CISOs, Don’t Ignore the FISA Section 702 Debate

Stewart Baker, Richard Salgado
Thursday, May 4, 2023, 9:00 AM
Section 702 could be your next big cybersecurity tool.
House Intelligence Committee Chairman Mike Turner (R-Ohio) announces the formation of a FISA Section 702 reform working group in March 2023. (CSPAN, https://tinyurl.com/3scaz3xk; Public Domain, https://tinyurl.com/muruuxb9)

Published by The Lawfare Institute
in Cooperation With
Brookings

Chief information security officers (CISOs) in the U.S. and abroad may not realize the stake they have in a congressional battle shaping up this year. 

The two of us have spent our careers advising CISOs: the men and women battling hackers at Google, Yahoo!, the National Security Agency, the Department of Homeland Security, and the Department of Justice as well as in private law practice.

Now, we have some new advice for CISOs: Pay attention to the debate over renewing Section 702 of the Foreign Intelligence Surveillance Act (FISA). 

Because if it expires, CISOs could be some of the biggest losers. 

A little background is in order. 9/11 taught the country a harsh lesson. While the National Security Agency was surveilling terrorists abroad and the FBI was doing the same at home, neither had been doing a good job of following communications between terrorists located overseas and those located in the U.S. Anticipating that more attacks on U.S. soil were imminent, the Bush administration created a secret program to close that intelligence gap by wiretapping foreign terror suspects communicating into the U.S. When the program was leaked, it underwent searing public scrutiny, and the executive branch terminated it. Congress stepped in and enacted a precursor to Section 702. The legislation preserved the basic approach but expanded it beyond terrorism, added oversight by Congress and the courts, and required more transparency. Over the years, more protections have been added by Congress, the courts, and the executive branch.

Under the current Section 702, the government may serve what amounts to a wiretap order on U.S. phone carriers and internet companies to collect communications to or from a specific foreign user based on, for example, email address or phone number. The government may not target its collection on U.S. citizens, lawful permanent residents, or anyone the government knows is located in the U.S. And regardless of the target, the government’s purpose must be to collect foreign intelligence information. 

Now here’s why 702 should matter to CISOs. As the Biden administration has recognized, protecting cybersecurity is as much an element of national security as is thwarting terrorists. As such, Section 702 can be used to protect national security by tracking and defeating state-sponsored hackers, ransomware gangs like the ones who took down Colonial Pipeline, and others who threaten network security. In fact, administration officials have said publicly that Section 702 is a major cybersecurity tool. A top Justice official revealed that Section 702 has “prevented ransomware hacks and thwarted cyberattacks by China, North Korea, Iran and Russia.” Public details are scarce, but no classified information is needed to understand how 702 could be used in this context. All you need is an understanding of the law and of how foreign hackers attack U.S. networks. 

How would 702 help the U.S. fight ransomware? Broadly, Section 702 allows an intelligence agency to target a ransomware gang located outside the U.S. if it’s using U.S.-based services (as it must to attack U.S. networks). The government is authorized to identify the attacker’s infrastructure (servers, email and IP addresses, and the like) and to collect information being sent to and from that foreign infrastructure. Once the ransomware gang is under surveillance, if it tries to compromise another U.S. network, the government will be able to see the attempt in real time and warn the victim. For systems that are already compromised, the government can also get some idea of the degree of damage based on the amount of data flowing to the attacker from the victim’s system and provide the victim with valuable information about the nature of the attack. Cyber threat actors can change their infrastructure rapidly, but Section 702’s strength is its nimbleness—if a threat actor changes the infrastructure it uses in its attacks, the agency can shift targets just as quickly.

Once 702 interception begins, many of the actor’s techniques can be put at risk. Its efforts to do reconnaissance and vulnerability scanning can be identified early. Phishing emails can be intercepted, and the malware they’re transmitting can be extracted for analysis. Victims can be identified, perhaps before they open the message. Stolen data can be spotted and tracked, maybe even recovered. Victims can be identified and warned, perhaps in real time. The FBI and other agencies have already begun to disclose vulnerabilities being exploited by foreign nations so that vendors and their customers can protect themselves. Section 702 may have been a source for some of these disclosures; certainly nothing prevents the Cybersecurity and Infrastructure Security Agency and the FBI from using what they learn from 702 intercepts to warn vendors about hardware or software exploits so that they can be patched, or to send advisories to the security community about how to mitigate a threat’s impact. 

Indeed, threat actors under 702 surveillance can be confronted not just with the usual commercial defenses but with the harsher tactics available only to Cyber Command and other U.S. intelligence agencies. If “release the hounds” is your prescription for dealing with ransomware gangs, Section 702 could supply the scent that quickly sets them on the right trail. 

Perhaps most important from the perspective of a CISO is that the government can use this information to warn intended victims of an impending attack. Section 702 allows the government to collect TTPs (tactics, techniques, and procedures), signals, malware signatures, and other information that a CISO can use to take defensive action—and to do it before a compromise is attempted. If the government learns of the attack only after a compromise, it can still notify the CISO and may provide invaluable details about what vulnerability was exploited, what servers were involved, and perhaps an idea of the damage inflicted. With a sufficiently speedy link between intelligence collectors and CISOs, for example, ransomware gangs could even be stopped before they’ve fully encrypted victim networks.

Victim notifications are typically done through the FBI, which earlier this year promised “Ritz Carlton-level customer service” for victims. Using Section 702 to bolster network defenses could be a part of that service, even if the government is circumspect in describing its sources. In fact, there’s no reason this sort of sharing has to be exclusive to CISOs in the U.S. The FBI works with government counterparts throughout the world to warn network operators of cyberattacks.

That’s what Section 702 could do for CISOs. Indeed, there’s good reason to believe that some of the potential we’ve described is already a reality. In addition to the Justice official’s remarks we’ve already noted, the National Security Agency has said as much and the Office of the Director of National Intelligence (ODNI) has said that Section 702 is used to collect, analyze, and share communications from hackers.

Recently, the ODNI disclosed that in 2021 the FBI performed 3.4 million queries of its 702 database for American identities. This raised eyebrows (and the recent numbers are far lower), but the government’s explanation said a lot about Section 702 and cybersecurity. It turns out that the bulk of the queries were efforts to identify victims of a single cyberattack, according to reporting from the Wall Street Journal:

More than half of the reported searches—nearly two million—were related to an investigation into a national-security threat involving attempts by alleged Russian hackers to break into critical infrastructure in the U.S. Those searches included efforts to identify and protect potential victims of the alleged Russian campaign, senior U.S. officials said.

This is all good news for CISOs. Ransomware actors depend on darkness and impunity, and 702 will mean more light and more consequences. 

If you like that idea, though, you should know that Section 702 is set to expire. There’s a spirited debate underway about whether it should be renewed at all, and about how it could be changed. CISOs who see the value of 702 for securing networks can make an important contribution to the discussion. Many proposed changes are on the table. Some of them are worthwhile. But some could make it much harder to use 702 to identify victims and notify CISOs when they’re at risk of attack. 

For Section 702 to be an effective weapon against cyberattacks, CISOs must become informed participants in the debate. If you are one of the many CISOs who think the government should do more to thwart attacks on your networks, your voice in defense of 702 is critical. But you should also hold the government’s feet to the fire to make 702’s potential real, through effective real-time threat sharing.

Perhaps the easiest way for corporate CISOs to get started is by educating company government affairs staff. Once you’ve explained what Section 702 could do to protect the company—especially if the government adopts measures to quickly share information with CISOs—you just need to ask that the company’s public stance on Section 702 take into account the big contribution the law could make toward protecting the company’s own networks.

Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.
Richard Salgado was Google’s Director of Law Enforcement and Information Security for 13 years, and a federal prosecutor before that. He teaches at Stanford Law School and Harvard Law School, and provides consulting services on national security, surveillance, and cybersecurity through Salgado Strategies LLC.