
The Snowden Reader


by David P Fidler


  NSA, Classification Guide for Project BULLRUN on Defeating Encryption, June 16, 2010 [disclosed September 5, 2013].

  Source: Electronic Frontier Foundation, https://www.eff.org/document/2013-09-05-guard-bullrun.

  18

  NSA’s SIGINT Strategy, 2012–2016

  This document provides an excerpt from the leak of the NSA’s top secret strategy for signals intelligence adopted in 2012 and intended to guide the agency through 2016. The New York Times described it as “essentially a National Security Agency mission statement with broad goals, including a desire to push for changes in the law to provide the agency with expanded surveillance powers.” The strategy contains objectives underscoring the NSA’s strategic interest in countering encryption challenges to its signals intelligence missions. It also contained language that NSA critics seized upon as evidence of the menace the agency presented to cyber security, such as the goals to “dramatically increase mastery of the global network” and to have the ability to collect signals intelligence “from anyone, anytime, anywhere.” This latter phrase recalled Snowden’s Moscow airport statement in July 2013 (see Document 5) in which he controversially asserted that, at the NSA, he had the power to read “[a]nyone’s communications at any time.”

  TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

  . . .

  SIGINT Goals for 2012–2016

  1. (U//FOUO) Revolutionize analysis—fundamentally shift our analytic approach from a production to a discovery bias, enriched by innovative customer/partner engagement, radically increasing operational impact across all mission domains.

  1.1. (U//FOUO) Through advanced tradecraft and automation, dramatically increase mastery of the global network

  1.2. (U//FOUO) Conduct original analysis in a collaborative information space that mirrors how people interact in the information age

  1.3. (U//FOUO) Disseminate data at its first point of relevance, share bulk data, and enable customers to address niche requirements

  1.4. (U//FOUO) Drive an agile technology base mapped to the cognitive processes that underpin large scale analysis, discovery, compliance and collaboration

  2. (U//FOUO) Fully leverage internal and external NSA partnerships to collaboratively discover targets, find their vulnerabilities, and overcome their network/communication defenses.

  2.1. (U//FOUO) Bolster our arsenal of capabilities against the most critical cryptanalytic challenges

  2.1.1. (S//SI//REL) Employ multidisciplinary approaches to cryptanalytic problems, leveraging and integrating mid-point and end-point capabilities to enable cryptanalysis

  2.1.2. (S//REL) Counter the challenge of ubiquitous, strong, commercial network encryption

  2.1.3. (TS//SI//REL) Counter indigenous cryptographic programs by targeting their industrial bases with all available SIGINT and HUMINT capabilities

  2.1.4. (TS//SI//REL) Influence the global commercial encryption market through commercial relationships, HUMINT, and second and third party partners

  2.1.5. (S//SI//REL) Continue to invest in the industrial base and drive the state of the art for High Performance Computing to maintain preeminent cryptanalytic capability for the nation

  2.2. (TS//SI//REL) Defeat adversary cybersecurity practices in order to acquire the SIGINT data we need from anyone, anytime, anywhere

  2.3. (S//SI) Enable discovery capabilities and advanced tradecraft in the collection architecture to enable the discovery of mission-critical persona, networks, accesses, signals and technologies

  2.4. (S//SI) Integrate capabilities into the mission architecture, deepen workforce skill base in advanced network and signals analysis, and optimize processes and policies for the benefit of discovery

  3. (S//SI//REL) Dynamically integrate endpoint, midpoint, industrial-enabled, and cryptanalytic capabilities to reach previously inaccessible targets in support of exploitation, cyber defense, and cyber operations

  3.1. (C//REL) Drive the SIGINT mission architecture to underpin synchronized, integrated, multi-capability operations, extending it to mission partners

  3.2. (TS//SI//REL) Integrate the SIGINT system into a national network of sensors which interactively sense, respond, and alert one another at machine speed

  3.3. (U//FOUO) Continuously rebalance our portfolio of accesses and access capabilities based on current and projected contributions to key SIGINT missions

  3.4. (S//SI//REL) Identify new access, collection, and exploitation methods by leveraging global business trends in data and communications services

  . . .

  NSA, SIGINT Strategy, 2012–2016 (February 23, 2012), 4 [disclosed November 22, 2013].

  Source: “A Strategy for Surveillance Powers,” New York Times, November 23, 2013, http://www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategy-document.html.

  19

  Office of the Director of National Intelligence and James R. Clapper, Director of National Intelligence, Statements on NSA Cryptological Capabilities

  The disclosures about NSA efforts on encryption provoked the Office of the Director of National Intelligence and the director of national intelligence to issue statements in September and October 2013 about the NSA’s interest in, and responsibilities to counteract, encryption used by U.S. adversaries. Shortly after exposure of the encryption projects, the Guardian ran stories based on Snowden-leaked documents exposing NSA efforts to compromise the online anonymity provided by the TOR network. TOR, originally an acronym for “The Onion Router,” is free software and a volunteer-operated overlay network that routes a user’s traffic through several relays under layered encryption, so that no single relay learns both who the user is and which site is being visited; it is used to anonymize web browsing and other Internet communications and thereby to strengthen their security and privacy. The TOR stories prompted the director of national intelligence to explain why the NSA must address the problems that online anonymity, encryption, and other techniques pose for gathering needed foreign intelligence.

  Office of the Director of National Intelligence, Statement on the Unauthorized Disclosure of NSA Cryptological Capabilities, September 6, 2013

  It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption. Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.

  While the specifics of how our intelligence agencies carry out this cryptanalytic mission have been kept secret, the fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news. Indeed, NSA’s public website states that its mission includes leading “the U.S. Government in cryptology . . . in order to gain a decision advantage for the Nation and our allies.”

  The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday’s disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.

  James R. Clapper, Director of National Intelligence, Why the Intelligence Community Seeks to Understand Online Communication Tools & Technologies, October 4, 2013

  Recently published news articles discuss the Intelligence Community’s interest in tools used to facilitate anonymous online communication. The articles accurately point out that the Intelligence Community seeks to understand how these tools work and the kind of information being concealed.

  However, the articles fail to make clear that the Intelligence Community’s interest in online anonymity services and other online communication and networking tools is based on the undeniable fact that these are the tools our adversaries use to communicate and coordinate attacks against the United States and our allies.


  The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens.

  Within our lawful mission to collect foreign intelligence to protect the United States, we use every intelligence tool available to understand the intent of our foreign adversaries so that we can disrupt their plans and prevent them from bringing harm to innocent Americans.

  In the modern telecommunications era, our adversaries have the ability to hide their messages and discussions among those of innocent people around the world. They use the very same social networking sites, encryption tools and other security features that protect our daily online activities.

  Americans depend on the Intelligence Community to know who and what the threats are, and where they come from. They want us to provide policy makers with the information necessary to keep our nation safe, and they rightfully want us to do this without compromising respect for the civil liberties and privacy of our citizens.

  Many of the recent articles based on leaked classified documents have painted an inaccurate and misleading picture of the Intelligence Community. The reality is that the men and women at the National Security Agency and across the Intelligence Community are abiding by the law, respecting the rights of citizens and doing everything they can to help keep our nation safe.

  Office of the Director of National Intelligence, Statement on the Unauthorized Disclosure of NSA Cryptological Capabilities, September 6, 2013, and James R. Clapper, Director of National Intelligence, Why the Intelligence Community Seeks to Understand Online Communication Tools & Technologies, October 4, 2013.

  Source: Office of the Director of National Intelligence, IC on the Record, http://icontherecord.tumblr.com/post/60428572417/odni-statement-on-the-unauthorized-disclosure-of and http://icontherecord.tumblr.com/post/63103784923/dni-statement-why-the-intelligence-community.

  20

  NSA Briefing Slides on the QUANTUM Project

  Snowden provided journalists with information about various NSA technological and intelligence capabilities. This category of disclosures included documents on programs through which the NSA implanted software exploits onto target computers and networks, as shown by these briefing slides on implant capabilities in a project code named QUANTUM. The overarching effort is apparently called QUANTUMTHEORY, within which are techniques for using implants for computer network exploitation, defense, or attack. One of these techniques, QUANTUMINSERT, involves passively detecting a target’s web requests, injecting a forged response that redirects the target’s browser to NSA-controlled servers before the legitimate response arrives, delivering malware to the target computer from those servers, and monitoring or exploiting the target’s computer through the resulting implant. QUANTUMINSERT uses other NSA capabilities, including TURMOIL and TURBINE, as identified in the slides. TURMOIL is the passive sensor system that detects the target’s web activity and tips TURBINE, the active system that triggers the injection and manages the implants that follow. These capabilities give the NSA the ability to use tailored implants to achieve “industrial-scale exploitation,” as another NSA document put it. The last slide notes QUANTUMINSERT’s success and describes other techniques, including QUANTUMHAND, which allows NSA to “[e]xploit the computer of a target who uses Facebook.” Exposure of these capabilities generated controversies about the impact of such activities on cyber security in the United States and around the world.

  NSA Briefing Slides on QUANTUMTHEORY, QUANTUMINSERT, and Other QUANTUM Techniques (dates unknown) [disclosed March 12, 2014].

  Source: Der Spiegel, http://cdn1.spiegel.de/images/image-584098-galleryV9-jsgn.jpg; and The Intercept, https://firstlook.org/theintercept/document/2014/03/12/quantum-insert-diagrams/; https://firstlook.org/theintercept/document/2014/03/12/one-way-quantum/.
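  The injection the slides describe has a side effect a network defender can look for: the forged reply and the genuine reply occupy the same position in the TCP stream, so a packet capture of the victim’s side shows two segments in one flow with the same sequence number but different payloads, which an honest retransmission never produces. The Python below is an added example written for this edition, not a document from the leak and not NSA code. The packet fields, the addresses (documentation ranges) and the HTTP exchange are constructed for illustration, and treating the IP TTL difference between the two segments as corroborating evidence is an assumption of this example, not something the slides state.

```python
"""Flag QUANTUMINSERT-style TCP injection in a capture of server-to-client segments.

Added example: the detection rule is equal-sequence-number / different-payload,
because a legitimate TCP retransmission repeats identical bytes at the same
sequence number, whereas a forged segment racing the real one carries other data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a capture tool would report it (constructed fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow_key(seg: Segment):
    """Identify a unidirectional flow by its 4-tuple."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_injections(segments):
    """Return one alert per (flow, seq) at which two different payloads were seen.

    The TTL delta is recorded as a heuristic: a segment forged from another
    network location usually arrives with a different remaining hop count.
    """
    first_seen = defaultdict(dict)   # flow -> seq -> first Segment at that seq
    alerts = []
    for seg in segments:
        key = flow_key(seg)
        earlier = first_seen[key].get(seg.seq)
        if earlier is None:
            first_seen[key][seg.seq] = seg
            continue
        if earlier.payload == seg.payload:
            continue                 # ordinary retransmission, not suspicious
        alerts.append({
            "flow": key,
            "seq": seg.seq,
            "first_payload": earlier.payload[:40],
            "second_payload": seg.payload[:40],
            "ttl_delta": abs(earlier.ttl - seg.ttl),
        })
    return alerts


# Constructed sample capture (not real traffic). A forged 302 at seq 4000
# arrives first and wins the race; the genuine 200 OK at the same seq arrives
# afterwards; a harmless retransmission of the next segment follows.
SAMPLE = [
    Segment("198.51.100.10", 80, "192.0.2.5", 51000, 4000, 51,
            b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.77/x\r\n\r\n"),
    Segment("198.51.100.10", 80, "192.0.2.5", 51000, 4000, 58,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    Segment("198.51.100.10", 80, "192.0.2.5", 51000, 4059, 58, b"<p>more</p>"),
    Segment("198.51.100.10", 80, "192.0.2.5", 51000, 4059, 58, b"<p>more</p>"),
]


if __name__ == "__main__":
    for alert in find_injections(SAMPLE):
        print(f"injection suspected in {alert['flow']} at seq {alert['seq']} "
              f"(ttl delta {alert['ttl_delta']}): "
              f"{alert['first_payload']!r} vs {alert['second_payload']!r}")
```

  The rule is deliberately narrow: it fires only on conflicting data at the same stream offset, so it will not alert on the many benign duplicate segments a busy capture contains, but it will also miss injection that lands at an offset the real server never sends. Run it against the client side of the connection, where both segments are visible.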

  21

  NSA Public Affairs Office, Statement in Response to Press Allegations

  Snowden’s disclosures about the NSA’s implant programs and capabilities brought a response from the NSA’s Public Affairs Office. This terse statement reinforces themes in NSA reactions to the revelations by Snowden, namely that media reports include inaccurate information and allegations and that the NSA only exercises its capabilities for purposes, and within frameworks, anchored in policy-appropriate and lawfully authorized intelligence operations. On the same day this NSA statement appeared, Facebook founder and CEO Mark Zuckerberg, undoubtedly provoked by QUANTUMHAND’s exploitation of Facebook, vented his displeasure with the NSA’s activities, describing how he called President Obama “to express my frustration over the damage the government is creating for all of our future.”

  Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.

  NSA’s authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false.

  NSA Public Affairs Office, Statement in Response to Press Allegations, March 13, 2014.

  Source: National Security Agency, Public Affairs Office, http://www.nsa.gov/public_info/_files/speeches_testimonies/2014_03_14_press_allegations_response.pdf.

  Norms of Responsible Behavior in Cyberspace?

  U.S. Cyber Operations

  22

  Presidential Policy Directive 20 on U.S. Cyber Operations Policy

  The third Snowden disclosure occurred on June 7, 2013, when the Guardian revealed Presidential Policy Directive/PPD-20, a top secret document under which President Obama established U.S. policy for cyber operations not involving foreign intelligence collection. The media focused on the provision instructing the government to identify potential targets for offensive cyber operations. But the directive also included guidance on defensive cyber operations, making it a comprehensive attempt to establish policy for cyber activities not involving intelligence. The Obama administration developed the directive in response to concerns that “rules of engagement” for U.S. cyber operations were not clear. The directive declared that all U.S. offensive and defensive cyber operations shall comply with U.S. and international law. The directive contains no information about specific U.S. cyber operations, but disclosures in August 2013 included information that the U.S. government conducted 231 offensive cyber operations in 2011 against government targets in China, Iran, North Korea, and Russia—the year before PPD-20 was adopted. This disputed information, along with PPD-20, connected these disclosures with alleged U.S. involvement in the Stuxnet cyber attack on Iranian nuclear centrifuges discovered in 2010. Fidler’s chapter in this volume analyzes the foreign policy implications of PPD-20’s disclosure, which include questions about how U.S. offensive cyber operations relate to the U.S. government’s desire for “norms of responsible behavior in cyberspace.”

  TOP SECRET/NOFORN

  PRESIDENTIAL POLICY DIRECTIVE/PPD-20

  . . .

  SUBJECT: U.S. Cyber Operations Policy (U)

  . . .

  I. Definitions (U)

  The following terms are defined for the purposes of this directive and should be used when possible in interagency documents and communications on this topic to ensure common understanding. (U)

  Cyberspace: The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computers, information or communications systems, networks, and embedded processors and controllers. (U)

  Network Defense: Programs, activities, and the use of tools necessary to facilitate them . . . conducted on a computer, network, or information or communications system by the owner or with the consent of the owner and, as appropriate, the users for the primary purpose of protecting (1) that computer, network, or system; (2) data stored on, processed on, or transiting that computer, network, or system; or (3) physical and virtual infrastructure controlled by that computer, network, or system. Network defense does not involve or require accessing or conducting activities on computers, networks, or information or communications systems without authorization from the owners or exceeding access authorized by the owners. (U)

  Malicious Cyber Activity: Activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. (U)

  Cyber Effect: The manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. (U)

  Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence—including information that can be used for future operations—from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. (C/NF)
