Data and Goliath
Page 9
Why? A lot of this is political and military espionage, but some of it is commercial espionage. Many countries have a long history of spying on foreign corporations for their own military and commercial advantage. The US claims that it does not engage in commercial espionage, meaning that it does not hack foreign corporate networks and pass that information on to US competitors for commercial advantage. But it does engage in economic espionage, by hacking into foreign corporate networks and using that information in government trade negotiations that directly benefit US corporate interests. Recent examples are the Brazilian oil company Petrobras and the European SWIFT international bank payment system. In fact, a 1996 government report boasted that the NSA claimed that the economic benefits of one of its programs to US industry “totaled tens of billions of dollars over the last several years.” You may or may not see a substantive difference between the two types of espionage. China, without so clean a separation between its government and its industries, does not.
Many countries buy software from private companies to facilitate their hacking. I’ll talk more about this kind of business relationship in Chapter 6. For now, consider an Italian cyberweapons manufacturer called Hacking Team that sells hacking systems to governments worldwide for use against computer and smartphone operating systems. The mobile malware installs itself remotely and collects e-mails, text messages, call history, address books, search history data, and keystrokes. It can take screenshots, record audio to monitor either calls or ambient noise, snap photos, and monitor the phone’s GPS coordinates. It then surreptitiously sends all of that back to its handlers. Ethiopia used this software to sneak onto the computers of European and American journalists.
It’s a reasonable assumption that most countries have these hacking capabilities. Who they use them against, and what legal rules control that use, depends on the country.
GOVERNMENT ATTACKS
When we first started getting reports of the Chinese breaking into US computer networks for espionage purposes, we described it in very strong language. We labeled the Chinese actions “cyberattacks,” sometimes invoking the word “cyberwar.” After Snowden revealed that the NSA had been doing exactly the same thing as the Chinese to computer networks around the world, the US used much more moderate language to describe its own actions—terms like “espionage,” or “intelligence gathering,” or “spying”—and stressed that it is a peacetime activity.
When the Chinese company Huawei tried to sell networking equipment to the US, we feared that the government had backdoored the switches and considered it a “national security threat.” But, as we eventually learned, the NSA has been doing exactly the same thing, both to Huawei’s equipment and to American-made equipment sold in China.
The problem is that, as they occur and from the point of view of the victim, international espionage and attack look pretty much alike. Modern cyberespionage is a form of cyberattack, and both involve breaking into the network of another country. The only difference between them is whether they deliberately disrupt network operations or not. Of course that’s a huge difference, but it’s a difference that might be delayed months or even years. Because breaking into a foreign network affects the territory of another country, it is almost certainly illegal under that country’s laws. Even so, countries are doing it constantly to one another.
Here’s an example. In 2012, the NSA repeatedly penetrated Syria’s Internet infrastructure. Its intent was to remotely install eavesdropping code in one of the country’s core routers, but it accidentally caused a nationwide Internet blackout. Exfiltrating data and taking out a country’s Internet involve exactly the same operations.
Governments are getting into cyberwar big time. About 30 countries have cyberwar divisions in their military: US, Russia, China, the major European countries, Israel, India, Brazil, Australia, New Zealand, and a handful of African countries. In the US, this is led by US Cyber Command inside the Department of Defense. Admiral Michael S. Rogers is in charge of both this organization and the NSA. That’s how close the missions are.
Few examples have surfaced of cyberattacks that cause actual damage, either to people or to property. In 2007, Estonia was the victim of a broad series of cyberattacks. This is often called the first cyberwar, because it coincided with increased tensions with neighboring Russia. The ex-Soviet republic of Georgia was also the victim of cyberattacks, ones that preceded a land invasion by Russian troops a year later. In 2009, South Korea was the victim of a cyberattack. All of these were denial-of-service attacks, during which selected Internet sites are flooded with traffic and stop working temporarily. They’re disruptive, but not very damaging in the long run.
In all of these cases, we don’t know for sure who the perpetrator was, or even whether it was a government. In 2009, a pro-Kremlin youth group took credit for the 2007 Estonian attacks, although the only person convicted of them was a 22-year-old Russian living in Tallinn. That sort of identifiability is rare. Like the espionage attacks discussed earlier, cyberattacks are hard to trace. We’re left to infer the attacker by the list of victims. Ethnic tensions with Russia: of course Russia is to blame. South Korea gets attacked: who else but North Korea would be motivated?
Stuxnet is the first military-grade cyberweapon known to be deployed by one country against another. It was launched in 2009 by the US and Israel against the Natanz nuclear facility in Iran, and succeeded in causing significant physical damage. A 2012 attack against Saudi Aramco that damaged some 30,000 of the national oil company’s computers is believed to have been retaliation by Iran.
A SINGLE GLOBAL SURVEILLANCE NETWORK
There’s an interesting monopolistic effect that occurs with surveillance. Earlier in this chapter, I made a distinction between government-on-government espionage and government-on-population surveillance. Espionage basically follows geopolitical lines; a country gets together with its allies to jointly spy on its adversaries. That’s how we did it during the Cold War. It’s politics.
Mass surveillance is different. If you’re truly worried about attacks coming from anyone anywhere, you need to spy on everyone everywhere. And since no one country can do that alone, it makes sense to share data with other countries.
But whom do you share with? You could share with your traditional military allies, but they might not be spying on the countries you’re most worried about. Or they might not be spying on enough of the planet to make sharing worthwhile. It makes the best sense to join the most extensive spying network around. And that’s the US.
This is what’s happening right now. US intelligence partners with many countries. It is part of an extremely close relationship of wealthy, English-language-speaking countries called the Five Eyes: US, UK, Canada, Australia, and New Zealand. Other partnerships include the Nine Eyes, which adds Denmark, France, the Netherlands, and Norway; and the Fourteen Eyes, which adds Germany, Belgium, Italy, Spain, and Sweden. And the US partners with countries that have traditionally been much more standoffish, like India, and even with brutally repressive regimes like Saudi Arabia’s.
All of this gives the NSA access to almost everything. In testimony to the European Parliament in 2014, Snowden said, “The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn’t search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.”
In 2014, we learned that the NSA spies on the Turkish government, and at the same time partners with the Turkish government to spy on the Kurdish separatists within Turkey. We also learned that the NSA spies on the government of one of its much closer surveillance partners: Germany. Presumably we spy on all of our part
ners, with the possible exception of the other Five Eyes countries. Even when the NSA touts its counterterrorism successes, most of them are foreign threats against foreign countries, and have nothing to do with the US.
It should come as no surprise that the US shares intelligence data with Israel. Normally, identities of Americans are removed before this data is shared with another country to protect our privacy, but Israel seems to be an exception. The NSA gives Israel’s secretive Unit 8200 “raw SIGINT”—that’s signals intelligence.
Even historical enemies are sharing intelligence with the US, if only on a limited basis. After 9/11, Russia rebranded the Chechen separatists as terrorists, and persuaded the US to help by sharing information. In 2011, Russia warned the US about Boston Marathon bomber Tamerlan Tsarnaev. We returned the favor, watching out for threats at the Sochi Olympics.
These partnerships make no sense when the primary goal of intelligence is government vs. government espionage, but are obvious and appropriate when the primary goal is global surveillance of the population. So while the German government expresses outrage at NSA’s surveillance of the country’s leaders, its BND continues to partner with the NSA to surveil everyone else.
The endgame of this isn’t pretty: it’s a global surveillance network where all countries collude to surveil everyone on the entire planet. It’ll probably not happen for a while—there’ll be holdout countries like Russia that will insist on doing it themselves, and rigid ideological differences will never let countries like Iran cooperate fully with either Russia or the US—but most smaller countries will be motivated to join. From a very narrow perspective, it’s the rational thing to do.
6
Consolidation of Institutional Control
Corporate surveillance and government surveillance aren’t separate. They’re intertwined; the two support each other. It’s a public-private surveillance partnership that spans the world. This isn’t a formal agreement; it’s more an alliance of interests. Although it isn’t absolute, it’s become a de facto reality, with many powerful stakeholders supporting its perpetuation. And though Snowden’s revelations about NSA surveillance have caused rifts in the partnership—we’ll talk about those in Chapter 14—it’s still strong.
The Snowden documents made it clear how much the NSA relies on US corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already building one, and tapped into it. Through programs like PRISM, the NSA legally compels Internet companies like Microsoft, Google, Apple, and Yahoo to provide data on several thousand individuals of interest. Through other programs, the NSA gets direct access to the Internet backbone to conduct mass surveillance on everyone. Sometimes those corporations work with the NSA willingly. Sometimes they’re forced by the courts to hand over data, largely in secret. At other times, the NSA has hacked into those corporations’ infrastructure without their permission.
This is happening all over the world. Many countries use corporate surveillance capabilities to monitor their own citizens. Through programs such as TEMPORA, the UK’s GCHQ pays telcos like BT and Vodafone to give it access to bulk communications all over the world. Vodafone gives Albania, Egypt, Hungary, Ireland, and Qatar—possibly 29 countries in total—direct access to Internet traffic flowing inside their countries. We don’t know to what extent these countries are paying for access, as the UK does, or just demanding it. The French government eavesdrops on France Télécom and Orange. We’ve already talked about China and Russia in Chapter 5. About a dozen countries have data retention laws—declared unconstitutional in the EU in 2014—requiring ISPs to keep surveillance data on their customers for some months in case the government wants access to it. Internet cafes in Iran, Vietnam, India, and elsewhere must collect and retain identity information of their customers.
Similar things are happening off the Internet. Immediately after 9/11, the US government bought data from data brokers, including air passenger data from Torch Concepts and a database of Mexican voters from ChoicePoint. US law requires financial institutions to report cash transactions of $10,000 or larger to the government; for currency exchangers, the threshold is $1,000. Many governments require hotels to report which foreigners are sleeping there that night, and many more make copies of guests’ ID cards and passports. CCTV cameras, license plate capture systems, and cell phone location data are being used by numerous governments.
By the same token, corporations obtain government data for their own purposes. States like Illinois, Ohio, Texas, and Florida sell driver’s license data, including photos, to private buyers. Some states sell voter registration data. The UK government proposed the sale of taxpayer data in 2014, but public outcry has halted that, at least temporarily. The UK National Health Service also plans to sell patient health data to drug and insurance firms. There’s a feedback loop: corporations argue for more government data collection, then argue that the data should be released under open government laws, and then repackage the data and sell it back to the government.
The net result is that a lot of surveillance data moves back and forth between government and corporations. One consequence of this is that it’s hard to get effective laws passed to curb corporate surveillance—governments don’t really want to limit their own access to data by crippling the corporate hand that feeds them.
The “Do Not Track” debate serves as a sterling example of how bad things are. For years, privacy advocates have attempted to pass a law mandating that Internet users have the option of configuring their browsers so that websites would not track them. Several US national laws have been proposed, but have been fought hard by Internet companies and have never been passed. California passed one in 2013, but it was so watered down by lobbyists that it provides little benefit to users. As a user, you can configure your browser to tell websites you don’t want to be tracked, but websites are free to ignore your wishes.
It’s a bit different in Europe. Laws such as the EU Data Protection Directive put more constraints on corporate surveillance, and it has had an effect. But a “safe harbor” agreement between the US and the EU means personal data can flow from the EU to participating US companies under standards less strict than those that apply in the EU.
THE PUBLIC-PRIVATE SURVEILLANCE PARTNERSHIP
Governments don’t conduct surveillance, censorship, and control operations alone. They are supported by a vast public-private surveillance partnership: an array of for-profit corporations. A 2010 investigation found that 1,931 different corporations are working on intelligence, counterterrorism, or homeland security inside the US. In a 2013 story, the Washington Post reported that 70% of the US intelligence budget goes to private firms and that 483,000 government contractors hold top-secret clearances: a third of the 1.4 million people cleared at that level. There’s a strong revolving door between government and these companies. Admiral Mike McConnell, who directed the NSA from 1992 to 1996, left to become a vice president at the powerhouse government contractor Booz Allen Hamilton, where he continues to work on national intelligence. After retiring from directing the NSA in 2013, Keith Alexander started his own Internet security consulting firm, and filed patents for security technologies he claimed to have invented on his own time. He’s hired the NSA’s chief technology officer, who continues to work for the NSA as well.
Many cyberweapons manufacturers sell hacking tools to governments worldwide. For example, FinFisher is an “offensive IT Intrusion solution,” according to the promotional material from the UK and German company that makes it, Gamma Group. Governments purchase this software to spy on people’s computers and smartphones. In 2012, researchers found evidence that the FinFisher toolkit was deployed in Bahrain, Singapore, Indonesia, Mongolia, Turkmenistan, the UAE, Ethiopia, and Brunei, as well as the US and the Netherlands.
In Chapter 5, I mentioned the Italian company Hacking Team. Its computer and cell phone intrusion and monitoring products are used by the governme
nts of Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, the UAE, and Uzbekistan. The Moroccan government employed Hacking Team’s software to target the citizen journalist group Mamfakinch via an e-mail that purported to be a message from an anonymous citizen in danger; the attached file contained a payload of malware.
In 2011, arrested dissidents in Bahrain were shown transcripts of their private e-mail and chat sessions, collected by the government with tools provided by Nokia and Siemens.
The conference ISS World—which stands for Intelligence Support Systems—has frequent trade shows in cities like Dubai and Brasilia. The 2014 brochure advertised sessions on location surveillance, call record mining, offensive IT intrusion, and defeating encryption, and the sponsor list was a Who’s Who of these capabilities. Many countries send representatives to attend. There are similar conferences in the US and Europe.
Most of the big US defense contractors, such as Raytheon, Northrop Grumman, and Harris Corporation, build cyberweapons for the US military. And many big IT companies help build surveillance centers around the world. The French company Bull SA helped the Libyan government build its surveillance center. Nigeria used the Israeli firm Elbit Systems. Syria used the German company Siemens, the Italian company Area SpA, and others. The Gadhafi regime in Libya purchased telephone surveillance technology from China’s ZTE and South Africa’s VASTech. We don’t know who built the Internet surveillance systems used in Azerbaijan and Uzbekistan, but almost certainly some Western companies helped them. There are few laws prohibiting this kind of technology transfer, and the ones that exist are easily bypassed.
These are not only specially designed government eavesdropping systems; much government surveillance infrastructure is built for corporate use. US-based Blue Coat sells monitoring and content filtering systems for corporate networks, which are also used for government surveillance in countries like Burma, China, Egypt, Indonesia, Nigeria, Qatar, Saudi Arabia, Turkey, and Venezuela. Netsweeper is a Canadian corporate filtering product used for censorship by governments in Qatar, Yemen, the UAE, Somalia, and Pakistan. Filtering software from the US company Fortinet is used to censor the Internet in Burma; SmartFilter, from the US company McAfee and normally used in schools, helps the governments of Tunisia and Iran censor the Internet in their countries. Commercial security equipment from the UK company Sophos has been used by Syria and other oppressive regimes to surveil and arrest their citizens.