Reports surfaced last month suggesting that Carnegie Mellon University (CMU) has been helping the FBI crack Tor, the secure browsing application used by privacy-conscious Internet users for both legal and illegal activities. Normally, an academic institution assisting law enforcement in fighting crime wouldn’t raise any eyebrows, particularly if that assistance came in the form of responding to subpoenas. But this isn’t your average case. Beyond the complicated (and unclear) set of facts involved, CMU houses the Computer Emergency Response Team Coordination Center (CERT/CC), one of the world’s most important hubs for coordinating information about various cybersecurity vulnerabilities and attacks.
More than a month after the news first broke, the details are murky at best. Tor has alleged that the FBI paid CMU to crack the system’s anonymity feature. CMU’s own statement about the incident says that many of the media reports have been inaccurate, but acknowledges that the university — and by extension CERT/CC — complies with valid subpoenas that it receives (as it must). It also said that it receives “no funding for compliance.” The FBI has said that reports on the payment are inaccurate, but stopped short of saying no payment was made. And Tor has responded by saying that these vague responses raise a whole host of questions on their own.
The public saga leading up to the recent accusations began in July 2014, when Ed Felten, the then-director of Princeton’s Center for Information Technology Policy, noted that CERT/CC researchers at CMU had submitted a presentation abstract to organizers of the Black Hat security conference discussing a new vulnerability they had found in Tor. The timing of CERT/CC’s pitch to Black Hat aligned with a large-scale attack on Tor that lasted from January to July 2014, during which CERT/CC researchers shared only “hints” about the vulnerability they had discovered. As for the abstract, it was abruptly withdrawn in July when CMU failed to approve the content of the talk for public release.
Eyebrows were again raised in January 2015, after the arrest of a man who allegedly helped run Silk Road 2.0, a large online trading post on the dark web whose visitors often use Tor to access the site. At the time, some speculated that his arrest was tied to the attack against Tor in the first half of 2014.
Most recently, in mid-November, Tor accused CMU of accepting payment and assisting the FBI — in ways that indicate a warrant was not involved — to “attack hidden services users in a broad sweep, and then sift through their data to find people.” These allegations are hugely problematic for CERT/CC. For an entity that professes to be “a trusted, authoritative organization dedicated to improving the security of computer systems and networks,” finding and not disclosing vulnerabilities is a good way to undermine that trust. Exploiting those vulnerabilities is even worse.
But let’s take a step back for a moment. Why, beyond the obvious privacy concerns raised by Tor, is this such a big deal?
CERT/CC, and indeed the Computer Security Incident Response Team (CSIRT) community as a whole, is a pillar of global cybersecurity. (CSIRT is another term often used to describe the type of organization CERT/CC is.) Generally, CSIRTs are responsible for receiving, reviewing, and responding to computer security incident reports from a set of clients, which can include government agencies, private companies, security researchers, and ordinary Internet users.
Since the late 1980s, CERT/CC, as the name suggests, has been a major coordination center for global CSIRT activities. As a result, it has access to a wide array of incident information and vulnerabilities, which could, hypothetically, be used to help crack Tor’s anonymity feature. In addition, the organization — initially funded as a DARPA project and still funded with federal money — is largely transnational in nature and serves as the secretariat for national CSIRTs, more than 100 of which are distributed across the globe.
CSIRTs are increasingly referenced in international discussions as a key component in efforts to build global capacity to combat cybersecurity threats and develop norms of behavior among nations in the cyber realm. For example, the United Nations Group of Governmental Experts on cybersecurity suggested this summer that special teams authorized to respond to cybersecurity incidents, such as CSIRTs, should not be used to “engage in malicious international activity” and should not be the target of attacks. If CSIRTs are to be held out as off limits, they need to be impartial (like, say, the Red Cross) and cannot be political actors, lest they become legitimate targets.
CERT/CC, and many other CSIRTs around the world, collect information that can be very useful for both identifying and capturing criminals. They rely heavily on the trust incident reporters and vulnerability researchers have in the CSIRTs, trust that is garnered after developing close ties with the constituencies they serve. When a CSIRT is discovered, or even rumored, to be acting in a way that is negligent or undermines the network security of perfectly legal services, this bond of trust is fractured. Less trust means less information for CSIRTs.
To pour salt on the wound, the controversy around the latest story undermines the effectiveness of CERT/CC both to carry out its own duties and to assist the FBI in the future. Though it is often not explicit in documentation, a relationship between CSIRTs and law enforcement agencies is often assumed. Indeed, such cooperation can be helpful for both law enforcement and CSIRTs. Law enforcement can obtain important technical information about incidents from CSIRTs, which in turn helps law enforcement identify and pursue cyber-criminals. On the flip side, some industries (particularly in the US) have close relationships with law enforcement that result in law enforcement becoming an important reporter of incidents to the CSIRT. But if these two types of bodies are to have close working relationships, they should follow explicit and transparent guidelines in accordance with due process. If the FBI is engaging with CSIRTs to essentially break a feature of Internet security en masse, it is making its own life more difficult down the line by removing the legitimacy of a key ally in cyber-criminal investigations.
To be clear: This is not an indictment of CSIRTs working with law enforcement. As I explain in detail with my colleagues Isabel Skierka, Mirko Hohmann, and Tim Maurer in our recent report, cooperation between CSIRTs and law enforcement is not necessarily a bad thing. A comprehensive approach to addressing cybercrime would ideally meld the technical expertise and access CSIRTs have painstakingly developed with traditional law enforcement expertise found in agencies like the FBI. In fact, many national-level CSIRTs actually sit within law enforcement, intelligence, or national security organizations or have formal liaisons with those agencies.
Indeed, most in the CSIRT community seem ready to accept that CSIRTs have reached a point in their maturity where a formal, transparent relationship with law enforcement is practicable. This is because the quandary facing CSIRTs is one that has pervaded the American intelligence community for decades: Some activities simply do not pass the front-page test, meaning that some actions, when they come to light, will hurt the reputation of the organization. As New America Cybersecurity Fellow and Georgia Tech professor Peter Swire wrote earlier this year, the half-life of secrets is diminishing, and interactions like CERT/CC’s with the FBI are likely to become known much sooner than they would in the past. For the CSIRT community, which relies so heavily on trust for effectiveness, keeping their relationships with the government secret will be extremely difficult and may undermine their reputations once those relationships come to light.
The news of CMU’s possible assistance in compromising Tor’s most critical feature, anonymity, presents an opportunity for many to attack the integrity of CERT/CC and the researchers at the Software Engineering Institute. Bruce Schneier and others have been quick to point out that this incident has erased (or at least greatly diminished) CERT/CC’s hard-earned reputation as an honest broker. It is certain to be a warning to other CSIRTs around the world that they should transparently define their relationships with law enforcement agencies.
Regardless of how fault should be apportioned in this particular instance, the news comes as part of a larger trend in the CSIRT community. Once relatively apolitical, these technical teams are undergoing a process of politicization. National-level CSIRTs, many of which once resided outside of government in academic institutions and non-governmental organizations, are being pulled into government structures. At the same time, their relationships with law enforcement agencies are becoming closer and (to those outside of the agencies) more opaque.
What can be done to protect the credibility and neutrality of these important pillars in the network security ecosystem? The recommendations we outline in our report provide a roadmap:
- The first step to protect trust in these teams is to reverse the recent trend and not place them under the control of law enforcement and intelligence agencies. Such agencies are incentivized to use the tools at their disposal to investigate crime, collect intelligence, and pursue threat groups, and thus will often disregard the apolitical information coordination role CSIRTs play.
- Second, CSIRTs and law enforcement must more transparently define the terms of their cooperation, including how and under what circumstances they interact. They should also clearly define what kinds of information and expertise are exchanged and in what direction(s) shared information flows.
- Third, for CSIRTs to remain trusted brokers, they must clarify their mandates and missions. Traditionally, a CSIRT has placed remediating damage from incidents and returning systems to operation as top priorities. Is this still the case, or is CSIRT expertise being poured into combating cybercrime and assisting law enforcement agencies in developing tools and methods to discover criminals?
Finally, though not included in our recommendations in the report, to recover the trust it has recently lost, CERT/CC’s mission and role need to be clearly defined by the organization itself, its funders, its partners, and its constituency. Is it essentially a second US national CSIRT alongside the Department of Homeland Security’s US-CERT, or is it something closer to a private CSIRT that plays a role in maintaining global cybersecurity? If it is a global, non-government CSIRT, transparently defining its relationship with law enforcement, intelligence, and other political actors — both inside and outside the US — is all the more important.
In the end, the actions of the computer security professionals at CERT/CC who allegedly aided the FBI are somewhat understandable. Their overarching goal is to secure computer systems. The traditional CSIRT approach focuses on technical identification and remediation of incidents, in addition to promoting technical measures to protect systems from attacks in the first place. The goal of law enforcement bodies in cybersecurity is to lend a helping hand in preventing attacks from taking place by rounding up the likely and past perpetrators. That aligns with the CSIRT community’s goal. But the allegations of the researchers’ work (the cybersecurity applicability of which is dubious at best) to crack Tor demonstrate the damage that can be done when a CSIRT’s interaction with law enforcement is not openly and strictly governed.
The controversy surrounding this story represents something much larger than the alleged incident. CSIRTs are meant to be apolitical actors concentrating on computer and network security. The ramifications of politicization and muddied mandates could permeate up to states’ efforts to develop international norms of behavior in cyberspace, like those outlined by the UN Group of Governmental Experts, that rely on the integrity and independence of global CSIRTs. By undermining these norms before they take root, the FBI, and by extension the US government, undermine their own efforts to promote an open and secure cyberspace through norms for responsible state behavior.