An FBI official did not deny prior reports that the agency held the decryption key from the Kaseya ransomware attacks for multiple weeks without giving it to parties victimized by the attacks but told the House Oversight and Reform Committee at a Nov. 16 hearing that it chose to do so in the interest of figuring out how to achieve the widest-ranging impact from the key.
Bryan Vorndran, assistant director of the FBI’s cyber division, did not delve too deeply into the specifics of the bureau’s deliberations but provided committee members with some insight into the thinking of the interagency group that made the decision to delay releasing the encryption key to affected parties.
“I think the question is how do we do what’s in the best long-term interests of the public and balance that with protecting the public in the short term,” Vorndran told the committee. “Stated differently, if any one of us had a loved one with a disease, and we could take a longer-term approach to completely eradicate that disease – [that] takes a little bit of time and has perhaps a little discomfort for a loved one – we’d probably prefer that over a less effective shorter-term solution. Because in the end, we know we [would] have a more long-lasting effect.”
Vorndran explained the decision to hold the Kaseya tool similarly. The software firm was attacked by ransomware group REvil in early July, resulting in up to 1,500 affected parties. A week later, the group’s website disappeared from the dark web, with some belief that it could be the result of government action. While such a takedown was the goal behind the decision not to release the tool, ultimately it was not a fruitful effort at that time.
When asked by committee ranking member Rep. James Comer, R-Ky., about the decision, Vorndran could not say whether the FBI did a cost-analysis of how much money was lost by effected institutions due to the delay, but maintained that it was an interagency decision that was not taken lightly.
“Decisions that you’re referring to and asking about are very, very complicated, and they’re ones we take seriously,” Vorndran said. “And it’s why decisions like those are not just made within the FBI, but they’re taken into an interagency environment for final determination of what makes the most sense.”
While the initial disappearance of REvil from the dark web proved to be a tactical move by the organization rather than a product of government action, it was reported in late October that a multi-government effort was utilized to knock REvil offline after a reappearance by the group. More recently, the Department of Justice announced that it had successfully apprehended one member of the REvil group and charged another.
While National Cyber Director Chris Inglis was not yet confirmed to his position at the time of the Kaseya attack, he said that from his reading up on the situation and understanding of the proceeding, the decision was agreed on by all of the agencies with a say in the matter.
“My read of the record was that this was a well discussed and a consensus position of the various agencies that had the opportunity to comment,” Inglis told the committee. “I would simply observe, as assistant director Vorndran has said, there was never a question about the desire to in a timely, broad way disrupt this action and to save the downstream effects on eventual further victims. The question at the end of the day is how do you maximize the timeliness and the breadth?”
“If you were to act in the very first instant, you might then expose your knowledge [of] what’s happening [and] allow the criminals to escape [and] to take their accesses to various other customers that haven’t yet been sprung,” he explained. “If you wait for a while – and that is, therefore, a very subjective choice, one that must be well considered – you might then be able to simply remove the entirety of this threat from the landscape. If you wait too long, then there are too many victims. And so, there’s something between zero and infinity that you have to then come down on to align timeliness and breadth.”
