Flickr user Andrew Hart

What's the One Thing Cyber Hawks and Privacy Advocates Can Agree On?

Exploiting wireless network vulnerabilities for law enforcement purposes is a bad idea.

In a June 2014 study, Government Business Council asked 318 federal officials to list the top mobile security threats facing their agency. Perhaps unsurprisingly at the time, wireless network vulnerabilities ranked low on their lists, well behind behind malware, unsecured mobile applications, and human error. Nevertheless, recent revelations that U.S. networks are far less secure than previously thought are likely to turn a few heads.

Articles in the Harvard Journal of Law and Technology as well as Newsweek and Wired have brought to light allegations that criminal organizations and foreign governments, as well as domestic law enforcement agencies, are exploiting persistent vulnerabilities in the nation’s 2G wireless network to hack into Americans’ cell phones.

Although cyber security experts and civil liberties activists don't agree on much, both are speaking out about the potentially dangerous consequences of allowing these vulnerabilities to remain unaddressed.

Using devices known as International Mobile Subscriber Identity (IMSI) “catchers” (also known as “Stingrays”) that disguise themselves as false cell towers, operatives can hone in on a mobile phone’s unique signal, track its location, listen in on conversations, and even siphon away sensitive data.

Stingrays capitalize a glitch in 2G networks that prevents mobile phones from authenticating that the cell tower they’re connected to is real. And while this glitch was resolved in 3G and 4G networks, it’s possible to jam 3G and 4G signals and force devices to revert to running on 2G. Once too expensive for all but the best-equipped national law enforcement agencies, IMSI catchers can now be manufactured for as little as $1800 and a bit of technical know-how.

In early July, Rep. Alan Grayson (D-Fl) issued a letter to FCC Chairman Tom Wheeler expressing concern that the democratization of Stingray technology could raise serious security and civil liberties challenges. “It is extremely troubling to learn that cellular communications are so poorly secured and that it is so easy to intercept calls and track people’s phones,” said Grayson.

In response, Wheeler announced the formation of a special task force to investigate illegal Stingray use with the goal of developing “concrete solutions to protect the cellular network systematically from similar unlawful intrusions and interceptions.” Added Wheeler, "The task force can also leverage the agency's risk responsibility with our federal partners at the DOJ, FBI, and DHS in order to clamp down on the unauthorized use of these devices and promote consumer privacy."

But despite the FCC’s calls to “combat illicit and unauthorized use of IMSI catchers,” the press release gave sparse details regarding their ongoing use as a legitimate law enforcement tool. From the perspective of the Electronic Frontier Foundation and American Civil Liberties Union, these activities can infringe upon Americans' rights under the Fourth Amendment, as authorities often rely on “general warrants,” used to conduct broad surveillance activities without a defined target.

Cyber experts agree that the federal government should scrutinize the use of IMSI catchers, but for a totally different reason. According to Stephanie Pell, assistant professor and Cyber Ethics Fellow at West Point, the law enforcement benefits of Stingray technology come at the cost of undermining efforts to harden the nation’s wireless infrastructure against cyber threats:

“Given the serious cyber threats our country faces, the surveillance benefits realized by law enforcement through the use of IMSI catchers can no longer justify ignoring the cyber security weaknesses in our communications networks that enable their operation. Indeed policymakers should take a dim view of any aspects of national surveillance policy and practice that rely upon perpetual network vulnerabilities.”

Essentially, the same vulnerabilities that make it easier for law enforcement to track down suspects also make it easier for foreign operatives or cyber criminals to conduct political or corporate espionage. And while the FCC task force certainly represents a step in the right direction, says Pell, simply targeting the illegal use of IMSI catchers without resolving the broader network issues will result in merely a stopgap solution. 

This means that federal agencies interested in expanding mobile options -- both for secure and non-sensitive data environments -- will need to look to mobile technologies with robust authentication and encryption capabilities. In the long-term, however, there is no substitute for addressing the network vulnerabilities themselves.

Read the complete GBC report to learn how federal agencies are striking a balance between flexibility and security. 

Disclaimer

This post is written by Government Business Council; it is not written by and does not necessarily reflect the views of Government Executive Media Group's editorial staff. For more information, see our advertising guidelines.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.