Rachael thinks to herself, ‘They worked this out before this meeting started. But Siemens did come through as the attack happened.’
The OEM representative says, “We will consider our participation and get back to you.” He drops from the telepresence.
Next, the insurance agent continues. “The public part of the task force will be handled by the Department of Homeland Security. As policy, an FBI Cyber Action Team will join us this afternoon. They have federal jurisdiction and global reach in assisting with computer intrusion cases. They will gather the intelligence that identifies the pattern and execution of the cyber-crime and determine if a threat exists to our national security or the infrastructure of the country. They will coordinate state-of-the-art technology and resources from federal, state, and local counterparts. Rest assured, the combined task force will get to the truth of the incident and those responsible.”
The initial meeting with Aetna took most of the morning. After lunch, Rachael's ombudsman guides her back to the conference room. Pointing to the large wall screen, the ombudsman says, “We have set up a video call with law enforcement. This call is required and it will be a formal interview by the task force on your incident.” The screen accepts an incoming call showing two standard-issue conference cubicles, each with a dark-suited man waiting attentively in their seats.
One of the men, a middle-aged man with a Homeland Security logo behind him, opens the conversation: “This is an official planning meeting of the FBI’s Cyber-Security Response Team. You are Rachael Greg, the Managing Director of North East Control Analytics, correct?” Rachael: “No, I am the CEO.” The agent shrugs off the correction: “I see. I am Special Agent Mark Peabody of the U.S. Immigration and Customs Enforcement, Homeland Security Investigations, Cyber-Security Response Team. Do you consent to this interview and proceeding being recorded?”
Rachael: “Yes, but please be sure that my lawyer and the insurance company receive full copies.”
Peabody, nodding, says: “Of course. I am working with Agent Lisa Dean, who will also be your representative to the FBI Internet Crime Complaint Division. She will work with your insurance company to ensure all official reporting is completed and be a conduit of information back to you and them from the FBI.”
Agent Dean, who looks more like another lawyer despite the FBI badge hanging from a chain around her neck, comments, “I’ve worked with Aetna before and there will be no issue with our communications. We have gotten the details through secure mail and also the vouchers for cost sharing. I'm sure they will be very cooperative and you don't need to worry about them.”
Agent Peabody: “Ms. Greg, it is our understanding that a cyber-attack and data breach occurred at North East Control Analytics yesterday.” She continues, “Ms. Greg, is your business involved with collecting rainfall and water use data in the northeast, as well as managing control of reservoir levels, spillway releases, and flow valves for water main distribution?” Rachael responds factually, “Yes. We installed our first systems in late 2023 and have managed contracts with multiple regional water boards since early 2024. Without prior incident and with excellent reviews, I might add.”
Agent Dean: “Ms. Greg, I need to baseline this meeting with specific formal statements that explain the legal underpinnings of this investigation. We are primarily acting under Presidential Policy Directive 21 (PPD-21): The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience and the associated clarifications in PPD-38 of 2022. This directive states, 'Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards.' This includes specific requirements in your responsibility, Ms. Greg, as a 'critical infrastructure owner and operator.' You must provide the task force access to your systems and share all related data. As this includes a cyber threat indicator, per CISA, you must also provide all your potentially affected customer data without redaction.”
Rachael protests: “What possible relevance could the customer data have?”
Peabody: “We need to determine, via correlation with other information we have from the NSA, if you were not the principal target of the attacks. Perhaps a customer of yours was the real target.”
Dean: “Our legally mandated responsibility is to protect you, your clients, and the general public. 'Federal departments and agencies shall protect all information associated while carrying out directive PPD-21 consistent with applicable legal authorities and policies.' Ms. Greg, to ensure this directive, we will coordinate all exchange of information, without exception. If we discover information regarding how the incident occurred and judge that it will help you improve your security for the critical infrastructure under your operation, we are required to exchange discovered and derived information from our findings back to you, and your customers.”
Rachael looks at her lawyer and asks, “Is this really necessary? It seems very invasive.” He nods and says, “I’m afraid so. Our roles are strictly prescribed when infrastructure is judged to be at risk. I think they have it right here.”