Thursday, April 25, 2019

What is the NCIJTF?

The acronym NCIJTF stands for National Cyber Investigative Joint Task Force.

It is a so-called fusion center, one of many inside the US Intelligence Community, so it's not a three-letter agency unto itself, but rather a hub where many agencies collaborate and participate. Fusion centers came into vogue after stovepiping of intelligence was identified as a cause of the 9/11 attacks. It's simply a way to combat stovepipes/silos. One example of a fusion center is the FBI's Joint Terrorism Task Forces (JTTF), which are scattered across the US and are each made up of the local branches of the FBI, US Secret Service, DEA, ATF, ICE, US Postal Inspection Service, US Marshals Service and many more.

Another example of a fusion center is the OCDETF, which Bruce Ohr ran not too long ago. That organization gathers intelligence on multi-jurisdictional drug trafficking and money laundering operations by pooling information from many of the same agencies mentioned above.

However, unlike the JTTF (terrorism) or the OCDETF (drug trafficking), the NCIJTF is specifically focused on cyber crimes, a discipline which the FBI has had an interesting relationship with. Any talk of the NCIJTF has to be couched in a larger conversation about the FBI and Cyber.

FBI, Cyber & creating the NCIJTF

A ton of things changed after 9/11 and the FBI shifted from an almost exclusively law enforcement agency to one that actually prioritized national security first. In 2006, then-Director Robert Mueller said:
"After the September 11 attacks on America, the FBI priorities shifted dramatically. Our top priority became the prevention of another terrorist attack. Today, our top three priorities—counterterrorism, counterintelligence, and cyber security—are all national-security related. To that end, we have made a number of changes in the Bureau, both in structure and in the way we do business."
As part of the reorganization, the FBI established a Cyber Division in 2002, and it was actually quite a prescient move. But "cyber" can mean many things, of course. At first, the intent for the department seems to have been "crimes committed using a computer." So things like identity theft, digital child pornography and, yes, P2P network intellectual property piracy.

Whatever your opinion of Napster is, the FBI's focus did not seem to extend much to large-scale cyber intrusions. And to be fair, these were just starting to filter into the mainstream. But the federal government as a whole didn't seem to really get serious about cyber intrusions until the waning days of the Bush administration.

In January 2008, a classified presidential directive (specifically Homeland Security Presidential Directive 23 and National Security Presidential Directive 54) was issued. It's also sometimes referred to as the Comprehensive National Cybersecurity Initiative (CNCI). This thing seems to have a million names, so I'm going to call it NSPD-54 or simply "the directive."

It was classified at the time, but we have access to a semi-redacted version of it now. From its preamble, the purpose was to "(strengthen) policies for protecting the security and privacy of information entrusted to the Federal Government." Meaning, protect the data of the federal government from all adversaries. It's described further in this congressional report.

So note here that there is already a Cyber Division inside the FBI. NSPD-54 is intended to supplement or go above and beyond what is already there, and it's not just about the FBI; this has elements that affect all the three-letter agencies.

A clue to what was envisioned under this directive can be gained from one of its architects: Shawn Henry.

Henry, later of Crowdstrike fame, was actually on the "study group" which formulated NSPD-54.

At the time he was Deputy Assistant Director in the FBI Cyber Division and was in the middle of a large, successful sting operation, which the FBI later took credit for and boasted about. Henry had set up an elite seven-agent cybercrime unit based at the National Cyber Forensics Training Alliance in Pittsburgh, PA, which is itself a semi-autonomous organization within the FBI.

This will come up again. Henry seems to like small teams outside of the bureaucratic structure, ideally working in unidentified and nondescript buildings in order to outfox whatever his cyber foe is at the time. But I digress...

The sting operation involved setting up a cybercrime forum called DarkMarket which purported to be run out of Eastern Europe but was actually run by the FBI in Pittsburgh! It netted 56 arrests worldwide, clearly a success.

So the NCIJTF seems to be an outgrowth of this: a way to maintain an agile cyber team within the bureaucratic US Government while having access to its vast array of tools and resources. Henry was promoted to Assistant Director inside the FBI shortly after NSPD-54 was issued.

What does the NCIJTF do?

Back to the directive, section 31 reads as follows:
From NSPD-54

The NCIJTF is made up of a constellation of federal agencies. In fact, the full list is here:
From DOJ IG Report

The one redacted agency is the CIA of course. But this redaction explains so many things. Anything that gets "The Agency" involved becomes extremely secretive, in fact ridiculously so, as you can tell from the above image.

But in terms of what the NCIJTF was intended to do, here are some examples directly from the US Government:
  • Strategy: Developing global view of information warfare activity, creating strategic framework for centralizing coordination of existing operational initiatives and developing new initiatives
  • Attribution: Seeks to identify threats to computer networks affecting national security
  • Investigation: Conducts LE/CI/CT cyber-related investigations and response to counterintelligence threats
  • Disruption: Proactively disrupts the foreign exploitation of U.S. computer networks
  • Incident Response: Identifies new methods of attacks; intends to develop 24/7 operations center
  • Collaboration: Collaborates with Intelligence, Law Enforcement, USSS, other USG entities, foreign LE agencies, state and local government, and private sector; Developing synchronization and collaboration approach for investigations
  • Monitor: Reviews all-source data and identifies intelligence gaps
  • Collection: Collects and synthesizes common operating picture of hostile-intrusion-related activity to aid investigations

And even though this is a collection of various agencies, the FBI was clearly taking the lead role on the NCIJTF. There was later a push to make it equally led.

Obama signs on

So to re-state, NSPD-54 is a late Bush administration invention.

But once Obama was inaugurated in January 2009, he fully bought into the plan. Look at this, published by the Obama White House in May 2009, which essentially puts the NSPD-54 directive in graphic form:
Issued by Obama White House

You can see the NCIJTF is named directly in the bottom left as one of seven federal cyber centers (fusion centers). If you count the spokes sticking out of each fusion center, each of which represents a "main function", the NCIJTF actually has the most spokes and thus the most expected functions.

On the campaign trail, Obama promised to "make cyber security the top priority that it should be in the 21st century," so it must have been convenient to plug and play this policy. Also, his campaign was supposedly targeted by foreign hackers and he got a defensive warning from the FBI about it. So maybe he appreciated that. Regardless, Shawn Henry's brainchild survived a change in presidential administration and political party control in Washington.

The NCIJTF through today

Since 2009, the US Government has faced a dramatic rise in cyber threats and has had a spotty record of defending against them. The list of foreign hacks is long and sad. Some lowlights include the DPRK-launched Sony hack in December 2014, the Clinton home-brew server reveal in March 2015, the Shanghai-launched OPM theft in June 2015 and of course the GRU spearphishing attempts starting March 2016.

Yet through all that, the NCIJTF has been assigned more and more responsibility. Under the FBI's "Next Generation Cyber" program launched in 2012, the NCIJTF was strengthened.
From DOJ IG Press Release

Plus, at the height of the election interference of 2016, the Obama administration designated the NCIJTF as the lead responder to emerging cyber threats. That was issued on July 26, 2016... four days after the shocking WikiLeaks drop of hacked DNC documents.

Shawn Henry left the FBI in April 2012 to found his cybersecurity company, CrowdStrike. But Henry still uses his involvement with the NCIJTF in his press bios. It is something he is especially proud of:

It is also named in some of the "Midyear Exam" (Hillary Clinton Email Case) FBI documentation. Such as here:

Which even names a location for the NCIJTF: Chantilly, Virginia. In a text message, Peter Strzok mentions going to "Mission Ridge," which is an office building complex in Chantilly and is where I believe the NCIJTF is located.

But more on that in the next article...
