Communications Litigation Today was a Warren News publication.
No ‘Swap’ or ‘Concession’

FBI Cyber Director Dodges Questions on Release of Russian Hacker

Russia didn’t offer any “swap” or “concession” in exchange for the U.S. release of Russian cyber hacker Aleksei Burkov in August, FBI Cyber Division Assistant Director Bryan Vorndran told the House Judiciary Committee at a hearing Tuesday. The division can’t comment on the wisdom of the release because it’s the Secret Service’s case, he said.

Burkov was sentenced in June to nine years in prison for “facilitation of payment card fraud, computer hacking, and other crimes.” He was released from prison and deported in August, about a year before completing his adjusted sentence. Ranking member Jim Jordan, R-Ohio, pressed Vorndran for an opinion on the decision, citing President Joe Biden’s recent warning about Russian cyberthreats (see 2203220001).

Vorndran said he wasn’t consulted on the decision, deferring to the department and saying it was the Secret Service’s case, which he said was handled through a normal U.S. courts process. Vorndran said his understanding was that there was no “swap” or “concession” from Russia for Burkov’s release. “We didn’t get anything for it?” Jordan asked. It’s a question for DOJ, said Vorndran, saying the cyber division is its own agency.

Chairman Jerry Nadler, D-N.Y., focused remarks on Russia but didn’t bring up Burkov. He referenced attacks on critical infrastructure, noting the Russian attack on Ukraine hasn’t spilled over into cyberattacks against the U.S. Nadler asked Vorndran for the origin of the most common cyberattacker. Russia and its surrounding region, said Vorndran.

Rep. Steve Chabot, R-Ohio, suggested Congress should consider making it illegal for companies to pay cyber ransoms. He said it could make malware extortion less lucrative. Vorndran advised against that, saying it might put companies in an even worse position, heightening the level of extortion if they’re facing further legal liability. It should be considered, said Chabot, arguing the status quo isn’t working on ransomware payments.

Rep. Zoe Lofgren, D-Calif., questioned the wisdom of building vulnerabilities into encrypted devices to create back doors for police investigations (see 2002100046). It’s important police have access through an official court process to vital investigatorial material on devices, said Vorndran. Some members of Congress have suggested legislators could be forced to alter encryption standards if the tech industry doesn’t act to allow better access in investigations.

Rep. Ted Lieu, D-Calif., discussed tactics international groups are using to track the phones of members of Congress. He referenced the Israel-based NSO Group, which headed the Pegasus Project and used the SS7 method of tracking cellphone location. Rep. Thomas Massie, R-Ky., also raised issues about Pegasus. Vorndran wouldn’t answer questions on whether the FBI has investigated SS7 tracking, citing classification. He committed to giving members a classified, bipartisan briefing on Pegasus, NSO and SS7 attacks. It’s “very important to keep that as an open invitation” and provide any access possible, said Vorndran.

Vorndran credited Congress for passing mandatory cyber incident reporting legislation, which became law earlier this month (see 2203160051). Vorndran said the FBI is working with the Cybersecurity and Infrastructure Security Agency to implement the law. He noted the FBI struggles to compete with the private sector when recruiting talent because of salary gaps. He stressed the urgency for Congress to fund the division.