FBI Cyber Crimes Division Not So Great About Passing Info To Victims Of Cyberattacks
from the stop-sucking-so-much,-you-expensive-pixel-pushers dept
The FBI wanted in on the cyberwar. The problem was recruits. Years of treating Americans and their rights like garbage have turned the young ones against the feds. The FBI struggled to find enough willing and able youthful whitehats to send to the frontlines of the The Great War (Internet Edition).
The FBI had the budget, the permission, the power… but not the personnel. It also probably wasn't the best agency for the job. The FBI knows investigations, but its part in the CyberWar included sharing info with private sector hacking targets. Sharing isn't in the FBI's nature. It's appears to enjoy the sneakier parts of its cyber work, but when it comes to protecting companies and their customers, the FBI apparently isn't up to the task.
A recently-released Inspector General's report [PDF] shows the FBI is an unorganized mess when it comes to notifying victims of cyberattacks and data breaches. The FBI's Cyber Guardian system received a purpose (notifying victims of cyber intrusions) and a nifty logo (a lion wielding a sword), but not much internal guidance or outside assistance.
The FBI is breaking the law by not doing the things it's supposed to be doing. It's violating an Executive Order, as well as the DOJ's own policies on notification. Federal mandate says victims are to be notified. But failure every step of the way is apparently the process.
We found that not all victims were Informed of their rights as required by the AG Guldellnes .• This occurred because: (1) the AG Guidelines are outdated since they do not consider the needs of victims of cybercrlme; (2) there Is no widely accepted definition of what constitutes a victim of cybercrlme; and (3) there Is currently no process for getting cybercrlme victims' Information from natlonal security cases Into the FBI's Victim Notification System-the FBI system used to Inform crime victims of their rights.
Laying the groundwork for this compound failure was the system itself which did not demand enough input from agents to generate usable intel that could be passed on to victims. The securing of the homeland and its inhabitants was further held back by the Department of Homeland Security, which wasn't submitting information it possessed to the FBI's cybercrime system, resulting in even less usable info. The DHS blamed the system's user unfriendliness. The FBI agrees to a certain extent and plans to replace all of the stuff that isn't working with something that might work better sometime this year.
At this point, however, this only means there's been at least three years of mandated notifications the FBI has failed to handle competently. A little consistency would have gone a long way:
We also found that that the amount of information and instructions for leads, which are used to assign tasks to agents such as victim notifications, varied depending on the author of the leads. Leads that contained little detail often made it difficult for agents conducting the notifications to make useful notifications to victims. Similarly, we found that the timeliness and quality of cyber victim notifications affected victims' satisfaction with the process. Seven of the 14 victims we met with said that they had received at least 1 notification too late, or without enough detail, to allow any meaningful remediation to be made. At both FBI headquarters and field offices, FBI cyber personnel acknowledged the timeliness of notifications is a problem.
The FBI also manages to get in its own way when actually attempting to deliver info to affected parties.
With regard to quality, due to national security classification, the FBI cannot always share sufficient information to allow victims to take action to defend their networks or systems.
There we go again, sacrificing security for security, which is a really weird tradeoff that does little for the nation being secured. Adding to the insecurity is a lack of best practices, which meant involved agents followed no specific protocol. Some were completely unaware of how the system worked or what effect their contributions (or lack thereof) had on victim notification.
During this audit, we visited six FBI field offices and discussed the victim notification process with cyber squad Special Agents and supervisory Special Agents. In our discussions, we found that 29 of 31 field agents we interviewed do not use the "Victim Notification" lead type when setting leads for victim notification. Five of the agents had not even heard of it.
Without proper flagging, notifications never occurred. The OIG's examination of records showed only 1% were classified as "victims" in need of notification. The IG's investigation determined the actual number of victims contained in the files was closer to 30%.
As the report notes, the FBI is doing damage to its relationship with the private sector with this failure to properly handle this crucial part of its cybercrime directive. Delayed or under-informative notifications undermine the FBI's credibility as a "partner" in the private sector's own battles with cybercriminals. The FBI thinks it should have the public's trust, but its track record over the past several decades shows it hasn't done much to earn it. The agency may be dipping a toe in new waters with its cybercrime initiatives, but it still had a responsibility to handle it with the level of competence one expects from a storied agency with a healthy budget and a wealth of expertise within its ranks.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybercrime, fbi, sharing, victims
Reader Comments
Subscribe: RSS
View by: Time | Thread
They are just following the standard playbook...
we can't tell people, because we might want to use the hacks ourselves... besides the NSA will leak the exploit in 3 weeks anyways then everyone can be protected.
[ link to this | view in thread ]
Re:
You're missing the attitude that so endears the FBI to... well... the rest of the planet...
Average person: "Would you like fries with that?"
FBI Agent: "Why do you want to know?"
[ link to this | view in thread ]
So reassuring...
With regard to quality, due to national security classification, the FBI cannot always share sufficient information to allow victims to take action to defend their networks or systems.
Always nice of them to admit, blatantly, that they are willing to throw anyone under the bus so long as it serves them/'national security'.
You know, just in case someone recently took a blow to the head and had the mistaken impression that the first priority of agencies like the FBI is serving/protecting the public, rather than themselves.
[ link to this | view in thread ]
Protecting the livelihood
If the FBI notified every one who was a target for malware and got them fixes, the malware wouldn't spread so much, and they would have fewer cases to investigate. Protecting their patch, and therefore jobs, is the first thing they think of when the awaken, and the last thing they think of when going to sleep. In between it's all about how to screw over the public.
[ link to this | view in thread ]
Secrecy is the enemy of security
as usual.
[ link to this | view in thread ]
Re: Protecting the livelihood
Well, let's face it - if the authorities had a way to keep their tabs on you, without you realizing it, why would they ever want to give away that privilege?
It's the backdoor the CIA always wanted!
[ link to this | view in thread ]
Cyber war
Cyber war is latest strategy of war.If you want win the war you must expert in cyber war.
https://www.gamespotnet.com
[ link to this | view in thread ]
Re: Secrecy is the enemy of security
Moss Definitely
[ link to this | view in thread ]