Busted

12.30.13

NSA Stabs Silicon Valley in the Back

When tech companies wouldn’t cooperate on surveillance, the spies bugged and hacked them like everyone else. Maybe now they’ll fight for privacy.

The National Security Agency’s sprawling surveillance architecture has long been enabled by cozy partnerships with private sector technology and telecommunications firms. But the honeymoon may be ending, as the continuing disclosures from Edward Snowden’s trove of classified documents make it increasingly clear how fundamentally opposed the interests of Fort Meade and Silicon Valley really are. By doing their best to prove the paranoid right, NSA is undermining the essential trust on which American tech companies depend.

Imagine, for instance, the reaction of a Microsoft engineer reading in Germany’s Der Spiegel this weekend that NSA was vacuuming up automated error-reporting messages from the company’s software as a way of identifying targets and sizing them up for attack. They’d even mocked up a parody version of the company’s familiar dialog box: “This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine.” One more reason for users worldwide to be wary of the very system Microsoft relies on to improve and secure its software. Microsoft’s Internet Explorer browser is also singled out as “especially popular with the NSA hackers”—which is to say, especially vulnerable.

The same story also has fresh details about the QUANTUM system used by NSA’s elite hacker corps, known as Tailored Access Operations (TAO), to target computers for intrusion by hijacking ordinary Web browsing sessions.  One cheerful document notes that the system has had its “greatest successes” hijacking the services of Facebook and Yahoo—a fact that executives at those companies may not be so quick to celebrate. Mark Zuckerberg can at least take comfort in knowing that NSA has also spoofed the popular social networking site LinkedIn as part of a campaign targeting a Belgian telecommunications company.

American hardware manufacturers have reason to groan too now—a companion piece noted that the agency has “burrowed its way into nearly all the security architecture made by the major players in the industry—including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.” TAO hackers have also developed specialized software designed to exploit vulnerabilities in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung—all but Samsung are U.S. firms.

Though TAO specializes in compromising “endpoint devices,” the Spiegel story makes clear that they’re not just interested in bugging individual terrorists’ laptops, but in much bigger game: “servers, workstations, firewalls, routers, handsets, phone switches,” and industrial control systems. Why waste time on retail spying when you can hack an entire platform or telecommunications network? As the numbers make clear, NSA’s philosophy is to build as many backdoors as it can, on the theory that you never know what will come in handy down the road. Spiegel reports that an astonishing “85,000 computers worldwide are projected to be infiltrated by the NSA specialists by the end of this year”—four times the number compromised as of 2008. Soon, NSA hopes to deploy a system capable of simultaneously managing “millions of implants.”

Tech companies have ample reason to fear that their own machines are included in that tally. When NSA’s hunger for data isn’t sated by the limited information that “partner” companies willingly provide through the front door, via programs like PRISM, the spy juggernaut is only too happy to build a back door.  Executives at one U.S. “partner,” Google, were outraged to learn in November that they were victims as well:  Their overseas data centers had been compromised to allow NSA to vacuum up user data in bulk.

Earlier this month, it was American security firm RSA’s turn to feel the knife in its back, when Reuters reported that NSA had leveraged a $10 million contract with the firm to get an insecure algorithm entrenched by default in one of the company’s security suites. As President Obama’s own handpicked surveillance review group concluded in a recent report, such broad efforts to enable easier surveillance also undermine user security—and the trust American firms rely on.

Long before these latest disclosures, one think tank estimated (PDF) that American cloud-computing providers alone stand to lose up to $35 billion over three years thanks to declining global trust in the wake of the Snowden stories, and analysts with Forrester Research have suggested the figure could be far higher.

Like the CIA’s shortsighted and widely condemned effort to use a vaccination program in Pakistan as cover to collect DNA samples from Osama bin Laden’s family in Abbottabad, NSA’s blunderbuss approach myopically serves short-term intelligence goals without considering the broader consequences for U.S. technology companies when—inevitably—it proves impossible to keep large-scale, systemic surveillance secret forever.

Little wonder, then, that a group of major technology companies earlier this month jointly declared the “urgent need” for surveillance reform.  As Microsoft VP Brad Smith put it: “People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.”  As each new story confirms that fear, NSA’s erstwhile partners have new reasons to fight for stronger privacy protections.