US government taking creative steps to counter cyberthreats
The FBI operation was the virtual equivalent of police going around the neighborhood locking doors that criminals had opened, officials said
By Eric Tucker
WASHINGTON — An FBI operation that gave law enforcement remote access to hundreds of computers to counter a massive hack of Microsoft Exchange email server software is a tool that is likely to be deployed “judiciously” in the future as the Justice Department, aware of privacy concerns, develops a framework for its use, a top national security official said Wednesday.
The department this month announced that it had obtained a warrant from a federal judge in Texas to remove web shells, or malicious code that gives hackers a foothold into networks, from hundreds of vulnerable computers affected by a hack that Microsoft has blamed on a group operating from China.
The FBI operation was designed to disrupt the effects of a hack that affected many thousands of servers running the Microsoft Exchange email program. Many victims took steps on their own to safeguard their systems, but for those that who did not, the Justice Department stepped in to do it for them with a judge's approval.
It was the virtual equivalent of police going around the neighborhood locking doors that criminals had opened remotely.
“We have a decision to make, which is are we going to go ahead and do that action ourselves or are we just going to leave that malware there, sort of unremediated,” said Assistant Attorney General John Demers, speaking at a virtual discussion hosted by the Project for Media & National Security at George Washington University.
He said the operation was one of the very first of its kind and was the subject of extensive discussion by the FBI and the Justice Department. The department is figuring out how it plans to use that capability in the future.
“We don't yet have sort of worked out what our criteria are going to be going forward,” Demers said. "Now that we've had this experience, that's the kind of discussion we're having internally now.
“This is not a tool of first resort that we're going to be using a couple times a week as different intrusions come up," he added. “This does require working with the private sector on the right solution. It does require testing to be sure that you're not going to otherwise disrupt someone's computer system.” Such operations will be done judiciously in the future, he said.
Demers acknowledged concerns from some privacy advocates that the government, without permission of the computer system operators, had gained remote access and removed the web shells. But he pointed out that the department did obtain a judge's permission and said the government felt compelled to act because, after a period of several weeks, there were still unremediated web shells that continued to serve as access point for “hackers of all stripes.”
“And so the choice that the government had was just continue to leave those open or take the court-authorized action that we did, and ultimately we decided to move ahead,” Demers said. “But to the extent possible before then, we had been notifying every victim that we could identify of the intrusion.”