FBI deviated from its policy on alerting hacking victims
By JEFF DONN, DESMOND BUTLER and RAPHAEL SATTER
Nov. 29, 2017
WASHINGTON (AP) — The FBI deviated from its own policy to notify victims of computer hacking when it left U.S. officials and other Americans in the dark about Kremlin-aligned attempts to break into their personal Gmail accounts, The Associated Press has learned.
FBI policy calls for notifying victims, whether individuals or groups, to help thwart both ongoing and future hacking attempts. The policy , which was released in a lawsuit filed earlier this year against the FBI by the nonprofit Electronic Privacy Information Center, says that notification should be considered "even when it may interfere with another investigation or (intelligence) operation."
That robust notification doesn't appear to have happened in the case of the Russian government-aligned hacking group known as Fancy Bear, which tried to break into the Gmail accounts of more than 500 U.S.-based targets between 2015 and 2016, according to data obtained by AP. The news agency interviewed nearly 80 of them, including senior policymakers, and found only two who said they learned of the efforts to hack into their Gmail accounts from the FBI.
"It's just remarkable to me that the Bureau did not do what it was supposed to do," said Marc Rotenberg, executive director of the Electronic Privacy Information Center.
"I was stunned because these are people that, if they were compromised, could result in harm to national security, and that fact that they weren't notified seems totally unacceptable," added Democratic Rep. Ted Lieu of California, a member of the House Judiciary Committee, in an interview late Tuesday.
His office released a letter he wrote to FBI Director Christopher Wray complaining of the agency's response. He also called for a hearing before his committee.
The FBI did not immediately respond to requests for comment on this story. Late last week, the agency declined to discuss its investigation into the spying campaign and said in a statement: "The FBI routinely notifies individuals and organizations of potential threat information." The agency also said it collaborates with partners in all levels of government to keep the public informed, adding, "The FBI takes all potential threats to public and private sector systems very seriously."
However, three people familiar with the matter — including a current and a former government official — said the FBI has known about the Gmail spying operation for more than a year.
A senior FBI official, who would only speak on condition of anonymity to discuss the matter, said the Bureau was overwhelmed by the sheer number of attempted hacks. "It's a matter of triaging to the best of our ability the volume of the targets who are out there," he said.
In the face of a tidal wave of malicious phishing attempts, the FBI sometimes passes on information about the attacks to service providers and companies, who can then relay information to clients or employees, he added.
The AP, which acquired a list of about 4,700 targeted email accounts, has reported in recent weeks on the global reach of the hacking operation and the strategy used to steal the emails of the Democratic Party and presidential campaign of Hillary Clinton. Tens of thousands of those emails were leaked online in advance of the November election. U.S. intelligence agencies have concluded that Fancy Bear works for the Russian government and meant to push the election in favor of Donald Trump. The Russian government has denied interfering.
Many of those who were told they were in the Kremlin's cross-hairs were long-retired, but some were still in government or held security clearances at the time they were targeted. It's not clear how many may have given up their email passwords or what the hackers may have acquired in stolen email.
However, some accounts held emails dating back years, when even many of the retired officials still occupied sensitive posts. And intelligence experts say Russian spies can use personal correspondence as a springboard for further hacking, recruitment or even blackmail.
"The onus is on the FBI right now to explain why they didn't follow their policies, as we are reading them," said Elizabeth Hempowicz, director of public policy at the Project on Government Oversight.
Other government watchdogs said that the government agents who respond to such foreign hacking operations need more oversight as they respond to this ballooning problem — and public accountability.
"There should be a public report about how widespread this activity is, so that every American will know about it — and that didn't happen here," said Louis Clark, CEO of the Government Accountability Project.
Donn reported from Plymouth, Massachusetts. Raphael Satter reported from London.
Read the FBI policy: https://www.documentcloud.org/documents/4311379-FBIPolicyGuide.html
Donn, Butler and Satter can be reached at: