The Federal Bureau of Investigation's (FBI) processes for notifying and engaging with victims of cyber crime needs updating, an audit by the Department of Justice's (DoJ) Inspector General found.
A redacted version of the original document was recently released to the public. The bureau’s review focused on improving Cyber Guardian, its database for tracking cyber victim notifications to help mitigate the damage caused by cyber intrusions.
This is what the audit found:
- Data in the Cyber Guardian was incomplete and unreliable, making the FBI unable to determine whether all victims are being notified.
- The quality of formal requests for investigative actions, or leads, set for victim notification was inconsistent.
- Not all agents indexed victims within Sentinel, the FBI’s case management system.
- The inconsistent leads and indexing contributed to some notifications not being tracked properly or taking place too long after the attack for the victim to effectively mitigate the threat to its systems.
- The Department of Homeland Security (DHS), which also uses Cyber Guardian, was not entering information into the system as required, contributing to the incompleteness of data.
- Victims identified in national security cyber cases were not informed of their rights.
As of December, 2017, some 16,000 cyber events and 20,000 victim notifications had been logged in Cyber Guardian. The FBI plans to replace Cyber Guardian this year with CyNERGY, a new system which the agency believes can solve some, but not all data quality issues. Cyber Guardian was always intended as a temporary solution.
The audit offers 13 recommendations to help the FBI and the DoJ fix the cyber victim notification process and improve data quality. Taken together, they amount to paying greater attention to detail, updating policies, upgrading data input, instituting better quality controls and improving communication. (Note: Beware “FBI speak.”)
- Ensure there are appropriate logic controls for data manually inputted into Cyber Guardian and CyNERGY, and that CyNERGY’s data input is as automated as appropriate.
- Strengthen controls for ensuring that victim notifications are tracked in Cyber Guardian.
- Ensure that agents index Victims in Sentinel.
- Ensure that all cyber victim notifications conducted in the course of restricted investigations are appropriately tracked in Cyber Guardian.
- Clearly define what constitutes a victim of cybercrime for the purposes of indexing victims in Sentinel and notifying victims of their rights.
- Ensure that all victims of cybercrime are informed of their rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act.
- Establish timeliness standards in the Cyber Division Policy Guide for cyber victim notifications.
- Update Cyber Division Policy Guide to include a minimum requirement for information that should be included in a victim notification and in victim notification leads.
- Ensure Victim Contact Planning Calls are conducted for all cyber-incidents that are labeled "Medium and above" on the National Security Council's Cyber Incidents Severity Schema.
- Pursue a mutually agreeable solution with DHS for ensuring all victim notification data is entered into Cyber Guardian.
- Coordinate with the National Security Agency to identify and implement an automated solution to streamline the post-publication requests for unclassified information in order to conduct timely and useful victim notifications.
- Implement controls to ensure that all users of Cyber Guardian, and subsequently CyNERGY, are certified to handle Protected Critical Infrastructure Information.
There’s one recommendation for the DoJ:
- Coordinate with the FBI's Cyber Division and update, as necessary, the Attorney General Guidelines for Victim and Witness Assistance to incorporate the nuances of cyber victims.