To assist law enforcement agencies (LEAs) in gathering information on the activities, contacts, locations, behaviours and intentions of Subjects of Interest (SoI), communications service providers (CSPs) must comply with the lawful intercept mandates of their host nations.
In response to a lawfully authorised request, a CSP is required to intercept and copy the real-time communications of targeted SoIs, including voice, data, messages, email and faxes, and then forward this data in the required format to the LEA-controlled Law Enforcement Monitoring Facility (LEMF). This must be done in a secure and auditable way. At all times, CSPs must ensure protection of the data, ensure that no unauthorised user has access to it, and that only the correct, authorised data is ever provided in response to each individual LEA warrant.
LI is an essential tool in the LEAs' fight against crime and terrorism. As CSP networks expand and adopt newer, more complex technology, maintaining compliance with national requirements becomes increasingly challenging. For CSPs, the cost of LI must be borne as a cost of doing business. To prevent it becoming a cumbersome burden that side-lines resources and hinders normal business processes, it is prudent to partner with an LI expert who has a proven industry track record in LI and can help them fulfil compliance requirements.
Helping CSPs comply seamlessly and efficiently
BAE Systems DataBridge is a core product in the BAE Systems Data Intelligence portfolio. We have over 30 years of experience working with CSPs to help them meet their regulatory obligations in a timely and efficient manner.
Upon receipt of an authorised warrant, DataBridge system operators use an intuitive web-based management interface to simplify and facilitate the configuration of CSP infrastructure to collect the required real-time content and metadata of targeted SoIs. The solution will manage the receipt of that data from the CSP’s network infrastructure, the formatting of the data according to LEA requirements, and the forwarding of the data to the appropriate LEMF. The solution facilitates effective management of LEA warrants and ensures an audit trail of activity.
Cost efficiency – Our standards-based, cloud-native approach supports LI for all types of CSPs, from the largest global tier 1 carriers with more than 100 million subscribers, to a new and growing CSP.
Secure by design – With security at its core, DataBridge is built and tested against CIS and OWASP security standards.
Standards focused – The DataBridge product team actively work with the 3GPP, ETSI and ATIS standards bodies to ensure that our solution and roadmap are always relevant and consistently comply with the latest standards revision.
Functionality and features
DataBridge is built on a cloud native micro-service based architecture, supporting VNF and CNF deployment models for voice and data interception on all types of fixed and mobile network, including full and proven integration with the latest 5GSA architectures. It provides the following features:
The DataBridge Warrant Management System (WMS) simplifies the processes undertaken by an internal CSP compliance team tasked with supporting lawful access to communications data. The work carried out by this team is often the subject of strict processes, procedures and scrutiny. The DataBridge WMS provides CSPs with a modern and intuitive web-based user interface designed specifically to meet the requirements of warrant data entry, authorisation, automated network provisioning, auditing and reporting.
DataBridge WMS can be deployed as part of a complete DataBridge LI solution or as a workflow tool, integrating with a CSP's existing LI infrastructure.
DataBridge is designed and built from the ground up as a cloud native platform, enabling the freedom and flexibility to support the widest possible range of virtualisation technologies, and allowing us to align the solution with our customer’s chosen technical direction.
Whether deployed as Container Network Functions (CNFs) within a public cloud like AWS, as virtual network functions deployed on a private cloud such as ESXi, or deployed on dedicated COTS x86 hardware, DataBridge’s cloud native architecture combined with our team’s depth of experience will streamline and simplify deployment and integration.
As 5G mobile architectures are deployed by CSPs, a benefit to users comes through significant enhancements to user privacy and security. This has been achieved through the introduction of concealed and temporary session-based identifiers, which replace the attributable and trackable identifiers found on the 2G, 3G and 4G radio interfaces. While these improvements are welcome from a user privacy perspective, providing protection against nefarious organisations and individuals, they make the job of law enforcement much harder.
To address the gap in LEA capability introduced through these privacy protections, BAE Systems has developed and introduced the DataBridge 5G Identifier Association Function (IAF).
Based on the latest 5G LI 3GPP standards, the DataBridge 5G IAF allows authorised law enforcement agencies to attribute, in real time, observed 5G radio identifiers to a subscriber’s permanent identifier.
The 5G Identifier Association Function can be deployed either as part of an existing DataBridge LI deployment or as a standalone capability alongside a CSP's or LEA's existing LI solution.
BAE Systems DataBridge is deployed at some of the world’s largest Tier 1 fixed line and mobile operators, supporting ultra-high-speed services such as nationwide wholesale open access infrastructure, fibre-to-the-premises (FTTP) and multi-gigabit per second 5G mobile data services.
In support of these high-speed services, DataBridge offers up to 10Gbps of data mediation for a single intercept, with the total mediation capacity scalable on demand and ensuring mediation resource is always in excess of the inbound intercepted traffic rates.
Whether it's FTTP fixed line services or 5G mobile services, the bandwidth available to subscribers is ever increasing. While DataBridge has supported and will continue to support high-rate mediation and delivery in line with our customers' high-speed service offerings, in some circumstances LEAs request that CSPs reduce the delivery rates by removing specific low-intelligence value traffic types, such as high-rate video streaming services (e.g. YouTube).
In support of this requirement, DataBridge offers a fully integrated content filtering capability which can be invoked on either a global or per SoI basis. This capability supports law enforcement by performing granular traffic reduction at a per SoI and protocol level, while continuing to generate metadata about the filtered content flows.
DataBridge Content Filter can be enabled in any DataBridge deployment, but can also be deployed at the boundary between the CSP and the LEAs as a stand-alone function without modification to a CSP’s existing LI capabilities.
A key part of any LI solution is the provision of a monitoring function that demonstrates clearly to regulators and law enforcement agencies that a CSP is meeting their regulatory obligations.
This monitoring functionality should provide a highly-granular historic and real time view of all the intercepted traffic that is requested, received and delivered to law enforcement by the CSP’s LI solution.
The BAE Systems DataBridge advanced system monitoring function (DBStats) supports CSPs in this requirement by providing a holistic view of system performance across the entire LI platform, covering every byte of data that is received, processed and delivered.
While the majority of LI can be performed in partnership with LI interfaces embedded within the network functions, there are some scenarios where intercepting traffic directly from the transport network is more cost effective or appropriate.
In support of these use cases, DataBridge 1G, 10G or 100G cloud native software-based probes can be deployed to provide intercept capability for the following use cases:
IP voice interception with SIP and RTP protocols
IP data interception on fixed and mobile networks
Roaming IP data on the S8 and N9 interfaces of a mobile network
Home routed IP Voice carried over the S8 (S8HR) or N9 (N9HR) interfaces
RADIUS, Diameter and DHCP access and session information