FBI Defends Costly Decision to Withhold Kaseya Key
The FBI’s decision to withhold the decryption key associated with the Kaseya cyberattack was made with a long-term plan of addressing Russian threats, despite the millions that businesses lost because of the decision, FBI Cyber Division Assistant Director Bryan Vorndran told the House Oversight Subcommittee Tuesday (see 2109210055). National Cyber Director Chris Inglis and Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales backed the decision.
Ranking member James Comer, R-Ky., “strongly advised” agencies in similar situations in the future to consider the hundreds of millions of dollars industry lost because of the decision to withhold the key. He criticized the FBI for not providing a briefing on the attack, despite a request from him and Chairwoman Carolyn Maloney, D-N.Y.
Vorndran said it was an effort to target and eradicate a long-term “disease” instead of trying for shorter-term results. The decrypter keys were delivered by Russian criminals, he noted: “Simply grabbing malware that’s been coded by criminals in Russia and deploying it onto U.S. infrastructure would not be a wise decision. An even worse case scenario was providing criminal-generated decrypter keys to victims” that might open new back doors to U.S. software.
The national cyber director office wasn’t in place yet, but Inglis said his understanding is the decision was a “well-discussed and consensus position” from agencies involved. If agencies act right away, the government can expose its knowledge of an incident and allow attackers to escape and target others, he said. If agencies wait, which is a subjective choice, they might be able to “remove the entire threat from the landscape,” he said. But if government waits too long, the number of victims might be unjustified, so it’s a balance, he added.
Wales said Inglis’ response was “on the money.” He called it a challenging environment in which the FBI was trying to balance long-term and short-term needs. He testified in place of CISA Director Jen Easterly. An agency official said she couldn’t testify due to a “family emergency.”
Comer and Maloney's opening remarks drew attention to high-profile ransomware payments. In March, CNA Financial reportedly paid the largest ransomware sum ever: $40 million, noted Maloney. Colonial Pipeline paid $4.4 million, and food processor JBS USA $11 million. She announced details from the committee’s supplemental memo on the three attacks. It said that “small” security lapses led to major breaches, companies lacked clear points of contact in the federal government, and companies faced pressure to quickly pay ransom. The memo said the JBS attacker, REvil, told the company: “We can unblock your data and keep everything secret. All we need is a ransom.”