In early April 2021, the U.S. District Court for the Southern District of Texas granted the Department of Justice the authority to disrupt the exploitation of Microsoft Exchange server vulnerabilities. This authority empowered the Federal Bureau of Investigation (FBI) to “hack” into private sector computers without having to notify those organizations. The intent was to protect infected systems by identifying malicious code designed to take control of the victimized computers. The FBI has accessed hundreds of these servers in various corporate networks, where it has copied evidence and deleted web shells implanted by the offending Hafnium advanced persistent threat group. The FBI was not allowed to remove any other malware that might have been installed by Hafnium or access the contents of the infected servers.
This latest development of how the United States is trying to improve its cybersecurity may prove effective, but raises concerns of government over-reach, the preservation of private sector rights, and data privacy. The new measure puts a new law enforcement spin on “defend-forward,” the U.S. Cyber Command’s strategy to proactively identify, monitor, and engage adversaries rather than rely on them to attack first before taking action. Only, rather than taking the fight to them in foreign owned and controlled systems in foreign geographic boundaries, the U.S. national law enforcement agency is now allowed to go into any U.S.-based private organization’s networks under the guise of mitigating and remediating cyber threats.
On the surface, such an initiative has its advantages. The United States continues to struggle with bolstering its cyber security posture, a challenge that perseveres as technology advancements like Cloud services and the Internet-of-Thingscontinue to reshape the cyberspace landscape. And with the constant identification and disclosure of vulnerabilities in software and hardware, organizations regardless of size have difficulty in patch management. Time consumption, lack of resources, efficient testing and deployment of patches, and patch prioritization are just some common obstacles organizations have to implementing effective patch cycles. As many cyber attacks have successfully exploited known vulnerabilities, it is incumbent on organizations to be able to mitigate threats via patch management, or else suffer the consquences.
However, having the FBI allowed to enter and access an organization’s networks whenever critical vulnerabilities are disclosed without the organization’s consent doesn’t seem a good way to further deepen and refine cyber security. Nor does it help further encourage and instill a cyber security culture in the private sector. Reliance on the FBI or any other government entity to essentially do the job these organizations should be doing creates an expectancy that surpasses the responsibilities of what the FBI should be doing. Worse, there is no criteria that has been established defining the conditions (what defines a large-scale infection?), roles, and responsibilities governing if such an over-reaching act is required again. Such lack of clarity potentially risks creating an illusory expectation as to the timing and extent of FBI support, thereby giving organizations a false sense of the security. If the FBI is not mandated to work with organizations prior to accessing their networks, how will organizations know if they have been accessed, reviewed, and ultimately safeguarded of the threat?
Additionally, such a measure calls into question FBI liability of damaging the networks and systems of an organization it is trying to help, as well as data privacy rights. And what if the organization does not want the FBI’s help in the first place? According to the order, it appears that the FBI has the right to do so regardless of if the organization wants it or not. This certainly suggests that the FBI not only has the legal right to do these types of activities on a private sector organization, but that it has the responsibility of doing so. I’m sure this revelation is raising some eyebrows of some senior officials and shareholders in the private sector. Can organizations and shareholders ultimately “sue” the FBI because remediation did not go as planned or yield the intended result? These are considerations that are not currently reflected in the April 13, 2021 court order granting this new authority to the FBI.
While some may argue that this effort will likely be “scoped” and the definitions crafted to limit the FBI’s actions, many with a healthy skepticism may think otherwise. In 2016, a change to Rule 41 of the Federal Rules of Criminal procedure empowered the FBI to remove malware from private computers. However, this was specifically granted to address botnets and online child pornography where perpetrator location was not known, and more than likely, outside its legal jurisdiction. The current situation differs as many of the victimized machines were likely based in the United States, and as such fall under the purview of the U.S. Computer Fraud and Abuse act that generally prohibits anyone gaining unauthorized access to a computer. By virtue of the court order, no permission was required.
Additionally, proponents of this action will assert that the FBI received legal consent – the court order – that gave it permission to do this. Recent history reveals that just because a court gave its approval doesn’t mean that the decision was ultimately right. The most pertinent example of this is the Director of National Intelligence’s redacted disclosure of three redacted opinions of the Foreign Intelligence Surveillance Court’s (FISA Court) findings that the FBI’s procedures for accessing Americans’ communications that were “incidentally” collected under Section 702 of FISA violated both the statute and the Fourth Amendment. Despite government appeal the FISA Court of Review upheld the determination, forcing the FBI to revise its procedures. Per a think tank article, these findings revealed the fourth major FISA Court opinion on Section 702 in 10 years that documented substantial non-compliance rules.
What makes people question this move is that it ultimately puts the FBI in control of when it decides it is “necessary” for it to get involved in cyber events. Right now, it appears that mitigating large-scale deployments of malicious code is the threshold, but that is a slippery slope and one easily modified to suit justification. A smaller deployment of more advanced code, the type of targets impacted, or individuals associated with any of these activities may warrant further action, which if the current parameters are any indication, would not require additional warrants. This is very disconcerting. Too many times before government agencies not subject to strict oversight have pushed boundaries under the guise of altruistic justification. This mindset has to change, especially in the cyber domain where trust is difficult to establish and even harder to maintain.
That is not to say a program like this doesn’t have merits. It certainly does, as organizations continue to scramble to defend against the latest threats. But it needs to be done in a manner that’s completely transparent, monitored closely, and subject to strict auditing to ensure that the U.S. premier law enforcement agency stays within its tightly defined role. Instruction and making organizations more resilient should be the objective of such actions, which will be a positive step in maintaining true public-private collaboration. Otherwise, it risks being another example where the government has overstepped its authorities, thinking that an apology after the fact is just as good as asking permission up front.
