Some victims may not have been notified, and the system is prone to making simple errors, including spelling mistakes.
The FBI’s Cyber Guardian system is not living up to its name.
Rather than a beacon of trust, as the moniker implies, an audit report from the Justice Department’s internal watchdog paints a picture of a guardian that is not dependable, given to simple errors and late with needed information.
The Cyber Guardian system is designed to work with individuals and organizations that are victims of cyberattacks — attacks that can go unnoticed. It was created in the wake of President Barack Obama’s 2013 executive order declaring that “it is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
But the system has trouble fulfilling its mission, according to a report by the department’s Office of the Inspector General.
“We found that the FBI’s database for cyber intrusions was incomplete and unreliable,” said Bill Blier, the deputy inspector general. “As a result, the FBI was unable to determine if victims of cybercrime were notified of intrusions.”
If information is power, the lack of information fosters powerlessness.
“Without appropriate notification, companies, organizations, and individuals who are victimized may be unaware they have suffered an intrusion,” Blier added. “Consequently, they may not take steps to limit or mitigate the damage done by the intrusion and may not take appropriate steps to strengthen their cyber defenses.”
The Guardian system was always meant to be a temporary fix to comply with the executive order’s mandate to establish a method that quickly circulates information about cyber threats. As of December 2017, it had registered more than 16,400 cyber events and over 20,800 victim notifications.
Days after the audit was released earlier this month, the Electronic Privacy Information Center (EPIC) urged the House Appropriations Committee to “ensure that the FBI improve its cyberattack victim notification procedures.”
The center, a public-interest research organization, previously sued the FBI to obtain documents related to Russia’s 2016 election interference. “The IG’s finding is consistent with the documents EPIC obtained,” the organization said in a letter to the committee. “… It is stunning that the FBI failed to follow its own written procedures, particularly where the cyber attack threatened national security and the integrity of democratic institutions.”
Eleni Kyriakides, EPIC’s international counsel, told the Federal Insider that the “records obtained by EPIC undergirded an Associated Press investigation which concluded that the FBI notified only a ‘fraction of Russian hackers’ US targets.’”
The 2017 AP story said, “The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts, despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs.”
In this age of high technology, the Cyber Guardian program’s effectiveness was damaged because of small things such as spelling mistakes.
“Specifically, we found instances in which victim identifiers, such as names of entities, cities, and states, were spelled incorrectly,” the report said.
In other cases, notifications of cyber incidents simply didn’t make sense, because notifications were dated prior to the incidents being reported.
The investigators discovered “at least 61 notifications which, according to the data in Cyber Guardian, took place before the incident was observed by the reporting agency. In these examples, the ‘Date/Time Notified’ was a date earlier than the ‘Incident Observed Date/Time.’”
These and other issues led the inspector general’s office to conclude that “the data in Cyber Guardian was unreliable due to typographical errors, a lack of controls that would prevent input errors, and the exclusion of many cyber victim notifications from especially sensitive investigations.”
Because the quality of the information was so poor, the FBI was “unable to determine whether all victims are being notified.” In some cases, information about the invasion of computer systems was almost useless because it was provided “too long after the attack for the victim to effectively mitigate the threat to its systems.”
Furthermore, not all victims were notified, as required by attorney general guidelines, because, according to the redacted report, the guidelines “are outdated since they do not consider the needs of victims of cybercrime,” “there is no widely accepted definition of what constitutes a victim of cybercrime” and “there is currently no process for getting cybercrime victims’ information from national security cases into the FBI’s Victim Notification System — the FBI system used to inform crime victims of their rights.”
Cyberattack victims praised FBI agents but also told the IG investigators “that the quality of the information provided by the FBI at times lacked substance, making it difficult to pinpoint where the intrusion entered their system.”
FBI officials admitted there were problems, according to the IG audit, “with both the timeliness and quality of information it provides. The FBI said those issues were usually the result of classified information being involved.”
The Office of the Inspector General issued 12 recommendations. It urged the FBI to increase training, “strengthen controls to ensure victim notifications are tracked” and use “appropriate logic controls” to prevent erroneous notifications of cyber incidents dated before they were noticed.
FBI officials refused to comment for this column. The press office referred to the agency’s written response to the inspector general, which agreed with the recommendations.
“We agree that it is important to strengthen procedures for setting victim notification leads and indexing victims,” wrote Suzanne Turner, an FBI section chief in the inspection division. “Additionally, we agree it is imperative that victims of cybercrime are informed of their rights under the requisite authorities.”