Black Code: Inside the Battle for Cyberspace
• • •
The evolution of human – computer interaction has taken many twists and turns over the decades but there is an undeniable trajectory. With the first giant mainframe computers – mechanical structures sprouting wires and vacuum tubes that took up entire rooms – one computer was shared by many people. Today almost half the world has access to several computing devices that they individually own and operate. At home I have a MacBook Air (more like a large mint wafer than a computer), a sleek Power Mac G5 in my office, and the now omnipresent iPhone in my pocket. We are evolving into a species of ubiquitous computing, with tiny digital devices embedded in just about everything around us, much of it operating without any direct human intervention at all.
Eugene Kaspersky, Richard Clarke, and others may sound like broken records or self-serving fear-mongers, but there is no denying the evolving cyberspace ecosystem around us: we are building a digital edifice for the entire planet, and it sits above us like a house of cards. We are wrapping ourselves in expanding layers of digital instructions, protocols, and authentication mechanisms, some of them open, scrutinized, and regulated, but many closed, amorphous, and poised for abuse, buried in the black arts of espionage, intelligence gathering, and cyber and military affairs. Is it only a matter of time before the whole system collapses? “If one extrapolates into the future,” Arthur Koestler once said with respect to the nuclear predicament, “the probability of disaster approaches statistical certainty.” Is cyberspace any different?
Analogies to the Cold War and the logic of mutual assured destruction (MAD) come to mind. In those recent times, humans let their baser competitive instincts threaten civilization itself. But it didn’t happen. And now? With critical infrastructure a vector for armed conflict and all of us interdependent to such a substantial degree, shouldn’t the same perverse logic that restrained policy-makers from dropping the atomic bomb restrain them from dropping cyber bombs? Cold War expert Fred Kaplan sums it up this way: “Cyberwar is very different from nuclear war: less destructive but also less tangible. Yet they’re similar in one important way: It is illusory to talk about ‘winning’ either.” Will our complex interdependence on shared communication systems reach a threshold of mutual assured crashes (MAC)? As theories, MAD, MAC, game theory, and so on all assume that human beings are rational and that, in the end, we will always act in our own best interests. But in evolutionary terms, humans are still very much connected to our animal instincts, to lizard brains that drive us towards our baser emotions and that occasionally interfere with the neat and tidy reasoning assumed by theories based on the rationality principle.
On June 8, 2012, there was a news update related to Flame. Researchers at Symantec noticed that the virus, which Kaspersky’s team had now linked to the authors of Stuxnet, had begun silently removing itself from infected computers. They discovered the “suicide” commands by monitoring their own honeypot computer infected with the Flame virus, which was eliminated by the commands, and which left no trace after the job was done. Traces from the very machines it had once compromised, crawling back across the fibre-optic cables and radio waves to the black hole from which it emerged in the first place. Like a genie, back in the bottle, gone for the moment, but not extinguished.
12.
The Internet Is Officially Dead
San Francisco, February 2012. I arrive at the RSA Conference, one of the largest computer conferences and trade shows in the world. Held annually since 1991 in the San Francisco area, the event is managed by RSA Security, one of the leading cryptography companies in the United States. This year, the theme is “The Great Cipher Mightier Than the Sword.” Ironic, I think to myself, in light of the recent rash of computer security breaches, including a major one on RSA itself that targeted its SecurID tokens, an authentication mechanism provided to thousands of employees of Fortune 500 companies to access networks remotely, and, as advertised, in a secure manner.
The June 2011 RSA breach hit the American security and defence industry particularly hard, and was one of several in 2011 that called into question the reliability of some of the most basic mechanisms of the Internet’s infrastructure: certificates, authentication mechanisms, and encryption schemes all backed by name-brand, impressive corporations. These are the systems and companies we rely on to secure not only our desktops, but our entire way of life. Verizon, Cisco, RSA, and others, all now apparently the naked emperors of cyber security. By mid-2011 there also were breaches of Lockheed Martin, Epsilon, NASA, PBS, the European Space Agency, the FBI, and Citigroup. (I dubbed it “Breachfest 2011,” and thought T-shirts should be made up with the list of victims emblazoned on the back like city stops on a rock tour.)
Despite the breach at RSA, the conference is still a must-stop on the international cyber security agenda. I grasp the size of the meeting as I walk through San Francisco’s hilly streets from my hotel: thousands of geeks streaming along the sidewalks, growing in numbers as I approach the massive Moscone Center, a sprawling interconnected set of hangar-like buildings just off San Francisco’s downtown core, and the setting for this year’s conference.
I am featured on a panel on “Active Defence,” the latest euphemism in security circles for striking back in cyberspace. Many U.S. companies and government agencies are so frustrated with their inability to deal with persistent attacks on their intellectual property and infrastructure, that they are exploring ways to go beyond defence, to reach out across borders and deal with the problem where it originates. With me are two retired U.S. generals, Kenneth Minihan and Michael Hayden. Minihan was the director of the National Security Agency under George Bush Senior, Hayden the director of both the CIA and the NSA. I meet both of them before the panel begins, General Hayden introducing himself with a slightly unsettling, piercing stare that evaporates as we exchange pleasantries. (I read once that if one were to contrive a caricature of the director of the world’s leading spy agency he might look something like Hayden. Having finally met him, I can see why.) A bald, bespectacled man, Hayden looks straight out of central casting for James Bond villainy. Minihan is a less impressive figure physically, more like a retired uncle lounging in a fairway clubhouse. He and I share empty bromides about the weather. Volleying platitudes with people who once commanded the largest security and intelligence institutions on the planet, the apex of secrecy and power, is an unsettling experience. I look into Hayden’s eyes for some hint of targeted killings or forced extraditions, but all I see is calm self-assurance.
As we sit down, my thoughts drift back to the vendor expo across the hall. A major trade fair exhibiting the latest devices, hardware, and over-the-top software from the computer security and defence industries, the expo is located in a facility the size of several football fields. Obviously, it is at least as important as the conference itself. The expo is a curious pastiche: monster trucks meet Gates; bikini-clad women hand out USB sticks to nerds in business suits; and shiny BMW motorcycles with precariously balanced laptops on their seats rotate on elevated platforms. Auctioneers of the sort one would see peddling stain removers at a county fair bark out sales pitches for the latest firewalls and antivirus software. Years ago at conferences like this, the trade-show themes were all about the “magic of connecting”: connecting people in social networks; connecting computers to each other, and to the Internet. The theme of this year’s bonanza is all about doing just the opposite: building borders, fences, and firewalls to keep unwanted intruders and hackers out. Slogans alluding to theft, espionage, and cyber attacks are emblazoned on posters and banners that hang from the ceiling over the scattered vendor booths. There is a partylike atmosphere, and a discomfiting feeling: “threats,” it would appear, are something both to fear and to celebrate.
• • •
I walk by booths for companies with names like “AlienVault” and “CheckPoint,” and stop to linger at the Narus booth. Headquartered in Sunnyvale, California, Narus Inc. was founded in 1997 by Israeli security specialists Ori Cohen and Stas Khirman, two men who had recognized a growing market for products that could sift through big data – that ever-expanding archive of our digital activities and selves – and collect and collate that information for law enforcement and intelligence-gathering purposes. The company later moved to the United States, where Boeing would eventually snap it up, and Narus is now a wholly owned subsidiary of the massive defence contractor.
Narus was one of the first companies to offer deep packet inspection, the practice of diving into Internet data at critical chokepoints to precisely identify specific packets, protocols, and other bits of information. In 2006, Steve Bannerman, Narus’s marketing VP, told Wired magazine, “Anything that comes through [an Internet protocol network] we can record … We can reconstruct emails along with attachments, see what web pages they clicked on; we can reconstruct their [Voice over Internet Protocol] calls.” I first read about Narus’s technology in a 2007 press release boasting about the company’s ability to provide “real-time precision targeting, capturing and reconstruction of webmail traffic [including from] services such as Yahoo! Mail, MSN Hotmail, and Google Gmail,” and that it “helps customers around the world like AT&T, Korea Telecom, KDDI, Telecom Egypt, Reliance India, Saudi Telecom, U.S. Cellular, Pakistan Telecom Authority.” Not entirely a rogues’ gallery, but nonetheless a disturbing list of state enterprises mostly belonging to countries with very mixed records in terms of human rights and judicial oversight.
As outlined in Chapter 2, in 2004, Narus received some very negative publicity when AT&T whistleblower Mark Klein revealed that the NSA was running an extralegal eavesdropping facility that spied on Americans using a Narus product, STA 6400. (As it turned out, the NSA facility in which Klein worked is located at 611 Folsom Street in San Francisco, only a block and a half from the vendor expo.) The revelations led to a lawsuit launched by EFF, and then to an amendment of the U.S. Foreign Intelligence Services Act. The new legislation didn’t ban such practices; rather, it gave the companies who participated in it, like AT&T, retroactive immunity from prosecution. As a result, EFF’s lawsuit was dismissed in 2009.
Narus re-emerged in the public spotlight during the 2011 Arab Spring when it was among several Western companies whose sales to regimes notorious for human rights violations were subject to increasingly close scrutiny by journalists, activists, and others. In Narus’s case, its sales to Telecom Egypt of deep packet inspection and other monitoring systems led to concerns that Egypt’s security service might have employed them to identify protesters’ communications.
At the 2012 RSA Conference Narus was promoting its latest addition to its flagship NarusInsight traffic intelligence system: the CyberAnalytics application. The brochure partially read: “Narus provides real-time network traffic intelligence and analytics software that analyzes IP traffic and flow data to map the digital DNA (or behavior) of the network … Through its patented analytics, Narus’s carrier-class software detects patterns and anomalies that predict and identify security issues, misuse of network resources, suspicious or criminal activity, and other events that compromise the integrity of IP networks. NarusInsight protects and manages the largest IP networks around the world, and has been deployed with commercial and government installations on five continents.”
Government installations on five continents? I asked myself, wondering what specific government installations in what countries this might refer to.
• • •
After thirty-three years of active service, Lieutenant General Kenneth A. Minihan retired from the U.S. Air Force on June 1, 1999. Towards the end of his celebrated career, he became the fourteenth director of the NSA and the Central Security Service, the most senior uniformed intelligence officer in the Department of Defense. (He also served as the director of the Defense Intelligence Agency during the Clinton administration.) Retirement did not slow him down, and he did not move far from his prior places of employment, directing his efforts towards vigorously developing business opportunities in military and intelligence markets for the private sector. Minihan serves on numerous boards of directors – at the time of writing, Nexidia Inc., BAE Systems Inc., Arxan Technologies Inc., Neohapsis Inc., LGS Innovations LLC., VDIworks Inc., Circadence Corporation, GlassHouse Technologies Inc., ManTech International Corporation, The KEYW Holding Corporation, Fixmo Inc., Command Information Inc. – and the Paladin Capital Group, where he is managing director and focuses his attention on developing new investment opportunities for Paladin’s Homeland Security Fund. According to its website, after 9/11 Paladin collaborated with Minihan to “discuss how private equity could play a vital role in developing and delivering effective products, technology and services for the homeland and global security sectors.” The website goes on to say: “Paladin’s investment thesis attracted luminaries in national security including former CIA Director, the Honorable James Woolsey, and former Secretary of the Army, the Honorable Togo West, Jr. and others.” Minihan was also chairman of the Security Affairs Support Association (now known as the Intelligence and National Security Alliance, or INSA), the self-described “flagship operation for industry and government partnership to enhance intelligence business development.” Today, the association represents about 150 member corporations, including major American defence contractors Booz Allen Hamilton, Boeing, BAE Systems, General Dynamics, Lockheed Martin, and Northrop Grumman.
Just before the panel discussion begins I lean over to Minihan: “How about that trade show across the hall?” I say.
“I know, isn’t it fantastic!” Minihan replies with glee. “Most of these guys used to work for me. I walk down the hall and they say, ‘Hi, General, I used to be on your team.’ ”
I feel slightly dismayed at the thought of a former director of the National Security Agency cheerleading a plethora of private sector spinoff companies, their representatives saluting him as he passes by. Welcome to the ever-growing cyber security industrial complex, a world where a rotating cast of characters moves in and out of national security agencies and the private sector companies that service them. Minihan is at the apex of this new complex.
As the lights dim in the hall and the spotlights blind me from the audience, the formal introductions of the panel begin. In that moment, I think to myself, the Internet as we once knew it is officially dead.
13.
A Zero Day No More
In the aftermath of the 2011 revolution that brought down Egypt’s Hosni Mubarak, protesters burst into the building that housed the state security services and combed through thousands of documents left by the departing regime. Among the files listing paid informants, tortured confessions, and acts of secret manipulation was one rather exceptional document: a contract from an obscure British firm, Gamma Group International, selling what appeared to be special infiltration software to the Egyptian intelligence services. Gamma Group had given the Egyptian State Security Investigations Service (SSIS) a five-month free trial version of their system. Based on the trial testing, Egyptian authorities reported in a memo (also found in the cache) that “the system has a high-level penetration of any type of e-mail (Hotmail, Google, Yahoo),” and that it was successful “in breaking through personal accounts on Skype network, which is considered the most secure method of communication used by members of the elements of the harmful activity because it is encrypted.” The memo discussed how the product enabled the “recording of voice and video chats; recording the movement of the target by using his computer and even recording him if the computer has a camera; full control of the target computer and the ability to copy anything on his computer.” Also found were files on activists that contained transcripts of communications, including Skype conversations. The documents, which the protesters posted on the Internet, provided a glimpse into the black arts of the growing commercial market for offensive cyber warfare and surveillance technologies.
A more detailed peek – indeed, more like a strip show – was provided in December 2011 by the whistleblower organization, WikiLeaks. Working with a number of organizations (including Privacy International), the renegade outfit released what they dubbed the “Spy Files,” a collection of restricted documents, brochures, and manuals from dozens of obscure companies. This type of information is never posted on the Web or circulated publicly; rather it is disseminated at closed-door industry conferences with exorbitant registration fees, meetings that are restricted to a narrow circle of intelligence, law enforcement, and defence agencies. Privacy International personnel managed to infiltrate this inner sanctum, gather up promotional materials, and use WikiLeaks to shed light on this underground but massively expanding industry. I wrote the foreword to the release of “Spy Files” for Privacy International (on whose advisory board I sit). “Not too long ago, Internet pundits mocked slow-footed authoritarian regimes and predicted their demise,” I remarked. “Today, they are prime customers for the tradecraft of cyberspace controls.”
Among the brochures in “Spy Files” is a PDF for a product, FinSpy, marketed by Gamma Group and described as a “Remote Monitoring and Infection Solution.” The glossy brochure resembles something you might casually peruse in a dentist’s office or perhaps at the Apple store, except that in Canada and many other countries, the product being advertised, if used by a consumer, would be in clear violation of the law. FinSpy breaks into and secretly monitors the computers of its unwitting targets. The brochure describes how FinSpy is a “field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries” [bold and capitalization in the original]. Mobile and security-aware targets that change location? Reside in foreign countries? An apt description of the globally networked, popular insurrection that faced off against the Egyptian government in 2011. No wonder the product was sold there.