Biden administration officials tout Colonial Pipeline case in pushing for Section 702 renewal

The U.S. government used controversial digital surveillance powers to identify the individual behind the crippling ransomware attack on Colonial Pipeline in 2021 and to claw back a majority of the millions of dollars in bitcoin the company paid to restore its systems, according to senior Biden administration officials.

In another instance, the government used information gleaned under those powers — known as Section 702 of the Foreign Intelligence Surveillance Act — to identify and mitigate an Iranian ransomware attack against a nonprofit organization's systems in 2022.

The revelations, which have not been previously reported, are two of several examples top U.S. intelligence community officials intend to share publicly with the Senate Judiciary Committee on Tuesday as part of an ongoing campaign to convince lawmakers to renew the statute before it expires at the end of the calendar year.

“We have tried our best to lean forward and we have disclosed much more in an authorized way about the use of Section 702 than in past reauthorization cycles and we are going to try to continue to do so in a very careful way moving forward,” said one Biden administration official, who briefed reporters Monday on condition of anonymity.

In the Colonial case, Monday’s remarks add to an announcement from early 2022 that Russia’s domestic intelligence agency had arrested the hacker responsible for the ransomware attack that forced the major fuel supplier to shut down for days. However, the new information still does not fully clarify how the U.S. identified the suspect.

Last year the clandestine community disclosed that the FBI conducted nearly 2 million queries of the 702 database concerning a Russian cyberattack on U.S. critical infrastructure, but the officials didn’t say Monday if it was the same case or a separate investigation.

The newly declassified information dovetails with the administration’s previous attempts to demonstrate the value of the surveillance program to national security, arguing it offers insights on everything from digital attacks and narcotics trafficking to human rights abuses and the proliferation of weapons of mass destruction.

The authority allows certain spy agencies to conduct warrantless surveillance of non-American citizens located outside the U.S. But Americans' digital communications with non-U.S. persons overseas often get hoovered up in the collection process and stored in a searchable law enforcement database.

Balancing powers

The administration’s public relations push has suffered setbacks in recent months due to major disclosures of improper searches by the FBI.

In March, the leader of the House Intelligence Committee’s working group devoted to 702 renewal revealed he had been the target of wrongful searches. Last month, the administration declassified two court opinions that showed the bureau had used the spy tool to search for information about individuals who participated in the 2020 George Floyd protests.

The episodes have only increased calls from some corners of Capitol Hill that FBI analysts should be required to have a warrant before they can access 702 data.

Another administration official warned that imposing such a requirement “would be profoundly harmful to our national security and to our ability to protect Americans from national security threats.”

The official cited an instance where the bureau used U.S. person queries in the 702 database to identify Chinese hackers who had achieved “successful compromises” of network infrastructure in one of the country’s transportation hubs.

In another episode, the FBI discovered Iranian hackers had conducted “extensive research” on the former chief of a federal department. Law enforcement notified the individual and the agency about the threat so that they could better secure their accounts.

The official said the agency is “acutely” focused on compliance concerns and that it would be willing to enshrine into law the various remediation steps it has implemented since mid-2021, such as requiring written justification or demanding high-level approval to conduct certain sensitive searches.

“We support codifying these measures,” the official told reporters.

The appeal came the same day a coalition of more than 20 privacy and civil liberty groups issued a statement opposing reauthorization unless there are major reforms of Section 702 and related surveillance authorities. It suggested four policy changes for Congress to make, including mandating a warrant to search for Americans’ communications.

The first administration official said they had not seen the coalition’s letter.

“I wouldn't anticipate us giving particular responses to this or that proposal and that's because in terms of actually negotiating with Congress, we think that that happens best often in private — on this and other issues — rather than in public,” according to the official.

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.