FBI Cyber Crimes Division Not So Great About Passing Info To Victims Of Cyberattacks

The FBI wanted in on the cyberwar. The problem was recruits. Years of treating Americans and their rights like garbage have turned the young ones against the feds. The FBI struggled to find enough willing and able youthful whitehats to send to the frontlines of The Great War (Internet Edition).

The FBI had the budget, the permission, the power… but not the personnel. It also probably wasn’t the best agency for the job. The FBI knows investigations, but its part in the CyberWar included sharing info with private sector hacking targets. Sharing isn’t in the FBI’s nature. It appears to enjoy the sneakier parts of its cyber work, but when it comes to protecting companies and their customers, the FBI apparently isn’t up to the task.

A recently-released Inspector General’s report [PDF] shows the FBI is an unorganized mess when it comes to notifying victims of cyberattacks and data breaches. The FBI’s Cyber Guardian system received a purpose (notifying victims of cyber intrusions) and a nifty logo (a lion wielding a sword), but not much internal guidance or outside assistance.

The FBI is breaking the law by not doing the things it’s supposed to be doing. It’s violating an Executive Order, as well as the DOJ’s own policies on notification. Federal mandate says victims are to be notified. But failure every step of the way is apparently the process.

We found that not all victims were informed of their rights as required by the AG Guidelines. This occurred because: (1) the AG Guidelines are outdated since they do not consider the needs of victims of cybercrime; (2) there is no widely accepted definition of what constitutes a victim of cybercrime; and (3) there is currently no process for getting cybercrime victims’ information from national security cases into the FBI’s Victim Notification System - the FBI system used to inform crime victims of their rights.

Laying the groundwork for this compound failure was the system itself, which did not demand enough input from agents to generate usable intel that could be passed on to victims. The securing of the homeland and its inhabitants was further held back by the Department of Homeland Security, which wasn’t submitting information it possessed to the FBI’s cybercrime system, resulting in even less usable info. The DHS blamed the system’s user unfriendliness. The FBI agrees to a certain extent and plans to replace all of the stuff that isn’t working with something that might work better sometime this year.

At this point, however, this only means there’s been at least three years of mandated notifications the FBI has failed to handle competently. A little consistency would have gone a long way:

We also found that the amount of information and instructions for leads, which are used to assign tasks to agents such as victim notifications, varied depending on the author of the leads. Leads that contained little detail often made it difficult for agents conducting the notifications to make useful notifications to victims. Similarly, we found that the timeliness and quality of cyber victim notifications affected victims’ satisfaction with the process. Seven of the 14 victims we met with said that they had received at least 1 notification too late, or without enough detail, to allow any meaningful remediation to be made. At both FBI headquarters and field offices, FBI cyber personnel acknowledged the timeliness of notifications is a problem.

The FBI also manages to get in its own way when actually attempting to deliver info to affected parties.

With regard to quality, due to national security classification, the FBI cannot always share sufficient information to allow victims to take action to defend their networks or systems.

There we go again, sacrificing security for security, which is a really weird tradeoff that does little for the nation being secured. Adding to the insecurity is a lack of best practices, which meant involved agents followed no specific protocol. Some were completely unaware of how the system worked or what effect their contributions (or lack thereof) had on victim notification.

During this audit, we visited six FBI field offices and discussed the victim notification process with cyber squad Special Agents and supervisory Special Agents. In our discussions, we found that 29 of 31 field agents we interviewed do not use the “Victim Notification” lead type when setting leads for victim notification. Five of the agents had not even heard of it.

Without proper flagging, notifications never occurred. The OIG’s examination of records showed only 1% were classified as “victims” in need of notification. The IG’s investigation determined the actual number of victims contained in the files was closer to 30%.

As the report notes, the FBI is doing damage to its relationship with the private sector with this failure to properly handle this crucial part of its cybercrime directive. Delayed or under-informative notifications undermine the FBI’s credibility as a “partner” in the private sector’s own battles with cybercriminals. The FBI thinks it should have the public’s trust, but its track record over the past several decades shows it hasn’t done much to earn it. The agency may be dipping a toe in new waters with its cybercrime initiatives, but it still had a responsibility to handle it with the level of competence one expects from a storied agency with a healthy budget and a wealth of expertise within its ranks.

Techdirt.