Cyber Academy Focuses on Partnerships with Private-Sector Information Security Leaders
A spate of damaging, disruptive, and increasingly aggressive hacks into key sectors of the country’s critical infrastructure in recent years provided a sobering backdrop for a recent gathering of FBI cyber experts and the chief information security officers from companies around the country.
The FBI’s Cyber Division has held its Chief Information Security Officer (CISO) Academy since 2016. The semi-annual meetings give select personnel at private sector companies a chance to connect with FBI cyber experts and receive classified briefings about the threats they face and how to work with the FBI and partners when a cyber breach occurs. For the FBI, the CISO Academy helps curate new partners in the defense against cyber attacks—a worthy goal when an estimated 85% of the nation’s critical infrastructure is owned and operated by the private sector.
“In terms of being the front line of defense, or those who are most likely targeted, it’s going to be the private sector,” said Noah Epstein, an intelligence analyst whose Cyber Division unit tracks threats and vulnerabilities in the country’s critical infrastructure. “That’s why it’s important that we develop this relationship with them. It’s two-way information sharing. And when something does occur, we already have that relationship and we can respond swiftly.”
The three-day session in October, hosted by the FBI’s Charlotte Field Office in North Carolina, included 17 information security officers from companies of varying sizes representing the energy, finance, health care, and information technology sectors. FBI special agents and analysts briefed attendees on past cases like cyber intrusions and ransomware and described how the FBI conducts these types of dynamic and sensitive investigations. As a general rule, they said, the earlier the FBI is integrated into a response, the better the outcome for everyone involved.
Academy attendees also heard from information security experts who recalled their own experiences fending off cyber attacks and working alongside the FBI. Ron Bushar, a senior vice president and chief technology officer for government solutions at FireEye, discussed how his company—a hired investigative partner—worked alongside the FBI in the massive SolarWinds breach. The 2020 hack of the Texas company, attributed to overseas actors most likely in Russia, affected thousands of organizations, including some federal agencies. Bushar said that private sector companies stand to benefit from having a strong relationship with a federal investigative partner and knowing in advance what they will need to assist.
CISO Academy attendees at the Cyber Division's ninth session included information security officers from companies representing the energy, finance, health care, and information technology sectors. During the three-day program, participants received security briefings and heard from information security experts who recalled their experiences with cyber attacks.
During a scheduled break, participants also watched a SWAT demonstration and had an opportunity to shoot FBI-issue weapons at a target range, including a 100-year-old Thompson submachine gun, or Tommy gun.
“It certainly helps to have some understanding of what is going to be needed, what types of questions you are going to be asked,” Bushar said. “Part of our experience was we had a long-standing relationship with various government people and organizations, so it was very ad hoc for us. But a lot of organizations do not have that daily interaction or understand the protocols. So building some of those relationships through efforts like this is very useful.”
The CISO Academy has traditionally been held at the FBI Training Academy in Quantico, Virginia, where attendees get to watch and participate in tactical and firearms demonstrations on the same campus where new agents train. But COVID-19 protocols at the training academy put classes at Quantico on hold, so the ninth session was held in Charlotte. Between cyber briefings and breakout sessions, attendees were given a break to see more traditional FBI roles. They visited FBI Charlotte’s “shoot house,” where agents train in close-quarters combat, and watched a demonstration by the division’s SWAT team. Students also got to shoot FBI-issue weapons at a target range the Bureau shares with local police. A highlight for many was firing one of the division’s century-old Thompson submachine guns, or Tommy guns.
By week’s end, attendees had a better understanding of how they could work with the FBI and other federal partners—ideally well before they are targeted in a cyber attack. Many felt emboldened to meet again with their CEOs and lawyers to hammer out more detailed plans of how they will work with federal partners.
Eric Miller, information security manager at Michigan-based Roush Enterprises, said it’s helpful to have FBI input and a direct contact at the Detroit Field Office who can provide a more comprehensive perspective when it comes to making security decisions and pitching them to company executives.
“It really does help when you have additional expertise, especially from law enforcement, to support your case,” Miller said.
“Cyber is a unique threat where we cannot do our job without collaboration with the private sector. Without them forward-leaning with us, we don't have a successful case.”
Kathryn Sherman, special agent, Washington Field Office
Christina Quaine, chief information security officer at AvidXchange, a Charlotte-based software company, said a checklist provided by the CISO Academy was particularly valuable because it spells out questions that would likely be asked by agents investigating a breach.
“I’m definitely going back to my team and having them proactively fill this out so we have it on deck,” Quaine said. “I will go to my legal counsel, understand what their stance is on sharing data, and understand how we can get to the right terms so, if or when this happens, we have all these things lined up.”
Bryan Vorndran, assistant director of the FBI’s Cyber Division, recommended that everyone at the very least establish a single point of contact between their companies and the federal government. He said the FBI—through investigation, prosecution, and attribution—can hold bad actors accountable, which can ultimately have a deterrent effect.
“The Bureau is excellent with targeted partners who fall victim to these types of crimes,” he told Academy attendees as they wrapped up the session. “We are the only agency in this country that can put a well-educated, well-trained, well-intentioned agent on any doorstep in this country within one hour; we can do that in 70 countries within a day. That is our value proposition.”