News broke this weekend that Chinese-backed hackers have compromised the wiretapping systems of several U.S. telecommunications and Internet providers, likely in an effort to gather intelligence on Americans.
Wiretapping systems, as mandated by a 30-year-old U.S. federal law, are some of the most sensitive on a telecommunications or Internet provider’s network, typically granting a select few employees nearly unlimited access to information. about your customers, including their Internet traffic. and browsing histories.
But for technologists who for years have sounded the alarm about backdoor security risks, news of the compromises is the “I told you so” moment they hoped would never come but knew would come one day.
“I think it was absolutely inevitable,” Matt Blaze, a Georgetown Law professor and expert on secure systems, told britcommerce of the latest commitments from telecommunications and Internet providers.
The Wall Street Journal first reported on Friday that a Chinese government hacking group called Salt Typhoon broke into three of the largest U.S. Internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access the systems they use to provide customer data to authorities and governments. The attacks may have reportedly resulted in a “vast collection of Internet traffic” from telecommunications and Internet giants. cnn and Washington Post He also confirmed the intrusions, and that the US government’s investigation is in its early stages.
The goals of the Chinese campaign are not yet fully known, but the Journal cited national security sources calling the breach “potentially catastrophic.” Salt Typhoon, the hackers in question, is one of several related Chinese-backed hacking units that are believed to be laying the groundwork for destructive cyber attacks in the event of an anticipated future conflict between China and the United States, potentially over Taiwan.
Blaze told britcommerce that Chinese intrusions into American wiretapping systems are the latest example of malicious abuse of a backdoor apparently intended for legal purposes. The security community has long advocated against backdoors, arguing that it is technologically impossible to have a “secure backdoor” that cannot be exploited or abused by malicious actors.
“The law says your telecommunications companies must make your calls interceptable (unless you encrypt them), creating a system that was always a target for bad actors,” said Riana Pfefferkorn, a Stanford scholar and policy expert. encryption, in a thread in Bluesky. “This stunt exposes the lie that the U.S. [government] You need to be able to read every message you send and listen to every call you make, for your own protection. “This system is putting you in danger, it is not protecting you.”
‘The only solution is more encryption,’ said Pfefferkorn.
The 30-year-old law that laid the groundwork for recent backdoor abuse is the Communications Assistance for Law Enforcement Act, or CALEA, which became law in 1994 at a time when cell phones They were a rarity and the Internet was still in its infancy.
CALEA requires any “communications provider,” such as a telephone company or Internet provider, to provide the government with all necessary assistance in accessing a customer’s information when presented with a legal order. In other words, if there is a means to access a customer’s data, phone companies and Internet providers must provide it.
Wiretapping became big business in the post-2000 era, following the attacks of September 11, 2001. The subsequent introduction of post-9/11 laws such as the Patriot Act greatly expanded surveillance and data collection. US intelligence, including on Americans. CALEA and other surveillance laws of this era led to an entire industry of wiretapping companies which helped phone and Internet companies comply with the law by wiretapping on their behalf.
Much of how those expanded wiretapping laws and provisions worked in practice—and what access the government had to Americans’ private data—was kept largely secret until 2013, when former NSA contractor Edward Snowden leaked thousands of classified American documents, widely exposing government actions. surveillance techniques and practices over the past decade, including the vast collection of Americans’ private data.
While much of the Snowden surveillance scandal focused on how the US government and its closest allies collected secret data on their top foreign intelligence targets, such as foreign terrorists and adversary government hackers, the espionage revelations of the US government caused a stir in Silicon Valley. technological giants, whose systems in some cases had been intervened without knowing it by US intelligence agencies. Silicon Valley collectively fought back, leading in part to the demise of years of secrecy and general obscurity over government-mandated wiretaps.
In the years that followed, tech giants began encrypting as much customer data as they could, realizing that companies couldn’t be forced to hand over customer data they couldn’t access on their own (although there is still some unproven legal exceptions). The tech giants, once accused of facilitating American surveillance, began publishing “transparency reports” detailing how many times companies were forced to hand over a customer’s data over a certain period of time.
While tech companies began locking down their products so that outside snoops (and in some cases even the tech companies themselves) couldn’t access their customers’ data, phone and Internet companies did little to encrypt the data. telephone and Internet traffic of its own clients. As such, much of the United States’ telephone and Internet traffic remains available for wiretapping under CALEA.
It’s not just the United States that has an appetite for backdoors. Around the world, there continues to be an ongoing and persistent effort by governments to push for laws that undermine, circumvent, or otherwise compromise encryption. Across the European Union, member states are working to legally require messaging apps to scan their citizens’ private communications for suspected child abuse material. Security experts maintain that there is no technology capable of achieving what the laws would require without risking nefarious abuse by malicious actors.
Signal, the end-to-end encrypted messaging app, has been one of the staunchest critics of encryption backdoors, citing the recent breach of American internet providers by the Chinese as the reason why the proposals European companies represent a serious threat to cybersecurity.
“There is no way to build a backdoor that only the ‘good guys’ can use,” Signal president Meredith Whittaker said. writing in mastodon.
Speaking of some of the more advanced tailgate proposals that have emerged in recent years, “CALEA should be considered a cautionary tale, not a success story, for tailgates,” Blaze said.