back to article Blocking Chinese spies from intercepting calls? There ought to be a law

US telecoms carriers would be required to implement minimum cyber security standards and ensure their systems are not susceptible to hacks by nation-state attackers – like Salt Typhoon – under legislation proposed by senator Ron Wyden (D-OR). The Secure American Communications Act [PDF], if signed into law, would require the …

  1. VicMortimer Silver badge

    REPEAL CALEA

    What does this idiot think they used to get access?

    Making it possible for the pigs to see texts and hear phone calls is WHY such an attack was possible. If calls and texts were end to end encrypted by default, this crap would never have happened.

    There is no safe back door.

    1. DS999 Silver badge

      Re: REPEAL CALEA

      Wyden has been consistent during his entire time in Congress as being against all these backdoors, PATRIOT Act, all that stuff. He's just about the only true pro-privacy member of congress. Unfortunately you need half of congress to agree to pass a law (or 2/3 if the president doesn't agree) so he's on the losing side of all such votes.

      He's hoping to strike while the iron is hot with outrage over these attacks to try to rein in some of the worst abuses, but good luck when you have a new administration coming aboard looking to use all that against "the other side", including journalists and congressmen - something they have been revealed to have already been doing last time they were in office. No doubt it will be 100x worse this time. I predict a huge increase in journalists trading normal phone calls for stuff like Facetime audio, Signal or whatever to bypass the telco intercepts not because they are worried about China but because they are worried about Kash Patel's FBI.

      1. Jellied Eel Silver badge

        Re: REPEAL CALEA

        Wyden has been consistent during his entire time in Congress as being against all these backdoors, PATRIOT Act, all that stuff.

        But his proposal doesn't seem to be suggesting a repeal of CALEA, but enforcing it further. It's already the law for telcos, but might also be expanding the remit to include CSPs and apps like Facetime, Signal, WhatsApp etc. It does also seem to suggest that CALEA is the culprit and was compromised, as I suspected. But-

        The legislation doesn't specify what these safety measures should include, other than they must "prevent the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including by an advanced persistent threat."

        That's nice, but.. how? This describes some of the challenges-

        https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-lawful-intercept.html

        The mediation device uses SNMPv3 to instruct the call connect (CC) IAP to replicate the CC and send the content to the mediation device. The CC IAP can be either an edge router or a trunking gateway for voice, and either an edge router or an access server for data.

        To increase the security and to mitigate any SNMPv3 vulnerability, the following tasks are required:

        Restricting Access to Trusted Hosts (without Encryption)

        Encrypting Lawful Intercept Traffic and Restricting Access to Trusted Hosts

        And also one of the possible (probable) vulnerabilities, ie the security of the mediation device, which may not be under the telco's control. One problem with CALEA is the US has many LEAs that could lawfully request metadata or a Title III warrant. So configuring and managing trusted hosts & encrypted VPNs is non-trivial, hence why that's generally outsourced to the mediation device and service.

        Plus the telco/SP has no real way of knowing if the intercept request is lawful. An SPs counsel might see a valid Title III warrant, but that doesn't mean the warrant is lawful, ie an LEO may be abusing their powers. And you probably don't want the SP to know the target of an intercept request because if the SP's staff are compromised, maybe they tell the target that Big Brother really is watching you.

        So the problem is probably one for the LEAs and security services to solve, ie creating and maintaining a secure mediation layer that can vett and validate requests, then pass that to the mediation gateways to act on. Then it's just the small matter of ensuring that vendors like Cisco etc don't have bugs in their SNMPv3, RADIUS etc implementations that compromise whatever CALEA2.0 turns out to be. Other countries have already kinda solved this problem by restricting the audience, then again they're also complicating it by legislation requiring lawful intercept for additional classes of data, like 'social' media apps. Telcos and SPs might be able to intercept that data, but can't decode or decrypt it.

        And then there's the small matter of whether the providers of the mediation gateways can really be trusted, given they have a lot of power.

        1. Doctor Syntax Silver badge

          Re: REPEAL CALEA

          My understanding of TFA is that he's compelling the FCC to do its job. Presumably CALEA enabled FCC to do it but made it voluntary.

          1. Jellied Eel Silver badge

            Re: REPEAL CALEA

            My understanding of TFA is that he's compelling the FCC to do its job. Presumably CALEA enabled FCC to do it but made it voluntary.

            Kind of.. But as usual, it's the problem with legislation. So the general purpose of CALEA is-

            https://en.wikisource.org/wiki/Communications_Assistance_for_Law_Enforcement_Act#

            To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.

            Which has a rather vague obligation, like what 'other purposes'? Plus then some of the definitions, eg who is a 'telecommunications carrie', which then gets defined-

            (A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and...

            (C) does not include—

            (i) persons or entities insofar as they are engaged in providing information services; and

            (ii) any class or category of telecommunications carriers that the Commission exempts by rule after consultation with the Attorney General.

            So if you're deemed a 'common carrier', then you have to implement it. If you provide a telephony service, you probably have to implement it. If you're a mobile operator who's customers use WhatsApp, you have to comply with CALEA, but can't comply with a Title III warrant because FaceMelta controls WhatsApp and lobbys hard against having to comply with CALEA, and other national legislation wrt lawful intercept.

            And then there's the general policy issues, ie balancing the right to privacy with the need to enforce (some) laws because there are very bad people doing very bad things online. But then there are also very dumb politicians, especially here in the UK-

            https://www.gov.uk/guidance/digital-identity

            The Data (Use and Access) Bill includes measures to establish a statutory footing for digital verification services without creating a mandatory digital ID system or introducing ID cards.

            If you believe this isn't an enabler for mandatory digital or physical ID cards, I've got a Tower Bridge to sell you. Labour just can't let ID cards die in peace.

        2. DS999 Silver badge

          Re: REPEAL CALEA

          In an ideal world it would be great if he suggested repeal of CALEA, but we live in the real world where he knows that has 0% chance of passing. If you want something that solves the problem but also has a chance of passing congress you force the telcos to do a better job of securing their systems by having real consequences when they fail in that mission. That will force them to invest more money into making that happen.

          Let's face it, the main reason this happened is because telcos didn't invest in protecting their "lawful intercept" systems because they knew the worst that could happen is a small fine and some bad press that will blow over the second some bigger news item comes along like an overthrow of a dictator in the middle east or broad daylight assassination of a CEO. Which it did, it was in the mainstream (non tech) news for a day or two and will never be heard from again except at sites like the Reg.

          But even this will be a hard sell to an incoming administration who believes all regulation is bad and will be appointing incompetent sycophants to lead everything, all the better to prove their core belief that "government is incompetent so we should let the private sector be responsible for everything and also self regulate".

          1. Jellied Eel Silver badge

            Re: REPEAL CALEA

            But even this will be a hard sell to an incoming administration who believes all regulation is bad and will be appointing incompetent sycophants to lead everything, all the better to prove their core belief that "government is incompetent so we should let the private sector be responsible for everything and also self regulate".

            Given that members of the incoming administration appear to have been victims of unlawful intercepts, the opposite might be true. And some of them are competent and should understand some of the technology risks. And I think the problem might be that the private sector has been given too much control, and not enough oversight. But having been on the telco side most of my career, lawful intercept is one of those necessary evils. It is a licence condition, so has to be supported, but I neither need, nor want to know who is accessing probes or mediation devices. I can secure access to a degree, but would have no real way of determining if requests are lawful given they're effectively proxied.

            But it's one of those risks that was pointed out during CALEA development that seems to have come true, and isn't necessarily the telco's problem. Industry can advise, but can't necessarily resolve a problem that has been forced on them. Much of that is related to this-

            https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act#Indemnification

            Unfortunately, congressional refusal to offer indemnification remains an impediment to real collaboration. At least qualified immunity should be accorded. This is immunity of individuals performing tasks as part of the government's actions.

            Especially if this proposal places even more risk on telcos for a service that really should be under state control. Maybe the US should set up a Social Network Operational Oversight Panel comprised of industry and LEA representatives to enhance security, but there's a lot of politics around giving states more powers regarding lawful intercepts.

            1. DS999 Silver badge

              Re: REPEAL CALEA

              Given that members of the incoming administration appear to have been victims of unlawful intercepts, the opposite might be true

              They CLAIM the intercepts were unlawful. If they followed proper channels and were approved by a judge, they're legal whether or not you personally agree with the law.

              Anyway, when Trump was in office last time he used the FBI to illegally spy on journalists and even two members of congress. He sure isn't going to be better behaved than he was last time. So yeah, any unlawful spying against conservatives that may or may not have been occurring is likely to stop under Trump. But there will be even more unlawful spying, and he sure isn't going to support the repeal of the law that enables him to spy on those he doesn't like. And I'll bet he will spy on people on his side as well. He demands absolute loyalty and subservience, and doesn't want it just to his face. He wants to know if people are saying bad things about him behind his back or "leaking" information (another thing he hates when it hurts him but is 100% behind when it hurts those against him)

    2. Wang Cores

      Re: REPEAL CALEA

      It's almost like good government is cheaper and more effective than being tore 15 different ways (No! A POLICE STATE No! LET PRIVATE ENTERPRISE GET A CUT!).

  2. deevee

    What a joke, how about some laws stopping the NSA/FBI and CIA using ECHELON (and CALEA etc) to spy on phone calls from EVERYONE!

    The USA enforce spying abilities, buy making everyone buy US network equipment that is DESIGNED to allow spying. Its why they won't allow Chinese network gear, because no one could spy if all the network gear was Chinese.

    The USA has spying equipment/facilities and staff in pretty much every western country in the world, to enable this.

    1. CowHorseFrog Silver badge

      What about laws against BigTech ?

      WHy are you worried if the gov spies on. you ?

      Are you that so fucking important ?

      1. Lord Elpuss Silver badge

        Ahh, the good old "if you've got nothing to hide" defense. Gestapo, StaSi, GRU/KGB and Securitate are proud of you comrade.

      2. Doctor Syntax Silver badge

        What this episode has demonstrated is that backdoors are not accessible to only those for whom they were intended, they are accessible to anyone who made the effort - considerable effort, no doubt, but an achievable one - to investigate them. Currently the standard means of communication on the internet are no more secure than messages written on a postcard. You personally might have no dealings that risk exposure in that way. You may never, for instance, buy anything on the internet, transmitting banking details. OTOH your employers might well rely on communicating matters which they expect to be treated as commercial in confidence and leave themselves and their employees - that means you - at a disadvantage if those matters were intercepted by a competitor.

  3. CowHorseFrog Silver badge

    What about big tech advertising spies ?

    1. vtcodger Silver badge

      CAMS

      Advertising spies? Heavens no. They are simply Computer Assisted Marketing Services (CAMS) -- Tiny cogs in the wheel of marvelous technology that drives the wonderful (Donald Trump's word, not mine, I'd say instead "wildly overextended") American Economy.

      You Donna mess with the CAMS or we breaka you hands.

  4. IGotOut Silver badge

    Good luck with that ...

    ...pretty sure the FCC will soon consist of Bob the cleaner and his faithful companion, with a budget of whatever the billionaires can steal off a homeless person

  5. Anonymous Coward
    Anonymous Coward

    Insecure By Design.....

    Quote: "... Chinese spies, who we recently learned did access these systems to steal communications and other sensitive information..."

    Who says that the Chinese were the only -- or even the first -- spooks in the (insecure) door?

    Who say that the systems were not "insecure by design"?

    It is only eleven years since Snowden!! How soon we forget!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like