US Phone Spying: Integrity Does Not Switch On and Off

I am not a fan of Huawei and the Chinese government’s determination to supply every telecoms network everywhere, but they do have one argument which is difficult to ignore. Whenever they are described as a security threat, Huawei and China can point a finger at US leaders and telcos before making one simple observation: whatever you accuse us of doing, Americans did it first.

In September the Ninth Circuit Court of Appeals observed in United States v. Moalin that the NSA’s bulk collection of phone call records violated the law, and they did so whilst reviewing one of only four cases where the NSA has publicly said their phone spying program averted a terrorist attack. The world was already aware that US intelligence forces, and by extension their political bosses, had broken their own country’s laws. What was both new and damning was that the judges repeatedly stated that government claims about the efficacy of the bulk call spying program were “inconsistent with the contents of the classified record”. In other words, the spies and their masters had not only broken the law, but they also exaggerated the usefulness of the data they collected to avoid appearing foolish.

The court’s judgment was welcomed by the man who blew the whistle on US phone spying.

Time keeps moving forward, but we should avoid having a selective memory of the past. The benefits of the US phone spying program were overstated by a large number of US politicians of both major parties. Amongst them was President Barack Obama, who tried to win back the favor of the German people by telling them during a June 2013 press conference with Angela Merkel that:

This is not a situation in which we are rifling through the ordinary emails of German citizens or American citizens or French citizens or anybody else. This is not a situation where we simply go into the Internet and start searching any way that we want. This is a circumscribed, narrow system directed at us being able to protect our people. And all of it is done under the oversight of the courts.

And as a consequence, we’ve saved lives. We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany. So lives have been saved. And the encroachment on privacy has been strictly limited by a court-approved process to relate to these particular categories.

Obama was not alone in claiming that over 50 terrorist attacks had been prevented as a result of the NSA’s telecoms spying program. The most common claim was that 54 terrorist attacks were prevented. The NSA only had the confidence to offer details about four of those instances. One of those cases is the subject of United States v. Moalin, where the Ninth Circuit Court of Appeals made it clear that the illegal nature of the phone spying program was not important to the defendant’s case because the government had exaggerated the importance of the evidence gathered through the phone spying program. This begs a question about how many lives were really saved as a result of the illegal mass phone surveillance program defended by Obama and others.

I share all this because I believe some Americans are guilty of having a selective memory about the past transgressions of their telecoms companies. Those companies may have been told to act like spies by their government, but Ed Snowden can explain why being compelled to deceive is not consistent with choosing to be honest. So I was surprised to see Edward Amoroso, former Chief Security Officer of AT&T, taking to LinkedIn to give a sermon about honesty and integrity in politics as if he was oblivious to any major political phone spying scandals during his tenure. In an article entitled “How Cyber Security Should Influence Your 2020 Presidential Vote” he listed six requirements of security officers and political leaders. The last of these was:

Does the candidate possess the highest levels of honesty and integrity?

This is the most important skill in any cyber security leader. Without 100% confidence in the honesty and integrity of the candidate, the Board and C-Suite cannot possibly achieve its highest objectives for a meaningful cyber defense. This one personal attribute cannot be compromised ever – and if not present, should be viewed as a disqualifying trait.

If I was Chinese I would laugh scornfully at Amoroso’s supposed naivety. The leaders of the USA used telecoms networks to indiscriminately spy on millions of innocent people, both within their country and elsewhere. They broke their own laws. Obama went to Germany to apologize to Merkel for spying on her. First they lied about the extent of spying, then they lied about the benefits of spying. The lies were offered spontaneously. It has taken a lot longer to reveal the truth. And they claimed that they did this to increase security, not just in the USA, but in other countries too. After all this dishonesty, how can Amoroso now argue that honesty and integrity is vital to security? Has he simply forgotten about all those call records that AT&T handed over, and who they were handed to?

That phone spying program has now been halted but it can always be brought back. There are no excuses for Americans to be complacent about this matter. There has been far too much complacency already.

The choices made by Americans have ramifications elsewhere, just as the choices made by telcos can affect the privacy of everyone who uses their network, wherever they are based. I doubt Amoroso was thinking of the reception his article might receive outside of the USA, though he should. Telecoms is global, not national. You cannot be secure by being careful in one country if the same information is passed across an insecure network in another country. That is why it matters when a chunk of US traffic mysteriously gets redirected through mainland China. And it also matters that the USA spent several years engaged in a tone-deaf conversation about whether it was okay to spy on phone users so long as they are not US citizens. They might as well instruct other countries not to deal with US firms, just as the US recommends against using Huawei.

The sad truth is that the US has lost its right to moral leadership in the field of communications security because of its past behavior. They will not earn new respect by pretending they never lost it. That is true no matter who is elected President.

The rest of the world is not just a bunch of aimless people waiting to be told what to do by the next President of the USA. If Americans still have any money in future then people in other countries may sell things to them, and if Americans still make anything in future then people in other countries may buy from them. But if Americans want to lead they must practice what they preach, and that is also true in the domain of security. There are risks in buying from Huawei, but at least their equipment is cheap and works. Empty talk about integrity is even cheaper, but will not sell so well. It might be a while before the USA has a leader worth listening to, and a message that the rest of the world will buy.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.