REDACTED FOR PUBLIC RELEASE Office of the Inspector General U S Department of Justice OVERSIGHT INTEGRITY GUIDANCE Audit of the Federal Bureau of Investigation's Cyber Victim Notification Process REDACTED FOR PUBLIC RELEASE The full version of this report contains information that the Department considered to be classified and therefore could not be publicly released To create this public version of the report the Office of the Inspector General redacted blacked out portions of the fu ll report REDACTED FOR PUBLIC RELEASE _ l ·· ' U Executive Summary - ' ' ---_ ' - - - - - U Objective U Audit Results U eThe objective of this audit was to evaruata thee Federal Bureau of Invastrgatlon's FBI processueande practices for notifying and engaging with victims ofe cyber Intrusions Speclftcally we examined the FBI'se adherence to Executive Order 13636 Improving crttlcale Infrastructure Cybersecurlty and the FBI Cyber Dlvlstone Policy Guida 0853PG as well as other related polldes e U eRellablllty of Cyber Guardian Data - We founde that the data In Cyber Guardian was unreliable due toe typographtcal errors a lack of loglc controls that woulde prevent Input errors and Incomplete Inclusion of victime notlflcatlons from restricted access cases e U Results in Brief U eThe FBI established Cyber Guardian for tracking thee production dissemination and disposition of cyber vlctlm notifications which can help victims mitigate thee damage caused by cyber Intrusions and Ina-ease thee potential for Intelligence collectlon by the FBI e However we found that the data In Cyber Guardian wase Incomplete and unreliable making the FBI unable toe determine whether all victims are being notified Thee quallty 0f fl lnnel requests for lnvestlgDtlve actions e called leads set for victim notification wu lnconslstllnt e In addition not all agents Indexed victims withine Sentinel as required Together the Inconsistent leadse and Indexing conb1buted to soma notifications not beinge tracked properly or 
taking place too long after thee attack for the victim to effKtlvaly mitigate the threat toe Its systems Furthar the Department of Homelande Security DHS -a partner In using Cyber Guardian-wase not entartng lnfl lrmatlon Into the system as required e conb1butlng to the Incompleteness of data In Cybare Guardian We also found that victims Identified Ine national Hcurtty cyber cases were not Informed of theire rights as required by the Attorney General Guidelinese for Victim and Witness Assistance AG Guidelines Thee FBI plans to replace Cyber Guardian In fiscal year FY e 2019 with CyNERGY a new system which may solvee some but not all data quality Issues e U Recommendations U eOur report contains 13 recommendations to assiste the FBI and the Department of Justice In Improving thee effldency and err ct1vaness of the cybar victime notification process e U eNotifying Vlc tlms of their Rights under the AG Guidelines - We found that not all victims weree Informed of their rights as required by the AGe Guldellnes • This occurred because 1 the AGe Guidelines are outdated since they do not consider thee needs of victims of cybercrlme 2 there Is no widelye accepted definition of what constitutes a victim ofe cybercrlme and 3 there Is currently no process fore getting cybercrlme victims' Information from natlonale security cases Into the FBI's Victim Notificatione System-the FBI system used to Inform crime victims ofe their rights e U eQuality and Consistency of Leads The qualitye of leads set for victim notification varied depending one the author of the lead and lass-detailed leads oftene made It dlfflcult for agents who are not well-versed Ine the details of the case to make useful notifications toe victims According to FBI Spacial Agents expertencade with making cyber victim notifications for a notificatione to be helpful to a victim the followlng Informatione needs to be provided 1 Internet Protocol addressese affected by the mallclous activity 2 a date or range ofe dates 
the activity occurred 3 any Information aboute the attack that the victim can use to search for thee activity In their logs and 4 In national security cases e a section of unclasslfled Information that can be sharede with the victim e U eVlc tlm Engagement - We met with or receivede comments from 14 victims to discuss their Interactione with the FBI and found that the majority thought highlye of the FBI and those Interactions However somae victims complained about the tlmellness of thee notifications and whether the Information provided bye the FBI was adequate to remedlata the threat to Itse systems e 5ECA ET N8F8A N U Coordination with Other Government Agencies • We found several Issues In Instances where the FBI coordinates victim notifications with Other Government Agencies Victim Contact Planning calls which are lnteragency conference calls for coordinating Initial contact with victims were not conducted for all cyber Incidents that required coordination first by the Cyber Division Threat Prioritization Matrix then beginning In July 2015 by the National Security Council's Cyber Incidents Severity Schema Also DHS did not enter the victim notifications that lt conducted Into Cyber Guardian contributing to the incompleteness of data In Cyber Guardian According to DHS technical constraints contributed to Its difficulty entering cyber events Into Cyber Guardian Finally we found that some notifications were delayed because of the need to protect the Identities of victims Identified by another government agency U CyNERGY System to Replace Cyber Guardian In FY 2019 the FBI plans to replace Cyber Guardian with a new system called CyNERGY CyNERGY was still under development at the time of our audit so we were unable to thoroughly evaluate the system and make definitive judgments on Its performance We found that if the system performs as Intended some of the Issues we observed with Cyber Guardian such as logical Input errors and the ease of making changes to the system 
should be addressed However other concerns will remain without addltlonal fixes such as the need for CyWatch-an FBI Cyber Division unit that coordinates cyber Incident management-to manually Input data In the system and therefore rely on agents to use a specific type of lead category or to Index victims properly In addition we found that the FBI did not have controls In place to ensure that Cyber Guardian users were up to date with their training for handling Protected Critical Infrastructure Information which will also be an Issue with CyNERGY Finally the new system wfll also reside on the Secret enclave which will not solve the problem DHS says prevents It from easily entering Its data Into Cyber Guardian ii SECA ET NOFOA N SECRET NOFORN U AUDIT OF THE FEDERAL BUREAU OF INVESTIGATION'S CYBER VICTIM NOTIFICATION PROCESS U TABLE OF CONTENTS U INTRODUCTION 1 U Background 2 U Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2 U Presidential Policy Directive 41 United States Cyber Incident Coordination 3 U Agency Incident Response 4 U Attorney General Guidelines for Victim and Witness Assistance 4 U Cyber Victim Notification 5 U OIG Audit Approach 8 U AUDIT RESULTS 10 U Cyber Guardian System for Tracking Cyber Victim Notifications 11 U Reliability of Cyber Guardian Data 12 U Logical and Typographical Errors 12 U Victim Notification Leads 13 U Indexing Victims in Sentinel 16 U Tracking Victim Notifications in Restricted Access Cases 17 U Notifying Cybercrime Victims of their Rights under the Attorney General Guidelines · 18 U Quality and Consistency of Leads 20 U Victim Engagement 22 U Coordination with Other Government Agencies 23 U First Look and Victim Contact Planning Call 23 U Cyber Guardian Usage by Agency 24 U Challenges in Notifying Victims Identified by Other Government Agencies 27 SECAET NOFORN SECRET NOFORN U CyNERGY System to Replace Cyber Guardian 30 U CONCLUSION AND RECOMMENDATIONS 34 U STATEMENT ON INTERNAL CONTROLS 36 U STATEMENT ON 
COMPLIANCE WIT LAWS AND REGULATIONS 37 U APPENDIX 1 OBJECTIVE SCOPE AND METHODOLOGY 38 U APPENDIX 2 FEDERAL BUREAU OF INVESTIGATION'S RESPONSE TO THE DRAFT AUDIT REPORT 39 U APPENDIX 3 OFFICE OF THE DEPUTY ATTORNEY GENERAL'S RESPONSE TO THE DRAFT AUDIT REPORT 43 U APPENDIX 4 OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT 44 SECRET NOFORN SECRET NOFORN U AUDIT OF THE FEDERAL BUREAU OF INVESTIGATION'S CYBER VICTIM NOTIFICATION PROCESS U INTRODUCTION U The Federal Bureau of Investigation's FBI Cyber Division CyD is responsible for protecting the national security economic and information infrastructure of the United States from cyber intrusion activity 1 To accomplish these responsibilities CyD shares investigative information with cyber intrusion victims to protect compromised systems investigates losses and damages and helps prevent future attacks In addition the CyD provides administrative and operational support to the FBI's 56 field offices in all computer intrusion matters As of January 2018 the FBI had 721 Special Agents dedicated to cyber investigations including cyber victim notifications U According to FBI personnel victims of cyber intrusions are typically identified by the FBI or its partner agencies in the course of their investigative activities 2 As a result many cyber victims most of which are companies or organizations are unaware that they are victims of an intrusion until the FBI notifies them U The goal of the FBI's cyber victim identification and notification process is to mitigate ongoing and future intrusions at targeted entities 3 In addition the FBI must adhere to the Attorney General Guidelines for Victim and Witness Assistance AG Guidelines These AG Guidelines create a mandatory victim notification paradigm that requires federal investigators and prosecutors to identify victims of crime and notify them of the crime except when the notification would interfere with an ongoing investigation The 
CyD Policy Guide extends this requirement further by requiring cyber agents in coordination with operational stakeholders to consider victim notification even when it may interfere with an investigation 1 U A cyber Intrusion Is an event occurring on or conducted through a computer network that actually or Imminently jeopardizes the Integrity confidentiality or avallablllty of computers Information or communications systems or networks physical or virtual Infrastructure controlled by computers or Information systems or Information resident thereon 2 U The Attorney General Guidelines for Victim and Witness Assistance define a victim as a person that has suffered direct physical emotional or pecuniary harm as a result of the commission of a crime includlng cases where the victim Is an Institutional entity 3 U Targeted entitles Include both victims of a cyber-compromlse or Intrusion and those that may be targeted but have not yet suffered a compromise or intrusion SECRET NOFORN 1 SECRET NOFORN U Background U Executive Order 13636 on Improving Critical Infrastructure Cybersecurity E O 13636 issued in 2013 and Presidential Policy Directive 41 PPD-41 United States Cyber Incident Coordination issued in 2016 have helped establish the FBI's current cyber victim notification responsibilities The CyD's strategic objective is to proactively identify pursue and defeat cyber threat perpetrators while protecting the freedom privacy and civil liberties of U S persons The nature of technology including the internet further demands that the FBI approach each cyber threat through coordinated partnerships with government agencies Victim notification is a compelling way for the CyD to contribute to network defense for the protection of individual commercial and government users of the internet as well as for the protection of the infrastructure itself It is CyD's policy to notify and disseminate meaningful information to victims and the computer network defense community in a timely 
manner to the extent to which it does not interfere with ongoing law enforcement or U S Intelligence Community investigations operations methods sources or technologies U FOUO In a computer intrusion investigation the victim that receives notification is the individual organization or corporation that is the owner or operator of the computer at the point of compromise Victims are identified to the extent possible by the FBI and its partner agencies during investigations of suspected cybercrimes and cyber-related threats Without appropriate notification victims may be unaware they have suffered an intrusion and may not take steps to limit or miti ate the dama e done b the intrusion and stren then their c ber defenses other presidentia directives have ad notification U Executive Order 13636 Improving Critical Infrastructure Cybersecurity U Coordination between the FBI and its partner agencies is critical for timely and efficient notification of cyber victims E O 13636 addressed the need for such cooperation and mandated steps to improve the process SHNF With regard to cyber victims E O 13636 Section 4 b required the establishment of a system for tracking the production dissemination and disposition of cyber incidents The National Security Council required the National Cyber Investigative Joint Task Force NCIJTF to lead the development and SECRET NOFORN 2 SIEEiAA' N9F9AN • • • domestic law enforcement response to criminal and national security cyber intrusions targeted entity notifications and cyber incident management U According to the FBI Cyber Guardian was a temporary solution designed to quickly comply with the mandate contained in E O 13636 Section 4 b The FBI is currently developing a system called CyNERGY to replace Cyber Guardian U Presidential Policy Directive 41 United States Cyber Incident Coordination U PPD-41 proscribes policy for U S cyber incident coordination PPD-41 sets forth the principles governing the federal government's response to any cyber 
incident whether involving government or private sector entities For significant cyber incidents PPD-41 establishes lead federal agencies and an architecture for coordinating the broader federal government response PPD-41 also requires the Department of Justice and the Department of Homeland Security OHS to maintain 4 U The NOJTF was established to serve as the natlanal focal point for the U S government's coordination Integration and Information sharing to support cyber threat Investigations supply and support Intelligence analysls for community decision-makers and provide value to other ongoing efforts In the fight against the cyber threat to the nation National Security Presldentlal Dlrectlve-54 Homeland Security Presidential Dlntd lve-23 signed on January 8 2008 directed the creation of the NOJTF and appointed the FBI as the lead agency SEEiAET N9F9AN 3 SECRET 'NOFORN updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents UJ Agency Incident Response U For significant cyber incidents the Department of Justice acting through the FBI is designated as the lead agency for threat response activities because significant cyber events often involve the possibility of a nation-state actor or have some national security nexus 6 Threat response activities include conducting appropriate law enforcement and national security investigative activity at the affected entity's site collecting evidence and gathering intelligence providing attribution linking related incidents identifying additional affected entities identifying threat pursuit and disruption opportunities developing and executing courses of action to mitigate the immediate threat and facilitating information sharing and operational coordination with asset response DHS is designated as the lead federal agency for asset response activities which include furnishing technical assistance to affected entities to protect their assets mitigate vulnerabilities 
and reduce impacts of cyber incidents U Attorney General Guidelines for Victim and Witness Assistance U The AG Guidelines establish guidelines to be followed by Department of Justice personnel in the treatment of victims of and witnesses to crime and apply to all personnel who are engaged in or support investigative prosecutorial correctional or parole functions within the criminal justice system The Victims' Rights and Restitution Act VRRA 42 U S C § 10607 2006 and the Crime Victims' Rights Act CVRA 18 U S C § 3771 2006 Supp III 2009 are the laws the form the foundation of the AG Guidelines 7 U Department personnel are required by law and under the AG Guidelines to identify victims of a crime notify them of their rights and offer them services as described in the AG Guidelines Victims however are not required to exercise their rights or to accept these services and may choose at any point in the criminal justice process to decline to receive further services or exercise their rights 6 U A significant cyber Incident Is a cyber-lncldent that ls-or group of related cyber Incidents that together are-likely to result In demonstrable harm to the national security Interests foreign relations or economy of the United States or to the public confidence civil liberties or public health and safety of the American people 7 U The Attorney General Guldelfnes refer to the Victims' Rights and Restitution Act 42 U S C § 10607 however that law was subsequently reclassified as section 20141 of Title 34 Crime Control and Law Enforcement SECRET NOFORN 4 EGAET N9F9AN U Cyber Victim Notification U F-OUO The CyD Policy Guide details when victim notifications should be conducted I Victim notifications can ori inate based on several sources of victim information victim self-reporting s are partner-agency inte igence or t roug FBI investigations or inte igence collection Once CyWatch receives information indicating that an entity has been victimized the FBI determines the severity of the 
threat and labels the incident based on the National Security Council's Cyber Incident Severity Schema The schema which is shown below provides a general definition of each level of severity and handling precedence for interagency coordination and targeted entity contact EGAA' N9F9AN 5 E6AET N9F9AN U F9Y9 Figure 1 National Security Council's Cyber Incident Severity Schem• kely to result in • demonstrable mpact to public health or safety atlonal security economic rtty foreign relations clvll lbertles or public confidence ay impact public health or safety atlonal security economic ecurtty foreign relations dvll lbertles or public confidence nlikely to impact public health or fety national security economic rtty foreign relations dvll lbertles or public confidence nsubstantlated or Inconsequential ·vent U Source FBI SEGAET N9F9AN 6 SECRET NOFORN U Once an incident is labeled CyWatch creates a lead in Sentinel the FBI's case management system and sends the lead to the appropriate Threat Manager 10 The Threat Manager reviews the information provided by the intelligence report and determines whether to notify the victim After CyWatch receives notification approval from the Threat Manager CyWatch sends a new Sentinel lead to the field office FO that covers the territory where the victim is located When the FO receives the lead it conducts the victim notification Contact with the victim is made in one of three ways 1 in person 2 via phone call or 3 through email Unless the FO has a prior relationship with the victim most of which are companies or organizations agents prefer to conduct the notification in person When contact is made with the victim the victim is under no obligation to cooperate with the FBI unless a subpoena or legal process has been issued Without improperly disclosing classified information the FBI will provide as much information as possible to the victim to allow the victim to mitigate the threat The FBI often asks the victim for permission to monitor 
the victim's system s to observe the adversary's activity and for the victim to provide activity logs for the affected systems 9 U The CyTRACKer Is an annual report that highlights computer Intrusion trends across critical Infrastructure sectors Including commercial transportation financial services healthcare defense communications and a host of other areas 10 U Sentinel provides electronic management of cases records tasks workflow and Items collected as evidence A lead Is a request for work to be done A lead may require action by the receiver or It may simply be for the purpose of transmitting Information In either case once the work Is complete the lead Is marked covered A lead may be sent to one or more receiving parties which Sentinel refers to as locations When a location receives a lead it ls assigned to a person to cover Threat Managers are GS-14 supervisors at CyD Headquarters that manage and coordinate the operational aspects for a specific threat SECRET NQFQAN 7 SECRET NOFORN U Figure 2 Cyber Victim Notification Process FBI FBI Field Office Victim Self Reporting • Victim Notification Other Govemment Agency ► Guardian Victim Notification Other Government Agencies U Victims can self-report cyber Incidents through Guardian which feeds Into Cyber Guardian or through the public access line which Is documented In Sentinel or they can report incidents directly to their local FBI field office a U Source OIG Review of FBI Data U OIG Audit Approach U The objective of this audit was to evaluate the FBI's processes and practices for notifying and engaging with victims of cyber intn 1sions Specifically we examined the FBI's adherence to E O 13636 Improving Critical Infrastructure Cybersecurity Presidential Policy Directive 41 United States Cybersecurity Incident Coordination and the FBI CyD Policy Guide 0853PG dated February 14 2017 as well as other related policies Our audit focused on the period following November 2014 when Cyber Guardian was first used to satisfy 
the requirements of E O 13636 Section 4 b SECRET NOFORN 8 SEGRET NOFORN U To accomplish our objective we interviewed FBI officials and conducted fieldwork at FBI Headquarters in Washington D C and several FBI field offices including Washington Boston New Haven Philadelphia Chicago and Baltimore We also met with personnel from the NSA and DHS In addition we met with 14 organizations that received victim notifications from the FBI to discuss those interactions The scope of our audit generally covered cyber victim notification activity from November 2014 to December 2017 approximately 20 000 Cyber Guardian entries Additional information about our approach to this audit can be found in Appendix 1 SEGRET NOFORN 9 SECRET NOFORN U AUDIT RESULTS U The FBI established Cyber Guardian to track the production dissemination and disposition of cyber victim notifications however we found the data within Cyber Guardian is incomplete and unreliable due to 1 logical and typographical errors 2 agents not setting leads properly 3 agents not indexing victims within the automated case management system-Sentinel-as required and 4 victim notifications linked to cases with restricted access in Sentinel not being tracked in Cyber Guardian Additionally we found that in response to the Attorney General Guidelines the Victim Services Division sends victim notification letters to victims in criminal cyber-cases but not to victims in cyber-related national security cases resulting in many victims that are not informed of their rights as required by the Attorney General Guidelines for Victim and Witness Assistance U We also found that that the amount of information and instructions for leads which are used to assign tasks to agents such as victim notifications varied depending on the author of the leads Leads that contained little detail often made it difficult for agents conducting the notifications to make useful notifications to victims Similarly we found that the timeliness and quality of 
cyber victim notifications affected victims' satisfaction with the process Seven of the 14 victims we met with said that they had received at least 1 notification too late or without enough detail to allow any meaningful remediation to be made At both FBI headquarters and field offices FBI cyber personnel acknowledged the timeliness of notifications is a problem With regard to quality due to national security classification the FBI cannot always share sufficient information to allow victims to take action to defend their networks or systems Victims and FBI Special Agents we interviewed told us that some cyber threat information is classified limiting the FBI's ability to provide victims with timely and actionable information Some Special Agents said they had to have the classification of certain information downgraded so it could be made available to a victim U Other Government Agencies OGA within the Federal Cybersecurity Centers are required to utilize Cyber Guardian and update information appropriately 11 We found the FBI enters the vast majority of incidents in Cyber Guardian however through our analysis it appears that DHS does not document the majority of the victim notifications it conducts in Cyber Guardian Without complete cyber victim data the FBI cannot determine whether all victims are being notified potentially making victims poorly positioned to defend themselves against cyber threats The FBI stated that Cyber Guardian would be a much more useful 11 U The Federal Cybersecurlty Centers Include the Defense Cyber Crime Center the Intelligence Community Security Coordination Center the National Cybersecurlty and Communications Integration Center the National Cyber Investigative Joint Task Force CyWatch the National Security Agency Central Security Service National Cyber Threat Operations Center and the United States Cyber Command Joint Operations Center SECRET NOFORN 10 SECRET NOFORN tool if OHS entered all of its victim notification information reducing 
the risk of duplicate victim notifications and identifying trends in current and emerging cyber threats As described in more detail later in the report OHS stated that technical constraints make it difficult for OHS to enter cyber events into Cyber Guardian Finally we found that the FBI did not have controls in place to ensure that Cyber Guardian users were up to date with their training for handling Protected Critical Infrastructure Information U Cyber Guardian System for Tracking Cyber Victim Notifications U In response to E O 13636 Improving Critical Infrastructure Cybersecurity Section 4 b the FBI established the Guardian Victim Analysis Unit and assigned it the responsibility creating a system for cyber victim tracking The FBI created Guardian for Cyber in response to E O 13636 Section 4 b and relied on the same code as the Counterterrorism Division's CTD Guardian system because it had the capability to transfer data between unclassified and classified systems or networks However the FBI found that operating a CyD system within the confines of a system built for CTD cases presented challenges such as having to rely on CTD to make changes to the system because CyD personnel did not have authority to make changes to the system Therefore in November 2014 Cyber Guardian was developed as a separate system and the data from Guardian for Cyber was manually transferred over to the new system At the time of our audit CTD Guardian and Cyber Guardian continued to share the same infrastructure and Cyber Guardian continues to rely on CTD Guardian system developers for changes and upgrades U FOUO Before September 2018 Cyber Guardian automatically ingested information at the unclassified level from iGuardian and InfraGard and Law Enforcement Sensitive information from eGuardian 12 Subsequent to our fieldwork on this audit the FBI told us that in September 2018 it changed the way cyber threat events from iGuardian and eGuardian were handled routing them to the field offices 
through CTD Guardian rather than to CyWatch through Cyber Guardian Additionally Cyber G u a t i o n from the FBI's case management at the Secret level system Sentinel and - 12 U Guardian is a platform through which the FBI's law enforcement partners provide potential terrorism-related threats and suspicious activity reports lnfraGard Is a partnership between the FBI and the private sector It Is an association of persons who represent businesses academia state and local law enforcement agencies and others dedicated to sharing information and Intelligence to prevent hostile acts against the United States The eGuardlan system collects and shares terrorism-related activities amongst law enforcement agencies across various jurisdictions The Information captured In eGuardlan Is also migrated to the FBI's Internal Guardian system SECRET NOFORN 11 SECRET NOFORN U The FBI and its NCIJTF partners use Cyber Guardian to manage and coordinate victim information The system is maintained by CyWatch on the FBI's Secret network 13 CyWatch provided us with a data export from Cyber Guardian which showed the Targeted Entities and Cyber Incidents in Cyber Guardian as of December 2017 According to the data as of December 2017 Cyber Guardian had 16 409 cyber incidents and 20 803 victim notifications including older incidents transferred from previous databases U Reviewing the data provided we found that the information on cyber events in Cyber Guardian includes but is not limited to the • • • • • • • • targeted entity's name 14 serial number to identify the incident statuses of the incident and the notification date and time of the notification if one was made priority level threat actor type agency that identified the event and targeted entity and agency that conducted the victim notification if one was made U Reliability of Cyber Guardian Data U We could not completely assess the notification process and determine whether victims were notified timely because during our audit we 
identified missing and inaccurate data Specifically our review found issues with Cyber Guardian data including logical and typographical errors incorrect types of leads used in Sentinel incorrect indexing of victims in Sentinel and data from restricted cases not being entered into Cyber Guardian These issues are discussed in greater detail below U Logical and Typographical Errors U We reviewed notification data from Cyber Guardian and found several issues with the quality of the data For example we found errors with at least 61 notifications which according to the data in Cyber Guardian took place before the incident was observed by the reporting agency 15 In these examples the Date Time Notified was a date earlier than the Incident Observed Date Time We also found typographical errors related to the manual entry of data into the 13 U The Guardian Victim Analysis Unit was Incorporated into the CyWatch Unit at the NCIJTF 14 U Within CyD investigations it is not always clear whether an entity was victimized or simply targeted by a threat actor therefore CyD uses the term Targeted Entity within Cyber Guardian 15 U The reporting agency can be any of the member agencies of the NCIJTF SECRET NOFORN 12 SECRET NOFORN system Specifically we found instances in which victim identifiers such as names of entities cities and states were spelled incorrectly Similarly some entities were entered with many variations for example U S Air Force US Air Force or U S Department of the Air Force Typographical spelling errors and name variations can potentially cause problems with duplicate notifications if a Cyber Guardian user searches for notifications made to a specific company or organization and finds no records in the system because the entity's name was misspelled or inconsistently entered Further these errors reduce confidence in the reliability of the data contained within Cyber Guardian U We discussed these issues with CyWatch officials and they acknowledged that data input 
errors are a concern Those officials said that Cyber Guardian does not have controls that would prevent users from inputting dates that do not make logical sense such as notifications that occur prior to a cyber-incident being detected They also stated that many errors were due to the manual effort to transfer data from the original Guardian for Cyber system into the newer Cyber Guardian system Because the accuracy of the data housed in Cyber Guardian is critical to coordinating the Government's response to cyber incidents as directed by E O 13636 we recommend that the FBI ensures there are appropriate logic controls for data that are manually input into Cyber Guardian and CyNERGY and that CyNERGY's data input is as automated as appropriate U Victim Notification Leads U Sentinel includes a lead function with a primary purpose to allow investigative work to be assigned to other units or field offices As it relates to victim notification an agent can identify a victim of a cybercrime in another area and set a lead in Sentinel requesting that the victim be notified by an agent in the field office responsible for the area in which the victim is located There are different types of leads that can be set in Sentinel including • • • Information Only Action and Victim Notification U In an effort to ensure all victim notifications are captured in Cyber Guardian CyWatch relies on a team of six contractors dedicated to quality assurance and data input who manually search Sentinel daily for victim notifications requested through Action leads and if found manually enter those notifications into Cyber Guardian However when agents set leads as Victim Notification leads those leads are flagged for CyWatch contractors to enter into Cyber Guardian U Victim Notification leads were added to Sentinel as part of a 2013 update In 2014 the FBI's CyD convened a Guardian for Cyber Focus Group focus group to evaluate the cyber victim notification process The focus group discussed SECRET 
impediments to cyber victim notifications and possible solutions to those impediments. The focus group concluded that it was burdensome to require agents in the field to enter victim information into both Sentinel and Cyber Guardian. Based on the focus group's conclusions, the CyD's Assistant Director directed field agents to only use Sentinel and made CyWatch responsible for ensuring that data is transferred between the two systems. The focus group also detailed the importance of proper data entry into Sentinel to ensure the information gets captured in Cyber Guardian. Two factors highlighted by the focus group to achieve improvements included that victims must be indexed as Victims in Sentinel and that leads for victim notification must use the Victim Notification lead type, not Action leads. Additionally, five "Lyne and Learn" training sessions were provided to CyD personnel to inform agents on the proper way to use Sentinel for documenting cyber incidents and victim notifications. However, these training sessions were a one-time offering and were not mandatory.

(U) During this audit, we visited six FBI field offices and discussed the victim notification process with cyber squad Special Agents and supervisory Special Agents. In our discussions, we found that 29 of 31 field agents we interviewed do not use the Victim Notification lead type when setting leads for victim notification. Five of the agents had not even heard of it. The agents with whom we spoke stated that they primarily used Action leads when requesting other field offices to conduct a victim notification and that the leads they receive for cyber victim notifications are also typically Action leads. In response to our raising this point, CyWatch said it believes that some agents are not sure which type of lead to use when multiple tasks are requested in the same lead, including victim notification and other strictly investigative tasks.

17 (U) We determined this by reading the leads and associated
Sentinel documentation and looking for key words and phrases such as "Please notify [person/organization] that they may have been targeted by a spear phishing campaign." Some were not obvious, but we used our professional judgment to determine whether or not the lead was for a victim notification.

(U) In another example, the victim's identity at the time of the intrusion was different than when the notification was made due to one company acquiring the other. The supporting documentation from Sentinel had the company's original name, but the new name was used for the record in Cyber Guardian. This again illustrates data accuracy issues that must be considered for Cyber Guardian users.

(U) We also found one notification that should have been in Cyber Guardian, and upon further research after we raised this concern, CyWatch discovered that several notifications found through a daily search of Sentinel were not transferred into Cyber Guardian. The reason for this was unclear, but this discovery highlights the risk of the manual search of Sentinel for victim notifications. This risk could be mitigated by increasing the automation of data entry into Cyber Guardian.

(U) Finally, a victim was notified by the FBI in one instance, but the notification was entered into Cyber Guardian under his employer's name. These examples show why the quality of the data in the system is important for users who want to check the system to determine whether a victim has already been informed prior to making a notification.

(U) Using Action leads to request victim notifications increases the risk that notifications are not tracked in Cyber Guardian as required by E.O. 13636 and increases the chance of duplicate notifications by another agency that cannot see that the victim was already notified. According to the FBI, duplicate notifications may damage the FBI's relationship with the private sector by making the Government appear unprofessional and disorganized,
and those relationships are essential for information and intelligence sharing. In addition, agents have expressed concerns that another agency conducting a duplicate notification could "spook" a cooperating victim that agreed to consensual monitoring or compromise ongoing Foreign Intelligence Surveillance Act collections, thereby jeopardizing sensitive intelligence collection.[19] Therefore, we recommend that the FBI strengthen controls for ensuring that victim notifications are tracked in Cyber Guardian, to include agents using Victim Notification leads in Sentinel as required by CyD Policy Guide 0853PG.

(U) Indexing Victims in Sentinel

(U) In addition to using Victim Notification leads in Sentinel, it is also important that victims are correctly indexed as Victims in Sentinel. Indexing is a function in Sentinel that allows agents to connect entities and attributes within the case management system. For example, if an agent indexes John Doe as a Victim and associates an Internet Protocol (IP) address, a particular threat actor, and a method of attack used against that person, it will allow agents in other cases to discover potential connections between cases. Further, for victim notification tracking, indexing an entity as a Victim allows CyWatch to find and manually transfer victim notification information from Sentinel to Cyber Guardian. CyWatch searches Sentinel for recently indexed victims that are associated with cyber cases.

19 (U) Consensual monitoring is when a victim voluntarily agrees to let the FBI monitor the activity on the victim's systems to gather evidence of illicit activity by the cyber threat actor.

(S//NF) Using a risk-based approach, we selected a National Security Cyber case ([redacted] Cyber Case A) to determine how entities were indexed in Sentinel. We identified [redacted] indexed [redacted] Cyber Case A and showed 99 percent were indexed as References and 1 percent were indexed as Victims. Because there were so few victims indexed in this case, we were concerned that victim
notifications made in this case were not tracked in Cyber Guardian. To address our concerns, we reviewed [redacted] from the case, accounting for approximately 30 percent of the [redacted], and found [redacted] incorrectly indexed as References. Of those [redacted], the Sentinel documentation showed that [redacted] notified. We were only able to [redacted] 34 percent [redacted] notifications listed in Cyber Guardian. CyWatch confirmed that the 66 percent [redacted] victim notifications were not in Cyber Guardian. These notifications dated back to 2014, during the transition between Guardian for Cyber and Cyber Guardian. According to CyWatch, notifications associated with National Security cases were not fully entered into Cyber Guardian until the end of 2015, as the initial focus was on criminal cyber intrusion cases.

(U) Cyber Guardian relies on agents properly indexing victims in Sentinel in order to capture all victim notifications. Therefore, we recommend that the FBI ensures that agents index Victims in Sentinel as required by the Indexing User Manual for Sentinel to support FBI investigative and administrative matters.

(U) Tracking Victim Notifications in Restricted Access Cases

(U) An especially sensitive case can have access to its Sentinel case file restricted with approval of the division's Assistant Director. A case's files can be restricted when the investigation involves the protection of sources whose lives are at risk, or when unauthorized disclosure of the subject of the investigation or intelligence topic creates substantial and serious risk. Details of restricted cases can only be viewed by the agents investigating the case, their chain of command, and other personnel specifically provided with access. Sentinel users that search the system may find results from restricted cases, but the details will be masked.

(U) CyWatch demonstrated for us the restricted case capability using one of the multiple restricted cyber intrusion cases related to one of the victims with whom we spoke. The results of a search of the case number in Sentinel returned a list of
documents in the case file, but when the files were opened, all of the text was replaced with Xs.[20] This sample case involved multiple victims. Some of the victim notifications from this case appeared in Cyber Guardian; this occurred when the victim was identified through [redacted] that was sent directly to CyWatch.[21] As anticipated, CyWatch [redacted] a few of the notifications from our sample case were in Cyber Guardian. All of those notifications resolved back to one or more restricted cases, including our sample case.

20 (U) Restricted cases can also be set up so that if a Sentinel user searches for names or other details of a restricted case, no search results are returned, but the case agent is notified that someone was searching for details of that case.

(U//FOUO) As with non-restricted cases, victim notifications are automatically entered into Cyber Guardian if the agent sets the leads in Sentinel as Victim Notification leads or if the victims were identified [redacted]. However, unlike non-restricted cases, when CyWatch conducts its daily review of Sentinel for victim notifications that were not automatically included in Cyber Guardian, it can only see that a notification was conducted for a restricted case. CyWatch cannot view any of the pertinent information necessary to create a Cyber Guardian entry, such as the name of the victim or any details of the threat. Although we did not determine the number of cyber victim notifications associated with restricted cases, we found evidence that suggested this issue may be significant. Victim notifications from restricted cases not being entered in Cyber Guardian increases the risk of a U.S. Government agency conducting a duplicate notification to a victim and possibly compromising an ongoing FBI investigation or intelligence collection operation. Therefore, we recommend that the FBI ensure that all cyber victim notifications conducted in the course of restricted investigations are appropriately tracked in Cyber Guardian.

(U) Notifying
Cybercrime Victims of their Rights under the Attorney General Guidelines

(U) In addition to improving the accuracy of Cyber Guardian, indexing victims of cybercrime as Victims in Sentinel also has an effect on whether the victims are notified of their rights as required by law. When entities in Sentinel are indexed as victims, Victim Specialists, who fall under the purview of the FBI's Office of Victim Assistance (OVA) within the Victim Services Division, begin the process of informing victims of their rights. The AG Guidelines apply to all personnel in the Department of Justice who are engaged in or support investigative, prosecutorial, correctional, or parole functions within the criminal justice system.[22] Department personnel are required to identify victims of a crime, notify them of their rights, and offer them services as described in the AG Guidelines.[23] According to the OVA, the primary methodology for notifying cyber victims of their rights is by letter. However, two agents that we met with at two different field offices stated that they were aware of agents not indexing victims in Sentinel as Victims because those agents do not want the victim to receive the OVA notification. An agent told us that he does not index victims in Sentinel because he is afraid that the letter will jeopardize fragile agreements with the victims to allow consensual monitoring of their systems. This agent said that it is sometimes difficult to persuade a victim to agree to consensual monitoring and that monitoring provides valuable intelligence.

22 (U) The Attorney General Guidelines for Victim and Witness Assistance are based on the Victims' Rights and Restitution Act of 2006 and the Crime Victims' Rights Act of 2006, supplemented in 2009.

(U) For Cyber Case A, discussed previously in the Indexing Victims in Sentinel section of this report, we sent to OVA all 44 victim notifications we identified in that case to determine whether those victims received victim notification
letters or were notified of their rights under the AG Guidelines in any other way. OVA informed us that none of the 44 victims received notification from OVA. OVA stated that it does not send out victim notification letters to victims identified in national security cyber cases; it only sends notification letters to victims in criminal cyber cases with a 288A case classification code, which is the designation for criminal cyber intrusion cases.

(U) To track the status of the victim notifications, the OVA uses the Victim Notification System, an unclassified system used by the Department and other components that provides important information to victims.[24] Criminal cyber cases in the 288A classification code, which contain only unclassified information, are automatically entered into the Victim Notification System from Sentinel. However, since much of the information in national security cyber cases is classified, the Victim Notification System does not automatically ingest information from national security cases. There are only two ways that a victim from a national security cyber investigation would receive a victim notification letter: (1) if an FBI cyber agent received a Victim Notification lead, covered the lead, and documented the notification in an unclassified electronic communication which was referenced to a 288A administrative case file; or (2) if a cyber agent specifically asked a victim specialist to send a letter to a specific victim. The OVA acknowledged that both scenarios are unlikely. In fact, according to OVA personnel, they searched the Victim Notification System and found information from only one national security cyber case. OVA personnel stated that even that one case should not have made it into the system. Because Cyber Case A was a national security case, it was unclear whether OVA did not send letters to the victims identified in the case only because the case was a national security case or if the victims not being indexed properly contributed to the problem.

23 (U) Victims, however, are not required to exercise their rights or to accept these services and may choose at any point in the criminal justice process to decline to receive further services or exercise their rights. Investigators are given latitude to not make notifications if it would negatively affect the investigation; however, if the victims have been notified of the fact that they were victimized, it should be appropriate to inform them of their rights as well.
24 (U) The Victim Notification System is a Department of Justice system used by the FBI, Federal Bureau of Prisons, United States Attorneys' offices, and the United States Postal Inspection Service.

(U) OVA informed us that it is aware of gaps in coverage for advising cybercrime victims of their rights. OVA provided three reasons for these gaps:
1. The AG Guidelines are out of date with respect to victims of cybercrime.
2. There is no widely accepted definition of what constitutes a victim of cybercrime.
3. There is currently no process for getting cybercrime victims' information from national security cases into the Victim Notification System.

(U) We discussed these issues with the Department of Justice Office of the Deputy Attorney General (ODAG). The ODAG is part of the Department of Justice's Cyber-Digital Task Force, which is tasked with "canvassing the many ways that the Department is combatting the global cyber threat, and identifying how federal law enforcement can more effectively accomplish its mission in this vital and evolving area." ODAG told us that it would consider updates to the AG Guidelines and a generally accepted definition of a cyber victim, and it would present these issues to the task force.

(U) While investigators are given latitude to not make notifications if it would negatively affect the investigation, we found that victims have been notified of the fact that they were victimized but not informed of their rights under the AG Guidelines. Since the FBI determined it was operationally
safe to notify the entities of their victimization, it should be appropriate to inform them of their rights as well. Due to these gaps in coverage, not all victims are being informed of their rights according to the AG Guidelines. Therefore, we recommend that the Department of Justice coordinate with the FBI's Cyber Division and update, as necessary, the Attorney General Guidelines for Victim and Witness Assistance to incorporate the nuances of cyber victims. In addition, we recommend that the FBI clearly define what constitutes a victim of cybercrime for the purposes of indexing victims in Sentinel and to ensure that all victims of cybercrime are informed of their rights under the AG Guidelines, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate.

(U) Quality and Consistency of Leads

(U) During our interviews of cyber agents at FBI field offices, agents expressed concerns about the content of leads they received requesting victim notifications. These agents said that the quality of leads varied depending on the author of the lead, and less-detailed leads often made it difficult for agents who are not well versed in the details of the case to make useful notifications to victims. We believe this problem is the result of two factors. First, different field offices conduct business in different ways, so some field offices send more detailed leads than others. Second, CyD Policy Guide 0853PG explains when victim notifications should be made, but it does not explain what information should be included in leads requesting a notification or the minimum amount of information needed to conduct a notification.

(U) We asked agents who expressed concerns about the quality and consistency of the leads they receive what information they need to be able to conduct a useful victim notification. The following is what they told us should be provided to victims in order to be helpful:
• IP addresses affected by the malicious activity,
• a date or
range of dates the activity happened,
• any information about the attack that the victim can use to search for the activity in their logs, and
• an unclassified tear-line for information to share with the victim.[25]

(U) Additionally, as discussed further in the next section of this report, we met with victims of cybercrime that told us that the quality of the information provided by the FBI at times lacked substance, making it difficult to pinpoint where the intrusion entered their system. FBI officials acknowledged issues with both the timeliness and quality of information it provides. The FBI said those issues were usually the result of classified information being involved. The intelligence the FBI receives from OGAs is almost always classified at a level of Secret or above. Agents will attempt to get as much information downgraded to the unclassified level as possible to ensure the information given to the victim is actionable. Overall, in our interviews with victims, we were told that each notification, to be useful, should include the date and time the intrusion occurred, an infected IP address, and what activity was observed.

(U) When insufficient information is shared with the victim, the victim may not be able to mitigate the threat, and the relationship between the FBI and the victim (potentially a source of evidence or intelligence in the FBI's cyber mission) can be damaged by diminishing the FBI's credibility as a partner. The relationships between the FBI and the private sector are important sources of intelligence and evidence for ongoing investigations. Therefore, to ensure consistency and effectiveness of victim notifications and to promote partnerships between the FBI and victims, we recommend that the FBI update Cyber Division Policy Guide 0853PG to include a minimum requirement for information that should be included in a victim notification and in victim notification leads.

25 (U) A tear-line is a section of text classified at a level lower than the rest of a document for the purpose of increased ability to share the information. For example, a classified report on a cyber intrusion may have a secret-level tear-line to allow some of the information to be documented in Sentinel and an unclassified tear-line to allow information to be shared with a victim that does not have security clearance.

(U) Victim Engagement

(U) From the Cyber Guardian data provided by the FBI, we selected and either met with or received comments from 14 victims of cybercrime that had received victim notifications from the FBI. We asked the victims to discuss their interactions with the FBI so we could learn how the notifications worked from the victim's perspective. Specifically, we discussed how the notifications took place and whether the notifications were effective from their perspective as victims. The victims we met with came from various sectors, industries, and organizations, including:
• local and federal government,
• the private sector, including the technology and manufacturing sectors,
• universities, and
• public utilities.

(U) For the 14 victims we met with or received comments from, all of the victim notifications made were initiated by a phone call or an in-person meeting with an agent. According to FBI agents that we interviewed, a cyber victim notification is both a service (providing the victim with indicators of compromise and other information about the attack) and an opportunity to develop or enhance a working relationship with the victim. Relationships are vital to the FBI's cyber mission because they help the FBI gather information about cyber threats by gaining consensual access to information and networks of personnel with expertise about cyber-related topics. Victims are under no obligation to cooperate with the FBI to further the investigation of an intrusion and can deny the FBI's services. Ongoing relationships also simplify communication with victims that suffer multiple intrusions. A victim official is much more likely to take a phone
call from an agent that person already knows, ultimately saving time and resources. Additionally, we were told that developed relationships also foster information sharing. Of the 14 victims with whom we discussed these interactions, 13 said they proactively share information with the FBI through the local FBI field office.

(U) Although many of the victim organizations we interviewed spoke highly of the FBI and their close relationships with their respective field offices, half of the victims we met had complaints with the timeliness and quality of the information provided. Additionally, of those 14 victims, 4 (29 percent) were not satisfied overall with their interactions, including one instance in which the FBI notified the wrong point of contact. Timely notification is critical because victims rely heavily on the information provided by the FBI to remediate the threat with as little damage to their infrastructure as possible. Because victims often keep information such as network logs for a limited time, the information provided to the victim needs to be recent. In one instance, a company told us it received a victim notification for an event that took place 9 months prior. Although the information the company received from the agent was thorough, the company had issues obtaining logs that dated back 9 months and was forced to bring in a third-party remediation firm to alleviate the problems associated with the intrusion. The FBI cannot always control the amount of time that elapses between the date of a cyber intrusion and when the intrusion is discovered; however, it can control how long it takes to notify the victim once the attack and victim have been identified. Therefore, we recommend that the FBI establishes timeliness standards in the Cyber Division Policy Guide 0853PG for cyber victim notifications, as appropriate.

(U) Coordination with Other Government Agencies

(U) Cooperation and coordination with OGAs conducting notifications to victims of cybercrime
is important to avoid missed or duplicative victim notifications. In order to facilitate this coordination, the agencies that comprise the other Federal Cybersecurity Centers employ the First Look Standard Operating Procedures, use Victim Contact Planning Calls, and use the Cyber Guardian System.

(U) First Look and Victim Contact Planning Call

(U) The First Look Standard Operating Procedures are maintained by both the FBI's CyWatch and DHS's NCCIC and dictate how to coordinate the U.S. government's response to newly discovered cyber incidents. This process covers activity from the initial identification of a developing cyber incident to victim notification. An agency with victim contact responsibilities, such as one of the NCIJTF partner agencies, that becomes aware of a developing cyber incident will determine whether the incident warrants a Victim Contact Planning Call (VCPC). VCPCs are interagency conference calls for coordinating initial contact with victims. If the engagement thresholds are met, the identifying agency will make a request to the Federal Cybersecurity Centers that a VCPC be scheduled. The identifying agency is responsible for facilitating and guiding the discussion during the call.

(U) The First Look Standard Operating Procedures state that initial contact of cyber victims should be coordinated if the incident poses a threat to national security or critical infrastructure, involves cyberterrorism, or has the potential to impact multiple sectors or to have cascading impacts across sectors. The FBI is responsible for all investigative matters related to the incident, while DHS is responsible for matters related to mitigation of the victim network and evaluation of the risk to critical infrastructure and key resources.

(U) According to the First Look Standard Operating Procedures, VCPC participants should discuss all aspects of victim contact, including investigation and mitigation options. The objective of the VCPC discussion is to generate a coordinated plan for initial contact
and subsequent engagement with the victim of a cyber incident. All relevant information regarding the incident, including known actors, ongoing threat activity, and mitigation efforts, should be shared during the call. This information sharing is intended to ensure a comprehensive and coordinated response effort. The goal is for a VCPC to take place within 4 hours of the identification of a developing cyber incident. If a developing cyber incident is identified outside of business hours, the goal is to conduct a VCPC within the first 4 hours of the next business day, unless the nature of the incident dictates a more urgent response.

[redacted]

We found that the low number of incidents with at least a Medium severity ranking may be the result of the Severity Schema itself. We were told by the FBI that the elements of the Severity Schema are subjective and two agents may score the same incident differently, which contributes to the small number of incidents that were classified as Medium during this time period.

(U) We recommend that the FBI ensures Victim Contact Planning Calls are conducted for all cyber incidents that are labeled Medium and above on the National Security Council's Cyber Incidents Severity Schema.

(U) Cyber Guardian Usage by Agency

(U) The FBI's partner agencies that participate in the NCIJTF have access to Cyber Guardian and the responsibility to update the system as appropriate. However, according to CyWatch, the FBI enters the bulk of data contained in Cyber Guardian. CyWatch tracks usage of Cyber Guardian by all users and provided us with the following summary of cyber incidents entered in the system by NCIJTF agencies:

26 (U) Prior to the adoption of the National Security Council's Cyber Incidents Severity Schema in July 2015, the FBI used the Cyber Threat Prioritization Matrix, which required coordination on cyber incidents classified at priority level three (Elevated) or higher, which is roughly equivalent to the current severity schema.
[Table of cyber incidents entered in Cyber Guardian by NCIJTF agency not reproduced in this extraction]
(U) Source: FBI

(U) E.O. 13636 directs both the Departments of Justice and Homeland Security to develop and use a system to track and disseminate victim notifications, and the system created to meet this requirement is Cyber Guardian. However, according to the Cyber Guardian usage data, it appears that DHS is not entering data into the system appropriately. According to the FBI, DHS regularly conducts victim notifications but does not enter the corresponding information into Cyber Guardian, potentially creating many notifications that are not being tracked as required by E.O. 13636.

[redacted]

27 (U) Traffic Light Protocol includes four colors that indicate how widely the information's originator will allow the referenced information to be disseminated: Red (cannot be disseminated outside named individuals); Amber (limited within the recipient's organization to others with a need to know); Green (community wide, not to be posted publicly); and White (unlimited distribution).
28 (U) An equity evaluation is a review to determine whether disclosure of that information will negatively impact an investigation or intelligence operation.

(U) We spoke with the FBI and DHS regarding these examples and received conflicting information. While we were unable to definitively determine the root cause of the issues described in the preceding paragraphs, these examples demonstrate communication issues between the FBI and OGAs, which can lead to disjointed victim notifications. Therefore, we recommend that the FBI pursue a mutually agreeable solution with DHS for ensuring all victim notification data is entered into Cyber Guardian. We also referred this matter to the DHS Office of Inspector General to take action as it deems appropriate.

(U) Challenges in Notifying Victims Identified by Other Government Agencies

(U) As stated in E.O. 13636, "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.
S. private sector entities so that these entities may better protect and defend themselves against cyber threats."

(U) In addition to victims self-reporting cyber attacks and the FBI identifying victims during the course of its investigations, OGAs will also report potential victims to the FBI. While Cyber Guardian contains data on when a cyber threat was first observed, the victim was identified, and the victim was notified, due to the issues we found with the reliability of Cyber Guardian's data we were unable to rely on the data in Cyber Guardian to determine the average length of time between observation of a cyber threat and notification of the victim. Victim notifications can occur a long time after the attack for reasons beyond the controls of the notification process. For example, if an attack is not discovered immediately, a substantial time may pass between the attack and the notification. However, we also found delays in the notifications of victims identified by OGAs.

[redacted]

29 (U) Masked U.S. identities include individuals' and organization names as well as U.S. Internet protocol addresses.

[Table not reproduced in this extraction]
(U) * For FY 2018, the numbers are year to date as of January 11, 2018.
(U) Source: FBI

(U) CyNERGY System to Replace Cyber Guardian

(U) The FBI estimated the development costs for Cyber Guardian from 2014 through 2017 were approximately $2.2 million.[30] This includes the cost of a team of eight contractors responsible for software development. From 2015 through 2017, Operations and Maintenance costs were approximately $2.5 million.[31]

(U) According to CyWatch, Cyber Guardian was intended to be an interim solution to the E.O. 13636 Section 4(b) requirement. As a result, in 2014 the NCIJTF formed a Joint Requirements Team (JRT) to determine the features needed in a new permanent system to replace Cyber Guardian. The JRT was co-led by DHS, the Department of Justice, and the Department of Defense and included the following agencies:
• DHS NCCIC,
• FBI,
• Defense Cyber Crime Center,
• Defense Security Service,
• NSA, and
• Other DoD Components, which included sector specific agencies and other government agencies interested in participating.

(U) The requirements proposed by the JRT were accepted by the National Security Council and memorialized in an April 10, 2015, document titled Executive Order (E.O.) 13636 Section 4(b) Support Capability Requirements for Notification of Critical Infrastructure Targeted Entities. The new system is named CyNERGY, and the FBI's Information Technology Branch began developing CyNERGY in 2016.

(U) The costs of developing and maintaining CyNERGY are projected to be twice the costs for Cyber Guardian, and between FY 2016 and FY 2018 development costs for CyNERGY are projected to be approximately $4.9 million.[32] Operations and maintenance costs for CyNERGY are projected to be approximately $4.2 million during the same time period, for an average of $1.4 million per year.

30 (U) The same developers supported both Guardian and Cyber Guardian and did not log their time between the two systems; therefore, the FBI relied on an estimate from the vendor on the breakout of development costs between the two systems.
31 (U) Operations and maintenance costs, for the purpose of this report, include support staff for hardware, such as database and system administrators, hardware costs, and software costs, such as licenses and maintenance.

(U) In November 2017, CyWatch provided us with a demonstration of CyNERGY, which the FBI aims to deploy in FY 2019. After deployment, the FBI intends to enhance it with additional features. At initial deployment, CyNERGY will have a simplified data input utilizing only the fields used most often in Cyber Guardian, including the:
• title of the cyber event and classification of the title,
• reporting agency and related reference number,
• receipt method,
• activity type,
• event date and time, and
• victim's information.

(U) Because CyNERGY was designed and built
specifically for CyD future changes should be much easier to make than they were with Cyber Guardian because changes will no longer need to be made by the Counterterrorism Division CyWatch demonstrated some of CyNERGY's features that should be improvements over Cyber Guardian One of those features queries Dun Bradstreet's database to automatically load the Data Universal Numbering System DUNS number for each victim 33 This should help lower the risk of duplicate notifications and identify previous notifications because DUNS numbers are unique and not subject to how a particular user enters a company's name into the system According to CyWatch another control it plans to implement will provide validity checks along with automated checks against FBI information databases to limit the manual entry of specific fields further limiting the risk of typographical errors U CyWatch also showed us the dashboard area of the system which shows pertinent information in a more visually appealing and easy to understand format From this view users can easily see metrics about • • • outstanding victim notifications the time between the date of attack to the event being entered in CyNERGY and the time between entry in CyNERGY and notification of the victim 32 U Both the development costs and operations and maintenance costs Include projections for FY 2018 33 U The DUNS number Is a unique nine-character number used by Dun and Bradstreet to maintain up-to-date Information on more than 285 million global businesses Including Information on companies' parent and sister companies SECRET NOFQRN 31 SECRET NOFORN Additionally users from any NCIJTF agency should be able to make changes to many aspects of a cyber-event or notification including • • • what agency is responsible for the notification the severity of the event and equity evaluation CyWatch explained that changes to an entry about an incident will be logged in an auditable way and all users who have a role in that entry will be 
alerted via automatic email when changes are made 34 U As mentioned earlier OHS has requested that a machine-to-machine application programming interface be included in CyNERGY to automatically transfer victim notification data from its internal tracking system into CyNERGY OHS does not believe the feature will be in the initial version of the system but it is confident the feature will be in a subsequent version OHS expressed concerns that both the current system Cyber Guardian and the new system CyNERGY do not have controls in place to ensure that users are certified to handle Protected Critical Infrastructure Information PCII PCII is critical infrastructure information that is voluntarily shared with the federal government for homeland security purposes and is protected by the Critical Infrastructure Act of 2002 We discussed this with CyWatch and it told us that the FBI ensures that new Cyber Guardian users submit proof that they have completed PCII Authorized User training on the proper handling and safeguarding of PCII before being granted access to Cyber Guardian However CyWatch admitted that once a user is granted access there are no controls in place to ensure that the user takes the training annually as required to maintain authorization to handle PCII Therefore we recommend that the FBI implement controls to ensure that all users of Cyber Guardian and subsequently CyNERGY are certified to handle PCII U CyNERGY was still under development at the time of our audit so we were unable to thoroughly evaluate the system and make definitive judgments on its performance However based on the system requirements document and the demonstration provided by CyWatch we believe that if implemented according to plan there will be improvements over Cyber Guardian While CyNERGY should address issues we identified with Cyber Guardian we also found that some issues present in Cyber Guardian will likely remain in CyNERGY For example CyNERGY will rely on FBI agents using Victim 
Notification lead types for automatic ingest of FBI notifications through Sentinel As a result CyWatch will still need to search Sentinel for missed victim notifications to manually input into CyNERGY and similar to the current process this manual search will rely on agents properly indexing victims in Sentinel In addition CyNERGY will reside on the secret enclave and will 34 U Roles Include notifier mltlgator Investigator observer and outreach SECRET NOFORN 32 SEGRET NOFORN not solve the issue with DHS having difficulty entering information into Cyber Guardian These problems may result in manual errors therefore we recommend that the FBI ensures that CyNERGY's data input is as automated as appropriate SECRET NOFORN 33 SEGRET NOFORN U CONCLUSION AND RECOMMENDATIONS U We found that in response to Executive Order 13636 Improving Critical Infrastructure Cybersecurity Section 4 b the FBI in conjunction with partner agencies developed and deployed Cyber Guardian a system to track and disseminate notifications to victims of cybercrime Although FBI and DHS personnel agree that the coordination of victim notifications has improved significantly since E O 13636 was signed and while Cyber Guardian has been a useful tool for this purpose we found issues with the completeness and the quality of the data stored in the system The system relies too heavily on manual input of data that leads to errors and poor data reliability U We also found that FBI cyber agents are not following procedures for setting victim notification leads or indexing victims properly resulting in some notifications not being tracked in Cyber Guardian as required The FBI also needs to ensure that notifications made to victims identified in restricted access cases are properly tracked in Cyber Guardian The CyD Policy Guide 0853PG details when notifications should be made to victims of cybercrime which can help victims mitigate the damage caused by current and future intrusions and increase the potential for 
intelligence collection by the FBI but does not describe how to conduct those notifications We found that this has led to inconsistency in the quality of leads sent between field offices which in turn negatively affects the quality and timeliness of notifications made to victims of cybercrime Half of the victims we met with complained that they have received at least one notification too late or without enough detail to allow the victims to mitigate the threats to their systems although sometimes this is due to factors outside the FBI's control Despite DHS being identified as a partner to the FBI in E O 13636 we found that DHS is not entering data into Cyber Guardian as required The FBI is developing a new system called CyNERGY to replace Cyber Guardian and although we were unable to test the system we believe that if CyNERGY operates as intended it could provide improvements to the current system However CyNERGY will still rely on manual data entry Finally victims of cybercrimes investigated in national security cases are not being notified of their rights in accordance with the Attorney General Guidelines for Victim and Witness Assistance U We recommend that the FBI 1 U Ensure there are appropriate logic controls for data that is manually input into Cyber Guardian and CyNERGY and that CyNERGY1s data input is as automated as appropriate 2 U Strengthen controls for ensuring that victim notifications are tracked in Cyber Guardian to include agents using 11Victim Notification leads in Sentinel as required by Cyber Division Policy Guide 0853PG SECRET NOFORN 34 SEGRET NOFORN 3 U Ensure that agents index Victims in Sentinel as required by the Indexing User Manual for Sentinel to support FBI investigative and administrative matters 4 U Ensure that all cyber victim notifications conducted in the course of restricted investigations are appropriately tracked in Cyber Guardian 5 U Clearly define what constitutes a victim of cybercrime for the purposes of indexing victims in 
Sentinel and notifying victims of their rights under the Attorney General Guidelines for Victim and Witness Assistance as appropriate 6 U Ensure that all victims of cybercrime are informed of their rights under the Attorney General Guidelines for Victim and Witness Assistance Crime Victims' Rights Act and Victims' Rights and Restitution Act as appropriate 7 U Establish timeliness standards in the Cyber Division Policy Guide 0853PG for cyber victim notifications as appropriate 8 U Update Cyber Division Policy Guide 0853PG to include a minimum requirement for information that should be included in a victim notification and in victim notification leads to ensure the consistency and effectiveness of victim notifications 9 U Ensure Victim Contact Planning Calls are conducted for all cyber-incidents that are labeled Medium and above on the National Security Council's Cyber Incidents Severity Schema 10 U Pursue a mutually agreeable solution with OHS for ensuring all victim notification data is entered into Cyber Guardian 11 U Coordinate with NSA to identify and implement an automated solution to streamline the post-publication requests for unclassified information in order to conduct timely and useful victim notifications 12 U Implement controls to ensure that all users of Cyber Guardian and subsequently CyNERGY are certified to handle Protected Critical Infrastructure Information U We recommend that the Department of Justice 13 U Coordinate with the FBI's Cyber Division and update as necessary the Attorney General Guidelines for Victim and Witness Assistance to incorporate the nuances of cyber victims SEGA ET NOFOA N 35 SECRET NOFORN U STATEMENT ON INTERNAL CONTROLS U As required by the Government Auditing Standards we tested as appropriate internal controls significant within the context of our audit objective A deficiency in an internal control exists when the design or operation of a control does not allow management or employees in the normal course of performing 
their assigned functions to timely prevent or detect 1 impairments to the effectiveness and efficiency of operations 2 misstatements in financial or performance information or 3 violations of laws and regulations Our evaluation of the FBI's internal controls was not made for the purpose of providing assurance on its internal control structure as a whole FBI management is responsible for the establishment and maintenance of internal controls U As noted in the Audit Results section of this report we identified deficiencies in the FBI's internal controls that are significant within the context of the audit objective and based upon the audit work performed that we believe may adversely affect the FBI's ability to effectively track and disseminate notifications to all identified victims of cybercrime U Because we are not expressing an opinion on the FBI's internal control structure as a whole this statement is intended solely for the information and use of the FBI This restriction is not intended to limit the distribution of this report which is a matter of public record However we are limiting the distribution of this report because it contains sensitive information that must be appropriately controlled 35 35 U A redacted copy of this report with sensitive Information removed will be made available publicly SEGRET NOFORN 36 SECRET NOFOR N U STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS U As required by the Government Auditing Standards we tested as appropriate given our audit scope and objective selected transactions records procedures and practices to obtain reasonable assurance that the FBI's management complied with federal laws and regulations for which noncompliance in our judgment could have a material effect on the results of our audit FBI's management is responsible for ensuring compliance with applicable federal laws and regulations In planning our audit we identified the following laws and regulations that concerned the operations of the auditee and that 
were significant within the context of the audit objective · • • • Executive Order 13636 Presidential Policy Directive-41 Attorney General Guidelines for Victim and Witness Assistance U Our audit included examining on a test basis the FBI's compliance with the aforementioned laws and regulations that could have a material effect on the FBI's operations through interviewing FBI personnel analyzing data examining procedural practices and assessing internal control procedures As noted in the Audit Results section of this report we found that the FBI did not comply with the Attorney General Guidelines for Victim and Witness Assistance SEGRET NOFOR N 37 SECRET NOFORN U APPENDIX 1 U OBJECTIVE SCOPE AND METHODOLOGY U Objective U The objective of our audit was to evaluate the FBI's Cyber Victim Notification and Engagement Process U Scope and Methodology U We conducted this performance audit in accordance with generally accepted government auditing standards Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective U To accomplish our objective we interviewed 51 FBI officials including individuals from the FBI's CyWatch unit and other components that are involved in the cyber victim notification process Cyber Division Headquarters and the Office of Victim Assistance We visited 6 FBI field offices including Washington Boston New Haven Philadelphia Chicago and Baltimore We also interviewed staff from the National Security Agency's National Cyber Threat Operations Center and the Department of Homeland Security's National Cybersecurity and Communications Integration Center to learn about their interaction with the FBI's cyber victim notification process In addition we met with or received comments from 14 organizations 
that received victim notifications from the FBI to discuss those interactions The scope of our audit generally covered cyber victim notification activity from November 2014 to December 2017 approximately 20 000 Cyber Guardian entries U We reviewed Cyber Division policy guidance plans and assessments including FBI Cyber Division Policy Guide 0853PG Dated February 14 2017 Executive Order 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 41 United States Cyber Incident Coordination To assess victim notification internal controls we reviewed the Attorney General Guidelines for Victim and Witness Assistance along with the two laws that support those guidelines the Victims' Rights and Restitution Act of 2006 and the Crime Victims' Rights Act of 2006 supplemented in 2009 SECRET NOFORN 38 SECRET NOFORN U APPENDIX 2 U FEDERAL BUREAU OF INVESTIGATION'S RESPONSE TO THE DRAFT AUDIT REPORT U S Department of Justice • Federal Bureau of lnvcstiga1ion W11shington D C 20535-0001 December 21 2018 U The Honorable Michael E Horowitz Inspector General Office of the Inspector General U S Department of Justice 950 Pennsylvania Avenue N W Washington DC 20530 U Dear Mr Horowitz U The Federal Bureau of Investigation FBI appreciates the opportunity to review and respond lo your office's report entitled Audit ofthe Federal Burca q lm C Stigatian 's Cybcr Victim No1i ica1 on Process U We agree that it is important to strengthen procedures for setting victim notification leads and indexing victims Additionally we agree it is imperative that victims of cybcrcrime are infonned of their rights under the requisite authorities In that regard we concur with your twelve recommendations for the FBI U Should you have nny questions feel free to contact me We greatly appreciate the professionalism of your audit staff throughout this matter U Sincerely U S Section Chief External Audit and Compliance Section Inspection Division U Enclosure SECRET NOFORN 39 SEGRET NOFORN 
(U) The Federal Bureau of Investigation's (FBI) Response to the Office of the Inspector General's Audit of the FBI's Cyber Victim Notification Process

(U) Recommendation #1: The OIG recommends the FBI ensure there are appropriate logic controls for data that is manually input into Cyber Guardian and CyNERGY and that CyNERGY's data input is as automated as appropriate.

(U) FBI Response to Recommendation #1: Concur. Working through the Sentinel team, FBI will develop structured fields (e.g., pick lists, validated form fields, mandatory fields) within the victim data cards in order to ensure complete and accurate data entry and enable automated pulling of data from Sentinel to Cyber Guardian/Cynergy.

(U) Recommendation #2: The OIG recommends the FBI strengthen controls to ensure victim notifications are tracked in Cyber Guardian, to include agents using Victim Notification leads in Sentinel as required by Cyber Division Policy Guide 0853PG.

(U) FBI Response to Recommendation #2: Concur. Working through the Sentinel team, Cyber Division will work to update the technical process to allow for the automated ingest of data. Cyber Division will update its policy guide to reflect the requirement to report victim notifications (e.g., "should report" to "will report" to CyWatch for inclusion in Cyber Guardian). Additionally, Cyber Division will execute training and an awareness campaign for the use of victim notification leads.

(U) Recommendation #3: The OIG recommends the FBI ensure agents index Victims in Sentinel as required by the Indexing User Manual for Sentinel to support FBI investigative and administrative matters.

(U) FBI Response to Recommendation #3: Concur. Cyber Division will execute training and an awareness campaign for the use of indexing per policy.

(U) Recommendation #4: The OIG recommends the FBI ensure that all victim notifications conducted in the course of restricted investigations are appropriately tracked in Cyber Guardian.

(U) FBI Response to Recommendation #4: Concur. Cyber Division conducts sensitive investigations that require restricted designations. In these instances, Cyber Division will comply with victim notification policy with regards to the actual victim. However, victim notification reporting for inclusion in Cyber Guardian may be delayed, as CyWatch does not have visibility into restricted cases.

(U) Recommendation #5: The OIG recommends the FBI clearly define what constitutes a victim of cybercrime for the purposes of indexing victims in Sentinel and notifying victims of their rights under the Attorney General Guidelines for Victim/Witness Assistance, as appropriate.

(U) FBI Response to Recommendation #5: Concur. Cyber Division will work with OGC's National Security and Cyber Law Branch (NSCLB) to ensure there is clear guidance and a definition for what or whom constitutes a victim of cybercrime for purposes of Sentinel indexing. Cyber Division will also work closely with OGC's NSCLB to get guidance as needed with regard to the Attorney General Guidelines for Victim/Witness Assistance in order to ensure the Guidelines are being followed when appropriate.

(U) Recommendation #6: The OIG recommends the FBI ensure that all victims of cybercrime are informed of their rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate.

(U) FBI Response to Recommendation #6: Concur. Within six months of the completion of the report, VSD will work with CyD to ensure that notice to victims of cybercrime, whether the notice comes from CyD or from VSD, includes basic information on their rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate, as well as a VSD point of contact for accessing their rights and any appropriate and available victim assistance services. VSD will also participate in any efforts coordinated by DOJ to update the Attorney General Guidelines for Victim and Witness Assistance (2011) to incorporate guidance on cybercrime victim notification and assistance.

(U) Recommendation #7: The OIG recommends the FBI establish timeliness standards in the Cyber Division Policy Guide 0853PG for cyber victim notification, as appropriate.

(U) FBI Response to Recommendation #7: Concur. Cyber Division will incorporate additional guidance regarding timeliness of victim notification into its policy guide.

(U) Recommendation #8: The OIG recommends the FBI update Cyber Division Policy Guide 0853PG to include a minimum requirement for information that should be included in a victim notification and in victim notification leads to ensure the consistency and effectiveness of victim notification.

(U) FBI Response to Recommendation #8: Concur. Cyber Division will update its policy guide to reflect minimum requirements as outlined in the recommendation.

(U) Recommendation #9: The OIG recommends the FBI ensure Victim Contact Planning Calls are conducted for all cyber incidents that are labeled Medium and above on the National Security Council's Cyber Incidents Severity Schema.

(U) FBI Response to Recommendation #9: Concur. CyWatch will initiate Victim Contact Planning Calls (VCPCs) as recommended and make corresponding changes to its watch procedures.

(U) Recommendation #10: The OIG recommends the FBI pursue a mutually agreeable solution with DHS for ensuring all victim notification data is entered into Cyber Guardian.

(U) FBI Response to Recommendation #10: Concur. Cyber Division will pursue a solution with DHS executive management regarding Cyber Guardian/Cynergy data submission.

(U) Recommendation #11: The OIG recommends the FBI coordinate with NSA to identify and implement an automated solution to streamline the post-publication requests for unclassified information in order to conduct timely and useful victim notifications.

(U) FBI Response to Recommendation #11: Concur. Cyber Division will coordinate with NSA to identify and implement solutions to streamline post-publication requests, which may include automated solutions and new dissemination policies.

(U) Recommendation #12: The OIG recommends the FBI implement controls to ensure that all users of Cyber Guardian, and subsequently CyNERGY, are certified to handle Protected Critical Infrastructure Information.

(U) FBI Response to Recommendation #12: Concur. Cyber Guardian currently has the capability for incident and note restrictions, allowing users to restrict information such as PII or PCII. Cynergy will also have a similar feature to restrict information at the first release to production. One of the future requirement enhancements to Cynergy is to have a feature in the user's profile to restrict a user from viewing PII or PCII information until training has been completed and a certificate has been provided.

(U) APPENDIX 3

(U) OFFICE OF THE DEPUTY ATTORNEY GENERAL'S RESPONSE TO THE DRAFT AUDIT REPORT

U.S. Department of Justice
Office of the Deputy Attorney General
Washington, D.C. 20530

(U) MEMORANDUM

(U) TO: Michael Horowitz, Inspector General, Office of the Inspector General
(U) FROM: Bradley Weinsheimer, Associate Deputy Attorney General, Office of the Deputy Attorney General
(U) DATE: February 19, 2019
(U) SUBJECT: Department of Justice Comments on Draft Audit Report: Audit of The Federal Bureau of Investigation's Cyber Victim Notification Process

(U) Thank you for the opportunity to comment on your draft audit report, Audit of The Federal Bureau of Investigation's Cyber Victim Notification Process. In the draft report, you have made the following recommendation (Recommendation 13) to the Department of Justice (Department): We recommend that the Department of Justice coordinate with the FBI's Cyber Division and update, as necessary, the Attorney General Guidelines for Victim and Witness Assistance to incorporate the nuances of cyber victims.

(U) As you know, for a number of reasons, the Department objected to the language of the recommendation as imprecise and unclear. To the extent the recommendation is intended to recommend that the Department of Justice consider updating the Attorney General Guidelines for Victim and Witness Assistance (Guidelines) to incorporate the nuances of identifying cyber victims, the Department does not oppose the recommendation. Indeed, as you know, the Department, including the FBI's Cyber Division, is actively engaged in reviewing and proposing updates, as appropriate, to the Guidelines on victim and witness notification.

(U) APPENDIX 4

(U) OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT

(U) The OIG provided a draft of this audit report to the Federal Bureau of Investigation (FBI) and the Office of the Deputy Attorney General (ODAG). The FBI's response is incorporated in Appendix 2 of this final report, and ODAG's response is in Appendix 3. In response to our audit report, the FBI concurred with our recommendations and discussed the actions it will implement in response to our findings. The ODAG did not oppose our recommendation. As a result, the status of the audit report is resolved. The following provides the OIG analysis of the responses and a summary of actions necessary to close the report.

(U) Recommendations for the FBI:

1. (U) Ensure there are appropriate logic controls for data that is manually input into Cyber Guardian and CyNERGY, and that CyNERGY's data input is as automated as appropriate.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that it is working to develop structured fields within Sentinel to ensure complete and accurate data entry and enable automated pulling of data from Sentinel to Cyber Guardian and CyNERGY.

(U) This recommendation can be closed when we receive evidence that the FBI has implemented appropriate logic controls for data manually entered into Cyber Guardian and CyNERGY, and that CyNERGY's data input is automated as appropriate.

2. (U) Strengthen controls for ensuring victim notifications are tracked in Cyber Guardian, to include agents using Victim Notification leads in Sentinel as required by Cyber Division Policy Guide 0853PG.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will work to update the technical process to allow for the automated ingest of data. In addition, Cyber Division will execute training and an awareness campaign for the use of victim notification leads.

(U) This recommendation can be closed when we receive evidence that the FBI has ensured victim notifications are tracked in Cyber Guardian, including agents using Victim Notification leads in Sentinel as required by Cyber Division Policy Guide 0853PG.

3. (U) Ensure that agents index victims in Sentinel as required by the Indexing User Manual for Sentinel to support FBI investigative and administrative matters.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will execute training and an awareness campaign for the use of indexing.

(U) This recommendation can be closed when we receive evidence that the FBI has ensured that agents index victims in Sentinel as required by the Indexing User Manual for Sentinel to support FBI investigative and administrative matters.

4. (U) Ensure that all cyber victim notifications conducted in the course of restricted investigations are appropriately tracked in Cyber Guardian.

(U) Resolved. The FBI concurred with our recommendation. However, in its response, the FBI stated that it will comply with victim notification policy to notify victims identified in restricted cases, but including those notifications in Cyber Guardian may be delayed because CyWatch does not have visibility into restricted cases.

(U) This recommendation can be closed when we receive evidence that victim notifications conducted in restricted investigations are documented in Cyber Guardian.

5. (U) Clearly define what constitutes a victim of cybercrime for the purposes of indexing victims in Sentinel and notifying victims of their rights under the Attorney General Guidelines for Victim and Witness Assistance, as appropriate.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will work with the FBI Office of General Counsel's National Security and Cyber Law Branch to ensure there is clear guidance and a definition of what or whom constitutes a victim of cybercrime for the purpose of indexing in Sentinel. The Cyber Division will also work with the National Security and Cyber Law Branch to ensure victims are notified of their rights under the Attorney General Guidelines when appropriate.

(U) This recommendation can be closed when we receive evidence that the FBI has clearly defined what constitutes a victim of cybercrime for the purposes of indexing victims in Sentinel and is notifying victims of their rights under the Attorney General Guidelines for Victim and Witness Assistance, as appropriate.

6. (U) Ensure that all victims of cybercrime are informed of their rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that within six months of the issuance of this report, the Victim Services Division will work with the Cyber Division to ensure that cybercrime victim notifications include basic information on their rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate. The FBI will also provide the victim with a point of contact at the Victim Services Division to help the victim access any available services. Finally, the FBI stated that the Victim Services Division will participate in any Department of Justice efforts to update the Attorney General Guidelines to incorporate guidance on cybercrime victim notification and assistance.

(U) This recommendation can be closed when we receive evidence that victim notifications include information about the victims' rights under the Attorney General Guidelines for Victim and Witness Assistance, Crime Victims' Rights Act, and Victims' Rights and Restitution Act, as appropriate.

7. (U) Establish timeliness standards in the Cyber Division Policy Guide 0853PG for cyber victim notifications, as appropriate.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will incorporate additional guidance regarding timeliness of victim notification into its policy guide.

(U) This recommendation can be closed when we receive evidence that the FBI has updated the Cyber Division Policy Guide to include timeliness standards.

8. (U) Update Cyber Division Policy Guide 0853PG to include a minimum requirement for information that should be included in a victim notification and in victim notification leads, to ensure the consistency and effectiveness of victim notifications.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will update its policy guide to include minimum standards for information included in victim notifications.

(U) This recommendation can be closed when we receive evidence that the FBI has updated the Cyber Division Policy Guide to include a minimum requirement for information that should be included in a victim notification and in victim notification leads.

9. (U) Ensure Victim Contact Planning Calls are conducted for all cyber incidents that are labeled Medium and above on the National Security Council's Cyber Incidents Severity Schema.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that it will make the Victim Contact Planning Calls as recommended and update its procedures accordingly.

(U) This recommendation can be closed when we receive evidence that the FBI has ensured Victim Contact Planning Calls are conducted for all cyber incidents that are labeled Medium and above on the National Security Council's Cyber Incidents Severity Schema.

10. (U) Pursue a mutually agreeable solution with DHS for ensuring all victim notification data is entered into Cyber Guardian.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that the Cyber Division will pursue a solution with the Department of Homeland Security's (DHS) executive management regarding entering data into Cyber Guardian and Cynergy.

(U) This recommendation can be closed when we receive evidence that the FBI has pursued a mutually agreeable solution with DHS for ensuring all victim notification data is entered into Cyber Guardian and Cynergy.

11. (U) Coordinate with NSA to identify and implement an automated solution to streamline the post-publication requests for unclassified information in order to conduct timely and useful victim notifications.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that it will coordinate with NSA to determine a way to streamline the post-publication process for unclassified victim notification information.

(U) This recommendation can be closed when we receive evidence that the FBI has coordinated with NSA to streamline the process for receiving unclassified NSA information in order to conduct timely and useful victim notifications.

12. (U) Implement controls to ensure that all users of Cyber Guardian, and subsequently CyNERGY, are certified to handle Protected Critical Infrastructure Information.

(U) Resolved. The FBI concurred with our recommendation. In its response, the FBI stated that Cyber Guardian already has the capability to restrict Protected Critical Infrastructure Information. In addition to that capability, the FBI also said that CyNERGY will have a future feature that will restrict a user from viewing Protected Critical Infrastructure Information until training has been completed and a certificate has been provided.

(U) This recommendation can be closed when we receive evidence that the FBI has implemented controls to ensure that all users of Cyber Guardian, and subsequently CyNERGY, are certified to handle Protected Critical Infrastructure Information.

(U) Recommendation for the Department of Justice:

13. (U) Coordinate with the FBI's Cyber Division and update, as necessary, the Attorney General Guidelines for Victim and Witness Assistance to incorporate the nuances of cyber victims.

(U) Resolved. The Office of the Deputy Attorney General objected to the language of the recommendation but did not oppose the intent of the recommendation. According to the ODAG, the Department and the FBI Cyber Division are actively engaged in reviewing and proposing updates, as appropriate, to the Attorney General Guidelines for Victim and Witness Assistance.

(U) This recommendation can be closed when we receive evidence that the ODAG and FBI Cyber Division have reviewed the Attorney General Guidelines for Victim and Witness Assistance and determined whether updates are necessary to incorporate the nuances of cyber victims.

The Department of Justice Office of the Inspector General (DOJ OIG) is a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in the Department of Justice, and to promote economy and efficiency in the Department's operations. To report allegations of waste, fraud, abuse, or misconduct regarding DOJ programs, employees, contractors, grants, or contracts, please visit or call the DOJ OIG Hotline at oig.justice.gov/hotline or (800) 869-4499.

U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR GENERAL
950 Pennsylvania Avenue, Northwest, Suite 4706, Washington, DC 20530-0001
Website: oig.justice.gov
Twitter: @JusticeOIG
YouTube: JusticeOIG
Also at Oversight.gov