WIRED OPINION 09.14.16 Wyden, Blaze, Landau
ABOUT RON WYDEN
Senator Ron Wyden (@ronwyden) (D-OR) is Oregon’s senior senator and
serves on the Senate Select Committee on Intelligence.
ABOUT MATT BLAZE
Matt Blaze (@mattblaze) is an associate professor of computer and
information science at the University of Pennsylvania.
ABOUT SUSAN LANDAU
Susan Landau (privacyink.org) is professor of cybersecurity policy at
Worcester Polytechnic Institute and author, most recently, of
Surveillance or Security? The Risks Posed by New Wiretapping Technologies.
----------------------------------------------------------------------------------
The Feds Will Soon Be Able to Legally Hack Almost Anyone
Digital devices and software programs are complicated. Behind the
pointing and clicking on screen are thousands of processes and routines
that make everything work. So when malicious software—malware—invades a
system, even seemingly small changes to the system can have
unpredictable impacts.
That’s why it’s so concerning that the Justice Department is planning a
vast expansion of government hacking. Under a new set of rules, the FBI
would have the authority to secretly use malware to hack into thousands
or hundreds of thousands of computers that belong to innocent third
parties and even crime victims. The unintended consequences could be
staggering.
The new plan to drastically expand the government’s hacking and
surveillance authorities is known formally as amendments to Rule 41 of
the Federal Rules of Criminal Procedure, and the proposal would allow
the government to hack a million computers or more with a single
warrant. If Congress doesn’t pass legislation blocking this proposal,
the new rules go into effect on December 1. With just six work weeks
remaining on the Senate schedule and a long Congressional to-do list,
time is running out.
The government says it needs this power to investigate a network of
devices infected with malware and controlled by a criminal—what’s known
as a “botnet.” But the Justice Department has given the public far too
little information about its hacking tools and how it plans to use them.
And the amendments to Rule 41 are woefully short on protections for the
security of hospitals, life-saving computer systems, or the phones and
electronic devices of innocent Americans.
Without rigorous and periodic evaluation of hacking software by
independent experts, it would be nothing short of reckless to allow this
massive expansion of government hacking.
If malware crashes your personal computer or phone, it can mean a loss
of photos, documents and records—a major inconvenience. But if a
hospital’s computer system or other critical infrastructure crashes, it
puts lives at risk. Surgical directives are lost. Medical histories are
inaccessible. Patients can wait hours for care. If critical information
isn’t available to doctors, people could die. Without new safeguards on
the government’s hacking authority, the FBI could very well be
responsible for this kind of tragedy in the future.
No one believes the government is setting out to damage victims’
computers. But history shows just how hard it is to get hacking tools
right. Indeed, recent experience shows that tools developed by law
enforcement have actually been co-opted and used by criminals and
miscreants. For example, the FBI digital wiretapping tool Carnivore,
later renamed DCS 3000, had weaknesses (which were eventually publicly
identified) that made it vulnerable to spoofing by unauthorized parties,
allowing criminals to hijack legitimate government searches. Cisco’s Law
Enforcement access standards, the guidelines for allowing government
wiretaps through Cisco’s routers, had similar weaknesses that security
researchers discovered.
The government will likely argue that its tools for going after large
botnets have yet to cause the kind of unintended damage we describe. But
it is impossible to verify that claim without more transparency from the
agencies about their operations. Even if the claim is true, today’s
botnets are simple, and their commands can easily be found online. So
even if the FBI’s investigative techniques are effective today, in the
future that might not be the case. Damage to devices or files can happen
when a software program searches and finds pieces of the botnet hidden
on a victim’s computer. Indeed, damage happens even when changes are
straightforward: recently an anti-virus scan shut down a device in the
middle of heart surgery.
Compounding the problem is that the FBI keeps its hacking techniques
shrouded in secrecy. The FBI’s statements to date do not inspire
confidence that it will take the necessary precautions to test malware
before deploying it in the field. One FBI special agent recently
testified that a tool was safe because he tested it on his home
computer, and it “did not make any changes to the security settings on
my computer.” This obviously falls far short of the testing needed to
vet a complicated hacking tool that could be unleashed on millions of
devices.
Why would Congress approve such a short-sighted proposal? It didn’t.
Congress had no role in writing or approving these changes, which were
developed by the US court system through an obscure procedural process.
This process was intended for updating minor procedural rules, not for
making major policy decisions.
This kind of vast expansion of government mass hacking and surveillance
is clearly a policy decision. This is a job for Congress, not a
little-known court process.
If Congress had to pass a bill to enact these changes, it almost surely
would not pass as written. The Justice Department may need new
authorities to identify and search anonymous computers linked to digital
crimes. But this package of changes is far too broad, with far too
little oversight or protections against collateral damage.
Congress should block these rule changes from going into effect by
passing the bipartisan, bicameral Stopping Mass Hacking Act. Americans
deserve a real debate about the best way to update our laws to address
online threats.
https://www.wired.com/2016/09/government-will-soon-able-legally-hack-anyone/