RON WYDEN COMMITTEES:

RANKING MEMBER OF COMMITTEE ON

FINANCE ?ni tEd tat?g Enatz SELECT COMMITTEE ON INTELLIGENCE

OREGON COMMITTEE ON FINANCE
COMMITTEE ON BUDGET
COMMTITEE ON ENERGY 8: NATURAL RESOURCES

JOINT COMMITTEE ON TAXATION

WASHINGTON, DC 20510?3703

221 DIRKSEN SENATE OFFICE BUILDING
WASHINGTON DC 20510

(202) 22445244 June 5, 2019

The Honorable William Barr
Attorney General

US. Department of Justice

950 Avenue, NW
Washington, DC. 20530

Dear Attorney General Barr:

I write to better understand the steps taken by the Department of Justice and its component
agencies to protect US. government offensive cyber capabilities from loss or theft by hackers
and hostile foreign intelligence services. Just as the American people expect the government to
protect its nuclear, chemical and biological weapons, so too do Americans expect that the
government will protect its cyber arsenal from theft by hackers and foreign spies.

Several agencies within the Department of Justice have publicly acknowledged their use of
offensive cyber capabilities, such as malware and so-called ?zero-day? software tools that exploit
cybersecurity ?aws that are not known to the creators of the software. Since 2015, the FBI has
acknowledged that it exploits zero-day ?aws. The Drug Enforcement Administration revealed in
a letter to Senator Grassley in 2015 that it had spent over $900,000 to purchase a "tool that would
allow for remote, overseas deployment of communications monitoring software? from Hacking
Team, an Italian surveillance software company. The FBI has also publicly con?rmed that it
exploited security vulnerabilities in the Firefox web browser, as part of a bulk-hacking operation
in 2015 during which the agency delivered malware to over 8,000 computers, located in 120
countries, all of which were used by individuals who visited the same FBI-controlled contraband
website on the Dark Web.

Most famously, in 2016, the FBI paid an unnamed company more than a million dollars for a
hacking tool that enabled the FBI to data stored on the San Bernardino terrorist?s iPhone.
However, the government?s use of advanced cyber-capabilities is not limited to extracting data
from seized smartphones.

DOJ has acknowledged the dangerous nature of its cyber tools and the need to keep them out of
the wrong hands. In a criminal case in 2016, DOJ asked the court not to require it to provide a
defendant, as part of the discovery process, with the web browser exploit that the FBI used to
identify him. The court agreed with DOJ, ?nding that ?the risk that the [browser exploit] might
inadvertently be leaked or otherwise used by third parties is too. great? and as a result, ?the public
should not bear this risk.?

DOJ has also revealed that the companies that supply the government with hacking tools are a
soft target for ?attacks and in?ltration by hostile entities wishing to exploit the technology they

911 NE 11TH AVENUE 405 EAST 8TH AVE SAC ANNEX BUILDING U.S. COURTHOUSE THE JAMISON BUILDING 707 13TH ST, SE

SUITE 630 SUITE 2020 105 FIR ST 310 WEST 6TH ST 131 NW HAWTHORNE AVE SUITE 285

PORTLAND, OR 97232 EUGENE, OR 97401 SUITE 201 ROOM 118 SUITE 107 SALEM, OR 97301

(503) 326?7525 (541) 431?0229 LA GRANDE, OR 97850 MEDFORD, OR 97501 BEND, OR 97701 (503) 589?4555
(541) 962?7691 (541) 858?5122 (541) 330?9142


PRINTED ON RECYCLED PAPER

provided to the DOJ revealed this information as part of a federal lawsuit in 2017 in which
the press sought information about the company that sold the FBI a tool to break into the San
Bernardino terrorist?s iPhone. The FBI acknowledged that ?the vendor likely does not have the
same resources to devote to its own security [as the and as such, is reasonable to
conclude that they would not be able to thwart the same types of attacks and in?ltration attempts
the FBI is currently able to defend against.? To that end, please provide me with responses to the
following questions by July 12, 2019:

1. Has the Department of Justice and its component agencies ever had one of their offensive
cyber capabilities ?fall into the wrong hands,? such as through a breach or by being
discovered ?in the wild? by a target, cybersecurity researchers, or a foreign government?
If yes, please describe whether that capability was subsequently abused to exploit US.
government or private sector computer systems and provide an estimate of the damage
caused.

2. Have any of the offensive cyber capabilities acquired from the private sector by the
Department of Justice and its component agencies been developed by foreign companies?
Has the Department of Justice or its component agencies audited these cyber capabilities
to determine whether they ?call home? to servers that are controlled by that company or
are located outside the United States? If no, please explain why not.

3. Does the Department of Justice and its component agencies require that private sector
suppliers of offensive cyber capabilities to the government:

a. Implement the National Institute for Standards and Technology Cybersecurity
Framework? If no, please explain why not.

b. Adopt the cyber-security best practices that the Department of Homeland Security
requires of federal civilian agencies and that are published at
gov? If no, please explain why not.

c. Be subjected to ?red team? cyber-security audits in order to discover Whether non-
public offensive cyber capabilities stored by the suppliers are suf?ciently secure
from hackers and foreign governments? If no, please explain why not.

Thank you for your attention to this serious matter.

Sincerely,

Ron Wyden I
United States Senator