Senate's latest Russia report backs new rules for cyber vendors

Federal investigators may need new authorities to probe cybersecurity breaches in sensitive non-governmental networks, according to the unclassified version of the Senate Select Committee on Intelligence's report on foreign interference in the 2016 election.

The fifth and final volume of the report, released with redactions on Aug. 18, concludes in part with recommendations on what authorities the FBI might need to obtain cooperation from hacking victims whose purloined data and compromised networks could have public impacts – especially when the integrity of an election is at stake. That advice could form the basis of new policy or possibly legislation to empower the FBI in probes of network breaches.

"While the Committee understands FBI's reluctance to force solutions on hacked victims, FBI should develop a clear policy to address how to escalate victim notifications within a hacked entity, particularly for those involved in an election, when it appears that entity has not successfully remediated a cyber breach," the report states.

The report also calls for the FBI's Cyber Division to develop policy to pressure victims that don't respond to investigators and "in narrow situations where the security of the election is at risk, the potential use of compulsory process" and to pursue legislation to mandate that "third-party cybersecurity vendors to report indicators of nation-state compromise" to government law enforcement officials.

"Any sharing mandate should also include suitable protections for personally identifiable information or other sensitive or privileged material," the report states.

Much of the report details the circumstances and players involved in the hack of the Democratic National Committee by Russia's GRU intelligence directorate. While publicly the DNC made a show of cooperation with law enforcement and hired the cybersecurity firm Crowdstrike to investigate, it's clear from the report that there were some tensions and delays. According to an interview with James C. Trainor, Jr., then assistant director of the FBI's Cyber Division, that is cited in the report, the bureau faced obstacles obtaining information on some of the details about the intrusion, including an unredacted copy of the Crowdstrike analysis of the attack on the DNC.

"Trainor told the Committee that he was not aware of any situation during his tenure in the Cyber Division where the FBI ever used [redacted] to secure victim cooperation," the report states. Because of the redaction it's unclear how the FBI obtained cooperation from Crowdstrike and the DNC, but the Senate report appears to suggest that relying on voluntary cooperation is not always in the best interests of law enforcement.

In its account of the hack, Crowdstrike has stated, "We have never declined any request for information from the FBI related to this investigation, and there are no pending requests for information by the FBI."

The report calls on the FBI to "downgrade and share" classified information with network defenders where possible, and to identify individuals with appropriate security clearances who can be briefed and debriefed for the purposes of incident response. Additionally, the report recommends the FBI develop a set of best practices for interacting with vendors hired by victim entities to conduct incident response.

Separately, the Cybersecurity and Infrastructure Security Agency at DHS is pursuing, with help from some in Congress, authority to issue administrative subpoenas to internet service providers to pursue cybersecurity investigations in which the identification of victims is made difficult by the mode of the attack.