Cybersecurity

Neustar? What's a Neustar?

By Paul Rosenzweig
Monday, September 29, 2014, 4:16 PM

Today's New York Times opened with an above-the-fold story entitled "Spy Agencies Urge Caution on Phone Deal."  The Wall Street Journal had a similar report, about "Security Concerns Arise with Phone Database Contract."  The gravamen of both articles was the potential national security implications of a relatively obscure decision to consider transferring a phone switching contract from an American company (Neustar) to an American division of Ericsson, the Swedish telecom giant.  The news hook for the Times article was a report from the Chertoff Group on those issues.  The Journal, in turn, referenced a letter from the House Permanent Select Committee on Intelligence, expressing security concerns.   Given the attention being paid, it seemed worthwhile to explain what all the fuss was about.

[Full Disclosure:  I am a Senior Advisor to The Chertoff Group.  I did no work on the Neustar report and hadn't seen it until it was released by the Times.  Also I spoke to the Journal author before he wrote his article.  My own familiarity with the issue comes from other work I've done and my thoughts here are just that ... mine.]

Background

The issue arises in the context of legislation that goes back to the mid-1990s.  Before that time, if you were a cell phone user and you wanted to switch carriers (from, say, Verizon to AT&T) you also had to switch phone numbers.  That's because each carrier was allocated blocks of phone numbers to give to their subscribers and your new carrier would not, of course, have the same number that had been allocated to your old carrier.  Of course, this gave consumers fits -- we all like to keep our cell numbers and, in some ways, they are now our individual unique identifiers.

And so, Congress authorized the FCC to allow the carriers to make local numbers portable -- that is, to allow my new carrier to take my old phone number and use it on their system when I switched.    This was good politics and also (though I know less on this score) good economics, since it eliminated barriers to entry and transition, allowing price competition to occur.

But now, of course there was a problem -- where, previously, everyone would know that the phone number 202-555-1234 was assigned to Verizon's block, now it could be assigned to any carrier at all.  And the first task for completing a call is to know what carrier's network to connect to.  So when I, say, call my friend Ben Wittes, my Verizon phone carrier needs to know whether to switch the call to Sprint or to T-Mobile or some other carrier to complete the call.  With everyone being able to switch and numbers floating to every carrier, a registry was needed.

Enter the job of the local-number-portability administrator (LNPA).   The LNPA is manages the Number Portability Administration Centers (NPACs), which route all calls and texts for the US and Canada.  According to the Washington Post, that's more than 650 million U.S. and Canadian phone numbers for more than 2,000 carriers.  And if, tomorrow, I were to switch from Verizon to AT&T on my cell phone, the process would be accomplished by changing the registry for my phone number at an NPAC.  On a good day it takes 5 minutes.

Today, the NPACs are managed by an American company, Neustar.  The contract is up for competitive bid though and in April an advisory committee recommended that the next contract be awarded to Telcordia's, an American subsidiary of Ericsson.  The contract is worth roughly $450 million/year.  [In case it isn't obvious, I have absolutely no idea or opinion about the economics of this debate -- I assume the recommendation was because the advisory board thought Telcordia could do it cheaper/better].  Later this year the FCC will have to award the contract.

[As an aside, the structure of this network addressing system is remarkably like that which lies at the heart of Internet addressing -- the Domain Name System.  A central registry makes changes to the root system and those changes are quickly propagated out in a distributed manner across the network.  Hence, my interest in the LNPA/NPAC system.]

Security

The main thrust of concern is that the NPACs are used by both law enforcement and intelligence agencies to identify the carrier used by targets of their investigation.  That often puts the LNPA in a sensitive spot.

As a consequence, management of the NPACs is, in some sense, a critical function -- both to the effectiveness of our phone network and to its utility as an investigative tool  Here are a few  concerns that we might want to consider (only some of which are addressed in the various reports and letters referenced above).

  • The NPACs can be vulnerable to hacking/attack with the potential disclosure of PII information.  This risk exists no matter who the LNPA is. This is also a non-intelligence/law enforcement concern directly, but a broader consumer protection issue.  As I read it cybersecurity is not, currently, a factor in the award of the new contract.
  • Law enforcement and intelligence disclosures to the LNPA may involve either the identification of classified targets or the inferential disclosure of sources and methods.  In other words, identifying a "phone number of interest" to the LNPA directly reveals who a subject of investigation might be and may also allow an observer to infer the methodology by which the number was captured from the pattern of numbers.  Some may argue that an American subsidiary of a Swedish company is a greater security risk for the disclosure of this type of information.  Others might rely on the independence of the American subsidiary as a safeguard.  It is difficult to assess this risk in the abstract, though clearly, this is a different case than if the recommended new provider were a Chinese or Russian company!
  • Non-American corporations may be subject to conflicting legal obligations.  A European company, for example, might be prohibited by European law from doing that which American law requires it to do, in terms of disclosure.  Or they might require disclosure to a data subject that his data has been requested by law enforcement.  Neither of those would be a good result.  Again, this might be ameliorated by the independent nature of the American subsidiary, but I don't know whether that is the case.

What then are we to make of all this?  Is it just a tempest in a teapot?  Is it rent-seeking by the current contract holder?  Or are these security concerns real?  To be honest, I'm not sure -- but my own assessment is that the security issues (particularly as relates to cybersecurity and data integrity) are more than purely speculative that they merit review and consideration.

Topics: