Sen. Ron Wyden, D-Ore., requested information on how the Department of Justice (DoJ) is securing its offensive cyber tools in a June 5 letter to Attorney General William Barr.
Wyden, who is a member of the Senate Intelligence Committee, said he wanted to “better understand the steps taken by the Department of Justice and its component agencies to protect U.S. government offensive cyber capabilities from loss or theft by hackers and hostile foreign intelligence services.”
In the letter, he said that several component agencies within DoJ have already publicly acknowledged their use of offensive cyber capabilities – including malware and zero-day software – and said the agency has already acknowledged “the dangerous nature of its cyber tools and the need to keep them out of the wrong hands.” He also said DoJ reported that the companies which supply the government with its hacking tools are already a “soft target for ‘attacks and infiltration by hostile entities wishing to exploit the technology [the companies] provide to the FBI.’”
With that in mind, Wyden requested answers by July 12 to the following:
- “Has the Department of Justice and its component agencies ever had one of their offensive cyber capabilities ‘fall into the wrong hands,’ such as through a breach or by being discovered ‘in the wild’ by a target, cybersecurity researchers, or a foreign government? If yes, please describe whether that capability was subsequently abused to exploit U.S. government or private sector computer systems and provide an estimate of the damage caused.
- Have any of the offensive cyber capabilities acquired from the private sector by the Department of Justice and its component agencies been developed by foreign companies? Has the Department of Justice or its component agencies audited these cyber capabilities to determine whether they ‘call home’ to servers that are controlled by that company or are located outside the United States? If no, please explain why not.
- Does the Department of Justice and its component agencies require that private sector suppliers of offensive cyber capabilities to the government:
  - Implement the National Institute for Standards and Technology Cybersecurity Framework? If no, please explain why not.
  - Adopt the cyber-security best practices that the Department of Homeland Security requires of Federal civilian agencies and that are published at https://cyber.dhs.gov? If no, please explain why not.
  - Be subjected to ‘red team’ cybersecurity audits in order to discover whether non-public offensive cyber capabilities stored by the suppliers are sufficiently secure from hackers and foreign governments? If no, please explain why not.”