The Edward Snowden Affair (38 page)

The NSA had snuggled closer to private Internet companies and become bedfellows with online security firms. With the latter, a portion of SIGINT’s $254.9 million Black Budget bought American intelligence knowledge of antivirus programs’ vulnerabilities as well as ensured backdoors would be—and would remain—available. In short, the spy agency’s Commercial Solutions Center division contracted Internet defense businesses to ignore or create and install exploitable weakness in their programs which would only be known by the intelligence community. In the NSA’s terms, the funds allowed the agency to “[ … ] covertly influence and/or overtly leverage their [U.S. and foreign IT industries’] commercial products’ design.” This includes the heightened security 4G cell phones are said to provide. When questioned if computer protection programs had built-in backdoors, many major antivirus distributors refused to comment or claimed ignorance of possible government involvement.
¹¹⁴

GCHQ and the NSA were also forced to confront private Internet companies that had responded to consumer demands for greater security. In online encryption surveillance, two types of secure data transfers are carefully monitored, Transport Layer Security (TLS) and Secure Sockets Layer (SSL). The technology was first made widely available to the public by financial institutions and then online merchandisers before becoming standard practice for most major websites worldwide. This programming assures a web surfer that only the person browsing the Internet is communicating with a specific website. A secure connection is made by a browser simultaneously sending an asymmetric or public key alongside its website request. If the browser recognizes that the website has a SSL certificate, it uses the key to establish a secure, symmetric connection between the user and website. Any website with the URL prefix “HTTPS” (as opposed to the highly vulnerable “HTTP”) is using TLS/SSL technology. The universal sign for a secure connection is a green padlock in a computer screen’s address bar.

A security certificate is an electronic document which verifies that the owner of the website has the rights to the website domain or, in laymen’s terms, it ensures a user that when a web address is entered, the individual or company claiming to own the website actually does. However, a classified document reveals in 2006, the NSA convinced the agency that oversees certificate licensing, the U.S. National Institute of Standards and Technology, to issue the NSA’s version of the draft standard. The next year two cryptographers discovered the agency had included exploitable flaws in its proposal. The result, as American intelligence itself admits, was “[ … ] NSA became the sole editor.” U.S. intelligence sought to further weaken the authority’s power in 2013. A slated agenda within the Black Budget application is to “influence policies, standards and specifications for commercial public key technologies.”

Without the encryption key, successful SSL infiltration that avoids detection is difficult and requires a large budget but is nonetheless possible. The safety feature can be compromised by instigating a “Man in the Middle” (MITM) attack.
¹¹⁵
Essentially, this type of hack does not break the SSL code but captures user data by impersonating a secure website. It reroutes a website request to a faux Internet location (which must look and operate like the desired, authentic, certified website). While the user browses the fake webpage, data is gathered without the web surfer noticing. But this is unnecessary if a spy has the encryption key for the website’s SSL certificate. The analyst merely unlocks and records the data flow.

GCHQ already had three major companies under its thumb and could access 30 types of VPNs by 2010. It hopes to have the codes of 15 Internet firms and 300 VPNs by 2015. A 2012 quarterly update suggests British intelligence has compromised Google’s security after “new access opportunities” presented themselves. GCHQ was still working on Hotmail, Yahoo and Facebook’s encryption programs. Where the information couldn’t be bought, GCHQ put personnel on the ground. British intelligence recruited and deployed undercover agents to get hired by Internet firms in order to gain access to encryption keys.

Information regarding the agencies’ decryption programs is one of their most closely kept and guarded secrets. A classified instruction slide insists, “Do not ask about or speculate on sources or methods underpinning Bullrun.” Analysts are told there is no “need-to-know” basis for relaying information about the spy tool. Even decoded data cannot be stamped as a Bullrun product: “Reports derived from BULLRUN materials shall not reveal (or imply) that the source data was decrypted. The network communication technology that carried the communication should not be revealed.” Loss of surveillance capabilities as a result of “damage to industry relationships” is the greatest fear. (Washington had asked the Post to censor the names of the nine Internet companies which appear on the PRISM slides.)
¹¹⁶
By comparison, public backlash is listed as a “moderate” concern.

Whereas
The Guardian
presented its own account of the encryption scandal,
ProPublica
and the
Times
joined forces.
ProPublica
christened its article, “Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security”
¹¹⁷
while the
Times
opted for “N.S.A. Able to Foil Basic Safeguards of Privacy on Web.”
¹¹⁸
Aside from their titles, only a few editorial amendments and two excised lines from the
ProPublica
version divide the work. As with any case of multiple reports on the same issue, the joint exposé covers much the same ground as
The Guardian
but places emphases in particular areas of interest while only mentioning aspects of the discussion Greenwald deemed more relevant. Mindful of its audience, the
Times/ProPublica
report is less concerned than
The Guardian
about GCHQ’s role in undermining encryption technology. It devotes a large portion of its time to the NSA’s pursuit of coded data.

As revealed in Greenwald’s June 20 warrantless surveillance exposé, the editorial reminds readers it is NSA policy to (capture and) store encrypted communications regardless of its (revealed) place of origin or the nationality of its sender. It adds that Bullrun had a predecessor, “Manassas.” Manassas is the Confederate title for the Battle at Bull Run but is also the name of an iron-clad ship used by the South during the Civil War. Ironically, the CSS Manassas was decommissioned shortly after being put into battle.

One of the article’s primary concerns is the manner in which encrypted data is acquired. The report notes, “In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a backdoor.” (This line was excised from the
ProPublica
rendition, as was the redundant, “Some companies have been asked to hand the government the encryption keys to all customer communications, according to people familiar with the government’s requests.”) Just as it had paid Cisco to install exploitable defects in its routers,
¹¹⁹
when a foreign intelligence target ordered new American computer hardware, the U.S. government had the manufacturer install a backdoor into the product.

The NSA’s collection of encryption keys is large enough have its own named database, the Key Provisioning Service. If the storehouse doesn’t have a key the NSA needs, the politely titled “Key Recovery Service” (GCHQ’s equivalent division is code-named “Cheesy Name”) is sent out to procure it. Following Greenwald’s claim that ground agents are given cover and engage in social engineering to get passwords companies diligently refuse to hand over, the news sources report the NSA also hacks into businesses’ databases in order to get encryption codes. Because of this, the Five Eyes only share decrypted messages if they were gathered using legally obtained keys. As an incriminatory GCHQ document states, “Approval to release to non-Sigint agencies will depend on there being a proven non-Sigint method of acquiring keys.” Yet this clause may only exist for staff morale. Snowden told Appelbaum, “They [foreign nations] don’t ask to justify how we know something, and vice versa, to insulate their political leaders from the backlash of knowing how grievously they’re violating global privacy.”
¹²⁰
Regardless, this leaves open the possibility the quintet of spy agencies—much like U.S. intelligence’s relationship with Pakistan, Israel and Germany—could be less than forthright in their joint surveillance activities since all have an alibi for withholding information. An internal NSA document even acknowledges that GCHQ has “unspecified capabilities against network technologies.”

Though the NSA expects to have “full unencrypted access” to an unnamed Internet company, a Middle Eastern Internet service, as well as the data from three foreign governments by the close of 2013, its goal is not comprehensive retrieval of encrypted data. To save time, energy and resources, it hopes to obtain the power to do to all communications what it does with Microsoft: gain direct and live pre-encryption access.

Between the two reports, the British and American spy agencies’ encryption agenda is clear. In the event they don’t already own a website’s public key, they first attempt to financially coerce the Internet company into surrendering its key. If the business refuses, it is threatened with a court order. If it obstinately stands on principle, a hacking directive is issued. Should the company’s defenses prove to be impenetrable, moles are placed within the business to commandeer the code.

Fantastico
returned on September 8 with a 13-minute feature
¹²¹
over the NSA’s monitoring of the Brazilian oil giant Petrobras, specifically the company’s internal computer network. The Rede Globo production also includes insight into the NSA and GCHQ’s surveillance techniques. Petrobras was not only surveilled, it was deemed a prime example of a target in a series of NSA training slides outlining how to conduct corporate, government and financial espionage. It includes the SWIFT network, “the cooperative that unites over ten thousand banks in 212 countries.” All international banking transfers use SWIFT. The slides cite Google and the private network of France’s Ministry of Foreign Affairs as other exemplary targets.

As with diplomatic surveillance operations, access to financial and business records provides what is essentially insider trading information to the United States. Petrobras is one of the 30 largest companies in the world.
¹²²
When questioned, GCHQ failed to respond, but the NSA reassured Brazil its economic surveillance was conducted only to aid in determining if an impending financial crisis was looming. It stated the intelligence was in no way used “to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line.” Clapper stated, “It is not a secret that the intelligence community collects information about economic and financial matters, and terrorist financing.”
¹²³
It seems unlikely the NSA suspected the oil entrepreneur of having links to terrorism. Despite the American grievance that Chinese cyberspies hacked into the Pentagon and stole millions of dollars in military defense planning, the NSA had gained access to the latest technological advances in oil detection and extraction through Petrobras. Ethically, China’s espionage dealt with a foreign nation’s defense capabilities; America’s spying focused on the private sector.

Accompanying documents also reveal two GCHQ operations code-named “Flying Pig” and “Hush Puppy.” They are used to spy on TSL and SSL data transfers. The existence of the programs implies the agency does not have access to all encryption codes because MITM attacks were being used to intercept these coded communications.
¹²⁴
The training slides tell analysts, “foreign government networks, airlines, energy and financial organizations” are susceptible to MITM intrusions.

On the first day of the G20 Summit, Brazil’s president confronted Obama about the allegations that she had been the victim of American espionage. She’d told the president, “I want to know everything that they [American intelligence agencies] have. Everything.”
¹²⁵
It was confirmed she still intended to go to the White House in October.
¹²⁶
A little over a week after the Petrobras report, Rousseff canceled the meeting.
¹²⁷

When
O Globo
first revealed American intelligence had been spying on her country, Rousseff initiated internal and external investigations into the claims. The country summarily started planning to reroute mainline undersea fiber-optic cables to bypass American connections and link directly with Europe and Africa. By August Brazil had signed a joint satellite venture with France and Italy to further secure the nation’s communications. Because of the disclosures, Brazil will have its own national encrypted email system by 2014 so citizens can abandon American communication services such as Hotmail and Google.
¹²⁸
After returning from the summit, Rousseff started pushing her legislators to pass a bill which would force foreign communication companies to store her country’s domestic data on Brazilian servers.
¹²⁹
Only the U.S. and India have more Facebook account holders.
¹³⁰

The next day
Der Spiegel
issued “iSpy: How the NSA Accesses Smartphone Data.”
¹³¹
From a public relations perspective it was a deadly blow to the surveillance debate. It confirms that GCHQ’s dream of “exploit[ing] any phone, anywhere, any time” had become a reality. The Poitras editorial begins with the tale of then-NSA chief Michael Hayden being solicited by an Apple salesperson. The employee bragged that the new iPhone had over 400,000 apps (“apps” are additional applications or programs a cell phone user can elect to download). Hayden turned to his wife and announced, “This kid doesn’t know who I am, does he? Four-hundred-thousand apps means 400,000 possibilities for attacks.”