When it comes to wireless surveillance, the federal government has some really neat tools. The FBI has discussed the domestic internet surveillance system Carnivore, and the CIA and NSA have discussed their global electronic surveillance system Echelon, with which the United States, the United Kingdom, Canada, Australia, and New Zealand can presumably intercept satellite, microwave, cellular, and fiber-optic communications around the world, run them through data warehouses, and gather and read private information. And in May 2001, just weeks after a European Parliament committee hearing on Echelon, the U.S. government released its annual wiretap report: In 2000, sixty percent of the 1,190 wiretaps authorized by federal and state governments were for wireless devices such as mobile phones and pagers.
While some of these government incursions fill legitimate national security requirements, others are based on the belief that the government should know everything on the off chance that something of concern is mentioned. As a former head of the New York FBI office once said, as part of a plea for renewal of wiretap privileges that had recently been removed because of abuse, “If your child were kidnapped, wouldn’t you want us to be able to know what the kidnappers were saying?” This was coupled with the belief that you shouldn’t worry about government surveillance if you have nothing to hide, and an apparently-genuine belief that the system is designed for the common good, and while abuses may have happened in the past – even in the recent and immediate past – they will not happen in the future.
While private industry may have difficulty securing its data from governments, it must still attempt to secure information from others in the private sector whose resources and capabilities may not be on a level with those of governments, but are still powerful, and are not constrained by the benign good nature of the government. Controlling and maintaining a secure information environment has become a security manager’s nightmare, and it will get worse: In three years there will be more than 800 million wireless data users in the world, and executives must act now to ensure that employees have wireless access to national networks, corporate servers, and each other.
While few have yet encountered serious wireless enterprise break-ins or hacks, as we noted in “Wireless network party lines” in the May 2001 issue of the Business Security e-Journal, this is a matter of timing and chance, not of adequate security levels. Every current danger existing for hard-wired line systems exists for wireless systems, but without the boundary of the lines. New forms of wireless communications will increase the number of threats.
Many believe that they need to focus on where computers and wireless devices overlap, but the truth is that you must defend against the entirety of the problems, not just the interface of the two, while actively monitoring for incursions and reacting to them.
The most vulnerable parts of wireless enterprises are where different networks connect. Many security features and standards currently in use were added as an afterthought to existing wireless protocols, and, even if adequate. Relying on any given wireless protocol to safeguard your corporate intelligence, rather than on a balance of technology, monitoring, and reaction, creates a possible opening for criminals (in which category we include corporate spies).