Security and the Phone System Redux

Paul Rosenzweig
Friday, April 29, 2016, 2:15 PM

Back in the Fall of 2014, a little noticed contactual battle surfaced some significant security concerns with the management of the American telephone system. It involved the local-number-portability administrator (LNPA). The LNPA manages the Number Portability Administration Centers (NPACs), which route all calls and texts for the US and Canada. This is the system that allows, for example, me to transfer my mobile number from Verizon to AT&T, if I wish.

Published by The Lawfare Institute
in Cooperation With
Brookings

Back in the Fall of 2014, a little noticed contactual battle surfaced some significant security concerns with the management of the American telephone system. It involved the local-number-portability administrator (LNPA). The LNPA manages the Number Portability Administration Centers (NPACs), which route all calls and texts for the US and Canada. This is the system that allows, for example, me to transfer my mobile number from Verizon to AT&T, if I wish. This is an essential function -- it is the core log for identifying whose number is serviced by which carrier, so that when I call my friend Ben Wittes my carrier, Verizon, knows to switch the call to Ben's carrier (which may be Sprint today and AT&T tomorrow).

For years, the LNPA was an American company, Neustar. In 2014, the FCC was considering awarding the contract to a foreign company. As I wrote at the time, that raised some significant security concerns. For example, identifying a "phone number of interest" to the LNPA (as law enforcement or the IC might do) directly reveals who a subject of investigation might be and may also allow an observer to infer the methodology by which the number was captured from the pattern of numbers. Some argued that an American subsidiary of a Swedish company (the proposed new owner) would be a greater security risk for the disclosure of this type of information than an American company. Notwithstanding these concerns, the FCC decided to award the LNPA contract to Telcordia, a subsidary of the Swedish company Ericcson.

It seems the chickens have come home to roost. According to today's Washington Post, the FCC and the FBI are concerned because Telcordia used a Chinese citizen on the project:

Federal officials fear that national security may have been jeopardized when the company building a sensitive phone-number database violated a federal requirement that only U.S. citizens work on the project.

The database is significant because it tracks nearly every phone number in North America, making it a key tool for law enforcement agencies seeking to monitor criminal or espionage targets.

Now Telcordia, a Swedish-owned firm, is being compelled to rewrite the database computer code — a massive undertaking — to assuage concerns from officials at the FBI and Federal Communications Commission that foreign citizens had access to the project.

That's comforting .... not ....


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare