OPINION – I spent twenty years at the FBI supporting investigations into cybercrime, tracking ransomware gangs, and watching foreign adversaries tear through American networks. I've sat across the table from hospital administrators trying to figure out how to care for patients when their systems are locked. I've talked to small business owners who lost everything to a cyber operation traced back to a state-sponsored group operating with near-impunity abroad.
What I can tell you, from that vantage point, is that allowing Section 702 to lapse would create intelligence gaps that our adversaries are already positioned to exploit.
Section 702 is a vital tool. A nimble authority that provides for collection against foreign-based, non-U.S. person threat actors intent on harming Americans. The threats this authority was built to address have not slowed down while Congress deliberates. Iranian-nexus actors are actively probing U.S. critical infrastructure, Chinese operators remain embedded in telecommunications networks, and ransomware groups – some operating with the direct support or tolerance of foreign governments – are targeting hospitals, water systems, and school districts across the country.
The actors dominating today's headlines each represent a different dimension of why 702 matters to the FBI as an investigative and intelligence collection tool.
Iran has demonstrated both the intent and the capability to conduct attacks on US soil. Beyond cyber operations against critical infrastructure – including recent attacks against operational technology in water treatment plants – Iran has sought to assassinate American citizens, including senior government officials, and to silence dissidents operating on US soil. Many of these plots are planned from abroad, coordinated through the internet, and would be invisible to investigators without 702. It is the tool that lets us connect the dots before an attack is executed rather than after.
China is playing a longer game. The campaign to pre-position access inside US critical infrastructure – power grids, water systems, transportation hubs, communications networks – is patient and methodical, designed to be activated at a moment of Beijing's choosing, including in the event of a conflict over Taiwan. In the FBI's own experience, 702 has been the difference between detecting that access early and discovering it only after the damage is done. When Chinese hackers compromised a major US transportation hub, it was 702-derived intelligence and US person queries that allowed the FBI to pinpoint exactly which network infrastructure had been hit, alert operators to the specific vulnerability, and help close the backdoor.
Ransomware, which defined much of my work at FBI, has evolved from a criminal problem into a national security one. Many of the groups responsible for attacks on hospitals and pipelines operate under the protection or direction of state sponsors who understand that ransomware destabilizes the same infrastructure a military adversary would want to disable. Over the past decade, malicious cyber actors have accounted for more than half of the FBI's Section 702 targets. The authority is central to how the FBI does cyber work: identifying victims, warning them before attacks begin, and helping them close backdoors before the next wave hits.
If Section 702 authority expires, active collection against foreign targets stops. Leads go cold. Investigations that depend on 702-derived intelligence hit a wall at exactly the moment continuity is critical. Adversaries don't pause. Every day the authority lapses is a day they move more freely through networks they have already compromised.
On compliance, the record deserves an honest accounting. The FBI's pre-reform querying practices were unacceptable. Director Wray said so plainly, and he was right. But beginning in 2021, there was a genuine institutional reckoning: foundational reforms to training, supervision, and accountability that produced documented, court-verified improvement. The same court that documented FBI’s violations in the first place – the Foreign Intelligence Surveillance Court (FISC) – concluded the reforms are having the desired effect.
The same rigor that produced those improvements is exactly why this reauthorization debate deserves to be evaluated on its own merits. The concern about government acquisition of commercially available data is legitimate, but it is a separate question from 702. Conflating the two risks taking down a well-functioning authority over a fight that belongs elsewhere in statute.
From two decades working to counter these threats, I know what it costs to arrive after the damage is done. The good news is that Congress doesn't have to make that choice. The oversight architecture is working. The reforms are documented. The threats are real and they are not waiting. Reauthorize 702, address commercial data on its own track, and keep the investigative capability that makes the FBI's cyber and national security work possible.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
