Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

May 2019
NCFTA analysts, who monitor real-time cyber threats, analyzing malware samples in the organization’s research lab in Pittsburgh.

The NCFTA gets both sides to sign on and then puts them together in a room to share information on cybersecurity.
It started as an idea in Pittsburgh in the 1990s. Some people in law enforcement, private industry and academia thought that there had to be a better way to fight against cyber crime. And they were convinced that the key was sharing information. After years of trial and error, the National Cyber-Forensics & Training Alliance [NCFTA] was officially founded in 2002. It began with volunteers and government grants. After a few formative years, it has grown to more than 60 employees, most of them intelligence analysts. But what makes it special is that its members, known as partners, are from law enforcement and private companies. And they work together in the same room. The Federal Bureau of Investigation was the initial agency that helped get things started, and still has the largest footprint. But next to the FBI are representatives from the U.S. Postal Inspection Service, the United States Secret Service, Homeland Security Investigations, the Drug Enforcement Agency, the Internal Revenue Service, and even the United Kingdom’s National Crime Agency. The 150 supporting corporate partners have the opportunity to work side by side or participate remotely. About 70 percent of the funding for the nonprofit comes from the private partners, and the balance from the government agencies.  
     Though the organization has garnered international recognition by professionals in the field, it’s not exactly a household name. Matt LaVigna, who has been CEO since 2016 (and who worked for more than 26 years at the Secret Service), acknowledges that its biggest publicity boosts are more likely to come by word of mouth than from tweets. Yet, the NCFTA expanded in 2017 and opened an office in New York and a second in Los Angeles. Still, LaVigna likes to point to the unofficial tagline that the group sometimes uses, which seems to capture its self-image perfectly: “For the committed, not the curious.” He talked about the challenges of getting highly regulated and reputation-conscious companies to open up—with each other and with law enforcement. Many companies tend to keep silent about ongoing cyber incidents and fraud that siphons data and profits. When they choose to go it alone, he adds, they are playing right into the cyber criminal’s hands. 

CyberInsecurity News: How has the NCFTA changed since the early days?  
Matt LaVigna: When it first started, it was more narrowly focused, and it was trying to prove the model of can we establish trust among industry and between industry and law enforcement. And it’s important to understand that there are two different things there: for industry to be able to collaborate among itself, across different industry sectors, and then between industry and law enforcement. But in the early days, it was focused on just a few issues. For example, let’s see what we can do to address spam. And which companies and industries are impacted? And on the technical side, who can help, and where are leverage points that law enforcement can use to inject themselves in and disrupt the flow? Today it’s a myriad of things. It goes from the very technical, purely cyber, such as malware and botnets, through the entire scheme of cyber-enabled crimes. What I mean by cyber-enabled crimes is the use of computers and the internet to further a criminal scheme.  After all, the purpose of a hack or a breach is to deal data—not just to steal it and possess it, but then to monetize it.  And the monetizing is what feeds crimes. Today it varies from malware to phishing, ransomware, credit card fraud, account takeovers, credential theft, human trafficking, IP rights violations, illicit pharmaceuticals, skimming at the point of sale, and on and on.

CIN: That’s quite a gamut.
ML: And that’s just the tip of the iceberg. We exist to enable industry to have a seat at the table and have a direct voice to the government or law enforcement in order to identify the things that are impacting them the most. Otherwise, from my background in law enforcement, it’s very reactive. A victim would call a local office and report a crime. Unfortunately, whether that agency has the ability to open a case on that specific incident depends on their office resources and capabilities and also on the local prosecutor’s office. If that incident is highly impactful to a particular victim or company, but it can’t be investigated because it doesn’t meet those thresholds, where does that go? What we strive to do is have those things reported through us so that we can connect that with another victim, and another victim, and another victim, and then link the seemingly one-off incidents and make it actionable for law enforcement.

CIN: Sometimes when people talk about cyber crimes, they sound far away and abstract—out in space somewhere. But you’re talking about the impact, and that doesn’t sound abstract at all.
ML: Absolutely. These are real things that happen to real companies and real people. And there are humans behind those threats. Yes, they’re leveraging machines. And yes, they’re leveraging technology. And yes, they’re exploiting our human behavior and how we interact with the internet. But there are actual people behind that. What’s very important is for industries to recognize that they have to report things, to work with others. And then, at the end of the day, help someone who can make an impact and disrupt that. And the only one who can do that on a large scale for everybody is law enforcement. Both in the United States and globally.

The Payoffs
CIN: What are the biggest benefits of membership?
ML: You don’t know what you don’t know. Joining a trusted community, where you can freely discuss some of your challenges without that going public and learn what others have found to be solutions, is a direct benefit. Just having a conversation with another company, even potentially a competitor, about a common issue that’s a threat or risk is an extremely big benefit. And then having a conversation with the government or law enforcement about an issue today or an area where they might be able to help, and doing all that under the radar, so to speak, where it is not publicly splashed across media outlets—that’s big. 

CIN: What do the agencies get back in return for their efforts?
ML: The agencies get access to knowing what the most impactful issues are that they should be focusing their limited resources on. And they get access to all of the cyber superheroes and subject matter experts that are out there in private industry. The government has very limited resources in that area. And so this is a way to leverage those resources and be a force multiplier for each other. For law enforcement, it’s the subject matter experts and hearing about the critical issues. And for private industry, it’s fighting back.

CIN: There are other organizations in the United States that work to facilitate information sharing on cybersecurity. Can you name some that you consider peers in some sense?
ML: The government itself has different levels of engagement. For example, the Secret Service has electronics crimes task forces where the private sector and their regional Secret Service field office engage in cyber crime knowledge sharing. The FBI has the InfraGard program. That’s where their regional private-sector engagement resides. There are industry-specific Information Sharing and Analysis Centers [ISACs]. There’s a financial services ISAC, a health ISAC, an auto ISAC, a legal ISAC and several others. Then there are regional-level Information Sharing and Analysis Organizations [ISAOs].  They’re generally limited within a certain locality or region. There are many different organizations that do similar things, and yet they are still different.

CIN: What’s the most important thing about your program that distinguishes it from the other programs that you’ve named?
ML: One is our direct engagement and participation with law enforcement—literally in-house. The second is cross-sector collaboration. We have representatives from financial services, telecommunications, manufacturing, the government, some critical infrastructure, health care and others. There’s really no industry that would not be a good fit for us. And just as valuable, if not more valuable, are our staff, our access to external resources and our intelligence analysis capabilities.

The NCFTA Moment
CIN: You had an experience at the NCFTA even before you were a paid employee that had a profound effect on you. You worked close by, and you used to spend time there when you were still with the Secret Service.
ML: I started attending meetings here and talking with private-sector partners and identifying very good cases to refer out to different Secret Service field offices that could be addressed. That’s one of the carrots for the private sector: “Somebody’s going to do something about this problem I have.” Who are the victims? How much information do they have? Can we gather more information? And can we push it out to the field and make it actionable, and have it investigated and ultimately prosecuted? So I started there. And I was very successful finding cases that could be worked. I identified the serendipitous moment—we call it the NCFTA moment—where I just happened to mention a counterfeit case that the Secret Service was working in Pittsburgh, and what was unique about the case was that the particular counterfeit note had only appeared in Uganda and other parts of Africa, and one day it appeared here in Pittsburgh. So that was very impactful for us. One of the law enforcement officers embedded at the NCFTA came to me within three days and said, “I think I identified your man.” That was eye-opening. I was not even aware that that particular agency had access to the information that they had. And they were able to cull it and filter it and identify some good leads that were spot-on, and probably within a week we knew exactly who we were targeting here in the U.S. And that led to a much broader investigation: dark web contacts and counterfeit manufacturing based in Uganda and shipping counterfeit notes to the U.S. That individual just pled guilty in Pittsburgh a couple of weeks ago. 

CIN: What is an NCFTA moment?
ML: Our office space is an unclassified environment. Which is the opposite of many government office spaces. So we have an open environment in which people hear other people talking. And that’s by design. An NCFTA moment is somebody in the office overhearing a conversation and just walking up and saying, “Hey, I heard you guys talking about that, and we’ve been looking at that too.” Or: “I think that impacts us. Can you tell me more?” The opposite—in another environment—would be, “Why were you listening to our conversation?” So it’s something that you might not have known that somebody else is working on that leads to success for your investigation or for your company.

CIN: Kind of like designed serendipity.
ML: There you go.

Sharing Data Is Almost Taboo
CIN: What are the biggest challenges?
ML: Helping industry understand how to share information, what information to share and why. That’s probably the biggest challenge. Today sharing data is almost taboo. It sets off alarms when you use a four-letter word like “data.” That’s a very challenging topic internally in the corporate world. And communicating that with the private sector is probably one of the biggest challenges: trying to get them over that hurdle—that it can be done safely, is acceptable, that it is to their benefit, and ultimately it’s to the benefit of the greater good and cybersecurity in general.   

CIN: How do in-house lawyers from partner companies get involved in your work?
ML: Our first touch point with in-house lawyers is during the introductory period, or signing on, or a company getting approval to join an information-sharing organization. Signing a confidential membership agreement. And typically we would have been having conversations with a chief information security officer [CISO] or their representatives or a chief security officer or a fraud team at the company. And they get it, and they’re antsy and want to get engaged and want to go. And then there’s the “but … I have to go to our in-house counsel.” So we’ve had these long conversations with the operators, and then they have to hand the conversation over to the general counsel: “We have the funding. Here’s what we want to do.” And the general counsel was not in any of the previous conversations, and so we have to have a one-on-one. And it works. It always works. We just have to articulate and explain down in the weeds exactly what it is that we do, and what it is that we would hope that they would approve their company to engage in.

CIN: What kinds of problems are the in-house lawyers concerned about when they’re examining the partnership agreement, and how do you resolve them?
ML: A lot of it has to do with contract language. Take, for example, the term “confidential information.” By default, we share confidential information. You could talk to 10 different lawyers and get the same response: “We’re not going to share company confidential information.” Confidential information meaning a particular fraud scheme. Maybe even the existence of the incident is confidential. That means don’t talk about this publicly, don’t tell anybody, just keep this in-house. And if that’s the culture and the mindset, then that organization would not be a good fit here. And another way is just strictly on contracts—we do have confidential membership agreements with all of our members. Sometimes it’s our agreement; sometimes it’s their agreement. Sometimes the lawyers say, “Everyone we have a relationship with has to sign our master service agreement [MSA].” Ughhh! That’s the challenging moment. Because then none of it really fits. We are not your typical “vendor.” It’s all standard vendor or supplier language that can be very challenging for us. We hope it doesn’t become expensive for us, but if necessary we can then engage our outside counsel with contracts and language and the typical redline back and forth. If we can engage early on with the attorneys, during the initial introductions and conversations, then they know it’s coming, and it makes it a lot smoother.

CIN: And how do you solve the MSA problem?
ML:  We just say, “Hey, it’s definitely going to be an easier process if we just have a conference call.” Having a conference call with the end user—it could be the CISO, the intelligence team, the fraud investigative team—with them and the attorney at the same time.  And then the end user can explain it to their own attorneys. And we can explain it, too. And that goes much more smoothly.

CIN: But you’ve always been able to solve it?
ML: Yes. [laughs] I say yes always, but it happened just yesterday that it did not. But I don’t want to say it was an attorney thing. It was actually an organizational thing. It was an international organization that included in its ultimate membership group certain countries that would preclude them from actually being a member by our rules. For example, those known countries that are supporting cyber crime or terrorism. Those on the list. That just wasn’t going to work. We do have global companies. We’re not just U.S. company-centered. But to answer your initial question, we’ve always been able to resolve the legal hurdles.

CIN: Are there certain companies that you wouldn’t be able to include because of issues along the same lines? Let’s take the example of the cybersecurity company Kaspersky Lab. There’s been a lot of litigation over Kaspersky.  We could mention Huawei, too, where there’s a lot of controversy, and suggestions that these are organizations that are under the sway of governments that have certainly been accused of a great deal of cyber crime. Would those companies raise the same red flags as you just described?
ML:  Yes, potentially they could. It’s a community. All of our members, all of our partners could potentially have issues there. One, we have government partners. Two, the companies that are partners here have trust in us and all of the other members. It’s a consortium. They all trust each other, and they all basically have the same agreement on how they’re going to handle information, and for what purpose and where it’s going to go. And if we were to bring in an entity that could potentially disrupt that trust, even if it impacted only one current partner, that wouldn’t work.

CIN: Have you ever had a situation where you thought you would allow some organization to join, and then you heard from others that this was not something that they were comfortable with, and you had to go back and rethink it?
ML: One comes to mind. And actually you just brought it up. And it’s not a partner. It’s more of a relationship. You brought up Kaspersky. It was one of the founding entities or companies that was involved in a project at Europol called No More Ransom. No More Ransom is a noncommercial entity. The purpose is to combat ransomware, and it’s based at Europol, so they control it, but there are many foreign law enforcement entities that are engaged. Some might not have very good relationships with the U.S. There are many private-sector companies that are supporting it in several different ways. Some U.S., some not. And then Kaspersky was also there. We were asked to join. And just last week I decided that we would join the project as a supporting partner, because the purpose is to provide resources to victims and to publicize that there are options and practices to prevent being a victim to ransomware attacks. So the single holistic mission overweighed the potential affiliation conflict—there really isn’t any. We’re not working directly with those countries or any one of those companies. It’s a project for the greater good, and I felt it was in the best interests of our community, our citizens and global cybersecurity for us to get engaged.

CIN: Do you have any success stories you’d like to share?
ML: There are many. Just last year, the collective work that we’ve done, based on what’s being reported back to us, we helped support or initiate 525 law enforcement cases. Law enforcement, based on their engagement here, initiated 139 arrests. Loss avoidance to the private sector was over $250 million. Seizures of intellectual property violations were in excess of $34 million. So those types of successes demonstrate that yes, it does work, and yes, it does make an impact.

Takeways for In-house Lawyers
CIN: What are three takeaways that you want to leave for in-house lawyers?
ML: It’s a cliché, but the government is truly here to help. Engaging with law enforcement before an incident should be preferable to post-incident, or worse, not at all. And information sharing on cyber-related topics is the right thing to do in our global community. When you’re shown the way, relationships with your peers and with law enforcement can be extremely beneficial. And—this is just my opinion—it’s counterproductive to your own security to avoid talking about things. What I mean by that is that in the majority of companies, when an incident happens they try to address it, fix it and move on. It’s not good for a reputation or a brand to talk about it or go outside the walls with any of this information. Notwithstanding any type of mandatory reporting, of course. And that may include not talking to law enforcement. And I would say, “How do you think that problem got to you in the first place? Somebody else did the exact same thing.” As you’re sitting there, pounding your head against the table that there’s a ransomware notice on every one of your corporate computers or you’ve been defrauded by cyber criminals for millions of dollars, and then you learn your neighbor already dealt with it before and never told you—that would certainly frustrate me, to say the least. I use the example of your neighborhood. If your neighbor has her car broken into one night, and you’re talking over the fence the next day and she says, “There’s someone going around the neighborhood, breaking into cars,” you say, “Thanks for telling me.” We don’t think twice about that. Why are we so circle-the-wagons and tight-lipped when it comes to cyber?