Dark Mirror
Page 22
“That’s a great question,” he said. “I suspect not, because I remember the first time I went there, 2004, 2005, I was struck that I’d just stepped into the 1950s. I remember walking in and seeing the old wood paneling, old-fashioned carpeting. I felt like I’d gone back in time. The support staff seemed to be mostly white women with beehive hairdos, all done up, and a lot of men in short sleeves. Kind of like what you see in a NASA movie [set in] the 1960s. That’s what it felt like. I remember, when I joked about it, someone saying a huge number of employees are legacy. Their parents worked there. It’s a family business.”
* * *
—
By doctrine the agency is supposed to assign its cover names at random. That is only sometimes true in practice. A true cryptonym, usually a pair of randomly selected words, conceals any hint of the secret it protects. BYZANTINEHADES, for instance, betrays no link to Chinese cyber espionage. But there are hundreds of other cover names that make no effort to be opaque. They are hand-selected for meaning, simple or otherwise. At times the names are artlessly literal. One classified compartment, shared with the United Kingdom’s GCHQ, is called VOYEUR. It refers to spying on another country’s spies as they spy on someone else, an especially intimate encounter. SCISSORS, a more prosaic choice, is a processing system that slices up data for sorting. Voyeurs peer through windows. Scissors cut. No mystery is intended or achieved.
The most revealing cover names are compact expressions of culture akin to street art. The culture owes a great deal to gamers, coders, and other digital natives in the outside world. Some of its products, like the sequence from BLINDDATE to NIGHTSTAND, evoke the “brotopia” of Emily Chang’s eponymous book about Silicon Valley. Some, like BOUNDLESSINFORMANT, which is a live-updated map of surveillance intake around the world, are so tone-deaf as to verge on self-parody. (The map itself, despite some breathless commentary, is nothing sinister.) In public remarks and testimony, NSA officials often speak of their “compliance culture,” humble and obedient to post-Watergate laws. There is truth in that, but when the agency’s hackers roam abroad, where far fewer restraints apply, they strike an outlaw pose. There is a whole branch of the acquisitions directorate, S31177, devoted to TRANSGRESSION. A mysterious BADASS compartment is mentioned but left unexplained. PITIEDFOOL, a suite of technical attacks on the Windows operating system, evokes the ferocity of Mr. T’s warning to enemies (“I pity the fool!”) in the film Rocky III. BLACKBELT, FELONYCROWBAR, ZOMBIEARMY, and DEVILHOUND share the macho vibe. Another whole class of cover names, including EPICFAIL and ERRONEOUSINGENUITY, jeer opsec errors by surveillance targets who imagine that they are covering their tracks.
Five months after the NSA leaks began, I spoke on a panel at the University of North Carolina with Tom Donilon, who had left his job as national security adviser to President Obama not long before. Afterward we stopped for a drink. He was too angry to talk much about Snowden, so I changed the subject to NSA hacker culture. The keyboard warriors, I told him, reminded me of fighter pilots I had known in the Navy and Air Force as a Pentagon correspondent. Donilon smiled and said, “They really want to win.”
Internal conversations drip with mock sympathy for the NSA’s hapless targets. “The approach we’ve been using recently is so terribly simple that it’s kinda sad that it even works,” wrote a Technical Directorate author from T-314, End User Solutions. His primer for colleagues offered five ways to hack into routers used by foreign rivals who think they are playing offense. “Very bad for the victim,” he observed.
The insider folkways signal membership in a tribe. The tribe likes science fiction and fantasy, comic book heroes, Star Trek, Star Wars, Harry Potter, fast food, whiskey, math jokes, programmer jokes, ethnic jokes, jokes about nontechnical people, and caustic captions on photographs. NSA nerds use “dork” and “bork” as verbs. As in: dork the operating system to exploit a device, but don’t bork it completely or the device will shut down. They illustrate reports with photos of animals in awkward predicaments; one of them likens a surveillance target to a horse with its head stuck in a tree. They condescend about “leet” (or “l33t”) adversaries, wannabe elite hackers who think they can swim with the NSA’s sharks. They boast of dining on rivals who “are honing their skillz,” another term of derision. The themes and memes of NSA network operations are telltales of a coder class that lives its life onscreen, inattentive to the social cues of people who interact “IRL”—in real life. “What we’re seeing is a culture whereby your primary outlet and mechanism for community is a digitally mediated wiki or forum,” Soltani told me.
The keyboard geekery can be whimsical. One training officer, apropos of nothing, dropped a joke about binary numbers into a cryptography lecture. “There are 10 types of people in this world: Those who understand binary and those that don’t,” the instructor wrote. A weekly briefing on surveillance operations paused to celebrate Pi Day, March 14, when the numeric form of the date is the best-known constant in math. Then there is the NSA Round Table, an electronic discussion group that invites participants to vote one another’s comments up or down. The voting system, lifted from Reddit, rewards amusing insults as much as content in a forum ostensibly devoted to classified business. “Why is a scoop of potatoes larger than a scoop of eggs in the cafeteria?” a contributor named Michael wondered one day. Paul jumped in to play the troll. “Let me be the first to down-vote you,” Paul wrote, naming several pedantic reasons. A side debate erupted: should Michael’s post be down-voted, flagged, or removed? Clyde returned to the topic at hand with a facetious theory that scoop volume is proportional to the relative size of potatoes and eggs themselves. In that case, Scott replied, what would happen if “we served eggs that were bigger than potatoes, like of an Ostrich?” Someone proposed a uniform system, “One Spoon to scoop them all,” an homage to Lord of the Rings. Punsters demanded the “inside scoop” and lamented the waste of time on “small potatoes.”
The same aspirations to nerdy wit define a large universe of NSA cover names. Somebody came up with CAPTIVATEDAUDIENCE for a software tool that listens in on conversations by switching on the microphone of a target’s mobile handset. Many, many cryptonyms juxtapose animal names—rabbits, goats, monkeys, kittens, a whole menagerie—with incongruous adjectives.
Comic book heroes and villains take prominent places in the pantheon. MJOLNIR, the mythical hammer of Thor, is an NSA weapon to break the anonymity of Tor. BATCAVE includes a digital hideout for agency hackers who emerge to steal another country’s software code. Batman’s alluring foe and sometime love interest, POISONIVY, is the cover name for a remote-access trojan used by Chinese government spies. Another program is named for DEPUTYDAWG, the cartoon sheriff in a Terrytoon children’s show. NIGHTTRAIN is harder to source with confidence, being a blues song and a country song and a Guns N’ Roses song, but it seems to refer in context to a volume of the Hellboy comic series. Inside the agency it is part of an especially sensitive program: espionage on a close U.S. ally during operations alongside the ally against a common foe. NIGHTTRAIN is the ally’s surveillance technology. The NSA hacks into it with IRONAVENGER, named for a Marvel Comics story line about robot duplicates of famous superheroes. An NSA system for automated decryption of enciphered data is named TURTLEPOWER, after the Teenage Mutant Ninja Turtles.
So it goes. Harry Potter fans dreamed up QUIDDITCH in honor of the exploits of the NSA’s Special Collection Service. SORTINGHAT, the enchanted cap that selects a Hogwarts house for each young wizard, is what the NSA calls the traffic control system for information exchanged with its British counterpart. Dystopian fiction contributes BLADERUNNER and ALTEREDCARBON, a pair of stories adapted from print to film. GROK, a verb invented by science-fiction author Robert Heinlein to signify deep understanding, is an NSA key logger that records every character a victim types. Favorite libations (MAKERSMARK, WALKERBLACK, CROWNROYAL) and junk foods (KRISPYKREME, COOKIEDOUGH, LIFESAVER) make regular appearances. UNPACMAN is a no
d to early arcade games.
Star Trek lore provides an especially rich source of memes. VULCANDEATHGRIP, First Officer Spock’s ultimate combat move, is a nerdy play on network lingo: the grip in this case seizes encryption keys during the “handshake” of two devices as they establish a secure link. BORGERKING is a two-fer: fast food and a nod to the Borg collective that overmatches Starfleet Captain Jean-Luc Picard. Trekkies account for VULCANMINDMELD and WHARPDRIVE, too, but their best work is no doubt KOBAYASHIMARU. That is what the NSA calls its contract with General Dynamics to help break into another country’s surveillance equipment. In the Star Trek oeuvre, the name refers to a simulated mission at Starfleet Academy that tests a young cadet’s character in the face of certain doom. Every path in the game is programmed to destroy the player’s ship and crew. Cadet James T. Kirk, having none of that, hacks into the simulator and adds a winning scenario. The metaphor stands for more than it may intend: not only creative circumvention, an NSA specialty, but a hacker spirit that gamifies its work.
The fun and games are sometimes dispiriting to read. In the NSA’s Hawaii operations center, civilian and enlisted personnel used their work machines to circulate dozens of photo memes that originated on Reddit, 4chan, and somethingawful.com. One photo showed a four-foot plastic Donald Duck with hips positioned suggestively between the legs of a pigtailed little girl. Another depicted a small boy tugging at a playmate’s skirt with the caption, “I would tear that ass up!” An image of blue balls accompanied a warning to a girl in her early teens against “teasing” her boyfriend without submitting to sex. Beneath a photo of smiling middle school children, one of them in a wheelchair, another caption read, “Who doesn’t belong? That’s right. Wheel your ass on outta here.” A similar photo, overlaid with an arrow that pointed to one of the boys, declared, “Everyone can be friends! Except for this little faggot.” One more, shot at the finish line of a Special Olympics footrace, advised the joyful victor, “Even if you win, you’re still retarded.”
None of that could be called official business, even if distributed at work, but ethnic and other slurs find their way into NSA briefings and training resources as well. They turn up most commonly when syllabus writers are called upon to make up foreign names. Invented names are a staple of NSA course materials because analysts in training have no need to know the identities of actual foreign surveillance targets. Instructors use fictional substitutes to teach the technical and procedural fine points of target selection.
One of the first things an analyst needs to learn is what counts as an adequate reason to judge that a prospective surveillance target is a foreign national on foreign territory. (Fourth Amendment restrictions apply otherwise.) The NSA syllabus for its Smart Target Enhancement Program walks through twelve “foreignness factors” that analysts may rely upon, each illustrated with examples. Some of the ersatz target names are merely playful: Elmer Fudd, Dr. Evil, Bad Dude, Bad Girl, Bad Guy, and Super Bad Guy. Most of them descend into stereotype. Lotsa Casho is a “Colombia-based coordinator” for a drug cartel. A Beijing-based Chinese party of interest can be found online as friedrice@hotmail.com. The Turkish target (kababs4u@yahoo.com) is “Master Kabob,” believed by the NSA “to have provided grilled kabobs for hungry Islamic cells.”
The most derisive descriptions, and the ones used most often, are reserved for fictional Arabs and Muslims. Many are named with a bastardized reference to an Arabic term of respect for fatherhood. Abu Bad Guy, Abu Evil, and Abu Raghead make appearances, among others. Another version takes the name of the Prophet: Mohammed Bad Guy, Mohammed Evil, and so on. Weekly program updates in briefings prepared for supervisors display related tropes. One report on a surveillance operation in progress took a break from matters at hand to joke about what happens when the “mulla [sic] mixes his viagra with his heroin.” (“Now he gets an erection but can’t stand up.”) Save for the last example, these are bureaucratically vetted teaching materials.
The levity extends to battlefield support for U.S. Special Forces and CIA drone operators. The work of the SIGINT Directorate, when it locates and identifies enemy combatants, can have immediate life-and-death stakes. In unguarded moments, as NSA personnel put crosshairs on an enemy, they display a gamer’s detachment from bloodshed. A surveillance photo in one official briefing depicted a man in Arab headdress strumming an instrument, oblivious to what the context suggests is his impending demise. The caption on the photo is “To Catch a Guitar Hero?” after the Activision video game. The wisecracking cover names for al Qaeda’s once-favorite encryption software, use of which helped mark a target for death, were EXPLETIVEDELETED and EXUBERANTCORPSE.
In the summer of 2006, a long and frustrating hunt for the leader of al Qaeda in Iraq was drawing to a close. The NSA and other U.S. intelligence agencies had labored for years to track Abu Musab Zarqawi, who spread monstrous carnage—hundreds of kidnappings, beheadings, and bombings—in his quest to expel foreign forces and terrorize Iraq’s Shiite majority. When U.S. warplanes finally caught up with him on June 7, 2006, NSA analysts claimed a share of the credit in a fist-bumping status report. In it they assembled half a dozen photographs of Zarqawi’s corpse. Blood pooled and congealed beneath his head, ran from his nose, and smeared his cheeks. Flies feasted on his flesh. The U.S. government later released a cleaned-up image of Zarqawi in final repose, attempting to quell any doubts about his death. The ones in the NSA document were brutal close-ups. An audio file accompanied the six frames. “Oh noooo!” exclaimed a nasal, cartoonish voice. It was an old meme of hilarity at someone else’s disappointment or pain, a staple of flame wars since early internet chat rooms. (Flamers sometimes rendered it “oh noes!” or “oh the noes!”) Television’s Saturday Night Live may have inspired the meme with a recurring comedy sketch in the late 1970s. A clay figurine named Mr. Bill, the star of a parody children’s show, closed most episodes with a high-pitched scream of “Oh noooo!” as Mr. Hands mangled, crushed, or dismembered him.
* * *
—
In the age of Trump, I found a new openness among my bitter critics in the intelligence community. People who had shunned contact after the Snowden revelations began to talk to me again. One of them, soon after retiring as director of national intelligence, was Air Force lieutenant general James Clapper. Both his parents had worked for a time at Fort Meade, and Clapper himself did a tour there as aide to the NSA director in the course of a half-century career. In 2014, Clapper had come as close as anyone in government to accusing me, along with Laura Poitras and Glenn Greenwald, of taking part in a criminal conspiracy with Snowden. Four years later, in the summer of 2018, he agreed to meet face-to-face. Clapper had responded crankily at first to my request for half a day of his time. “I need to know what this is about before I sit for an hours-long recorded interrogation,” he wrote. I made fun of his choice of noun but replied at length. Eventually he agreed to breakfast at the McLean Family Restaurant, a CIA hangout in northern Virginia, where Clapper seemed to know half the room. He made the rounds, chatting up old friends and colleagues, then ordered an egg white omelet. During several hours of conversation, long after servers cleared our plates, he listened respectfully and responded without mincing words. I recounted some of the stories I planned to tell here.
Near the end of the interview, I asked Clapper what to make of an agency culture in which hackers and analysts feel free to mock the dead and conduct official business with ethnic and sexual slurs. “These are not necessarily the people you want to be in charge,” I said.
His face tightened. “TAO,” he said, referring to Tailored Access Operations, “is supposed to be, you know, our legitimate government officially sanctioned hackers.”
“Right. They’re supposed to be,” I replied. “But if they’re snickering about—”
He interrupted, sarcastic. “But we want them to be nice. We don’t want to do anything that’s politically incorrect. Right? Isn’t that what you’re saying?”
> “What you want is to think there’s a certain level of maturity and respect for the amount of power they have.”
Clapper softened. “Well, yeah. You do. But, hey, they’re human beings, too. And I’m sure we could clean that up.”
* * *
—
Open-mindedness in a leader of Clapper’s rank is not to be taken for granted. Even so, he could have probed more deeply. Language is the symptom, not the problem. NSA geeks are not like other geeks whose folkways they share. The NSA’s Top Guns build and operate the machinery of a global surveillance hegemon, licensed to do things that would land them in prison if they tried them anywhere else. The eagle and serpent would not be alpha predators without them. Only judgment and self-control can govern them where there is some play in the rules, as there usually is in a sprawling enterprise. Digital weapons designers, like engineers everywhere, are inclined to do what works. The choices they make reach well beyond the terrain of Bad Girls and Bad Guys.
Some of the finest minds in the field assemble for Sigdev, or “signals development,” several times a year. They are incubators of the dark arts in electronic surveillance. Prodigious creative energies conjure weapons to set loose against advances in digital defense. Collateral effects are not always well contained. In 2012, the Jamboree conference took a dangerous turn.
Researchers for the NSA and CIA had been preoccupied with Apple’s iPhone since its introduction on June 29, 2007. The first mass-market smartphone was a surveillance bonanza—camera, microphone, locator beacon, and more—if the government could find a way in. That was not much of a challenge in the early years. Skillful hobbyists with far fewer resources bypassed Apple’s restrictions on unauthorized code within days of each new release of the iPhone operating system. That exercise, known as jailbreaking, unlocked the firmware and induced the phone to run software that Apple had not approved. “Any untethered jailbreak is remotely exploitable,” as one practitioner put it to me.