@War: The Rise of the Military-Internet Complex

by Shane Harris


  It’s not clear what the NSA and Google built after the China hack. But a spokeswoman at the agency gave hints at the time the agreement was written. “As a general matter, as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers,” she said. It was the phrase “tailored solutions” that was so intriguing. That implied something custom built for the agency, so that it could perform its intelligence-gathering mission. According to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers. It was a quid pro quo, information for information. And from the NSA’s perspective, information in exchange for protection.

  The cooperative agreement and reference to a “tailored solution” strongly suggest that Google and the NSA built a device or a technique for monitoring intrusions into the company’s networks. That would give the NSA valuable information for its so-called active defense system, which uses a combination of automated sensors and algorithms to detect malware or signs of an imminent attack and take action against them. One system, called Turmoil, detects traffic that might pose a threat. Then, another automated system called Turbine decides whether to allow the traffic to pass or to block it. Turbine can also select from a number of offensive software programs and hacking techniques that a human operator can use to disable the source of the malicious traffic. He might reset the source’s Internet connection or redirect the traffic to a server under the NSA’s control. There the source can be injected with a virus or spyware, so the NSA can continue to monitor it.

  For Turbine and Turmoil to work, the NSA needs information, particularly about the data flowing over a network. With its millions of customers around the world, Google is effectively a directory of people using the Internet. It has their e-mail addresses. It knows where they’re physically located when they log in. It knows what they search for on the web. The government could command the company to turn over that information, and it does as part of the NSA’s Prism program, which Google had been participating in for a year by the time it signed the cooperative agreement with the NSA. But that tool is used for investigating people whom the government suspects of terrorism or espionage. The NSA’s cyber defense mission takes a broader view across networks for potential threats, sometimes before it knows who those threats are. Under Google’s terms of service, the company advises its users that it may share their “personal information” with outside organizations, including government agencies, in order to “detect, prevent, or otherwise address fraud, security or technical issues” and to “protect against harm to the rights, property or safety of Google.” According to people familiar with the NSA and Google’s arrangement, it does not give the government permission to read Google users’ e-mails. They can do that under Prism. Rather, it lets the NSA evaluate Google hardware and software for vulnerabilities that hackers might exploit. Considering that the NSA is the single biggest collector of zero day vulnerabilities, that information would help make Google more secure than others that don’t get access to such prized secrets. The agreement also lets the agency analyze intrusions that have already occurred, so it can help trace them back to their source.

  Google took a risk forming an alliance with the NSA. The company’s corporate motto, “Don’t be evil,” would seem at odds with the work of a covert surveillance and cyber warfare agency. But Google got useful information in return for its cooperation. Shortly after the China revelation, the government gave Sergey Brin, Google’s cofounder, a temporary security clearance that allowed him to attend a classified briefing about the campaign against his company. Government analysts had concluded that the intrusion was directed by a unit of the People’s Liberation Army. This was the most specific information Google could obtain about the source of the intrusion. It could help Google fortify its systems, block traffic from certain Internet addresses, and make a more informed decision about whether it wanted to do business in China at all. Google’s executives might pooh-pooh the NSA’s “secret sauce.” But when the company found itself under attack, it turned to Fort Meade for help.

  In its blog post, Google said that more than twenty companies had been hit by the China hackers, in a campaign that was later dubbed Aurora after a file name on the attackers’ computer. A security research firm soon put the number of targets at around three dozen. Actually, the scope of Chinese spying was, and is, much larger.

  Security experts in and outside of government have a name for the hackers behind campaigns such as Aurora and others targeting thousands of other companies in practically every sector of the US economy: the advanced persistent threat. It’s an ominous-sounding title, and a euphemistic one. When government officials mention “APT” today, what they often mean is China, and more specifically, hackers working at the direction of Chinese military and intelligence officials or on their behalf.

  The “advanced” part of the description refers in part to the hackers’ techniques, which are as effective as any the NSA employs. The Chinese cyber spies can use an infected computer’s own chat and instant-messenger applications to communicate with a command-and-control server. They can implant a piece of malware and then remotely customize it, adding new information-harvesting features. The government apparatus supporting all this espionage is also advanced, more so than the loose-knit groups of cyber vandals or activists such as Anonymous that spy on companies for political purposes, or even the sophisticated Russian criminal groups, who are more interested in stealing bank account and credit card data. China plays a longer game. Its leaders want the country to become a first-tier economic and industrial power in a single generation, and they are prepared to steal the knowledge they need to do it, US officials say.

  That’s where the “persistent” part comes into play. Gathering that much information, from so many sources, requires a relentless effort, and the will and financial resources to try many different kinds of intrusion techniques, including expensive zero day exploits. Once the spies find a foothold inside an organization’s networks, they don’t let go unless they’re forced out. And even then they quickly return. The “threat” such spying poses to the US economy takes the form of lost revenue and strategic position. But also the risk that the Chinese military will gain hidden entry points into critical-infrastructure control systems in the United States. US intelligence officials believe that the Chinese military has mapped out infrastructure control networks so that if the two nations ever went to war, the Chinese could hit American targets such as electrical grids or gas pipelines without having to launch a missile or send a fleet of bombers.

  Operation Aurora was the first glimpse into the breadth of the APT’s exploits. It was the first time that names of companies had been attached to Chinese espionage. “The scope of this is much larger than anybody has ever conveyed,” Kevin Mandia, CEO and president of Mandiant, a computer security and forensics company located outside Washington, said at the time of Operation Aurora. The APT represented hacking on a national, strategic level. “There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now,” said Mandia, a veteran cyber investigator who began his career as a computer security officer in the air force and worked there on cybercrime cases. Mandiant was becoming a go-to outfit that companies called whenever they discovered spies had penetrated their networks. Shortly after the Google breach, Mandiant disclosed the details of its investigations in a private meeting with Defense Department officials a few days before speaking publicly about it.

  The APT is not one body but a collection of hacker groups that include teams working for the People’s Liberation Army, as well as so-called patriotic hackers, young, enterprising geeks who are willing to ply their trade in service of their country. Chinese universities are also stocked with computer science students who work for the military after graduation. The APT hackers put a premium on stealth and patience. They use zero days and install backdoors. They take time to identify employees in a targeted organization, and send them carefully crafted spear-phishing e-mails laden with spyware. They burrow into an organization, and they often stay there for months or years before anyone finds them, all the while siphoning off plans and designs, reading e-mails and their attachments, and keeping tabs on the comings and goings of employees—the hackers’ future targets. The Chinese spies behave, in other words, like their American counterparts.

  No intelligence organization can survive if it doesn’t know its enemy. As expansive as the NSA’s network of sensors is, it’s sometimes easier to get precise intelligence about hacking campaigns from the targets themselves. That’s why the NSA partnered with Google. It’s why when Mandiant came calling with intelligence on the APT, officials listened to what the private sleuths had to say. Defending cyberspace is too big a job even for the world’s elite spy agency. Whether they like it or not, the NSA and corporations must fight this foe together.

  Google’s Sergey Brin is just one of hundreds of CEOs who have been brought into the NSA’s circle of secrecy. Starting in 2008, the agency began offering executives temporary security clearances, some good for only one day, so they could sit in on classified threat briefings. “They indoctrinate someone for a day, and show them lots of juicy intelligence about threats facing businesses in the United States,” says a telecommunications company executive who has attended several of the briefings, which are held about three times a year. The CEOs are required to sign an agreement pledging not to disclose anything they learn in the briefings. “They tell them, in so many words, if you violate this agreement, you will be tried, convicted, and spend the rest of your life in prison,” says the executive.

  Why would anyone agree to such severe terms? “For one day, they get to be special and see things few others do,” says the telecom executive, who, thanks to having worked regularly on classified projects, holds high-level clearances and has been given access to some of the NSA’s most sensitive operations, including the warrantless surveillance program that began after the 9/11 attacks. “Alexander became personal friends with many CEOs” through these closed-door sessions, the executive adds. “I’ve sat through some of these and said, ‘General, you tell these guys things that could put our country in danger if they leak out.’ And he said, ‘I know. But that’s the risk we take. And if it does leak out, they know what the consequences will be.’”

  But the NSA doesn’t have to threaten the executives to get their attention. The agency’s revelations about stolen data and hostile intrusions are frightening in their own right, and deliberately so. “We scare the bejeezus out of them,” a government official told National Public Radio in 2012. Some of those executives have stepped out of their threat briefings meeting feeling like the defense contractor CEOs who, back in the summer of 2007, left the Pentagon with “white hair.” Unsure how to protect themselves, some CEOs will call private security companies such as Mandiant. “I personally know of one CEO for whom [a private NSA threat briefing] was a life-changing experience,” Richard Bejtlich, Mandiant’s chief security officer, told NPR. “General Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known about [threats to his company] but did not, and now it has colored everything about the way he thinks about this problem.”

  The NSA and private security companies have a symbiotic relationship. The government scares the CEOs and they run for help to experts such as Mandiant. Those companies, in turn, share what they learn during their investigations with the government, as Mandiant did after the Google breach in 2010. The NSA has also used the classified threat briefings to spur companies to strengthen their defenses. In one 2010 session, agency officials said they’d discovered a flaw in personal computer firmware—the onboard memory and codes that tell the machine how to work—that could allow a hacker to turn the computer “into a brick,” rendering it useless. The CEOs of computer manufacturers who attended the meeting, and who were previously aware of the design flaw, ordered it fixed.

  Private high-level meetings are just one way the NSA has forged alliances with corporations. Several classified programs allow companies to share the designs of their products with the agency so it can inspect them for flaws and, in some instances, install backdoors or other forms of privileged access. The types of companies that have shown the NSA their products include computer, server, and router manufacturers; makers of popular software products, including Microsoft; Internet and e-mail service providers; telecommunications companies; satellite manufacturers; antivirus and Internet security companies; and makers of encryption algorithms.

  The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and US officials. Cisco, one of the world’s top network equipment makers, leaves backdoors in its routers so they can be monitored by US agencies, according to a cyber security professional who trains NSA employees in defensive techniques. And McAfee, the Internet security company, provides the NSA, the CIA, and the FBI with network traffic flows, analysis of malware, and information about hacking trends.

  Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. To an extent, these openings for government surveillance are required by law. Telecommunications companies in particular must build their equipment in such a way that it can be tapped by a law enforcement agency presenting a court order, like for a wiretap. But when the NSA is gathering intelligence abroad, it is not bound by the same laws. Indeed, the surveillance it conducts via backdoors and secret flaws in hardware and software would be illegal in most of the countries where it occurs.

  Of course, backdoors and unpatched flaws could also be used by hackers. In 2010 a researcher at IBM publicly revealed a flaw in a Cisco operating system that allows a hacker to use a backdoor that was supposed to be available only to law enforcement agencies. The intruder could hijack the Cisco device and use it to spy on all communications passing through it, including the content of e-mails. Leaving products vulnerable to attack, particularly ubiquitous software programs like those produced by Microsoft, puts millions of customers and their private information at risk and jeopardizes the security of electrical power facilities, public utilities, and transportation systems.

  Under US law, a company’s CEO is required to be notified whenever the government uses its products, services, or facilities for intelligence-gathering purposes. Some of these information-sharing arrangements are brokered by the CEOs themselves and may be reviewed only by a few lawyers. The benefits of such cooperation can be profound. John Chambers, the CEO of Cisco, became friends with George W. Bush when he was in office. In April 2006, Chambers and the president ate lunch together at the White House with Chinese president Hu Jintao, and the next day Bush gave Chambers a lift on Air Force One to San Jose, where the president joined the CEO at Cisco headquarters for a panel discussion on American business competitiveness. California governor Arnold Schwarzenegger also joined the conversation. Proximity to political power is its own reward. But preferred companies also sometimes receive early warnings from the government about threats against them.

  The Homeland Security Department also conducts meetings with companies through its “cross sector working groups” initiative. These sessions are a chance for representatives from the universe of companies with which the government shares intelligence to meet with one another and hear from US officials. The attendees at these meetings often have security clearances and have undergone background checks and interviews. The department has made the schedule and agendas of some of these meetings public, but it doesn’t disclose the names of companies that participated or many details about what they discussed. Between January 2010 and October 2013, the period for which public records are available, the government held at least 168 meetings with companies just in the cross sector working group. There have been hundreds more meetings broken out by specific industry categories, such as energy, telecommunications, and transportation.

  A typical meeting may include a “threat briefing” by a US government official, usually from the NSA, the FBI, or the Homeland Security Department; updates on specific initiatives, such as enhancing bank website security, improving information sharing among utility companies, or countering malware; and discussion of security “tools” that have been developed by the government and industry, such as those used to detect intruders on a network. One meeting in April 2012 addressed “use cases for enabling information sharing for active cyber defense,” the NSA-pioneered process of disabling cyber threats before they can do damage. The information sharing in this case was not among government agencies but among corporations.

 
