Inside the secret Fed cybersecurity unit keeping trillions of dollars safe from hackers.
- By Shane Harris
Shane Harris is a senior staff writer at Foreign Policy, covering intelligence and cyber security. He is the author of The Watchers: The Rise of America's Surveillance State, which chronicles the creation of a vast national security apparatus and the rise of surveillance in America. The Watchers won the New York Public Library’s Helen Bernstein Book Award for Excellence in Journalism, and the Economist named it one of the best books of 2010. Shane is the winner of the Gerald R. Ford Prize for Distinguished Reporting on National Defense. He has four times been named a finalist for the Livingston Awards for Young Journalists, which honor the best journalists in America under the age of 35. Prior to joining Foreign Policy, he was the senior writer for The Washingtonian and a staff correspondent at National Journal.
If the U.S. central banking system is ever hit with a crippling cyber attack, a group of roughly 100 government employees working in a three-story fortress-like building next door to a Buick dealership in East Rutherford, N.J., will be among the first to know about it. That’s where, almost entirely out of sight, a team from the Federal Reserve System’s crack cyber security unit is constantly on watch for malicious hackers, criminals, and spies trying to breach the computer networks of the Fed, its regional banks, and some of the most critical financial infrastructure in America.
The National Incident Response Team, or NIRT, as the group is called (pronounced "nert"), tries to prevent intruders from breaking into Fed computer networks and money transfer systems used by thousands of banks across the U.S. every day. Among the team’s most important protectees is the Fedwire Funds Service, a real-time settlement system that banks use to transfer money between accounts. In 2013, Fedwire handled on average $2.8 trillion in transfers every day.
For several years now, current and former U.S. officials, as well as bank executives, have warned that cyber attackers could sow mass panic by disrupting critical financial networks such as the ones NIRT protects, causing the systems to crash or manipulating information so that customers didn’t know how much money was in their accounts and financial institutions couldn’t square their ledgers. The nightmare scenario for NIRT members is a malicious hacker gaining access to Fedwire or to sensitive computers used by the Treasury Department, such as the International Treasury System, which the federal government uses to make payments directly to foreign individuals and companies around the world and is also monitored by the NIRT.
The cyber security team is the first line of defense for the central banking system. "If there’s a breach of Fedwire or another critical system, they’re going to wake the [Federal Reserve] chairman up out of bed," said one former NIRT member. "That’s a shit-your-pants type of emergency. Anything that compromises the faith and trust in the [government-backed] money system. And that’s all bound to the Fed and Treasury systems."
So far, the U.S. financial system has avoided a cyber calamity, a testament to the NIRT’s skill and the defensive precautions that the Fed has taken to closely police its networks, say former employees and cyber security experts. (Or a commentary on the relative lack of skill of some hackers. Those same security experts — and government officials — say that thousands of attempted intrusions occur against U.S. financial networks every day, but few get through.)
But for all its apparent success, the NIRT is unusually secretive. There is nary a mention of the group in press articles, and its work has rarely come up at congressional hearings. Federal Reserve Board officials declined several requests from Foreign Policy for interviews about the NIRT. Some former team members said they couldn’t discuss their work, citing confidentiality agreements. Those who would speak for this article would only do so anonymously.
For such an expansive mission, the NIRT is relatively small. About 100 employees, by one former team member’s estimate, scour the Fed’s computer networks every day looking for the tiniest signs that data is being removed, or exfiltrated, by an unauthorized source. The NIRT’s sensors are so finely tuned that if a Federal Reserve employee at any of the system’s twelve regional banks in the U.S. connects an unauthorized phone or other device to his work computer, the NIRT will be alerted and, if necessary, confiscate the computer and run forensic tests on it, said one former NIRT member. Another said that if the team detects that a computer may have been infected with a virus or is accessing a website that might be loaded with malicious software code that could steal data from the computer, the security team will quarantine the machine and limit its access to other networks.
"They’ll dump you into a walled garden so that you can’t get to anything but the NIRT homepage," says the former team member. "You’ll get a splash screen that says, ‘This computer has been compromised. Call NIRT.’"
The NIRT is not a typical technology help desk — it doesn’t field calls from bank employees who need help resetting a password. The Fed only calls in the team "for incidents that are deemed to have higher impact," according to a 2013 report by the Fed’s inspector general. The team offers eight different security services to the Fed board and its reserve banks, primarily security monitoring, forensic analysis of traffic flows and attempted cyber attacks, and alerts and warnings about potential threats, a NIRT representative told the inspector general.
The team is particularly vigilant for malicious software programs called Trojans that are designed to steal data from computer networks or install so-called backdoors that let hackers come and go on the network without being detected, former employees said. "The NIRT had a wicked budget for forensics work stations," said one former team member, referring to computers and tools that help analysts determine how a hacker breached a network or infected a computer.
Those tools are mostly used to assess break-ins at one of the approximately 3,000 commercial banks that are members of the Federal Reserve System and can ask for help from the NIRT after a major event. Commercial banks are routinely targeted by financial criminals and are primarily responsible for protecting the accounts of their individual customers. They’re required to report any breach of their networks to their regional Fed branch, which then alerts the NIRT.
"If a member bank gets compromised or there’s a breach, we make sure it didn’t affect the Fed," the former NIRT member said. "We’ll look at our systems and make sure we weren’t penetrated and that there was no exfiltration." The NIRT can help a member bank understand how it was attacked and what information was lost, and put defenses in place to prevent further damage. But the team’s main concern is always the security of the Fed itself. Two former NIRT employees who helped analyze break-ins at commercial banks said they couldn’t recall an instance in which the Fed suffered a significant breach that resulted in a loss or manipulation of data. Last year, hackers commandeered a public Web site that the Fed uses to communicate with commercial banks, but officials said no sensitive systems were affected.
In general, the Federal Reserve has some of the best cyber security procedures in the government, experts say. "The Fed is perhaps the best of the federal agencies in developing their cyber skills, outside the FBI and the National Security Agency," said Alan Paller, the director of research at the SANS Institute, which teaches cyber security courses for government employees. Former NIRT members said that even minor changes to the Fed’s cyber security protocols have to be defended in person to a review board of engineers. In 2013, the Fed’s inspector general gave a clean bill of health to the central bank’s overall information security program, which includes the NIRT and other teams focused on more mundane tasks.
The Fed’s cyber security is so well regarded, in fact, that last year an advisory panel comprised of chief executives from some of the country’s biggest commercial banks recommended putting the Fed in charge of cyber security for the entire financial services industry. The panel determined that the Fed already has the systems and procedures in place to serve as a broker between banks and law enforcement and intelligence agencies, sharing information about potential cyber attacks without revealing proprietary information that the banks want to keep secret, according to minutes of the panel meeting obtained by Bloomberg.
The NIRT’s primary operations center is in a 400,000 square-foot facility in New Jersey, called the East Rutherford Operations Center, a short drive from the New York Stock Exchange and the financial district of Lower Manhattan. The building handles cash for the Federal Reserve Bank of New York (billions of dollars in paper currency and coins arrive regularly in armored vehicles), and it was designed as a "fail-safe" and secure environment, according to its architect. All of the building’s incoming power and utility lines have redundant features and are backed up by a diesel generator in case the facility loses electrical power because of an outage or a physical attack.
Forensic analysts for the NIRT also work at the Fed’s New York branch, in Manhattan, and a team devoted to finding ways to break into computer networks, in order to defend the bank’s own systems, works in the Fed branch in San Francisco, according to former employees. Publicly posted job descriptions for NIRT positions show the unit is looking for highly skilled experts who know how to reverse engineer malicious software, study traffic flows, conduct "post mortem" examinations of compromised computers, and come up with defensive security techniques on the fly. A top secret security clearance is required.
While they’re on the job, NIRT employees are as closely monitored as the Fed’s networks. To guard against anyone using insider information gleaned from the Fed’s operations or policy-making, anyone with a top-secret security clearance is generally prohibited from purchasing stocks except through an index fund, which pools purchases into groups chosen by brokers.
"If you did want to buy a stock, you’d have to fill out a form and explain why," one former NIRT employee said. "If anything hokey goes on, Protection is going to pick you up," he said, referring to the Fed’s internal police department. Employees are even watched when they’re performing routine maintenance on bank equipment. "If I was installing a switch in the data center, there was a guy with a machine gun watching. They’re not messing around," the former employee said.
The NIRT also protects Federal Reserve research networks, which economists use to make financial forecasts and conduct research on policy issues on behalf of the Board of Governors and the powerful Open Market Committee, which makes decisions about interest rates and the growth of the U.S. money supply. The same former NIRT employee said that some of the research is so sensitive it’s conducted only on networks that have no connection to the Internet, so that criminals or foreign spies can’t access information that might help them discern the direction of U.S. policy.
Another big part of the NIRT’s job is warning Fed employees about malicious computer programs that have been found circulating on the Internet and hacking techniques that intruders might use, such as hiding viruses inside attachments of legitimate-looking emails. The team sends out regular updates containing so-called "threat signatures" that employees should use to protect themselves and their networks. A former NIRT member said the group also has a team of researchers dedicated to finding zero-day vulnerabilities, which are flaws in computer software that haven’t yet been discovered by their manufacturer. The Heartbleed vulnerability that recently set off alarms and led computer users to rush to change their online passwords is one example.
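The two monitoring behaviours described in this article, alerting on an unauthorized device plugged into a workstation and quarantining a machine that matches a distributed "threat signature," can be illustrated with a small log-checking script. The following is an added example written for this page; it is not NIRT's or the Federal Reserve's code, and the log format, hostnames, USB ids, flagged hostname and attachment hash are all constructed for the demonstration. It parses endpoint events, compares device ids against an allowlist, matches web destinations and attachment hashes against a signature list, and returns a per-host quarantine decision plus the single destination a quarantined host may still reach (the "walled garden").

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed allowlist of approved USB devices (vendor:product ids are made up).
APPROVED_USB = {"0781:5583", "046d:c52b"}

# Constructed "threat signatures": a flagged destination host and a known-bad
# attachment hash. The hash is of a made-up byte string, not a real sample.
BAD_HOSTS = {"malware-drop.example"}
BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-attachment").hexdigest()}

# Constructed endpoint log format: "<timestamp> host=<name> event=<type> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\w+)\s*(?P<rest>.*)$")

# Constructed sample log lines; hostnames, ids and timestamps are invented.
SAMPLE_LOG = [
    "2014-05-01T09:00:00Z host=ws-0101 event=usb_attach id=0781:5583 label=issued-key",
    "2014-05-01T09:02:13Z host=ws-0107 event=usb_attach id=18d1:4ee1 label=personal-phone",
    "2014-05-01T09:05:40Z host=ws-0107 event=http_request dest=malware-drop.example path=/dl",
    "2014-05-01T09:07:02Z host=ws-0203 event=attachment sha256=" + next(iter(BAD_SHA256)),
    "2014-05-01T09:08:00Z host=ws-0101 event=http_request dest=www.federalreserve.gov path=/",
    "garbage line that does not match the format",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a field dict; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable input is skipped rather than guessed at
    fields = dict(m.groupdict())
    for kv in fields.pop("rest").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return fields


def check_event(fields: dict) -> Optional[str]:
    """Return a reason string if this event should raise an alert, else None."""
    event = fields["event"]
    if event == "usb_attach" and fields.get("id") not in APPROVED_USB:
        return "unauthorized device %s (%s)" % (fields.get("id"), fields.get("label", "?"))
    if event == "http_request" and fields.get("dest") in BAD_HOSTS:
        return "request to flagged host %s" % fields["dest"]
    if event == "attachment" and fields.get("sha256") in BAD_SHA256:
        return "attachment matches known-bad signature"
    return None


def quarantine_decisions(lines) -> Dict[str, List[str]]:
    """Map every host with at least one finding to the list of reasons for it."""
    decisions: Dict[str, List[str]] = {}
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reason = check_event(fields)
        if reason:
            decisions.setdefault(fields["host"], []).append(reason)
    return decisions


def walled_garden_rules(decisions: Dict[str, List[str]],
                        help_host: str = "nirt.internal.example") -> Dict[str, set]:
    """For each quarantined host, the only destination it may still reach (hypothetical name)."""
    return {host: {help_host} for host in decisions}


if __name__ == "__main__":
    found = quarantine_decisions(SAMPLE_LOG)
    for host, reasons in found.items():
        print(host, "-> quarantine:", "; ".join(reasons))
    print(walled_garden_rules(found))
```

Run as written, the script quarantines ws-0107 (personal phone attached, then a request to the flagged host) and ws-0203 (flagged attachment), leaves ws-0101 untouched, and ignores the malformed line. The design choice worth noting is that each finding is tied to a host and a reason, so the quarantine decision carries the evidence an analyst would need when the machine is later pulled for forensics.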
But it may not just be zero day flaws and Trojans that NIRT is looking for. In 2012, a former employee of the Federal Reserve Bank of Kansas City filed a civil complaint alleging that his bosses may have used the NIRT to find "inappropriate files" on his and other older or longtime employees’ computers, as a pretext for firing them. Christopher Nelson, who at the time he was fired had worked for the Federal Reserve Board for 21 years, claimed he was told that a scan of his computer had uncovered a file containing "inappropriate content," a charge he denied.
The complaint Nelson filed in U.S. district court in Missouri doesn’t state the nature of the content, and an attorney for Nelson declined to comment because the lawsuit was eventually settled out of court. But a former NIRT member said the group usually scanned employees’ computers looking for security threats, such as unauthorized devices that were inserted into a computer’s USB port. In the course of the scanning, the NIRT sometimes came across information, including emails, that if it were revealed publicly could prove "embarrassing" to the employee, the former NIRT member said. He declined to speak more specifically, but implied that such information might have included pornographic images or off-color jokes and remarks made in emails.
But former NIRT employees said the high level of scrutiny is to be expected given the team’s vital mission and the damage that a major cyber attack on the central bank would cause. Some of those who’ve worked in the NIRT see themselves as members of an elite club.
"Information security at the Fed isn’t just about protecting information — it’s protecting the dollar," said a former team member. "It makes the work a hell of a lot more important than it would be in another organization."