FBI Leaves It To Journalists To Notify US Government Targets Of Russian Hacking
from the all-the-small-things dept
The last year-and-a-half has provided plenty of evidence that the Russian government attempted to influence the 2016 presidential election. Unfortunately, most of the evidence confirming this has been delivered by entities outside the US government. The government has released reports but has omitted plenty of key details.
This hasn't done much for those affected by Russia's efforts. In almost every case, individuals targeted by Russian government-directed hacking entity Fancy Bear were made aware of this by journalists, not the FBI, despite the fact both had access to the same evidence.
The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin's crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
"It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people."
The FBI refused to comment specifically on its disclosure efforts (or rather, the lack thereof). It offered no official excuse for its across-the-board lack of notification. Even the few that were notified could hardly be considered to be apprised of anything.
Rob “Butch” Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.
“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”
Despite evidence to the contrary, the FBI claims it "routinely" notifies people and organizations about potential threats. The statement it issued to the AP would sound credible if it weren't immediately disproved by the results of the AP investigation. This lack of target notification dovetails nicely with the government's handling of other disclosure efforts. The government says the same thing about the hardware and software vulnerabilities its intelligence agencies exploit. It claims to be very forthcoming about vulnerabilities, and yet exploits it never disclosed to the affected tech companies have been repeatedly leveraged to attack computers all over the world.
The FBI's unofficial excuse for this lack of notification is unavailing:
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks.
“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
This doesn't explain why the AP was able to track down affected government employees and contractors -- using less personal information than the FBI has access to -- and inform those affected by Fancy Bear hacking. The AP unquestionably has less manpower available than the nation's largest law enforcement agency. Certainly limiting its notification efforts to just this hacking effort allowed the AP to complete this task, but even in the face of multiple hacking attacks, the FBI should have been able to provide more notification. The "there's too much to deal with properly" excuse doesn't even impress former Intelligence Community members -- people who definitely know about drowning in data.
Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn’t do the same work the AP did.
“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”
Phishing attempts aren't murders, but the underlying assertion -- there's too much happening to do anything about -- is still worthless. The FBI wants to be the go-to agency for national security issues as well as a key player in the cyberwar, but seems unwilling to perform the mundane, but necessary, tasks that accompany those noble pursuits. The boring parts of the job still need to be done. If the FBI seriously wants people to get behind its counterterrorism efforts and cybersecurity work, it needs to make a better effort getting behind the people affected by those the agency is targeting.
Filed Under: fbi, hacking, journalists, russians
Reader Comments
"The AP unquestionably has less manpower available..."
Budgets are tight... full-blown agents are expensive. Sounds like the FBI needs a squad of $8/hr part-timers to do what the AP did so easily. And with Home Depot jobs harder and harder to come by, imagine how many 60+ applicants they'd have! Boost American employment stats!
They could call them "Junior G-Men".
[ link to this | view in thread ]
SO, Google can know ALL in Gmail, but the Russians can't.
[ link to this | view in thread ]
Re: SO, Google can know ALL in Gmail, but the Russians can't.
[ link to this | view in thread ]
They had a list of email accounts, and mass emailing is not that difficult to give people a heads up.
[ link to this | view in thread ]
Re: SO, Google can know ALL in Gmail, but the Russians can't.
We'd love to listen to your propaganda but sadly all your propaganda schemes were outed after the last election.
Good try though! Nostrovia!
[ link to this | view in thread ]
Re: Re: SO, Google can know ALL in Gmail, but the Russians can't.
[ link to this | view in thread ]
The best of your ability is pathetic.
[ link to this | view in thread ]
Comey
[ link to this | view in thread ]
Easy fix:
Pull some agents away from the Terrorist Factory, get them actually helping society instead of just working on their own career promotion at hapless lost souls' expense.
[ link to this | view in thread ]
Misleading
I'm not surprised they didn't notify people however, their general policy is not to comment on an ongoing investigation. My HOPE is, they were monitoring those accounts, trying to track down the culprits but I have little faith in the FBI, or any other government agency.
[ link to this | view in thread ]
Re:
On a side note, their credibility is also outsourced.
[ link to this | view in thread ]
Re: Misleading
FBI has been outsourced to the Russians, film at eleven.
[ link to this | view in thread ]
Re: SO, Google can know ALL in Gmail, but the Russians can't.
[ link to this | view in thread ]
Why buy the cow
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Misleading
[ link to this | view in thread ]
Re: Re: SO, Google can know ALL in Gmail, but the Russians can't.
[ link to this | view in thread ]
Lame
Move on already. Sick and tired of every single outlet of any type anywhere spewing DNC party line bile.
You guys are even soft-pedaling the reversal of Net Neutrality. "Oh, don't be too hard on Ajit Pai.... We don't want to seem EXTREME..."
Pathetic.
[ link to this | view in thread ]
Re: Lame
[ link to this | view in thread ]
Re: Lame
This may surprise you, but you don't actually have to read every article. I know the magic coding makes it difficult not to, but if you try really hard I'm sure you can manage to avoid the articles you so disagree with, thereby reducing your stress levels.
[ link to this | view in thread ]
Judging a book by the cover
Not exactly. The FBI doesn't have 1000's of agents responding to these events. They barely have a few 100. Of those 100's, they are likely broken down into country specific specialties: China, Iran, Russia, etc... Now take it down further into spear-phishing, malware, exploitation, etc.. So realistically, they probably have <15 people working.
Despite them being total asshats, they are doing the best they can. They also have responsibilities to businesses who work on behalf of the Gov as well.
The cyber game is as complicated as the encryption debate. So how does the FBI know if Fancy Bear is spear-phishing people? They are likely camping out on some sensitive information. Running around and telling EVERYONE they are being targeted is not realistic. The FBI is likely tracking TTPs and gathering further information to figure out what is happening on a strategic level. They are triaging the problem.
I love me some FBI bashing; however, this is not as straightforward as we want it to be.
To comment on the "$8/hr part-timers", what exactly do you propose? Do you want to hire a bunch of census-style people to do notifications? I just rolled my eyes at this. The media would sniff this out and then cyber actors would know they are being tracked and change TTPs making it difficult to detect them again.
[ link to this | view in thread ]