I realize that New Zealand is *not* in North America (hence NANOG),
but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act
of 2013 is in effect in New Zealand and brings in several drastic
changes for ISPs, telcos and service providers. One of the country's
spy agencies, the GCSB, gets to decide on network equipment
procurement and design decisions (PDF), plus operators have to
register with the police and obtain security clearance for some staff.
Somewhat illogically, the NZ government pushed through the law
combining mandated communications interception capabilities for law
enforcement, with undefined network security requirements as decided
by the GCSB. All network operators are subject to the new law,
including local providers as well as the likes of Facebook, Google,
Microsoft, who have opposed it, saying the new statutes clash with
overseas privacy legislation."
It got a pretty firefight discussion at the NZNOG. None of the ISPs feel
comfortable with it, but in avoiding a shoot-the-messenger syndrome they
tried to give good feedback to the reps from GCSB who came to talk.
Basically, a lot of post-act variations are expected to clarify what
changes do and do not have to be notified.
There was a lot of bitter humour about calling them at 3am to report BGP
failures and ask permission to remediate.
So is there just reluctant acceptance of this law, or is there
push-back and plans to repeal, or...?
I guess my question is something along the lines of "Are people just
reluctantly accepting that government surveillance & micromanagement
of private businesses/networks is a fact of life?"
I am purposefully making a distinction here between the U.S. CALEA [1]
and NSLs [2] and a NZ spy agency getting "...to decide on network
equipment procurement and design decisions".
I can't speak to that, Paul. I attended NZNOG as a guest, I'm from
Australia. Others will have to say how the NZ industry is approaching this,
I'd get it wrong if I tried!
To: Paul Ferguson
Cc: NANOG
Subject: Re: New Zealand Spy Agency To Vet Network Builds, Provider Staff
The industry in New Zealand is responding with "Nobody listened to us and we have no damn choice but to do what the government orders us to do". The general public is completely unaware of what has just happened and as long as there is still beer in the fridge and the game on TV they don't seem to give much of a toss.
Hey, now, that's not fair. The NSA is just doing what any large player who dominates their space does - try to block out the competition!
Copy/pasting from a friend of mine (he can out himself if he likes): http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden
- But while American companies were being warned away from supposedly
untrustworthy Chinese routers, foreign organisations would have been
well advised to beware of American-made ones. A June 2010 report from
the head of the NSA's Access and Target Development department is
shockingly explicit. The NSA routinely receives or intercepts routers,
servers, and other computer network devices being exported from the US
before they are delivered to the international customers.
- The agency then implants backdoor surveillance tools, repackages the
devices with a factory seal, and sends them on. The NSA thus gains
access to entire networks and all their users. The document gleefully
observes that some "SIGINT tradecraft is very hands-on (literally!)".
- Eventually, the implanted device connects back to the NSA. The report
continues: "In one recent case, after several months a beacon
implanted through supply-chain interdiction called back to the NSA
covert infrastructure. This call back provided us access to further
exploit the device and survey the network."
- It is quite possible that Chinese firms are implanting surveillance
mechanisms in their network devices. But the US is certainly doing the
same.
- Warning the world about Chinese surveillance could have been one of
the motives behind the US government's claims that Chinese devices
cannot be trusted. But an equally important motive seems to have been
preventing Chinese devices from supplanting American-made ones, which
would have limited the NSA's own reach. In other words, Chinese
routers and servers represent not only economic competition but also
surveillance competition.
Should we as a community look at Open Hardware when we start to lose trust in vendors and governments? Can we make boards/ASIC/FPGA commodity enough to scale?
While I applaud NZ being open and honest about it, I do think that they have gone quite a bit further than the NSA and that their proposal is far more damaging.