The Second to Last Jenga Block
This past Tuesday the FBI reported that it had conducted a multi-month operation to remove Chinese government-linked malware from more than 4,200 computers in the U.S. The effort removed the PlugX program, which is reportedly used by Twill Typhoon.
This is not the first (or second) time this has happened. I thought it was a mistake before, and nothing has changed since then.
I’m not casting aspersions on anyone, but lest anyone forget, COINTELPRO was a thing. FISA Section 702 violations were a thing. PATRIOT Act abuses were a thing. The list goes on and on from the earliest days of the Bureau till today. I don’t doubt that everyone involved in this effort had the best intentions at heart, but let’s not pretend that it takes much effort to go from doing the right thing, to becoming the internet <insert your favorite historical rights-abusing entity here>.
If you’ve ever worked in a national security organization then you know what comes next. Someone will see this as a tool to advance their career. To force themselves into activities they shouldn’t be involved in because of “equities.” As a means to remain relevant in a problem set that since its formation has been resistant to police work.
“Resistant to police work?”
Indictments of foreign hackers/intelligence officers? I’m trying to think of something less meaningful. Yes, IF they happen to get to a place where you can roll them up it’s handy, but how likely is that? Arrests of major cyberthreat actors? They’re notable because they’re so rare. Convictions? Onesies and twosies here and there are not making a dimple of a dent in the problem.
Law enforcement has an incredibly hard job and the people doing it work like dogs to do that job with integrity. But they have rules they have to follow, which is good, because when you can take away people’s liberty there should be guardrails on what the government can do to you.
But the people on the other side of this equation are not so burdened. Being a bad guy online is cheap and easy and if you are smart, not greedy, and OK living where you can’t be extradited, you’ve got an excellent chance of getting away with it. How is the fuzz supposed to compete with that?
The fact of the matter is they can’t. Oh, they can keep doing what they’re doing: “things we know how to do,” but absent some change in how we pursue cybercrime cases, they’re never going to scale to the level required to be relevant. I wish I had some inkling of an idea of what a new legal approach to these issues would look like but I don’t. It’s a problem that has vexed me since the early days when a DOJ attorney chewed me out for…let’s save that for the bar in Vegas…
I don’t know if third time’s the charm, but it is precedent. Expect more of this, and keep a very close eye on whether or not they carry out a little extra somethin’ somethin’ while they’re there (for the greater good), or the standards/justifications start to slip. If they do, you know that stack of blocks is about to come crashing down around us, and the internet will never be the same.