How America Lost Its Secrets
Page 26
Under Putin, Russia had built one of the leading cyber-espionage services in the world. According to a 2009 NSA analysis of Russian capabilities, which was obtained by The New York Times in 2013, Russia’s highly sophisticated tools for cyber espionage were superior to those of China or any other adversary nation. For example, investigators from FireEye, a well-regarded Silicon Valley security firm, found that in 2007 Russian hackers had developed a highly sophisticated virus that could bypass the security measures of the servers of both the U.S. government and its private contractors. According to one computer security expert, the virus had made protected Internet websites “sitting ducks” for these sophisticated Russian hackers. The cryptographer Bruce Schneier, a leading specialist in computer security, explained, “It is next to impossible to maintain privacy and anonymity against a well-funded government adversary.”
Nor has the Russian cyber service made a secret out of the fact that it targets Tor software. It even offered a cash prize to anyone in the hacking community who could break Tor. Prior to 2013, according to cyber-security experts, it spent over a decade building cyber tools aimed at unraveling the Tor networks used by hacktivists, criminal enterprises, political dissidents, and rival intelligence operatives. To this end, it reportedly attempted to map out computers that served as major Tor exit nodes (such as the one Snowden operated in 2012 near an NSA regional base in Hawaii). It also reportedly attached the equivalent of “electronic ink” to messages, which would allow it to trace the path of messages that passed through them. Through this technology, it could tag and follow Tor users as their communications traveled across the Internet. It could even borrow their Internet identities. To be sure, the NSA also had such a capability. The Silk Road founder, Ross Ulbricht, discovered to his distress that his Tor software did not make his computer server in Iceland invisible. According to a former top official in the Justice Department, the NSA was able to locate it by cracking the Tor software (Ulbricht is currently serving a life sentence for his activities). Unlike adversary services, however, the NSA needs a warrant to investigate U.S. citizens who use Tor.
The NSA is hardly immune from an attack on its own computers. As the former CIA deputy director Morell wrote in his 2015 book, The Great War of Our Time, many financial institutions have “better cyber security than the NSA.” The Internet certainly helped make the activities of U.S. intelligence workers visible to the SVR.
But to achieve its goals, the SVR still had to find at least one disgruntled civilian contractor inside the NSA who had access to the sealed-off computer networks. Did it find its man? If so, was it before or after Snowden arrived in Hong Kong with the Level 3 NSA files?
CHAPTER 22
The Chinese Puzzle
The first [false assumption] is that China is an enemy of the United States. It’s not.
—EDWARD SNOWDEN, Hong Kong, 2013
ON AUGUST 11, 2014, in the Atlantic Ocean, an event took place of enormous concern to U.S. intelligence. A Chinese Jin-class submarine launched an intercontinental ballistic missile. The missile released twelve independently targeted reentry vehicles, each simulating a nuclear warhead. Some forty-four hundred miles away, in China’s test range in the Xinjiang desert, each of the twelve simulated nuclear warheads hit its target within a twelve-inch radius.
The test firing, which was closely monitored by the NSA, was a strategic game changer. It meant that a single Jin-class submarine, which carried twelve such missiles and 144 nuclear warheads, could destroy every city of strategic importance in the United States. U.S. intelligence further reported that China would soon use stealth technology to make it more difficult to detect newer submarines and give “China its first credible sea-based nuclear deterrent” against an American attack.
By 2015, as its test in the Atlantic had foreshadowed, China had armed its land-based as well as sea-based missiles with multiple independently targeted warheads. Combined with the state-of-the-art technology it had licensed from Russia, its systematic use of espionage even made it possible for China to build its own stealth fighters.
Unlike the United States, China did not achieve this remarkable capability to launch independently targeted miniaturized nuclear weapons and stealth them by investing hundreds of billions of dollars in developing them. It obtained this technology mainly through espionage. The Chinese intelligence service stole a large part, if not all, of America’s secret technology for weaponizing nuclear bombs during the 1980s and 1990s. The theft was so massive that in 1998 the House of Representatives set up a special bipartisan investigative unit called the Select Committee on U.S. National Security and Military/Commercial Concerns with the People’s Republic of China. Based on the intelligence amassed by the NSA, the CIA, and other intelligence services, it concluded in its report that the Chinese intelligence service had obtained both by electronic and by conventional spying the warhead design of America’s seven most advanced thermonuclear weapons. Moreover, it found that espionage successes allowed China to so accelerate the design, development, and testing of its own nuclear weapons that the new generation of Chinese weapons would be “comparable in effectiveness to the weapons used by the United States.” Further, the committee reported that these thefts were the “results of decades of intelligence operations against U.S. weapons laboratories.” The Chinese intelligence service further obtained from private U.S. defense contractors through cyber espionage important elements of the stealth technology used in advanced planes and submarines. China shared (or exchanged) the fruits of its espionage on nuclear warhead design with North Korea, Pakistan, Iran, and Russia.
Despite its formidable intelligence coups in the United States, the Chinese intelligence service managed to remain among the most elusive of America’s intelligence adversaries. Its espionage organizations are hidden behind layers of bureaucracy in the Ministry of State Security, Chinese Communist Party structures, and the second, third, and fourth department of the General Staff of the People’s Liberation Army. Much of its cyber-espionage units are concealed on the campuses of its universities. Its hierarchy is also obscure. Few traces have been uncovered of any conventional espionage networks in the United States, and no major Chinese spy has ever been arrested. Part of the reason that Chinese espionage has proved so elusive to the eyes of Western counterintelligence is that, unlike Russia, it did not ordinarily rely on intelligence officers in its embassies to recruit penetration agents to steal secrets. It did not even have an embassy in the United States during most of the Cold War. Instead, its services specialize in mosaics of intelligence assembled from a wide variety of sources, including nonclassified documents, returning graduate students, scientific conferences, exchanges with allies, and a vast operation of hacking into computers, or cyber espionage.
Such espionage is indeed a vast enterprise in China. Graduating over 150,000 computer science engineers in the 1990s, it had no shortage of personnel. It had also developed the cyber tool kit to gain access to the computer networks of U.S. government contractors and consultants in the private sector and government agencies, planting “sleeper” bugs in networked computers. Like human sleeper agents, these hidden programs can be activated when needed for operational purposes. Chinese controllers can often retrieve e-mails and documents and can turn on the cameras and microphones of personal computers, tablets, and smart phones.
By 2007, Paul Strassmann, a top U.S. defense expert on cyber espionage, reported that China had inserted “zombie” programs in some 700,000 computers in the United States, which could be used to mount cyber attacks to retrieve e-mails from other computers. The Chinese service also reportedly penetrated companies that provide Internet services, including Google, Yahoo!, Symantec, and Adobe, which allowed it to track e-mails and enclosures of individuals. With such an invisible army of zombie computers, it is not entirely surprising that China finds little need to employ human sleeper agents.
Chinese cyber specialists used this capability to hack into the computers of outside contractors, inclu
ding Booz Allen and other companies that supplied technologists to the NSA. It also had notable successes in obtaining the dossiers of U.S. employees and independent contractors at the NSA, the CIA, and other intelligence services. Its intrusions, as previously noted, into computer networks at the Office of Personnel Management traced back to 2009. Eventually, by 2015, according to U.S. estimates, the cyber attack had harvested over twenty million personnel files of past and present federal government employees. In addition, it reaped over fourteen million background checks of intelligence workers done by the Federal Investigative Services.
All intelligence workers with a sensitive compartmented information clearance, such as Snowden, were required to provide information on these forms about all their foreign acquaintances, including any non-U.S. officials whom the applicant knew or had had relationships with in the past. They also had to list their foreign travel, family members, police encounters, mental health issues, and credit history. For good measure, Chinese hackers obtained the confidential medical histories of government employees by hacking into the computers of Anthem and other giant health-care companies. If China’s intelligence services consolidated the fruits of these hacking attacks, it would have a searchable database of almost everyone working in the American defense and intelligence complex. From this database, it could track individuals with high security clearances vulnerable to being bribed, blackmailed, or tricked into cooperating. No one doubted that the Chinese would use their cyber capabilities to take advantage of opportunities presented in foreign computer systems.
General Hayden said of the massive theft of intelligence personnel records, “Those records are a legitimate foreign intelligence target.” He added, “If I, as director of the NSA or CIA, would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice.” If that opportunity did not arise for the NSA or the CIA during Hayden’s tenure, it might have been because no insider in the Chinese intelligence services provided U.S. intelligence with a road map to it.
Cyber espionage was not the Chinese intelligence service’s only powerful resource in the intelligence war. To get both electronic intelligence and human intelligence about the United States, China also had a highly productive intelligence-sharing treaty with Russia. It was signed in 1992 after the Soviet Union was dissolved. Although the terms of this exchange remain secret, defectors from the Russian KGB and SVR reported that Chinese intelligence received from Russia a continuous stream of communications intelligence about the United States in the late twentieth and early twenty-first centuries. Russia’s intelligence resources during this period were formidable. They included geosynchronous satellites, listening stations in Cuba, sleeper agents, and embassy-based spy networks. Presumably, this relationship further deepened under President Putin’s regime. Putin asserted in speeches in 2014 that Russia and China continued to share a key strategic objective: countering the United States’ domination of international relations, or what Putin terms “a unipolar world order.” China’s president, Xi Jinping, expressed a very similar view, saying in 2014 in a thinly veiled reference to the United States that any attempt to “monopolize” international affairs will not succeed.
Since the end of the Cold War, Russia has been the major supplier of almost all of China’s modern weaponry. It licenses for manufacture in China avionics, air defense systems, missile launchers, stealth technology, and submarine warfare equipment. To make these arms effective, it also provides China with up-to-date intelligence about the ability of the United States and its allies to counter them. While such intelligence cooperation may be limited by the reality that China and Russia still compete in many areas, they still have reason to share much of the fruits of their cyber and conventional espionage against the NSA in accordance with their intelligence. After all, the NSA works to intercept the military and political secrets of both these allies. Moreover, as the CIA’s former deputy director Morell points out in his book, NSA secrets are a form of currency for adversaries in the global intelligence war, saying that part of Snowden’s cache could be traded by a country that acquired it to the intelligence services of Iran and North Korea.
—
Snowden’s stay in Hong Kong from May 20 to June 23 in 2013 made the Chinese intelligence service, willy-nilly, a potential player in whatever game he was involved in. China’s full responsibility for Hong Kong’s national security and foreign affairs includes monitoring foreign intelligence operatives. Chinese intelligence maintains there its largest intelligence base outside mainland China. A large contingent of its officers are stationed officially in the Prince of Wales skyscraper in central Hong Kong and unofficially maintain informers in Hong Kong’s police, governing authority, airport administration, and other levers of power. It checks the computerized visitors entering Hong Kong and has the capability to ferret names that match those in the immense database its global cyber espionage has amassed. When it detects the entry of any person of possible intelligence interest, it can use its sophisticated array of cyber tools to attempt to remotely steal data from that individual. Such remote surveillance was so effective in 2013 that the U.S. State Department had instructed all its personnel in Hong Kong to avoid using their iPhones, Androids, BlackBerry phones, and other smart phones when traveling to Hong Kong or China. Instead, it supplied them with specially altered phones that disable location tracking and have a remotely activated switch to completely cut off power to its circuitry. No one in the intelligence community doubts the prudence of taking such precautions in China, and it is nearly inconceivable that Snowden, whose prior position at the NSA included teaching military personnel about Chinese capacities, could himself be unaware of Chinese intelligence service capabilities to acquire travelers’ data in Hong Kong.
Once Hong Kong had served as a window into China for Western intelligence, but in the first decade of this century the Chinese intelligence service had achieved such a pervasive presence in Hong Kong, and such ubiquitous electronic coverage of diplomats and other foreigners even suspected of involvement in foreign intelligence work, that the CIA and British intelligence found it almost as difficult to operate in Hong Kong as in mainland China. Even though the CIA kept officers there in 2013, it was considered “hostile territory,” according to the former CIA officer Tyler Drumheller.
Snowden apparently knew the limits of CIA operations in Hong Kong, which provided him with an envelope of protection. He told Greenwald that he was counting on the Chinese presence in Hong Kong to deter the CIA from intruding on their meetings.
When he flew to Hong Kong in May 2013, he took with him NSA secrets, which he knew would be of great interest to China. In fact, he advertised that he had such secrets in his interview with the South China Morning Post. Whatever he might have assumed about the inability of the CIA to stop him in Hong Kong, he could not assume that Chinese intelligence services would relegate themselves to a purely passive role when secret NSA documents were in a hotel room in Hong Kong. Snowden might have esteemed himself to be an independent actor playing Prometheus on a global stage provided by YouTube, but the Chinese might have viewed him very differently indeed.
CHAPTER 23
A Single Point of Failure
A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working.
—Wikipedia
SNOWDEN DESCRIBED anyone who was the sole repository of secrets that could undo the NSA’s intelligence gathering as “the single point of failure.” While still shielding his own identity in May 2013, he wrote to Gellman that U.S. intelligence “will most certainly kill you if they think you are the single point of failure that could stop this disclosure and make them the sole owner of this information.” Such a person of course would be of even greater interest to adversary intelligence services if they were aware of the payload of secrets that person was carrying because they could use it to unravel the NSA’s sources and methods.
Snowden saw himself as that �
��single point of failure.” We know that while still in Hong Kong he said he had obtained access to computers that the NSA had penetrated throughout the world and in Moscow he added that he had had “access to every [NSA] target, every [NSA] active operation,” against the Chinese. “Full lists of them,” which, if he chose to share them, could make China “go dark.” To be sure, he did not refer to Russian intelligence activity in any interview that he ever gave in Moscow under Russian protection, but he had similar access to NSA operations against Russia in his job at the NSA’s Threat Operations Center.
The enormous power of the NSA rested in its ability to keep its sources and methods secret from its foes. A queen on the chessboard could be captured by a lowly pawn if it was well-placed. In this case, the person who had it in his power to expose the NSA’s critical sources and methods would no doubt be considered fair game by America’s adversaries, including the Chinese and Russian cyber services. Indeed, how could they resist such a prize?
Snowden might have believed that he was in control, but the CIA believed that confidence was misinformed. “Snowden thinks he is smart,” Morell said, after reviewing the case on a panel appointed by President Obama, “but he was never in a position in his previous jobs to fully understand the immense capabilities of our Russian and Chinese counterparts.” He could adopt a cocky tone in his postmortem conversations with journalists in Moscow, but in truth he had no means to block the efforts of the Chinese or Russian services in Hong Kong. Even before Snowden contacted its diplomats in Hong Kong, the Russian intelligence service would swing into action to determine his intelligence value.