America's cyberdefenses are disturbingly
weak according to numerous reports both from the government and the private
sector. Three out of four advisors to former President George W. Bush
predicted that a major
attack on a U.S. utility would occur within two years, depriving Americans
of vital service. Individuals in China and Russia are suspected of
breaking into government systems on a regular basis and stealing information.
But the America's cybersecurity isn't so abysmal
merely from underfunding. According to a recent U.S. Department of Justice report [PDF], it is
also suffering from internal incompetence and mismanagement.
The DOJ's inspector general's office performed an
audit of cybersecurity staff at the U.S.
Federal Bureau of Investigations. The audit examined 10 of the FBI's
56 field offices, which are designed to respond to cyberthreats.
Of the 36 agents examined, 23 proved basically
competent, but 13 "lacked the networking and counterintelligence expertise
to investigate national security intrusion cases."
The report complains that some of that
incompetence isn't even the agents’ fault -- it’s the fault of the FBI
leadership. Currently the FBI rotates its field agents every three years
between offices. As a result, many agents find themselves with essentially
zero expertise at their new, dramatically different cybersecurity position.
The report also complains that the FBI is doing a
poor job sharing information with other intelligence agencies. And it
says that many of the field offices examined were "inadequate" in
both an analytical and a forensic cybersecurity capacity.
Interestingly, the FBI convinced the DOJ to redact
the number of agents that had completed its Cyber Development Plan course
program. The CDP consists of 12 core security sessions, similar to
college courses. The sessions are designed to strengthen agents' background
in cybersecurity. The program was first introduced in 2007.
Since 2009 the FBI has been trying to hire 3,000
new agents, with a heavy emphasis on individuals with IT experience. The
FBI was embarrassed in 2009 by its chief's admission that he almost
responded to a phishing scam.
The FBI has had some high profile successes of
late -- such as taking
down the CoreFlood botnet-- but it also has struggled in dealing with more
organized foreign cyberaggression. The FBI and fellow agencies have
also struggled in dealing with homeland cybercriminals, such as child
predators. They have raided
several citizens’ homes and reportedly brutalized them, only to find that
it had misidentified the suspect due to a lack of investigation.