FBI Leaves It To Journalists To Notify US Government Targets Of Russian Hacking
from the all-the-small-things dept
The last year-and-a-half has provided plenty of evidence that the Russian government attempted to influence the 2016 presidential election. Unfortunately, most of the evidence confirming this has been delivered by entities outside the US government. The government has released reports but has omitted plenty of key details.
This hasn’t done much for those affected by Russia’s efforts. In almost every case, individuals targeted by Russian government-directed hacking entity Fancy Bear were made aware of this by journalists, not the FBI, despite the fact both had access to the same evidence.
The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
“It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”
The FBI refused to comment specifically on its disclosure efforts (or rather, the lack thereof). It offered no official excuse for its across-the-board lack of notification. Even the few that were notified could hardly be considered to be apprised of anything.
Rob “Butch” Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.
“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”
Despite evidence otherwise, the FBI claims it “routinely” notifies people and organizations about potential threats. The statement it issued to the AP would sound credible if it weren’t immediately disproved by results of the AP investigation. This lack of target notification dovetails nicely with the government’s handling of other disclosure efforts. The government says the same thing about the hardware and software vulnerabilities its intelligence agencies exploit. It claims to be very forthcoming about vulnerabilities and yet exploits it never informed affected tech companies about have been repeatedly leveraged to attack computers all over the world.
The FBI’s unofficial excuse for this lack of notification is unavailing:
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks.
“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said.
This doesn’t explain why the AP was able to track down affected government employees and contractors — using less personal information than the FBI has access to — and inform those affected by Fancy Bear hacking. The AP unquestionably has less manpower available than the nation’s largest law enforcement agency. Certainly limiting its notification efforts to just this hacking effort allowed the AP to complete this task, but even in the face of multiple hacking attacks, the FBI should have been able to provide more notification. The “there’s too much to deal with properly” excuse doesn’t even impress former Intelligence Community members — people who definitely know about drowning in data.
Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn’t do the same work the AP did.
“It’s absolutely not OK for them to use an excuse that there’s too much data,” Sowell said. “Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, ‘It’s too much’? That’s ridiculous.”
Phishig attempts aren’t murders, but the underlying assertion — there’s too much happening to do anything about — is still worthless. The FBI wants to be the go-to agency for national security issues as well as a key player in the cyberwar, but seems unwilling to perform the mundane, but necessary, tasks that accompany those noble pursuits. The boring parts of the job still need to be done. If the FBI seriously wants people to get behind its counterterrorism efforts and cybersecurity work, it needs to make a better effort getting behind the people affected by those the agency is targeting.
Filed Under: fbi, hacking, journalists, russians
Comments on “FBI Leaves It To Journalists To Notify US Government Targets Of Russian Hacking”
"The AP unquestionably has less manpower available…"
Budgets are tight… full-blown agents are expensive. Sounds like the FBI needs a squad of $8/hr part-timers to do what the AP did so easily. And with Home Depot jobs harder and harder to come by, imagine how many 60+ applicants they’d have! Boost American employment stats!
They could call them "Junior G-Men".
Re: Re:
They have outsourced everything else – so why not?
On a side note, their credibility is also outsourced.
SO, Google can know ALL in Gmail, but the Russians can't.
Probably your slyest plug for absolute faith in Google ever.
Re: SO, Google can know ALL in Gmail, but the Russians can't.
Oh look it thinks it has a real gotcha point. How droll.
Re: Re: SO, Google can know ALL in Gmail, but the Russians can't.
No it doesn’t, it’s obviously faking.
Re: Re: SO, Google can know ALL in Gmail, but the Russians can't.
Including the non sequitur conclusion. It’s very good, for only two sentences.
Re: SO, Google can know ALL in Gmail, but the Russians can't.
Username checks out. Welcome comrade!
We’d love to listen to your propaganda but sadly all your propaganda schemes were outed after the last election.
Good try though! Nostrovia!
Re: SO, Google can know ALL in Gmail, but the Russians can't.
Google denied your unemployment; Didn’t they?
They had a list of email accounts, and mass emailing is not that difficult to give people a heads up.
“It’s a matter of triaging to the best of our ability the volume of the targets who are out there,”
The best of your ability is pathetic.
Trump is the best thing ever to happen to Russia…..and China.
Re: Re:
You got that backwards
Comey
Is there anyone left on the planet who thinks that Comey did good job and should have been allowed to keep his job?
Easy fix:
Pull some agents away from the Terrorist Factory, get them actually helping society instead of just working on their own career promotion at hapless lost souls’ expense.
Misleading
Once again, misleading title. The fact of the matter is, there are agents of every government CONSTANTLY trying to hack us and every other government.
I’m not surprised they didn’t notify people however, their general policy is not to comment on an ongoing investigation. My HOPE is, they were monitoring those accounts, trying to track down the culprits but I have little faith in the FBI, or any other government agency.
Re: Misleading
Yeah, move along – nothing to see here.
FBI has been outsourced to the russians, film at eleven.
Re: Misleading
You didn’t actually explain how the title is misleading in any way whatsoever.
Why buy the cow
when you can get the milk for free.
We’ll just have to remember the “too much data” line next time their NSA collection firehose comes up.
Lame
Every government on the face of the earth attempts to influence American elections. That’s the whole point of using the US dollar as a global reserve currency you idiots.
Move on already. Sick and tired of every single outlet of any type anywhere spewing DNC party line bile.
You guys are even soft peddling the reversal of Net Neutrality. “Oh, don’t be too hard on Ajit Pai…. We don’t want to seem EXTREME…”
Pathetic.
Re: Lame
Well…bye
Re: Lame
This may surprise you, but you don’t actually have to read every article. I know the magic coding makes it difficult not to, but if you try really hard I’m sure you can manage to avoid the articles you so disagree with, thereby reducing your stress levels.
Judging a book by the cover
“unwilling to perform the mundane, but necessary, tasks that accompany those noble pursuits. The boring parts of the job still need to be done.”
Not exactly. The FBI doesn’t have 1000’s of agents responding to these events. They barely have a few 100. Of those 100’s, they are likely broken down into country specific specialties: China, Iran, Russia, etc… Now take it down further into spear-phishing, malware, exploitation, etc.. So realistically, they probably have <15 people working.
Despite them being total asshats, they are doing the best they can. They also have responsibilities to business who work on behalf of the Gov as well.
The cyber game is as complicated as the encryption debate. So how does the FBI know if Fancy Bear is spear-phishing people? They are likely camping out on some sensitive information. Running around and telling EVERYONE they are being targeted is not realistic. The FBI is likely tracking TTPs and gathering further information to figure out what is happening on strategic level. They are triaging the problem.
I love me some FBI bashing; however, this is not as straight forward as we want it to be.
To comment on the “$8/hr part-timers”, what exactly do you propose? Do you want to hire a bunch of census-style people to do notifications? I just rolled my eyes at this. The media would sniff this out and then cyber actors would know they are being tracked and change TTPs making it difficult to detect them again.