Earlier this year the new FBI director revealed that the agency will introduce a system intended to share information among private businesses about digital intrusions in near-real time.
Called “Malware Investigator,” its purpose will be to gather and share intelligence from public, private, and government sources to stop threats before they become problems, mainly by passing information directly from machine to machine.
“Human speed won’t cut it anymore. The cyber threat is too pervasive, too persistent, and too fluid,” said James Comey, who became FBI director in September. He spoke in February before the RSA Cyber Security Conference in San Francisco.
While not providing many details about the new system, Comey said it will generally be an unclassified version of a malware repository and analysis tool the FBI already has called the Binary Analysis Characterization and Storage System (BACSS). In general, the system helps link malware in different jurisdictions and paints a picture of cyber threats worldwide. The Malware Investigator version will be introduced sometime later this year, he said.
Comey said the initiative comes from an understanding that the agency needs to do a better job communicating with private entities that already are required to provide detailed information about digital crimes, but who have not received much valuable intelligence in return.
“To date, we’ve been fighting [distributed denial of service] attacks at mere human speed, sending malware indicators, host names, and IP addresses to those in the private sector. We understand that sending a laundry list of IP addresses without any content isn’t useful and puts companies at risk of blocking legitimate web traffic,” Comey said.
Instead, he said, with the new system, “Imagine a day where intelligence from combined sources—the government, antivirus companies, ISPs, the financial services sector, and communications companies—is shared instantaneously, machine-to-machine, pursuant to law and with strong privacy protections in place. What if we were able to stop much of the malware as it transited the networks? It is no longer good enough to identify malware as it attacks your system.”
Once it is in place, he said, “If your company has been hacked, you can send the malware to us, and, in most cases, receive a report within hours on how it works, what it might be targeting, and whether others have suffered a similar attack.”