know what to look for and protect against.

In addition to iGuardian, McFeely said the FBI is in the process of making malware collection and analysis, currently used by and within agencies, available to the private sector.

"We have an in-house capability to analyze malware. And we use that within our circle, within the intelligence community to share malware," McFeely said. "One of the things we're testing, and we have a high degree of confidence that over the next couple years we're going to actually be able to roll that out to the private sector."

The FBI's new approach to information sharing is part of an emerging rethinking of what threat data is, where to find it and even how to share it.

Troy Mattern, the technical director for cyber intelligence at the Software Engineering Institute at Carnegie Mellon University, said one industry sector already is changing the information sharing lexicon.