A backdoor for anybody is a backdoor for everybody.
(DPST/Newscom)
For as long as law enforcement has sought a way to monitor people's conversations—though they'd only do so with a court order, we're supposed to believe—privacy experts have warned that building backdoors into communications systems to ease government snooping is dangerous. A recent Chinese incursion into U.S. internet providers using infrastructure created to allow police easy wiretap access offers evidence, and not for the first time, that weakening security for anybody weakens it for everybody.
Musk Says Cybercab to Cost Under $30,000
Subverted Wiretapping Systems
"A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported last week. "For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data."
Among the companies breached by the hacker group, dubbed "Salt Typhoon" by investigators, are Verizon, AT&T, and Lumen Technologies. The group is just one of several linked to the Chinese government that has targeted data and communications systems in the West.
While the Journal report doesn't specify, Joe Mullin and Cindy Cohn of the Electronic Frontier Foundation (EFF) believe the wiretap-ready systems penetrated by the Chinese hackers were "likely created to facilitate smooth compliance with wrong-headed laws like CALEA." CALEA, known in full as the Communications Assistance for Law Enforcement Act, dates back to 1994 and "forced telephone companies to redesign their network architectures to make it easier for law enforcement to wiretap digital telephone calls," according to an EFF guide to the law. A decade later it was expanded to encompass internet service providers, who were targeted by Salt Typhoon.
"That's right," comment Mullin and Cohn. "The path for law enforcement access set up by these companies was apparently compromised and used by China-backed hackers."
Ignored Precedents
This isn't the first time that CALEA-mandated wiretapping backdoors have been exploited by hackers. As computer security expert Nicholas Weaver pointed out for Lawfare in 2015, "any phone switch sold in the US must include the ability to efficiently tap a large number of calls. And since the US represents such a major market, this means virtually every phone switch sold worldwide contains 'lawful intercept' functionality."
Two decades ago, that mandatory wiretapping capability was subverted by hackers targeting Vodafone Greece. They intercepted phone conversations of the country's prime minister and high political, law enforcement, and military officials, among others.
Which is to say that nobody appears to have learned anything between the 2004 hacking of government-mandated wiretapping capabilities at a Greek telecom and the 2024 hacking of government-mandated wiretapping capabilities at U.S. internet service providers. Well, unless we're counting the Chinese hackers. They seem to have learned quite a bit from the earlier experience.
It should be needless to say, but let's say it anyway: this was all predictable and preventable.
'The Problem With Backdoors'
"The problem with backdoors is known—any alternate channel devoted to access by one party will undoubtedly be discovered, accessed, and abused by another," David Ruiz of the internet security firm Malwarebytes Labs wrote in 2019. He noted that cybersecurity researchers had been making that argument for years. They've been repeating themselves for years because their warnings appear to fall on deaf ears.
Even some believers in backdoors on specific devices concede that building wiretapping into whole communications systems is too dangerous to contemplate. A 2019 paper from the Carnegie Endowment for Peace's Encryption Working Group thought "some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed," but cautioned that compromising the security of what it called "data in motion" (communications networks) "would create a massive target for criminal and foreign intelligence adversaries."
Such foreign intelligence adversaries, for instance, as hackers sponsored by the Chinese government to penetrate U.S. internet firms.
So, just how dangerous was the Salt Typhoon hack?
'A Potentially Catastrophic Breach'
"The widespread compromise is considered a potentially catastrophic security breach," adds The Wall Street Journal. "It appeared to be geared toward intelligence collection."
China's state-sponsored hackers are continuously targeting U.S. infrastructure, including water-treatment facilities and the electricity grid. They've also penetrated pipeline systems. "The PRC's targeting of our critical infrastructure is both broad and unrelenting," FBI Director Christopher Wray warned in April, referring to the People's Republic of China.
The U.S. Cybersecurity and Infrastructure Security Agency cautionsthat "PRC state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States."
And yes, the U.S. government is probably returning the favor by hacking systems in China and elsewhere. But that will be cold comfort if the lights go out here because the feds essentially rolled out the red carpet for foreign infiltration of American networks.
The debate over information security has raged for years with people like Edward Snowden pointing out that law enforcement agencies can't be trusted with access to our communications, or to abide by the rules that theoretically define when and how they can snoop. Now we know that they aren't competent custodians of wiretapping systems that privacy advocates warned were open invitations to bad actors.
Salt Typhoon may have done enormous damage to American security by penetrating internet systems relied on by private individuals, businesses, utilities, and government agencies. If it leads to the end of government-mandated backdoors that offer easy access to hackers, some good could come of this.