“I’ll tell you as much as I can.” It’s an intriguing opening remark from Rodney Joffe, a top cyber security adviser to the White House and a senior VP and technologist at analytics firm Neustar. Joffe has met President Obama and is in regular contact with various US government agencies, including the Office of Science and Technology Policy (OSTP).
Joffe’s accomplishments include leading the Conficker Working Group (a coalition of security experts working to defeat the Conficker worm), sitting on the US government’s cyber security intelligence panel, and in 2013 receiving the FBI director’s award for outstanding cyber investigation for his role in uncovering and taking down the Butterfly Botnet.
Joffe believes that since Obama took office in 2008, the issue of cyber security has become one of the administration’s top priorities, and rightly so. He cites the conflicts in Ukraine and the Middle East as ones where social media is playing an increasingly influential role, and argues that Wikileaks and the revelations from NSA whistleblower Edward Snowden have dramatically changed the way that governments look at security.
“These things have existed since the Cold War but all of a sudden the Snowden revelations have made the public much more aware of what is going on,” he says. “But what becomes more visible to adversaries with these leaks is not so much the information but the techniques that are critical to national security. So now many countries are developing different methods and techniques in order to still have visibility of the actions of the bad guys,” he adds.
But what about the good guys? Some of Snowden’s latest documents suggest that online polls could be rigged and that social media feeds are manipulated to make people think certain things – where should the line be drawn?
“I’m sure it is a concern internationally and as a US citizen it would be a concern for me too if those things were going on. Are those things possible? Absolutely, they are possible, and not just for bad guys but for good guys too,” he says.
But when asked whether the alleged NSA and GCHQ surveillance practices exposed by Snowden are necessary, Joffe says that he hasn’t seen any of the Snowden documents.
“Because of the position I’m in, I’ve not seen any of the Snowden documents. It’s one of those things that you have to be very careful of in that field because a lot of information may be classified. So if anyone has any kind of security and classification background, you are prohibited to look at information that you’re not allowed to look at,” he says.
“I’m one of a group of people that have never actually looked at or read about the specific documents that have been leaked. I don’t read the Guardian, Wall Street Journal, New York Times or Washington Post – I hear second-hand reports but those aren’t really definitive,” he adds.
But while Joffe may not be familiar with Snowden’s documents, Snowden and his supporters certainly know about the firm Joffe works for, which has been accused of being part of the NSA’s mass surveillance project.
Neustar has more than $900m (£528m) in annual revenue and provides services including one that enables consumers to keep their phone numbers when switching carriers. It also owns several top level domains such as .biz, .us and .co, provides security consulting, and supplies Caller ID services, which include “real-time identification and location services to more than 1,000 businesses in the US across multiple industries”.
A report dating back to 2012 from BuzzFeed suggested that Neustar is involved in the US government’s surveillance operations, echoing suspicions first raised in 2008 by the Washington Post that the company was “part of an evolving telecom industry that is creating caches of information attractive to the government without clear guidelines governing who may have access and under what circumstances”.
But Neustar swiftly responded to claims that it supplied personally identifiable information (PII) to the US government, saying, “We do not receive, nor do we distribute, any information about the subscribers themselves, their locations, or the content of their calls”.
Joffe claims the company has very strict rules over PII. “We don’t share and provide information to the US government; we have no contracts with the US government,” he says.
Unless a US court order asks for Neustar to provide certain information, that is.
“We have a group that makes sure that we comply with US laws,” he states.
But are those laws stringent enough to ensure that the government is only accessing the right data for the right reasons?
Joffe states that it “is a very rare event that we’re required to provide information to the US government that is identifiable, so I’m not sure if I’m aware of circumstances that the laws we have today need to be strengthened or weakened”.
More recently, the Canadian Broadcasting Corporation reported on a secret presentation prepared by the Canadian spy agency, CSEC, which appeared to show that CSEC had snooped on Wi-Fi information from travellers at a Canadian airport in a test to see whether Wi-Fi-enabled devices could be tracked through the signals they generate and the data delivered through those signals.
According to security expert Bruce Schneier, the data was from a combination of sources: an unnamed Canadian source which has user ID details such as Facebook login information, and geographic locations for IP addresses from Quova, a company that was acquired by – you guessed it – Neustar, in 2010.
Officially, Neustar does not work with the US government at present. It currently has a contract with NPAC, the group that manages the phone numbering system, but that is not a government body.
But that doesn’t mean that the company is avoiding public contracts. When President Obama announced that a huge database of all US phone records would be moved outside of the NSA and kept either with phone companies or a third party, Joffe reportedly told Foreign Policy that Neustar would welcome the responsibility, adding that “whoever does this has to be in an incredible position of trust”.
Of course, if all the rumours about the company are true, then Neustar is already very much a trusted partner. But perhaps the bigger issue for the company’s commercial ambitions isn’t trust, but the fact that it’s a relatively unknown entity.
Neustar is in the middle of a battle with Swedish firm Ericsson AB, which is going after a number of portability contracts that Neustar has held for nearly two decades. The contracts currently make up nearly half of Neustar’s revenues. In its attempts to ward off Ericsson AB’s challenge, Neustar is claiming that services would suffer and that porting phone numbers would take longer with a new company, but it remains to be seen if these arguments cut any ice with the US Federal Communications Commission.
If, however, it does get Obama’s backing to retain the contracts then the reports in 2012 that required a response from Neustar’s public policy manager Scott Blake Harris will be just the merest foretaste of the kind of intense scrutiny that the company is likely to face.