We’ve all been through information assurance training. Hopefully, after years of going through the same script over and over again, we all know how to spot phishing, spear phishing, and whaling attempts when they hit our inboxes. The necessity of remaining vigilant for attempted cyber-espionage and cybercrime has been, one hopes, hammered home sufficiently.
We’ve also been trained to report any suspected attempts to compromise our information to our security manager. After all, if you don’t tell someone about the intrusion attempt, no one can try to identify and neutralize the attacker.
Fancy Bear’s targets left in the dark
But not every hacking attempt uses social engineering, or is so obvious. Apparently, while the FBI expects you and me to tell someone when we think we’ve been targeted, it does not feel the need to return the favor. As the Associated Press reported this week, the Bureau failed to notify what could be thousands of targets of the Russian hacking outfit codenamed Fancy Bear that their Gmail accounts had been the target of hacking attempts.
The AP combed through thousands of files provided by cybersecurity firm Secureworks to determine who the targets of Fancy Bear’s hacking attempts were. As the wire service reported on Sunday, those files comprise “19,000 lines of targeting data.” The reporters were able to identify “more than 500 U.S.-based people or groups and reached out to more than 190 of them, interviewing nearly 80 about their experiences.”
While there is no telling how many people’s credentials were compromised, the AP found that 131 of the “312 U.S. military and government figures” clicked on Fancy Bear’s malicious link.
They also found that of the 80 people they interviewed, the FBI had notified only two that their email accounts had been in Fancy Bear’s crosshairs. Among those not notified that their information was compromised is retired Army Lt. Gen. Patrick Hughes, who commanded the Defense Intelligence Agency from 1996 to 1999, served as the first assistant secretary for information analysis at the newly formed Department of Homeland Security, and then became vice president of L3’s homeland security business.
Also not notified were retired Lt. Gen. David Deptula, who was the Air Force’s deputy chief of staff for intelligence, surveillance, and reconnaissance from 2006 to 2010 and is now dean of the Mitchell Institute for Aerospace Studies, a national security think tank, and Eric Edelman, who was the under secretary of defense for policy during President George W. Bush’s second term, advised Mitt Romney’s 2012 presidential campaign, and currently writes for several think tanks.
FBI repeatedly violated its own policy
If you or I repeatedly ignored our organization’s cybersecurity policy, we’d be out of both our job and our clearance. But that is exactly what the FBI has done in this case. That policy was exposed as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center earlier this year. It says that the FBI must notify potential victims of hacking attempts “even when it may interfere with another investigation or (intelligence) operation.”
A small team of reporters was able to uncover who the potential victims were, but the FBI either could not or did not. It stretches the bounds of credulity to think that they could not figure out who was targeted. So the only answer is that they ignored their policy and left hundreds of current and former military and government officials potentially exposed.
Heads should roll, but they won’t. But the lesson to be learned here is that anyone with a security clearance is a potential target, and you can’t depend on the FBI to tell you if you’re one of the unlucky ones. So don’t let down your guard, even after you retire.