WASHINGTON — An FBI operation that gave law enforcement remote access to hundreds of computers to counter a massive hack of Microsoft Exchange email server software is a tool that is likely to be deployed “judiciously” in the future as the Justice Department, aware of privacy concerns, develops a framework for its use, a top national security official said Wednesday.
The department this month announced it had obtained a warrant from a federal judge in Texas to remove web shells, or malicious code that gives hackers a foothold into networks, from hundreds of vulnerable computers affected by a hack Microsoft has blamed on a group operating from China.
The FBI operation was designed to disrupt the effects of a hack that affected an untold thousands of servers running the Microsoft Exchange email program. Many victims took steps on their own to safeguard their systems, but for those that who did not, the Justice Department stepped in to do it for them with a judge’s approval.
It was the virtual equivalent of police going around the neighborhood locking doors that criminals had opened remotely.
“We have a decision to make, which is are we going to go ahead and do that action ourselves or are we just going to leave that malware there, sort of unremediated,” said Assistant Attorney General John Demers, speaking at a virtual discussion hosted by the Project of Media & National Security at George Washington University.
He said the operation was one of the very first of its kind and was discussed extensively beforehand by the FBI and the Justice Department. The department is figuring out how it plans to use the tool in the future.
“We don’t yet have sort of worked out what our criteria are going to be going forward,” Demers said. “Now that we’ve had this experience, that’s the kind of discussion we’re having internally now.
“This is not a tool of first resort that we’re going to be using a couple times a week as different intrusions come up,” he said. “This does require working with the private sector on the right solution. It does require testing to be sure that you’re not going to otherwise disrupt someone’s computer system.”
Demers acknowledged concerns from some privacy advocates that the government, without permission of the computer system operators, had gone ahead. But he pointed out the department did have a judge’s permission and said the government felt motivated to act because after a period of several weeks, there were still web shells that served as access point for “hackers of all stripes.”
“And so the choice that the government had was just continue to leave those open or take the court-authorized action that we did, and ultimately we decided to move ahead,” Demers said. “But to the extent possible before then, we had been notifying every victim that we could identify of the intrusion.”