Although the Bush administration calls it a vital weapon against terrorism, its domestic wiretapping effort could become a devastating tool for terrorists if hacked or penetrated from inside, according to a new article by a group of America's top computer security experts.
The administration has said little about the program except to defend it against charges it amounts to illegal spying on U.S. citizens. When news of the program broke in 2006, then-White House spokesman Scott McClellan called the program a "limited" effort "targeted at al Qaeda communications coming into or going out of the United States."
But documents submitted in an ongoing court case indicate the program involves data centers at major telecommunications hubs that siphon off and analyze billions of bytes of Americans' emails, phone calls and other data.
By diverting the flow of so much domestic data into a few massive pools, the administration may have "[built] for its opponents something that would be too expensive for them to build for themselves," say the authors: "a system that lets them see the U.S.'s intelligence interests...[and] that might be turned" to exploit conversations and information useful for plotting an attack on the United States.
The Office of the Director of National Intelligence referred a request for comment on the article to the interagency National Counterterrorism Center, which directed calls to the National Security Agency, which reportedly runs the program. The NSA declined to comment for this story.The White House referred calls to the NSA.
The [.pdf] article, slated to appear in an upcoming issue of the journal IEEE Security & Privacy, was written by six experts from Sun Microsystems, Columbia University, Princeton University, the University of Pennsylvania and California-based research giant SRI International.
The data centers for the classified program are reportedly housed in "secure" rooms within telecommunications hubs around the country, and connect to operations buried within the NSA's highly classified facilities. But judging by past breaches, the authors conclude this system could be compromised also from within or outside.
In 2004, hackers cracked a wiretapping function on a Greek national cell phone network. For 10 months, they intercepted conversations by the country's prime minister and its ministers of defense, foreign affairs and justice, and roughly 100 other officials and parliament members, the authors note. The hackers were never caught.
"Although the NSA has extensive experience in building surveillance systems, that does not mean things cannot go wrong," the authors state. "When you build a system to spy on yourself, you entail an awesome risk."
Just as dangerous is the possibility that an insider could access the system undetected, according to the experts. Poorly-designed surveillance technology used by the FBI relies on a "primitive" system to track people who use the operation to wiretap phone conversations, the authors say, creating what they call a "real risk" of an insider attack.
They note that convicted spy Robert Hanssen, one of the most destructive moles in the bureau's history, exploited similar weaknesses to steal information and follow the investigation into himself on FBI computers without leaving a trail.
Last August, a federal judge ruled the program was unconstitutional. The administration is appealing the decision. The Senate is currently considering a White House-backed effort to retroactively immunize telecommunications companies which have participated in the program from civil suits, several of which have been filed since the program came to light. The legislation, the authors say, would allow the program to continue without ensuring proper oversight, accountability and security, creating "a long-term risk."