Swing and Miss

A recent post by my friend and fellow blogger Will Folks is an unfortunate conspiratorial regurgitation akin to that of the global warming crowd.  Will writes that the British “Interception Modernisation Programme” (IMP – also known as “Mastering the Internet”) by the Government Communication’s Headquarters (GCHQ) will

grant the British government the ability to store, track and monitor every private telephone call, text message, email or Internet browsing session in the country.

Will and those with a Big Brother paranoia are making three mistakes.

First, there is a lack of appreciation for the world communications environment and the absolute need for new and innovative approaches to combat our adversaries.

I’ve written recently that the digital information environment has grown exponentially.  A generation ago, the communications of governments – and their respective militaries – were transmitted on exclusive radio and telephone networks.  Frequencies were set aside especially for those uses and no one else was allowed to use them.  Special telephones were reserved for use by government officials distinct from those used by the general public. Although these practices are still in place to some extent, it’s not done nearly as much as it once was.

I quoted LTG Keith Alexander, Director of the National Security Agency (NSA) and GCHQ’s sister organization:

During World War II and coming up to today, the networks are pretty much separate. Point to point circuits, analog circuits. Everything was going good. Now what’s happened? The digital revolution. We’ve put all that on one network. Our government, our private, our industry, our allies — all on one network.

We don’t have a network that we defend on, a network that we exploit on, and a network that’s attacked on, or a network for one and a network for the other. And it’s not just the U.S. It’s not just the government, not just industry, it’s all of us. All together.

And what’s on this network today …? Everything. America’s business and government runs on that network. Everything that we do. All our stuff. Medical records, everything. Our national security’s on there, and our allies. So that’s the problem.

Now, encryption software can be applied to commercially-produced communications equipment that allow the highest ranking officials to communicate on the very same networks used by everyone else.  President Obama is using his Blackberry, albeit with some NSA-provided encryption to keep his communications secure from eavesdropping and intrusion.  Secretary of State Hillary Clinton used her cellphone to rescue negotiations between Armenia and Turkey.

The communications of military members in the field – via cellphone – have become problematic because of the potential security risks.  Inadvertent disclosures of locations or missions or other information can be used by adversaries listening in.

Cell phones are used to detonate improvised explosive devices (IEDs) over commercial networks just as easily as people use them to remotely turn on the lights in their homes, browse the Internet or make restaurant reservations.

Terrorists are communicating on the same cellphone and Internet networks and systems used by national and local governments, companies – from the largest corporations to the Mom-and-Pop stores – international universities and rural schools, doctors and hospitals, churches and you and your children.  Think about that.  Your fifth grader is using the same – the very same – communications network that Mullah Omar and Osama bin Laden use.

OH… and the same as international organized crime groups (the Ndrangheta, Camorra, Cosa Nostra, Triads, Russian Mob, etc.), U.S. gangsters and gangs, pedophiles, NAMBLA, the Chinese military, hackers, idiots and others that want to do us harm or have nefarious intent.

LTG Alexander also gave these statistics, taken from industry – not government – sources:

These numbers reveal a second mistake – the willingness to believe that such a massive undertaking “to store, track and monitor every private telephone call, text message, email or Internet browsing session in the country” can actually be done.

Will himself noted “every day in Great Britain approximately 3 billion emails are sent – meaning that this system will have to track well over a trillion emails each year.  And that’s before it starts snooping on citizens’ phone calls, text messages and Internet visits.“

Yes, there are means by which high value communications can be filtered from the chaff of birthday messages to grandchildren, spam, and dinnertime calls from charities.  And that’s the key.  Those filtering techniques are used to narrow the volume to the most salient communications as well as their origins, i.e. nationality.  Billions of dollars (or pounds sterling) spent on sophisticated systems are wasted if it’s spent on a vacuum cleaner approach that does nothing to extract the real intelligence from real bad guys.

Think about it like this: Millions of automobiles traverse the nation’s highways everyday.  Police units are there, using various methods to monitor that traffic.  They don’t stop every automobile, truck or motorcycle, but those they have reason to believe have committed some offense.  Sometimes they get tips and are on the lookout for a specific vehicle or one fitting a certain description.  Sometimes they observe the offense as it happens.  Occasionally, they make mistakes.  Such is the nature of the business, but has that highway surveillance kept you from traveling?  Do you feel your rights are violated because a highway patrolman is parked on the median with a speed gun?  Annoyed, maybe, but violated?  And when you learn that the cops have pulled over a drunk driver before he killed someone, do you pine for that driver’s violated rights or are you thankful that he was stopped?

Whether it’s on the vehicular or  information superhighways, there’s a lot of traffic out there and not all of it is innocent.

And then there’s the third, mistake, an automatic assumption that GCHQ (or NSA) will disobey the law.  It is illegal for GCHQ to conduct surveillance against British persons without properly vetted permission from a specially-designated court unless that person is documented as an agent of a foreign power.  And the definition of “British person” is an individual, company or other British entity.  The same law applies to NSA and U.S. “persons.”  As an idea of how constrictive this caveat is to intelligence collection, consider this:  If a terrorist boards a plane belonging to a U.S. carrier (American, United, etc) in Cairo, NSA cannot conduct surveillance against that person while (s)he is aboard that airplane unless and until (s)he has been specifically identified and permission – akin to a warrant – has been given.  If that terrorist flies to Paris and checks into a Hilton (U.S.) hotel, the same laws and apply.  GCHQ has the same limitations regarding British “persons.”

Now, the natural response is to question GCHQ’s/NSA’s adherence to the law.  As LTG Alexander said at the RSA Conference in April:

…we have great oversight. We self- report when we make a mistake. We do make mistakes. And if you think about software and the environment that we’re working in, these mistakes are something that you probably understand better than anyone. Vulnerabilities in code is a mistake and when those vulnerabilities happen, things happen on the network and we take that as an issue that we then take up to our overseers. We self-report. We fix it. And we tell them what we’re doing.

Believe what you wish, but LTG Alexander, GCHQ Director Iain Lobban, the executive management and (some may say, more importantly) the attorney’s for both agencies are adamant about following the law.

There are many more things British and Americans have to worry about than GCHQ and NSA and GCHQ and NSA have far too much to worry about than you.