For many organizations, FBI agents knocking on the door is the first indication that they have been hit by a cyberattack. That visit kicks off an investigation, and only then does the organization learn how long the attackers had been inside its network and what kind of damage they caused.
Some organizations, however, may not be notified promptly because the incidents affecting them were not tracked properly, according to a recent report from the Department of Justice's Office of the Inspector General. The audit, which focused on "the Federal Bureau of Investigation's processes and practices for notifying and engaging with victims of cyber intrusions," found inconsistencies in how agents recorded incident information in the FBI's Cyber Guardian system.
"We found that the data in Cyber Guardian was incomplete and unreliable, making the FBI unable to determine whether all victims are being notified," Inspector General Michael E. Horowitz wrote in the report.
The FBI uses Cyber Guardian to track the "production, dissemination, and disposition of cyber-victim notifications." Formal requests for investigative actions are called leads. The quality of leads for victim notifications was inconsistent, and the audit found that some agents did not index the victims appropriately. Together, the two problems meant that by the time victims were notified, too much time had passed since the attack for them to mitigate the threat effectively.
Agents classify incidents they uncover during the course of their investigations to gauge severity and to determine whether the victim needs to be notified. At the top of the scale, Level 5 poses an "imminent threat to the provision of wide-scale critical infrastructure services"; at the bottom, Level 1 is "unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." The FBI is expected to provide as much information as possible, minus anything classified, so that the victim organization can take steps to address the attack.
The quality of leads varied depending on the agent entering the information into the system, the audit found. Some agents were more thorough than others about including information and instructions in the leads. The agent handling notifications is not always well-versed in the details of the case, and less-detailed leads mean that agent cannot make "useful notifications," the report noted. A useful notification would include the IP addresses involved in the malicious activity, the date or range of dates on which the activity occurred, indicators the victim organization can search for in its own logs, and any other available unclassified information.
There is a specific lead type, "Victim Notification," that is supposed to be used when setting leads for victim notification. The auditors found that 29 of the 31 field agents interviewed did not use that lead type; five had not even heard of it. Most were using "Action," which is intended for investigative tasks, not notifications. The receiving agent may not realize that a lead filed under the "Action" type contains an instruction to notify the victim, which delays the process.
While most of the victim organizations the OIG interviewed as part of the audit "thought highly of the FBI" and the notifications, some "complained about the timeliness of the notifications and whether the information provided by the FBI was adequate to remediate the threat to its systems."
The audit also warned that many organizations don’t learn they’ve been impacted because it isn’t clearly defined what requires notification. Victim notification letters are sent in criminal cyber-cases, but not in cyber-related national security cases, “resulting in many victims that are not informed of their rights,” the audit found.
Cyber Guardian data contained "logical and typographical" errors, such as misspellings of the entity's name and records in which the "Date/Time Notified" field was earlier than the "Incident Observed Date/Time" field, which would mean the victim was notified before the incident was observed. Inconsistent spellings of the same victim's name can also produce duplicate notifications, which the report treats as nearly as damaging as failing to notify the victim at all.
“Duplicate notifications may damage the FBI's relationship with the private sector by making the Government appear unprofessional and disorganized, and those relationships are essential for information and intelligence sharing,” the report said.
The FBI is also hampered by the fact that not all government agencies use Cyber Guardian, making the data incomplete. The Department of Homeland Security does “not document the majority of the victim notifications it conducts in Cyber Guardian.” Without complete cyber victim data, the FBI cannot determine whether all victims are being notified, potentially making victims poorly positioned to defend themselves against cyber threats.
Considering that many organizations are unaware of the intrusion in their networks until they receive notification from the FBI, the fact that some of them are not being notified means they remain in the dark about the unauthorized activity on their systems and with their data. Delays may mean the organization misses the window of opportunity to stop the attack or to limit the amount of data taken.
To address these challenges, the OIG report made recommendations, such as ensuring that victims get notified for all incidents labeled “Medium” (Level 2) or higher, and clearly defining what makes an organization a cybercrime victim so that it can be indexed properly and notified. Agents also need to be instructed to include a certain amount of detail, at minimum, in the leads to make the notifications useful.
The FBI is currently switching to a new system, CyNERGY, and the OIG report recommended that data input be automated instead of relying on the current manual entry. CyNERGY should also have logic controls (such as date checking) and controls to ensure that agents use the correct lead types.
CyNERGY "may solve some, but not all data quality issues," the report noted.
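The controls the report asks for (date checking, lead-type enforcement, a minimum level of detail, and catching the name variants that cause duplicate notifications) are simple to express as validation logic. The following is an added example written for this article, not code from the FBI, the OIG, Cyber Guardian or CyNERGY; the record layout, field names, the entity-name normalization rule and the three sample leads are all constructed here for illustration.

```python
"""Data-quality checks of the kind the OIG report recommends, run over constructed lead records.

Assumptions (not from the report): a lead is a flat record with the fields below,
timestamps are ISO-8601 strings, and "Level 2 or higher" means the integer field level >= 2.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

VICTIM_NOTIFICATION = "Victim Notification"          # the lead type the report says should be used
MIN_LEVEL_FOR_NOTIFICATION = 2                       # report recommendation: "Medium" (Level 2) or higher
CORP_SUFFIXES = {"inc", "llc", "corp", "corporation", "co", "ltd"}  # assumed normalization rule


@dataclass
class Lead:
    entity: str                 # victim name as typed by the agent
    lead_type: str              # e.g. "Victim Notification" or "Action"
    level: int                  # incident severity, 1..5
    incident_observed: str      # "Incident Observed Date/Time"
    date_notified: str | None   # "Date/Time Notified", None if no notification recorded
    instruction: str            # free-text instruction to the receiving agent
    indicators: dict = field(default_factory=dict)  # e.g. {"ips": [...], "date_range": (start, end)}


def normalize_entity(name: str) -> str:
    """Canonical key for duplicate detection: case-fold, drop punctuation and corporate suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)


def parse_ts(value: str) -> datetime | None:
    """Return None rather than raising, so a typo is reported as a data-quality problem."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def check_lead(lead: Lead) -> list[str]:
    """Return a list of data-quality problems; an empty list means the lead passes every check."""
    problems: list[str] = []
    observed = parse_ts(lead.incident_observed)
    if observed is None:
        problems.append("incident_observed is not a parseable timestamp")
    if lead.date_notified is not None:
        notified = parse_ts(lead.date_notified)
        if notified is None:
            problems.append("date_notified is not a parseable timestamp")
        elif observed is not None and notified < observed:
            problems.append("date_notified precedes incident_observed")
    # A notification instruction filed under any other lead type is the misuse the audit found.
    if lead.lead_type != VICTIM_NOTIFICATION and re.search(r"\bnotif", lead.instruction, re.I):
        problems.append(f"notification instruction filed under lead type {lead.lead_type!r}")
    if lead.level >= MIN_LEVEL_FOR_NOTIFICATION and lead.date_notified is None:
        problems.append(f"Level {lead.level} incident has no notification recorded")
    # Minimum detail for a useful notification: affected IPs and a date range the victim can search on.
    if lead.lead_type == VICTIM_NOTIFICATION:
        if not lead.indicators.get("ips"):
            problems.append("no affected IP addresses in the lead")
        if not lead.indicators.get("date_range"):
            problems.append("no date range for the activity in the lead")
    return problems


def find_duplicates(leads: list[Lead]) -> dict[str, list[str]]:
    """Group leads whose entity names normalize to the same key; these risk duplicate notifications."""
    groups: dict[str, list[str]] = {}
    for lead in leads:
        groups.setdefault(normalize_entity(lead.entity), []).append(lead.entity)
    return {key: names for key, names in groups.items() if len(names) > 1}


# Constructed sample records (fictional entities, IANA documentation IP ranges).
SAMPLE_LEADS = [
    Lead("Acme Widgets Inc.", VICTIM_NOTIFICATION, 3, "2019-01-10T09:00:00", "2019-01-05T14:00:00",
         "Notify victim of web shell on public server.",
         {"ips": ["198.51.100.4"], "date_range": ("2019-01-08", "2019-01-10")}),
    Lead("ACME Widgets, Inc", "Action", 2, "2019-01-10T09:00:00", None,
         "Please notify the victim about C2 beaconing from their network."),
    Lead("Globex Corp", VICTIM_NOTIFICATION, 1, "2019-02-03T16:00:00", "2019-02-04T10:00:00",
         "Notify victim; indicators attached.",
         {"ips": ["203.0.113.7"], "date_range": ("2019-02-01", "2019-02-03")}),
]

if __name__ == "__main__":
    for lead in SAMPLE_LEADS:
        print(lead.entity, "->", check_lead(lead) or "OK")
    print("possible duplicate notifications:", find_duplicates(SAMPLE_LEADS))
```

Run as written, the first sample is flagged for a notification date earlier than the observation date, the second for a notification instruction filed as an "Action" lead with no notification recorded for a Level 2 incident, and the two spellings of the Acme name collapse to one key, which is exactly the case that produces a duplicate notification when names are compared verbatim.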