I was interviewed this week for an article in ITManagement.com about CALEA compliance.
Here is the full article and a link to the original at IT Management Calea Interview – Brad Slavin
Way back in 1994, agents at the FBI were getting nervous. They saw emerging digital and wireless communications technologies as one more reason to worry — and one more way for hardcore criminals to evade capture. That year, Congress passed CALEA (Communications Assistance for Law Enforcement Act) to ensure that the FBI and other law-enforcement agencies would be able to conduct electronic surveillance — essentially, legal wiretapping — on devices beyond landline telephones. Beyond fax machines, pagers and mobile phones, CALEA now also extends to broadband Internet communications and VoIP services.
Last year, the U.S. government required that all “telecommunications carriers” — which the FCC (Federal Communications Commission) defines as common carriers, facilities-based broadband Internet-access providers and interconnected VoIP service providers — be compliant with CALEA by May 14, 2007. That means that a carrier’s equipment, facilities and services must be capable of allowing law enforcement to perform electronic surveillance, which is also referred to as lawful intercept. Simply put: You get a subpoena, and you must be able to immediately execute a tap on the network and transmit the data to the law-enforcement agency that served the warrant. The tricky part is this: The government has put the onus on the telecommunications industry to determine CALEA standards and solutions.
“For a long time, CALEA seemed catered to VoIP and VoIP networks. It didn’t seem to apply to us, a broadband provider,” explained Brad Slavin, vice president of engineering at Skyriver Communications Inc., an ISP near San Diego with 3,500 business subscribers. “There’s no governing body — you may not even know that this is a prerequisite.” The ISP received clarifications on the mandate in February, and Slavin spent the 90 days before the deadline pushing to become compliant.
Complying with CALEA is easier said than done, according to a March 2006 report by the U.S. Department of Justice, which cites multimillion-dollar costs on the part of carriers — some of which may have no more than 1,000 subscribers — and disagreements over standards on the part of the government. Factor in the relatively unlikely chance that a carrier will be served with a warrant to execute a wiretap — in 2006, the feds authorized just 461 orders for a wiretap in all of the United States, according to the Administrative Office of the United States Courts’ 2006 Wiretap Report — and even the $10,000-per-day fine for noncompliance isn’t always very compelling.
“There are people who can spend 100 grand without blinking an eye to become compliant. But it’s basically equipment that sits on the shelf until you get a warrant. Since 1994, I’ve only seen two — the chances are slim of getting a subpoena,” Slavin said, describing the quandary many small ISPs face when weighing their options for becoming compliant with CALEA.
“There’s a gamble there. But if you come up sixes, boy, you could be in a lot of trouble. The fines can be more than four to six times than the cost of our device,” said Steve Shillingford, president and CEO of Solera Networks Inc., a Lindon, Utah, company that provides network monitoring solutions, including appliances designed to help companies meet their CALEA compliance requirements, as well as increase network quality of service.
The most recent statistics on industry-wide compliance from the Department of Justice are from March 2006, when it reported that after the FBI spent $450 million reimbursing carriers for modifying their pre-1995 equipment, no more than 20 percent of wireline switches and 50 percent of pre-1995 wireless switches were updated with CALEA-compliant software. However, 90 percent of post-1995 wireless switches are CALEA compliant.
Of course, when talking about digital communications, far more data can be intercepted than with old-fashioned wiretapping on the PSTN (public switched telephone network). So it’s important to note that CALEA applies only to intercepting in real time the same information that has long been allowed by court-authorized electronic surveillance: call-identifying information, like a phone number, and call content, which is “any information concerning the substance, purport, or meaning of that communications,” according to the FBI’s site AskCALEA. CALEA does not directly apply to stored communications, such as email.
Different Paths to Compliance
Skyriver’s Slavin explained that he had three options for becoming CALEA compliant. He could contract with a TTP (trusted third party), which would handle everything from tapping into the carrier’s network when it receives a lawful intercept request to transmitting the captured data to the law-enforcement agency. However, because Slavin’s ISP is geographically dispersed across three Southern California counties with six different points of egress in the network, the estimates from TTPs — $40,000 and more — were out of his range. Second, he could build the solution himself from a software product such as OpenCALEA, a peer-reviewed, open-source engine that captures network traffic data. But that left too many unanswered questions, such as what the data captured from a lawful intercept would look like.
His third option — and one that may also be most attractive to other geographically dispersed ISPs — was to buy a CALEA-specific appliance with a distributed architecture. He needed one that would interoperate with the lawful intercept services in the Cisco IOS software running on his Cisco routers. He chose the Solera Networks CALEA Appliance in part because he can use it to perform network-intercept tasks beyond lawful intercepts. All told, he spent only about $9,000 to make Skyriver CALEA compliant, which he attributes to not having to install a box at each egress point, a requirement made by the TTPs he investigated. In the end, he said that the most complicated part of meeting the CALEA mandate was “filling out the forms for the FCC.”
OpenCALEA and Solera Networks are not, of course, a carrier’s only choices. Larger ISPs may prefer contracting with a TTP such as VeriSign, which offers NetDiscovery Lawful Interception Services for voice networks and advanced technologies. SS8 Networks has its Xcipio Lawful Intercept Platform, which supports wireless and wireline networks, as well as VoIP and 2G/3G wireless data. Apogee Software Inc. offers its Secure Intercept Service for both carriers and higher-education institutions. These are but a few companies that have sprung up to meet the demand for compliance services.
The Search for Standards
One factor frustrating compliance is the lack of standards, which are being driven by bodies such as ATIS (Alliance for Telecommunications Industry Solutions). For example, there is no standard for the format in which captured data is transmitted to law-enforcement agencies. Right now, most solutions use TCP Dump or PCAP Dump data, which can be read by almost every networking forensics application. ATIS is also working on standardizing how an authorized tap should be implemented and how data should be mediated back to a law-enforcement agency.
“Conforming to an open standard is imperative,” stated Shillingford. “It will be easier and more convenient for both sides to be compliant.”
Picking at Privacy
Like every piece of legislation ever passed that could impinge on a citizen’s right to privacy, CALEA has its detractors. The EFF (Electronic Frontier Foundation) believes that the culmination of CALEA is that the U.S. government will end up dictating functionality in technology.
Perhaps CALEA’s most notable critic is U.S. cryptographer Dr. Whitfield Diffie, a pioneer of public-key cryptography who currently serves as Sun Microsystems Inc.’s chief security officer. In a 2006 paper for the Information Technology Association of America, Diffie and his co-authors wrote, “The real cost of a poorly conceived ‘packet CALEA’ requirement would be the destruction of American leadership in the world of telecommunications and the service built on them. This would cause enormous and very serious national-security implications.”