IS YOUR LAWFUL INTERCEPT SOLUTION SECURE?
Communication service providers are sometimes served with court orders to implement lawful electronic surveillance – known as lawful intercepts or “LI” — on criminal suspects using their networks. These CSPs typically prepare for the judicial demands by equipping their networks with LI solutions, as required by the CALEA lawful surveillance statute. But are those solutions secure?
If your LI solution falls victim to a security breach, the resulting liability could be devastating. The judge that ordered the LI could fine you for disobeying the order. The Department of Justice could prosecute you for noncompliance with CALEA. A Federal Trade Commission investigation may determine you failed to observe “reasonable” security measures and thereby compel you to sign a consent decree forcing you to pay a monetary penalty. The Federal Communications Commission may impose more money damages on the theory that you improperly disclosed “customer proprietary network information” (i.e. customer account information). And the communication subscriber whose privacy was infringed may file a civil suit.
To avoid the above-described nightmare scenario, a CSP should keep its LI solution as secure as possible. Subsentio has established a set of best practices for the operation of its LI services. By striving to maintain these high standards we believe we provide our clients with the highest possible cyber security protection. A proper LI cyber security program requires close attention to the LI solution itself, the staff that operates it, and certain surrounding practices. For each of the three categories, the following provides a brief checklist of security measures that all CSPs should consider.
A. Install an LI solution with strong security features
- Passwords & authentication: LI operations should be managed by the principle of least privilege (“POLP”), which limits each user to the minimum access privileges needed to perform his or her job. Access controls for the users should use two-factor authentication.
- Encryption: All LI data should be transmitted, both within the network and on the external delivery interface, with strong encryption.
- Host hardening: The LI solution device(s) should be equipped with a robust host intrusion detection system to guard against unauthorized users.
- Network hardening: The network should contain properly-configured firewalls and use routing methods to keep the LI functionality and data segregated from all other network activity.
- Network monitoring: A network monitoring system, including a network intrusion prevention system and a network intrusion detection system, enables you to see which users enter and exit the network and when. The system also monitors uptime and downtime on different devices and gives visibility into broadband utilization and link status.
- Dedicated solution: The LI solution should be dedicated to LI purposes only. Trying to leverage the LI device for commercial uses such as traffic monitoring may expose the equipment to unauthorized use or operational risks.
B. Hire and train an LI staff to meet high security standards
- Background checks: Some background checks are more thorough than others. For any employee hired to operate a device as sensitive as an LI solution, a comprehensive check should be performed by a professional screening firm. The search should inquire into work history, education history, credit history, criminal records, and home addresses. A drug test is also recommended. All checks should be successfully completed before the employee’s start date.
- Physical security: The LI staff should work in a space isolated from other employees, ideally with their own access-controlled entry system.
- LI training: The LI staff should be trained by the LI solution vendor on the workings of the system so they can participate in any needed troubleshooting or recovery from a cyber attack. They should also learn how to validate law enforcement emergency requests, which are used when there is no time to obtain a regular court order.
- Government Clearance: Although no law requires an LI staff to obtain security clearances, if the CSP is served with a Foreign Intelligence Surveillance Act (“FISA”) order, which is used in national security investigations, having a cleared employee on staff would make the process faster and more efficient. Assume time is of the essence in any national security investigation.
- Confidentiality: LI work requires complete confidentiality. The staff should not discuss its LI activities with anyone else, including fellow employees.
- Storage of records: The FCC requires certain record-keeping of LI cases to comply with CALEA. Because these records contain case-sensitive information they must be securely stored.
- Potential Breach reporting: Any compromise or potential compromise of an LI must be reported to law enforcement.
C. Observe a full LI security management program
- Testing: Once the LI solution is installed it must be tested. The communication features to be tested will vary depending on the type of network (e.g. broadband, wireless, VoIP) and the communication features offered on the given network.
- Periodic testing: As we know, communication networks evolve over time. A network change may disable or impair the workings of the LI solution. For this reason the network operator should schedule periodic testing of the solution.
- Software maintenance: Like most forms of software, an LI solution requires maintenance. Any LI licensing agreement should arrange for patches, updates and upgrades as needed. Specifically, all security patches and updates for all LI platforms must be installed and kept current.
- Penetration testing: In a penetration test, an external entity searches for cyber vulnerabilities in the LI solution and tries to “hack” into it. The Department of Homeland Security offers external penetration testing for free. Private cyber security firms also offer the service. It can be an effective test to defend against hackers and identify network security deficiencies.
- Security policy: the LI security policy should be included in the CSP’s written network security policy, which should implement industry standards such as ISO 27001 or NIST SP 800 series.
- Cyber security insurance: This specialized form of insurance can mitigate losses from cyber crime, other types of cyber breaches, and cyber accidents that may create legal violations and/or network damage. Although critics question whether cyber security insurance is worth the money, Subsentio has a cyber policy because we consider it one useful component of a complete cyber defense. The policy will protect our clients in the unlikely event that a Subsentio LI solution is breached.
When it comes to your LI solution responsibilities, you cannot just “set it and forget it.” Maintaining LI capabilities in a secure manner requires a rigorous, ongoing compliance program.