Amoroso and Milch of CCS argue against FBI “Hack to Patch” operation

Are law enforcement officials justified in hacking thousands of computers if the end result is a patch that corrects a critical vulnerability? In an editorial in JustSecurity posted on April 30, two faculty members from NYU’s Center for Cybersecurity (CCS) argue that, in a recent case in which the FBI engaged in a “hack to patch” operation, the ends did not justify the means.

The editorial was penned by Randal S. Milch, Co-Chair of CCS and a Professor of Practice at the NYU School of Law, and Edward G. Amoroso, Chief Executive Officer of TAG Cyber LLC and a Distinguished Research Professor at CCS, in response to a recent action by the Federal Bureau of Investigation. On April 9, a federal magistrate judge in Texas issued a warrant allowing the Bureau to access, copy, and remove the web shells from “hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service,” according to the motion filed in the United States District Court for the Southern District of Texas. The action followed the disclosure, several weeks earlier, of a security problem in Microsoft Exchange Server: hackers linked to the Chinese government had exploited at least four zero-day vulnerabilities in Microsoft’s code, gaining remote access to sensitive data. While the agency’s actions seem in line with the threat it was facing, Amoroso and Milch warn that “a dangerous precedent has been set,” one which “leads us to fear more ambitious hack-to-patch operations in the future. From an information security perspective, this is a troubling prospect.”

The article goes on to elaborate why the authors feel this is a practice that should not become commonplace. Amoroso and Milch note that such operations lack the clear boundaries that would normally be set when systems are tested, including keeping the affected companies’ security teams informed. They also point out that such operations create the potential for “collateral damage” in the form of “outages, degradations, performance issues, or leaks.”

Mostly, though, as the authors say in their concluding statement, if not questioned, such operations are likely to continue. “We worry that the government’s ambitions in this area will only grow. Efforts to continue this type of activity for future vulnerabilities will exacerbate the technical, security, and policy issues we have noted. Fighting capable adversaries is already tough. Mixing benign hacking into the mix will make it tougher. In the end, law enforcement should recognize that its role is not system administration, but the maintenance of public safety.”

You can read the full editorial here.