FCC Rule Could Cost Colleges $7 Billion
By Benjamin P. Gleitzman
A new mandate from the Federal Communications Commission may require universities and even libraries to replace infrastructure in a costly manner that could contribute to breaches in network security. Those in the information technology field are bracing themselves against the advancing efforts by the FCC to tighten its grip on the flow of network communications.
This expansion, estimated to cost $7 billion according to the American Council on Education, would require massive overhauls in network infrastructure. The ACE has filed a lawsuit against the FCC in response to the mandate.
“The worst-case scenario,” said Jeffrey I. Schiller ’79, MIT Network Manager, “would require remote monitoring of any communication between two computers,” a tall order for network administrators. Such access, “which may have to be employed on a moment’s notice in the middle of the night,” would force colleges and universities to build backdoor systems into network infrastructure and poses a security risk, Schiller said.
The FCC ruled in August that certain providers of broadband communication, such as libraries and college campuses, must comply by May 2007 with the 1994 Communications Assistance for Law Enforcement Act (CALEA) and allow remote monitoring and packet-level access of network communications. The ruling arose as a result of petitions from the Department of Justice, the Drug Enforcement Administration, and the Federal Bureau of Investigation.
“This isn’t a step forward,” Schiller said, “but in a sideways direction.”
Beyond the issue of cost, the post-9/11 expansion of phone and wiretap capabilities raises concerns about potential infringements on civil liberties enabled by the remote monitoring of computer networks, for example at private institutions like MIT, which were not heretofore required to comply with such standards.
The ACE’s lawsuit against the FCC claims that “it will be incredibly expensive for colleges and universities to make their networks CALEA-compliant, not to mention the damper on innovation and the privacy issues that will need to be addressed,” according to a press release.
As of 2003, only a small percentage of wiretaps already placed by law enforcement officials actually targeted computer networks, calling into question the necessity of large monetary investments for compliance procedures.
A key issue with monitoring network systems involves Voice over Internet Protocol, or VoIP, a relatively new system of routing voice conversations over the Internet or other IP-based networks.
Schiller said that monitoring such systems can be quite a challenge, especially considering that on most modern networks, every port of every hub functions as a switch, obstructing access to information from outside the server. Thus, it would be difficult to create remote access for FBI headquarters, where wiretapped VoIP conversations would hypothetically be sent.
Another stumbling block is the lack of clarity in CALEA itself, a document that contradicts itself in numerous places. Additionally, many of the technical requirements regarding CALEA compliance have yet to be clearly enunciated, leaving network administrators puzzled as to which measures they ought to be in compliance with by the 2007 deadline.
MIT officials have not released a statement in response to the demands of the FCC.