The Washington Post reported earlier this week that Chinese hackers gained access to Google's surveillance database, potentially obtaining years' worth of data related to search warrants and Foreign Intelligence Surveillance Act (FISA) orders, in a counterintelligence operation several years ago known as Operation Aurora. While this recent revelation is troubling in and of itself, the fact that this sensitive, and presumably well-secured, information was breached may also serve to validate concerns about the security risks of a proposed update to a wiretapping law.
According to the Post, Google discovered the surveillance database had been compromised in the course of investigating the 2009 Aurora intrusions, and the company alerted the FBI. Although Google publicly disclosed the breach and identified China as the source of the attack in 2010, it was characterized at the time as an attempt to spy on Chinese human rights activists.
The new revelations suggest Aurora was a Chinese counterintelligence operation, similar to the one exposed in a report from cybersecurity firm Mandiant earlier this year, and that one of its goals was to discover which Chinese agents were under surveillance by U.S. law enforcement. Aurora reportedly targeted at least 34 companies, including other major tech companies, such as Yahoo, that likely maintain similar databases. A Microsoft official speaking at a conference this April suggested Microsoft faced attacks in the same time period, and described the Chinese as "trolling" for information about surveillance orders.
Michael M. DuBose, former chief of the Justice Department's Computer Crime and Intellectual Property Section, declined to comment on either the Microsoft or Google cases to the Washington Post, but said these types of intrusions should serve as "a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector" which "clearly need strengthening." Despite those concerns, the government continues to pursue policies that put a great deal of responsibility in the hands of private sector actors.
For instance, proposed updates to the Communications Assistance for Law Enforcement Act (CALEA) would charge companies like Google with the creation and security of secret backdoor access points in communications software. CALEA is a wiretapping law that requires telecommunications companies to provide a way for law enforcement to monitor communications as they happen. It was originally passed in 1994 to ensure that law enforcement retained wiretapping capabilities as the telephone infrastructure went digital, and has since been expanded to cover VoIP and broadband internet traffic. But the law currently doesn't apply to third-party non-telecom companies, like Google and Facebook. Officials say that when those companies started encrypting their traffic (ironically, after Google's systems were compromised during Operation Aurora) it became prohibitively difficult to carry out real-time monitoring of some targets. The reason is that the encryption creates a protected tunnel between the user and the service; the information flowing through it cannot be read by the telecom companies that sit in the middle and are the ones currently required to have intercept capabilities. Note that what officials describe is encryption between the user and the provider's own servers, which hides content from the carrier but not from the provider itself; that is precisely why the proposal is aimed at the providers.
While the details of a proposed legislative update to CALEA have not yet been disclosed publicly, the Washington Post reported the update would extend the expectation of intercept capabilities to end-to-end communication software and pressure companies to enable law enforcement officials to intercept online communications as they happen by levying hefty fines for non-compliance. The only way to do that would be to essentially build backdoors into software and networks, something experts say would leave digital communication channels even less secure than they currently are — and potentially lead to more digital snooping by malicious actors like, say, Chinese military hackers.
A report released last week by the Center for Democracy and Technology, written by twenty computer scientists, on the risks of building the backdoors that such a mandate would require noted:
All networks, software, and communication tools that support “lawful intercept” include features that are designed to breach the confidentiality of communications without detection by any party involved in the communication. When parties communicate using services with such features, there is an increased likelihood that an unauthorized and/or malicious adversary with the right technical knowledge and access to the system could capture communications contents without detection. The general nature of CALEA-style mandates and the necessarily clandestine nature of intercept mechanisms increase security risks further.
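To make the report's point concrete, the following is an added illustration written for this page; it is not code from the Post, from the CDT report, or from any real intercept product. It models a two-party encrypted channel first with no intercept point and then with a CALEA-style key-escrow feature, and shows that whoever holds the escrow store (an authorized agency, or an attacker who has copied it, as happened with Google's surveillance database) reads the traffic identically, with nothing visible to the endpoints. The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an HMAC tag so the script runs on the standard library alone (a real system would use a vetted AEAD such as AES-GCM); the names Carrier, EscrowStore and the session id "s1" are assumptions made for the example.

```python
"""Toy model of an end-to-end encrypted channel, with and without an intercept
feature. Illustrative only: the cipher is an HMAC-based stream cipher chosen so
the script needs nothing outside the standard library."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF(key, nonce || counter) blocks concatenated: a CTR-style keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on tampering or
    a wrong key. Endpoints can detect modification of their traffic; they cannot
    detect that a third party holding the key has read it."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def intercept(blob: bytes, key: Optional[bytes]) -> Optional[bytes]:
    """What a party holding `key` (or no key at all) recovers from a captured packet."""
    if key is None:
        return None
    try:
        return decrypt(key, blob)
    except ValueError:
        return None


@dataclass
class Carrier:
    """The telecom in the middle (hypothetical): relays every packet and keeps a copy."""
    captured: List[bytes] = field(default_factory=list)

    def relay(self, blob: bytes) -> bytes:
        self.captured.append(blob)
        return blob


@dataclass
class EscrowStore:
    """Hypothetical provider-side feature added to satisfy an intercept mandate:
    every session key is wrapped under one master key so an authorised party can
    unwrap it later. This one store is what an attacker now needs to copy."""
    master: bytes
    wrapped: Dict[str, bytes] = field(default_factory=dict)

    def register(self, session_id: str, session_key: bytes) -> None:
        self.wrapped[session_id] = encrypt(self.master, session_key)

    def unwrap(self, master: bytes, session_id: str) -> bytes:
        return decrypt(master, self.wrapped[session_id])


def e2e_scenario(message: bytes) -> dict:
    """No intercept feature: the session key exists only at the two endpoints."""
    session_key = secrets.token_bytes(32)
    carrier = Carrier()
    blob = carrier.relay(encrypt(session_key, message))
    return {
        "endpoint": decrypt(session_key, blob),       # recipient reads normally
        "tap": intercept(carrier.captured[0], None),  # the tap holds ciphertext only
    }


def escrow_scenario(message: bytes, attacker_copies_store: bool) -> dict:
    """Intercept feature present. The lawful party unwraps the session key from
    the escrow store; an attacker who has copied the store and its master key gets
    exactly the same access, and the endpoints' own decryption succeeds as before."""
    master = secrets.token_bytes(32)
    store = EscrowStore(master)
    session_key = secrets.token_bytes(32)
    store.register("s1", session_key)
    carrier = Carrier()
    blob = carrier.relay(encrypt(session_key, message))
    lawful = intercept(blob, store.unwrap(master, "s1"))
    attacker = intercept(blob, store.unwrap(master, "s1")) if attacker_copies_store else None
    return {"endpoint": decrypt(session_key, blob), "lawful": lawful, "attacker": attacker}
```

Running e2e_scenario shows the tap recovering nothing while the recipient reads the message; escrow_scenario shows the lawful reader and the attacker who copied the store recovering the identical plaintext, with the recipient's tag check passing in both cases, which is the "without detection" property the report describes. The design choice worth noticing is that the escrow store concentrates every session's secret in one place, so its compromise is retroactive and total rather than limited to one session.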
Of course, the lawful interception tools already used by telecommunications companies have suffered from their own set of security concerns, as evidenced by a peer-reviewed examination of Cisco's lawful interception technology that uncovered several possible vulnerabilities. But the revelation that Google, one of the best-resourced tech outfits in the world, was unable to secure sensitive national security information in its care gives credence to the argument that asking tech companies to build vulnerabilities into their code is only going to make everyone who relies on digital communication channels less secure.