Cyberwar

Exclusive: Meet the Fed's First Line of Defense Against Cyber Attacks

Inside the secret Fed cybersecurity unit keeping trillions of dollars safe from hackers.

If the U.S. central banking system is ever hit with a crippling cyber attack, a group of roughly 100 government employees working in a three-story fortress-like building next door to a Buick dealership in East Rutherford, N.J., will be among the first to know about it. That's where, almost entirely out of sight, a team from the Federal Reserve System's crack cyber security unit is constantly on watch for malicious hackers, criminals, and spies trying to breach the computer networks of the Fed, its regional banks, and some of the most critical financial infrastructure in America.

The National Incident Response Team, or NIRT, as the group is called (pronounced "nert"), tries to prevent intruders from breaking into Fed computer networks and money transfer systems used by thousands of banks across the U.S. every day. Among the team's most important protectees is the Fedwire Funds Service, a real-time settlement system that banks use to transfer money between accounts. In 2013, Fedwire handled on average $2.8 trillion in transfers every day.

For several years now, current and former U.S. officials, as well as bank executives, have warned that cyber attackers could sow mass panic by disrupting critical financial networks such as the ones NIRT protects, causing the systems to crash or manipulating information so that customers didn't know how much money was in their accounts and financial institutions couldn't square their ledgers. The nightmare scenario for NIRT members is a malicious hacker gaining access to Fedwire or to sensitive computers used by the Treasury Department, such as the International Treasury System, which the federal government uses to make payments directly to foreign individuals and companies around the world and is also monitored by the NIRT.

The cyber security team is the first line of defense for the central banking system. "If there's a breach of Fedwire or another critical system, they're going to wake the [Federal Reserve] chairman up out of bed," said one former NIRT member. "That's a shit-your-pants type of emergency. Anything that compromises the faith and trust in the [government-backed] money system. And that's all bound to the Fed and Treasury systems."

So far, the U.S. financial system has avoided a cyber calamity, a testament to the NIRT's skill and the defensive precautions that the Fed has taken to closely police its networks, say former employees and cyber security experts. (Or a commentary on the relative lack of skill of some hackers. Those same security experts -- and government officials -- say that thousands of attempted intrusions occur against U.S. financial networks every day, but few get through.)

But for all its apparent success, the NIRT is unusually secretive. There is nary a mention of the group in press articles, and its work has rarely come up at congressional hearings. Federal Reserve Board officials declined several requests from Foreign Policy for interviews about the NIRT. Some former team members said they couldn't discuss their work, citing confidentiality agreements. Those who would speak for this article would only do so anonymously.

For such an expansive mission, the NIRT is relatively small. About 100 employees, by one former team member's estimate, scour the Fed's computer networks every day looking for the tiniest signs that data is being removed, or exfiltrated, by an unauthorized source. The NIRT's sensors are so finely tuned that if a Federal Reserve employee at any of the system's twelve regional banks in the U.S. connects an unauthorized phone or other device to his work computer, the NIRT will be alerted and, if necessary, confiscate the computer and run forensic tests on it, said one former NIRT member. Another said that if the team detects that a computer may have been infected with a virus or is accessing a website that might be loaded with malicious software code that could steal data from the computer, the security team will quarantine the machine and limit its access to other networks.

"They'll dump you into a walled garden so that you can't get to anything but the NIRT homepage," says the former team member. "You'll get a splash screen that says, 'This computer has been compromised. Call NIRT.'"

The NIRT is not a typical technology help desk -- it doesn't field calls from bank employees who need help resetting a password. The Fed only calls in the team "for incidents that are deemed to have higher impact," according to a 2013 report by the Fed's inspector general. The team offers eight different security services to the Fed board and its reserve banks, primarily security monitoring, forensic analysis of traffic flows and attempted cyber attacks, and alerts and warnings about potential threats, a NIRT representative told the inspector general.

The team is particularly vigilant for malicious software programs called Trojans that are designed to steal data from computer networks or install so-called backdoors that let hackers come and go on the network without being detected, former employees said. "The NIRT had a wicked budget for forensics workstations," said one former team member, referring to computers and tools that help analysts determine how a hacker breached a network or infected a computer.

Those tools are mostly used to assess break-ins at one of the approximately 3,000 commercial banks that are members of the Federal Reserve System and can ask for help from the NIRT after a major event. Commercial banks are routinely targeted by financial criminals and are primarily responsible for protecting the accounts of their individual customers. They're required to report any breach of their networks to their regional Fed branch, which then alerts the NIRT.

"If a member bank gets compromised or there's a breach, we make sure it didn't affect the Fed," the former NIRT member said. "We'll look at our systems and make sure we weren't penetrated and that there was no exfiltration." The NIRT can help a member bank understand how it was attacked and what information was lost, and put defenses in place to prevent further damage. But the team's main concern is always the security of the Fed itself. Two former NIRT employees who helped analyze break-ins at commercial banks said they couldn't recall an instance in which the Fed suffered a significant breach that resulted in a loss or manipulation of data. Last year, hackers commandeered a public Web site that the Fed uses to communicate with commercial banks, but officials said no sensitive systems were affected.

In general, the Federal Reserve has some of the best cyber security procedures in the government, experts say. "The Fed is perhaps the best of the federal agencies in developing their cyber skills, outside the FBI and the National Security Agency," said Alan Paller, the director of research at the SANS Institute, which teaches cyber security courses for government employees. Former NIRT members said that even minor changes to the Fed's cyber security protocols have to be defended in person to a review board of engineers. In 2013, the Fed's inspector general gave a clean bill of health to the central bank's overall information security program, which includes the NIRT and other teams focused on more mundane tasks.

The Fed's cyber security is so well regarded, in fact, that last year an advisory panel comprised of chief executives from some of the country's biggest commercial banks recommended putting the Fed in charge of cyber security for the entire financial services industry. The panel determined that the Fed already has the systems and procedures in place to serve as a broker between banks and law enforcement and intelligence agencies, sharing information about potential cyber attacks without revealing proprietary information that the banks want to keep secret, according to minutes of the panel meeting obtained by Bloomberg.

The NIRT's primary operations center is in a 400,000 square-foot facility in New Jersey, called the East Rutherford Operations Center, a short drive from the New York Stock Exchange and the financial district of Lower Manhattan. The building handles cash for the Federal Reserve Bank of New York (billions of dollars in paper currency and coins arrive regularly in armored vehicles), and it was designed as a "fail-safe" and secure environment, according to its architect. All of the building's incoming power and utility lines have redundant features and are backed up by a diesel generator in case the facility loses electrical power because of an outage or a physical attack.

Forensic analysts for the NIRT also work at the Fed's New York branch, in Manhattan, and a team devoted to finding ways to break into computer networks, in order to defend the bank's own systems, works in the Fed branch in San Francisco, according to former employees. Publicly posted job descriptions for NIRT positions show the unit is looking for high-skilled experts who know how to reverse engineer malicious software, study traffic flows, conduct "post mortem" examinations of compromised computers, and come up with defensive security techniques on the fly. A top secret security clearance is required.

While they're on the job, NIRT employees are as closely monitored as the Fed's networks. To guard against anyone using insider information gleaned from the Fed's operations or policy-making, anyone with a top-secret security clearance is generally prohibited from purchasing stocks except through an index fund, which pools purchases into groups chosen by brokers.

"If you did want to buy a stock, you'd have to fill out a form and explain why," one former NIRT employee said. "If anything hokey goes on, Protection is going to pick you up," he said, referring to the Fed's internal police department. Employees are even watched when they're performing routine maintenance on bank equipment. "If I was installing a switch in the data center, there was a guy with a machine gun watching. They're not messing around," the former employee said.

The NIRT also protects Federal Reserve research networks, which economists use to make financial forecasts and conduct research on policy issues on behalf of the Board of Governors and the powerful Open Market Committee, which makes decisions about interest rates and the growth of the U.S. money supply. The same former NIRT employee said that some of the research is so sensitive it's conducted only on networks that have no connection to the Internet, so that criminals or foreign spies can't access information that might help them discern the direction of U.S. policy.

Another big part of the NIRT's job is warning Fed employees about malicious computer programs that have been found circulating on the Internet and hacking techniques that intruders might use, such as hiding viruses inside attachments of legitimate-looking emails. The team sends out regular updates containing so-called "threat signatures" that employees should use to protect themselves and their networks. A former NIRT member said the group also has a team of researchers dedicated to finding zero-day vulnerabilities, which are flaws in computer software that haven't yet been discovered by their manufacturer. The Heartbleed vulnerability that recently set off alarms and led computer users to rush to change their online passwords is one example.
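The two monitoring behaviours the article describes, alerting on an unauthorized device plugged into a workstation and quarantining a machine that matches a pushed-out threat signature, can be illustrated with a small triage routine. The following is an added example written for this page, not code from NIRT or the Federal Reserve; the log format, the device allowlist, the signature lists, the host names and the portal name are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample host events (not real Fed logs): one key=value line each.
SAMPLE_EVENTS = [
    "2014-05-01T09:12:03 host=ws017 event=usb_connect vid=0781 pid=5567 serial=4C53000123",
    "2014-05-01T09:13:10 host=ws017 event=usb_connect vid=046d pid=c52b serial=NONE",
    "2014-05-01T09:20:10 host=ws204 event=dns_query domain=update-checker.example.invalid",
    "2014-05-01T09:21:00 host=ws204 event=dns_query domain=intranet.example.test",
    "2014-05-01T09:25:42 host=ws310 event=file_hash path=/tmp/a.bin sha256=" + "0" * 63 + "1",
    "2014-05-01T09:30:00 host=ws310 event=dns_query domain=intranet.example.test",
]

# Constructed allowlist of issued USB devices, keyed by (vendor id, product id).
APPROVED_USB = {("046d", "c52b")}

# Constructed "threat signatures" of the kind a security team distributes:
# known-bad domains and file hashes. Values are placeholders, not real IoCs.
SIGNATURES = {
    "domains": {"update-checker.example.invalid"},
    "sha256": {"0" * 63 + "1"},
}

# Hypothetical portal a quarantined host is still allowed to reach.
NIRT_PORTAL = "nirt-portal.example.test"

KV_RE = re.compile(r"([^\s=]+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def triage(lines, approved_usb=APPROVED_USB, signatures=SIGNATURES):
    """Return one Finding per event that violates the device policy or matches a signature."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "usb_connect":
            dev = (ev.get("vid"), ev.get("pid"))
            if dev not in approved_usb:
                findings.append(Finding(host, "unauthorized_device",
                                        f"vid={dev[0]} pid={dev[1]} serial={ev.get('serial')}"))
        elif kind == "dns_query":
            if ev.get("domain") in signatures["domains"]:
                findings.append(Finding(host, "known_bad_domain", ev["domain"]))
        elif kind == "file_hash":
            if ev.get("sha256") in signatures["sha256"]:
                findings.append(Finding(host, "known_bad_hash", ev["sha256"]))
    return findings


def quarantine_hosts(findings):
    """Hosts to move into the walled garden: any host with at least one finding."""
    return sorted({f.host for f in findings})


def walled_garden_rules(hosts, portal=NIRT_PORTAL):
    """Network policy for quarantined hosts: allow only the portal, deny everything else."""
    rules = []
    for host in hosts:
        rules.append((host, "allow", portal))
        rules.append((host, "deny", "any"))
    return rules


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} ({f.detail})")
    for rule in walled_garden_rules(quarantine_hosts(found)):
        print(rule)
```

Running the script flags the unknown USB device on ws017, the signature-listed domain lookup from ws204 and the matching file hash on ws310, and emits allow-portal/deny-all rules for those three hosts; the keyboard receiver on the allowlist and the intranet lookups produce nothing. In a real deployment the allowlist and signature sets would be fed from the team's own distribution channel rather than hard-coded.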

But it may not just be zero day flaws and Trojans that NIRT is looking for. In 2012, a former employee of the Federal Reserve Bank of Kansas City filed a civil complaint alleging that his bosses may have used the NIRT to find "inappropriate files" on his and other older or longtime employees' computers, as a pretext for firing them. Christopher Nelson, who at the time he was fired had worked for the Federal Reserve Board for 21 years, claimed he was told that a scan of his computer had uncovered a file containing "inappropriate content," a charge he denied.

The complaint Nelson filed in U.S. district court in Missouri doesn't state the nature of the content, and an attorney for Nelson declined to comment because the lawsuit was eventually settled out of court. But a former NIRT member said the group usually scanned employees' computers looking for security threats, such as unauthorized devices that were inserted into a computer's USB port. In the course of the scanning, the NIRT sometimes came across information, including emails, that if it were revealed publicly could prove "embarrassing" to the employee, the former NIRT member said. He declined to speak more specifically, but implied that such information might have included pornographic images or off-color jokes and remarks made in emails.

But former NIRT employees said the high level of scrutiny is to be expected given the team's vital mission and the damage that a major cyber attack on the central bank would cause. Some of those who've worked in the NIRT see themselves as members of an elite club.

"Information security at the Fed isn't just about protecting information -- it's protecting the dollar," said a former team member. "It makes the work a hell of a lot more important than it would be in another organization."


National Security

Breaking Bad

How America's biggest corporations became cyber vigilantes.

The Pentagon is gearing up for cyber-warfare. General Keith Alexander, commander of U.S. Cyber Command, testified in March that the Department of Defense "is conducting a coordinated, thorough review with the Joint Staff of existing standing rules of engagement on cyberspace. These revised standing rules of engagement should give us authorities we need to maximize pre-authorization of defense responses and empower activity at the lowest level." NATO's Cooperative Cyber Defence Centre of Excellence recently released its "Tallinn Manual," outlining how international law can be translated to cyber warfare. And, as Ellen Nakashima of the Washington Post reported last month, the Department of Defense may broaden its authority and ability to combat attacks not only on its own systems, but also against private computers, including infrastructure abroad.

This latter development is crucial -- after all, the private sector is critical to national security, intellectual property is a pillar of the American economy, and protecting citizens not only from physical but also virtual threats is a core function of government.

The problem is that the government is not the only one taking on cyber threats. Corporations, which have long worked to defend their networks from intrusion, are increasingly going on the offensive, turning from firewalls to retaliation. William J. Fallon, former commander of U.S. Pacific Command and U.S. Central Command, recently wrote about a survey of cybersecurity executives conducted by his firm, CounterTack, Inc.: "more than half [of the respondents] thought their companies would be well served by the ability to 'strike back' against their attackers." This raises important questions about cyber-warfare and the role of private companies. What happens when a corporation takes matters into its own hands? What if its attacks hit the wrong target, involve a foreign government, or lead to escalation? In short, what happens when corporations become cyberwarriors?

These are not theoretical questions. In January 2010, Google announced it had been hacked the previous month in an attack nicknamed Operation Aurora that was traced back to China. The hackers exploited a previously unknown vulnerability in Microsoft's Internet Explorer, routed the attack through servers at two Chinese educational institutions to hide their tracks, accessed Gmail accounts and -- more importantly -- stole Google's source code. When Google discovered the attack, "the company began a secret counteroffensive," according to the New York Times. "It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at least 33 other companies, including Adobe Systems, Northrop Grumman, and Juniper Networks." McAfee's George Kurtz wrote, "Like an army of mules withdrawing funds from an ATM, this malware had enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays."

Some in the field cheered Google's aggressive response, and some are following in its footsteps. Matt Buchanan at the technology blog Gizmodo commented, "It's pretty awesome: If you hack Google, they will hack your ass right back." The CounterTack survey found that 29 percent of participants felt that their "company would be well-served if it could proactively strike at the attackers' infrastructure to minimize threats" and an additional 25 percent said that their "company's data would be more secure if the company would strike back, but only if were attacked first." In June, Reuters reported, "Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action." At this year's Black Hat conference in Las Vegas in July, a poll of 181 participants revealed that 36 percent had already engaged in retaliatory hacking in the past, with 23 percent having hacked back once and 13 percent frequently. And Tim 'TK' Keanini from nCircle, which conducted the poll, thinks the real numbers are higher: "Retaliatory hacking is a huge topic at Black Hat this year, but we should take these survey results with a grain of salt.... It's safe to assume some respondents don't want to admit they use retaliatory tactics. It's very tempting to strike back out of anger and frustration."

Taking offensive action, such as intruding on another system to trace or block an attack, is among the more controversial measures institutions can take as part of what has been called "active defense," which also involves more defensive tools such as honeypots, which lure hackers into a trap, or bogus decoy files that make it more difficult for hackers to find valuable data. And if a company does not have the know-how to carry out a counter-strike, it can hire contractors. Brian Krebs wrote about such digital hit men in 2011: "Hackers are openly competing to offer services that can take out a rival online business or to settle a score." He also provided pricing for Distributed Denial of Service attacks similar to the attacks Estonia witnessed in 2007 and Georgia in 2008. They range from "$5 to $10 per hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month."

The threat to corporations is not going away. "Operation Aurora was one of the most visible attacks we've seen in years. It wasn't the first of its kind, nor will it be the last. The sophistication levels and frequency of attacks will likely continue to increase," McAfee's Rees Johnson warns. But Fallon cautions against companies' enthusiasm for offensive action: "In my opinion, this mindset reveals misplaced priorities. Enterprise should focus on its core business, while defending the most critical assets, not striking back at unseen adversaries." Keanini agrees, saying, "As infuriating as cyber criminals can be, this 'eye for an eye' code of justice can be extremely dangerous." And even if the unmasked hacker is deterred from attacking again, what happens if the company gets it wrong or causes collateral damage? What if companies trigger an escalatory spiral that puts national security at risk?

As Max Weber might have put it, the government needs to maintain control over the legitimate use of force -- whether physical or virtual. The CounterTack survey offers a straightforward solution. It prefaced the question "would your company's critical infrastructure be better protected if you moved away from a 'defense only' strategy and started to play 'offense'?" with the caveat "if there were no legal ramifications." In other words, the government must make clear to companies that they will face legal ramifications if they decide to take matters into their own hands in cyberspace without government sanction. And Robert Clarke, an attorney at U.S. Cyber Command, points out that such action may already violate the Computer Fraud and Abuse Act.

But the government must also fulfill its protective role. Joel Brenner, former senior legal counsel at the National Security Agency, explains that "After the Google heist, companies started asking the government for help in defending themselves against nations. This was unprecedented." The State Department announced an official complaint, and Secretary Clinton said, "We look to the Chinese authorities to conduct a thorough review of the cyber intrusions that led Google to make its announcement. And we also look for that investigation and its results to be transparent." Yet little has changed since the 2009 hack. The high-profile hack in 2011 of another top technology company, RSA Security, shows that the private sector continues to be targeted by Advanced Persistent Threats. And later that year, the U.S. Office of the National Counterintelligence Executive publicly blamed China for conducting economic cyber-espionage. So if a tech-savvy company gets hacked again, it would not be too surprising if it decides not to call Washington and takes matters into its own hands instead.

So if companies are already taking to the cyber battlefield, a more concerted discussion is essential. As retired Lieutenant General Kenneth Minihan, former director of the National Security Agency, argued at the RSA security conference earlier this year, "It's time to have the debate about what the actions would be for the private sector." Especially since Janet Napolitano, Secretary of Homeland Security, said in April that she was considering having private entities participate in "proactive" efforts against hackers abroad. There has been little follow-up since then, however, which raises the question: is this discussion still ongoing, or, if it has come to a close, what was the outcome?
