Section 702 data helped take down Colonial Pipeline hacker, Biden administration says

The White House is declassifying material about how a controversial surveillance law is used in hopes of building support for its renewal.

Intelligence collected under the Section 702 surveillance authority allowed the U.S. government to successfully identify the hacker behind the 2021 ransomware attack on Colonial Pipeline, senior Biden administration officials told reporters Monday in the White House’s latest push to declassify intelligence material that might build support for reauthorizing the law.

Monday’s briefing with reporters came ahead of a hearing Tuesday before the Senate Judiciary Committee that will feature a collection of senior U.S. intelligence officials and will consider the controversial surveillance tool, which sunsets at the end of this year.

According to Biden administration officials who briefed reporters ahead of that hearing on condition of anonymity, Section 702 of the Foreign Intelligence Surveillance Act allowed the U.S. government to recover the majority of the $4.4 million ransom paid by Colonial Pipeline to the hackers. In another example newly made public, Section 702 data helped the U.S. government to identify and mitigate a 2022 Iranian ransomware attack against a nonprofit, allowing the organization to recover without paying the ransom.

This newly declassified intelligence is just some of what the U.S. intelligence officials testifying on Tuesday are expected to describe in making the case to a deeply skeptical Congress to renew the law.


Since appealing to lawmakers in February to renew the tool, the Biden administration has argued that Section 702 is vital to combat an array of national security threats to the homeland and that it plays an especially vital role in combating cyber threats. A senior FBI adviser recently told CyberScoop that a “plurality” of Section 702 searches by the agency pertain to investigations into nation-state cyberattacks.

Section 702 allows intelligence agencies to collect the communications of non-U.S. persons abroad whose communications transit U.S. telecommunications systems. However, the program’s incidental collection of Americans’ data, which can then be searched by the FBI, has raised oversight concerns from civil liberties advocates and many lawmakers.

In a letter released Monday, a coalition of 19 civil liberties groups called for substantial reforms to Section 702 and urged Congress not to reauthorize the law without a warrant requirement.

Senior administration officials stressed on Monday that the White House has “heard loud and clear” a desire for conversations around reform and that “those conversations are underway.” Reform proposals under consideration include codifying recent reforms by the FBI in how it limits access to 702 information, such as requiring agents to opt in to search the 702 database and requiring high-level approvals for some searches.

Requiring a warrant for Section 702 searches “would have very serious national security costs,” according to a senior administration official. “They would essentially lead us, the government, to turn a blind eye to information lawfully in the U.S. government’s possession, including in situations where that information could provide critical protections to victims of malicious foreign activity,” the official said.


Another senior administration official noted that U.S. person queries against Section 702 allowed the FBI to identify where Chinese hackers had attempted to infiltrate the network of a U.S. transportation firm. U.S. person queries also allowed the FBI to identify that Iranian hackers had “conducted extensive research on the former head of a federal department” and allowed agents to warn the department to take precautions against the threat.

Outside of cyber, Section 702 intelligence has been used to gain insights into the activities of foreign adversaries, including Russia’s actions in Ukraine and China’s tracking of dissidents. It has also played a key role in law enforcement efforts targeting narcotics trafficking, according to a senior administration official.

In seeking Section 702’s renewal, the Biden administration faces an uphill fight in Congress, where members of both parties have made it clear that they won’t consider reauthorization without serious reforms.

“This authority should not be renewed without significant reforms to safeguard Americans’ privacy and constitutional rights,” Senate Judiciary Chairman Dick Durbin, D-Ill., tweeted in May after unsealed court documents showed wrongful FBI uses of the database.

In addition to their public testimony on Tuesday, intelligence officials will also provide a classified briefing on Section 702 to Senate Judiciary members. Testifying at Tuesday’s hearing will be officials from the CIA, NSA, FBI, Office of the Director of National Intelligence and Department of Justice.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.