The FBI Takes Too Long to Alert Victims of Cyberattacks

The FBI takes too long to notify groups when they’ve succumbed to cyberattacks, and the alerts those victims receive are often sparse on useful information, according to an internal watchdog.

The Justice Department Inspector General found the bureau’s reliance on manual data entry leads to errors that could prevent cyberattack victims from ever learning about intrusions.

When a group’s networks come under attack, the FBI is responsible for investigating the incident and alerting victims about the breach. In many cases, victims don’t know they were attacked until they’re contacted by FBI agents. But multiple flaws in the bureau’s internal procedures and IT limit the timeliness and practicality of these notifications, auditors said in a redacted report published Monday.

Agents often drag their feet in notifying groups they’ve been breached, auditors found, which can leave their networks vulnerable for longer than necessary. In one instance, the IG said, agents took nine months to notify a company it had been breached.

“Timely notification is critical because victims rely heavily on the information provided by the FBI to remediate the threat with as little damage to their infrastructure as possible,” auditors wrote. “Because victims often keep information, such as network logs, for a limited time, the information provided to the victim needs to be recent.”

Additionally, the notifications victims receive are sometimes too vague to show them where exactly they need to bolster their defenses, according to auditors. The specificity of alerts varies based on the agent who writes it, they said, and insufficient information leaves the victim “[un]able to mitigate the threat” and “diminish[es] the FBI's credibility as a partner.”

Half of the 14 victims auditors interviewed for the report said notifications came in too late or lacked enough detail for “any meaningful remediation to be made.” The IG recommended the bureau set timeliness standards and include information like IP addresses, attack timeframes and other potential identifiers.

Agents track cyber incidents and notifications by manually entering information into the Cyber Guardian IT system, which has been used to manage more than 20,000 notifications since 2014. But this process often results in typos and incorrect classifications, which could prevent the bureau from contacting cyberattack victims, the IG said.

Cyber Guardian’s architecture also prevents the Homeland Security Department, which collaborates with the FBI on cyber investigations, from inputting information into the system, according to the report.

The FBI plans to replace Cyber Guardian with a new system called CyNERGY at some point this year. While auditors said the new system would fix some of the issues they highlighted, it still leans too heavily on manual data entry and remains inaccessible to Homeland Security.