David MacMahon, director of Homeland Security and Critical Infrastructure Protection, Bell Security Solutions, has more than 20 years experience in security risk and intelligence, with the military and the public and private sector. A recognized authority in telecom security, infrastructure protection, intelligence threat analysis and operational risk management. He was the principal threat risk analyst for the National Assessment on Cyber Threat and is a published author on the subject. He was also consulted on the drafting of the Government Security Policy and the Lawful Access legislation that we are expecting soon. Dave has an engineering degree. From the perspective of a modern telecom company, he discusses some of the real world issues that need to be considered in the concept of lawful access.
Technology has evolved and privacy issues discussed include access issues, cost and recovery. To their credit, law enforcement agencies are now airing the issue in public for somewhat public discussion. To a certain extent, public policy is sort of playing catch up, in a way.
Communication intercept is as complex as any engineering discipline, any business activity. Bell manages 27 million connections, so it has an interest in communication intercept.
The subject is the matter of convergence from analog world to digital world, which has a grave impact on law enforcement and the telecom industry.
We are also now going to another evolution, which is convergence: the convergence of traditional telephony, Internet, wide bands, wireless. Everything is converged very rapidly; everything is on the Internet, it’s all in the interconnection of networks per se.
This has not only technological implications, but also social implications. It has implications for the threat (of the) environment, the targets that are presumed and where the lawful access exactly is implemented. You probably will not see it within the lawful access legislation itself; it’s an underlying technological issue of enormous proportions.
Policy and legislation tend to lag technological development. (We are) trying to rationalize the spirit of what we want to do with the practicality and the way it is actually done.
We’ve gone through a number of innovations and lawful access is one opportunity to do this. And one of the benefits is perhaps the application of real standards that we push down to people who actually have to implement this.
It’s pretty difficult with lawful access legislation to bring it down to technicians and say, ‘you have to implement this’. It’s a huge gap to overcome.
Again, the devil is in the details. It’s not just a question of someone coming and saying, ‘let me read this’, or ‘give me access to this’. It’s a question of interface requirements, a question of transport processing, how much processing, what is the configuration and management, how you co-ordinate that, how you manage that, how you oversee it.
Whenever you connect two organizations together with a piece of fibre, you connect not only the technology in the systems, you’re connecting people and processes and that technology process, their social environment, the policies in which they are bound, and a whole bunch of other issues including shared risks.
There’s the question of cost-sharing. Where do you draw the line? This is a matter of great debate. A good level of processing is required. Which standards are you going to adhere to? You can’t have one police force saying ‘I want all interception real-time format or quick time format’ and the other saying ‘I want them analog.’ That is a judiciary nightmare. It eclipses all the other issues.
The concept about a paradox in security. By its very nature, any type of access to the system opens up a security hole. You then have to spend extra effort to put safeguards – technical, procedure, personnel, fiscal safeguards – to get back up to where you started.
In this day and age, when carriers are also providing security services to people and at the same time…in defining lawful access legislation, it’s a very fine balance for assuring the people you are providing services to, that their network is secure, you’re protecting their privacy and at the same time you are able to execute lawful orders.
So this is a balance that has to improve internally on an operational level all the time. It’s also a question of liability that falls within that: where do the responsibilities lie in the occurrence of inadvertent intercept? How do you handle this? You can’t deny that they will never occur.
The introduction of a new system, for example, has liability repercussions. How do you plan for that from the business management point of view?
It’s also instituting best practice. We have best practice for security. We need to see similar best practices for lawful access, sort of level of guidance and reference so that everyone knows where they stand.
The last thing is outsourcing. In some countries a lot of lawful access is held by the state. What part of the work is done by telecos and ISPs and what part of the work is done by the state?