A top FBI cyber official asked Congress for a raft of new money and enhanced statutory powers to pursue criminal and nation-state hackers who target American businesses and data.
During a House Judiciary Committee oversight hearing Tuesday, FBI Assistant Director for Cyber Bryan Vorndran laid out a number of needs for the bureau, including a bigger budget, more qualified cybersecurity personnel and more legal authorities that would give them access to private sector reporting and help impede the easy sale and use of servers, malware and botnets that help to underpin the broader cybercriminal ecosystem.
Vorndran toed a careful line in his opening statement, talking up the FBI’s ability to partner with other stakeholders to prioritize victims and its “continuing move away from an indictments- and arrest-first mentality toward a playbook where we work with the government and industry partners.” However, he also acknowledged that the FBI will not back away from its main investigative function.
“Our focus…is investigating based on information we obtain from all sources, victims, foreign intelligence services, human sources and our surveillance of adversary infrastructure, and then pushing it to whoever can do the most good for victims here and cause the most harm to hackers abroad,” Vorndran said.
He also pressed the committee for more: more money, more people and more authorities for the bureau to keep up with the threat from fat-pocketed ransomware criminals and nation-state hacking groups from Russia, China, Iran and North Korea. That includes implementing the new cyber incident reporting law “in a way that allows law enforcement to use incident reports to disrupt our adversaries.”
He also asked for a number of new authorities for FBI to wield in its missions to investigate and disrupt malicious cyber activity. Those authorities include giving prosecutors the ability to charge cybercriminals under the Racketeer Influence and Corrupt Act (RICO) statute typically used for organized crime, and enhanced punishments for hackers who damage critical infrastructure. Law enforcement and courts should also be equipped with more tools to disrupt large scale cybercrime, such as criminalizing the selling of access to botnets, injunction powers to stop ongoing or imminent mass cybercrime and improving Department of Justice forfeiture authorities to seize cybercrime network infrastructure.
It didn’t stop there. Vorndran called for increases in the FBI’s base budget to keep pace with evolving cyber threats and bemoaned the FBI’s inability to bring on or retain top cybersecurity personnel, saying the bureau is hamstrung by hiring policies that don’t allow them to come close to the pay and benefits those workers could receive in the private sector.
CISA and the Department of Homeland Security — facing similar challenges — were given specific hiring authorities by Congress that allow them to bypass many hiring mandates offer significantly higher pay to cybersecurity workers.
“Although we promote our mission to the greatest extent possible, the calling to protect American people and uphold the Constitution does not equate to paying off weighty student loans or entitle someone to a salary competitive with what’s available in the private sector,” he said. “We have found our struggles to pay those minds market value — even federal government market value — is often a dealbreaker.”
Lawmakers raise concerns with FBI's role in cyber incidents
However, some in Congress have questioned the more robust — and sometimes unilateral — role the FBI has played in recent high-profile cyber incidents, or raised questions about whether law enforcement priorities were taking precedence over helping victims. Nadler referenced two incidents that concerned the committee: the FBI’s decision to withhold the Kaseya decryption key from impacted businesses for weeks after the ransomware attack, and its decision to alter the IT infrastructure of private companies when officials last year removed webshells from the Microsoft Exchange servers of victim networks without their permission or knowledge.
More recently, the DoJ and FBI lost a public fight to convince members of Congress to give the bureau simultaneous access to cyber incident reporting at the same time as the Cybersecurity and Infrastructure Security Agency. CISA, which lacks a significant law enforcement or regulatory mission and relies primarily on trusted relationships with the private sector, is seen by many lawmakers as a better entry point for businesses to report cyber incidents, though agency officials have pledged they will share those reports with the FBI in a timely fashion.
Rep. Zoe Lofgren, D-Calif., pressed for a deeper explanation of why FBI officials determined they needed to withhold the Kaseya decryption key from businesses, in part due to concerns that the key could be infected with malware.
In the case of the Kaseya attack, Vorndran said obtaining the decryption key was not done “at Best Buy” and required methods that were “littered with potential points of vulnerability and criminal access.” That required through-testing and vetting before using it in downstream in FBI IT environments and turning it over to the private sector.
"We had a series of variables that were under consideration in that moment that ranged from providing the decryptor key immediately to letting an operational play out in an infinite time period. Once we had indications that the operational opportunities were not going to be valid, we immediately moved to deploying the decryptor" while testing it in parallel for vulnerabilities, Vorndran said.
Rep. Eric Swalwell, D-Calif., asked how FBI officials interact with potential victims when they’re initially notified of a hack, and if Vorndran could “maybe address some fears that the bureau would be looking at other, non-ransomware parts of the business, where the business may be uncomfortable with the bureau looking around.”
Such contacts are important, Vorndran said, not only to investigate the potential crime but also to gather information and threat intelligence that can be shared more broadly to prevent future attacks and provide consultation on whether paying a ransom to a group may run afoul of U.S. economic sanctions.
“What it is not...is asking us to sit behind a keyboard with administrative access, say give us unfiltered access to your systems so we can do what we want to do. I look at it as a bilateral exchange in a moment of need, and…having us engage early can definitely help in the short term and long term,” Vorndran said.