The FBI now has the authority to access privately owned computers without their owners' knowledge or consent, and to delete software from them. It is part of a government effort to contain ongoing attacks on corporate networks running Microsoft Exchange software, and it is an unprecedented intrusion that raises legal questions about how far the government can go. On April 9, the United States District Court for the Southern District of Texas approved a search warrant authorizing the United States Department of Justice to carry out the operation.
The software the FBI is removing is malicious code that hackers installed to take control of victims' computers. Hackers have used that code to access large amounts of private email and to launch ransomware attacks. The authority on which the Justice Department relied, and the way the FBI carried out the operation, set important precedents. They also raise questions about the power of the courts to regulate cybersecurity without the consent of the owners of the target computers.

As a cybersecurity scholar, I have studied this type of cybersecurity, called active defense, and how the public and private sectors have supported each other's cybersecurity for years. Public-private cooperation is critical to managing the wide range of cyber threats facing the US, but it poses challenges, including determining how far the government can go in the name of national security. It is also important that Congress and the courts monitor this balancing act.

Hacking the Exchange Server

Since at least January 2021, hacker groups have been using zero-day exploits, that is, exploits for previously unknown vulnerabilities, in Microsoft Exchange to access email accounts. The hackers used this access to install web shells, software that lets them remotely control compromised systems and networks. Tens of thousands of email users and organizations have been affected. One result has been a series of ransomware attacks, which encrypt victims' files and withhold the keys needed to decrypt them until a ransom is paid.

On March 2, 2021, Microsoft announced that a hacking group it calls Hafnium had been using multiple zero-day exploits to install web shells with unique path and file names. This makes it difficult for administrators to remove the malicious code, even with the tools and patches that Microsoft and cybersecurity companies have released to help victims. The FBI is accessing hundreds of these mail servers on corporate networks.
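Because the web shells were dropped under unique path and file names, an administrator cannot simply delete a known filename; candidate files have to be found, preserved as evidence, and only then removed. The following added example (not code from the article, from Microsoft or from the FBI) shows one way to do that triage on an IIS-style web root: it looks for ASP.NET pages modified after a cutoff date that contain markers typical of web shells, copies each hit into an evidence directory with its SHA-256 hash and original timestamps, writes a manifest record, and deletes the original last. The directory layout, file names, cutoff date and file contents are constructed for the demonstration, and the marker list is an assumed heuristic, not a complete signature of any real shell.

```python
"""Triage and evidence-preserving removal of suspected web-shell files.

Added example, not from the article or from any FBI/DOJ/Microsoft tooling.
Assumes an IIS-style layout where web shells are dropped as .aspx files; the
sample tree, file names, cutoff date and marker list are constructed assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Byte patterns often present in ASP.NET web shells: code that reads a request
# parameter and executes it. Assumed heuristic, not a complete signature.
SUSPICIOUS_MARKERS = (b"Request[", b"Request.Form", b"Request.Item",
                      b"Process.Start", b"eval(")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidates(web_root: Path, modified_after: datetime) -> list[Path]:
    """Return .aspx files modified after the cutoff that contain a marker."""
    hits = []
    for p in web_root.rglob("*.aspx"):
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if mtime <= modified_after:
            continue
        if any(m in p.read_bytes() for m in SUSPICIOUS_MARKERS):
            hits.append(p)
    return sorted(hits)


def quarantine(path: Path, evidence_dir: Path) -> dict:
    """Copy file + timestamps into evidence_dir, verify the copy by hash,
    append a manifest record, and only then delete the original."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(path)
    st = path.stat()
    dest = evidence_dir / f"{digest}_{path.name}"
    shutil.copy2(path, dest)  # copy2 preserves mtime/atime
    if sha256_file(dest) != digest:
        raise RuntimeError(f"evidence copy of {path} does not match original")
    record = {
        "original_path": str(path),
        "evidence_path": str(dest),
        "sha256": digest,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "removed_at_utc": datetime.now(timezone.utc).isoformat(),
    }
    with (evidence_dir / "manifest.jsonl").open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    path.unlink()  # removal happens last, after evidence is verified
    return record


def make_demo_tree(root: Path) -> Path:
    """Constructed sample web root: an old benign page, a recent benign page,
    and a recent page that executes a request parameter (web-shell-like)."""
    web_root = root / "webroot"
    web_root.mkdir()
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    (web_root / "logon.aspx").write_bytes(b'<%@ Page Language="C#" %><html>logon</html>')
    os.utime(web_root / "logon.aspx", (old, old))  # predates the cutoff
    (web_root / "help.aspx").write_bytes(b'<%@ Page Language="C#" %><html>help</html>')
    (web_root / "x7q2.aspx").write_bytes(
        b'<%@ Page Language="C#" %>'
        b'<% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>'
    )
    return web_root


def run_demo() -> dict:
    """Build the sample tree, triage it, quarantine the hits, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        web_root = make_demo_tree(tmp_path)
        cutoff = datetime(2021, 2, 26, tzinfo=timezone.utc)
        hits = find_candidates(web_root, cutoff)
        records = [quarantine(p, tmp_path / "evidence") for p in hits]
        return {
            "flagged": [p.name for p in hits],
            "remaining": sorted(p.name for p in web_root.rglob("*.aspx")),
            "records": records,
            "evidence_intact": all(
                sha256_file(Path(r["evidence_path"])) == r["sha256"] for r in records
            ),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the script directly to see the demo on the constructed tree. Against a real server you would point find_candidates at the actual web root and review each hit before calling quarantine: a page that executes a request parameter is not always malicious, and the hash-verified copy plus manifest is what lets a later investigation reconstruct what was removed and when.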
The search warrant allows the FBI to access the web shells, enter the previously discovered password for a web shell, make a copy as evidence, and then delete the web shell. The FBI was not, however, authorized to remove any other malware the hackers may have installed during the breach, or to access other content on the servers. What makes this case unique is both the scale of the FBI's action to remove web shells and the unprecedented intrusion into privately owned computers without their owners' consent. The FBI proceeded without consent because of the large number of unprotected systems on US networks and the urgency of the threat. The action demonstrates the Department of Justice's commitment to using "all of our legal tools," Assistant Attorney General John Demers said in a statement.

The total number of compromised companies remains murky because the figure is redacted in the court documents, but it could reach 68,000 Exchange servers, potentially affecting millions of email users. New malware attacks continue to appear on Microsoft Exchange servers, and the FBI continues to take court-sanctioned action to remove malicious code.

Active Defense

The shift to a more active American cybersecurity strategy began under the Obama administration with the establishment of US Cyber Command in 2010. The emphasis at that time remained on deterrence by denial, that is, making computers harder to hack. This includes using layered defenses, also known as defense in depth, to make it more difficult, expensive and slow to break into networks. The alternative is to go after the hackers, a strategy called defend forward. Since 2018, the US government has stepped up defending forward, as seen in US actions against Russian groups in the 2018 and 2020 election cycles, in which US Cyber Command personnel identified and disrupted Russian online propaganda campaigns.
The Biden administration has continued this trend, along with new sanctions on Russia in response to the SolarWinds espionage campaign. That attack, which the US government attributes to hackers connected to Russian intelligence services, used vulnerabilities in commercial software to break into US government agencies. This new FBI action also pushes the envelope of active defense, in this case to clean up the aftermath of domestic intrusions, albeit without the knowledge or consent of the affected organizations.

The Law and the Courts

The Computer Fraud and Abuse Act generally makes it illegal to access a computer without authorization. That law, however, does not bar lawfully authorized investigative activity by law enforcement. The FBI has the power to remove malicious code from private computers without permission thanks to a 2016 change to Rule 41 of the Federal Rules of Criminal Procedure. That revision was designed in part to let the US government more easily combat botnets and assist other cybercrime investigations in situations where the location of the perpetrators remained unknown or the affected computers were spread across many judicial districts. It allows a single warrant to authorize the FBI to access computers located outside the issuing court's district. This action highlights the precedent, and the power, of courts becoming de facto cybersecurity regulators that can empower the Justice Department to clean up large-scale deployments of malicious code of the kind seen in the Exchange hack. In 2017, for example, the FBI used the expanded Rule 41 to take down a global botnet that harvested information from victims and used their computers to send spam email.

Major legal questions remain unresolved in the current FBI operation. One is liability. What if, for example, privately owned computers were damaged while the FBI was removing malicious code? Another is how to balance private property rights against national security needs in cases like this.
What is clear, however, is that under this authority the FBI could hack computers at will, without a separate search warrant for each computer it accesses.

National Security and the Private Sector

Rob Joyce, the NSA's director of cybersecurity, has said that cybersecurity is national security. The statement may seem indisputable. But it heralds a sea change in government responsibility for cybersecurity, which has largely been left to the private sector. Much of America's critical infrastructure, including its computer networks, is in private hands. Yet companies have not always made the investments needed to protect their customers. This raises the question of whether there has been a market failure in cybersecurity, in which economic incentives have not been sufficient to produce adequate cyber defenses. With the FBI's action, the Biden administration may be implicitly acknowledging such a market failure.

Scott Shackelford is Associate Professor of Business Law and Ethics, Executive Director of the Ostrom Workshop, and Chair of the Cybersecurity Program at Indiana University Bloomington. This article was first published by The Conversation under the title "The FBI is breaking into corporate computers to remove malicious code, smart cyber defense or government overreach?"