Great question. On Tuesday, the Department of Justice announced that the FBI removed web shells from an unknown number of private servers as a security measure for the owners’ (still unnamed and currently being notified by the FBI) benefit. As discussed by Bruce Schneier and others this week, the FBI’s intent in remedying a serious security flaw is appreciated but where did the agency get the legal authority to do this?
Before diving in, “WTF is a web shell?” Microsoft explains it best by stating that a web shell is “typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.” These items of code allow hackers to “run commands on servers to steal data or use the server as launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity” within the infected organization. The use of web shells as an attack vector is increasing with the reliance on web-based applications and virtual servers.
With that out of the way, back to the legal question: how can the FBI legally access and then alter private property without owner consent? In short, no one knows yet because the court documents are sealed but there is a pending motion to have them unsealed; at which time, the legal argument used to convince the United States District Court for the Southern District of Texas should be provided. Absent these specifics, it is a (from a purely legal perspective) perplexing question. If the owner is an American citizen, which many companies are not, the question becomes slightly alarming. That said, many entities and private individuals alike do appreciate government protection from malicious actors – just not sure if the feeling remains the same were government agents standing in a private resident replacing a defective portion of an oven or television set without knocking, seeking permission, or carrying a warrant. Here, knowing that the server owners were not notified, it is unlikely that a generic search warrant, issued under the 4th Amendment, was procured and served.
A hypothetical answer to the FBI’s legal authority is that the agency’s authority stemmed from one or more of the following laws and regulations: The Foreign Intelligence Surveillance Act (“FISA”), The Federal Information Security Management Act (“FISMA”), The National Security Act of 1947 (Title 50, Chapter 44 of the US Code), Executive Order 12333, one of the many Director of National Intelligence Directives, and the FBI’s generic authority under 28 U.S.C. §533/28 C.F.R. §0.85 et seq. Agreed, this laundry list is not helpful but again, so much is currently unknown.
For example, the following questions are extremely important in determining the potential legal authorities for any federal agency to access and alter private property absent owner permission:
Was the property located within the United States? (jurisdictional boundaries are tested by virtual property)
Is the owner a United States citizen? (always a question of rights)
Were the server owners state agencies or private entities serving as federal contractors? (potential FISMA trigger)
Were the web shell patches linked to a counter-terrorism matter? (potential EO 12333/ National Security Act /FISA matter)
Did the FBI first procure a FISA warrant?
Was this a joint task-force operation (Example: National Cyber Investigative Joint Task Force)?
These distinctions make a BIG difference. For example, FISA warrants can only be issued by FISA courts. FISA courts conduct their work outside of public purview for national security purposes. Therefore, the existence of a FISA warrant for some of the FBI’s activities regarding the web shells would not be discoverable unless and until the FBI wanted it to be discoverable.
Further, the FBI refers to itself as the lead U.S. agency combatting “Counterproliferation,” which includes the authority to stop technology-related attacks against the United States. 28 C.F.R. §0.85(I) states, in pertinent part, as follows: The FBI has “Exercise Lead Agency responsibility in investigating all crimes … which involve terrorist activities or acts in preparation of terrorist activities … this would include the collection, coordination, analysis, management and dissemination of intelligence and criminal information ...” And, Executive Order 12333 Section 2.4, which was signed under former President Ronald Reagan, is also interesting in that it prohibits the CIA and any other intelligence agency from conducting unconsented physical searched within the U.S. – but not the FBI. If you saw the movie Sicario (which is a great film), this concept is shown in action.
In short, the legal authority relied upon by the FBI in conducting the web shell activities is unknowable absent further facts. Jumping to any conclusions prematurely signals diminished intellectual integrity. However, raising eyebrows in response to the news itself is important to ensure due process. Looking forward to the court documents getting unsealed…