In a major speech on Internet freedom last week, Secretary of State Hillary Clinton urged American tech companies to “take a proactive role in challenging foreign governments’ demands for censorship and surveillance.” Her call to action followed a series of dazzlingly sophisticated cyberattacks against online giant Google and more than thirty other major technology companies, believed to originate in the People’s Republic of China. Few observers have found the Chinese government’s staunch denials of involvement persuasive–but the attacks should also spur our own government to review the ways our burgeoning surveillance state has made us more vulnerable.
The Google hackers appear to have been interested in, among other things, gathering information about Chinese dissidents and human rights activists–and they evidently succeeded in obtaining account information and e-mail subject lines for a number of Gmail users. While Google is understandably reluctant to go into detail about the mechanics of the breach, a source at the company told ComputerWorld “they apparently were able to access a system used to help Google comply with [US] search warrants by providing data on Google users.” In other words, a portal set up to help the American government catch criminals may have proved just as handy at helping the Chinese government find dissidents.
In a way, the hackers’ strategy makes perfect sense. Communications networks are generally designed to restrict outside access to their users’ private information. But the goal of government surveillance is to create a breach-by-design, a deliberate backdoor into otherwise carefully secured systems. The appeal to an intruder is obvious: Why waste time with retail hacking of many individual targets when you can break into the network itself and spy wholesale?
The Google hackers are scarcely the first to exploit such security holes. In the summer of 2004, unknown intruders managed to activate wiretapping software embedded in the systems of Greece’s largest cellular carrier. For ten months, the hackers eavesdropped on the cellphone calls of more than 100 prominent citizens–including the prime minister, opposition members of parliament, and high cabinet officials.
It’s hard to know just how many other such instances there are, because Google’s decision to go public is quite unusual: companies typically have no incentive to spook customers (or invite hackers) by announcing a security breach. But the little we know about the existing surveillance infrastructure does not inspire great confidence.
Consider the FBI’s Digital Collection System Network, or DCSNet. Via a set of dedicated, encrypted lines plugged directly into the nation’s telecom hubs, DCSNet is designed to allow authorized law enforcement agents to initiate a wiretap or gather information with point-and-click simplicity. Yet a 2003 internal audit, released several years later under a freedom-of-information request, found a slew of problems in the system’s setup that appalled security experts. Designed with external threats in mind, it had few safeguards against an attack assisted by a Robert Hanssen-style accomplice on the inside. We can hope those problems have been resolved by now. But if new vulnerabilities are routinely discovered in programs used by millions, there’s little reason to hope that bespoke spying software can be rendered airtight.