Hacks, Backdoors, and Cyberwars
You could be forgiven for thinking that the Oscar win by Citizenfour, Laura Poitras’s documentary about Edward Snowden, represented a symbolic capstone to our country’s surveillance story. Perhaps the well of new revelations had run dry, and we were now in the realm of theater, congratulations, and prizes. We know the stakes; time to do something about it.
But in the past week, some vital leaks have appeared that offer a much clearer sense of the U.S. government’s surveillance and cyberwarfare practices. Combined with a listless public appearance by the NSA director on Monday, it’s fair to ask if our dear unelected officials of America’s security apparatus have any idea what they’re doing.
First, Reuters’s Joseph Menn—who had previously reported about alleged secret payments from the NSA to security company RSA to weaken one of its encryption products—wrote about findings by Russian cybersecurity firm Kaspersky Lab that a powerful hacking group had managed to manipulate the firmware on a number of major manufacturers’ hard drives. (Kaspersky didn’t credit the work to any particular agency, but they might as well have planted a sign that said, “NSA WUZ HERE.”)
Firmware is a small piece of software that lives on a piece of hardware; if you hack a hard drive’s firmware, you essentially own it. For instance, you can tell the hard drive that it’s blank when you’ve actually hidden a piece of malware on it. Even wiping the hard drive leaves the firmware untouched. Next to physically installing a surveillance device, this is as close as it gets to mastering an adversary’s system. As Menn wrote in his story, it gives the NSA “the means to eavesdrop on the majority of the world’s computers.”
On Thursday, The Intercept’s Jeremy Scahill and Josh Begley published another story about network exploitation on an astonishing scale. According to their report, the NSA and its British counterpart GCHQ had stolen encryption keys for millions of SIM cards manufactured by Gemalto, a Dutch company. Each year, Gemalto produces 2 billion SIM cards, which are used by cell phone providers around the world. With these keys in hand, the NSA doesn’t need to try to break or bypass the encryption on individual suspects’ phones; it can just passively listen and accumulate data from untold millions of cell phone users.
Finally, the New York Times’ David Sanger published an article on Sunday that paints a picture of the NSA and Cyber Command, the U.S. military’s cyberwarfare operation, as instigators in a long-running, covert cyberwar with Iran. Working with GCHQ (and at times in uneasy cooperation with Israel’s Unit 8200), their “attacks on Iran’s nuclear infrastructure…kicked off [a] cycle of retaliation and escalation.” Sanger wrote that a cyber-attack against Iran’s oil industry—by whom, he doesn’t say—provoked a retaliatory attack in 2012 against Saudi Aramco, crippling thousands of the state-owned oil company’s computers.
In the last few months, intelligence and White House officials, including the president himself, have publicly refused to answer specific questions about U.S. surveillance and cyberwarfare practices, while also solemnly declaring that they’re “glad to be having this discussion.” Monday’s appearance by Admiral Mike Rogers, who directs the NSA and Cyber Command, at a New America Foundation conference was no different. Rogers bullshitted his way through questions from the audience, and refused to name or even acknowledge a single case in which dragnet surveillance of Americans’ phone records had disrupted a terrorist attack. Echoing statements from British and U.S. government officials, Rogers insisted that law enforcement should have access to backdoors in encryption products.
At one point, Alex Stamos, Yahoo’s CISO, asked Rogers some good questions: isn’t placing a backdoor, or a deliberate defect, in an encryption product “like drilling a hole in a windshield”? Should companies like Yahoo also give backdoors to other countries in which they operate, like Russia and Saudi Arabia? Rogers refused to take these questions seriously. Instead, he fell back on platitudes, saying, “I think we can work through this.” He repeated the statement three times, as if doing so would magically transport him home to Fort Meade and away from this horrible accountability.
The trend is clear: from surveillance to cyberwarfare to encryption, the NSA prefers policies that give it maximum tactical advantage, even if it compromises the security and economic welfare of millions. It’s also now apparent that technologists like Stamos simply don’t take Rogers seriously anymore. (Discussion on Twitter during the event consisted of assorted security researchers and commentators howling incredulously.)
And why should they take him seriously? The NSA and its partners hack into major corporate systems, stalk network administrators online, and instigate cyberwar in direct contravention of peaceful diplomatic efforts. They’ve catalyzed a gray market for zero-days. Their exploits cause real economic harm. Still, the agency pleads for understanding and ever more power.
If you’re a tech executive and don’t consider this a description of an adversary, you’re either on the take, or as willfully obtuse as Rogers himself.