Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Authors: Susan Landau
11.4 The Right Policy Stance
At the present time, there appears to be close to a complete absence of a
government role in ensuring that domestic communications surveillance
is done securely. That sounds hard to believe, and yet it is true. Consider
the agencies involved in telecommunications and surveillance issues: the
FBI, the NSA, the National Institute of Standards and Technology (NIST),
and the FCC.
The NSA has always had a dual role with respect to communications:
its job is to secure government communications and to conduct foreign
signals intelligence. These two responsibilities feed off one another in a
very useful way. The communications-security side of the agency and the
signals intelligence side constantly test each other's products to ensure that
these are doing the job they are supposed to do. While communications
security and signals intelligence are on opposite sides, the NSA has no
conflict in doing both: the agency's role is to secure U.S. government communications and conduct surveillance of foreign communications.41 The NSA has no official role in ensuring nongovernmental communication
systems are secure.
Under the 1987 Computer Security Act,42 NIST43 was to be responsible
for the development of standards for protecting the security and privacy
of sensitive information within civilian federal systems (the official term
is "nonnational security systems"). As one might expect, this was turf that
the NSA had viewed as its own, and there were battles over the passage of
the act as well as over its implementation.44 By the late 1990s, the NSA
had ceded to NIST the role of developing cryptography standards for the
nonnational security side of the federal government. NIST ran a highly
successful competition for an Advanced Encryption Standard to replace the
aging DES.
NIST's Computer Security Division (CSD) has various responsibilities for
communications security. CSD develops new cryptographic standards and
is currently at work on a new hash algorithm to replace SHA-1. In conjunction with Canada's NSA equivalent, the Communications Security Establishment, CSD runs the Cryptographic Module Validation Program for
testing commercial cryptography products. NIST's reputation as an honest
broker means that CSD participation in international standards efforts is
highly regarded, and helps to further security standards. CSD develops
numerous guidelines for secure use of IT systems, including VoIP, IPv6,
and DNSSEC, which aid both the public and private sector in their
implementation.
What CSD does not do is evaluate the security of the nation's communications infrastructure. It does not even evaluate the security of the
federal government's nonnational security communications infrastructure.
CSD has traditionally been quite underfunded and is a poor cousin to
NSA;45 it simply lacks the resources to do the type of testing and evaluations needed to ensure that fielded communications systems are appropriately secure. In addition, NIST does not have the authority to require that
government agencies implement the security guidelines that CSD prepares;
the Office of Management and Budget has that role. Without a doubt, the
broader issue of securing private-sector communications systems is well
outside NIST's bailiwick.
The Federal Communications Commission and the Department of
Homeland Security have programs to ensure that emergency communications work in times of national crisis; programs include GETS, which
enables first responders to have priority on communications networks
during emergencies, and SAFECOM, which focuses on ensuring interoperability for the communications systems used by emergency response agencies. But neither the FCC nor DHS has programs for securing the
nation's private communications networks.
As a result of CALEA, the FBI was given the role of developing standards
for interception in digitally switched networks, standards that have since
been extended to cover broadband Internet access providers and providers
of interconnected VoIP services. The FBI is concerned with communications interception; security of communications infrastructure is not an
FBI issue.
While the FBI has been involved in some programs to protect business
computer systems,46 the bureau does not examine the long-term issues of
national competitiveness and global strength. That is not a law enforcement issue, but a national-security one, and the bureau is a crime-fighting
agency. In that guise, the FBI appropriately seeks to use communications
interception during investigations and wants interception capabilities such
as CALEA, Carnivore, and CIPAV. It is not in the FBI's investigative interest
to publicize weaknesses in communications infrastructure that allow the
bureau to deploy its various investigative tools. Or as a senior intelligence
agency official once remarked, "If there is a hole in your fence, counterintelligence doesn't want to fix it the right way."
The problem is that providing such communications-security protection
is not an NSA responsibility either. It would be a confusing role for an
agency whose responsibilities are for protecting national-security systems
and gathering foreign intelligence. Yet if the FBI is using CIPAV, the U.S.
government should be concerned as to who else might be doing so. Currently there is no agency in the U.S. government chartered with securing
private-sector communications infrastructure.
There have been occasions when the NSA has informed U.S. companies
that they were being spied on and suggested appropriate changes to secure
their communications. However, the NSA has no statutory responsibility
for securing the nation's private communications infrastructure. The intelligence agency can help secure a particular company's systems only under
very narrow circumstances. There is no problem securing communication
systems if the products are for use in the DoD. If the product is for use by
the nonnational security side of the government, the NSA can be involved
in securing the system only if aid has been requested by a federal agency
(e.g., Department of the Treasury) and then only if the help is of a narrow
and specific nature. Such a request must pass legal review before the NSA
is permitted to participate.
Few are comfortable with the idea that the NSA should aid communications providers in securing their systems. It is the U.S. government agency with the most expertise in communications security, but its role in communications intelligence presents serious problems. The fact that the NSA
was involved in warrantless wiretapping not just from the 1940s to the
1970s but within the last decade creates serious problems for the agency
playing a role in civilian communications security. Some in the intelligence community understand this problem well. One official remarked
that while he would be perfectly comfortable with his agency working with
service providers to secure their networks, for civil liberties reasons he
would feel very queasy if a different three-letter agency was involved in
doing so.
We communicate via increasingly insecure systems. While it is possible
to secure communications using end-to-end encryption, few people do.47
No government agency is responsible for ensuring the security of the communications infrastructure, though one is responsible for designing interception systems to be placed in the system. Even knowing the history, it
is difficult to understand how the United States might have ended up with
such a policy. It is not a solution designed for securing the nation.
11.5 CALEA's Use in Packet-Based Networks Should Be Narrowly Limited
When the Communications Assistance for Law Enforcement Act was
passed in 1994, almost all communications were circuit switched. Packet-based communications existed, but the Internet had not yet made a serious
dent in public-switched networks. CALEA had a clear exemption for "information services." The FBI was pressing for a law for wiretapping digitized
circuit-switched networks and at the time did not see the Internet as a
serious concern.
Packet-based communications are rapidly replacing circuit-switched
ones, and in 2003 the FBI sought to extend CALEA to some instances of
VoIP. It was successful in doing so. In 2006 the bureau sought further
extensions and floated a bill in Congress. An Internet CALEA would have
very negative effects on innovation48 and on security49 and ultimately the
bill did not move forward. The attempt to extend CALEA to a completely
new model of communications (packet-based networks) brings serious
problems.
We live in a very different communications and security environment
than the period in which CALEA was passed. It is worth recapping the
salient features of interception in the context of CALEA, the Internet's
growth, the rise of terrorism, and increasing globalization:
• Wiretaps can be extremely useful in certain types of law enforcement and
national-security investigations. Content may be less important than the
knowledge that two parties have been communicating. In particular, it is
very important to be able to capture the fact that communications between
suspected terrorists outside the United States and people inside the country
have occurred. The essential aspect of such cases is discovering with whom
inside the United States the communication is happening; details of the
actual communication may be much less important.
• We are rapidly moving from a circuit-switched to a packet-based communications system. Packet-based networks are significantly harder to
secure than centralized circuit-based networks. Our communications are
highly mobile. Surveilling mobile communications provides more challenges than wiretapping communications to a fixed line. Wiretapping
packet-based, mobile communications can be even more difficult; how
difficult depends on the type of technology employed. It is not packet-based communications that make interception hard, and it is not mobility
that does so, but the combination. Depending on how and where the
surveillance mechanisms are configured, wiretapping may create serious
risks that put the security of the underlying communications network in
jeopardy.
• Economic espionage threatens both the nation's economy and its
national security. Because of increasing reliance on electronic communications for everything from managing supply chains to managing remote
workers, the need for secure communications for U.S. business is a national-security concern. Sophisticated adversaries are able to take advantage of
security weaknesses in U.S. systems to exfiltrate data and to install code
for exploitation at a later date.
• Weaknesses in an enterprise's communication system expose that enterprise to risk; weaknesses in a service provider's network expose all users in
the system to risk.
The ability of the government to wiretap under legal authorization is
an important tool for law enforcement and national security, but the
ability of the government to wiretap under legal authorization is quite different
from the government requiring that the network be architected to accommodate
legally authorized wiretaps. The latter should not be done if interception
jeopardizes communications security.
Law enforcement and national-security investigations against the few
should not require reducing security for the many. Tapping mobile packet-based communications may be more difficult than law enforcement or national security would like. So be it. We need laws and technologies that
provide secure communications, not laws and technologies that undermine the security of communication networks. Extending CALEA functionality to packet-based networks is to create unwarranted risk.
11.6 Wiretapping without CALEA-type Systems
In arguing against the expansion of CALEA to packet-based communication systems, the argument is not against the use of legally authorized
wiretaps but against designing interception capabilities into communications infrastructures. That does not prevent law enforcement and national
security from conducting communications surveillance in other ways.
The inundation of new communications technologies means that government investigations proceed in ways unimagined even a decade ago.
With location data, pen registers, and CDRs easily available in real time,
law enforcement has far more investigative capability than ever before.
Transactional data enables the mapping of an individual's social network
and an organization's chain of command. Following the metadata has
become an important investigative tool for law enforcement and national
security.
Tasks that once took days of an investigator's time can be accomplished
in seconds. Cell phone location data enabled the U.S. Marshal service to
cut the average time to find fugitives from forty-two days to two. Such data
similarly enabled the rapid arrest in Rome of one of the men convicted in
the 2005 attempted bombings of the London underground. Browsing
history stored on Najibullah Zazi's laptop quickly revealed his interest in
obtaining bombing materials, which led to his arrest and indictment days
before he intended to detonate explosives in the New York City subway.
This information would have been far slower to obtain if done the old-fashioned way through following Zazi and interviewing shopkeepers.
Despite the plethora of new communications technologies, wiretapping
voice remains quite useful, and some of the old wiretapping technologies
are still employed. So while alligator clips and placing taps at the central
office are considerably less useful than they once were, these techniques
are occasionally used. Cell phones are often what matters; by 2009, 96
percent of Title III wiretaps were for mobile devices (cell phones and
pagers).51 Wiretapping cell phones is more complex than wiretapping landlines; it is accomplished through a tap at the target's Mobile Switching
Center or through the use of more expensive tracking technologies such
as Triggerfish. But by supplying location information, tapped cell phones and other mobile communications provide richer investigative data than
tapped landlines ever had done.