The Washington Post reported earlier this week that Chinese hackers gained access to Google’s surveillance database, potentially obtaining years’ worth of data related to search warrants and Foreign Intelligence Surveillance Act (FISA) orders, in a counterintelligence operation several years ago known as Operation Aurora. While this recent revelation is troubling in and of itself, the fact that this sensitive, and presumably well-secured, information was breached may also serve to validate concerns about the security risks of a proposed update to a wiretapping law.
According to the Post, Google discovered the surveillance database had been compromised in the course of investigating the 2009 Aurora hackings and the company alerted the FBI. Although Google publicly disclosed a breach and identified China as the source of the assault in 2010, it was identified then as an attempt to spy on Chinese human rights activists.
The new revelations suggest Aurora was a Chinese counterintelligence operation, similar to the one exposed in a report from cybersecurity firm Mandiant earlier this year, and one of its goals was to discover which Chinese agents were under surveillance by U.S. law enforcement. Aurora reportedly targeted at least 34 companies, including other major tech companies that likely maintain similar databases such as Yahoo. A Microsoft official speaking at a conference this April suggested they were facing attacks in the same time period, and identified the Chinese as “trolling” for information about surveillance orders.
Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, declined to comment on either the Microsoft or Google cases to the Washington Post, but said these types of intrusions should serve as “a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector” which “clearly need strengthening.” But despite those concerns, the government continues to pursue policies that put a great deal of responsibility in the hands of private sector actors.
For instance, proposed updates to the Communications Assistance for Law Enforcement Act (CALEA) would charge companies like Google with the creation and security of secret backdoor access points in communications software. CALEA is a wiretapping law that requires telecommunications companies to provide a way for law enforcement to snoop on communications as they happen. It was originally passed in 1994 to ensure that law enforcement maintained access to wiretapping capabilities as the telephone infrastructure went digital, and has since been expanded to include VoIP and broadband internet traffic. But the law currently doesn’t apply to third-party non-telecom companies, like Google and Facebook. Officials say that when those companies started using end-to-end encryption (ironically, after Google’s systems were compromised during Operation Aurora) it became prohibitively difficult to carry out real-time snooping on some targets. That’s because end-to-end encryption basically creates a protected tunnel that information can flow through without being directly accessed by the telecom companies that are required to have intercept capabilities.