{"id":48629,"date":"2014-10-13T12:00:39","date_gmt":"2014-10-13T11:00:39","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=48629"},"modified":"2015-05-05T21:29:39","modified_gmt":"2015-05-05T20:29:39","slug":"core-secrets-nsa-saboteurs-in-china-and-germany","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/10\/core-secrets-nsa-saboteurs-in-china-and-germany\/","title":{"rendered":"Core Secrets: NSA Saboteurs in China and Germany"},"content":{"rendered":"

\"sentry<\/a><\/p>\n

The National Security Agency has had agents in China, Germany, and South Korea working on programs that use \u201cphysical subversion\u201d to infiltrate and compromise networks and devices, according to documents obtained by The Intercept<\/em>.<\/p>\n

The documents, leaked by NSA whistleblower Edward Snowden, also indicate that the agency has used \u201cunder cover\u201d operatives to gain access to sensitive data and systems in the global communications industry, and that these secret agents may have even dealt with American firms. The documents describe a range of clandestine field activities that are among the agency\u2019s \u201ccore secrets\u201d when it comes to computer network attacks, details of which are apparently shared with only a small number of officials outside the NSA.<\/p>\n

\u201cIt\u2019s something that many people have been wondering about for a long time,\u201d said Chris Soghoian, principal technologist for the American Civil Liberties Union, after reviewing the documents. \u201cI\u2019ve had conversations with executives at tech companies about this precise thing. How do you know the NSA is not sending people into your data centers?\u201d<\/p>\n

Previous disclosures about the NSA\u2019s corporate partnerships have focused largely on U.S. companies providing the agency with vast amounts of customer data, including phone records and email traffic. But documents published today by The Intercept<\/em> suggest that even as the agency uses secret operatives to penetrate them, companies have also cooperated more broadly to undermine the physical infrastructure of the internet than has been previously confirmed.<\/p>\n

In addition to so-called \u201cclose access\u201d operations, the NSA\u2019s \u201ccore secrets\u201d include the fact that the agency works with U.S. and foreign companies to weaken their encryption systems; the fact that the NSA spends \u201chundreds of millions of dollars\u201d on technology to defeat commercial encryption; and the fact that the agency works with U.S. and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries. Many of the NSA\u2019s core secrets concern its relationships to domestic and foreign corporations.<\/p>\n

Some of the documents in this article appear in a new documentary, CITIZENFOUR<\/em>, which tells the story of the Snowden disclosures and is directed by Intercept<\/em> co-founder Laura Poitras. The documents describe a panoply of programs classified with the rare designation of \u201cExceptionally Compartmented Information,\u201d or ECI, which are only disclosed to a \u201cvery select\u201d number of government officials.<\/p>\n

Sentry Eagle<\/strong><\/p>\n

The agency\u2019s core secrets are outlined in a 13-page \u201cbrief sheet\u201d about Sentry Eagle<\/a>, an umbrella term that the NSA used to encompass its most sensitive programs \u201cto protect America\u2019s cyberspace.\u201d<\/p>\n

\u201cYou are being indoctrinated on Sentry Eagle,\u201d the 2004 document begins, before going on to list the most highly classified aspects of its various programs. It warns that the details of the Sentry Eagle programs are to be shared with only a \u201climited number\u201d of people, and even then only with the approval of one of a handful of senior intelligence officials, including the NSA director.<\/p>\n

\u201cThe facts contained in this program constitute a combination of the greatest number of highly sensitive facts related to NSA\/CSS\u2019s overall cryptologic mission,\u201d the briefing document states. \u201cUnauthorized disclosure\u2026will cause exceptionally grave damage to U.S. national security. The loss of this information could critically compromise highly sensitive cryptologic U.S. and foreign relationships, multi-year past and future NSA investments, and the ability to exploit foreign adversary cyberspace while protecting U.S. cyberspace.\u201d<\/p>\n

The document does not provide any details on the identity or number of government officials who were supposed to know about these highly classified programs. Nor is it clear what sort of congressional or judicial oversight, if any, was applied to them. The NSA refused to comment beyond a statement saying, \u201cIt should come as no surprise that NSA conducts targeted operations to counter increasingly agile adversaries.\u201d The agency cited Presidential Policy Directive 28, which it claimed \u201crequires signals intelligence policies and practices to take into account the globalization of trade, investment and information flows, and the commitment to an open, interoperable, and secure global Internet.\u201d The NSA, the statement concluded, \u201cvalues these principles and honors them in the performance of its mission.\u201d<\/p>\n

Sentry Eagle includes six programs: Sentry Hawk (for activities involving computer network exploitation, or spying), Sentry Falcon (computer network defense), Sentry Osprey (cooperation with the CIA and other intelligence agencies), Sentry Raven (breaking encryption systems), Sentry Condor (computer network operations and attacks), and Sentry Owl (collaborations with private companies). Though marked as a draft from 2004, it refers to the various programs in language indicating that they were ongoing at the time, and later documents in the Snowden archive confirm that some of the activities were going on as recently as 2012.<\/p>\n

\"surveillance<\/a><\/p>\n

TAREX<\/strong><\/p>\n

One of the most interesting components of the \u201ccore secrets\u201d involves an array of clandestine activities in the real world by NSA agents working with their colleagues at the CIA, FBI, and Pentagon. The NSA is generally thought of as a spying agency that conducts its espionage from afar\u2014via remote commands, cable taps, and malware implants that are overseen by analysts working at computer terminals. But the agency also participates in a variety of \u201chuman intelligence\u201d programs that are grouped under the codename Sentry Osprey. According to the briefing document\u2019s description of Sentry Osprey, the NSA \u201cemploys its own HUMINT assets (Target Exploitation\u2014TAREX) to support SIGINT operations.\u201d<\/p>\n

According to a 2012 classification guide describing the program<\/a>, TAREX \u201cconducts worldwide clandestine Signals Intelligence (SIGINT) close-access operations and overt and clandestine Human Intelligence (HUMINT) operations.\u201d The NSA directs and funds the operations and shares authority over them with the Army\u2019s Intelligence and Security Command. The guide states that TAREX personnel are \u201cintegrated\u201d into operations conducted by the CIA, FBI, and Defense Intelligence Agency. It adds that TAREX operations include \u201coff net-enabling,\u201d \u201csupply chain-enabling,\u201d and \u201chardware implant-enabling.\u201d<\/p>\n

According to another NSA document<\/a>, off-net operations are \u201ccovert or clandestine field activities,\u201d while supply-chain operations are \u201cinterdiction activities that focus on modifying equipment in a target\u2019s supply chain.\u201d<\/p>\n

The NSA\u2019s involvement in supply-chain interdiction was previously revealed in No Place to Hide<\/em>, written by Intercept<\/em> co-founder Glenn Greenwald. The book included a photograph of intercepted packages being opened by NSA agents, and an accompanying NSA document explained the packages were \u201credirected to a secret location\u201d where the agents implanted surveillance beacons that secretly communicated with NSA computers. The document did not say how the packages were intercepted and did not suggest, as the new documents do, that interception and implants might be done by clandestine agents in the field.<\/p>\n

The TAREX guide lists South Korea, Germany, and Beijing, China as sites where the NSA has deployed a \u201cforward-based TAREX presence;\u201d TAREX personnel also operate at domestic NSA centers in Hawaii, Texas, and Georgia. It also states that TAREX personnel are assigned to U.S. embassies and other \u201coverseas locations,\u201d but does not specify where. The document does not say what the \u201cforward-based\u201d personnel are doing, or how extensive TAREX operations are. But China, South Korea, and Germany are all home to large telecommunications equipment manufacturers, and China is known to be a key target of U.S. intelligence activities.<\/p>\n

Although TAREX has existed for decades, until now there has been little information in the public domain about its current scope. A 2010 book by a former Defense Intelligence Agency officer, Lt. Col. Anthony Shaffer, described TAREX operations in Afghanistan as consisting of \u201csmall-unit, up-close, intelligence-gathering operatives. Usually two-to-three man units.\u201d<\/p>\n

\u201cUnder Cover\u201d Agents<\/strong><\/p>\n

The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into \u201ccommercial entities.\u201d The briefing document states that among Sentry Eagle\u2019s most closely guarded components are \u201cfacts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A\/B\/C).\u201d<\/p>\n

It is not clear whether these \u201ccommercial entities\u201d are American or foreign or both. Generally the placeholder \u201c(A\/B\/C)\u201d is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder \u201c(M\/N\/O).\u201d The NSA refused to provide any clarification to The Intercept<\/em>.<\/p>\n

The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the \u201ccommercial entities,\u201d or whether they are visiting commercial facilities under false pretenses. The CIA is known<\/a> to use agents masquerading as businessmen, and it has used shell companies<\/a> in the U.S. to disguise its activities.<\/p>\n

There is a long history of overt NSA involvement with American companies, especially telecommunications and technology firms. Such firms often have employees with security clearances<\/a> who openly communicate with intelligence agencies as part of their duties, so that the government receives information from the companies that it is legally entitled to receive, and so that the companies can be alerted to classified cyber threats. Often, such employees have previously worked<\/a> at the NSA, FBI, or the military.<\/p>\n

But the briefing document suggests another category of employees\u2014ones who are secretly working for the NSA without anyone else being aware. This kind of double game, in which the NSA works with and against its corporate partners, already characterizes some of the agency\u2019s work, in which information or concessions that it desires are surreptitiously acquired<\/a> if corporations will not voluntarily comply. The reference to \u201cunder cover\u201d agents jumped out at two security experts who reviewed the NSA documents for The Intercept<\/em>.<\/p>\n

\u201cThat one bullet point, it\u2019s really strange,\u201d said Matthew Green, a cryptographer at Johns Hopkins University. \u201cI don\u2019t know how to interpret it.\u201d He added that the cryptography community in America would be surprised and upset if it were the case that \u201cpeople are inside [an American] company covertly communicating with NSA and they are not known to the company or to their fellow employees.\u201d<\/p>\n

The ACLU\u2019s Soghoian said technology executives are already deeply concerned about the prospect of clandestine agents on the payroll to gain access to highly sensitive data, including encryption keys, that could make the NSA\u2019s work \u201ca lot easier.\u201d<\/p>\n

\u201cAs more and more communications become encrypted, the attraction for intelligence agencies of stealing an encryption key becomes irresistible,\u201d he said. \u201cIt\u2019s such a juicy target.\u201d<\/p>\n

Of course the NSA is just one intelligence agency that would stand to benefit from these operations. China\u2019s intelligence establishment is believed to be just as interested in penetrating American companies as the NSA is believed to be interested in penetrating Chinese firms.<\/p>\n

\u201cThe NSA is a risk [but] I worry a lot more about the Chinese,\u201d said Matthew Prince, chief executive of CloudFlare, a server company. \u201cThe insider threat is a huge challenge.\u201d Prince thinks it is unlikely the NSA would place secret agents inside his or other American firms, due to political and legal issues. \u201cI would be surprised if that were the case within any U.S. organization without at least a senior executive like the CEO knowing it was happening,\u201d he said. But he assumes the NSA or CIA are doing precisely that in foreign companies. \u201cI would be more surprised if they didn\u2019t,\u201d he said.<\/p>\n

Corporate Partners<\/strong><\/p>\n

The briefing sheet\u2019s description of Sentry Owl indicates the NSA has previously unknown relationships with foreign companies. According to the document, the agency \u201cworks with specific foreign partners (X\/Y\/Z) and foreign commercial industry entities\u201d to make devices and products \u201cexploitable for SIGINT\u201d\u2014a reference to signals intelligence, which is the heart of the NSA\u2019s effort to collect digital communications, such as emails, texts, photos, chats, and phone records. This language clarifies a vague reference to foreign companies<\/a> that appears in the secret 2013 budget for the intelligence community, key parts of which were published last year from the Snowden archive.<\/p>\n

The document does not name any foreign companies or products, and gives no indication of the number or scale of the agency\u2019s ties to them. Previous disclosures from the Snowden archive have exposed the agency\u2019s close relationships<\/a> with foreign intelligence agencies<\/a>, but there has been relatively little revealed about the agency gaining the help of foreign companies.<\/p>\n

The description of Sentry Hawk, which involves attacks on computer networks, also indicates close ties with foreign as well as American companies. The document states that the NSA \u201cworks with U.S. and foreign commercial entities\u2026in the conduct of CNE [Computer Network Exploitation].\u201d Although previous stories from the Snowden archive revealed a wide range of NSA attacks on computer networks, it has been unclear whether those attacks were conducted with the help of \u201ccommercial entities\u201d\u2014especially foreign ones. The document does not provide the names of any of these entities or the types of operations.<\/p>\n

Green, the cryptography professor, said \u201cit\u2019s a big deal\u201d if the NSA is working with foreign companies on a greater scale than currently understood. Until now, he noted, disclosures about the agency\u2019s corporate<\/a> relationships<\/a> have focused on American companies<\/a>. Those revelations have harmed their credibility, nudging customers to foreign alternatives that were thought to be untouched by the NSA. If foreign companies are also cooperating with the NSA and modifying their products, the options for purchasing truly secure telecommunications hardware are more limited than previously thought.<\/p>\n

The briefing sheet does not say whether foreign governments are aware that the NSA may be working with their own companies. If they are not aware, says William Binney, a former NSA crypto-mathematician turned whistleblower, it would mean the NSA is cutting deals behind the backs of friendly and perhaps not-so-friendly governments.<\/p>\n

\u201cThe idea of having foreign corporations involved without any hint of any foreign government involved is significant,\u201d he said. \u201cIt will be an alert to all governments to go check with their companies. Bring them into parliament and put them under oath.\u201d<\/p>\n

The description of Sentry Raven, which focuses on encryption, provides additional confirmation that American companies have helped the NSA by secretly weakening encryption products to make them vulnerable to the agency. The briefing sheet states the NSA \u201cworks with specific U.S. commercial entities\u2026to modify U.S manufactured encryption systems to make them exploitable for SIGINT.\u201d It doesn\u2019t name the commercial entities or the encryption tools they modified, but it appears to encompass a type of activity that Reuters revealed<\/a> last year\u2014that the NSA paid $10 million to the security firm RSA to use a weak random number generator in one of its encryption programs.<\/p>\n

The avalanche of NSA disclosures since the Snowden leaks began in 2013 has shattered whatever confidence technologists once had about their networks. When asked for comment on the latest documents, Prince, the CEO of CloudFlare, began his response by saying, \u201cWe\u2019re hyper-paranoid about everything.\u201d<\/p>\n

Documents:<\/strong><\/p>\n