FBI director defends bureau’s hacking notification procedures amid scrutiny

FBI Director Christopher Wray on Thursday defended the bureau’s procedures for notifying victims of computer hacking amid questions over U.S. individuals who were reportedly not notified of Russian efforts to breach their email accounts.

Wray faced questions from Rep. Zoe Lofgren (D-Calif.) during a congressional hearing about a recent Associated Press report that the FBI had failed to contact dozens of U.S. targets of the Moscow-aligned hackers who were also behind the breaches of Democrats’ emails ahead of the 2016 presidential election.

“Can you explain why these individuals had to learn from the Associated Press that they were targets of an aggressive Russian hacking effort?” Lofgren asked at the House Judiciary Committee hearing.

Wray did not specifically address the media report, but went on to describe the “very well-established” criteria and procedures the FBI uses when assessing whether or not to notify breach victims.

“I’m not comfortable trying to discuss the specific victim engagements in a particular investigation, at least in this setting,” Wray said. “But … we have very well-established criteria and policies and procedures for questions of victim notification in cyber matters.”

Wray explained that, before making a decision, FBI agents assess whether they can properly identify the victim; whether the information they have can help the victim protect himself or mitigate any damage; and whether such notification would “potentially compromise or jeopardize an existing investigation or reveal sources and methods.”

Wray also noted it is more difficult to notify the owners of Gmail accounts than those who have corporate addresses. The individuals who were reportedly not notified by the FBI of Russian hacking efforts were targeted on their personal Gmail accounts.

“When you have a large number of people, it’s much easier for us to provide victim notification when we have official or government or corporate accounts where we can contact the chief information security officer and then they can communicate to all the people who are on that server,” Wray explained. “When you talk about Gmail accounts and all that, it gets a lot harder.”

His answers did not appear to satisfy Lofgren, who charged: “When the Democratic National Committee was hacked by the Russians, the FBI contacted an intern.” The Democratic lawmaker asked Wray if the bureau’s notification procedures have been “revised.” He said they hadn’t been.

“I think the procedures themselves remain the same and the procedures themselves I think are pretty sound,” Wray replied. “If you think about what they are, they are questions the investigators have to ask in each victim notification context.”

Other lawmakers have raised concerns about the report, Rep. Ted Lieu (D-Calif.) writing to the FBI late last month asking for a briefing on the matter.

The AP contacted 80 U.S. targets on a list of 500 identified by cybersecurity firm SecureWorks, finding that only two of the 80 had been reached by the FBI.