Two weeks ago, the Federal Bureau of Investigation (FBI) admitted in an Associated Press (AP) investigation that it knew for more than a year that the Russia-linked Fancy Bear cyber attackers were behind break-ins to private the Gmail accounts of dozens of U.S. government individuals and organizations but declined to alert the potential targets.
How can that be? Why had the agency elected to keep that information to itself? At the time, a senior FBI official would only say that the law enforcement body “routinely notifies individuals and organizations of potential threat information.” Obviously, that’s not a whole lot to go on, particularly considering that the Fancy Bear hackers apparently also attacked the private email accounts of Democrat leaders in the 2016 presidential election.
But evidently it was just enough to prompt a congressional hearing to ask FBI director Christopher Wray, why the lapse? Suffice it to say, we still don’t know. When asked by Rep. Zoe Lofgren (D-CA), Wray referenced established standards and procedures the agency uses to determine whether to inform breach victims, The Hill reported.
“I’m not comfortable trying to discuss the specific victim engagements in a particular investigation, at least in this setting,” Wray said. In general, he said, the FBI’s process is to identify the victim with certainty, decide if the information, if disclosed, can help the person better safeguard themselves, and determine if imparting it would interfere with an ongoing investigation.
To a degree, Wray appeared to lay some of the blame on the victims themselves for not having government or corporate email accounts, The Hill reported.
“When you have a large number of people, it’s much easier for us to provide victim notification when we have official or government or corporate accounts where we can contact the chief information security officer, and then they can communicate to all the people who are on that server,” he said. “When you talk about Gmail accounts and all that, it gets a lot harder.”
When Lofgren asked if the bureau’s notification procedures have been updated, Wray reportedly said that the procedures haven’t been changed and the FBI believes the criteria is “pretty sound. If you think about what they are, they are questions the investigators have to ask in each victim notification context.”
In its inquiry into the Fancy Bear email leaks, the AP identified some 500 potential targets and subsequently contacted 80 government officials. Of those only two confirmed prior knowledge from the FBI of their exposure to the Fancy Bear cyber espionage.