surprised and upset? covert HUMINT against domestic corporations

coderman coderman at gmail.com
Fri Oct 10 18:49:57 PDT 2014


https://firstlook.org/theintercept/2014/10/10/core-secrets/

Core Secrets: NSA Saboteurs in China and Germany
By Peter Maass and Laura Poitras

The National Security Agency has had agents in China, Germany, and
South Korea working on programs that use “physical subversion” to
infiltrate and compromise networks and devices, according to documents
obtained by The Intercept.

The documents, leaked by NSA whistleblower Edward Snowden, also
indicate that the agency has used “under cover” operatives to gain
access to sensitive data and systems in the global communications
industry, and that these secret agents may have even dealt with
American firms. The documents describe a range of clandestine field
activities that are among the agency’s “core secrets” when it comes to
computer network attacks, details of which are apparently shared with
only a small number of officials outside the NSA.

“It’s something that many people have been wondering about for a long
time,” said Chris Soghoian, principal technologist for the American
Civil Liberties Union, after reviewing the documents. “I’ve had
conversations with executives at tech companies about this precise
thing. How do you know the NSA is not sending people into your data
centers?”

Previous disclosures about the NSA’s corporate partnerships have
focused largely on U.S. companies providing the agency with vast
amounts of customer data, including phone records and email traffic.
But documents published today by The Intercept suggest that even as
the agency uses secret operatives to penetrate them, companies have
also cooperated more broadly to undermine the physical infrastructure
of the internet than has been previously confirmed.

In addition to so-called “close access” operations, the NSA’s “core
secrets” include the fact that the agency works with U.S. and foreign
companies to weaken their encryption systems; the fact that the NSA
spends “hundreds of millions of dollars” on technology to defeat
commercial encryption; and the fact that the agency works with U.S.
and foreign companies to penetrate computer networks, possibly without
the knowledge of the host countries. Many of the NSA’s core secrets
concern its relationships to domestic and foreign corporations.

Some of the documents in this article appear in a new documentary,
CITIZENFOUR, which tells the story of the Snowden disclosures and is
directed by Intercept co-founder Laura Poitras. The documents describe
a panoply of programs classified with the rare designation of
“Exceptionally Compartmented Information,” or ECI, which are only
disclosed to a “very select” number of government officials.
Sentry Eagle

The agency’s core secrets are outlined in a 13-page “brief sheet”
about Sentry Eagle, an umbrella term that the NSA used to encompass
its most sensitive programs “to protect America’s cyberspace.”

“You are being indoctrinated on Sentry Eagle,” the 2004 document
begins, before going on to list the most highly classified aspects of
its various programs. It warns that the details of the Sentry Eagle
programs are to be shared with only a “limited number” of people, and
even then only with the approval of one of a handful of senior
intelligence officials, including the NSA director.

“The facts contained in this program constitute a combination of the
greatest number of highly sensitive facts related to NSA/CSS’s overall
cryptologic mission,” the briefing document states. “Unauthorized
disclosure…will cause exceptionally grave damage to U.S. national
security. The loss of this information could critically compromise
highly sensitive cryptologic U.S. and foreign relationships,
multi-year past and future NSA investments, and the ability to exploit
foreign adversary cyberspace while protecting U.S. cyberspace.”

The document does not provide any details on the identity or number of
government officials who were supposed to know about these highly
classified programs. Nor is it clear what sort of congressional or
judicial oversight, if any, was applied to them. The NSA refused to
comment beyond a statement saying, “It should come as no surprise that
NSA conducts targeted operations to counter increasingly agile
adversaries.” The agency cited Presidential Policy Directive 28, which
it claimed “requires signals intelligence policies and practices to
take into account the globalization of trade, investment and
information flows, and the commitment to an open, interoperable, and
secure global Internet.” The NSA, the statement concluded, “values
these principles and honors them in the performance of its mission.”

Sentry Eagle includes six programs: Sentry Hawk (for activities
involving computer network exploitation, or spying), Sentry Falcon
(computer network defense), Sentry Osprey (cooperation with the CIA
and other intelligence agencies), Sentry Raven (breaking encryption
systems), Sentry Condor (computer network operations and attacks), and
Sentry Owl (collaborations with private companies). Though marked as a
draft from 2004, it refers to the various programs in language
indicating that they were ongoing at the time, and later documents in
the Snowden archive confirm that some of the activities were going on
as recently as 2012.
TAREX

One of the most interesting components of the “core secrets” involves
an array of clandestine activities in the real world by NSA agents
working with their colleagues at the CIA, FBI, and Pentagon. The NSA
is generally thought of as a spying agency that conducts its espionage
from afar—via remote commands, cable taps, and malware implants that
are overseen by analysts working at computer terminals. But the agency
also participates in a variety of “human intelligence” programs that
are grouped under the codename Sentry Osprey. According to the
briefing document’s description of Sentry Osprey, the NSA “employs its
own HUMINT assets (Target Exploitation—TAREX) to support SIGINT
operations.”

According to a 2012 classification guide describing the program, TAREX
“conducts worldwide clandestine Signals Intelligence (SIGINT)
close-access operations and overt and clandestine Human Intelligence
(HUMINT) operations.” The NSA directs and funds the operations and
shares authority over them with the Army’s Intelligence and Security
Command. The guide states that TAREX personnel are “integrated” into
operations conducted by the CIA, FBI, and Defense Intelligence Agency.
It adds that TAREX operations include “off net-enabling,” “supply
chain-enabling,” and “hardware implant-enabling.”

According to another NSA document, off-net operations are “covert or
clandestine field activities,” while supply-chain operations are
“interdiction activities that focus on modifying equipment in a
target’s supply chain.”

The NSA’s involvement in supply-chain interdiction was previously
revealed in No Place to Hide, written by Intercept co-founder Glenn
Greenwald. The book included a photograph of intercepted packages
being opened by NSA agents, and an accompanying NSA document explained
the packages were “redirected to a secret location” where the agents
implanted surveillance beacons that secretly communicated with NSA
computers. The document did not say how the packages were intercepted
and did not suggest, as the new documents do, that interception and
implants might be done by clandestine agents in the field.

The TAREX guide lists South Korea, Germany, and Beijing, China as
sites where the NSA has deployed a “forward-based TAREX presence;”
TAREX personnel also operate at domestic NSA centers in Hawaii, Texas,
and Georgia. It also states that TAREX personnel are assigned to U.S.
embassies and other “overseas locations,” but does not specify where.
The document does not say what the “forward-based” personnel are
doing, or how extensive TAREX operations are. But China, South Korea,
and Germany are all home to large telecommunications equipment
manufacturers, and China is known to be a key target of U.S.
intelligence activities.

Although TAREX has existed for decades, until now there has been
little information in the public domain about its current scope. A
2010 book by a former Defense Intelligence Agency officer, Lt. Col.
Anthony Shaffer, described TAREX operations in Afghanistan as
consisting of “small-unit, up-close, intelligence-gathering
operatives. Usually two-to-three man units.”
“Under Cover” Agents

The most controversial revelation in Sentry Eagle might be a fleeting
reference to the NSA infiltrating clandestine agents into “commercial
entities.” The briefing document states that among Sentry Eagle’s most
closely guarded components are “facts related to NSA personnel (under
cover), operational meetings, specific operations, specific
technology, specific locations and covert communications related to
SIGINT enabling with specific commercial entities (A/B/C).”

It is not clear whether these “commercial entities” are American or
foreign or both. Generally the placeholder “(A/B/C)” is used in the
briefing document to refer to American companies, though on one
occasion it refers to both American and foreign companies. Foreign
companies are referred to with the placeholder “(M/N/O).” The NSA
refused to provide any clarification to The Intercept.

The document makes no other reference to NSA agents working under
cover. It is not clear whether they might be working as full-time
employees at the “commercial entities,” or whether they are visiting
commercial facilities under false pretenses. The CIA is known to use
agents masquerading as businessmen, and it has used shell companies in
the U.S. to disguise its activities.

There is a long history of overt NSA involvement with American
companies, especially telecommunications and technology firms. Such
firms often have employees with security clearances who openly
communicate with intelligence agencies as part of their duties, so
that the government receives information from the companies that it is
legally entitled to receive, and so that the companies can be alerted
to classified cyber threats. Often, such employees have previously
worked at the NSA, FBI, or the military.

But the briefing document suggests another category of employees—ones
who are secretly working for the NSA without anyone else being aware.
This kind of double game, in which the NSA works with and against its
corporate partners, already characterizes some of the agency’s work,
in which information or concessions that it desires are
surreptitiously acquired if corporations will not voluntarily comply.
The reference to “under cover” agents jumped out at two security
experts who reviewed the NSA documents for The Intercept.

“That one bullet point, it’s really strange,” said Matthew Green, a
cryptographer at Johns Hopkins University. “I don’t know how to
interpret it.” He added that the cryptography community in America
would be surprised and upset if it were the case that “people are
inside [an American] company covertly communicating with NSA and they
are not known to the company or to their fellow employees.”

The ACLU’s Soghoian said technology executives are already deeply
concerned about the prospect of clandestine agents on the payroll to
gain access to highly sensitive data, including encryption keys, that
could make the NSA’s work “a lot easier.”

“As more and more communications become encrypted, the attraction for
intelligence agencies of stealing an encryption key becomes
irresistible,” he said. “It’s such a juicy target.”

Of course the NSA is just one intelligence agency that would stand to
benefit from these operations. China’s intelligence establishment is
believed to be just as interested in penetrating American companies as
the NSA is believed to be interested in penetrating Chinese firms.

“The NSA is a risk [but] I worry a lot more about the Chinese,” said
Matthew Prince, chief executive of CloudFlare, a server company. “The
insider threat is a huge challenge.” Prince thinks it is unlikely the
NSA would place secret agents inside his or other American firms, due
to political and legal issues. “I would be surprised if that were the
case within any U.S. organization without at least a senior executive
like the CEO knowing it was happening,” he said. But he assumes the
NSA or CIA are doing precisely that in foreign companies. “I would be
more surprised if they didn’t,” he said.
Corporate Partners

The briefing sheet’s description of Sentry Owl indicates the NSA has
previously unknown relationships with foreign companies. According to
the document, the agency “works with specific foreign partners (X/Y/Z)
and foreign commercial industry entities” to make devices and products
“exploitable for SIGINT”—a reference to signals intelligence, which is
the heart of the NSA’s effort to collect digital communications, such
as emails, texts, photos, chats, and phone records. This language
clarifies a vague reference to foreign companies that appears in the
secret 2013 budget for the intelligence community, key parts of which
were published last year from the Snowden archive.

The document does not name any foreign companies or products, and
gives no indication of the number or scale of the agency’s ties to
them. Previous disclosures from the Snowden archive have exposed the
agency’s close relationships with foreign intelligence agencies, but
there has been relatively little revealed about the agency gaining the
help of foreign companies.

The description of Sentry Hawk, which involves attacks on computer
networks, also indicates close ties with foreign as well as American
companies. The document states that the NSA “works with U.S. and
foreign commercial entities…in the conduct of CNE [Computer Network
Exploitation].” Although previous stories from the Snowden archive
revealed a wide range of NSA attacks on computer networks, it has been
unclear whether those attacks were conducted with the help of
“commercial entities”—especially foreign ones. The document does not
provide the names of any of these entities or the types of operations.

Green, the cryptography professor, said “it’s a big deal” if the NSA
is working with foreign companies on a greater scale than currently
understood. Until now, he noted, disclosures about the agency’s
corporate relationships have focused on American companies. Those
revelations have harmed their credibility, nudging customers to
foreign alternatives that were thought to be untouched by the NSA. If
foreign companies are also cooperating with the NSA and modifying
their products, the options for purchasing truly secure
telecommunications hardware are more limited than previously thought.

The briefing sheet does not say whether foreign governments are aware
that the NSA may be working with their own companies. If they are not
aware, says William Binney, a former NSA crypto-mathematician turned
whistleblower, it would mean the NSA is cutting deals behind the backs
of friendly and perhaps not-so-friendly governments.

“The idea of having foreign corporations involved without any hint of
any foreign government involved is significant,” he said. “It will be
an alert to all governments to go check with their companies. Bring
them into parliament and put them under oath.”

The description of Sentry Raven, which focuses on encryption, provides
additional confirmation that American companies have helped the NSA by
secretly weakening encryption products to make them vulnerable to the
agency. The briefing sheet states the NSA “works with specific U.S.
commercial entities…to modify U.S manufactured encryption systems to
make them exploitable for SIGINT.” It doesn’t name the commercial
entities or the encryption tools they modified, but it appears to
encompass a type of activity that Reuters revealed last year—that the
NSA paid $10 million to the security firm RSA to use a weak random
number generator in one of its encryption programs.

The avalanche of NSA disclosures since the Snowden leaks began in 2013
has shattered whatever confidence technologists once had about their
networks. When asked for comment on the latest documents, Prince, the
CEO of CloudFlare, began his response by saying, “We’re hyper-paranoid
about everything.”




More information about the cypherpunks mailing list