Inspector general finds deficiencies in how FBI tells companies they’ve been breached
The FBI needs to shore up its internal processes for notifying the victims of cyberattacks, according to a U.S. Justice Department inspector general’s report published Monday.
There are issues with the quality and completeness of the data stored in the FBI’s Cyber Guardian system — a tool for disseminating notifications after security breaches — reports Inspector General Michael E. Horowitz.
Many FBI agents tasked with responding to cybercrimes improperly handle the work associated with indexing the victims in the bureau’s system, a problem that could make it more difficult for hacked organizations to recover, according to the report.
“During this audit, we visited six FBI field offices and discussed the victim notification process with cyber squad Special Agents and supervisory Special Agents,” the report said. “In our discussions, we found that 29 of 31 field agents we interviewed do not use the ‘Victim Notification’ lead type when setting leads for victim notification. Five of the agents had not even heard of it.”
The inspector general found typographical errors in the system, instances where victims complained the FBI was too slow to notify them about a breach, and several issues with the way the FBI coordinates with other government agencies, among other problems. The FBI also failed to inform all victims of their rights under the Attorney General Guidelines for Victim and Witness Assistance, which describes a victim’s role in the criminal justice process, in part because there is no widely accepted definition of a victim of cybercrime.
“We also found that the amount of information and instructions for leads, which are used to assign tasks to agents such as victim notifications, varied depending on the author of the leads,” the report stated. “Leads that contained little detail often made it difficult for agents conducting the notifications to make useful notifications to victims. Similarly, we found that the timeliness and quality of cyber victim notifications affected victims’ satisfaction with the process.”
The redacted inspector general report published Monday includes 13 recommendations for how to improve that process.
Among other recommendations, the FBI should strengthen controls to ensure victim notifications are tracked in Cyber Guardian, clearly define what constitutes a victim of cybercrime under the Attorney General Guidelines for Victim and Witness Assistance, and conduct victim contact planning calls for all attacks labeled “medium” or higher according to the National Security Council’s Cyber Incidents Severity Schema.
Once notification is complete, the FBI aims to use that relationship to collect information about the hackers behind the crime.
“When contact is made with the victim, the victim is under no obligation to cooperate with the FBI unless a subpoena or legal process has been issued. Without improperly disclosing classified information, the FBI will provide as much information as possible to the victim to allow the victim to mitigate the threat,” the report states. “The FBI often asks the victim for permission to monitor the victim’s system(s) to observe the adversary’s activity and for the victim to provide activity logs for the affected systems.”