Many years ago I wrote a SANS paper on Community Policing the Internet (give me a break on the grammar – ChatGPT wasn’t a thing in 2003). In my paper, I tout the the mission of Infragard, a local chapter based community outreach organization fostered by the FBI (to the point the FBI provided background checks on persons wanting to join), for its ability to engage the frontline personnel employed by critical infrastructure sectors. It gave the FBI a means to get their agents in front of these members to start putting names with faces and hopefully trading contact information into each other’s Palm Pilot or Blackberry (that’s how old Infragard is – almost ancient in today’s tech world). But the premise of Infragard was sound and the local chapters in several regions grew and became examples for others. In Raleigh, we had the one of the largest chapters, Eastern Carolina, and met every other month at Cisco’s campus in RTP. At one point we scheduled a one day seminar with both Cyber and Physical tracks in Greensboro that sold out. From the perspective of a member, knowing your fellow members are vetted to some extent helped avoid some trust issues and overall the program seemed to be meeting its goals of engaging stakeholders who work for and operate critical infrastructures in an open atmosphere prior to a real need to engage the FBI when the proverbial shit hits the fan. As the organization grew, the growing pains of multiple chapters trying add a local flavor to their goals and operating parameters resulted in several annual Infragard National Congress sessions needing to have a certified parliamentarian (AKA Lawyer) to run the congress. But I think that just demonstrated the passion of some chapters to buck the system that they thought was limiting them in their mission. Luckily, there were enough level heads in the room to see the larger picture and keep Infragard alive. Yes, these sessions were that pretentious. Backstory complete, let’s look at today’s Infragard challenge.
Some months ago, a vetted member of Infragard leveraged their legitimate access to the Infragard portal to collect information on members who had a presence on the portal. As a team member on my corporation’s Fraud and Insider team, I have to ask if the portal had any tracking to indicate someone was potentially screen scraping thousands of member profiles and alerting or terminating the activity once detected? My guess is – a government ran portal not holding classified data, not a priority. Anywho, we get to day 2 after disclosure of the data by the perpetrator and the portal is shut down. Now, months later, we have an effort to re-open the portal which requires vetting of members once again. My account on the portal is tied to a public email provider that’s generally very good at identifying spam as spam and legit emails as legit. But I get an email to my corporate account that says you have not used a recertification link required to maintain your membership and failure to do so will result in you having to complete the new member application process. Yikes, I never got that email and not enough time had elapsed for it be dropped from the spam folder. So, failure #1 on this Infragard recertification effort. The last note mentioned another reminder would be coming out tomorrow and sure enough this one made it to my inbox. First step, visit link, step two enter last 4 of SSN. Check complete. Next step, fill out this form with all of your contact information with the first field being a confirmation code that was just triggered by the submission of my SSN last 4 that should arrive in my inbox any moment. I wait and I wait. I am old it’s my bedtime and give up after about 1/2 hour waiting on said confirmation code but in the meantime I completed all of the fields except the confirmation code. About eight hours later, I get the confirmation code. That’s failure #2 in my book. Great, I can complete the form submission. Only problem, I will not have access to that computer for a couple of days. So, while I had some time during my lunch break, I tried the link from the e-mail and it’s no longer valid. Failure #3. At this point, I am thinking the new member process might be easier.
As a person who served on the local Infragard board for years, assisted with Infragard before and after being on the board, served as a cleared FBI Cyber Squad member, and being a victim in the OPM breach as a result of being on said squad – this seems to be the typical knee jerk reaction that is forcing members to endure undue hardship to maintain membership in an organization that was victimized by an insider. Chalk it up to experience, limit details available on other members of the portal, require some random captchas for more than one profile view and trigger alerts or drop the user’s connection and disable the account, but don’t make it nearly impossible to complete the revetting process on those of us who still want to support the cause and see Infragard as worth saving. I guess I will wait for the drop dead email of last resort with another form link in it and hope the confirmation code is a little more timely.