FBI Leaves It To Journalists To Notify US Government Targets Of Russian Hacking
The last year-and-a-half has provided plenty of evidence that the Russian government attempted to influence the 2016 presidential election. Unfortunately, most of the evidence confirming this has been delivered by entities outside the US government. The government has released reports but has omitted plenty of key details.
This hasn't done much for those affected by Russia's efforts. In almost every case, individuals targeted by Russian government-directed hacking entity Fancy Bear were made aware of this by journalists, not the FBI, despite the fact both had access to the same evidence.
The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin's crosshairs, The Associated Press has found.
Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting.
"It's utterly confounding," said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. "You've got to tell your people. You've got to protect your people."
The FBI refused to comment specifically on its disclosure efforts (or rather, the lack thereof). It offered no official excuse for its across-the-board lack of notification. Even the few that were notified could hardly be considered to be apprised of anything.
Rob "Butch" Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a "foreign actor" was trying to break into his account.
"He was real cloak-and-dagger about it," Bracknell said. "He came here to my work, wrote in his little notebook and away he went."
Despite evidence otherwise, the FBI claims it "routinely" notifies people and organizations about potential threats. The statement it issued to the AP would sound credible if it weren't immediately disproved by the results of the AP investigation. This lack of target notification dovetails nicely with the government's handling of other disclosure efforts. The government says the same thing about the hardware and software vulnerabilities its intelligence agencies exploit. It claims to be very forthcoming about vulnerabilities, and yet exploits it never disclosed to the affected tech companies have been repeatedly leveraged to attack computers all over the world.
The FBI's unofficial excuse for this lack of notification is unavailing:
A senior FBI official, who was not authorized to publicly discuss the hacking operation because of its sensitivity, declined to comment on timing but said that the bureau was overwhelmed by the sheer number of attempted hacks.
"It's a matter of triaging to the best of our ability the volume of the targets who are out there," he said.
This doesn't explain why the AP was able to track down affected government employees and contractors -- using less personal information than the FBI has access to -- and inform those affected by Fancy Bear hacking. The AP unquestionably has less manpower available than the nation's largest law enforcement agency. Certainly limiting its notification efforts to just this hacking effort allowed the AP to complete this task, but even in the face of multiple hacking attacks, the FBI should have been able to provide more notification. The "there's too much to deal with properly" excuse doesn't even impress former Intelligence Community members -- people who definitely know about drowning in data.
Charles Sowell, who previously worked as a senior administrator in the Office of the Director of National Intelligence and was targeted by Fancy Bear two years ago, said there was no reason the FBI couldn't do the same work the AP did.
"It's absolutely not OK for them to use an excuse that there's too much data," Sowell said. "Would that hold water if there were a serial killer investigation, and people were calling in tips left and right, and they were holding up their hands and saying, 'It's too much'? That's ridiculous."
Phishing attempts aren't murders, but the underlying assertion -- there's too much happening to do anything about it -- is still worthless. The FBI wants to be the go-to agency for national security issues as well as a key player in the cyberwar, but seems unwilling to perform the mundane, but necessary, tasks that accompany those noble pursuits. The boring parts of the job still need to be done. If the FBI seriously wants people to get behind its counterterrorism efforts and cybersecurity work, it needs to make a better effort getting behind the people affected by those the agency is targeting.