The Washington Post - Democracy Dies in Darkness

The Cybersecurity 202: FBI renews attack on encryption ahead of another possible attack on the Capitol

with Aaron Schaffer

The head of the FBI renewed calls for special law enforcement access to encrypted technologies in response to recent acts of domestic extremism. 

FBI director Christopher A. Wray and other FBI officials made the argument to senators over two days of hearings about law enforcement efforts leading up to the Jan. 6 Capitol attack. They highlighted the use of the technology by the pro-Trump mob that stormed the Capitol, as some of the perpetrators used encrypted technology to plan and execute the assault.

“We are moving more and more in a direction where if we don't come up collectively with some kind of solution, it's not going to matter how bulletproof the legal process is or how horrific the crime is or how heartbreaking the victims are, we will not be able to get access to the content and the evidence that we need to protect the American people,” Wray told members of the Senate Judiciary Committee on Tuesday. “I think, we will all rue the day.”

The warnings come as Capitol Police warn of a possible plot by a militant group to breach the Capitol today, Tom Jackman, Matt Zapotosky, Michael Brice-Saddler and Craig Timberg report. Some followers of the extremist ideology QAnon falsely claim that former president Donald Trump will return to the White House on March 4. While online chatter around the event is less than that around the Jan. 6 attack, researchers aren't ruling out smaller attacks being planned on encrypted channels, my colleagues report.

Wray's first major jab at encryption under the Biden administration is just the latest marker in a years-long struggle between tech companies and the government over whether law enforcement should have special access to secure data.

Wray and other law enforcement leaders charged that end-to-end encryption limits their ability to access critical evidence and detect crimes. That risk has gotten worse as more and more tech companies adopt the technology, which protects data so only the sender can access it. No third party, including the tech company offering the service that sent the data, has access to the material.

Many top cybersecurity experts argue there is no way to provide special access to law enforcement without also creating tech vulnerabilities that could easily be exploited by bad actors.

Wray denied the government is looking for such a backdoor into technology, and said unnamed technologists have assured it's possible for tech companies “to build a way to have legal access when confronted with a proper legal authority.”

“We are not going to have a key, we are not asking for a backdoor; that is a myth, an urban legend that has been directed our way,” he told Congress.

Experts say that's window dressing for the same arguments law enforcement has been making for over half a decade.

Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory:

“FBI Director Wray’s statements regarding encryption yesterday show a fundamental lack of understanding of what an encryption backdoor is and the security risks it poses to both personal and national security,” said Ryan Polk, senior policy adviser with the Internet Society, a global nonprofit focused on Internet policy, technology and development.

“Any method that gives third-party access to encrypted data is a backdoor, a vulnerability that weakens the security and privacy millions of Americans rely on each day, including members of our armed forces,” Polk said.

Some lawmakers are also opposed.

“While Director Wray has long campaigned to weaken encryption and mandate government encryption backdoors, I urge the Biden-Harris administration to turn the page on this misguided effort,” Sen. Ron Wyden (D-Ore.) said in a statement. “It is especially short-sighted following the devastating SolarWinds hack, which showed how urgently our country needs to secure our systems.”

Opponents of giving law enforcement special access to encrypted technologies also point out that law enforcement already has ample tools to access most cellphone data, including tools that can unlock phones and make accessing encrypted messages easier. 

Wray claimed in his written testimony that the expansion of end-to-end encryption "will continue to diminish and ultimately overwhelm State and local capacity to investigate even common crimes."

There's currently no definitive data on how many law enforcement cases go unsolved because of encryption. A 2018 internal investigation showed that Wray repeatedly cited numbers to Congress that inflated the number of devices police couldn't access because of encryption.

Wray also mentioned the Jan. 6 attack on the Capitol as well as an attempted plot to kidnap Michigan Gov. Gretchen Whitmer (D) as two recent incidents where attackers used encrypted technologies. Experts point out that law enforcement was able to find out about both plots ahead of time without a backdoor.

The Biden administration has not announced a formal policy on encryption.

Correction: The original version of this story misidentified Polk's affiliation.

The keys

A U.S. cybersecurity agency told government agencies to update systems in the wake of Chinese hackers exploiting vulnerabilities in Microsoft software.

The Cybersecurity and Infrastructure Security Agency, or CISA, said that Chinese hackers’ use of Microsoft software to get unfettered access to networks and email accounts “poses an unacceptable risk” and “requires emergency action.” In a statement, Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, underscored the scope of the attack, saying that it “appears to be yet another significant cyber incident impacting a wide range of potential victims within the government and the private sector.”

CISA gave federal agencies until Friday to check and report back about whether they had been compromised in the attack. It told the agencies to update their software if they had not been compromised. Microsoft and cybersecurity companies announced the hacking campaign on Tuesday and said that the group behind it, Hafnium, has targeted infectious-disease researchers, law firms, universities, defense contractors and nongovernmental organizations.

Vaccine scam websites are skyrocketing, researchers say.

Hackers are registering more dangerous vaccine-related websites in the wake of increased attention on coronavirus vaccines, Check Point Research says. The firm found that vaccine-related websites rose 300 percent within the last eight months, while vaccine-related sites set up by scammers and criminals increased by 29 percent. Many of those sites are designed to trick users into handing over passwords or installing malware on their computers.

U.S. government agencies have issued alerts in recent months about coronavirus vaccine frauds, with the Department of Health and Human Services warning that hackers are taking over social media accounts to impersonate trusted people.

The White House reiterated its cybersecurity priorities.

The Biden administration said in its interim national security strategic guidance that it will make cybersecurity “an imperative” across the federal government, with increased investment in infrastructure. It also said it planned to work with partners and allies “to uphold existing and shape new global norms” for cybersecurity, and reiterated that it will “hold actors accountable” and “respond swiftly and proportionately” with cyber and non-cyber capabilities in retaliation for cyberattacks. The administration is preparing to attribute the attack on SolarWinds and other software to Russia, and it is also planning a response to the attack.

State Department spokesman Ned Price, meanwhile, called 5G technology a “high priority” for the Biden administration. He said the administration is “concerned about the dangers of installing networks with equipment that can be manipulated, disrupted, or even controlled” by China.

Hill watch

The House passed a bill last night that would set a bevy of new election security standards.

The expansive legislation creates uniform national voting standards, Mike DeBonis reports.

Among the bill's provisions is additional federal support to modernize election technology and increase use of paper ballots.

The bill also includes an amendment that will establish a senior cyber policy adviser on the staff of the Election Assistance Commission (EAC) and explicitly calls out cybersecurity as an ongoing EAC duty. 

The bill faces an uncertain future in the Senate, where it faces fierce opposition from Republicans.

Cyber insecurity

Cloud computing company Qualys confirms it was a victim of a ransomware attack on file-transfer software Accellion.

Hackers linked to CL0P ransomware leaked documents they claimed had data on Qualys customers. Qualys chief security officer Ben Carr said in a blog that only a limited number of customers were affected and that the incident didn't affect any data hosted by Qualys itself.

A group behind the attack, which is being called “UNC2546,” has used multiple unpatched vulnerabilities in Accellion’s file-transfer software to attack other Accellion clients including grocery chain.

The group has extorted other companies for money to not leak their data. It's not clear if they made the same request to Qualys.

The company is working with cybersecurity firm FireEye Mandiant, who worked with Accellion on the larger attack.

Experts say the attack drives home just how susceptible all companies are to ransomware attacks.

Dave Kennedy, founder of cybersecurity firm TrustedSec:

Rendition founder Jake Williams:

Hackers compromised employee data in a ransomware attack against a rural Navajo Nation hospital.

Hackers obtained access to information including background checks, injury reports and job applications in the attack on New Mexico’s Rehoboth McKinley Christian Health Care Services, NBC News’s Kevin Collier reports.

Hackers posted the data of four employees in an effort to pressure the hospital into paying a ransom for its data. Traditional ransomware attacks only involve locking up an organization's computer systems in exchange for ransom. Now, hackers are increasingly turning to leaking data to add pressure.

Four people whose personal data was posted online said that the hospital did not alert them about the hack. The hackers did not respond to emailed questions, but they removed the hospital’s data from their website, indicating that the hospital may have ceded to their demands.

The hospital declined to answer specific questions about the attack, including whether it paid a ransom.

“With the guidance of outside cybersecurity experts, we have since implemented additional security measures,” hospital development director Ina Burmeister said. “Although some of those measures have caused occasional slowdowns with our system, patient safety has remained our top priority during this time.”

More cyber insecurity

'It was human error': Cyberattacks took place but didn't cause Mumbai power outage, says government. (Times of India)

Daybook

  • The Atlantic Council hosts a cybersecurity event with industry leaders today at 1 p.m.
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, delivers a keynote address at the annual ICS Security Summit on Friday at 9 a.m.
  • House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution on Friday at 11 a.m.
  • Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work on Friday at noon.
  • The Aspen Institute hosts an event on international Internet blackouts on March 9 at noon.
  • U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on March 10 at 4:30 p.m.