The Perfect Weapon

by David E. Sanger


  Shortly after the Snowden fiasco, the agency announced new safeguards: No longer would systems administrators with access to vast databases be able to download documents by themselves. There would now be a “two-man rule”—reminiscent of the dual keepers of the keys for the launch of nuclear weapons—to protect against lone actors.

  But the NSA’s solution was either too late, or ineffective. Over the next few years, the NSA demonstrated time and again that it could not keep its own secrets. Snowden is simply the most famous insider so far.

  * * *

  —

  In the days after Snowden showed up in Hong Kong and began doling out parts of his trove of government secrets to the Guardian, the problem of reliance on outside government contractors took center stage: why was the US government depending on Booz Allen to run its most sensitive intelligence operations? Sen. Dianne Feinstein, then the chairwoman of the Senate Intelligence Committee, told me in 2013 that soon “we will certainly have legislation which will limit or prevent contractors from handling highly classified and technical data.” That never happened.

  Astoundingly, Booz Allen never made public why it assigned Snowden to such a sensitive set of tasks, and why it left him so loosely supervised that he could download highly classified documents that had nothing to do with his work as a system administrator. Nor did the firm lose any of its contracts with the NSA.

  Furthermore, the talk in Washington about cutting down on the use of contractors who dealt with the nation’s deepest secrets fizzled almost immediately. “We had to go to Congress and quietly explain how cyberweapons get developed,” one NSA official said to me. In short, the NSA told Congress, cyberweapons get built the way everything else gets built—by private firms. The Pentagon relies on Lockheed Martin to build the F-35, with a raft of subcontractors and partners. General Atomics builds the Predator and Reaper, the two best-known drones. Boeing builds satellites. Booz Allen, and many firms from the outskirts of Fort Meade to Silicon Valley, build cyberweapons.

  Those firms hunt for—or surreptitiously purchase—“zero-day” flaws: software flaws in a system that an invader can exploit to spy or destroy. The programming talent required to turn those flaws into weapons is expensive, and contractors can afford top talent. They offer their best coders salaries many times what the government can pay. “People would be shocked,” one young employee of one of the most successful cyber contractors told me, “how much the government relies on contractors to build the weapons and maintain them,” even in foreign systems. That explains why about one-third of the 1.4 million people with top-secret clearances in 2012 were private contractors. (And yes, the background checks for those contractors are often performed by other contractors.)

  The man who put Booz Allen on the NSA’s map was J. Michael McConnell, who knew life on both sides of the revolving door of the cyber-industrial complex. A former navy intelligence officer who made his name in the backwaters of the Mekong Delta during the Vietnam War, McConnell was a pale and stooped man with wire-rim glasses, giving him a vague resemblance to George Smiley, the complex character at the center of John le Carré’s novels about life in the bowels of British intelligence. Indeed, McConnell looked more like a bureaucrat than a cyber warrior. Looks were deceiving.

  In McConnell’s years as director of the NSA under President Clinton, he became increasingly concerned about America’s growing cyber vulnerability. By the time he returned to government as director of national intelligence under President Bush, he was ready to enter a new arms race. In Bush’s second term, it was McConnell, along with Hayden and Cartwright, who pushed the country into the business of sophisticated cyber projects by overseeing Olympic Games and other offensive operations. And when Barack Obama was preparing to take office, it was McConnell who briefed him on America’s covert actions abroad, from Afghanistan to Iran.

  After he left his post, McConnell returned to Booz Allen in 2009—for a whopping $4.1 million his first year back—to ramp up its cyber capabilities for the era of conflict he clearly saw coming. He pressed for the development of “predictive” intelligence tools that companies and governments could use to scour the web for anomalies in behavior that could warn of an approaching cyber or terror attack. The work paid off for Booz Allen: Just before the Snowden revelations, the company won a $5.6 billion contract to conduct intelligence analysis for the Defense Intelligence Agency, and another $1 billion from the navy to help with “a new generation of intelligence, surveillance, and combat operations.” Similarly, when the United Arab Emirates decided to shop around for a complete signals-intelligence, cyber-defense, and cyberwarfare unit of its own—one that would befit its role as one of the United States’ closest partners in the Arab world—it turned to Booz Allen, and specifically to McConnell, to assemble it. “They are teaching everything,” one senior Arab official explained to me. “Data mining, web surveillance, all sorts of digital intelligence collection.”

  McConnell made a persuasive case to me during Bush’s time in office that private firms are needed to jolt the government out of its attachment to old systems. The air force, as he pointed out frequently, fought the concept of drones for years.

  But he also argued in 2012, just before the Snowden debacle forever changed Booz Allen’s reputation, that the private sector had to take the security of its own systems more seriously. “It should be a condition for contracts,” he said. “You cannot be competitive in the cyber era if you don’t have a higher level of security.”

  He may have been wrong there. With the subsequent arrest of another of his employees, the company’s stock took a brief plunge on the expectation that the firm was in trouble. Then the stock bounced back to all-time highs as investors poured their money into a sure bet to profit from the newest arms race.

  Just as some companies in America proved too big to fail, some contractors were simply too important to ditch.

  * * *

  —

  For months, Snowden’s disclosures roiled Washington. Unlike the CIA, the NSA had never been plagued with insiders or double agents. There was both real outrage and faux outrage about the kind of data the NSA was retaining—but insisted it was rarely looking at—about American citizens.

  The Snowden revelations that got some of the biggest headlines in the United States revolved around a single document: a copy of the “Verizon order” from the Foreign Intelligence Surveillance Court. It revealed that the secret court had adopted a legal theory that the USA PATRIOT Act—passed in the days after 9/11—could be interpreted to require Verizon and other big carriers, like AT&T, to turn over the “metadata” for every call made into and out of the United States. And then, it added, for good measure, all calls “wholly within the United States.”

  “Metadata” do not include what callers said to their husband, boss, or kids. They are a record of the numbers called, how long the call lasted, and how it was routed. Today, nearly two decades after 9/11, collecting that data for all Americans, on their home lines and their cell phones, seems like a pretty clear case of surveillance-state overreach. And it was: the flood of data was so large that it was of extremely limited use. But its collection was a prime example of how the 9/11 attacks so bent the judgment of otherwise smart officials that they began hoarding all kinds of information simply because one day it might be useful—likely not thinking much about the precedent they were setting around the world, especially in countries like China and Russia whose leaders were looking for any excuse to tighten the noose on dissent.

  The more troubling problem about the phone-call metadata program was not how it was being used but rather that a series of American officials had lied before Congress about its existence. Snowden’s revelations exposed them. The incident was yet another illustration of the way the over-secrecy surrounding how the government uses its cyber powers forced officials to attempt to conceal a program that could easily have been made public without harming its effectiveness.

  Yet in the end Snowden’s biggest impact wasn’t in the defense of privacy. For all the talk on Capitol Hill and cable television about reassessing the balance between security and privacy rights, little changed. Congress renewed the NSA’s surveillance powers, with very modest adjustments.

  The public debate around privacy issues obscured what was truly revelatory in the Snowden trove: PowerPoint after PowerPoint documented how the NSA’s Tailored Access Operations unit—known as TAO—found ways to break into even the most walled-off, well-secured computer systems around the world.

  Informally, everyone still uses the name TAO. Formally, the TAO no longer exists; it has been absorbed into the agency’s other offensive units. It began small, but since its founding two decades ago, it has grown into the agency’s most storied unit, spreading more than a thousand elite hackers over sites from Maryland to Hawaii and Georgia to Texas.

  The unit cannot compete with Silicon Valley salaries, but the mission is irresistible. The hacking unit attracts many of the agency’s young stars, who thrill to the idea of conducting network burglaries as a form of patriotic covert action. And their target list is vast: Chinese leadership, Saudi princes, Iranian generals, German chancellors, North Korea’s own Reconnaissance General Bureau. Much of TAO’s output is labeled “exceptionally controlled information,” and often makes it into the President’s Daily Brief.

  There is a pecking order in the TAO, its alumni say. The veterans plot ways to get into foreign networks, then hand the operational challenge off to more junior members of the team who spend days and nights “exfiltrating” information the way the CIA used to exfiltrate foreign spies. “Sometimes it happens quickly; sometimes we take a long time,” one former senior member of the organization told me. And what works this week may not work the following week.

  That is why TAO workers are constantly designing new malware implants that can lurk in a network for months, maybe years, secretly sending files back to the NSA. But the same implant can alter data or a picture, or become the launching pad for an attack.

  And one of the juiciest targets for TAO, it turned out from Snowden’s reports, was a country that Americans worried was targeting us: China.

  * * *

  —

  For years, American officials had considered Huawei (pronounced WAH-way), the Chinese telecommunications giant, a huge security threat to the United States. It feared that Huawei’s equipment and products—everything from cell phones to giant switches that run telephone networks to corporate computer systems—were riddled with secret “back doors.” Classified intelligence reports and unclassified congressional studies all warned that one day the People’s Liberation Army and China’s Ministry of State Security would exploit those back doors to get inside American networks.

  In 2005 the air force hired the RAND Corporation to examine the threat from Chinese networking firms. Huawei was high on the list of threats: RAND concluded that a “digital triangle” of Chinese firms, the military, and state-run research groups were working together to bore deeply into the networks that keep the United States and its allies running. At the center of the action, they suggested, was the founder of Huawei, Ren Zhengfei, a former PLA engineer who, the Americans suspected, had never really left his last job.

  Little proof was offered, at least in public. Nonetheless, the word went out across Washington: Buy Chinese equipment at your peril. There was no hope of banning the company from global networks, as Huawei was on course to becoming the largest telecommunications equipment company in Asia—its inexpensive phones are ubiquitous from Beijing to Mandalay—and the third largest in the world. Its equipment, down to the chips used in cell phones, was integrated into products around the world, from Britain to South Korea. The firm boasted that it connected one-third of the world’s population. But egged on by Huawei’s American competitors, Washington decided to draw a firewall around the United States. When Huawei tried to buy 3Com, a failing American firm, the Committee on Investments in the United States—a little-known government agency run as an offshoot of the Treasury Department—blocked the purchase on national-security grounds.

  In classified briefings to Congress, the NSA laid out its fears: It was almost impossible to know what hidden capabilities Huawei could etch into its hardware, or bury in its software. If there was a hot war with China—or even just a nasty regional dispute—Huawei might be the vehicle for shutting down servers or crippling the US telecommunications grid. Once the telecommunications system was corrupted, other networks would follow. And there was always the fear of theft: What better way to route secret communications to the PLA than through an already established phone company?

  The paranoia was not limited to Huawei, of course. After Lenovo, a Chinese computer upstart, bought IBM’s personal computer division in 2005, the State Department and the Pentagon largely banned its indestructible laptops. But Huawei, because of the dominance of its products, was a constant focus of investigations by the House Intelligence Committee and American intelligence agencies. The problem was that they could cite no evidence, at least in their unclassified reports, to confirm their suspicions that the Chinese government pulled the company’s strings or ordered it to sweep up data. (That did not stop the House from concluding that Huawei and another Chinese company, ZTE, must be blocked from “acquisitions, takeover or mergers” in the United States and “cannot be trusted to be free of foreign state influence.”)

  The apparent absence of evidence gave birth to “Shotgiant.”

  That was the name of a covert program, approved by the Bush White House, to bore a way deep into Huawei’s hermetically sealed headquarters in Shenzhen, China’s industrial heart. And while American officials would not describe it this way, the essential idea was to do to Huawei exactly what Americans feared the Chinese were doing to the United States: crawl through the company’s networks, understand its vulnerabilities, and tap the communications of its top executives. But the plan went further: to exploit Huawei’s technology so that when the company sold equipment to other countries—including allies like South Korea and adversaries like Venezuela—the NSA could roam through those nations’ networks.

  “Many of our targets communicate over Huawei-produced products,” one NSA document describing Shotgiant reported. “We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.

  There was another goal as well: to prove the American accusation that the PLA was secretly running Huawei and that the company was secretly doing the bidding of Chinese intelligence.

  The American concern about Huawei was justifiable. No country had made more of an effort to get deep inside US networks than China. “China does more in terms of cyber espionage than all other countries put together,” the expert James Lewis noted to me in the midst of the investigation into Shotgiant. “The question is no longer which industries China is hacking into. It’s which industries they aren’t hacking into.”

  So Huawei was a natural source of concern. Any firm built in an authoritarian, government-takes-all environment is going to turn over to the state whatever data it is told to turn over. The same worries, officials told me, applied to Kaspersky Lab, the Russian antivirus software maker, whose products were making it easy for Russian intelligence agents to exfiltrate secret American documents.

  But when the German weekly Der Spiegel and the Times published the details of Shotgiant, based on Snowden documents, the depth of the hypocrisy struck not only the Chinese but also many American allies. “You are essentially doing to the Chinese exactly what you are accusing them of doing to you,” one European diplomat, whose country was also wrestling with the Huawei problem, said to me one morning over breakfast. He paused for a minute. “Fair enough,” he said. “We should probably help you.”

  Naturally, the American officials who were willing to talk about Shotgiant when it was revealed in 2013 had a different explanation. The United States, they argued, breaks into foreign networks only for “legitimate” national-security purposes. “We do not give intelligence we collect to US companies to enhance their international competitiveness or increase their bottom line,” said Caitlin Hayden, then the spokeswoman for the National Security Council. “Many countries cannot say the same.”

  The problem was that the Chinese did not distinguish between “economic advantage” and “national security advantage.” To a country whose power rests on keeping the economy growing, there is no such distinction. Chinese officials looked at the American explanation as self-serving at best, and deceptive at worst. Clearly, one senior Chinese diplomat assigned to Washington at the time argued to me, the NSA’s real purpose “is to stop Huawei from selling their equipment so that Cisco can sell its own.”

  The slides explaining Shotgiant in the Snowden trove gave a sense of the NSA’s thinking: “If we can determine the company’s plans and intentions,” an analyst wrote, “we hope that this will lead us back to the plans and intentions of the PRC.” The NSA saw an additional opportunity: As Huawei invested in new technology and laid undersea cables to connect its networking empire, the agency was interested in tunneling into key Chinese customers, including “high priority targets—Iran, Afghanistan, Pakistan, Kenya, Cuba.”

  In short, eager as the NSA was to figure out whether Huawei was the PLA’s puppet, it was more interested in putting its own back doors into Huawei networks. It was a particularly important mission because the Chinese firm was popular in hard-to-access countries where American telecommunications companies were unlikely ever to get a contract. In other words, Huawei might serve as a back door to the PLA, but it would also be host to another back door, one it didn’t know about: to the NSA.