Why Section 702 Isn’t A Silver Bullet Against Ransomware And Cyberattacks

Guest post from Chris Weiland, Restore The Fourth – Minnesota

A Post-It note saying, "SSL Added and removed here! :-)", released during the Snowden revelations, showing that NSA had successfully hacked Google's TLS
NSA’s approach to protecting Google’s cybersecurity

Recently, current and former members of the intelligence community have been arguing that Section 702 surveillance powers are useful for thwarting ransomware attacks and protecting against cyberattacks writ large. As someone who works in the information security space, I find this argument frustrating. It is possible that the government could use Section 702 in a way that helps combat ransomware and cyberattacks, but secrecy makes it really hard to assess this claim, and the history of the government’s stances on surveillance issues and cybersecurity do not inspire confidence.

But even with incomplete information, I think it’s fair to call this argument dubious. In a recent survey, fully 80% of cybersecurity professionals support some changes to Section 702. Even if cyberattacks and ransomware justified making a deal with the devil, 702 seems like the wrong demon for the job.

The information security community has access to many kinds of tools for defending and recovering networks from attacks. I would classify Section 702 as a “threat intelligence” tool, something that gives us insight into threats and what they are getting up to.

And while threat intelligence can be useful in some circumstances, I’m skeptical of its overall utility relative to the costs. According to one industry survey, “82% of security professionals agree that their [Threat Intel program] is treated as an academic exercise, leading to threat analyst accolades but limited program success.”

This is because of the nature of the tool. Even at its best, threat intelligence mostly serves to inform executive decision-making. 702-derived intelligence can’t stop a phishing email from landing in an
inbox, or prevent a bored HR worker from opening it. It can’t close a wide-open web service with a default password or update out-of-date software.

Perhaps this is why there has been no public evidence to date which suggests that 702 is being used to actively predict and prevent attacks. Rather, public statements by the intelligence community seem to indicate that as far as cybersecurity goes, 702 is being mostly used to help find holes that have already been smashed open. And if it’s not being used as a predictive tool, there seems no exigent reason why the intelligence community can’t get a warrant.

Many robust tools are addressing the threat of ransomware and cyberattacks, without imposing 702’s significant costs to our civil liberties. There are firewalls and allow-lists and honeypots and SBOMs and mandatory update cycles and two factor authentication and bug bounty programs. At the end of the day, knowing that someone plans to throw a rock doesn’t change the fact that we live in a glass house. Even knowing when and where and what kind of rock, does not meaningfully change
the calculus.

In short, cybersecurity is indeed a real problem, but there’s no reason to think that renewing Section 702’s invasive, warrantless authorities will help solve it. Congress should focus on legislation which directly addresses the terrible condition of our nation’s digital defenses, not on re-authorizing mass surveillance.