The Federal Bureau of Investigation’s (FBI) Cyber Guardian program, which provides cyber-attack victim notification services, is operating with “incomplete and unreliable” data, and as a result the FBI is unable to determine whether all such victims are being notified, according to a report released April 1 by the Justice Department’s Office of Inspector General.
The Cyber Guardian program’s aim is two-fold: producing and disseminating cyber-victim notifications that can help victims mitigate the impact of cyber intrusions; and increasing the potential for intelligence collection by the FBI.
“However, we found that the data In Cyber Guardian was incomplete and unreliable, making the FBI unable to determine whether all victims are being identified,” the IG said in a partially redacted report. Unreliable data was the result of typographical errors, a lack of logic controls that would prevent input errors, and incomplete inclusion of victim notifications from restricted access cases, it said.
It also found that the quality of formal requests for investigative actions was “inconsistent,” and that indexing of victims within internal systems was incomplete. The Department of Homeland Security (DHS), a partner in the Cyber Guardian program, also “was not entering information into the system as required,” which also contributed to the incompleteness of data, the OIG found.
Those problems, the OIG report said, “contributed to some notifications not being tracked properly or taking place too long after the attack for the victim to effectively mitigate the threat to its systems.”
The OIG report also said that not all cyber victims were properly informed of their rights for a number of reasons including outdated guidelines that don’t consider the needs of cyber victims, the lack of a widely accepted definition of what constitutes a victim of cybercrime, and the lack of a process to get cybercrime victim information from national security cases into the FBI’s victim notification system.
The OIG provided 13 recommendations to assist DoJ and the FBI in improving the cybercrime notification process, and also said the FBI was due in FY2019 to replace Cyber Guardian with a new system called CyNERGY. The new system, OIG said, may address some of the problems it found, but was not likely to fix them all.