Below: The D.C. Metro email policy is under scrutiny after an alleged breach, and Dallas continues to feel the effect of a ransomware attack. First:

FBI’s improper surveillance of protesters, rioters and crime victims will complicate 702 reauthorization

The battle to reauthorize expiring surveillance authorities that U.S. national security officials describe as a key cybersecurity tool may have just gotten even more difficult.

The FBI has misused the powers — known as Section 702 of the Foreign Intelligence Surveillance Act — more than 278,000 times between 2020 and early 2021, according to an unsealed April 2022 court ruling by Judge Rudolph Contreras of the Foreign Intelligence Surveillance Court. “The Office of the Director of National Intelligence released a redacted version … in what officials said was the interest of transparency,” the Associated Press’s Eric Tucker reported.

Even though the FBI said it has since taken action to prevent further misuses, critics of Section 702 as written said the opinion only validated their fears.

“Yet again, the public is learning about shocking abuses of FISA Section 702, in particular the FBI’s warrantless searches through 702 data for information on Americans,” said Sen. Ron Wyden (D-Ore.). “These abuses have been going on for years and despite recent changes in FBI practices, these systematic violations of Americans’ privacy require congressional action. If Section 702 is to be reauthorized, there must be statutory reforms to ensure that the checks and balances are in place to put an end to these abuses.”

What the opinion says

The redacted document details instances where the FBI violated its own standards when officials searched for information about Americans. Section 702 is used to spy, without a warrant, on the electronic communications of foreign targets, but that can include their communications with Americans. Agencies can later query the repository using identifiers of those Americans, such as Social Security numbers.

The FBI can do so only when agents have cause to believe that it will produce information relevant for foreign intelligence purposes, or evidence of a crime, as our colleague Devlin Barrett wrote.

Among the improper searches listed in the opinion where there was insufficient basis:

People arrested during protests about the 2020 police killing of George Floyd;

Jan. 6 riot suspects;

More than 19,000 donors to an unnamed congressional campaign; and

Crime victims.

Also intriguing: The Foreign Intelligence Surveillance Court approved what the Office of the Director of National Intelligence described as a new “highly sensitive technique” for Section 702 collection that “is reasonably expected to result in no incidental collection of U.S. Persons’ communications.”

What happens now?

The opinion is more proof of the need for a warrant requirement before agencies conduct queries on Americans, the Brennan Center for Justice’s Elizabeth Goitein said via email. The Biden administration opposes such a requirement.

“The government is trying to dismiss these examples as irrelevant because it has since implemented changes to its training and oversight requirements,” she wrote. “But for 15 years, the government has been telling Congress and the American people that its training and oversight requirements were more than sufficient to protect Americans’ privacy. Clearly, that wasn’t true. This is a textbook case of ‘fool me once, shame on you; fool me twice, shame on me.’”

The majority of our panel of cyber experts opined this month that Section 702 should be re-upped before it expires at the end of the year, but with changes — although they cited various changes they believed were needed.

On the Hill, there was some similar sentiment in response to Friday’s news.

The opinion “provides further evidence that a bipartisan reauthorization of FISA Section 702 must include robust measures to ensure that FBI employees conduct searches of the Bureau’s Section 702 databases in a rigorous and responsible way,” Rep. Jim Himes (Conn.), the top Democrat on the House Intelligence Committee, said in a written statement. “While meaningful reforms implemented at the FBI in the last two years have reduced the frequency of compliance incidents, it is crystal clear from our Committee’s oversight that additional changes are required to ensure that the FBI, and other agencies, are faithful stewards of this powerful and irreplaceable national security tool.”

But Himes is a Democrat, and Republicans have taken aim at the FBI since the Trump administration over what they allege is a bias against conservatives.

Darin LaHood (R-Ill.), who leads the Intelligence Committee’s FISA Working Group, said in a statement that the findings “underscore the need for Congress to reform 702 to better protect the civil liberties of Americans.” He added that the group of lawmakers “will continue to work towards reform that ensures these types of abuses never happen again.”

Meanwhile, “Republicans in Congress recently propped up a subcommittee dedicated to trying to find abuses within the FBI and other federal agencies,” my colleague Amber Phillips wrote. “It’s likely they’ll investigate how the FBI uses this database.”

Then there’s the court itself. The opinion warned that unless the officials shape up, the court will order its own changes.

The keys

D.C. Metro email policy under scrutiny following Russia-linked breach

The lead investigator of an intrusion into D.C. Metro’s systems by a former contractor’s Russia-based computer said the computer contained confidential files and had been automatically syncing from Metro’s system for years while the worker was under contract, our colleague Justin George reports. But the investigator, Metro Office of the Inspector General deputy director for cyber and data analytics James S. Smith, said he wasn’t able to trace the former contractor’s trail beyond half a year because of a Metro policy where emails are deleted after that time window.

Smith “said he began looking into the computer’s owner, a Russian national and former Metro contractor, while searching the man’s previous logins to the network, as well as his emails,” Justin writes.

“This has been going on for years, but yet we could only collect email for the past six months,” Smith said.

That deletion policy is now under scrutiny after the apparent breach was disclosed in a report last week.

The report highlighted a Jan. 4 incident where the former contractor remotely accessed his computer in Russia and logged into a Metro network that contained sensitive data on mobile fare payment programs. Metro noted that the intrusion wasn’t malicious and that the former contractor was obtaining work documents.

“In a statement, Metro said General Manager Randy Clarke, who is in his first year leading the transit agency, has asked staff to review the email retention policy and recommend updates,” Justin writes. The agency declined to address specific questions about its email protocols.

Metro has contested many of the OIG’s cybersecurity claims, including the assertion that the unauthorized intrusion amounted to a breach — partly due to CISA closing the case without comment.

Metro has said that Microsoft’s detection and response team (DART) didn’t raise significant concerns after reviewing Metro cyber preparedness. “DART found no concrete indication that on Jan. 4 content on the individual’s One Drive was synchronized to a device in Russia and no indication of persistent or ongoing malicious activity,” Metro spokeswoman Kristie Swink Benson said in a statement Saturday. Microsoft didn’t return a message on Saturday.

China warns against purchasing Micron products, citing cybersecurity review

Beijing advised critical infrastructure operators to halt purchases from U.S.-based memory chipmaker Micron, citing unspecified “serious network security risks” posing a hazard to China’s national security, Joe McDonald reports for the Associated Press.

The statement from the Cyberspace Administration of China comes as the United States, Europe and Japan work to reduce China’s access to advanced chipmaking tools and other technologies. China began investigating Micron in April after Japan joined the United States to impose chip restrictions on the country, the report adds.

“Chinese officials have warned of unspecified consequences but appear to be struggling to find ways to retaliate without hurting China’s smartphone producers and other industries and efforts to develop its own processor chip suppliers,” McDonald writes.

Memory chips are not typically considered a cybersecurity risk because they are not software based and do not run computer code, Bloomberg News notes.

The announcement comes as President Biden prepares for additional tech investment restrictions against China with support from the Group of Seven nations.

Dallas police struggle to access evidence amid fallout from ransomware attack

Dallas police are struggling to procure physical and digital evidence for trials as the city continues grappling with a ransomware attack that has crippled major public services, Kelli Smith, Maggie Prosser and Jamie Landers report for the Dallas Morning News.

“The consequences played out Thursday in a murder trial, where a man was found guilty despite evidence being unavailable to jurors or lawyers. Last week, a jury couldn’t reach a unanimous verdict in another murder trial, where police were unable to produce a phone or shell casings,” they write.

“It’s the Stone Age again,” Dallas Criminal Defense Lawyers Association president Douglas Huff told the outlet.

The attack carried out by the Royal ransomware group could take weeks to fully recover from, representatives for the city have previously said. The Dallas Police Department’s digital media evidence team was already sorting through hundreds of murder evidence cases before the attack, according to the report.

“Claire Crouch, a spokeswoman for the Dallas County District Attorney’s Office, said Wednesday that it would be impossible to determine whether any cases would be affected by the ransomware attack,” the report said.

Thanks for reading. See you tomorrow.

