Spy Games

01.17.14

How the NSA Recruits in a Post-Snowden World

The surveillance state sold itself to hackers as the coolest place to work. Now it’s seen as the enemy, and that means going elsewhere to build an army of digital cat burglars.

There’s a truism you’ll hear repeated in computer security circles: if the NSA wants to get inside your computer, they’re already in. So when Jacob Applebaum stepped on stage last month at the 30th annual Chaos Communication Congress in Hamburg, Germany his audience had an idea of what was coming.

Over the next hour, Applebaum, a Wikileaks ally and core engineer of the Tor anonymity software, revealed the technology and tactics the NSA uses to “get the un-gettable,” executed by an elite unit known as Tailored Access Operations, or TAO. Unlike the data mules and mathematicians that fill the rest of the agency, TAO is made up of what can only be described as hackers, specially trained to break into computers and steal sensitive data—a role the NSA more eloquently calls “Computer Network Exploitation.” But how the agency came to rely on such highly skilled operators is a story unto itself.

Based in a heavily-guarded section of the NSA’s Fort Meade, Maryland, headquarters and other facilities around the country, TAO is reportedly the biggest part of the NSA’s Signals Intelligence Directorate, with over 1,000 military and civilian personnel. According to documents published in Der Spiegel, TAO’s hackers have exploited vulnerabilities in consumer products, like Apple’s ubiquitous iPhone, and have a massive catalog of technology and techniques at their disposal. One device, built by an R&D division called ANT, can break into protected WiFi networks from up to eight miles away. Agents are even known to intercept packages in the mail to implant spyware on computers ordered online, a process the agency calls “interdiction.” In all, NSA specialists have reportedly compromised more than 100,000 machines worldwide, and use a radio frequency technology, which allows them to remotely access computers even when they’re not connected to the Internet.

There’s some irony here: when you think about the skillset required for such feats, Applebaum’s audience at the congress neatly fits the bill. The annual jirga of German hackers and activists is attended by some of the world’s most talented computer security specialists who, under different circumstances, might have found their way into the flock of the NSA, Britain’s GCHQ, or a similar state intelligence service.

At first blush, it’s at these hacker meet-ups where intelligence agencies seem to search for the brightest minds to pluck into their ranks. Such cases are rare exceptions, however. Two years ago at the world-famous Def Con hacking conference in Las Vegas, NSA director General Keith Alexander showed up in T-shirt and blue jeans to deliver a keynote on the “shared values” of the hacker and intelligence communities—a first of its kind for the event. The agency had its own table in the vendor hall, and a special recruitment website was set up for the festivities.

An electronic pamphlet reassured the curious: “If you have a few, shall we say, indiscretions in your past, don’t be alarmed.” It added: “By the way, if you think you saw cool things at DEF CON® 20, just wait until you cross the threshold to NSA, ‘cause you ain’t seen nothing yet.”

It was unusually aggressive posturing for the secretive agency, and the patronizing sting felt by attendees was part of a long-standing culture clash between hackers and government spooks. But no one was quite ready the following year, when a twenty-something systems administrator began leaking documents on the NSA’s mass-surveillance programs.

To find the ideal hackers, the NSA taps other avenues, mainly in academia and industry.

A few weeks after the first revelations emerged, Def Con’s founder Jeff Moss told federal agents—a regular part of Def Con’s cultural pastiche—to steer clear of the conference. Alexander returned to Vegas, but spoke instead at Def Con’s business-casual sister conference, Black Hat. There he defended the NSA’s surveillance programs to a more sympathetic audience of government agents and defense contractors—though not without some heckling, and a short-lived plot involving several cartons of eggs.

But while agencies like the NSA have had a strong presence at such events, they don’t do much actual recruiting within the hacker community. Their main goal at those meetings is to learn about the various vulnerabilities and cutting-edge techniques on display, not hunt for new blood, according to people familiar with the agency’s recruitment efforts.

To find the ideal hackers, the NSA taps other avenues, mainly in academia and industry. This week, the agency is recruiting at the Joint Mathematics Meetings, the largest math conference in the United States. In the past, the agency has had an uncontroversial presence at the event, which hosts job-seekers with newly-acquired math Ph.Ds. This year, objection has come from at least one prominent member of the American Mathematical Society, which hosts the conference.

“The NSA destroyed the security of the Internet and privacy of communications for the whole planet,” wrote Alexander Beilinson in the Society’s newsletter (PDF). “But if any healing is possible, it would probably start with making the NSA and its ilk socially unacceptable—just as, in the days of my youth, working for the KGB was socially unacceptable for many in the Soviet Union.”

Beilinson isn’t alone: 11 prominent researchers and academics have canceled their scheduled talks at this year’s RSA Security conference in San Francisco, after it was reported that the company took $10 million from the NSA to load one of its products with a faulty random number generator widely believed to be a government backdoor.

The NSA has been known to both fund and recruit at other major industry events, such as the Network and Distributed System Security Symposium (NDSS) in San Diego and various IEEE conferences. A large portion of new recruits are also culled from the 180 universities in the U.S. and Puerto Rico currently under the agency’s Centers of Academic Excellence funding banner.

Back in pre-Snowden 2012, the same year as Alexander’s address, the NSA also helped fund Def Con Kids, a special track at Def Con devoted to educating kids in the art of “white hat” hacking. It was also sponsored by strange bedfellows such as AT&T and the Electronic Frontier Foundation, the latter of which has been suing the NSA over its surveillance activities since 2006. “We try to bring the highest level people from all sides of the debate,” said Nico Sell, a lead organizer of the Kids program, which has since been renamed r00tz Asylum.

“We need to recruit from Snowden’s generation,” admitted former CIA and NSA director Michael Hayden last July. “The challenge is how to recruit this talent while also protecting ourselves from the small fraction of the population that has this romantic attachment to absolute transparency at all costs.”

Obviously it makes more sense for NSA and other agencies to recruit and train hackers young, while it’s still easy to obtain security clearances. That effort extends to High School seniors, whom the NSA attracts with paid internships under its Work Study program. Still, many who join at an early age become disillusioned and eventually move to the private sector, where salaries for hackers vastly outperform the government’s offerings.

Government recruiters do have one big supporter within the hacking world, however. Speaking via satellite during a CCC talk called “Sysadmins of the World, Unite!” Wikileaks boss Julian Assange encouraged the young and computer-savvy to get inside organizations like the FBI and NSA as a way to bring more abuses to light.

“I’m not saying don’t join the CIA, no,” he exclaimed. “Join the CIA. Go into the ballpark and get the ball and bring it out.”

As far as the NSA is concerned, they might not be in that ballpark at all. According to people familiar with the agency’s structure, many of the hackers tasked with writing software exploits for the agency are sub-contractors, meaning they often don’t know (or care) how, when, or by whom their cyberweapons will ultimately be used.

Regardless of who’s pulling the proverbial trigger, government hacking activities have become increasingly contentious. Last April, a federal judge denied an FBI request to hack into a suspect’s computer, in a move that would have allowed the Bureau to look at the contents of hard drives and even take pictures using the machine’s built-in web camera. If the FBI’s information was wrong, the judge reasoned, the spyware could easily wind up infecting the computers of innocents. In another case involving a string of bomb threats from a man named “Mo,” a different judge gave the go-ahead for FBI hacking, but the Bureau came back empty-handed.

“I think it’s slightly scary that we have slipped into a world where the government is hacking into the computers of domestic targets without us having an informed debate about it,” said Chris Soghoian, a privacy technologist with the ACLU, during another talk at the CCC. Meanwhile, computer security expert Matt Blaze has argued those methods are preferable, in a way, as they “represent far less of a threat to our privacy and security” than the NSA’s massive dragnets for phone and internet data, as well as its efforts to undermine cryptographic standards.

Most privacy advocates, including Blaze, agree with President Obama’s surveillance review panel, which recommended that government hackers disclose the computer flaws they find so they can be patched, rather than secretly stockpiled and exploited. If that unlikely reform comes to pass, the window for attacking intelligence targets would be smaller, but it might also encourage agencies to simply employ more hackers to look for new vulnerabilities. Either way, expect the future of agencies like the NSA and FBI to look less like the Stasi and more like Stuxnet.