Surveillance or Security?: The Risks Posed by New Wiretapping Technologies


Posted by Ben Rothke

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize.  It is not about security, but it deals extensively with it.  It is not a law book, but legal topics are pervasive throughout the book.  It is not a telecommunications book, but extensively details telco issues.  Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times.

One reason Surveillance or Security? is one of the most pragmatic books on the topic is that the author never once uses the term Big Brother.  Far too many books on privacy and surveillance are filled with hysteria and hyperbole and the threat of an Orwellian society.  This book sticks to the raw facts and details the current state, that of insecure and porous networks around a surveillance society.

In this densely packed work, Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University, details the myriad layers around surveillance, national security, information security and privacy.  Landau writes that her concern is not about legally authorized law enforcement and national security wiretapping; rather, it is about the security risks of building surveillance into communications infrastructures.

Landau details numerous reasons why communications security is hard to do right, but is an imperative for our ultimate security, privacy and digital wellbeing.

In 250 pages, Landau makes a compelling case.  In addition to her superb handle on the topic, the book has over 80 pages of footnotes, where every quote, statement and claim is verified and confirmed.  The book is a great launching pad for a much deeper analysis on the topic. 

The main theme of the book is that digital communications have revolutionized the way in which society interacts.  The Internet is now the lifeblood of many businesses and governments, including a significant part of our critical infrastructure.  The fact that this infrastructure lacks comprehensive security and privacy controls is a troubling concern.

In 11 dense chapters, Landau notes that because security and privacy have not been fully integrated into this infrastructure, we are left exposed and vulnerable to cyberattacks.

In the introduction, Landau notes that with this new computing and telecommunications paradigm, the job of law enforcement has become much more challenging.  In previous years, surveillance was relatively easy.  Once law enforcement had physical access to a phone line, they were in.  Today, with cell phones, VoIP, Internet cafes, anonymizing services and more, the dynamics have changed, and this has caused quite a shock for law enforcement, who are often struggling to deal with this new paradigm.

Landau notes that the surveillance and eavesdropping technologies that have been deployed since 9/11 are being used to catch one set of enemies.  But other antagonists may be poised to turn these tools against us, and we are putting into place something for our enemies to use that they could not afford to do on their own.  As to this and other difficult questions that Landau brings up, there are no simple answers.

Chapter 3 – Securing the Internet is Difficult – notes that the original creators of TCP/IP did not have security in their design.  Their concerns were more along the lines of traffic breakdowns, packet loss, robustness and more, but not security and privacy.  In some ways, this may have been a blessing, as Dennis Jennings, who ran the NSF program that built the NSFNET, states that “had we known what was to come, we’d have been terrified and the Internet would never have happened.”

In chapter 5 – The Effectiveness of Wiretapping – Landau notes that the biggest use of wiretapping tools is not actually the capture of conversation, but something that is not really wiretapping at all: the capture of transactional information.

Chapter 7 – Who are the Intruders?  What are They Targeting? – is one of the best chapters in the book.  Landau details both the internal threat and industrial espionage, and it is not a pretty picture.  Landau provides numerous cases where nation-states used networks, rather than people, to infiltrate US interests, governmental, industrial and scientific areas.  She notes that these insider attacks are often the most difficult to detect, the reason being that insiders know the systems, know where the important data is, and know what the auditors are looking at.  This ultimately makes insider attacks particularly pernicious.

So how significant is nation-state infiltration of US networks?  Landau quotes a confidential government source as saying that the NASA network was “completely open to the Chinese”.

Landau makes her message loud and clear in chapter 8 when she notes that it does not help to tell people to be secure; rather, security must be built into their communications systems.  Security must be ubiquitous, from the phone to the central office and from the transmission of a cell phone to its base station to the communications infrastructure itself.

In chapter 9 – Policy Risks Arising from Wiretapping – Landau details how deep packet inspection (DPI) is used by ISPs.  It is the ISPs who have the capability to know what you are browsing, what your email says, your VoIP conversation and much more.  In a short amount of time, the ISP can develop a dossier on the user, and as noted, it has the ability to amass data to an amount that the Stasi could only dream of.  This surveillance ability is what is most troubling to the author.

Landau continues that the only way for a person to avoid the risk from ubiquitous uses of DPI by an ISP would be to encrypt everything.  While not completely done now, Gmail and Skype do bulk encryption. 

The book closes with chapter 11 – Getting Communications Security Right – and there are no easy answers.  Landau notes that across the globe, there are projects on clean-slate network architectures.  But our current infrastructure is quite insecure and porous. 

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is an extremely important book on the topic of the many risks posed by new wiretapping technologies.  Landau has the remarkable talent of taking very broad issues and detailing them in a concise, yet comprehensive manner.  The book should be seen as the starting point for discussion on a most important topic. 

Landau does an excellent job of detailing how unwarranted surveillance can undermine security and affect our rights, while noting that security for every citizen is paramount to the very spirit of the Constitution. 

The book closes with the very principles of what it means to get communications security right, and notes that adhering to these principles cannot guarantee that we will be completely secure, but failure to adhere to them will guarantee that we will not.

As to Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, required reading it is, but that term does not do justice to the importance of this book.  Simply put, this book is the definitive text on the topic and it is a title that needs to be read.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad
