Dark Mirror
Page 8
Snowden touted his accomplishments in an unclassified curriculum vitae he prepared that summer. At Dell, he wrote, he had helped set “strategy, policy and planning direction” for multimillion-dollar contract proposals, “regularly briefing C-level executives.” In a rather grand allusion to EPICSHELTER, he took credit for “driving a modernization initiative for the entire OCONUS backup infrastructure.” (In Pentagon-speak, that meant “outside the continental United States.”) In places, the résumé took some license with his credentials. A teenage job at a two-person firm based at a town house on Army base housing became “IT Consultant” at “Fort Meade.” He cited computer certifications from “Johns Hopkins University,” which was not the same thing as the Computer Career Institute at Johns Hopkins, where he studied. In reference to his job as a night shift security guard, the one where he was caught browsing the internet, he cast himself as having trained the networking staff “on IT security procedures, access, and CI awareness.” He had successfully communicated, he wrote, in “Japanese, French, Mandarin Chinese, Spanish, Bosnian, Italian, Romanian, and Thai.”
The résumé’s most intriguing line described Snowden’s invention of “an uncensorable method of asset communication that functions in the event of the originator’s death or detainment.” An asset, in this context, meant an intelligence agent, a foreign national recruited by U.S. handlers. In colloquial terms, Snowden had devised a high-tech “dead man’s switch.” The foreign agent could queue up an emergency message, knowing it would be transmitted within twenty-four hours unless he took specific steps to reset the clock. Here again, Snowden’s ingenuity showed a double edge. A dead man’s switch could be a valuable addition to the human intelligence toolkit. It could also be put to use for Snowden’s own clandestine work, a guarantee that the NSA documents he took would reach the three journalists he chose no matter what happened to him. Snowden told me on several occasions that shortly before leaving Hawaii, when the risk of arrest reached its peak, he had set up a dead man’s switch to convey the documents to journalists if he became unable to send them himself. “At a certain point in the process, your preparations have been made so that you can’t lose,” he told me in late 2013, declining to speak of the details. “The truth is going to get out. The truth is coming. It’s not going to be stopped. When you are a fucking engineer it is not that hard to figure out how to do that.”
* * *
Snowden became more open about his politics as he recovered from his seizure at the end of 2011. In March 2012, just before departing for Hawaii, he donated $250 to the presidential campaign of the Libertarian Party nominee, Ron Paul, a fierce critic of government surveillance even then. He sent another $250 in May. Inside the Kunia Tunnel, he wore a hoodie with a parody logo of the NSA. Sold by the Electronic Frontier Foundation, a frequent agency adversary in court, the hoodie depicted a bald eagle wearing comically oversized headphones plugged into AT&T telephone cables. He also kept a copy of the U.S. Constitution on his desk, the better to invoke the Fourth Amendment in conversations with coworkers about surveillance as a form of “search and seizure.”
On November 18, 2012, Snowden wrote anonymously to Runa Sandvik, a developer at the Tor Project. Tor allowed anyone to surf the web privately by routing connections through relays around the world. Its network depended on volunteers to supply the connections. Snowden told Sandvik that he contributed some of Tor’s fastest “exit relays,” which become the apparent point of origin for traffic routed through Tor. That alone was risky for a man who worked at the NSA. Exit relays are visible to anyone on the web, and their operators commonly receive copyright notices and “letters from law enforcement,” Sandvik said. If the FBI discovered a relay run by an intelligence contractor, there might be more questions than usual. Snowden knew from Sandvik’s Twitter feed that she planned to visit Honolulu. Could she bring some Tor stickers and T-shirts? His explanation would have astounded her if she knew his employer. “I’m talking some of the more technical guys at work into starting additional fast servers up, and I thought some swag-on-hand might incentivize them to do it in the ‘tonight’ time frame instead of ‘eventually,’” he wrote. Snowden was openly recruiting surveillance coworkers to help support the leading countersurveillance technology. “If shirts are available, black is preferable, but will gladly pass out whatevs,” he added two days later.
When Sandvik wrote back that she would gladly oblige, Snowden also volunteered to cohost a “cryptoparty” with her. These were increasingly popular gatherings, pairing hipster evangelism with practical instruction on keeping Big Brother at bay. Snowden, incautiously, corresponded with Sandvik about this public event from the same anonymous email address, cincinnatus@lavabit.com, that he would use the following month for first contact with Glenn Greenwald. He did not mention his NSA job, but he sent Sandvik his full name and home address for delivery of the Tor swag. He taught the class alongside her as “Ed.”
By this time Snowden had either crossed the line into illegal document gathering or was on the brink of doing so. Any gesture of dissent carried risk. Why would he poke his head up when exposure would surely land him in prison? For a long time, I read his choices in those months as reckless. More recently, I have come to think they may have been considered acts of camouflage. Small expressions of sympathy for NSA critics might inoculate him against darker suspicions. They did not fit the profile of a stealthy “inside threat.” He was just one of those guys. Every office has one. Sardonic, contrarian, eccentric maybe, but harmless in the end.
An old NSA maxim, one analyst told me, is that “there is no traffic fairy.” No one magically intuits what data you want and intercepts it on your behalf. The lesson for newbies, the analyst said, is supposed to be that “you have to cultivate your own collection, not rely on other people to get it for you without being asked.” In Snowden’s fourteen months in Hawaii, he embarked on a private version of that exercise.
Despite his experience in Langley, Geneva, and Japan, the network at Kunia was “a completely foreign setup, completely new permissions, completely new servers,” he said. Slowly and carefully, he explored the boundaries of his electronic universe. “To do something like this, first you have to know the domain,” he said. “You have to understand the rules. You have to understand what’s being monitored; you have to understand what’s not being monitored. You have to understand what you have access to, what you don’t have access to. You have to understand how everything lays out and how it fits together.”
Certainly he could not just browse at will. The NSA’s access control system specified fine-grained clearances and permissions in a digital certificate for every authorized user. The certificate was known in shorthand as the PKI, for public key infrastructure. At the Pentagon, employees carried their certificates in a chip embedded in a wallet-sized card. At the NSA, there was no hardware involved. The certificates were stored in each user’s computer network profile.
The credentials in Snowden’s PKI were close to the worst-case scenario for the NSA’s internal defenses. The risk he posed, from that point of view, was a nightmare of acronyms: TS//SI//G//TK//HCS. Anyone who worked in the Tunnel had at least the first of those, a Top Secret clearance, and probably the second one, too. “Special intelligence,” the control system for compartmented information about surveillance sources and methods, was the bread and butter of Kunia’s mission. Not all of Snowden’s colleagues held the third credential, short for Gamma, which opened the door to the contents of intercepted communications. The fourth credential may also have been less common. Talent Keyhole covered secrets about spy satellites and other overhead collection systems. Rarest at the NSA was Snowden’s clearance for HCS, the HUMINT Control System. (Military and intelligence agencies like to stack acronyms. HUMINT meant “human intelligence,” the clandestine work of U.S. case officers.) That one came as a legacy of Snowden’s time at the CIA, which did not revoke his credentials upon departure.
On top of all that came the privileged access of a top-tier system administrator. That status enabled Snowden to stop, start, and alter computing processes at the root level, where the fundamental workings of the network were controlled. He could disable, edit, or erase some of the activity logs that would otherwise leave evidence of his digital movements. He could move or copy files and override restrictions on the use of external storage devices such as thumb drives.
It would be easy to overstate the access that the U.S. government officially granted Snowden. Circumstance had given him a set of credentials that few of his Kunia coworkers could match. That did not mean the government entrusted him with all its big secrets, or most of them, or any large fraction. His four major clearances—SI, TK, G, and HCS—made him eligible for those categories of sensitive information, but they did not grant the access on their own. They were threshold credentials, necessary but not sufficient. Before Snowden could be “read into” any given compartment, before he could examine the files inside, proper authorities had to certify his need to know. His final job in Hawaii, for example, cleared him to read files marked BYZANTINEHADES and SEEDSPHERE, which were concerned with Chinese government hacking. He did not have a need to know compartmented information about the Chinese Politburo or hackers from Iran.
That, at any rate, was how the limits were supposed to work. Snowden, by lifelong habit, looked for side channels. He had never served in a clandestine role, but he borrowed a classic method of misdirection. His official duties, openly performed, provided “cover for presence” and “cover for action” in digital neighborhoods where he might otherwise attract suspicion.
* * *
Early on, Snowden repurposed a routine security audit that he performed in the Windows engineering division. The task, in essence, was to find misfiled secrets—restricted information that had migrated somehow to less restricted locations on the network. He was supposed to delete those files, but he had other options. Once he took possession, according to the NSA’s chief technical officer, Lonny Anderson, “he used his sys admin privileges to exfiltrate. He would move the data as part of the sys admin job to a place that he was comfortable, ‘Here I can exfil the data.’”
Snowden ran “dirty word searches” across the network domains under his administrative control. A dirty word was a search term that was supposed to come up empty. If everyone followed security protocols, there would be nothing to find. He might search for the term “NOFORN” in a system accessible to the Five Eyes, the NSA’s closest foreign counterparts. If he found a hit, it meant that someone had dropped a “don’t show foreigners” file in a bucket marked “show our foreign friends.”
Another kind of dirty word search took Snowden deeper. He looked for files marked “ECI,” or exceptionally controlled information. Nothing classified at that level belonged on the network servers. Information that sensitive was supposed to be stored in a cipher-locked room on a system that required special access credentials. Similar restrictions applied to files labeled “FISA” or “FAA 702,” a reference to communications intercepted within the United States under authority of the FISA Amendments Act, Section 702. In general, said the NSA’s Anderson, Snowden was authorized for reports and presentations, “not access to what we would call data, so he’s not going into repositories and getting access to raw data.” That was true, officially, at Kunia, though not in his final position in Hawaii. It was a poor description of what he could reach in practice.
The NSA’s digital machinery is operated by humans, and humans make mistakes. Humans also take shortcuts when the approved procedures get too much in the way of their jobs. In one case, a group of analysts curated and shared their working copies of files drawn from a large, restricted database of raw intelligence. They wanted to collaborate and avoid redundant work. Each of them had authority to read the material, but the files did not belong in the system they used for sharing. Snowden found and copied them, he told me later, in order to show how many innocent people are swept into the NSA’s net.
Snowden’s dirty word searches improved when he turned up a list of cover names for ECI compartments. He was not cleared to look inside the compartments, but his credentials, his PKI certificate, allowed him to see what those compartments were called. His search terms expanded to include “AMBULANT,” “BLACKAXE,” “CRUMPET,” “DEVILFISH,” “FLYLEAF,” “HYSSOP,” “KESSELRUN,” “LIGHTNINGTHIEF,” and at least seventy more ECI cover names. Every time he found a hit, something new and quite sensitive, previously beyond reach, popped up on his screen.
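The dirty word audit described above, written out as an added example (not the NSA's tooling and not code from the book): it scans a constructed in-memory corpus and flags any file whose banner markings or body text carry a term forbidden on the share it sits in. The share names, the per-share policy, and the sample files are assumptions made for the example.

```python
import re

# Assumed release policy: the markings each storage location must never hold.
# "ECI", "FISA" and "FAA 702" material belongs only in the special-access system.
SHARE_POLICY = {
    "fvey_share": {"NOFORN", "ECI", "FISA", "FAA 702"},   # visible to Five Eyes partners
    "nsa_internal": {"ECI", "FISA", "FAA 702"},          # ordinary NSA network servers
    "eci_vault": set(),                                  # the cipher-locked, special-access system
}

# ECI cover names named on the page; a hit anywhere but the vault is a misfile.
ECI_COVER_NAMES = {"AMBULANT", "BLACKAXE", "CRUMPET", "DEVILFISH", "FLYLEAF",
                   "HYSSOP", "KESSELRUN", "LIGHTNINGTHIEF", "STELLARWIND"}

# Constructed sample corpus: location -> {filename: contents}.
SAMPLE_FILES = {
    "fvey_share": {
        "brief.txt": "TOP SECRET//SI//REL TO USA, FVEY\nWeekly collection summary.",
        "memo.txt": "TOP SECRET//SI//NOFORN\nNot for release to foreign partners.",
    },
    "nsa_internal": {
        "notes.txt": "TOP SECRET//SI//G//TK\nDraft IG report on STELLARWIND phases.",
        "ok.txt": "SECRET//SI\nRoutine ops notes.",
    },
    "eci_vault": {
        "report.txt": "TOP SECRET//SI//ECI STELLARWIND//NOFORN\nIG report.",
    },
}

BANNER_RE = re.compile(r"^(TOP SECRET|SECRET|CONFIDENTIAL|UNCLASSIFIED)((?://[A-Z0-9 ,-]+)*)", re.M)


def banner_markings(text):
    """Return the control markings carried on the document's banner lines."""
    found = set()
    for m in BANNER_RE.finditer(text):
        found.update(tok.strip() for tok in m.group(2).split("//") if tok.strip())
    return found


def word_hits(text, words):
    """Return which of the given dirty words appear as whole words anywhere in the text."""
    return {w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text)}


def audit(corpus=SAMPLE_FILES):
    """Return (location, filename, term) for every term that should not be where it was found."""
    findings = []
    for location, files in corpus.items():
        forbidden = SHARE_POLICY[location]
        for name, text in files.items():
            present = banner_markings(text) | word_hits(text, forbidden | ECI_COVER_NAMES)
            bad = present & forbidden
            if location != "eci_vault":          # cover names are only legitimate inside the vault
                bad |= present & ECI_COVER_NAMES
            findings.extend((location, name, term) for term in sorted(bad))
    return findings
```

Run on the sample corpus it reports the NOFORN memo on the partner share and the STELLARWIND reference on the ordinary server, and nothing for the vault.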
One day, such a search produced hits on “STARBURST,” “WHIPGENIE,” and “STELLARWIND.” If any one event pushed Snowden over the edge, this might have been it. The three cover names referred to different stages of one evolving set of operations, carried out between 2001 and 2007. Under orders from President Bush, the NSA spied on Americans in ways that Congress had expressly forbidden since 1978. The domestic surveillance, without judicial or legislative authority, was conceived and overseen after the September 11 attacks by Vice President Cheney and his general counsel, David Addington. Eventually, in 2004, the Justice Department ruled that some of the operations were illegal. In broad outline, this much had been made public by the time Snowden arrived in Hawaii.
What Snowden found that day was something new: a near-final draft of the NSA inspector general’s report on the episode, classified and compartmented as ECI. Its fifty-seven pages laid out a detailed history of the warrantless surveillance programs, culminating in the collapse of Justice Department legal support. Cheney and his lawyer maintained that no one in the executive, judicial, or legislative branches had the power to limit the president’s warmaking authority. Intelligence gathering, which is inherent in war, was the exclusive prerogative of the commander in chief. When the acting attorney general, James B. Comey, refused to certify that the operations were lawful, Cheney’s lawyer telephoned the NSA’s director, Michael V. Hayden.
“On 11 March 2004,” the report said, “General Hayden had to decide whether NSA would execute the Authorization without the Attorney General’s signature. General Hayden described a conversation in which David Addington asked, ‘Will you do it?’”
Hayden said yes.
“It was the STELLARWIND memo that really affected me,” Snowden told me. “The fact that Hayden knew there was no statutory authority.” Hayden’s career, Snowden noted, continued to thrive in the aftermath. He was not disciplined, charged with an offense, or subjected to hard questions about his choice in a public hearing. When Congress learned of the secret programs, it gave retroactive legal immunity to those who carried them out and authority for future presidents to keep them going. The lesson Snowden drew was that even in the most extreme case, when an NSA director knowingly broke the law as the attorney general defined it, no branch of government was prepared to hold him accountable. The public had no idea what transpired. Snowden believed it should. In November 2013, months after Snowden brought the episode to light, Hayden and I met onstage at Duke University. He argued that every program Snowden disclosed was legal. I noted that he had kept one of them active after the Justice Department said otherwise. Afterward, in a hallway, Hayden accused me of taking a cheap shot. He had agreed to extend STELLARWIND for only forty-five days, he said, in order to allow time for a legal fix. He did not explain why he chose that course rather than halt operations until such a fix was made.
Snowden appears to have made some of his most consequential finds by taking advantage of an efficiency feature in the NSA’s configuration of user accounts. You could sign on to any NSA workstation in the world and your “active directory profile”—working files and folders, browser settings, identity certificates—would appear, same as always. If a visitor came to Kunia from some distant office, such as Fort Meade headquarters, remote access could be balky and slow. In such cases, the system was designed to copy the visitor’s profile to a temporary local cache. The consequence was this: each time a VIP arrived at Kunia, memos and spreadsheets and slide decks poured into a folder under Snowden’s administrative control. Joseph J. Brand, then the NSA’s associate director for community integration, policy, and records, unknowingly contributed one collection. Based on my own analysis of the metadata, the hidden properties of the files, Brand’s temporary folder supplied Snowden with the STELLARWIND report.
“The biggest hurdle to get over for everyone on the ‘how it happened’ story is to understand that the NSA’s security is about 15 years out of date,” Snowden wrote to me. “Their defense is the airgap, a fenceline and some cops.”
The ramparts all faced outward. An air gap, meaning physical separation, ensured that sensitive systems did not connect electronically to the wider world. Fences and guards kept adversaries on the other side. There was no effective defense against a skillful insider with the nerve to keep probing day after day, month after month, even as he conversed with journalists.
* * *