Senator asks Department of Justice if it can keep a lid on its software exploits

Sen. Ron Wyden is asking what law enforcement agencies are doing to protect their hacking tools from foreign spies.

In recent years, Department of Justice agencies have quietly acquired and deployed hacking tools in support of their law enforcement mission. A handful of high-profile cases have brought greater scrutiny to those efforts, most notably in 2016 when the FBI used a contractor to crack the San Bernardino shooter’s iPhone.

Now, a senator is asking Attorney General William Barr for a more thorough accounting of what law enforcement agencies are doing to protect these software exploits from foreign intelligence agencies and other adversaries.

“Just as the American people expect the government to protect its nuclear, chemical, and biological weapons, so too do Americans expect that the government will protect its cyber arsenal from theft by hackers and foreign spies,” Sen. Ron Wyden, D-Ore., wrote to Barr in a letter dated June 5.

In particular, the department has invested heavily in tools to break encrypted communications, as top law enforcement officials have lamented the ability of criminals to “go dark.” Transnational crime networks “increasingly rely on encrypted communications to plan and commit crimes, thus forcing the FBI to develop sophisticated technology and methods to disrupt their activities and dismantle their organizations,” the FBI said in its fiscal 2020 budget request.


Wyden wants to know if the department’s software exploits have ever ended up in an adversary’s hands, whether through a security breach or discovery in the wild. The senator asked if any foreign companies had developed offensive cyber-capabilities for law enforcement agencies and, if so, whether those tools communicate with computer servers overseas.

Like any digital asset that is a target of attackers, hacking kits and the infrastructure that supports them can benefit from rigorous “red teaming” tests that emulate adversary techniques. Wyden wants to know if Justice’s exploit-writing contractors are subject to such tests, and whether they are required to use best cybersecurity practices suggested by the Department of Homeland Security and the National Institute of Standards and Technology.

The Washington Post was first to report on the letter, which you can read below. Wyden asked for answers from Barr by July 12. A Justice Department spokesman said the department received the letter and would respond accordingly.



Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
