The FBI’s top cyber official called Russia a “formidable foe” in an oversight hearing Tuesday by the House Judiciary Committee.
“We have an absolute strategic warning that Russia plans to hit us. We will do our best among our interagency partners to provide more real-time updates as we already have for specific sectors,” Bryan Vorndran, assistant director at the FBI’s cyber division, testified to the committee.
He told lawmakers that although the FBI was limited in the tactical warnings it could provide to industry, in the past three weeks, the bureau has been “in the ballpark” in providing timely information.
Vorndran confirmed recent White House reports of increased Russian scanning of critical infrastructure, a precursor to any actual hacking activity.
In light of the Russian threat, Republicans expressed concerns with the Justice Department’s release in September of high-profile Russian hacker Aleksei Burkov. Vorndran said he didn’t have knowledge about why Burkov, who was investigated by the Secret Service and not the FBI, was released.
“But you’re the cyber man … you’re the key guy,” said ranking member Rep. Jim Jordan, R-Ohio. “You’re the guy the administration sent here today to talk about cyber in light of the fact that last week President Biden said the threat from Russia was imminent.” Vorndran said he was in no position to comment on the case.
Lawmakers expressed broader concerns about the FBI’s approach to balancing the need to help victims with taking down hackers. A separate Senate Homeland Security Committee investigation recently chided the agency for prioritizing investigations over victims, including withholding a decryption key from victims of a major hack on software management firm Kaseya over the summer.
Vorndran defended the practice, saying that the FBI needed to not only weigh the value of withholding the key in order to pursue an investigation but also simultaneously test the key for any potential downstream effects.
He praised Congress’ recent passage of a mandatory cyber incident reporting law. Justice Department officials initially expressed concerns that the bill would hinder the FBI from receiving reports the same time as the Department of Homeland Security’s cybersecurity agency.
When asked by Rep. Joe Neguse, D-Colo., what kind of additional legislation would be useful to the FBI, Vorndran pointed to new legal tools including organized crime and racketeering charges for cybercrimes, enhanced punishments for attacks on critical infrastructure and making it illegal to sell infrastructure to botnet operators.
Not included, however, was outlawing ransomware payments. When asked by Rep. Chabot, R-Ohio, if he thought a federal ban on payments to ransomware gangs would make attacks less lucrative, Vorndran shared agency concerns that it could create a new ransom opportunity for hackers.
“If you make the paying of ransoms illegal, you’re creating a third extortion. Which means if a company chooses to pay and has now broken the law then a cyber adversary now has the ability to hold them accountable for that in the public’s eye and threaten them with an even higher extortion,” he said
The FBI’s starring role in a longstanding fight between the Justice Department and the tech industry over encryption also got a quick spotlight.
Rep. Zoe Lofgren, D-Calif., asked the top official to “square” the FBI’s longstanding insistence for a backdoor to encrypted services with the recent emphasis by cybersecurity officials on the importance of encryption. Vorndran responded that the FBI “needs the ability to get data pursuant to a warrant.”
He gave a clearer answer when Lofgren asked if he agreed with some security experts that the operability requirements in the European Union’s new data interoperability rule could potentially create vulnerabilities that undermine encryption.
“Yes ma’am,” he said.