
Langevin to FBI: helping victims takes precedence over disrupting ransomware groups

U.S. Rep. Jim Langevin, D-R.I., testifies during a hearing before the Energy and Power Subcommittee of the House Energy and Commerce Committee on May 31, 2011, on Capitol Hill in Washington. Langevin and Republican John Katko, R-N.Y., are among a number of cyber-focused lawmakers who have left Congress in recent years. (Photo by Alex Wong/Getty Ima...

The FBI must prioritize asset response and helping victims of ransomware attacks recover over disrupting the operations of ransomware groups, a key cyber-focused lawmaker told FBI Director Christopher Wray.

A Washington Post report this week claims that following the ransomware attack on Kaseya and its clients by REvil, the FBI had access to the group’s encryption key for nearly three weeks before handing it over to Kaseya, in part because it was planning to use the key in a later operation to disrupt the group, an operation that never panned out.

That spurred anger among some lawmakers who expressed concerns that the FBI may have left hundreds of businesses out to dry for weeks while they struggled to restore their systems. Wray did not confirm the operation, but said that the FBI makes decisions about handing over resources to the private sector after testing and validation and that “maximizing impact is always the goal.”

In a House Homeland Security hearing today, Rep. Jim Langevin, D-R.I., chided Wray for that answer, questioning how the bureau balances its responsibility to victims of ransomware attacks when it is holding onto information or tools that could help businesses recover. He said he was “deeply concerned that your response did not reflect the harm that holding a decryption key could do to victims” and asked Wray to clarify the bureau’s position.

“Consider this analogy: a business is on fire, there’s a strong reason to suspect arson. Police argue that letting the firefighters in to put out the fire risks damaging forensics that could be used to catch the arsonist,” Langevin said. “Certainly, that argument is valid but I don’t think anyone here would suggest we should not put out the fire even if it does not maximize the impact against an adversary.”

Wray – as he did in his Senate hearing a day earlier – specified that he could not speak to the specific details of the Kaseya case, but indicated his comments were more about the technical testing and validation that the agency must do before it can create a safe, effective tool to hand over to private sector entities.

“So part of what I referred to when I talked [yesterday] about maximizing impact, is making sure that, to use your analogy of the house, that what we would be supplying is actually just water and not water that may have some trace of say, gasoline or some accelerant in it that would actually have all kinds of unintended consequences,” said Wray. “We recognize that asset response has to go hand in hand with threat response and that’s why we have such a close partnership with DHS and CISA, and these kinds of decisions are made in consultation with a host of interagency partners.”

That answer also did not appear to satisfy Langevin, who argued that helping businesses in the wake of an attack must take precedence over other goals.

“I would just push back and say that asset response has to be higher on the priority list. So much could have been prevented had those decryption keys been given to businesses that were impacted,” said Langevin.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
