The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Surveillance numbers drop, but critics aren’t satisfied

Welcome to The Cybersecurity 202! Good morning, everybody. I may have set the record for number of hours a human being has slept in one weekend. Time zone switches and an inability to snooze on flights means it hit me all at once.

Below: The SolarWinds breach was detected months earlier than first reported, and a key U.S. Marshals computer network is still down, more than two months after a ransomware attack. First:

Warrantless searches of Americans’ communication take a big dip — but interpretations of results vary

Warrantless FBI searches of Americans’ communications dropped steeply last year, according to an intelligence community report that said the number fell from around 3 million to around 120,000.

The Office of the Director of National Intelligence released the figure in an annual report Friday amid an intensifying battle on whether, and how, to reauthorize expiring surveillance powers under a law permitting warrantless spying on foreign targets, who may also be communicating with Americans.

It’s a “huge decrease” that points to the effectiveness of measures the Biden administration has put into place to improve compliance with the Foreign Intelligence Surveillance Act, said a senior Justice Department official who spoke on the condition of anonymity under ground rules set by the government. Section 702 of that law, which authorizes warrantless collection of foreign target communications even when they are communicating with Americans, is due to expire at the end of 2023. U.S. officials tout the law as one of their most potent intelligence-gathering tools on foreign targets.

But that decrease did not satisfy advocates for overhauling Section 702. They say the number is still too large and that there need to be more privacy safeguards for U.S. citizens.

One of the biggest such proposed safeguards is requiring a warrant when seeking Americans’ communications, an idea that U.S. officials say is unworkable in cases such as when they’re trying to protect victims of cyberattacks.

The positive view

The top cause for the drop in the warrantless surveillance figure is a change the FBI made in June of 2021, the official said. Before, it was easier for authorized personnel to inadvertently query Section 702 information. (Under the law, the FBI can search the program’s query system using identifiers of Americans, such as their names or email addresses.)

Now, they “need to affirmatively ‘opt-in’ to querying such information,” according to a February Justice Department memo about Biden administration changes to improve FISA compliance. “This system change was designed to address the large number of inadvertent queries of [raw] Section 702 information DOJ had identified in its reviews, in which FBI personnel did not realize their queries would run against such collection.”

“This is a huge decrease in the number of U.S. person queries,” the official said. “It’s because of the remedial measures that were put in place beginning in the summer of 2021. The most critical measure was the change in the FBI system to an affirmative opt-in.” 

The notion of a warrant requirement for U.S. person queries is often unworkable, the official said.

  • “We’re not going to meet a probable cause standard to get a warrant in a lot of these query scenarios because, for example, a number of them are going to be queries relating to [discovering] victims of cyber intrusions,” the official said.
  • Tonya Ugoretz, assistant director of the FBI’s directorate of intelligence, made a similar argument about cyber cases last month.

The National Security Agency’s database of Section 702 data has information on around 246,000 targets, and the agency gives the FBI data on just 3.2 percent of those targets, the official said. To search the database — which has the contents of emails and some online chats sent or received by the targets — agents need a “factual basis” to believe the query will return foreign intelligence information or evidence of a crime, which generally means “some nexus to a foreign power or some factual connection to threats to national security” such as international terrorism, espionage or foreign cyber intrusions, a senior FBI official said.

U.S. national security officials say that Section 702, originally focused on counterterrorism, now counts defending against cyberattacks as one of its top uses.

The negative view

The decline in warrantless searches is the wrong focus, said Elizabeth Goitein, senior director of the Brennan Center for Justice's liberty and national security program.

“Is 200,000 warrantless queries better than 3.4 million warrantless queries? When you ask the question, you get a sense of how warped the universe we're in is — that somehow 200,000 warrantless searches a year are an acceptable number,” she said, citing a separate set of figures from the report using a different counting method. “We're talking about surveillance on just a huge scale when you're talking about 200,000 warrantless searches.”

She also found the argument in opposition to a warrant requirement unconvincing. She said there’s no “victim exception” to the Fourth Amendment.

“They are basically admitting that they're searching Americans’ communications and most private personal information without probable cause,” she said. “That is why you should have a warrant requirement, not why you shouldn't have one.”

  • In other kinds of cases, she said, “Law enforcement agencies do this every day in the domestic context, and they manage to keep people safe using investigative techniques that comport with the Fourth Amendment.”

In addition, some analysts think the cybercrime victim example doesn't clearly explain what officials think the legal problem is. A criminal search warrant may be obtained, for instance, if the agent believes it will yield evidence of a crime, which could include discovering victims, they say.

“The legal question at the end of the day is whether these searches are reasonable,” said a former senior national security official who spoke on the condition of anonymity because of the matter’s sensitivity. “People are arguing about these U.S. person queries because it reflects that it’s not clear that they’re reasonable under the Fourth Amendment.”

Even lawmakers who are supportive of renewing Section 702 saw the report as a mixed bag.

“FISA 702 is one of the most critical tools at the Intelligence Community’s disposal, and it is absolutely essential that Congress renew it before the end of the year,” said Rep. Jim Himes (Conn.), the top Democrat on the House Intelligence Committee. “That said, there is an obvious need for legislative reform within the program to uphold Americans’ constitutionally protected rights.”

  • “The transparency report released today provides strong evidence that the reforms already put in place, particularly at FBI, are having the intended effects,” he continued. “Congress’ task will be to build on that success and put in place additional safeguards to ensure this critical tool is used appropriately and in a way that protects our national security, our safety, and our civil liberties.” 

Others looked to the overall surveillance figure since Congress reauthorized Section 702 in 2018, rather than the 2022 plunge.

“Today’s report highlights the urgent need for reforms to government surveillance programs in order to protect the rights of law-abiding Americans,” said Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee. “The number of targets of the Section 702 program has almost doubled since the program was last reauthorized, requiring stronger protections for the Americans whose communications are swept up.”

The keys

A U.S. Marshals computer network has been down for 10 weeks in wake of ransomware attack

A U.S. Marshals computer network that “has existed outside regular Justice Department computer systems for years, unnoticed in the open, crowded internet,” has been offline for more than two months as officials work to respond to a ransomware attack, our colleague Devlin Barrett reports.

“The computer network was operated by the Marshals’ Technical Operations Group (TOG), a secretive arm within the agency that uses technically sophisticated law enforcement methods to track criminal suspects through their cellphones, emails and web usage,” Devlin writes. “Its techniques are kept secret to prolong their usefulness, and exactly what members of the unit do and how they do it is a mystery even to some of their fellow Marshals personnel.”

The response to the hack is raising some questions.

  • To limit the hack’s reach, officials decided to remotely wipe devices belonging to people who worked in the hacked network, clearing out their emails and contacts on a Friday night.
  • The TOG collects some data through pen register/trap and trace, a type of cellphone surveillance that can also monitor email but doesn’t collect the contents of conversations. It also operates airplanes in some U.S. cities to track cellphones. The ransomware attack has hampered the TOG’s real-time data searches, and people familiar with the situation said that has affected its ability to find fugitives. However, a “Marshals official disagreed with that assertion, saying the agency has other methods of hunting fugitives,” Devlin writes.

The Justice Department has called the hack a “major incident” and notified Congress. “Shortly after that discovery, the USMS disconnected the affected system, and the Department of Justice initiated a forensic investigation,” the Marshals said in a statement. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees. … We are working swiftly and effectively to mitigate any potential risks as a result of the incident.”

SolarWinds breach detected months earlier than first disclosed

The Justice Department, Microsoft and Mandiant were aware of the SolarWinds breach six months before it was previously reported, Kim Zetter reports for WIRED.

“WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020 — but the scale and significance of the breach wasn’t immediately apparent,” Zetter writes, citing sources familiar with the incident.

The hack, which was linked to Russia’s foreign intelligence service, compromised several federal agencies and led to the United States further cracking down on Russian hacking operations. 

SolarWinds engineers at the time were reportedly unable to find a vulnerability in the Orion server that led to the breach. Zetter writes: “A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.”

  • “A DOJ spokesperson confirmed that the incident and investigation occurred but wouldn’t provide any details about what investigators concluded,” the report says.
  • “WIRED confirmed with sources that Mandiant, Microsoft, and SolarWinds were involved in discussions about the incident and investigation. All three companies declined to discuss the matter,” it added.

Canadian intelligence watchdog questions cybersecurity agency’s hacking justifications

Canada’s National Security and Intelligence Review Agency (NSIRA) questioned the Communications Security Establishment’s (CSE) legal ability to launch hacking campaigns against foreign entities, saying CSE had not provided adequate justification that its actions had been properly examined under international law, Catharine Tunney reports for Canadian Broadcasting Corp. News.

The NSIRA this week publicly released a 2020 report about the CSE’s 2019 operations, Tunney writes.

  • “CSE, because we are the ones who deal with foreign cyber operations, did not violate international law. We did not even come close to violating international law,” Nabih Eldebs, CSE deputy chief of authorities, compliance and transparency, told CBC News.

CSE in 2018 was granted the authority to launch cyber operations against adversarial groups seeking to disrupt Canada’s national security. 

  • “Eldebs said the federal government was still developing its official stance on cyberspace and international law as CSE was beginning to launch these operations,” Tunney writes.

Government scan

Chinese hackers outnumber FBI cyber staff 50 to 1, bureau director says (CNBC)

Privacy patch

To become an Amazon Clinic patient, first you sign away some privacy (By Geoffrey A. Fowler)

Industry report

How to keep calm and carry on in a supply chain attack (The Register)

National security watch

Amid concerns about TikTok, Commerce details effort to secure U.S. data (Reuters)

RSA: State Dept. cyber chief notes ‘seismic shift’ in collaboration (MeriTalk)

Global cyberspace

Countering disinformation a hemisphere-wide conflict, officials say (StateScoop)

Cyber insecurity

FDA warns of security vulnerability in Illumina’s DNA sequencing machines (STAT News)

Ontario casino ransomware attack 'as bad as it gets,' expert says (CTV News Barrie)

  • The Intelligence and National Security Alliance holds a discussion about how the Biden administration’s national cybersecurity strategy ties to critical infrastructure protections tomorrow at 2 p.m.
  • Stanford University’s Center for International Security and Cooperation convenes an event on AI and military decision-making tomorrow at 4 p.m.

Secure log off

Thanks for reading. See you tomorrow.