Wyden: CALEA Hack Proves Dangers Of Government-Mandated Backdoors
Techdirt. 2024-10-16
When Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994, it was assured by then-FBI Director Louis Freeh that the mandated wiretap backdoors posed no security risks. Fast forward to today: following the news of a massive CALEA hack, Senator Ron Wyden is reminding the DOJ of that history, while urging the Attorney General to better protect Americans’ security, in part by no longer demanding backdoors in encryption systems.
Last week, we wrote about the bombshell story of the Chinese hacking group Salt Typhoon apparently having “months or longer” access to the mandated wiretapping system found within our phone system. We noted how this story should put an end to the idea — often pushed by lawmakers and law enforcement — that surely we can put similar “backdoors” into encrypted communications.
Senator Ron Wyden has now sent a letter to the FCC and the DOJ highlighting a bit of the history behind CALEA, the statute that mandated wiretapping of the phone lines. In particular, Wyden points out that cybersecurity professionals warned Congress at the time that CALEA would lead to massive vulnerabilities in our phone system and could put everyone’s communications at risk.
These telecommunications companies are responsible for their lax cybersecurity and their failure to secure their own systems, but the government shares much of the blame. The surveillance systems reportedly hacked were mandated by federal law, through the Communications Assistance for Law Enforcement Act (CALEA). CALEA, which was enacted in 1994 at the urging of the Federal Bureau of Investigation (FBI), forced phone companies to install wiretapping technology into then-emerging digital phone networks. In 2006, acting on a request from the FBI, the Federal Communications Commission (FCC) expanded this backdoor mandate to broadband internet companies.
During the Congressional hearings for CALEA, cybersecurity experts warned that these backdoors would be prime targets for hackers and foreign intelligence services. However, these concerns were dismissed by then-FBI Director Louis J. Freeh, who testified to Congress that experts’ fears of increased vulnerability were “unfounded and misplaced.” Congress, relying on the FBI Director’s assurances that the security risks experts warned about could be addressed, passed the law mandating backdoors. The Department of Justice (DOJ) received $1 billion in today’s dollars to provide industry grants for the development and purchase of new wiretapping technology.
The letter suggests that the DOJ should use this to start pushing back on efforts to backdoor encryption:
DOJ must stop pushing for policies that harm Americans’ privacy and security by championing surveillance backdoors in other communications technologies, like encrypted messaging apps. There is, and has long been, broad consensus among cybersecurity experts that wiretapping capabilities undermine the security of communications technology and create an irresistible target for hackers and spies. Even so, law enforcement officials, including your predecessor, as well as the current and former FBI Directors, have denied this reality, spread disinformation about non-existent secure backdoors, and sought to pressure companies to weaken the security of their products.
The letter also asks the FCC to issue rules regarding security on CALEA wiretaps. The FCC has had the ability to do this for decades, but has mostly chosen to stay out of it:
Chairwoman Rosenworcel, your agency has the authority to require strong cybersecurity defenses in these systems today. The FCC should initiate a rulemaking process to update the CALEA regulations to fully implement the system security requirements in the law. At a minimum, these updated regulations should establish baseline cybersecurity standards for telecommunications carriers, enforced by steep fines; require independent, annual third-party cybersecurity audits; require board-level cybersecurity expertise; and require senior executives annually sign certifications of compliance with the cybersecurity standards.
Overall, this is a good letter. It would be nice if the DOJ, at least, started pushing back on backdooring encryption, rather than (as it has done for years) pushing for such a security disaster.