CyWatch Marks 10 Years

In 2012, the FBI created a new cyber center called CyWatch to be the first point of contact in the event of a computer intrusion, ransomware attack, or financial crime.

Think back to the year 2012. The average cost for a gallon of gas was $3.91, a dozen eggs cost $1.54, The Dark Knight Rises was in theaters, and the FBI created a new cyber center called CyWatch. Now, fast-forward 10 years to the present day. The number of ransomware complaints reported to the FBI has risen dramatically—by 82 percent between 2019 and 2021—and ransomware incidents reported to the Internet Crime Complaint Center (IC3) nearly doubled from 2001 to 2021. With statistics like these, it is fair to say that the fight against cyber crime is far from over.

This October marks the 10th anniversary of CyWatch, whose personnel fight this battle every day. CyWatch, a 24/7 cyber center, operates 365 days a year to coordinate domestic law enforcement responding to criminal and national security cyber intrusions, track targeted-entity and cyber victim notifications, and manage the FBI’s response to major cyber incidents. But who exactly is CyWatch? It is a diverse workforce with a variety of skill sets. Currently, CyWatch is made up of staff operations specialists, management and program analysts, supervisory special agents, and contract employees. “The majority of these personnel support 24/7/365 operations. Rain, snow, sleet, or sunshine, CyWatch personnel ensure each shift is properly staffed and available to support our public and private sector partners with any kind of cyber-related crisis or request,” said Chris Thorpe, CyWatch’s unit chief.

CyWatch is uniquely positioned within the FBI Cyber Division and the National Cyber Investigative Joint Task Force (NCIJTF), and being part of the NCIJTF allows the FBI to work side-by-side with other government agencies (OGAs). “As part of the NCIJTF, we have the ability to reach out to an array of different resources to move forward with our mission,” said a management and program analyst who has been at CyWatch since 2020.

“In the event of a computer intrusion, ransomware attack, or financial crime, CyWatch personnel serve as the first point of contact for Americans, private organizations, OGAs, FBI field offices, and FBI legal attachés,” said a staff operations specialist. CyWatch personnel are quick to act and accustomed to handling large volumes of data. When they receive notice of a cyber threat or incident, they expeditiously assess the event for action and engage the appropriate components within the FBI Cyber Division, the NCIJTF, the responsible FBI field offices, legal attachés (Legats), OGAs, and other federal cyber centers. In a single year, CyWatch processes thousands of requests from both public- and private-sector partners.

These requests also include major domestic and international special events, such as the Olympics, that require hours upon hours of coordination. CyWatch also disseminates information to trusted partners via Private Industry Notifications (PINs) and FBI Liaison Alert System (FLASH) messages. It has disseminated over 100 public threat advisories, including Joint Cybersecurity Advisories, FLASH messages, PINs, and Public Service Announcements, many of which are jointly authored with other U.S. government agencies and international partners. These products have contributed to a number of success stories.

In a recent success story, a foreign law enforcement partner discovered early indications that a health care center was the target of a ransomware attack. They forwarded this threat information to the FBI’s Legat in London, who then forwarded it to CyWatch. Within 37 minutes, CyWatch conducted initial database checks on the health center and forwarded all relevant information, including intelligence, database check results, and the health center’s address, to the local FBI field office for review. The FBI field office then contacted the health center’s IT manager and provided the initial threat information. Because of this contact, the health center was able to isolate the compromised server, contact its insurance company, and enlist the help of a third-party remediation company. Quick action by each party prevented the malware from spreading to the rest of the network and mitigated potential harm to victims and patient care.

There is no “typical day” in CyWatch, said a staff member. “Yes, the team has routine matters that occur, but with cyber events continuously evolving, the team is staffed to act quickly to meet the needs of the Bureau to provide appropriate threat response to any major cyber incident.” It’s this mentality and culture that have made CyWatch such a valuable and agile asset.

When asked what the best part of working in CyWatch is, another CyWatch team member said it’s the positive feeling that comes from helping victims and knowing they are making a difference. “Seeing field agents get in touch with victims of financial crimes minutes after disseminating the victim’s information is amazing. It’s satisfying when we receive an email saying that the victims’ funds were recovered and returned to the beneficiary’s bank. I really get to see how quickly we can action and disseminate cyber threat information, not just to our field offices and Legats, but among OGAs.”