[Congressional Record Volume 162, Number 171 (Wednesday, November 30, 2016)]
[Senate]
[Pages S6585-S6587]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
UNANIMOUS CONSENT REQUEST--S. 2952
Mr. WYDEN. Mr. President, absent Senate action, at midnight tonight,
this Senate will make one of the biggest mistakes in surveillance
policy in years and years. Without a single congressional hearing,
without a shred of meaningful public input, without any opportunity for
Senators to ask their
[[Page S6586]]
questions in a public forum, one judge with one warrant would be able
to authorize the hacking of thousands--possibly millions--of devices,
cell phones, and tablets. This would come about through the adoption of
an obscure rule of criminal procedure called rule 41. Rule 41 isn't
something folks are talking about in coffee shops in Alaska, in Oregon,
and in other parts of the country, but I am convinced Americans are
sure going to come to Members of Congress if one of their hospitals--
one of their crucial medical programs--is hacked by the government. It
is a fact that one of the highest profile victims of cyber attacks are
medical facilities, our hospitals.
The Justice Department has said this is no big deal. You basically
ought to trust us. We are just going to take care of this. I will tell
you, generally, changes to the Federal rules of procedure are designed
for modest, almost housekeeping kinds of procedural changes, not major
shifts in policies. When you are talking about these kinds of rules,
they talk about who might receive a copy of a document in a bankruptcy
proceeding. That is what the Rules Enabling Act was for. It wasn't for
something that was sweeping, that was unprecedented, that could have
calamitous ramifications for Americans the way government hacking
would. As I have indicated, this would go forward without a chance for
any Member of the Senate to formally weigh in.
The government says it can go forward with this rule 41 and conduct
these massive hacks--large-scale hacks--without causing any collateral
damage whatsoever and ensuring that Americans' rights are protected.
Oddly enough--again, breaking with the way these matters are usually
handled--the government will not tell the Congress or the American
people how it would protect those rights or how it would prevent
collateral damage or even how it would carry out these hacks. In
effect, the policy is ``trust us.''
I think that right at the heart of our obligations is to do vigorous
oversight. I always thought Ronald Reagan had a valid point when he
said: You can trust but you ought to verify. That is especially
important under this policy, where innocent Americans could be
victimized twice--once by their hackers and a second time by their
government.
We are going to have the opportunity to do something about it before
this goes into effect in just over 12 hours. I want to emphasize that
those of us who would like the chance for Members of Congress to weigh
in and be heard--our concern has been bipartisan. Senator Coons.
Senator Daines. We have worked in a bipartisan fashion on this for
months.
This morning we are going to offer three unanimous consent requests
to block or delay this particular change in order to make sure our
colleagues have an opportunity to do what I think is Senate 101: to
have a hearing and have a review that is bipartisan, where Senators get
to ask questions, to be able to get public input in a meaningful kind
of fashion.
I urge every Senator to think, and think carefully, before they
prevent this body from performing the vigorous oversight Americans
demand of Congress. That is right at the heart of what Senator Coons,
Senator Daines, and I will be talking about. This rule change will give
the government unprecedented authority to hack into Americans' personal
phones, computers, and other devices. Frankly, I was concerned about
this before the election, but we now know that the administration--it
is a new administration--will be led by the individual who said he
wanted the power to hack his political opponents the same way Russia
does. These mass hacks could affect cell phones, desktop computers,
traffic lights, not to mention a whole host of different areas. During
these hacks and searches, there is a considerable chance that the
hacked devices will be damaged or broken, and that would obviously be a
significant matter. Don't take my word for it.
Mr. President, I ask unanimous consent to have an article that I
wrote with renowned security experts Matt Blaze and Susan Landau
printed in the Record.
There being no objection, the material was ordered to be printed in
the Record, as follows:
[From Wired.com, Sept. 14, 2016]
The Feds Will Soon Be Able To Legally Hack Almost Anyone
(By Senator Ron Wyden, Matt Blaze and Susan Landau)
Digital devices and software programs are complicated.
Behind the pointing and clicking on screen are thousands of
processes and routines that make everything work. So when
malicious software--malware--invades a system, even seemingly
small changes to the system can have unpredictable impacts.
That's why it's so concerning that the Justice Department
is planning a vast expansion of government hacking. Under a
new set of rules, the FBI would have the authority to
secretly use malware to hack into thousands or hundreds of
thousands of computers that belong to innocent third parties
and even crime victims. The unintended consequences could be
staggering.
The new plan to drastically expand the government's hacking
and surveillance authorities is known formally as amendments
to Rule 41 of the Federal Rules of Criminal Procedure, and
the proposal would allow the government to hack a million
computers or more with a single warrant. If Congress doesn't
pass legislation blocking this proposal, the new rules go
into effect on December 1. With just six work weeks remaining
on the Senate schedule and a long Congressional to-do list,
time is running out.
The government says it needs this power to investigate a
network of devices infected with malware and controlled by a
criminal--what's known as a ``botnet.'' But the Justice
Department has given the public far too little information
about its hacking tools and how it plans to use them. And the
amendments to Rule 41 are woefully short on protections for
the security of hospitals, life-saving computer systems, or
the phones and electronic devices of innocent Americans.
Without rigorous and periodic evaluation of hacking
software by independent experts, it would be nothing short of
reckless to allow this massive expansion of government
hacking.
If malware crashes your personal computer or phone, it can
mean a loss of photos, documents and records--a major
inconvenience. But if a hospital's computer system or other
critical infrastructure crashes, it puts lives at risk.
Surgical directives are lost. Medical histories are
inaccessible. Patients can wait hours for care. If critical
information isn't available to doctors, people could die.
Without new safeguards on the government's hacking authority,
the FBI could very well be responsible for this kind of
tragedy in the future.
No one believes the government is setting out to damage
victims' computers. But history shows just how hard it is to
get hacking tools right. Indeed, recent experience shows that
tools developed by law enforcement have actually been co-
opted and used by criminals and miscreants. For example, the
FBI digital wiretapping tool Carnivore, later renamed DCS
3000, had weaknesses (which were eventually publicly
identified) that made it vulnerable to spoofing by
unauthorized parties, allowing criminals to hijack legitimate
government searches. Cisco's Law Enforcement access
standards, the guidelines for allowing government wiretaps
through Cisco's routers, had similar weaknesses that security
researchers discovered.
The government will likely argue that its tools for going
after large botnets have yet to cause the kind of unintended
damage we describe. But it is impossible to verify that claim
without more transparency from the agencies about their
operations. Even if the claim is true, today's botnets are
simple, and their commands can easily be found online. So
even if the FBI's investigative techniques are effective
today, in the future that might not be the case. Damage to
devices or files can happen when a software program searches
and finds pieces of the botnet hidden on a victim's computer.
Indeed, damage happens even when changes are straightforward:
recently an anti-virus scan shut down a device in the middle
of heart surgery.
Compounding the problem is that the FBI keeps its hacking
techniques shrouded in secrecy. The FBI's statements to date
do not inspire confidence that it will take the necessary
precautions to test malware before deploying them in the
field. One FBI special agent recently testified that a tool
was safe because he tested it on his home computer, and it
``did not make any changes to the security settings on my
computer.'' This obviously falls far short of the testing
needed to vet a complicated hacking tool that could be
unleashed on millions of devices.
Why would Congress approve such a short-sighted proposal?
It didn't. Congress had no role in writing or approving these
changes, which were developed by the US court system through
an obscure procedural process. This process was intended for
updating minor procedural rules, not for making major policy
decisions.
This kind of vast expansion of government mass hacking and
surveillance is clearly a policy decision. This is a job for
Congress, not a little-known court process.
If Congress had to pass a bill to enact these changes, it
almost surely would not pass as written. The Justice
Department may need new authorities to identify and search
anonymous computers linked to digital crimes. But this
package of changes is far too broad, with far too little
oversight or protections against collateral damage.
Congress should block these rule changes from going into
effect by passing the bipartisan, bicameral Stopping Mass
Hacking Act.
[[Page S6587]]
Americans deserve a real debate about the best way to update
our laws to address online threats.
Mr. WYDEN. In the op-ed, we point out that legislators and the public
know next to nothing about how the government conducts the searches and
that the government itself is planning to use software that has not
been properly vetted by outside security experts. A bungled government
hack could damage systems at hospitals, the power grid, transportation,
or other critical infrastructure, and Congress has not had a single
hearing on this issue--not one.
In addition, the Rules Enabling Act gives Congress the opportunity to
weigh in, which is exactly what my colleagues hope to be doing now on
this important issue.
Because of these serious damages, I introduced a bill called the Stop
Mass Hacking Act with a number of my colleagues, including Senators
Daines and Paul. This bill would stop these changes from taking effect,
and I am here this morning to ask unanimous consent that the bill be
taken up and passed.
Mr. President, I ask unanimous consent that the Judiciary Committee
be discharged from further consideration of S. 2952 and the Senate
proceed to its immediate consideration, that the bill be read a third
time and passed, and the motion to reconsider be considered made and
laid upon the table with no intervening action or debate.
The PRESIDING OFFICER. Is there objection?
The majority whip.
Mr. CORNYN. Mr. President, reserving the right to object, I respect
our colleague's right to come to the floor and ask unanimous consent. I
understand that there are three unanimous consent requests, and I will
be objecting to all three of them. I will reserve my statement as to
why I am objecting after the third request.
At this point, I object to the unanimous consent request.
The PRESIDING OFFICER. Objection is heard.
Mr. WYDEN. Mr. President, I wish to recognize my colleague from
Montana, and after my colleague from Montana speaks, my friend from
Delaware will address the Senate.
The PRESIDING OFFICER. The Senator from Montana.
Mr. DAINES. Mr. President, I thank my colleague from Oregon, Senator
Wyden, for talking about this important issue on the floor today.
We shop online with our credit cards, order medicine with our
electronic health care records, talk to friends, share personal
information, Skype, post beliefs and photos on social media, or
Snapchat fun moments, all the while believing everything is safe and
secure. It is more important now than ever to ensure that the
information we store on our devices is kept safe and that our right to
privacy is protected, and that is what we are really talking about here
today. How can we ensure that our information is both safe and secure
from hacking and government surveillance?
Certainly technology has made our lives easier, but it has also made
it easier for criminals to commit crimes and evade law enforcement. In
short, our laws aren't keeping up with 21st-century technology
advances. But the government's solution to this problem we are talking
about today, the change to rule 41 of the Federal Rules of Criminal
Procedure, represents a major policy shift in the way the government
investigates cyber crime. This proposed solution essentially gives the
government a blank check to infringe upon our civil liberties. The
change greatly expands the hacking power of the Federal Government,
allowing the search of potentially millions of Americans' devices with
a single warrant. What this means is that the victims of hacks could be
hacked again by their very own government.
You would think such a drastic policy change that directly impacts
our Fourth Amendment right would need to come before Congress. It would
need to have a hearing and be heard before the American people with
full transparency. But, in fact, we have had no hearings. There has
been no real debate on this issue.
My colleagues and I have introduced bipartisan, bicameral legislation
to stop the rule change and ensure that the American people have a
voice. The American people deserve transparency, and Congress needs
time to review this policy to ensure that the privacy rights of
Americans are protected.
The fact that the Department of Justice is insisting this rule change
take effect on December 1--that is tonight at midnight--frankly, should
send a shiver down the spines of all Americans.
My colleagues and I are here today to not only wake up Americans to
this great expansion of powers by our government but also to urge our
colleagues to join this bipartisan effort to stop rule 41 changes
without duly considering the impact to our civil liberties. Our civil
liberties and our Fourth Amendment can be chipped away little by little
until we barely recognize them anymore. We simply can't give unlimited
power for unlimited hacking which puts Americans' civil liberties at
risk.
Again, I thank my colleagues from Delaware and Oregon for joining me
here today, and I yield to my friend and colleague from Delaware,
Senator Coons.
The PRESIDING OFFICER. The Senator from Delaware.
____________________