Babak Pasdar, President and CEO of Bat Blue Networks, is an information technology security expert. Pasdar holds five network and security patents and is certified by the International Council of E-Commerce Consultants as an “ethical hacker.” In 2008 Pasdar reported his discovery of an unrestricted portal into a major telecommunications company’s data network to Congress.
Mike German, a Fellow at the Brennan Center for Justice at NYU Law School, interviewed Babak Pasdar on August 19, 2014. The following is an edited transcript of that interview.
Q: Hi, my name is Mike German. I'm a Fellow with the Brennan Center for Justice at NYU Law School and today I'm with Babak Pasdar. Babak is the president and CEO of Bat Blue Networks. He's been a network security expert for twenty-five years and a technologist. You're a certified ethical hacker and you have five network security patents. In 2003 you were hired to help upgrade the data networks, the mobile data networks, of a major telecommunications provider. Why don't you tell us what happened?
PASDAR: Sure, Verizon Wireless hired me and my team to do some rapid deployment upgrades for some of their security infrastructure. They were rolling out the camera phones that we've all come to know and love, and the infrastructure they had could not support the projected usage. So they hired us to, on a rapid basis, upgrade their infrastructure to facilitate the use of the camera phones. It was during that time when we were doing the upgrade to the security infrastructure, where I discovered what came to be known as the Quantico Circuit. And for myself, I treated it just like any other element of connectivity into the carrier; I wanted to secure it by implementing controls around it and implementing visibility, so there would be a record of the communications that would traverse this connection. And…
Q: So this was a circuit that connected into what, exactly?
PASDAR: Into a third party, as far as I know. Now, the termination point, it's not known to me. But what was very unusual about that particular circuit was that, whereas all the other points of entry and egress into that carrier's data center were controlled, there were controls around it and there was logging around it. That particular circuit they recognized as the Quantico Circuit had no controls and no meaningful logging around it. And when I went to implement the controls and logging to have it adhere to the carrier's security policy and security standards, there was a lot of resistance from the carriers all the way up to the Director of Security for the carrier whom I reported to.
Q: So this is basically an open portal that some third party has into the company's data. What type of information is, or would be, available through that portal?
PASDAR: Sure. It was a completely open portal; there were overtures of logging that they made to make it appear as though they were logging, though the system they were sending logs to was so overwhelmed. Just by nature of how logging functions, if you don't collect it the first time it's generated, it's lost forever. So I would say, easily based on the metrics that we took, 75-80% of the logs generated were lost. So, they implemented the appearances of logging, though there was nothing meaningful there. To answer your question more directly, the type of content it would have access to was the entirety of the carrier's data center infrastructure. It included customer records, data, all internet communications, emails, browsing, text messages, and most importantly, it also included the carrier's fraud detection system. And it seems benign on the surface, but what the fraud detection system does is track all mobile devices by geography. And if, for example, you make a call and you're in New York, and then twenty minutes later you make a call from the same mobile number, the ESN number, from let's say, Phoenix, Arizona, it would deem one of those fraudulent and it would trigger an alert. So the fraud detection system actually had access to track individual users of the phone. So it had access to all of it. Essentially, it had access to the entirety of the carrier's critical infrastructure. And it was even odder to have some third party that is unknown have zero controls, zero logging, and zero visibility into the entirety of a carrier's system.
Q: And you're there to help them improve their security. So what does this type of a portal do to the security of all those… all that data?
PASDAR: Completely undermines it. You cannot be half secure, just like you can't be half pregnant. You have to implement security broadly and consistently across the board. You can't selectively say, "Some third party can have completely unfettered access into my environment versus other third parties can only have limited access based on their specific rights that are assigned." So it flew against the security policies that the organization had for themselves.
Q: So, for all the customers of this company, the security of their information is compromised by this access.
PASDAR: Absolutely. And, you know, there's a term in our industry called carrier grade. Carrier grade means the highest performing, most resilient, most secure platform. Thereby carriers use it because there's such a dependence on critical infrastructure. Carrier grade is both a technology rating as well as an approach. And the approach by no means met, or even came close to, the term carrier grade.
Q: And when there is this sort of a vulnerability, I mean, even if the company trusted this third party 100%, there could be bad actors within that entity or could other hackers exploit that avenue into the data center?
PASDAR: So, from a security standpoint, there is no 100% trust. Nobody. You don't even trust your own employees or your own CEO 100%. You implement controls, based on what their requirements are to perform their job, and you always implement logging. You always implement visibility elements that you can go back and reference to determine what was actually done. So from a security standpoint, there's never a 100% trust scenario, as was the case with the Quantico Circuit.
Q: And again, you're hired to improve their security. Did you or others working there feel like they couldn't talk about this Quantico Circuit?
PASDAR: The others… the others absolutely did not feel that they could talk about it; they got very squirrelly. I saw lots of glances back and forth and we were, you know, when you work with a group of people and you spend so many late nights together… It's one of those projects, there's quite a degree of openness that comes along with it where you rely on each other to deliver on the success of the project. And the dynamic and the mood of the situation completely changed when I insisted that we had to adhere to the security policy and I had to adhere to my mandate, even though they told me that, "Hey! Move on! Don't worry about this one! Move on!" And it was just not something I could do. And as I investigated it further and further and as I pushed the issue further, the Director of Security actually got in his car and drove to the data center, which was an incredibly, incredibly unprecedented move, to point his finger in my face and tell me that if I couldn't take his direction then he would find somebody who would.
Q: And, ultimately in 2008, you came forward and reported this to Congress and the public, so that they could understand more about it. Now, because of, years later, a different concerned insider, Edward Snowden, we now know a lot more about what the government has been doing. Given that you know a lot more about what the government's been doing in this space, does that give you some perspective on what you think this Quantico Circuit was?
PASDAR: It does. I could only come to the same conclusions as everybody else. Ultimately, my focus was to report the facts as I knew them and understood them. And you know, it's up to I guess, folks smarter than I am, and with a greater level of access than I, to determine what the conclusions were. But Edward Snowden seemed to really validate a lot of the concerns that a lot of citizens had, especially with regard to this Quantico Circuit issue and other programs.
Q: And, of course, a lot of people have criticized Snowden for coming public with this. But based on your experience, is there a way to work inside to get these issues resolved? Or does it need that kind of public disclosure?
PASDAR: So, I can't speak from personal experience, but I can speak from the perspective of having listened to a lot of other folks who tried to work within the system. The system does not seem to be very interested in getting feedback and getting criticism. And it seems to be overt about its desire to punish people who just don't toe the line, regardless of if it was right or wrong. So from that perspective, I would say that Ed Snowden had to take some extreme measures because other folks who had tried to operate within the system got quite a shellacking, both professionally and in terms of their personal lives. And certainly Ed Snowden, it didn't fall far from that tree, you know? He certainly is the subject of lots of shellacking. But, the one thing I can speak from personal experience with is that, you know, it's so easy for somebody that has not gone through this exercise to say, "Well, they should've done this…" or "They should've done that." But once you make a disclosure, what happens to that data, what happens to the machinery that's set in motion is completely outside of somebody's control. I know it was for me. I made a disclosure to folks that represented themselves to be my attorneys prior to finding the Government Accountability Project, and the very next day they took my information and filed a $233,000,000,000 lawsuit with my disclosure as a John Doe anonymous disclosure. So, you know, I'm not sure if Ed Snowden really had the means to control what happened to the information once he disclosed it, but I'm sure he felt that he was compelled to disclose it. And I can opine that it's a lot easier for the NSA and the government agencies to create new systems than it is for us to go back and try to undo the precedent that was set from a Constitutional perspective. So as it relates to that, I have to support him and I think the guy was incredibly brave to do what he did. Right or wrong, it took a lot of guts to do what he did.
Q: And in your own experience, I mean you felt it was necessary for the public to know about what you knew?
Q: And… because that's… why did you think it was so important for the public to know?
PASDAR: For some of the very same reasons I just said. It's a lot easier for the government to create new systems than it is for us to go back and try to take back Constitutional powers. You know, part of the challenge is that we're in a very unique time in the country's life, in that previously, technology could not do what it did. We did not have the technological resources to operate in this fashion, and that was a little bit of a safety mechanism for the Constitution. But, you know, now that we have these technological capabilities, we have to make sure we enforce what is constitutionally appropriate, and not let technology get ahead of the Constitution. And that's one of the main reasons I did this. Because previously we had the concept, from a technology perspective, we called it biological overload, right? People could not absorb enough information in order to effectuate such a broad and sweeping level of access that the NSA and some of these government agencies have over citizens. But now they do. And it's really, really important that they learn how to operate within the boundaries of the Constitution.
Q: One of the other things that we've learned that the NSA was doing was going out and undermining encryption standards, and even working with some US companies to insert backdoors in software and even hardware. What does undermining encryption do for cyber security writ large?
PASDAR: It's troubling, to say the least. And it was a concern I always had, you know? A few years ago, they did a competitive analysis of various encryption standards and the Rijndael standard was selected. And then something was modified where it became an advanced encryption standard. And it made me very suspicious. I'm not sure exactly what was modified in the code, but certainly some of the ciphers they have in there are, you know, they are able to decrypt on the fly and… And they're also, by the way, they're also leveraging technologies and developing technologies that let them have access to encrypted communications without having to decrypt it by reading spaces in between communications and things to that effect. So it's troubling. It's troubling that they would intercept hardware and they would plant spyware into equipment. And you know, it's… and folks like RSA, RSA the organization, to comply with them and to do something illegal like that is, uh, it just really speaks to the morality of the organization, and how little they care about the integrity of their customers' data and the privacy of the customers' communication that they portray they're committed to uphold. So it's very, very troubling and it's a very overt and aggressive act – this is not a defensive posture. They're not functioning as a "Blue Team." Blue Teams are folks that are charged with defending the integrity, and the privacy, and the availability of systems and data. That's a very overt and aggressive act and it really undermines all our… all of the integrity of the communications that's out there.
Q: And of course, we… anybody with a computer knows that there are bad actors out there. There are hackers, there are virus creators, there are all sorts of different people who would want to intrude into your system to steal data. When a government security agency… a national security agency, is actually undermining cybersecurity, how does that challenge the ability of all of us to protect ourselves?
PASDAR: Well… Look, if they've got access to it then, there's a lot of smart guys out there, you know? The NSA doesn't, you know, have the only smart folks out there. So when they weaken standards, it weakens the integrity of all internet communications, it weakens the integrity of all electronic communications. So if they have access to it, chances are somebody else will get access to it. And when you look at the way that organizations and people operate, they don't upgrade, they don't adhere to the latest patches. So it really opens up a whole Pandora's Box in terms of, you know, access to vulnerable systems, vulnerable communications, and to folks that put their lives on the line, relying on encryption, to students in Iran, or the folks that are in Egypt that are looking to have the same type of freedom that we have, these guys are relying on that encryption standard with their lives. And it's unfortunate that, you know, it could be that the very same organizations they're concerned about would have access to all those communications and not so good things could happen to them.
Q: So, as a US technology company owner actually working in this field, what have these revelations about the NSA's activities done to the US technology market? Or, are we even starting to feel that impact?
PASDAR: Well, there's been a huge transition to the cloud and a lot of organizations want to move to the cloud because there's a lot of benefits that go along with it. But, it has had a chilling effect on business. And it's had a very specific chilling effect on technology in the US. The US has always been the central hub of technology, and we're starting to see a lot of organizations talking about moving their cloud infrastructure, or moving their data into Europe or other countries that don't have such a troubling history with privacy and integrity. And it's a shame because the cloud market was slated to grow from $131,000,000,000 to $677,000,000,000 by 2016. I'm not sure what all of these revelations in terms of dollar impact have had on it, but I would imagine there have been some organizations that have decided not to operate in the US. 59% of that number was supposed to operate in the US, and I'm sure some organizations have decided not to operate in the US. Some have been very public about it.
Q: Right. So these negative consequences of the NSA's activities, both the negative impact on security that they create, obviously the negative impact on privacy and the negative impact on the US economy, these were foreseeable, right? Anybody could've sat down with a little bit of time and said, you know, "What possible harm could come from this activity?" Obviously, the NSA had some interest in gaining access to communications but what are the ramifications of that? Wouldn't you expect an agency that's an intelligence agency to incorporate those possible negative outcomes into their decision to engage in this type of activity?
PASDAR: So, I think you're right on. When you erode the integrity of the standards, you erode confidence, and when you erode confidence, it has an impact on the economy. I can't get into their mind, but I would imagine that there is a mindset of, "We need to achieve our objective at all costs," and, you know, this is my opinion on this. So unfortunately I think there's a little bit of a tunnel vision. But personally, what concerns me more than somebody blowing up a bus in the US is the Constitution being undermined. I think that's far, far more damaging. It becomes an irrecoverable act compared to somebody that does not like us and wants to do something physical to us. So, you're absolutely right: no act of terrorism can really undermine confidence the way you know, undermining the Constitution, the way undermining the integrity of the systems and tools that we would use, would have.
Q: And there's also some indication that the NSA has sort of two roles: one, it's a part of the Department of Defense. It's a military organization, so it actually has offensive activities that it's involved in. What kind of an example does the NSA set for the rest of the world when it's engaged in those kinds of offensive tactics?
PASDAR: I think this is something that everybody's learning as we go along. Interestingly enough, as part of what we do, we act in a defensive way on behalf of our customers in protecting their systems, in protecting the integrity of their data, the availability of their systems, and privacy of their data. And we're seeing that there's a big battle going on, and there are three types of actors out there. There are the hacktivists that are very ideologically driven, there are the financial hackers who are very motivated by emptying your bank account, and then there are the nationalized actors. It's very, very difficult to tell who is doing what out there because of the nature of hacking, and how it could be made to look like somebody's coming from one country when they're actually somewhere else. So we’re not sure what that offensive capability is doing in terms of impact. There's a lot of offensive stuff going on. We just recently found out that the British were using a technology called Hacienda to scan almost every computer out there; it's an incredibly large-scale scanner that would let them know what's out there and who's out there and who's doing what, perhaps even what the applications are. So, there's a lot of stuff like that going on, and a lot of these governments are homesteading in terms of trying to get their cyber legs under them.
Q: Is there a built-in conflict of interest for the NSA to be doing both defensive cybersecurity and offensive cyberattacks?
PASDAR: Well, I would imagine that what they're doing is trying to figure out what their tools are and what their arsenal is. And just based on the dynamic threat landscape that we're dealing with, they're probably testing out tools that you know, you can buy a rifle and that rifle has a life of quite a few years; but when you find an exploit, when you find an offensive capability, that offensive capability has a life of weeks or months. So I would imagine that's what they're doing. It's tough for me to comment on what they're doing versus what they're not doing because I'm not really privy to what their offensive capabilities are, and some of the approaches they're taking. I do find that it's probably illegal and overly aggressive to kind of put spyware in intercepted hardware, but a lot of this is tough to know what they're doing and what they're not doing and how legitimate it is, or not…
Q: And obviously, we know a lot more now because of leaks; not because of the oversight systems that are built in. Obviously, you went to Congress trying to expose some of the problems that are being created by the activities that these agencies are involved in. What do you think of the oversight in your experience with Congress?
PASDAR: It's a joke. There is no oversight. You have agencies with unlimited budgets and no oversight – it sets a dangerous precedent.
Q: Okay. As you said, moving to the cloud is the future, and there are all sorts of economic benefits that will be realized from that, but people won't do it if they don't feel their data will be protected in that environment. How can we, as a community, try to protect that information better?
PASDAR: You know, I could talk about the standard commercial ways of doing that. Part of the challenge is that when the integrity of your data can be undermined with a national security letter, it becomes extremely difficult. You know, folks that were demanded to have their encryption keys handed over, and things to that effect. It's very, very difficult to do anything other than make sure you've got oversight, and make sure there's not overreach.
Q: And changing the laws, perhaps… that protect our privacy?
PASDAR: It… yeah, but I think it's tough to hold your breath waiting for Congress to act on something, but yeah, it really does require a different perspective on what the agencies' roles are and what's legitimate and what's not.
Q: Okay. If somebody wanted to learn more about cybersecurity and the nature of the threat today, even the threat from our own National Security Agency, and intelligence agencies, what would you suggest they would read? Is there a particular blog, or books that you think really get to the point?
PASDAR: Well, I think it’s important not to promote anybody, but I think there are a lot of legitimate journalists out there that have a very tempered approach to this, that actually conduct legitimate journalism to investigate and present their information; I would point to them.
Q: And who among the journalists?
PASDAR: Well, I don’t want to get into any names.
PASDAR: You know, there's quite a few of them out there. Obviously, from a publication standpoint, WIRED Magazine has always been very good with regard to that. The Guardian has been very good with regard to that. I would encourage people to look at the Government Accountability Project website, and some of the things that they're dealing with. I think that would offer some insight into some of what's happening. And I would encourage people to look at some of the public disclosures of whistleblowers that have come out and some of the sacrifices that the whistleblowers have made in order to get that information out. From a technology perspective, I think it's critically important that people be as educated as possible, though it's extremely, extremely hard to get good information, especially amongst all the, you know, pardon the expression – fluff – that's out there about the cloud, right? So, there are a lot of folks out there talking about it, but not all of it is meaningful or substantive.
Q: And as far as information from the government agencies themselves, obviously they've been out speaking in public about the programs and the nature of the work they're doing. How reliable do you think the things that they've been saying publicly are?
PASDAR: To be honest with you, Mike, I just ignore it. I don't know if there's any amount of faith or trust I have in anything they say publicly.
Q: Okay. Was there anything I forgot to ask you?
PASDAR: No, I think you got it.
Q: Okay, great. Babak, I really appreciate your time.
PASDAR: Oh, my pleasure.
Q: Thanks a lot.