Entries Tagged "national security policy"

Page 54 of 57

Applying CALEA to VoIP

Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP,” paper by Steve Bellovin, Matt Blaze, Ernie Brickell, Clint Brooks, Vint Cerf, Whit Diffie, Susan Landau, Jon Peterson, and John Treichler.

Executive Summary

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with a telephone, including the graceful accommodation of wiretapping, should be able to be done readily with VoIP as well.

The FCC has issued an order for all “interconnected” and all broadband access VoIP services to comply with Communications Assistance for Law Enforcement Act (CALEA)—without specific regulations on what compliance would mean. The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in the VoIP implementation.

Intercept against a VoIP call made from a fixed location with a fixed IP address directly to a big internet provider’s access router is equivalent to wiretapping a normal phone call, and classical PSTN-style CALEA concepts can be applied directly. In fact, these intercept capabilities can be exactly the same in the VoIP case if the ISP properly secures its infrastructure and wiretap control process as the PSTN’s central offices are assumed to do.

However, the network architectures of the Internet and the Public Switched Telephone Network (PSTN) are substantially different, and these differences lead to security risks in applying the CALEA to VoIP. VoIP, like most Internet communications, are communications for a mobile environment. The feasibility of applying CALEA to more decentralized VoIP services is quite problematic. Neither the manageability of such a wiretapping regime nor whether it can be made secure against subversion seem clear. The real danger is that a CALEA-type regimen is likely to introduce serious vulnerabilities through its “architected security breach.”

Potential problems include the difficulty of determining where the traffic is coming from (the VoIP provider enables the connection but may not provide the services for the actual conversation), the difficulty of ensuring safe transport of the signals to the law-enforcement facility, the risk of introducing new vulnerabilities into Internet communications, and the difficulty of ensuring proper minimization. VOIP implementations vary substantially across the Internet making it impossible to implement CALEA uniformly. Mobility and the ease of creating new identities on the Internet exacerbate the problem.

Building a comprehensive VoIP intercept capability into the Internet appears to require the cooperation of a very large portion of the routing infrastructure, and the fact that packets are carrying voice is largely irrelevant. Indeed, most of the provisions of the wiretap law do not distinguish among different types of electronic communications. Currently the FBI is focused on applying CALEA’s design mandates to VoIP, but there is nothing in wiretapping law that would argue against the extension of intercept design mandates to all types of Internet communications. Indeed, the changes necessary to meet CALEA requirements for VoIP would likely have to be implemented in a way that covered all forms of Internet communication.

In order to extend authorized interception much beyond the easy scenario, it is necessary either to eliminate the flexibility that Internet communications allow, or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.

Posted on June 28, 2006 at 12:01 PMView Comments

U.S. Government Sensitive but Unclassified Information

New report from the GAO: “GAO-06-385 – The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information,” March 2006:

Federal agencies report using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect sensitive information—from law or drug enforcement information to controlled nuclear information—and agencies that account for a large percentage of the homeland security budget reported using most of these designations. There are no governmentwide policies or procedures that describe the basis on which agencies should use most of these sensitive but unclassified designations, explain what the different designations mean across agencies, or ensure that they will be used consistently from one agency to another. In this absence, each agency determines what designations to apply to the sensitive but unclassified information it develops or shares. For example, one agency uses the Protected Critical Infrastructure Information designation, which has statutorily prescribed criteria for applying, sharing and protecting the information, whereas 13 agencies designate information For Official Use Only, which does not have similarly prescribed criteria. Sometimes agencies used different labels and handling requirements for similar information and, conversely, similar labels and requirements for very different kinds of information. More than half of the agencies reported encountering challenges in sharing such information. For example, DHS said that sensitive but unclassified information disseminated to its state and local partners had, on occasion, been posted to public Internet sites or otherwise compromised, potentially revealing possible vulnerabilities to business competitors.

Here’s the list:

Table 2: Sensitive but Unclassified Designations in Use at Selected Federal Agencies

Designation Agencies using designation

1 Applied Technology *Department of Energy (DOE)
2 Attorney-Client Privilege Department of Commerce (Commerce), *DOE
3 Business Confidential *DOE
4 Budgetary Information Environmental Protection Agency (EPA)
5 Census Confidential Commerce
6 Confidential Information Protection and Statistical Efficiency Act Information (CIPSEA) Social Security Administration (SSA)
7 Computer Security Act Sensitive Information (CSASI) Department of Health and Human Services (HHS)
8 Confidential Department of Labor
9 Confidential Business Information (CBI) Commerce, EPA
10 Contractor Access Restricted Information (CARI) HHS
11 Copyrighted Information *DOE
12 Critical Energy Infrastructure Information (CEII) Federal Energy Regulatory Commission (FERC)
13 Critical Infrastructure Information Office of Personnel Management (OPM)
14 DEA Sensitive Department of Justice (DOJ)
15 DOD Unclassified Controlled Nuclear Information Department of Defense (DOD)
16 Draft EPA
17 Export Controlled Information *DOE
18 For Official Use Only (FOUO) Commerce, DOD, Department of Education, EPA, General Services Administration, HHS, DHS, Department of Housing and Urban Development (HUD), DOJ, Labor, OPM, SSA, and the Department of Transportation (DOT)
19 For Official Use Only‹Law Enforcement Sensitive DOD
20 Freedom of Information Act (FOIA) EPA
21 Government Confidential Commercial Information *DOE
22 High-Temperature Superconductivity Pilot Center Information *DOE
23 In Confidence *DOE
24 Intellectual Property *DOE
25 Law Enforcement Sensitive Commerce, EPA, DHS, DOJ, HHS, Labor, OPM
26 Law Enforcement Sensitive/Sensitive DOJ
27 Limited Distribution Information DOD
28 Limited Official Use (LOU) DHS, DOJ, Department of Treasury
29 Medical records EPA
30 Non-Public Information FERC
31 Not Available National Technical Information Service Commerce
32 Official Use Only (OUO) DOE, SSA, Treasury
33 Operations Security Protected Information (OSPI) HHS
34 Patent Sensitive Information *DOE
35 Predecisional Draft *DOE
36 Privacy Act Information *DOE, EPA
37 Privacy Act Protected Information (PAPI) HHS
38 Proprietary Information *DOE, DOJ
39 Protected Battery Information *DOE
40 Protected Critical Infrastructure Information (PCII) DHS
41 Safeguards Information Nuclear Regulatory Commission (NRC)
42 Select Agent Sensitive Information (SASI) HHS
43 Sensitive But Unclassified (SBU) Commerce, HHS, NASA, National Science Foundation (NSF), Department of State, U.S. Agency for International Development (USAID)
44 Sensitive Drinking Water Related Information (SDWRI) EPA
45 Sensitive Information DOD, U.S. Postal Service (USPS)
46 Sensitive Instruction SSA
47 Sensitive Internal Use *DOE
48 Sensitive Unclassified Non-Safeguards Information NRC
49 Sensitive Nuclear Technology *DOE
50 Sensitive Security Information (SSI) DHS, DOT, U.S. Department of Agriculture (USDA)
51 Sensitive Water Vulnerability Assessment Information EPA
52 Small Business Innovative Research Information *DOE
53 Technical Information DOD
54 Trade Sensitive Information Commerce
55 Unclassified Controlled Nuclear Information (UCNI) DOE
56 Unclassified National Security-Related *DOE

I’ve already written about SSI (Sensitive Security Information).

Posted on May 19, 2006 at 7:52 AMView Comments

"The TSA's Constitution-Free Zone"

Interesting first-person account of someone on the U.S. Terrorist Watch List:

To sum up, if you run afoul of the nation’s “national security” apparatus, you’re completely on your own. There are no firm rules, no case law, no real appeals processes, no normal array of Constitutional rights, no lawyers to help, and generally none of the other things that we as American citizens expect to be able to fall back on when we’ve been (justly or unjustly) identified by the government as wrong-doers.

Posted on May 12, 2006 at 1:38 PMView Comments

NSA Warrantless Wiretapping and Total Information Awareness

Technology Review has an interesting article discussing some of the technologies used by the NSA in its warrantless wiretapping program, some of them from the killed Total Information Awareness (TIA) program.

Washington’s lawmakers ostensibly killed the TIA project in Section 8131 of the Department of Defense Appropriations Act for fiscal 2004. But legislators wrote a classified annex to that document which preserved funding for TIA’s component technologies, if they were transferred to other government agencies, say sources who have seen the document, according to reports first published in The National Journal. Congress did stipulate that those technologies should only be used for military or foreign intelligence purposes against non-U.S. citizens. Still, while those component projects’ names were changed, their funding remained intact, sometimes under the same contracts.

Thus, two principal components of the overall TIA project have migrated to the Advanced Research and Development Activity (ARDA), which is housed somewhere among the 60-odd buildings of “Crypto City,” as NSA headquarters in Fort Meade, MD, is nicknamed. One of the TIA components that ARDA acquired, the Information Awareness Prototype System, was the core architecture that would have integrated all the information extraction, analysis, and dissemination tools developed under TIA. According to The National Journal, it was renamed “Basketball.” The other, Genoa II, used information technologies to help analysts and decision makers anticipate and pre-empt terrorist attacks. It was renamed “Topsail.”

Posted on April 28, 2006 at 8:01 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.