The Government Can Now Hack Private Servers
An Executive Order issued May 12, 2021, could be the first step in implementing federal cybersecurity requirements for private industry. Currently, the order applies primarily to agencies of the federal government and their software supply chains. Still, some of the order’s provisions indicate that new regulatory requirements affecting larger sections of the private sector may be just around the corner.
The executive order comes on the heels of the FBI’s controversial “hack-to-patch” action in April 2021. The agency obtained court approval to hack into hundreds of privately-owned servers without prior notice or consent of system owners to remove malware from Microsoft Exchange installations.
Taken together, the Executive Order and the FBI’s recent actions are prompting some cybersecurity professionals to voice concerns about the government’s methods and about how deeply it may become involved in, and regulate, private technology providers.
An overview of the Executive Order
The May 2021 Executive Order begins with statements of concern regarding the increasing number of cyberattacks against public and private sector systems within the United States and calls on the government to “identify, deter, protect against, detect, and respond” to these attacks. The order requires careful examination of cyber incidents and the application of lessons learned and states that a partnership between the government and the private sector will be necessary. The order also says that private industry must “ensure its products are built and operate securely” while calling for increased transparency within the industry.
This Executive Order calls on the government to make “bold changes” and to “bring to bear the full scope of its authorities” to accomplish the goals set forth. It calls upon private industry providers of services that contract with the government to collect, preserve, and share information about attacks with the FBI and other federal agencies and recommends that their contract language be changed to require them to do so.
Section 4 of the order is entitled “Enhancing Software Supply Chain Security.” This section applies to commercial software developers and is not limited to those that supply application software to government entities. It requires that, within 270 days of the order’s issuance, certain federal agencies identify safe practices for developing applications distributed to consumers, or that they evaluate potential labeling requirements for consumer software. This part of the order, Section 4(u), requires specific government agencies to identify security practices and, possibly, comprehensive testing and assessment processes.
The order also requires that a “Cyber Safety Review Board” be established by the Secretary of Homeland Security and the Attorney General. This board will investigate significant cybersecurity incidents. Also included are dates and deadlines by which strategies, recommendations, and requirements must be implemented. These are only a few points addressed in the Executive Order. The full text of the document is available at whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
Some of the concerns expressed
While many praise the Executive Order as a significant step toward increasing cybersecurity during dangerous times, some in the cybersecurity industry have concerns. In his May 27 article posted by Threatpost.com, David Wolpoff, Chief Technology Officer, hacker, and digital forensics expert, affirms his personal belief that the industry has long needed government regulation of cyberinfrastructure. He goes on to state, however, that some actions called for in the order will likely create vulnerabilities. Wolpoff calls the Executive Order a “rush job.” He contends that it promotes a rapid transition from on-premises operations to cloud environments, leading to mistakes that will create more vulnerabilities for attackers to exploit. Wolpoff calls for taking a more systematic approach to the transition that will allow time to implement fail-safes. He believes the order does not effectively convey the importance of creating resilient systems during cloud migration and testing them to ensure that they can withstand attacks.
Stu Sjouwerman is the founder and CEO of cybersecurity training provider KnowBe4. His May 28 article posted at blog.knowbe4.com states that, although the order primarily focuses on federal agencies and their contracted service providers, the private technology sector should prepare now for the possibility that new laws and/or regulations directly impacting them could soon follow. Sjouwerman points out that new regulations will lead to increased regulatory scrutiny. If Sjouwerman’s prediction comes to fruition and new regulatory requirements are applied, businesses will need to devote additional resources to maintaining compliance and responding to inquiries and audits. Given the current and worsening shortage of qualified IT professionals available for hire, doing so could be difficult.
About the “hack-to-patch” initiative
On April 13, 2021, a month before the issuance of the cybersecurity Executive Order, the Justice Department released an announcement disclosing that a “hack-to-patch” operation had been conducted to remove malware from Microsoft Exchange software installed on hundreds of privately owned servers. Federal authorities actually hacked into these systems, without the system owners’ advance knowledge or consent, to remove the malware. The operation was conducted pursuant to an April 9 warrant secretly obtained by the FBI from a federal court magistrate.
JustSecurity.org is an entity with the stated mission of educating and offering solutions to its community of readers, including “congressional staff, policymakers, experts, and national security journalists.” In its response to the hack-to-patch initiative, the organization took the position that many negative technical impacts could result from this approach. JustSecurity.org also cited potential security and policy issues associated with this activity and expressed concern that more ambitious operations of this nature could be conducted in the future based on the precedent set. The entire article can be accessed at justsecurity.org/75955/hack-to-patch-by-law-enforcement-is-a-dangerous-practice/ and includes a link to the FBI announcement.
Whichever side of the debate you support, there are arguments on both sides of the issue of increased government involvement in private technology operations, and dissenting views are widely available online. Questions to consider include whether industry or government is better suited to address security concerns in the private sector, and under what circumstances the government should have the authority to access private systems and make changes without the system owners’ knowledge or consent. Interestingly, the federal government suffered what many experts consider to be the most damaging cyberattack in history. Perhaps it is in the FBI’s best interest to focus on the government’s cybersecurity first and then the private sector’s.