Every cloud needs a cop: How the FBI secures its digital assets

At the 2016 Structure Conference, FBI CISO Arlette Hart explained how the bureau approaches security and manages its systems.


There's no doubt that the FBI is one of the first organizations that many Americans think about when they consider national security. However, in addition to focusing on the security of US citizens, the FBI has to focus on securing its own systems as well.

On Wednesday, at the 2016 Structure Conference in San Francisco, FBI CISO Arlette Hart answered some questions about the FBI's approach to security. Interestingly enough, many of the challenges faced by the FBI are faced by enterprises around the world.

For starters, the FBI has to manage legacy systems while also staying on the cutting edge of technology. That means the bureau needs a metric for deciding which systems get priority, and which areas need new innovations, to stay relevant.


For the FBI, that metric is the mission of the organization. Whereas a retail organization might do everything it can to make sure the customer is happy, the FBI centers everything it does in IT around making sure the mission is undeterred, Hart said. This leads to questions such as: Do their agents have the right tools to fight crime?

The mission itself is simply to reach their goal of keeping Americans safe and defending the Constitution, Hart said. However, different seasons can change what that goal looks like. The post-Snowden era and the prevalence of WikiLeaks, for example, are at the forefront of the challenges the FBI faces in its approach to security.

However, information leaks are something the FBI has been working against for a long time and has to be constantly aware of. The arrest of a Russian spy known as Robert Hanssen in 2001 prompted the creation of a separate division for security.

Later that year, the terrorist attacks on September 11 happened, and these two events led to a big conundrum for how the FBI handles information. While the FBI must lock down sensitive information, it also must make the information shareable between law enforcement agencies to help prevent events like September 11 from happening again.

It probably goes without saying that insider threats are a critical concern for Hart and her team at the FBI. As with many other businesses that must protect against people stealing IP, money, or other assets, understanding how data is being compromised is a core competency for IT, Hart said, for both the FBI and the private sector.

But insider threats are only one side of the coin. Hart's team is also heavily focused on external threats--Hart called this the two sides of the threat optic. And, she said, any tools the FBI deploys must have capabilities to touch both sides of the optic.

Additionally, the FBI's system of classification for information is essentially a risk management tool, as it determines the protections and tools that are put in place for any given piece of data. However, Hart said, the FBI doesn't monetize risk, because a dollar value isn't a good metric for the bureau. Instead, it looks at how much a risk would impact the FBI mission. But Hart did encourage businesses to monetize risk and choose what to secure based on how it impacts their business.

Unlike most businesses, the FBI's website is not considered a mission critical asset, Hart said. Their website is focused mainly on information delivery, so it is segmented, but it isn't given the highest level of protection.

The FBI doesn't do BYOD, Hart said, as it is too difficult to lock down most consumer devices. But the FBI does use the cloud, and in many different ways. One piece of that is Amazon's GovCloud, and the FBI is working on migrating some legacy systems to the cloud as well.

One huge piece of the FBI's overall strategy is availability, Hart said. The FBI has to be available to state and local law enforcement 24/7, so maintaining a high availability is a top priority.

The 3 big takeaways for TechRepublic readers

  1. The FBI faces many of the same security challenges faced by businesses around the world, but on a different scale.
  2. Risk isn't monetized in the FBI; rather, the bureau looks at risk in terms of how it could impact the mission of the organization.
  3. The FBI uses the cloud, but it doesn't have a BYOD program as too many devices are geared toward consumers and difficult to lock down.
