Hacking Against Cybercrime: The FBI's New Approach
What if the U.S. government could force entry—in other words, hack—into electronic devices around the world, using only one warrant, even if the owners of those devices were not suspected of any criminal activity, and it would be legal?
The U.S. Department of Justice has made new changes to Rule 41 of the Federal Rules of Criminal Procedure to do just that. These changes—made without meaningful congressional debate—allow the FBI to hack multiple devices under a single warrant.
The new provisions under the law—which went into effect this month—are intended to give the FBI the necessary tools to address cybercrime as it faces the new world of borderless global Internet infrastructure. However, critics argue the new law gives the FBI sweeping powers that not only infringe on the privacy rights of innocent people, but could also undermine overall cybersecurity.
But what is the rationale behind giving these new powers to law enforcement and what will its implementation look like? Why has the new provision drawn such criticism?
The changes to Rule 41 are the result of two converging trends: the global nature of the Internet that allows criminals to quickly conduct predatory behavior across borders, thereby avoiding some legal ramifications; and the growth of what the Justice Department calls “warrant-proof technology,” like strong encryption and anonymizing equipment that hides a criminal’s identity through a series of misdirections about their physical location.
With global cybercrime costs expected to rise to $2 trillion by 2019, it is worth exploring new ways to tackle criminal use of our own technology against us. Traditionally, the FBI has sought international cooperation with law enforcement of foreign countries, but to date the United States has inter-law enforcement cooperative agreements with fewer than half the countries around the world. Furthermore, the Mutual Legal Assistance Treaty (MLAT) process to access foreign-stored digital evidence is cumbersome—taking an average of ten months to complete.
These problems make investigations into cybercrime a logistical nightmare, particularly when data is fragmented across multiple jurisdictions and constantly being moved around the globe. Elaine Lammert, former Deputy General Counsel at the FBI, argues that “requiring law enforcement to go to a court in each jurisdiction district where an infected computer is located would cause unnecessary delays that would negatively impact the investigation as well as be an ineffective use of investigative resources.”
Criminal schemes like the campaign by the Gameover Zeus botnet, and the child pornography site Playpen, give insight into the scale and types of cybercrime the FBI faces.
In 2014, the Justice Department disrupted the Gameover Zeus botnet—a global network of infected computers belonging to unwitting citizens exploited by cyber criminals to deploy banking credential harvesting malware and ransomware to elicit payment from victims. The campaign infected a million computers worldwide, 25 percent of which were within the United States, while the stolen banking credentials were used to wire transfer over $100 million to the criminals’ accounts overseas.
Botnets like Gameover Zeus—or more recently the Mirai-based botnets piggy-backing off Internet of Things (IoT) devices to boost distributed denial of service (DDoS) attacks against Internet infrastructure like the domain service provider Dyn last month—are part of the reason behind the recent changes in Rule 41.
But U.S. Senator Ron Wyden (D-OR) points out that “the Justice Department failed to explain exactly how it will fight these botnets. One likely approach is a ‘mass hack’ where the FBI uses this new authority under Rule 41 to hack thousands or millions of devices as part of a ‘mass search’.” Senator Wyden goes on to ask “What kind of hacking tools will the Justice Department use? Are they tested to be safe and not damaging to computer systems? Could criminals exploit these same tools? The Justice Department has never fully addressed these questions. Its answer, essentially, is ‘trust us’.” The FBI could not be reached for comment.
The answers to these questions are not only important for privacy reasons—in fact, the Justice Department feels it is on the frontlines of ensuring the privacy of citizens from cyber criminals—but also in the context of broader attempts to secure cyberspace.
While lawful hacking is a necessary tool for law enforcement, there is always a balance to be found between offense and defense. Every exploit the FBI finds, criminals and other nation-states can find too, and critics note that by exploiting it, as opposed to reporting it so that it can be patched, the FBI is essentially revealing the vulnerabilities and keeping systems insecure. There are also potentially unknown consequences of infecting systems with malware that could lead to a form of collateral damage, as well as creating an international norm to breach devices globally, possibly legitimizing hacking by other countries such as China, Russia, Iran and North Korea.
Another reason the Justice Department has expanded its reach via these changes to Rule 41 is the rise of the online criminal service industry—the sale of drugs, counterfeit documents, arms, hacking toolkits, and child pornography. These are widely available on the dark net, an area of the Internet only accessible through encrypted browsers like Tor, which are intended to maintain users’ anonymity.
The FBI’s hacking operation on the dark net child pornography site Playpen, revealed in January prior to the changes in Rule 41, is a look into the future of FBI hacking. In February 2015, the FBI seized the site, but rather than shutting it down, allowed it to continue operations from a government server for nearly two weeks. During this time, the FBI deployed a piece of malware called a network investigative technique (NIT) that included a zero-day exploit, or malicious code for a previously unknown vulnerability, targeting the Tor browsers of those who visited certain threads on the site.
The virtual sting operation, also known as a watering-hole attack, was approved by a single magistrate judge, and accessed over 8,000 devices of suspects—revealing their IP addresses and likely more—across 120 different countries. The operation revealed 1,000 IP addresses within the United States, leading to around 200 active criminal cases and the rescue of 49 children. But judges in some cases have decided the evidence was obtained improperly because it was derived from a single warrant. Because this was before the changes to Rule 41, the single warrant only applied within the legal jurisdiction of the court that granted it. While the changes in Rule 41 fix this technicality, critics point out that it could allow the FBI to “forum shop” by finding a judge in any district overseeing one of the devices with a predisposition to grant a sweeping warrant.
Senator Wyden argues “there is no question law enforcement needs tools to fight crime in the digital age, [but] mass hacking with no known protections for Americans’ Fourth Amendment rights and potentially massive collateral damage is not the answer.”
Lammert, on the other hand, suggests “the safeguards and oversight are found within the rule itself,” and that “law enforcement must [still] show probable cause to justify the search.” She goes on to clarify that “the amendments do not authorize the government to remotely search a computer via any techniques that are not already authorized by law” and “all the protections under the Fourth Amendment remain.”
Either way, we can expect large-scale operations similar to those that took down Playpen and Gameover Zeus to become the new normal in fighting cybercrime—and maybe even creating viable criminal deterrence online.
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.