Editorial : Making Money With ISS

When you bring up the subject of intelligence support systems (ISS), telecommunications service providers generally say that having ISS is of course in the public interest, but just like E-911 and the local number portability mandates, it’s a huge investment with no return on investment (ROI).

Well, they are wrong about the ROI because it’s there. And their equipment suppliers are wrong when they say their customers aren’t going to spend any money on ISS products, so why develop them.

So What’s ISS?

First, ISS is not about security; it’s about intelligence. Security is providing firewalls on IP gateways for Internet access or having a security guard at the front door of a central office. In short, security is about guarding against loss.

The “I” for intelligence in ISS is about gathering information about illegal activities and applying that knowledge to increase security where applicable. ISSs are those software elements or units that interface with or are part of billing, ordering, provisioning and authentication systems as well as interface with or are part of law enforcement support systems.

Why Do You Need ISSs?

Society needs telecommunications service providers to include ISS in their infrastructure because criminals rely on telecommunications networks to carry out acts of terrorism, sell illegal drugs and more. There are three specific ISS needs:

1) Lawful Interception Mandates

Service providers don’t have an option regarding support for lawful interceptions for law enforcement officials. It’s not only the law in the United States but most of the world as well. Congress has passed laws such as CALEA, the USA-PATRIOT Act and the Department of Homeland Security Act.

Has lawful interception (LI ) produced results? Without a doubt, yes. When you hear that an al Qaeda captain was arrested in Pakistan, Somalia and so forth, it’s not because their neighbors turned them in. The terrorists communicate, recruit, raise money, plan and basically live on the Internet. Surveillance is about how you can catch them.

By the way, if you are unclear as to why the U.S. Court of Appeals recently upheld the Justice Department’s policy of not releasing the names of the 700 people arrested for immigration violations in connection with the 9-11 terrorist attack, then think of that 1990s cartoon in The New Yorker of a dog sitting in front of a computer with the caption, “When you’re on the Internet, they don’t know you’re a dog.” If al Qaeda doesn’t know that a particular member has been captured, then they think the online FBI agent is actually one of theirs.

2) IP Technology

You can fill a book or conduct a three-day seminar on the complexity that IP technology introduces when it comes to lawful interception. Here are some examples:

Voice over IP (VoIP) Today’s voice surveillance and intercept laws and practices are written around circuit-switched technology and BSS/OSS infrastructure. In this legacy world, LI is simple. The target is associated with a physical local loop, and surveillance activities don’t overflow to the subscribers. The circuit switch and the provisioning systems software is in place and paid for out of Congress’ $500 million CALEA allocation for pre-1995 infrastructure compliance.

Along comes VoIP, and things fall apart because legacy ISSs don’t work, particularly when you are talking on a phone attached to a PC or a SIP phone on a LAN. Consider the following:

• Most Internet or IP addresses are temporary or private if behind a corporate gateway router. It’s not easy to determine who’s talking to whom.

• Voice and data packets are intermixed. If you are sending VoIP through today’s DSL provider and/or ISP, they don’t have the wherewithal to separate voice from the data packets.

• Add VoIP capabilities using a Wi-Fi connection where identity theft is a piece of cake, then your authentication goes out the window.

The bottom line is the Internet and IP networks in general are problematic regarding authentication and surveillance.

3) Volumes of IP Traffic

How many times have you heard that the capacity of new fiber technology today allows for the transmission of the entire set of the Encyclopedia Britannica in a number of seconds. That may be true, but you can’t read all those volumes in seconds or months for that matter.

The situation is this, there are billions of packets per second going every which way imaginable that have to be monitored, but they can’t be stored. The bad news is that law enforcement must deal with these large volumes of packets to gather intelligence. The good news is Internet surveillance technology can be deployed to do the job.

Infrastructure Protection

What’s good about the Internet is its global reach. What’s bad about the Internet (from a security perspective) is its global reach. What’s good about the Internet is that it’s the basis for our 21st century economy. What’s bad about the Internet (from a security perspective) is that it’s the basis for our 21st century economy.

Add the two bads together, and you can come to the realization that hackers from anywhere in the world can bring anyone’s economy to a grinding halt. These same tools that hackers use are readily available to terrorists. Worse yet, for complicated schemes like distributed denial of service attacks, simple networking tools have been developed and are readily available.

The bottom line is the Internet has to be proactively protected in real time. The good news is that technologies can be deployed to gather intelligence to protect networks. The bad news is little is being done in commercial IP networks to protect infrastructure.

Martha Stewartizing a Service Provider

So what are service providers doing to support lawful interception? ILECs, ISPs and wireless service providers are basically doing the required minimum. For cable operators, it’s panicville because they realize that today’s voice over cable architectures are not LI friendly. Nor are they in any way secure from a denial of service attack focused on IP phone customers. On the other hand, cable companies don’t spend much on BSSs/OSSs let alone ISSs.

So what’s it going to take to get service providers on the ISS bandwagon? It would take one grabbing headline about a LI support failure.

Picture this: An al Qaeda cell is identified, and the Department of Homeland Security moves from a yellow to an orange alert. Law enforcement requests lawful surveillance support from a service provider to target al Qaeda customers or associates of a target customer, and the service provider does nothing. A disaster happens, and people are killed. The next day headlines read, “Such and such service provider failed to support law enforcement requests.”

Politicians can rally around a classic headline such as this and provide a 10-second sound bite identifying the problem and the villain. “Terrorist attack not prevented; service provider failed in its LI duties.”

So what happens next? Congress and the Bush administration will be out to get the specific service provider and easily pass legislation to create stricter LI support mandates. Potentially, the service provider’s investors could sue because it broke the LI support laws causing the service providers stock to crash. Of course, you have lawyers representing the families of the deceased suing the service providers. In short, a service provider and an industry will get “Martha Stewartized.”

Show Me the Money

The ISS money will flow in short order because of one of these events or reasons.

1) Terrorist Attack. Hopefully this won’t happen, but it is hardly a remote possibility. My observation is law enforcement officials as a group see service providers as not being as cooperative as they would like. In my opinion, law enforcement would blast the industry given the opportunity. And they would have the opportunity should the above case scenario occur.

2) The Western European Model. The western Europeans are far ahead of North America regarding LI standards and the issue of law enforcement ownership of ISS infrastructure including ISS colocation in operator facilities. Very shortly, North American law enforcement will have a solution for service providers that stonewall: Either you implement ISS or we will do it for you, under our own control. And by the way, we have the budget to do it now.

3) Asia-Pacific Model. Some governments in the Asia-Pacific region don’t even know how to spell privacy. Why will this drive ISS? The largest new markets for telecommunications equipment are in Asia-Pacific. You won’t be able to sell into these markets shortly without ISSs to support lawful and/or other kinds of interception. Asia-Pacific will create an ISS market on its own.

4) Voice/Data Convergence. The idea that a service provider is going to offer a public IP service that can’t support lawful interception is unreal. If a provider won’t implement CALEA and support the other LI mandates, that business model is dead in the water. Convergent service requires ISSs.

5) The Federal Market. The U.S. government spends $9 billion per year on telecommunications services. The U.S. government’s IP networks are continuously assaulted by hackers and likely al Qaeda attacks. The U.S. government is about to spend big bucks on e-government initiatives requiring precise authentication. The bottom line is if you are a service provider looking to do business with the government, you better have ISSs in place.

Think Y2K

So again, where’s the money? You have got to think back about year 2000 expenditures and the many mandates by the Feds. Billions were spent to upgrade computers on the eve of Y2K with no ROI expected other than you will still have a viable business in the 21st century. Software, computer companies, systems integrators, consultants, lawyers and others made a fortune over this mandate. The model applies here to the ISS market.

If you need more information or want to see first hand how the ISS industry takes shape, join us at the TeleStrategies ISS World conference and exhibition on November 12-14, 2003 in McLean, Va. Visit www.telestrategies.com for more information.