Report: FBI Fails to Promptly Notify Cybercrime VictimsInspect General Cites Numerous Errors in How FBI Makes Notifications
The FBI is largely failing to notify cybercrime victims of their rights in a timely manner following a "cyber intrusion," a new report from the U.S. Justice Department's inspector general finds. At times, small errors, such as typographical mistakes, can cause long delays in the notification process, according to the report.
The report is critical of a system called Cyber Guardian, which the bureau uses to track and disseminate cybercrime victim notices. The inspector general says the system largely fails in making sure these notices are sent on time, especially when the issue relates to national security concerns. A new platform, dubbed CyNERGY, will replace it later this year, the report notes.
Not notifying victims of their rights in a timely manner is a violation of attorney general guidelines and could cause additional problems as agents investigate these types of crimes, according to the report. "Some victims complained about the timeliness of the notifications and whether the information provided by the FBI was adequate to remediate the threat to IT systems," the report states.
In one case, the report says, agents did not notify a company about a cyber incident until nine months later. By the time the FBI showed up to investigate, the firm needed to hire a third party to retrieve the logs needed for the investigation.
"The FBI cannot always control the amount of time that elapses between the date of a cyber intrusion and when the intrusion is discovered. However, it can control how long it takes to notify the victim once the attack and victim have been identified," according to the report.
The inspector general made 13 recommendations to the Justice Department and the FBI on how to improve the system, and they have all been accepted, according to a statement from the Inspector General's office.
To prepare the report, the inspector general's office conducted interviews at the FBI's headquarters in Washington as well as several major field offices, including those in Washington, Boston, New Haven, Philadelphia, Chicago and Baltimore. The inspector general's team also met with 14 organizations that received notices from the FBI that they were victims of a cybercrime.
Overall, the outside organizations that were victims spoke well of their interactions with the FBI, but issues of timely notifications remain.
The report also found that the bureau did not always coordinate with other government agencies following an incident, and Department of Homeland Security personnel did not always enter information into Cyber Guardian correctly, which meant that data sent to the bureau was incomplete.
While the report did not point to a specific incident that promoted the audit, the FBI's notification system has previously come under scrutiny. In 2017, the Associated Press reported that the bureau did not notify dozens of U.S. officials that their devices or accounts were hacked by a Russian-backed group called Fancy Bear, which is believed to have ties to that country's intelligence agencies.
Much of the Associated Press report is based on lawsuits filed against the FBI by the non-profit Electronic Privacy Information Center, which obtained the bureau's Victim Notification Procedures guidelines through a Freedom of Information Act request.
Those guidelines state the FBI is required to notify cybercrime victims when an incident occurred, "even when it may interfere with another investigation or (intelligence) operation," according to an EPIC blog post. "The FBI did not follow the procedures and failed to notify U.S. officials that their email accounts were compromised" following the hacks by Fancy Bear, the blog states.
Making a Shift
The most significant recommendation made in the Inspectors General's report is moving the FBI from the older Cyber Guardian system to the newer CyNERGY platform, which the report says should eliminate some of the coding and other information errors that the audit found.
The FBI is expected to move to CyNERGY later this year. The system is costing the government about $4.9 million to develop, according to the report.
At initial deployment, CyNERGY will have simplified data input, utilizing only the fields used most often in Cyber Guardian, including the title of the cyber event and classification of the title; reporting agency and related reference number; receipt method; activity type; event date and time; and victim's information, the report notes.
Other recommendations from the inspector general's report include:
- Developing clearer definitions of what constitutes a cybercrime victim so that the information is properly indexed;
- Ensuring that these victims are notified of their rights, according to the attorney general's guidelines;
- Updating older guidelines concerning what information can be released to victims.