ACLU Technologist: Algorithm to Protect Phone Calls Has Long Been Broken

(Washington, DC)  The algorithm used to protect phone calls is broken and government officials refuse to acknowledge this vulnerability because law enforcement exploits it for their own purposes, ACLU’s Principal Technologist Christopher Soghoian said yesterday.  Speaking at a Carnegie Mellon University forum held here, Soghoian said “it’s been known that the algorithm used to protect our phone calls has been broken. We’re still using that algorithm today.”

“Everyone’s communication is going over the wire in unencrypted form or very weak encrypted form,” which makes anyone who purchases certain equipment –including foreign governments--capable of listening to private calls, Soghoian said. What makes the problem more urgent now is that the easily-purchased equipment needed to eavesdrop on phone calls has plummeted in price over recent years from over $100,000 ten years ago to as low as $1,200 today.

This vulnerability in the phone system has not been acknowledged by either phone companies or the federal government because law enforcement relies on this security hole to eavesdrop on targets. “We haven’t seen any government officials warn the public,” Soghoian said. “The reason for this is that law enforcement is actively exploiting this system.”

This situation is a classic example of where “the offense and defense conflict” in cybersecurity practices and policies in the U.S. according to Soghoian. “You cannot have a system that is easy to spy on that is secure.”

Cybercrime has become the single most pressing cybersecurity problem because of the difficulties in identifying and prosecuting cyber criminals across the globe, Jody Westby, CEO of Global Cyber Risk said. “Cybercrime today has become the perfect crime” because criminals are seldom caught, arrested or jailed due to the lack of harmonized cybercrime laws around the world. “We have a situation where cybercrime has no borders but law enforcement does.”

Internet Security Alliance CEO Larry Clinton agreed.  “The attack team is getting better and better all the time.”

The rapid technological change that has moved the U.S. from a service economy to an information economy has fostered cyber insecurity for the time being, Matt Scholl, Deputy Chief of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST) said. “We have not caught up with the consequences of this change in technology.”

The cybersecurity framework released by NIST last month could change the cybersecurity calculus, Earl Crane, Senior Principal of the Promontory Financial Group, said.  “We’re already seeing the impact of the framework where organizations are already adopting the framework and using it.”

A shortage of cybersecurity experts exist, David Brumley, engineering professor at Carnegie Mellon, said, but even with more experts, the U.S. will be outnumbered by countries such as China.  “We need more cyber experts but more security experts are not enough.[W]e’re going to be outnumbered. What are you going to do when there are more of them than there are of you?”


Post a Comment

Note: Only a member of this blog may post a comment.

Twitter Delicious Facebook Digg Stumbleupon Favorites More