Secret No More: A Closer Look at the US Government’s Role in Addressing Cybersecurity Threats

• Bookmarks: 53


In a 1993 Congressional hearing on telecommunications network security, security researcher Tsutomu Shimomura demonstrated that radio scanners can intercept cellular communications made by nearby analog phone users. Rather than mandating improvements in cellular network security, Congress simply outlawed the sale of radio scanners. Now, over two decades later, the United States still suffers from the repercussions of that decision. Cellular communications of millions of people are under close surveillance by their own government, foreign governments, and criminals. Yet, cybersecurity researchers observe that the government is still reluctant to improve cellular network security or to disclose network vulnerabilities to its citizens.

Stephanie Pell and Christopher Soghoian, from Stanford Law School and Yale University, address Congress’ regulation of cellular communication security in their recent study on the role of the US government in cell phone surveillance and consumer security protection. For decades, the government has relied on cellular surveillance as a law enforcement tool. An invasive cell phone surveillance device, known as Stingray, has been used to track suspects by sending out signals to trick all cell phones in the area (including the ones belonging to innocent bystanders) into transmitting their locations and identifying information.

Agent Bradley S. Morrison, the head of the FBI team responsible for the agency’s use of cellular surveillance technology, warns that disclosure of the FBI’s surveillance technology “could result in the FBI’s inability to protect the public from terrorism and other criminal activity because, through public disclosures, this technology has been rendered essentially useless for future investigations.” As a result, all parties involved in deploying surveillance technology—including the manufacturer, the FBI, the Department of Homeland Security, and state and local law enforcement agencies—are required to enter into a nondisclosure agreement about its existence and capabilities. In 2014, federal marshals stepped in and seized the documents when the American Civil Liberties Union (ACLU) filed a public record request with the Sarasota Police Department in Florida for information about the Department’s use of cell phone tracking devices. It is believed that the government’s ability to effectively use cellular surveillance technology depends on the technology remaining secret.

This strategy’s efficacy has been called into question: despite the US government’s determined efforts to shroud cellular interception technology in secrecy, the technology has nevertheless become widely accessible. As Pell and Soghoian point out, the government’s monopoly over cellular surveillance technology was largely due to its cost. However, cellular surveillance technology has become more affordable and available overtime. Devices similar to Stingray can now be purchased in the open market from online retailers. Furthermore, with the revolution in software-defined radio technology, researchers and hobbyists are able to develop their own cellular interception devices for only $1,500—just one percent of Stingray’s price. As a result, the government’s monopoly over cellular surveillance technology has vanished. Cheap interception devices like these allow anyone to intercept and listen to other people’s phone calls.

Unchecked cell phone surveillance can quickly get out of hand. A Newsweek article from last year reported that foreign intelligence agencies use invasive cellular interception devices to spy on the US government and corporations, according to an ex-FBI officer. As cellular interception devices become more available for purchase online, the average American faces increased security threats. In some cases, tech-savvy criminals even deploy their own versions of “Stingray” to eavesdrop on victims’ phone conversations.

Vulnerable cellular networks in the US are regularly exploited by bad actors. Yet, network operators have delayed upgrading cellular encryption algorithms, which are supposed to protect cellular communication from interception. A5/1, one of the most widely used algorithms, was created in 1988 and was proven to have critical security flaws more than a decade ago. However, it is still in use by major wireless carriers AT&T and T-Mobile for their 2G networks in the US. Upgrading to newer, more secure technology will not only protect networks from illicit surveillance, but it will also create challenges for US government agencies engaging in lawful surveillance. It will ultimately become more difficult to track a target’s cell phone with surveillance devices, such as Stingray.

Given the serious threat that the nation faces, the benefit of using cellular surveillance for law enforcement may no longer justify the cost of ignoring cellular network vulnerabilities and shielding information about cellular interception technology from public disclosure. Pell and Soghoian urge Congress to address cellular network vulnerabilities, and the surveillance technologies they enable, as an important part of the larger cybersecurity debate. Policymakers should consider options to build a stronger cellular network and adopt anti-surveillance technologies in order to safeguard citizens’ communications.

Article Source: Pell, Stephanie K. and Soghoian, Christopher. “Your Secret Stingray’s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy.” Harvard Journal of Law and Technology (2014).

Featured Photo: cc/(William Doran)

129 views
bookmark icon