Thursday, April 25, 2019

What is the NCIJTF?

The acronym NCIJTF stands for National Cyber Investigative Joint Task Force.

It is a so-called fusion center, one of many inside the US Intelligence Community, so it's not a three letter agency unto itself, but rather a hub where many agencies collaborate and participate. Fusion centers came into vogue after stovepiping of intelligence was identified as a cause of the 9/11 attacks. It's simply a way to combat stovepipes/silos. One example of a fusion center is the FBI's Joint Terrorism Task Forces (JTTF) which are scattered across the US and are each comprised of the local branches of FBI, US Secret Service, DEA, ATF, ICE, US Postal Inspection Service, US Marshals Service and much more.

Another example of a fusion center is the OCDETF, which Bruce Ohr ran not too long ago. That organization gathers intelligence on multi-jurisdictional drug trafficking and money laundering operations by pooling information from many of the same agencies mentioned above.

However, unlike the JTTF (terrorism) or the OCDETF (drug trafficking), the NCIJTF is specifically focused on cyber crimes, a discipline which the FBI has had an interesting relationship with. Any talk of the NCIJTF has to be couched in a larger conversation about the FBI and Cyber.

FBI, Cyber & creating the NCIJTF

A ton of things changed after 9/11 and the FBI shifted from an almost exclusively law enforcement agency to one that actually prioritized national security first. In 2006, then-Director Robert Mueller said:
"After the September 11 attacks on America, the FBI priorities shifted dramatically. Our top priority became the prevention of another terrorist attack. Today, our top three priorities—counterterrorism, counterintelligence, and cyber security—are all national-security related. To that end, we have made a number of changes in the Bureau, both in structure and in the way we do business."
As part of the reorganization, the FBI established a Cyber Division in 2002 and it was actually a quite prescient move. But "cyber" can mean many things of course. At first, the intent for the department seems to have been "crimes committed using a computer." So things like identity theft, digital child pornography and yes, P2P network intellectual property piracy.

Whatever your opinion of Napster is, the FBI's focus did not seem to extend much to large scale cyber intrusions. And to be fair, these were just starting to filter into the mainstream. But the federal government as a whole didn't seem to really get serious about cyber intrusions until the waning days of the Bush administration.

In January 2008, a classified presidential directive (specifically the Homeland Security Presidential Directive 23 and National Security Presidential Directive 54) was issued. It's also sometimes referred to as the Comprehensive National Cyber Security Initiative (CNCI). This thing seems to have a million names so I'm going to call it NSPD-54 or simply "the directive."

It was classified at the time, but we have access to a semi-redacted version of it now. From its preamble, the purpose was to "(strengthen) policies for protecting the security and privacy of information entrusted to the Federal Government." Meaning, protect the data of the federal government from all adversaries. It's described further in this congressional report.

So note here that there is already a Cyber Division inside the FBI. NSPD-54 is intended to supplement or go above and beyond what is already there, and it's not just about the FBI: it has elements that affect all the three letter agencies.

A clue for what was envisioned under this directive can be gained from one of its architects: Shawn Henry

an enterprising lad

Henry, later of Crowdstrike fame, was actually on the "study group" which formulated NSPD-54.

At the time he was Deputy Assistant Director in the FBI Cyber Division and was in the middle of a large, successful sting operation, which the FBI later took credit for and boasted about. Henry had set up an elite seven-agent cybercrime unit based at the National Cyber Forensics Training Alliance in Pittsburgh, PA, which is itself a semi-autonomous organization within the FBI.

This will come up again. Henry seems to like small teams outside of the bureaucratic structure, ideally working in unidentified and nondescript buildings in order to outfox whatever his cyber foe is at the time. But I digress...

The sting operation involved setting up a cybercrime forum called DarkMarket which purported to be run out of Eastern Europe but was actually run by the FBI in Pittsburgh! It netted 56 arrests worldwide, clearly a success.

So the NCIJTF seems to be an outgrowth of this. A way to maintain an agile cyber team within the bureaucratic US Government while having access to its vast array of tools and resources. Henry was promoted to Assistant Director inside the FBI shortly after NSPD-54 was issued.

What does the NCIJTF do?

Back to the directive, section 31 reads as follows:
From NSPD-54

The NCIJTF is made up of a constellation of federal agencies. In fact, the full list is here:
From DOJ IG Report

The one redacted agency is the CIA of course. But this redaction explains so many things. Anything that gets "The Agency" involved becomes extremely secretive, in fact ridiculously so, as you can tell from the above image.

But in terms of what the NCIJTF was intended to do, here are some examples directly from the US Government:
  • Strategy: Developing global view of information warfare activity creating strategic framework for centralizing coordination of existing operational initiatives and developing new initiatives
  • Attribution: Seeks to identify threats to computer networks affecting national security
  • Investigation: Conducts LE/CI/CT cyber-related investigations and response to counterintelligence threats
  • Disruption: Proactively disrupts the foreign exploitation of U.S. computer networks
  • Incident Response: Identifies new methods of attacks; intends to develop 24/7 operations center
  • Collaboration: Collaborates with Intelligence, Law Enforcement, USSS, other USG entities, foreign LE agencies, state and local government, and private sector; Developing synchronization and collaboration approach for investigations
  • Monitor: Reviews all-source data and identifies intelligence gaps
  • Collection: Collects and synthesizes common operating picture of hostile-intrusion-related activity to aid investigations

And even though this is a collection of various agencies, the FBI was clearly taking the lead role on the NCIJTF. There was later a push to make it equally-led.

Obama signs on

So to re-state, NSPD-54 is a late Bush administration invention.

But once Obama was inaugurated in January 2009, he fully bought in to the plan. Look at this, published by the Obama White House in May 2009, which essentially puts the NSPD-54 directive in graphic form:
Issued by Obama White House

You can see the NCIJTF is named directly in the bottom left as one of seven federal cyber centers (fusion centers). If you count the spokes sticking out of each fusion center, each of which represents "main functions", the NCIJTF actually has the most spokes and thus the most expected functions.

On the campaign trail, Obama promised to "make cyber security the top priority that it should be in the 21st century" so it must have been convenient to plug and play this policy. Also, his campaign was supposedly targeted by foreign hackers and he got a defensive warning from the FBI about it. So maybe he appreciated that. Regardless, Shawn Henry's brainchild survived a change in presidential administration and political party control in Washington.

The NCIJTF through today

Since 2009, the US Government has faced a dramatic rise in cyber threats and has had a spotty record of defending against them. The list of foreign hacks is long and sad. Some lowlights include the DPRK-launched Sony hack in December 2014, the Clinton home-brew server reveal in March 2015, the Shanghai-launched OPM theft in June 2015 and of course the GRU spearphishing attempts starting March 2016.

Yet through all that, the NCIJTF has been assigned more and more responsibility. Under the FBI's "Next Generation Cyber" program launched in 2012, the NCIJTF was strengthened.
From DOJ IG Press Release

Plus, at the height of the election interference of 2016, the Obama administration designated the NCIJTF as the lead responder to emerging cyber threats. That was issued on July 26, 2016...four days after the shocking Wikileaks drop of hacked DNC documents.

Shawn Henry left the FBI in April 2012 to found his cybersecurity company, Crowdstrike. But Henry still uses his involvement with the NCIJTF in his press bios. It is something he is especially proud of:

It is also named in some of the "Midyear Exam" (Hillary Clinton Email Case) FBI documentation. Such as here:

Which even names a location for the NCIJTF: Chantilly, Virginia. In a text message, Peter Strzok mentions going to "Mission Ridge" which is an office building complex in Chantilly and is where I believe the NCIJTF is located. 

But more info on that in the next article...


  3. I have seen this abbreviation so many times and I had no question in my head what it means. Now, having read this article, I understood what it is.

  5. Does your site work? Gab's not working. I'm dead cuz I can't bug you.

  6. Um, I hope you get this Nick .... it's about Gab. Everyone thinks/says I'm psycho. Complicated, but I posted a couple of messages to Gab via their link to Facebook (which I haven't been on for years). Then I tried to get on Gab's site again and get this:
    A code has been emailed to you. Enter it below to complete your login:

    (My screenshots don't appear - took a camera shot). Anyways, I entered my e-mail address, but did NOT receive an email to "complete your login" with a code. Ugh. I hate everyone. Gab/Torba is going to die if they don't fix their site (I warned them and now after I followed their links to FB and warned them 3 times - I am now getting weird shit and can't even access their site's "error" maintenance message? Huh. I'm not tech savvy, but I ain't stupid Nick. Huh.

  11. Thanks as always for your advice. And thanks for saying in your newsletter that you have seen other bloggers spend months and years chasing their tails. It is easy to feel like you’re the only one who hasn’t succeeded!