Comment UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments – but some members of the British infosec industry are remarkably quiet about whether this would be a good thing.
In the middle of last week the FBI made waves by deleting web shells from Exchange Server deployments compromised in the Hafnium attacks. The bureau had gone to the US federal courts for permission, which it received.
The entire infosec world had been bellowing at IT admins to update and mitigate the vulns, which were being exploited by skilled and malicious people who found the remote-code-execution bug. Nonetheless, some laggards still hadn't bothered – and with compromised boxen providing a useful base for criminals to launch further attacks from, evidently the FBI felt the wider risk was too great not to step in.
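What "removing a web shell" amounts to in practice is left implicit above. As an added illustration, not code from the article, the FBI or the NCSC, the Python below hunts under an IIS web root for the kind of ASP.NET web shell dropped on compromised Exchange servers and quarantines the hits rather than deleting them, so that evidence is preserved and a false positive can be put back. The indicator regexes, the directory layout, the file names and the sample page contents are constructed here for the demonstration; a real hunt would also compare the tree against a known-good file inventory.

```python
"""Hunt for ASP.NET web shells under an IIS/Exchange web root and quarantine them.

Added example, not from the article or from any agency tooling. The indicator
patterns and the sample files below are constructed for illustration.
"""
import re
import shutil
import tempfile
from pathlib import Path

# A web shell needs two things: attacker input read from the HTTP request, and
# a sink that executes it (a script eval or a spawned process). Requiring both
# keeps ordinary pages that merely read form fields out of the results.
READS_REQUEST = re.compile(r'\bRequest\s*(\.\s*\w+\s*)?[\[(]', re.I)
EXEC_SINKS = re.compile(
    r'\beval\s*\(|Process(StartInfo)?\s*[(.]|\bcmd\.exe\b|\bpowershell\b',
    re.I,
)


def looks_like_webshell(source: str) -> bool:
    """True when the page both reads request input and executes something."""
    return bool(READS_REQUEST.search(source)) and bool(EXEC_SINKS.search(source))


def find_webshells(webroot: Path) -> list[Path]:
    """Scan every .aspx file under webroot; return the ones that look like shells."""
    hits = []
    for path in sorted(webroot.rglob('*.aspx')):
        try:
            text = path.read_text(encoding='utf-8', errors='replace')
        except OSError:
            continue
        if looks_like_webshell(text):
            hits.append(path)
    return hits


def quarantine_webshells(webroot: Path, quarantine: Path) -> list[Path]:
    """Move flagged files out of the web root instead of deleting them.

    Moving keeps the evidence for the owner's incident response and lets a
    false positive be restored; the quarantine directory sits outside the
    web root so the moved files are no longer served and no longer scanned.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for path in find_webshells(webroot):
        rel = path.relative_to(webroot)
        dest = quarantine / rel.as_posix().replace('/', '__')
        shutil.move(str(path), str(dest))
        moved.append(dest)
    return moved


def build_sample_tree() -> tuple[Path, Path]:
    """Create a constructed IIS-like tree: two shells and one benign page."""
    base = Path(tempfile.mkdtemp(prefix='exchange-demo-'))
    webroot = base / 'wwwroot'
    (webroot / 'owa' / 'auth').mkdir(parents=True)
    (webroot / 'ecp').mkdir(parents=True)
    # Benign: reads a form field but never executes it.
    (webroot / 'owa' / 'auth' / 'logon.aspx').write_text(
        '<%@ Page Language="C#" %>\n<% var user = Request.Form["username"]; %>\n'
        '<html><body>Welcome <%= Server.HtmlEncode(user) %></body></html>\n')
    # One-line JScript shell: evaluates whatever arrives in the "cmd" parameter.
    (webroot / 'owa' / 'auth' / 'shell.aspx').write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>\n')
    # C# shell: spawns cmd.exe with an attacker-supplied argument string.
    (webroot / 'ecp' / 'help.aspx').write_text(
        '<%@ Page Language="C#" %><%@ Import Namespace="System.Diagnostics" %>\n'
        '<% var p = new Process(); p.StartInfo.FileName = "cmd.exe";\n'
        '   p.StartInfo.Arguments = "/c " + Request["c"]; p.Start(); %>\n')
    return webroot, base / 'quarantine'


if __name__ == '__main__':
    webroot, quarantine = build_sample_tree()
    for hit in find_webshells(webroot):
        print('suspect:', hit.relative_to(webroot))
    for moved in quarantine_webshells(webroot, quarantine):
        print('quarantined to', moved)
```

The two-signal rule (request input plus an execution sink) is deliberately conservative: a page that only reads a username is not flagged, while the classic one-line `eval(Request.Item[...])` shell and a `Process`-spawning variant both are. Even so, a scanner like this is a triage aid, not a verdict; whoever runs it against someone else's server owns the consequences of a wrong match.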
The move didn't go unnoticed in the UK. Former National Cyber Security Centre chief Ciaran Martin praised it on Twitter:
Would love to know more, but at first glance this looks like a creative US Gov't cyber intervention that is:
- technically astute;
- lawful, though some will understandably be uneasy;
- going to reduce vulnerability to specific cyber harm.
Please tell me what I've got wrong! https://t.co/ulsbAztVIg
— Ciaran Martin (@ciaranmartinoxf) April 14, 2021
Could NCSC have copied the FBI and done the same over here? Many people's first reaction would be that the Computer Misuse Act 1990 blocks it: either the section 1 "unauthorised access" offence or the section 3ZA gotcha, which carries up to 14 years in prison for an unauthorised act on someone else's device done while "reckless as to whether serious damage of a material kind" is caused to "a system of communication". But tech lawyer Neil Brown of decoded.legal told The Reg that GCHQ (and the NCSC, which is part of it) could have done it with a warrant.
Brown pointed to section 5 of the Intelligence Services Act 1994. 5(2)(iii) read together with section 3(2)(a) (the latter being GCHQ's raison d'être) can be read as giving GCHQ the legal power to apply for a warrant to remove web shells from compromised Exchange Servers, provided a minister agreed that removing the malware was necessary for British economic well-being.
Brian Honan, infosec consultant and founder of Ireland's CSIRT, warned that "the road to hell is paved with good intentions," telling us: "The reasoning this action was allowed by the [US] courts was under the guise of 'national security'... What would have happened if the action taken by the FBI had resulted in downtime of some of the systems? We need to ensure there are appropriate legal, transparency, and accountability controls in place should this type of action or similar be considered again."
Honan is right: while it would be lawful for NCSC to copy the FBI, going down the same route would open a large can of worms. GCHQ/NCSC has no established framework it could adopt to ensure that any such powers were used proportionately and kept within lawful bounds.
One American commentator, ex-NSA lawyer Stewart Baker, reckoned that under US federal law the FBI were on sound ground unless someone popped up with proof that the feds had caused damage:
8/9 The FBI would of course be in legal hot water if its seizures caused harm to the property of the computer owner or the landlord. But the FBI said it could avoid such harm, and there is no evidence that it caused any.
— stewartbaker (@stewartbaker) April 15, 2021
While the NCSC declined to put anyone up for interview, in a brief statement the agency said it had stopped short of scrubbing infected servers clean without their owners' knowledge: "The NCSC has gone above and beyond to support vulnerable and compromised Exchange owners with the removal of webshells, including working with partners and proactive outreach."
"Organisations can greatly reduce the threat of being compromised by applying the latest security updates, such as recommended in Microsoft's latest guidance to Exchange owners," it added. Clearly, new chief exec Lindy Cameron's interventionist approach to British infosec stops short of doing industry's work for it.
Representatives of the CyberUp campaign, which aims to reform the Computer Misuse Act, declined to comment when The Register asked if they supported or opposed any moves to amend the act and make it easier for the authorities to pull off web-shell-scrubbing moves in future. While easing the path for UK.gov to unilaterally interfere with your web-facing infrastructure would be hugely controversial, coming out for the status quo on that point couldn't do any harm either.
Still, with lots of cyber-earmarked cash set to be thrown at industry, perhaps nobody wants to be seen to be thinking too publicly about government policy. ®