Centralized Back Door in Protect America Act: Fails Do No Harm Test

Matt Blaze has been spreading the word about a forthcoming paper by him and a Who’s Who of Internet security experts (Steve Bellovin and Matt Blaze are pictured to the right).
Although the Bush administration calls it a vital weapon against terrorism, its domestic wiretapping effort could become a devastating tool for terrorists if hacked or penetrated from inside, according to a new article by a group of America’s top computer security experts.

Domestic Wiretapping Could Pose ‘An Awesome Risk’ to National Security, By JUSTIN ROOD, ABC News, Feb. 1, 2008

This is about the act passed last year that the Senate is debating extending or modifying right now. It’s that bad even before the administration strongarms Congress into approving retroactive immunity for the warrantless wiretapping it perhaps legitimizes, thus sweeping a host of illegal activities and other possible misdeeds under the rug.

What’s so bad about the Protect America Act?

Building surveillance technologies into communication networks is risky. The Greeks learned this lesson the hard way; two years ago, they discovered that legally installed wiretapping software in a cellphone network had been surreptitiously enabled by parties unknown, resulting in the wiretapping of more than 100 senior members of the government for almost a year [1]. Things are not much better in Italy, where a number of Telecom Italia employees have been arrested for illegal wiretapping (with attempts at blackmail) [2].

Risking Communications Security: Potential Hazards of the “Protect America Act”, Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford. IEEE Security and Privacy, Vol. 6, No. 1, January/February 2008, pp. 24-33, to appear.

Funny how when you build a centralized back door into a network, you can’t always tell who will use it, or for what. Security people like to mention a tenet of medical ethics variously ascribed to Hippocrates or Galen: “First, do no harm.” The Protect America Act fails that test, making the Internet less secure.

Lest you think it’s only Greeks and Italians who have this problem, the U.S. is no better. The FBI designed an intercept system to implement the Communications Assistance to Law Enforcement Act (CALEA). The paper says of that system:

Its auditing system was primitive, surprising for a system intended for evidence collection. The system has no unprivileged user IDs, relying on passwords rather than token-based or biometric authentication, and even uses an outdated hashing algorithm (MD5 appears in a 2007 “system security plan” [23], several years after Chinese researchers found serious problems with this already weak hashing algorithm). Most seriously, the system relied on a single shared login, rather than a login per authorized user. The system’s ability to audit user behavior depended entirely on following proper processes, including using a manual log sheet to show who was using the system at a given time. Remote access–in an insecure fashion–is permitted from other DCS 3000 nodes, making the system vulnerable to insider attacks. These are a real risk: recall that the most damaging spy in FBI history, Robert Hanssen, abused his authorized access to internal FBI computer systems to steal information and track progress of the investigation aimed at him.

A closed system built by a closed process ends up open to many sorts of abuse, because none of its design, specification, implementation, or use had adequate review or safeguards.

To sum up:

When you build a system to spy on yourself, you entail an awesome risk.
Centralizing a network usually does fail the Do No Harm test. The Internet’s strength has always been its decentralization. Many telco and government people have never understood that, and apparently still don’t. They should read this paper.

Who would have motive to misuse such a back door? Enemy foreign actors, whether states or not. Them, plus:

(…there is little foreign intelligence value in wiretapping a transmission of the latest Hollywood movie.)
Maybe little foreign intelligence value, but suppose the ISP providing the data has publicly announced that it will police its network to prevent what it or Hollywood considers to be copyright violations of Hollywood movies….

Sure there are real enemies out there, but with this Act:

In an age so dependent on communication, the loss could well be greater than the gain.

What would make the Internet stronger and more secure would be more competitors, each protecting the security of its own network, without government back doors. If Congress must have back doors, at least have them controlled by multiple levels of oversight by multiple parties, all the way from design to use to forensic examination of how they were used. And having more different ISPs handling different parts of the Internet would still increase overall security.