The FBI must prioritize asset response and helping victims of ransomware attacks recover over disrupting the operations of ransomware groups, a key cyber-focused lawmaker told FBI Director Christopher Wray.
A Washington Post report this week claims that following the ransomware attack on Kaseya and its clients by ReVIL, the FBI had access to the group’s encryption key for nearly three weeks before handing it over to Kaseya, in part because they were planning to use it in a later operation to disrupt the group that never panned out.
That spurred anger among some lawmakers who expressed concerns that the FBI may have left hundreds of businesses out to dry for weeks while they struggled to restore their systems. Wray did not confirm the operation, but said that the FBI makes decisions about handing over resources to the private sector after testing and validation and that “maximizing impact is always the goal.”
In a House Homeland Security hearing today, Rep. Jim Langevin, D-R.I., chided Wray for that answer, questioning how the bureau balances its responsibility to victims of ransomware attacks when they are holding onto information or tools that could help businesses recover. He said he was “deeply concerned that your response did not reflect the harm that holding a decryption key could do to victims” and asked Wray to to clarify the bureau’s position.
“Consider this analogy: a business is on fire, there’s a strong reason to suspect arson. Police argue that letting the firefighters in to put out the fire risks damaging forensics that could be used to catch the arsonist,” Langevin said. “Certainly, that argument is valid but I don’t think anyone here would suggest we should not put out the fire even if it does not maximize the impact against an adversary.”
Wray – as he did in his Senate hearing a day earlier – specified that he could not speak to the specific details of the Kaseya case, but indicated his comments were more about the technical testing and validation that the agency must do before it can create a safe, effective tool to hand over to private sector entities.
“So part of what I referred to when I talked [yesterday] about maximizing impact, is making sure that, to use your analogy of the house, that what we would be supplying is actually just water and not water that may have some trace of say, gasoline or some accelerant in it that would actually have all kinds of unintended consequences,” said Wray. “We recognize that asset response has to go hand in hand with threat response and that’s why we have such a close partnership with DHS and CISA, and these kinds of decisions are made in consultation with a host of interagency partners.”
That answer also did not appear to satisfy Langevin, who argued that helping businesses in the wake of an attack must take precedence over other goals.
“I would just push back and say that asset response has to be higher on the priority list. So much could have been prevented had those decryption keys been given to businesses that were impacted,” said Langevin.