Last weekend, news broke that Chinese-backed hackers had penetrated the eavesdropping systems of several U.S. telecommunications and internet providers, presumably to collect information about Americans.
Required by a 30-year-old U.S. federal law, wiretapping systems are among the most secretive systems within a telecommunications or Internet provider's network, typically allowing a select few employees to monitor Internet traffic. Allows nearly unlimited access to information about customers, including: and browsing history.
But for technologists who have long been sounding the alarm about the security risks of backdoors, news of the breach is the “I told you so” moment they hoped would never come, but knew would come.
“I think this was absolutely inevitable,” Matt Blais, a Georgetown Law professor and secure systems expert, told TechCrunch about the latest breach of telecom and internet providers. .
The Wall Street Journal reported Friday that a Chinese government hacking group called Salt Typhoon had breached three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, and made customer data available to law enforcement agencies and others. It was the first to report that the company had accessed a system used to provide information to law enforcement agencies. government. The hack reportedly resulted in “massive harvesting of internet traffic” from telecom and internet giants. CNN and the Washington Post also confirmed the breach and said a U.S. government investigation was in its early stages.
The purpose of China's operation is not yet fully clear, but the Journal cited national security officials who believe the breach was “potentially catastrophic.” The hacker in question, Salt Typhoon, is believed to be laying the groundwork for a devastating cyberattack in preparation for an expected future conflict between China and the United States over Taiwan. One of the related hacking units.
Blaze told TechCrunch that China's infiltration of US eavesdropping systems is the latest example of malicious misuse of backdoors intended for ostensibly lawful and lawful purposes. The security community has long advocated against backdoors, arguing that it is technically impossible to have a “secure backdoor” that cannot be exploited or exploited by malicious actors.
Liana Pfefferkorn, a scholar and encryption policy expert at Stanford University, said, “The law requires carriers to make calls available for eavesdropping (unless they encrypt the calls); “Systems are always a target for bad actors,” he said in a Blue Sky thread. “This hack exposes the lies America has told.” [government] To protect yourself, you need to be able to read every message you send and listen to every call you make. This system is not protecting you, it is putting you at risk. ”
“The only solution is to strengthen the encryption,” Pfefferkorn said.
The 30-year-old law that is the setting for the latest backdoor fraud is the Communications Assistance for Law Enforcement Act (CALEA). CALEA became law in 1994, when cell phones were rare and the internet was still in its infancy.
CALEA requires “telecommunications providers” such as telephone companies and internet providers to provide the government with all necessary assistance to access their customers' information if lawfully ordered to do so. In other words, if there is a way to access customer data, phone companies and internet providers must provide it.
Eavesdropping became big business after 2000, following the 9/11 attacks in 2001. The subsequent introduction of post-9/11 legislation, such as the Patriot Act, significantly expanded U.S. surveillance and intelligence collection, including of American citizens. CALEA and other surveillance laws around this time created an entire industry of wiretapping companies that help phone and internet companies comply with the law by wiretapping on their behalf.
Much of how these expanded wiretapping laws and provisions worked in practice, and what access the government had to American citizens' personal data, was revealed in 2013 by former NSA contractor Edward・It was largely kept secret until Mr. Snowden leaked thousands of classified U.S. documents and exposed government secrets on a large scale. Surveillance technologies and practices over the past decade, including vast collections of Americans' personal data.
While much of the Snowden surveillance scandal focused on how the U.S. government and its closest allies collected sensitive data about key foreign intelligence targets such as foreign terrorists and hostile government hackers, the U.S. government 's spying revelations led to an uproar in Silicon Valley. The tech giant's systems were, in some cases, unwittingly eavesdropped by U.S. intelligence agencies. Silicon Valley banded together to fight back, which led, in part, to peel back years of secrecy and general cover-up of government-mandated wiretapping.
In the years that followed, tech giants realized they couldn't force them to hand over customer data they didn't have access to, so they began encrypting as much customer data as possible (though there are still a number of untested legal exceptions). or exist). Tech giants once accused of facilitating U.S. surveillance have begun publishing “transparency reports” detailing how many times they were forced to hand over customer data over a given period of time.
While tech companies have begun to lock down their products and prevent outside prying eyes (and in some cases even the tech companies themselves) from accessing their customers' data, phone and internet companies have begun to lock down their customers' phones. and rarely encrypted Internet traffic. Therefore, much of the United States' Internet and telephone traffic is still available for eavesdropping under CALEA.
The United States isn't the only country interested in backdoors. There are ongoing and persistent efforts by governments around the world to push laws that undermine, circumvent, or violate encryption. Across the European Union, member states are working to legally require messaging apps to scan citizens' private communications for suspected child abuse material. Security experts argue that no technology exists that can accomplish what the law requires without risking nefarious abuse by malicious parties.
Signal, an end-to-end encrypted messaging app, has been one of the most vocal critics of encryption backdoors, citing Chinese claims as why the European proposal poses a serious threat to cybersecurity. He cited recent breaches of U.S. internet providers.
“There is no way to build a backdoor that only the 'good guys' can use,” Signal president Meredith Whitaker wrote about Mastodon.
“CALEA should be seen as a cautionary tale, not a backdoor success story,” Blaise said of some of the more advanced backdoor proposals that have come out in recent years.