Who you gonna call? DHS and FBI streamlining cyber response

The head of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center compared DHS to firefighters as a way of explaining how federal outreach after a breach can involve multiple agencies.

If a cyber breach were like an arson attack, Andy Ozment would be the nation’s fire chief.

That’s the analogy the head of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center used when describing how his organization works with other federal agencies in response to hacker attacks. He compared DHS to firefighters as a way of explaining how federal outreach after a breach can involve multiple agencies.

“If there’s an arson at your house, firefighters show up, but we don’t figure out who did it and put handcuffs on them,” he said.

Ozment was part of a panel Tuesday at the 2016 RSA Conference that urged private companies to understand the different responsibilities of various federal agencies and called on business executives to establish the right relationships to better prepare themselves for the aftermath of a cyberattack.


Eric Sporre, the deputy assistant director of the FBI’s cyber division, said the criminal side of the investigation falls to his office. However, Sporre said FBI Director James Comey has made a point to dispatch victim response units in the wake of cyber crimes, following the same protocols the bureau would dispatch in the wake of terrorist attacks or financial crimes.

“I know people think we are showing up as the cyber division and we are going to show up and work just the computer intrusion, that’s not the case,” Sporre said. “We try to put [victims] at ease and let them know they have federal government victim services behind them, while FBI and DHS are working the actual breach.”


Even with the best intentions, the separate roles DHS and FBI play can often lead to confusion when private companies are trying to reach out.

White House Cybersecurity Coordinator Michael Daniel said the Obama administration is working on this with the recently passed Cybersecurity Information Sharing Act. Last month, DHS and the Justice Department issued guidance on how private companies can share information with the government, including directions on how to use a Web portal hosted by US-CERT.


“We have to make it so that you don’t have to figure where the right place to go in the federal government is,” Daniel said. “We should make the back end easier so that no matter when you come to the federal government, when you request assistance, it’s our job to get it to the right place so we use the right assets to address the situation.”

All three federal officials stressed that forging relationships beforehand is crucial ahead of a breach. Ozment used the recent Ukraine power grid attack as an example, where DHS’ ISC-CERT and the FBI responded, ultimately issuing an alert for the malware used in the attack.

“No matter how much we’ve talked about this for the past 20 or 30 years, there are still hundreds of thousands of American companies whose CEO, if they read an article about [a power grid hack] in the paper, they will be surprised,” Ozment said. “This should be the incident that makes CEOs sit up and take notice.”

Sporre said private companies should be proactive with the feds, reaching out to one of the 56 FBI field offices if they are seeing bad traffic or something that indicates a bigger problem around the corner.

“We want the calls where you are seeing something that we might be able to shed some light on, or might be able to have a discussion and further the intelligence and information you have to make decisions,” Sporre said.


“I can sit here and assure you that you are going to get the kind of response that you need, but only by developing those personal relationships and having the trust in the people where you are, do you feel comfortable with it and want to have that daily communication.”

Contact the reporter on this story via email at, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

Latest Podcasts