Feeds

US wiretap plan will leave door open for spooks and hackers

Congress should think again

The Essential Guide to IT Transformation

A top-drawer American cryptography boffin has expressed grave doubts about Bush administration plans to let spooks build wiretapping capabilities into the US comms infrastructure.

Writing in the Washington Post, Susan Landau, distinguished engineer at Sun Labs, described the capabilities sought by the National Security Agency (NSA) as a serious security vulnerability for America.

"Grant the NSA what it wants and within 10 years the United States will be vulnerable to attacks from hackers across the globe, as well as the militaries of China, Russia and other nations," she writes.

The NSA has recently been awarded temporary powers to conduct massive automated wiretapping in the United States without benefit of a warrant from the secret surveillance court, provided that at least one end of the communication is thought to be outside the USA. In order to carry out its analysis, the spook agency needs to be permanently plugged into most of the American comms backbone.

"NSA will need to build massive automatic surveillance capabilities into telephone switches," says Landau.

"Here things get tricky: Once such infrastructure is in place, others could use it... Intercept capabilities are likely to be managed remotely, and vulnerabilities are as likely to be global as local. In simplifying wiretapping for US intelligence, we provide a target for foreign intelligence agencies and possibly rogue hackers."

In the old days, a lot of voice and data went wirelessly - via microwave, line-of-sight, or satellite. The NSA could listen in on foreigners using expensive hardware which nobody else had: Landau says this was safe enough, as nobody could gain access to America's own comms by these means.

Nowadays, however, bulk info goes mainly by fibre, which needs to be physically tapped into. This is occasionally done overseas; certain parts of the US special forces, for instance, are reputed to have specialists who can sneak into a country of interest and place undetectable taps on fibre lines without being noticed. But a lot of foreign comms passes through America - where it can be tapped safely and simply.

To some degree, the NSA must have already put the systems that so worry Landau in place; the NSA's massive automated trawling of voice and data in and out of the USA began not long after 9/11 and is thought to have ceased only in recent months, when a secret-surveillance judge refused to renew a key warrant. That led to the recent change in the law.

Landau's argument isn't about the wrongness or rightness of spooks listening in on any conversation that any American has with a foreigner - or perhaps, at least in some cases, conversations between Americans. She's simply saying the technology itself will open up a backdoor into US communications which could be used by America's enemies.

"In its effort to provide policymakers with immediate intelligence, the NSA forgot the critical information security aspect of its mission: protecting US communications against foreign interception."

When a heavyweight security brain like Landau says that, you have to pay attention.

This isn't just an American issue. The UK intelligence community doesn't have the computer resources to do massive automated surveillance on an NSA scale, but it does wiretap its own people a lot - and in the case of the UK the warrants have always been signed by politicians rather than (relatively) trustworthy judges. Telecoms companies provide official backdoors in the UK and many another country. These too will be vulnerabilities to a greater or lesser degree.

But Landau suggests that constant massive access, potentially over a period of years, has to be a lot worse than relatively limited and targeted taps, and that does sound reasonable. Noted security heavyweight Bruce Schneier - who provides services to our own British Telecom - agrees with her too, saying:

"Last week, Congress gave President Bush new wiretapping powers. I was going to write an essay on the security implications of this, but Susan Landau beat me to it."

Landau recommends that Washington politicos think hard before rubberstamping the blanket wiretap warrant again.

"Lawmakers granted the warrantless wiretapping only for six months," she says. "They need to look carefully before it endangers US national security for the long term."

The full text is here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.