The FBI has begun to take a more aggressive approach to ferreting out cyberattackers, a move that has some civil liberties advocates concerned.
According to Bloomberg News, the agency’s change in tactic may be rooted in an attack by state-backed Chinese hackers who got into thousands of Microsoft Exchange email servers.
On April 9, the FBI got a federal judge’s authorization to remotely access hundreds of the hacking victims to take down the attackers’ entry points and basically — as Bloomberg put it — “out-hacked the hackers.”
“The FBI has definitely decided to be more aggressive,” Elvis Chan, the agent leading cyber investigations in the FBI’s San Francisco field office, told Bloomberg. “Our toolkit hasn’t changed. We’re just using the tools a little bit more.”
Other examples of the new approach include an FBI/NSA operation to derail a Russian cyber-espionage attempt and the FBI’s recovery of the cryptocurrency paid during the ransomware attack on the Colonial Pipeline. Based in Alpharetta, Georgia, the Colonial Pipeline is among the largest in the U.S., carrying roughly three million barrels of fuel a day from Houston to New York. The company paid $4.4 million to regain control of its operations. It was the Colonial attack and others like it that led FBI Director Christopher Wray, earlier this month, to compare cyberattacks to the Sept. 11 attacks.
“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Wray told The Wall Street Journal. “There’s a shared responsibility — not just across government agencies, but across the private sector and even the average American.”
And just as with the aftermath of 9/11, civil liberties experts are expressing concerns that the FBI’s tactics could lead to abuses.
For example, a warrant to remotely access computer networks raises questions about how the administrators of those networks were notified, Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, told Bloomberg.
In the April case, the FBI told the judge it planned to email each victim at the address the victim provided when registering their domain, but would do so 30 days after gaining entry, per the report.
Attorney Jennifer Stisa Granick, who handles surveillance and cybersecurity matters for the ACLU, said the FBI’s tactics raise concerns about the limits of the federal government intruding on private property. “During the history of novel surveillance techniques, law enforcement starts using them in a compelling case then eventually uses them in a case that’s far more questionable, once there’s a pattern and comfort established,” she said.