Wyden: CALEA Hack Proves Dangers Of Government-Mandated Backdoors

from the backdoors-are-bad,-full-stop dept

When Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994, they were assured by then-FBI Director Louis Freeh that the mandated wiretap backdoors posed no security risks. Fast forward to today: following the news of a massive CALEA hack, Senator Ron Wyden is reminding the DOJ of that history, while urging the Attorney General to better protect Americans’ security, in part by no longer demanding backdoors in encryption systems.

Last week, we wrote about the bombshell story of the Chinese hacking group Salt Typhoon apparently having “months or longer” access to the mandated wiretapping system found within our phone system. We noted how this story should put an end to the idea — often pushed by lawmakers and law enforcement — that surely we can put similar “backdoors” into encrypted communications.

Senator Ron Wyden has now sent a letter to the FCC and the DOJ highlighting a bit of the history behind CALEA, the statute that mandated wiretapping of the phone lines. In particular, Wyden points out that cybersecurity professionals warned Congress at the time that CALEA would lead to massive vulnerabilities in our phone system and could put everyone’s communications at risk.

These telecommunications companies are responsible for their lax cybersecurity and their failure to secure their own systems, but the government shares much of the blame. The surveillance systems reportedly hacked were mandated by federal law, through the Communications Assistance for Law Enforcement Act (CALEA). CALEA, which was enacted in 1994 at the urging of the Federal Bureau of Investigations (FBI), forced phone companies to install wiretapping technology into then-emerging digital phone networks. In 2006, acting on a request from the FBI, the Federal Communications Commission (FCC) expanded this backdoor mandate to broadband internet companies.

During the Congressional hearings for CALEA, cybersecurity experts warned that these backdoors would be prime targets for hackers and foreign intelligence services. However, these concerns were dismissed by then-FBI Director Louis J. Freeh, who testified to Congress that experts’ fears of increased vulnerability were “unfounded and misplaced.” Congress, relying on the FBI Director’s assurances that the security risks experts warned about could be addressed, passed the law mandating backdoors. The Department of Justice (DOJ) received $1 billion in today’s dollars to provide industry grants for the development and purchase of new wiretapping technology.

The letter suggests that the DOJ should use this to start pushing back on efforts to backdoor encryption:

DOJ must stop pushing for policies that harm Americans’ privacy and security by championing surveillance backdoors in other communications technologies, like encrypted messaging apps. There is, and has long been, broad consensus among cybersecurity experts that wiretapping capabilities undermine the security of communications technology and create an irresistible target for hackers and spies. Even so, law enforcement officials, including your predecessor, as well as the current and former FBI Directors, have denied this reality, spread disinformation about non-existent secure backdoors, and sought to pressure companies to weaken the security of their products.

The letter also asks the FCC to issue rules regarding security on CALEA wiretaps. The FCC has had the ability to do this for decades, but has mostly chosen to stay out of it:

Chairwoman Rosenworcel, your agency has the authority to require strong cybersecurity defenses in these systems today. The FCC should initiate a rulemaking process to update the CALEA regulations to fully implement the system security requirements in the law. At a minimum, these updated regulations should establish baseline cybersecurity standards for telecommunications carriers, enforced by steep fines; require independent, annual third-party cybersecurity audits; require board-level cybersecurity expertise; and require senior executives annually sign certifications of compliance with the cybersecurity standards.

Overall, this is a good letter. It would be nice if the DOJ, at least, started pushing back on backdooring encryption, rather than (as it has done for years) pushing for such a security disaster.



Comments on “Wyden: CALEA Hack Proves Dangers Of Government-Mandated Backdoors”

12 Comments
Anonymous Coward says:

Re:

Alternately, voting in a federal lawmaker who can and will gather an ethical and technically competent staff … and then listen to said staff.

That too, would work.

But then, we’re talking about the bodies that demolished the Office of Technical Assessment so they could say they “didn’t know”.

TKnarr (profile) says:

Next time encryption and mandatory backdoors comes up during hearings, I think Wyden needs to respond to the LEAs rejecting the idea that they could be compromising encryption in any way with “So, you’re claiming that the Chinese Salt Typhoon group didn’t get access to our telecommunications infrastructure through the CALEA backdoor?”. And then don’t back off until they square up their statements with the evidence.

Anonymous Coward says:

Re:

Small quibble. It should be:

Same as with Section 230 and Net Neutrality, no one can argue against strong encryption without lying.

I can argue against weak/backdoor-ed encryption truthfully all day.

Case in point: If your system depends on DES, 2TDES, or 3TDES, it is in dire need of updating. You probably shouldn’t use it at all.

And if those are the selling points of a “modern” thing, run screaming, and never talk to that vendor again.

Anonymous Coward says:

Re: Re:

If your system depends on DES, 2TDES, or 3TDES, it is in dire need of updating. You probably shouldn’t use it at all.

“Probably” is an important word here. 3DES is not insecure per se, but is a pretty negative shibboleth: a sign of a protocol or software stack that nobody’s updated in decades. It might be fine in things like bank card PIN handling, or offline file encryption. Worrying in “live” encryption such as HTTPS, due to Sweet32 (which can be fixed by limiting session length, but why bother?).
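The Sweet32 point in the comment above comes down to the birthday bound on a 64-bit block cipher: once roughly 2^32 blocks (about 32 GiB) have been encrypted under one key, ciphertext-block collisions become likely, which is why capping the amount of data per key (rekeying or shorter sessions) is the mitigation the commenter mentions. The following is an added example, not code from the comment author or from Techdirt; the 2^-20 per-key risk threshold and the 1 TB session size are assumed values chosen for illustration.

```python
import math


def collision_probability(block_bits: int, num_blocks: int) -> float:
    """Birthday-bound estimate of the chance that at least two of ``num_blocks``
    ciphertext blocks repeat under an n-bit block cipher in CBC mode:
        p ~= 1 - exp(-k(k-1) / (2 * 2^n))
    expm1 keeps precision when p is tiny (as it is for 128-bit blocks)."""
    space = 2.0 ** block_bits
    exponent = -(num_blocks * (num_blocks - 1)) / (2.0 * space)
    return -math.expm1(exponent)


def max_bytes_for_probability(block_bits: int, max_probability: float) -> int:
    """Largest number of bytes one key may encrypt before the birthday-bound
    collision probability reaches ``max_probability`` (inverse of the formula above)."""
    space = 2.0 ** block_bits
    k = math.sqrt(-2.0 * space * math.log1p(-max_probability))
    return int(k) * (block_bits // 8)


def keys_needed(total_bytes: int, block_bits: int,
                max_probability: float = 2 ** -20) -> int:
    """Number of distinct keys (rekeys or session restarts) a connection carrying
    ``total_bytes`` needs so that no single key exceeds the risk budget.
    The 2^-20 default is an assumed, deliberately conservative threshold."""
    budget = max_bytes_for_probability(block_bits, max_probability)
    return math.ceil(total_bytes / budget)


if __name__ == "__main__":
    # 2^32 blocks of 64 bits is about 32 GiB: the Sweet32 data volume.
    print("64-bit blocks, 2^32 blocks under one key:",
          round(collision_probability(64, 2 ** 32), 3))
    print("128-bit blocks, same number of blocks:",
          collision_probability(128, 2 ** 32))
    for bits in (64, 128):
        print(f"{bits}-bit blocks: per-key budget at p<=2^-20 = "
              f"{max_bytes_for_probability(bits, 2 ** -20):,} bytes; "
              f"keys needed for an assumed 1 TB session = {keys_needed(10 ** 12, bits):,}")
```

The 64-bit case shows why 3DES is tolerable for small, offline payloads (a PIN block is far below the budget) but a liability on a long-lived link: the same 1 TB that a 128-bit block cipher handles under one key forces tens of thousands of rekeys with a 64-bit block cipher.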
