The FBI is sometimes delayed—by up to nine months—in notifying victims of cyber crimes, according to a new report from the Justice Department’s Office of the Inspector General.
“Timely notification is critical because victims rely heavily on the information provided by the FBI to remediate the threat with as little damage to their infrastructure as possible,” according to the report, for which officials interviewed 14 victims of cyber crimes about their experience. “Because victims often keep information, such as network logs, for a limited time, the information provided to the victim needs to be recent.”
In one case, a company was notified nine months after an event and had to bring in a third-party company for help dealing with the intrusion, according to the report.
Other issues affecting victim notifications included typographical and other input errors in an FBI system called Cyber Guardian that’s used to track victim information, which could lead to confusion or unintentional duplicate notifications. Victims didn’t always receive proper notifications of their rights under DOJ guidelines, according to the report, which might partly be due to ambiguities about who is considered the victim of cyber crimes. Some other agencies, including the Department of Homeland Security, also don’t always input data about victims they notify into the FBI’s systems, sometimes due to technical challenges.
“According to the FBI, duplicate notifications may damage the FBI’s relationship with the private sector by making the Government appear unprofessional and disorganized, and those relationships are essential for information and intelligence sharing,” according to the report.
Still, most of the victims surveyed “thought highly of the FBI and those interactions” they had with the bureau, according to the report. The publicly released, redacted version of the report didn’t disclose information about the identities of the victims or the nature of the crimes affecting them.
A new system called CyNERGY, slated to be rolled out this year to replace Cyber Guardian, may help solve some of the issues. It includes better controls to catch data entry problems, such as requiring companies’ Dun & Bradstreet DUNS numbers, rather than just names, which should alleviate some problems with typos, for instance.