The FBI’s New Malware Eradication Service Is on Thin Legal Ice – Bloomberg Law

Posted: May 14, 2021 at 6:04 am

The U.S. Attorney for the Southern District of Texas issued a news release on April 13 announcing an FBI operation "to copy and remove malicious web shells from hundreds of vulnerable computers running on-premises versions of Microsoft Exchange Server software." The announcement coincided with the partial unsealing of a search warrant.

The legal authority the FBI used for this operation was Rule 41 of the Federal Rules of Criminal Procedure, a rule detailing the requirements and process for issuing search warrants.

Yet it's clear from the unsealed search warrant that the primary purpose of the FBI's operation here was to remove malicious code surreptitiously; an admirable goal, but a slippery slope when it comes to the legal basis upon which it was executed.

The Fourth Amendment guarantees a person's right to be secure in their "houses, papers, and effects, against unreasonable searches and seizures," and requires that, in order for a search to occur in these private spaces, the government must secure a search warrant, issued based upon probable cause and "particularly describing the place to be searched, and the persons or things to be seized." Rule 41 basically provides the road map for adhering to these Fourth Amendment requirements, through issuance of that probable cause warrant.

Putting aside the question as to how the government establishes probable cause when the search warrant doesn't provide identifying information about the victims whose servers are to be accessed nor the places to be searched, the point is that Rule 41's purpose is to further investigative evidence gathering, not to disrupt crime nor delete code (which, ironically, is evidence in itself).

It's true that Rule 41 was amended in 2016 to allow remote searches and seizures (Section (b)(2)(6)), but the premise of this amendment was to aid investigations that span across more than five federal districts, not to clean and secure victim computers.

This time the government removed rogue nation-state code; something most agree is dangerous. But what if the next time it's Saudi Arabia objecting to their portrayal in a movie? Let's call this Sony Pictures Part 2, after North Korea's infamous 2014 attack on Sony Pictures because its movie The Interview portrayed Kim Jong Un in a negative light.

What if this time, the FBI decides that Saudi Arabia's concerns warrant hacking into private networks to delete all copies of the offending movie, under the premise of stopping a national security threat, a move arguably violative of the 1st Amendment?

Having been a member of both the law enforcement and intelligence communities, I've seen firsthand the motivation that drives people to serve, and the dedication they bring. And while the FBI's heart was in the right place, heart alone doesn't suffice.

In this case, the FBI is knowingly causing the transmission of a program, information, code, or command to intentionally damage protected computers (in this case, the victims' servers), with "damage" having been defined to include deleting information, without the authorization of the victims whose systems are being accessed.

In any other context, this would be criminal under Section 1030(a)(5)(A) of the Computer Fraud and Abuse Act (CFAA), which, ironically, is one of the very statutes the FBI alleges was violated by the Chinese nation-state group known as Hafnium, at the heart of the threat to Microsoft Exchange Servers. But two wrongs don't make a right. Not even in 2021.

From a practical perspective, if the motivation was to search computers for evidence, in virtually any other case there would be a point where the additional evidence to be gained would be duplicative, and the marginal return too low, to warrant searching additional computers. And that point would be long before searching over 100 victims' servers.

Notably, Section 1030(f) of the CFAA states that "this section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency..." But not prohibiting an action is different from "lawfully authoriz[ing]" one. And with no court having interpreted application of 1030(f), we return to the FBI's need for a route to secure court authorization, which brings us back to Rule 41.

Interestingly, the FBI used Rule 41 in 2017 when it neutered a virulent botnet called Kelihos. But in that case, the operation involved rerouting victim computers, as opposed to gaining access and "clean[ing]" them. This newest operation is therefore the next step down the slippery slope that law professors, activists, and defense attorneys love to argue when challenging governmental action.

Yet with the damage done in just the past few months by the SolarWinds and Hafnium hacks alone, we clearly need a fresh approach. And the FBI's solution here is just that. But it's a solution without a clear legal basis.

So, whether it means amending the CFAA or passing a new law, one thing is clear: contorting a long-standing federal procedural rule in a way about which 22 Senators raised concerns back in 2016, concerns precisely about using Rule 41 to clean computers, surely cannot be the right answer.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Joel Schwarz is director at MBL Technologies and serves as the firm's privacy and data protection lead. He is an adjunct professor at Albany Law School and previously served as the civil liberties and privacy officer for the National Counterterrorism Center, and was a cybercrime prosecutor for the Justice Department and the New York Attorney General's Office.
