Communication service providers in the US are generally required by the federal CALEA statute to equip their networks with hardware/software solutions that facilitate lawful electronic surveillance. CALEA solutions provide the technical capabilities law enforcement agencies need to conduct court-ordered surveillance in criminal and terrorist investigations. For example, a state police department may need to intercept the calls of a criminal suspect using a cell phone. Or the FBI may monitor the broadband signals of a terrorist suspect communicating on the Internet.

When employed by a law enforcement agency pursuant to a court order, electronic surveillance can solve crimes and save lives. In addition, CALEA can actually help make our digital lives more secure.

Some critics complain CALEA solutions weaken network security

Some critics of CALEA complain the statute endangers network security. They argue that upgrading a communication network with a surveillance solution creates a “back door” in the system that can be exploited by criminals or terrorists to spy on someone’s private communications. In their view, the government should not mandate such network “vulnerabilities.”

To be sure, any technology that provides network access – be it network software to enable E911 emergency location-finding, a deep packet inspection tool to balance network traffic, a VPN device that gives employees remote access to an enterprise network, or a CALEA solution – must be designed and operated in a strictly secure manner. That explains why trusted-third party CALEA service providers observe high standards of information security and physical security. Communication industry engineers also work diligently to keep their CALEA solutions secure. In a typical CALEA compliance program, only specially trained and authorized individuals can access the CALEA solution, and even then only in accordance with strict protocols.

To date there have been no publicly-reported cases in the US where an unauthorized person has hijacked a CALEA solution, even though the CALEA mandate has been in effect for as long as 23 years. The record of clean CALEA operation contrasts sharply with the many publicized cyber attacks that have commandeered other avenues of access to communication networks, as well as the networks of financial institutions, retail stores, government agencies, health care organizations, and other Internet-based entities.

A CALEA solution may enhance network security 

A CALEA solution differs from anti-virus programs and other cyber-security protection software. However, CALEA technology may improve network security in its own way. To see how, it helps to review the range of network security threats.

Criminals use communications networks not only to communicate with each other but to victimize other network users.  For example, “phishing attacks” prey on users by tricking them into complying with phony email messages that request personal financial information.  Just clicking on a link in an innocent-looking email can trigger a virus that takes control of the victim’s PC or mobile phone.  Foreign agents have used this type of deception to penetrate US networks and steal classified information, corporate trade secrets, and other private data.

Voice communications also figure commonly in criminal schemes.  Some fraudsters call senior citizens to talk them out of their savings.  Robo calls tempt people to call back a certain number to win a fictitious vacation or other prize.

Some criminal exploits misuse the communication network itself.  A denial-of-service attack can immobilize a web site or corporate email server by overloading it with messages.  Other crooks have illegally intercepted VoIP communications using tricks unrelated to CALEA.  Still other bad guys use fake identities to register for communication service with no intention of paying the bills.  Theft of service raises the cost of service for all users.

Terrorists leverage communications networks to cause even greater harm.  For instance, they cheaply rig cell phones to detonate homemade bombs.  State-sponsored terrorists have shut down critical infrastructure in other nations.  Virtually any group with a malevolent manifesto can use a communication network for purposes of propaganda, fundraising, radicalization, recruiting, training, and coordinating attacks.

In the above-described scenarios, whether the wrongdoers are classified as criminals, cyber criminals, or terrorists, they can be difficult to apprehend, especially if they employ anonymization technologies to hide their identities.  One of the best tools law enforcement has to catch them is lawful electronic surveillance.  If an authorized law enforcement agent, pursuant to a court order, can monitor a suspect on a network, the given crime or terrorist plot may be prevented or readily solved.  Lawful surveillance can gather ironclad evidence of a crime without harming the privacy of innocent communication users.

A complete security strategy should include a well-managed CALEA solution

Unfortunately, some communication service providers subject to the CALEA mandate don’t bother installing CALEA upgrades in their networks.  The compliance oversight leaves their customers and the networks themselves at risk.

As long as a CALEA solution is properly managed it can provide a valuable addition to a network security strategy.   The solution should be activated only in response to a valid court surveillance order. It should facilitate only the type of surveillance described in the court order. And it should be promptly deactivated at the end of the timeframe stated in the order.

If a criminal or terrorist on a network tries to attack other network users or the network itself, and the network architecture contains a well-run CALEA solution, law enforcement agents can catch the culprit faster than they otherwise could.  Simply put, a network that supports CALEA supports security for network users.