Washington is nervous about cellphone spying. There’s no doubt about that.
The problem is, no one knows quite what to do about it.
Recent reports that surveillance devices known as IMSI catchers are quietly operating near the White House and other sensitive locations have sent lawmakers fishing for solutions. But as a panel of cybersecurity experts indicated in a congressional hearing Wednesday, there’s no easy way to detect the machines that malicious hackers and foreign snoops can use to secretly intercept calls and texts. In the meantime, everyone’s communications could be vulnerable.
“While awareness is important, it is simply not enough to acknowledge an issue needs to be addressed,” said Rep. Ralph Abraham (R-La.), who chairs the House Science, Space and Technology Committee's oversight panel. “Instead, we must also gain an understanding of the technological nature and complexity of disruptive technologies like IMSI catchers to alleviate the challenges they present.”
The devices, also known as cell site simulators or StingRays, trick nearby phones into connecting to them as if they were cell towers. In addition to intercepting communications, they can pinpoint a phone’s location.
While law enforcement agencies across the country deploy them in criminal investigations, a recent Department of Homeland Security study found evidence that some have been operating near federal facilities across Washington, as my colleague Craig Timberg reported this month. While DHS did not determine where they came from, the revelation added to long-standing fears that foreign spies or other adversaries are listening in on official conversations.
But it's clear from the House hearing that lawmakers' work to find a solution is just beginning. Here are a few key takeaways:
1. Catching an IMSI catcher is extremely hard.
Authorities have tools that can pick up hints that an IMSI catcher is nearby, but they aren’t very effective, witnesses said Wednesday.
“I’m not aware of any instance where a law enforcement agency has successfully tracked down one of these devices,” Jonathan Mayer, a chief technologist at the Federal Communications Commission’s Enforcement Bureau, told the subcommittee. Nor has the Justice Department prosecuted anyone for operating a cell site simulator, he added.
The challenge, Mayer said, was that there was no “telltale sign of cell site simulation . . . there are only indicia that give rise to suspicion.”
DHS has also acknowledged that it doesn’t have the technical capability to detect an IMSI catcher, multiple lawmakers noted.
Authorities can try to root them out by looking at anomalies such as unusual cell site configurations. But that approach suffers from a “‘spy-versus-spy’ phenomenon whereby improvements in detection technologies result in improvements in spoofing technologies,” said Charles Clancy, an electrical and computer engineering professor at Virginia Tech. “Any detection strategy would need to constantly evolve as adversary capabilities improve.”
2. All mobile users are vulnerable — including the president.
Democrats on the subcommittee said they were worried President Trump himself could get ensnared by a foreign intelligence service’s surveillance devices, especially in light of news reports that he uses a cellphone that isn’t equipped with sophisticated security features.
Rep. Don Beyer (D-Va.) asked the panel how Trump’s reportedly unsecured cellphone might put him at risk of being hacked or penetrated by foreign spies.
“Any senior official in any of the branches of government — and for that matter, any senior executive in the private sector — should take heightened precautions with respect to their telecommunications equipment,” Mayer responded. “There are possible attacks involving interception of voice and text messages … there are also cell site simulator risks. In addition, there’s an issue of security updates not getting delivered to consumer devices such that they could be remotely compromised. Anyone in a sensitive position should take heightened precautions.”
And the problem isn’t just restricted to government types. Mayer added that criminal uses of cell site simulators were “only limited by our collective imagination.” By intercepting private communications, he testified, criminals could steal people’s people's financial information, medical data or other personal details that could be used for fraud or blackmail.
3. Defense may be the best offense.
IMSI catchers work in part by getting phones to connect to 2G networks, whose security is notoriously weak. Clancy said wireless carriers that have already decommissioned 2G networks — and most have — should update their policies so that their phones connect only to more secure networks unless they’re roaming. Current iPhones, for example, don't have this capability, and Androids require users to take special steps to disable 2G. “This will address the majority of the security concerns around cellphone surveillance,” he said.
Congress can protect officials against the threats posed by cell site simulators by making sure that the services and devices it procures every year implement security best practices, Mayer said.
“Congress should condition its substantial wireless outlays on implementation of appropriate cybersecurity safeguards,” he said. Mayer added that the National Institute of Standards and Technology, which falls under the committee’s jurisdiction, could play a role by updating those standards.
"While it is worth spending time on attempting to improve detection of these devices, the far more effective focus for federal policy would be on defense," he said. “We know how to defend against the worst of these attacks."
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The man who called Russia's interference in the 2016 election a “true act of war” finalized plans for a meeting between President Trump and Russian President Vladimir Putin, The Washington Post's Anton Troianovski and Philip Rucker report. “We did indeed talk about Russian interference in the elections and I expect it'll be a subject of conversation between the two presidents as well,” national security adviser John Bolton told reporters in Moscow on Wednesday after meeting with Putin. Bolton declined to comment on his previous criticism of Putin's denial about Russian interference in the U.S. election, according to Troianovski and Rucker. “I don't really address what I've written in the past or what I've said on television,” Bolton said. “It's all out there. Right now, I'm an adviser to President Trump. It's his agenda that we're pursuing, and that's the agenda that I intend to advance.”
Yuri Ushakov, a foreign policy aide to Putin, said Putin and Bolton spoke “very briefly” about allegations of interference in the U.S. presidential election, Troianovski and Rucker report. “From our side, it was clearly stated that the Russian state did not interfere and does not interfere in domestic political processes in the United States, and most certainly did not interfere in the 2016 election,” Ushakov said, as quoted by Troianovski and Rucker.
Trump weighed in this morning:
Russia continues to say they had nothing to do with Meddling in our Election! Where is the DNC Server, and why didn’t Shady James Comey and the now disgraced FBI agents take and closely examine it? Why isn’t Hillary/Russia being looked at? So many questions, so much corruption!— Donald J. Trump (@realDonaldTrump) June 28, 2018
PATCHED: Lawmakers on the Hill continue to press their case against ZTE. Rep. Steve Chabot (R-Ohio), the chairman of the House Small Business Committee, said Wednesday that the combination of Chinese tech products' cheaper prices and the need for U.S. businesses to control their expenses is “a recipe for disaster.” Chabot made the comments during a hearing about the threat that Chinese tech giant ZTE poses to small American businesses. “Now let me clear, I don't believe for a minute that an American small-business owner would purposely buy a product that puts their own operations at risk, let alone jeopardize our national security,” Chabot said. “However, the problem is that most small businesses won't even know that they're using a product or service that's been provided by a nefarious actor.”
Andy Keiser, a national security expert and principal at the consulting firm Navigators Global, told the committee that Huawei and ZTE seek strategic advantage instead of financial profit. “Huawei and ZTE are not in this for a profit,” said Keiser, who also served as a staffer for former House Intelligence Committee chairman Mike Rogers (R-Mich.). “They're unlike any Western company. They're not beholden to shareholders. This is a strategic plan by the Communist Chinese government to at least have the capability to collect information around the world, and perhaps more concerningly, to turn off a switch in the event of potential conflict and create havoc that, you know, we don't even want to think about in this committee.”
PWNED: A program encouraging private companies to share information about cyberthreats with the government has hardly drawn any participants since it started more than two years ago, Nextgov's Joseph Marks reports. Only six companies and nonfederal organization share such information with the government under the Cybersecurity Information Sharing Act, according to Marks. “That’s compared with about 190 such entities and about 60 federal departments and agencies that are receiving cyber threat data from Homeland Security’s automated indicator sharing program, a Homeland Security official told Nextgov,” Marks writes. “That low figure for private-sector participation is an additional blow to the program, which has struggled to provide companies and government agencies with the sort of actionable cyber intelligence that was promised by the Cybersecurity Act of 2015.”
Rep. Jim Langevin (D-R.I.), who supported the bill, told Marks that he was hoping thousands of companies would be sharing data by now. Langevin also suggested that incentives may not be enough and the government could explore mandating information-sharing instead, according to Nextgov. “We need to get realistic about the fact that public-private partnerships haven’t yet borne the kind of fruit that we want,” Langevin said, as quoted by Marks. “Public-private partnerships are preferable but, at some point, good intentions will only get us so far.”
More cybersecurity news:
— Federal investigators posed as cryptocurrency launderers on Dark Web drug markets, identified vendors of illegal drugs and opened 90 active cases across the nation, Motherboard's Joseph Cox reports. Derek Benner, the acting executive associate director of U.S. Immigration and Customs Enforcement's Homeland Security Investigations, said in a statement released on Tuesday by the Justice Department that “HSI special agents were able to walk amongst those in the cyber underworld to find those vendors who sell highly addictive drugs for a profit.” “The DOJ announcement added that on Wednesday various law enforcement agencies arrested more than 35 alleged dark web vendors, including those allegedly selling cocaine, marijuana, and LSD,” Cox writes. “Investigators also seized quantities of Xanax and the high-powered opioid fentanyl. A number of the defendants are charged with weapon possession offenses.”
— A top cybersecurity official at DHS says U.S. businesses can generally take care of their own cyberdefenses but resisting cyberattacks from nation-states demands a “military-grade level of investment,” CyberScoop's Sean Lyngaas reports. Christopher C. Krebs, the undersecretary of the department's National Protection and Programs Directorate, said Wednesday that China, Iran, North Korea and Russia took cyberattacks to a new level in 2017, Lyngaas writes. “We’ve known for years that there are primarily four nation-state actors that are most active in the cybersecurity space, but push really came to shove” last year, Krebs said, as quoted by Lyngaas.
— Waheba Issa Dais, a Wisconsin woman who is accused of accessing hacked social media accounts to try setting up terrorist attacks, pleaded not guilty on Wednesday to charges of providing material support to terrorists, the Associated Press reports. “The FBI said its investigation found that Dais used hacked social media accounts to discuss possible attacks with self-proclaimed members of the Islamic State group, but authorities haven’t connected her to any attack plots,” according to the AP.
— More cybersecurity news from the public sector:
— The NotPetya cyberattack, which the United States and Britain say was carried out by Russian hackers, struck a year ago this week, and companies that were hit are still feeling the pain, the Wall Street Journal's Kim S. Nash, Sara Castellanos and Adam Janofsky report. “After NotPetya, FedEx has spent roughly $400 million in remediation and related expenses, the company told analysts in an earnings call last week,” Nash, Castellanos and Janoksky write. “At Merck, NotPetya temporarily disrupted manufacturing, research and sales operations, leaving the company unable to fulfill orders for certain products, such as the Gardasil 9 vaccine, which prevents cancers and other diseases caused by the human papillomavirus.”
— Facebook is investigating how external app developers used huge amounts of personal information from users of the social network, but the company is having trouble locating the data, the Journal’s Deepa Seetharaman reports. “Facebook is now trying to forensically piece together what happened to large chunks of data, and then determine whether it was used in a way that needs to be disclosed to users and regulators,” according to Seetharaman. “In cases where the company spots red flags, Facebook said it would dispatch auditors to analyze the servers of those developers and interrogate them about their business practices.” Additionally, the developers that Facebook contacts are under no legal obligation to comply with the company's probe, Seetharaman writes.
— More cybersecurity news from the private sector:
- House Foreign Affairs Committee markup of the Cyber Deterrence and Response Act of 2018.
- Deputy Attorney General Rod J. Rosenstein and FBI Director Christopher A. Wray appear before the House Judiciary Committee.
- Cyber Security Summit: DC Metro in McLean, Va.
- SIA GovSummit in Washington.
- National Homeland Security Conference in New York on July 9 through July 12.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphia on July 13 through July 16.
Mexico fans celebrate outside South Korean embassy:
Trump to Portugal's president: Will Cristiano Ronaldo ever run against you?
"Lowlife” late-night TV hosts with “no talent” parody Trump's insults: