February 2016 Newsletter
The Big Mo!
By Steve Bock, President & CEO
I committed Subsentio to three pledges to both the legacy Subsentio and Neustar customers as we entered into the acquisition.
- There would be no change in your service.
- We would introduce records production as a new service to legacy clients.
- We would expand our operational base.
And we did. But we accomplished so much more. We had to separate Neustar’s Legal Compliance Service business from Neustar. Not an easy thing to do. Within 60 days of the close of the acquisition we relocated our new employees to our new office in Chantilly, VA, established a new eastern data center to house the network solutions that would support the former Neustar customers, obtained those customers’ consent to service them, and if that wasn’t enough, we developed a brand new integrated communications program to support our new records production service.
We’re far from done.
Then there is the “Just-in-Time” (JiT) solution that both companies have sold in the past that never seems to work. We are going to focus on migrating those customers who have a Just-in-Time solution to a technical solution that is installed in the customer’s individual network. It requires a CALEA IAP controller on the customer premises connecting to our new GRID service. It is easy to install and test.
Subsentio never forgets that our primary goal is helping our clients meet their legal obligation to provide technical support for CALEA compliance, which is a pillar of public safety and national security. In 2015 Subsentio saw a significant increase in the number of FISA orders, which authorize surveillance in national security cases such as terrorist investigations. Does that tell you anything? Our pledge is to do everything in our power to help law enforcement protect the American people. We can only do so much. We need your help as well.
Products & Services
Solving The Challenge: HarborGRID
We were talking about Just-in-Time a moment ago. It’s going away – and high time. What will replace JiT?
Enter Subsentio’s HarborGRID, a “real time” VoIP and broadband technical solution for lawful intercept. A CALEA IAP device will reside within a client’s network, providing a high-performance, ultra-reliable alternative to JiT for a slight monthly increase. The added legal protection is well worth the extra pennies.
Once you’re on the GRID, you’ll never want to go back. HarborGRID is easy to install and requires a minimum footprint in a client’s network. The initial product offering will support broadband intercepts where the client’s subscribers are assigned IP addresses through RADIUS or DHCP methodology. Static IP address assignments are also supported. By the second quarter of this year the HarborGRID Solution will support 1 GHz or 10 GHz of traffic, whether transported by copper or fiber.
What’s special about HarborGRID? First, it provides CALEA capabilities by performing broadband intercepts for multiple sites. This is achieved by routing client IP traffic and DHCP/RADIUS traffic through the CALEA IAP to one of our network probe interface ports. Intercepted traffic is delivered in CALEA standard IAS format that can be directed back to Subsentio’s GRID location or directly to a law enforcement agency (LEA) collection system.
Second, it’s simplicity itself. Subsentio installs a CALEA IAP controller between the client’s network router and the Internet. The CALEA IAP controller connects to HarborGRID via the Internet.
Finally, it provides an on-site technical solution that is always ready to implement a lawful intercept for little more than what the customer is paying now for their Just-in-Time solution. HarborGRID will be available to all our Just-in-Time customers at the beginning of April.
CALEA Safe Harbor Testing Program
Believe it or not, neither federal authorities nor manufacturers of network hardware provide a simple, plain English set of guidelines for CALEA solution testing.
Subsentio decided to do something about it by creating a CALEA safe harbor test. Our test determines whether a CALEA solution installed in the network meets the specifications of an industry-published CALEA safe harbor technical standard. If the “safe harbor” standard is met, the government will regard the network as presumably compliant with the CALEA statute until some party (e.g. a law enforcement agency or privacy group) takes the unusual step of litigating the standard before the Federal Communications Commission.
The Safe Harbor CALEA Test Program is not acceptance testing as some service providers know it. Because individual networks may vary significantly, it is always possible that a network will not pass every element of the safe harbor test. So we measure success by degrees – major defects and minor defects. A significant failure to implement a lawful intercept, such as a lack of inbound or outbound call metadata, constitutes a major defect. A minor defect might be a redundant “event message” communicated to law enforcement during an intercept. In the event of a major defect the network would not conform to the applicable safe harbor standard. Subsentio would then work with the client to fix the defect as outlined in the Subsentio service agreement.
But note: It takes two to tango. Subsentio has 300-plus customers. With new installations, we conduct a very thorough test. Thereafter we want to test each customer annually. That’s almost one per day. For the annual testing we have abridged the test plan to focus on the primary surveillance capabilities. We need client technical support to do the test. Yes, we can conduct a continuity test to ensure that Subsentio’s network operations center “talks” to our probe or mediation device aligned with the client network. But for other tests, we need local technical support from the customer. That is why our Customer Care department constantly asks customers for updated technical contact information.
Help us help you. Our goal for 2016 is aggressive: a 15-minute intercept implementation following receipt of a court order. Together we can get there.
Compliance Policies & Procedures
The benefits of a merger. Back in the day, Neustar created a customer reference binder to help its clients navigate the procedures for submitting subpoenas for records production. Customer Care for Subsentio created a similar guidebook, but focused on a very different area of legal compliance: lawful intercept procedures. Now that Neustar Legal Compliance is part of Subsentio, the two areas have been combined into one complete book: the CALEA Compliance Policies & Procedures manual. If you are on the distribution list for this newsletter, you will receive an e-copy of the manual at the beginning of February. This book explains the “Who,” “What,” “Where,” “When” and “How” of the procedures you need to know for both records production and lawful intercept. It is important that you read it.
First of all the “Who”? That’s us, Subsentio. Certainly the individuals who were involved in the sales process and the original testing of the solution know “Who” Subsentio is, but we have clients who have been with us for almost 10 years. Many of our original client contacts may be long gone, in another job or in the happy CALEA retirement home. So, we would like your employees to have a brief overview of just who we are.
As to the “What”, Subsentio is known for its CALEA lawful intercept solutions. Neustar mainly focused on records production services but also provided their customers with lawful intercept services. Now, combined, our customers have to know how to contact us. We tell you. In fact we tell you on our website, www.subsentio.com and in the CALEA Policies and Procedures Manual. Print it out, because people forget and when an exigent circumstance arises, you’ll want to reach us quickly.
Now for the “Where”? We assiduously try to keep current with changes in customer staffs, but equally important are the network changes. We continually ask for network diagrams. Not to be a “pain,” but so we can assess if the technical solution we have installed in your network will capture traffic as planned. Guess what? Networks grow and change. Some of our customers have doubled or even tripled in size over the years. We need to know where the “Where” is in their networks.
You would think that “When” would be the easy one. When you receive a court order you need to contact Subsentio IMMEDIATELY. We give you a lot of ways to do so: telephone, fax, and email. Remember that time is of the essence. Law enforcement expects prompt implementation of court orders and subpoenas, especially in emergencies.
“When” is attached to “How.” We tell you how to transmit the legal documents to Subsentio. We tell you “How” to verify them. We explain “How” we validate court orders, “How” we implement lawful intercepts, etc. We even provide you with the required forms. You can find them in the Policies & Procedures Manual as well as our website.
So be prepared. Read the manual. Remember that our goal for implementing a lawful intercept in 2016 is 15 minutes. The records production goal is 72 hours. That’s why our Customer Care group is so conscientious about updating our records and training our clients in their responsibilities.
Rules & Regulations
Is the New Cybersecurity Act a Surveillance Act in Disguise?
In the recent Congressional rush to pass an omnibus spending plan and keep the federal government running for another year, House Majority Leader Paul Ryan quietly inserted a cybersecurity bill into the legislative mix. Then the whole package was signed into law. Privacy advocates described the last-minute Congressional surprise as a “surveillance bill.” They complain that it will let the government spy on Internet users in violation of their privacy rights.
Summary of the Cybersecurity Act
The Cybersecurity Act of 2015 (the Act) is a modified version of a longstanding Congressional proposal. The Act essentially: (a) permits CSPs to engage in real-time automated sharing of cyber threat information with the government; and (b) gives them liability protection for such voluntary sharing. Before a CSP shares a “cyber threat indicator” it must filter out any personally identifiable information that is “not directly related to the cybersecurity threat.”
The goal of the Act is to coordinate better defenses against cyberattacks without causing privacy harm. The central coordinating role is assigned to a component of the Department of Homeland Security called the National Cybersecurity and Communications Integration Center (the “CCIC”).
The Cybersecurity Act Provision on Law Enforcement
When the CCIC receives a cyber threat indicator it may share the information with other government agencies, including law enforcement agencies, for purposes of “reporting known or suspected criminal activity.”
This provision of the Act aims to catch the hackers who perpetrate cyberattacks. It is not to facilitate government surveillance. Under the Act, the government may not force a communication service provider to disclose cyber threat indicators or any other information. The government may view only the information it receives from the company.
In any event, the Act grants no new powers to law enforcement. Government agencies, including law enforcement agencies, have always been permitted to share communications, records, and other information for purposes of criminal investigations. The Act merely confirms that the interagency sharing rules are not altered by the sharing of cyber threat indicators.
Best Practice to Implement the Cybersecurity Act
If a CSP is caught in a cyberattack, it appears extremely unlikely that its disclosure of malicious code to the CCIC would further any law enforcement surveillance. Nevertheless, CSPs should carefully filter cyber threat indicators before sharing them with the CCIC. The resulting disclosure should contain nothing more or less than the cyber data needed to combat the attack.