The FBI is catching heat from Congress again.
In a report released Friday by the House Intelligence Committee about their own investigation into Russian interference in the 2016 election, lawmakers argued that the FBI didn’t do enough to notify victims that were targeted by Russian cyberattacks.
“The Federal Bureau of Investigation’s notification to numerous Russian hacking victims was largely inadequate,” the committee wrote. “The Committee is also concerned that many, perhaps even a majority, of Russia’s known victims were never contacted by the FBI.”
Much of the committee’s notes on this subject are redacted, but the panel appears to base its assessment at least partially on reporting from the Associate Press in November 2017. The AP reported that the FBI was aware of Russian hacking group Fancy Bear attempting to break into scores of U.S. officials’ Gmail accounts, but only notified a small fraction.
The committee also highlighted the fact that Hillary Clinton campaign staffer Jake Sullivan testified before Congress that he was never notified by the FBI about his email account being targeted.
Aside from failing to notify victims, the committee report states that even when the FBI did reach out, the agency failed to reach a “desired outcome.” In other words, law enforcement received no assurances from these targets that they would take future preventative measures to avoid getting hacked again.
The report cites testimony from former FBI Director James Comey, saying that, in hindsight, the agency should have done more to notify potential victims.
“We would have sent up a much larger flare. Yeah, we would have just kept banging and banging on the door, knowing what I know now. We made extensive efforts to notify. I might have walked over know there myself, knowing what I know now,” the report quotes Comey as saying.
In the report’s recommendations, the committee said that when U.S. critical infrastructure, such as election infrastructure, is the target of foreign cyberattacks, officials should engage victims on a more elevated level.
“Although the FBI maintained an on going dialogue with the [Democratic National Committee] related to the the Russian intrusions, engagement remained at the-working level. These interactions continued for months, despite no signs of effective mediation to the problem,” the report says.
The committee faults the DNC for not handling the attacks “with the level of seriousness it deserved”, but says that the onus was on the FBI to elevate its engagement with the DNC to a more senior level.
“[T]he FBI should update its internal processes to make it clear that if a victim is neither willing nor able to take remedial measures in the event of a significant national security cyber event, FBI leadership should contact the victim and engage at the leadership level,” the report says.