Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Author: Susan Landau
When the Internet was a DARPA effort, what little security there was
focused on protecting network communications. As the Internet became
a public system in the mid-1990s, the computer-security conversation
moved to the risks posed by and to networked systems. A new word, cybersecurity, emerged to describe such perceived dangers. Cybersecurity posited
new types of threats: threats to the reliability and availability of the network
itself; threats created by use of the network by criminals for communication, theft, and child pornography, and by terrorists for operational planning and recruitment; and threats created by the use of the network to
support much societal infrastructure. This is the distinction between traditional computer security, which protects machines by reducing
vulnerabilities and providing defense in depth, and cybersecurity, which
checks the road to see who is out there, what they are doing, and why
they are doing it.
The distinction is useful, for it helps put into perspective the conflict
over the intrusive communication surveillance regime that has developed
since the mid-1990s. As NYU professor Helen Nissenbaum has observed,
controversial surveillance laws and technologies (the proposed expansion of
CALEA to IP-based communications, Einstein 3, deep packet inspection) are of the cybersecurity flavor. Public objection stems from the way that
everyone, and not just potential suspects, is caught within the "net of
suspicion."
These technologies are a response to the ubiquitous networking that
has radically altered the boundaries of organizations. Is an employee's
home laptop connected via a VPN inside the corporate network or outside?
If it is inside, and then later connects to a family network, what happens
when it connects back to the corporate network? The machine has traveled
far outside the confines of the corporation. Firewalls are insufficient, since
there are many ways to access a network that bypass such protection (recall that this was how the Slammer worm got into the Davis-Besse
nuclear plant's network).
The cybersecurity model developed with the idea of preventing bad
activity by stopping malware from ever reaching the end hosts. This would
prevent machines from infecting other machines, thwart the installation
of hidden code for later use, and halt the exfiltration of data. Surveilling
the Information Superhighway is immensely attractive, and the idea found
natural takers in law enforcement, who always want more data to help
solve crimes; intelligence agencies, which have never turned down an extra
bit of information if they could have it; and service providers, who want
more data in order to better protect their networks (and if they can also
create new business opportunities in the process, so much the better).
The problem is that this viewpoint is flawed. This protection model
conflates widely disparate problems. Attacks on end hosts, either by planting code and compromising the host for later use in a botnet, or for identity theft, are criminal activities of a very different nature than exfiltration
of large amounts of data from industry and military sites. The latter are
typically highly targeted and cleverly crafted efforts, unlikely to be uncovered in a broad surveillance effort. Successful attacks against critical infrastructure can be expected to be similarly subtle and custom tailored. These
custom attacks are unlikely to be discovered by a network surveillance
system programmed to look for the Internet equivalent of shoplifters.
This surveillance solution poses a serious security threat. Along with
energy, finance, and government services, information and communications technology (ICT) is an enabling critical infrastructure. ICT can be
viewed as the most fundamental critical infrastructure, for its role is to
support all the others. Wiretapping integrated into a communication
network is an architected security breach. An exploitable weakness in a
wiretapping system puts society broadly at risk.
When unknown outsiders broke into NASA systems, they were able to
remove a large number of plans. If these intruders had instead broken into
a service provider's switch, then unless communications transiting the
switch were encrypted, the intruders would be able to eavesdrop on all
communications traveling through the switch, which is what was done
at Vodafone Greece in 2004. If intruders instead were able to access DPI
equipment at the switch, unless Tor or other anonymizing technologies
were used for routing communications, these intruders would be able to
build full dossiers on the activities of anyone whose communications
transited the switch. Or if the intruders were able to access databases at
the provider of the DPI equipment (perhaps a company doing DPI to provide advertisements for the service provider), they would access full
dossiers on anyone whose communications transited the switch and who
did not use anonymizing technologies for communication.
Given the difficulty of getting the technology right (consider the wiretapping at Vodafone Greece and the exploits possible in the Cisco surveillance architecture) and the threat of attacks by insiders or nation-states,
the decision to build surveillance capabilities deeply within network infrastructure appears poorly considered. The context is providing communication for a highly mobile society grown dependent on instant, always
available, communication. Threats will come from both friends and
enemies of the United States. (That "friends" are a threat may be surprising,
but economic competition is global, and much of the world does not view
the theft of industrial secrets as criminal.) In the middle of this maelstrom
lies the Internet, an overwhelmingly successful experiment that has been
a remarkable driver of worldwide economic growth since the mid-1990s.
Can we possibly get communications security right?
Although the fact that there are frequent attacks on the network is well
known, the details and scope of the problem are less well understood.
There has been a tendency to focus on hacking and DDoS attacks. The
genuinely serious threats are, however, intrusions into industrial and
military systems. These may leave code embedded for later use, or may
exfiltrate data, or both. These national-security threats are the backdrop
to the issue of whether building surveillance into communication infrastructures is a security benefit.
Many governments, including the U.S. government, are developing
capabilities to alter and disrupt, deceive and degrade, and even destroy
their enemies' information systems. Some of these cyberattack systems are
apparently already being tested against the United States. Effects can be
devastating. The power and force with which a government can attack a
computer system can be overwhelming. It is one thing when an Israeli
competitor spies on Recon Optical, and quite another when the spy is the
Israeli government.
Israel is not the main threat, however. It is a small country with only
seven and a half million people. As noted earlier, beginning in 2007 U.S.
industry and government computers, along with those of New Zealand,
Australia, India, Belgium, Germany, and the United Kingdom, were penetrated, with information exfiltrated and perhaps code infiltrated. The
perpetrators appear to be hackers in China unofficially working for the
government. China's People's Liberation Army is roughly three million
people. Cyberwar, the use of such cyberexploitation and cyberattack for military gain, is of strong interest, and the problem of surveillance of U.S.
information systems and exfiltration of data is unlikely to disappear soon.
In coming years the network will change. The dominant form of computing is likely to be not computers, nor even cell phones or PDAs, but billions
and billions of small, embedded processors acting as sensors or actuators.
This, then, is the confusing context for future communication networks
that should, among many other requirements, support secure communications and legally authorized wiretapping.
11.1 Envisioning the Future
After the initial euphoria over the resounding success of the Internet in
the 1990s, it became clear that there are also problems with the network,
the first and foremost being security. Across the globe there are projects
on a clean-slate network architecture: What would we do if we could design
Internet protocols anew? How would we do it?
What do we want from the current and future network? We know that
the packet-based model and the end-to-end principle (that the application
knows best how to implement the function in question) work. The
Internet architecture enables the innovation and running of applications
sufficiently rich to accomplish what end users need and seek.
We want to share rich content (movies, music, voice communication) in real time. We want to enable smart grid technology (the ability to
control electricity usage to maximize efficiency). We want to deliver
complex services, such as emedicine, over the network (this might include
long-distance consultation with specialists, for example). We want to be
able to measure much more (the temperature and humidity of cropland
and the activity of an older person living on their own) and to use the
data to respond in real time to the needs that are indicated. These are just
some applications, but they give a flavor of the varying types of communications we expect to be supported. A future Internet should enable all
these things. It should be
• A network for people to connect through voice communications, data,
and video
• A tool for corporations to operate in an environment where outsourcing
and global supply chains are common aspects of business
• A system for sensors and actuators to transmit data ranging from measurement of natural phenomena (soil temperature to carbon emissions) to
personal data (movement of a housebound individual)
• A communications system for the transmittal of nonclassified government information
• A communications system for the transmittal of classified government
information
• A medium for control of critical infrastructure
These communications will, of course, have differing needs for confidentiality, authenticity, integrity, anonymity, and availability. The question
is how to have a secure network that supports these needs. In fact, there
are already ways available to accomplish much of what is required.
A National Research Council study recommended that information
technology systems develop a defensive strategy of encrypting communications between system elements, keeping Internet exposure minimal for
systems that do not need the exposure, using strong authentication mechanisms when appropriate, and robustly configuring the systems (that is,
making sure all the security knobs were set appropriately). That was
in 2002. These changes did not happen.
Consider the security flaws that Tom Cross found in 2010 in deployed
wiretapping systems for IP communication. There were a number of
reasons for the problems. Among the most important were design flaws
that allowed implementers more flexibility than necessary. While the system
design recommended encryption, some implementations omitted it.
The architecture recommended rejecting interception-request hashes
shorter than 12 bytes, but many implementations failed to do so. These
errors left them open to an easy-to-mount brute-force attack that enabled
guessing a valid password. Because there was no effort to validate implementations, there was no cost to companies that did not follow the suggested implementation. Security solutions cannot rely solely on technical
means. It is clear that there are at least two different sets of issues in getting
security "right": technical concerns and economic ones.
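The short-hash weakness is worth seeing concretely, because the arithmetic is what makes the attack "easy to mount": a keyed hash truncated to one byte can be matched in at most 256 tries, whereas a 12-byte hash leaves 256^12 possibilities. The Python below is an added illustration of that weakness class; it is not code from this chapter, from Cross's work, or from any vendor's product. It assumes HMAC-SHA1 as the keyed hash (the 12-byte recommendation matches HMAC-96 truncation), a strict verifier that accepts exactly 12-byte tags, and a constructed key and request string. The function names (verify_lenient, verify_strict, brute_force) and the DEMO_* values are hypothetical.

```python
"""
Why a receiver must enforce a minimum MAC length itself.

Models an interception-request channel as a message with a truncated
HMAC ("hash") appended. verify_lenient trusts whatever hash length the
sender chose; verify_strict enforces the 12-byte minimum. An attacker
who does not know the key then simply enumerates every 1-byte hash.
"""
import hashlib
import hmac

MIN_TAG_LEN = 12  # bytes: the recommended minimum truncation length (HMAC-96)

# Constructed demo values; not real credentials and not a real request format.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_REQUEST = b"ACTIVATE intercept target=10.0.0.5 duration=3600"


def compute_tag(key: bytes, msg: bytes, length: int = MIN_TAG_LEN) -> bytes:
    """HMAC-SHA1 over msg, truncated to `length` bytes."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:length]


def verify_lenient(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Flawed verifier: the *sender* decides how many hash bytes are checked.

    A 1-byte tag is compared against only the first byte of the HMAC, so
    an attacker needs at most 256 guesses to be accepted.
    """
    if not tag:
        return False
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(expected[: len(tag)], tag)


def verify_strict(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Hardened verifier: the *receiver* fixes the tag length. Tags of any
    other length are rejected before comparison; the compare is constant-time."""
    if len(tag) != MIN_TAG_LEN:
        return False
    return hmac.compare_digest(compute_tag(key, msg, MIN_TAG_LEN), tag)


def brute_force(verify, key: bytes, msg: bytes, tag_len: int, max_attempts: int):
    """Attacker without the key submits forged requests, enumerating every
    tag of tag_len bytes, until the target's verifier accepts one.

    Returns (accepted, attempts_used). `key` is only passed through to the
    verifier to model the target's secret; the attacker never reads it.
    """
    space = 256 ** tag_len
    limit = min(space, max_attempts)
    for i in range(limit):
        guess = i.to_bytes(tag_len, "big")
        if verify(key, msg, guess):
            return True, i + 1
    return False, limit


def demo() -> dict:
    """Run the one-byte forgery against both verifiers and report the outcome."""
    lenient_ok, lenient_tries = brute_force(verify_lenient, DEMO_KEY, DEMO_REQUEST, 1, 256)
    strict_ok, strict_tries = brute_force(verify_strict, DEMO_KEY, DEMO_REQUEST, 1, 256)
    genuine = compute_tag(DEMO_KEY, DEMO_REQUEST)  # what a legitimate sender attaches
    return {
        "lenient_forged": lenient_ok,            # True: accepted within 256 guesses
        "lenient_attempts": lenient_tries,
        "strict_forged": strict_ok,              # False: every short tag rejected
        "strict_attempts": strict_tries,
        "strict_accepts_genuine": verify_strict(DEMO_KEY, DEMO_REQUEST, genuine),
        "strict_search_space": 256 ** MIN_TAG_LEN,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is the one the chapter draws: the design document can recommend a 12-byte minimum, but unless the receiver enforces it (and someone checks that shipped implementations do), the sender, who may be the attacker, chooses the security level.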
11.2 The Right Technical Stance
In designing for a future Internet, we need to incorporate protections
where they are most needed. We also need to acknowledge that the communications system will not work perfectly. A system as flexible and open
to innovation as the Internet will necessarily also be open to problems.
That is a compromise one makes. There was little petty crime in the
German Democratic Republic, but few would argue that the trade-off of
loss of freedom was worth the absence of shoplifting and minor theft.
The Internet is not simply a piece of technology; it is a piece of technology embedded with human values. David Clark was chief protocol architect for the Internet Activities Board in the 1980s; now he is working with
the U.S. National Science Foundation on a next-generation project, Future
Internet Design. In considering what a future Internet might look like,
Clark wrote:
It is not realistic to imagine that a set of technical solutions will produce a network
that is free of all vulnerabilities or attacks. The Internet is a technical artifact deeply
embedded in a social, economic and human context. Attacks involve all those
modalities. Our goal for the network technology should be to narrow the range of
attacks, simplify the problem of detection and response, degrade certain forms of
attack to the point that they are not useful to an attacker, and to allow the design
of operational procedures for security to be positioned in the context of a clear
model of what the network can and cannot do.