After 20 months and dozens of stories from Edward Snowden’s classified document trove, you might’ve been tempted to think that there was nothing shocking left to learn about the lengths Western intelligence services would go in the hunt for a relative handful of spies, terrorists, and other criminals.
Think again. Two blockbuster revelations this week—one, straight from the Snowden files, the other from a Russian cybersecurity firm—shed new light on just how determined U.S. and British spies are to pry into the world’s phone and computer networks, all while potentially undermining the security and privacy of hundreds of millions of innocent people.
On Thursday, the Intercept revealed a secret U.S. and British intelligence operation that gave the nations’ spy agencies the ability to monitor “a large portion of the world’s cellular communications,” even if they were protected by encryption. The operation, apparently undertaken five years ago, gave the agencies the ability to break the codes used to encrypt phone calls, text messages, and other data sent on more than 450 wireless phone networks around the world.
The Intercept reported in detail how the intelligence agencies hacked the emails and Facebook accounts of employees at a Dutch firm, Gemalto, that manufactures about 2 billion mobile phone SIM cards every year. By mining the employees’ communications, the agencies were able to gather information that helped them steal the “keys” used to encrypt those tiny cards, thus allowing the agencies to listen in on phone calls and read messages that users believed were kept disguised by powerful technology.
The joint NSA-GCHQ operation may have far-reaching foreign policy consequences. It was mounted against a company headquartered in The Netherlands, a stalwart European ally of the United States and Britain and NATO member country, and it allowed the spy agencies to bypass legal procedures for gathering communications of citizens in countries around the world. If the agencies could intercept the calls and decrypt them on their own, they had no need to request the assistance of foreign companies or governments.
That backdoor maneuver—while exactly the type of work that one expects of a secret intelligence outfit—may nevertheless further aggravate foreign relationships at a time when the United States is seen as a global spying hegemon that disregards the privacy of foreigners. And it comes just as the Obama administration is wrestling with European partners over what to do to stop Russian military aggression in Ukraine. In 2013, revelations from the Snowden files caused a rift between America and some of its NATO allies—a rift that had largely healed. Those old wounds could be reopened by fresh revelations of massive, clandestine spying on friendly nations.
“This was the easy way: Attack a NATO [member country] company, and gain the keys for everybody,” Nicholas Weaver, a senior researcher at the International Computer Science Institute, told The Daily Beast. “But it wasn’t the elegant way. If the GCHQ wanted to target individuals and was willing to wait a day or two to decrypt a new target, they could have set up a pipeline where the GCHQ asks the Netherlands, which asks Gemalto to provide the keys for a set of targets. If they wanted to just target some countries, they could have also just targeted recipient [telecommunications companies], rather than a NATO company. But that would require more work: having to compromise a dozen companies rather than just one.”
The revelation follows another a report this week about NSA’s aggressive cyber operations. The Russian cyber security firm Kaspersky disclosed that a secret unit it called the “Equation Group” has permanently embedded surveillance and sabotage devices on computers around the world, drilling down to the level of computer hardware, an especially pernicious and highly skilled feat of hacking. Clues in the Snowden files—and in the malware Kaspersky discovered—strongly indicated that the “Equation Group” was part of the NSA.
Kevin Poulsen, the renowned former hacker, said the Group’s work was so sophisticated, and so advanced, that it was essentially the cyberwar equivalent to the Manhattan Project.
“There are update mechanisms, dozens of plug-ins, a self-destruct function, massive code obfuscation, hundreds of fake websites to serve as command-and-control, Poulsen wrote in Wired. “One of the NSA’s malware plug-ins can even reprogram your hard drive’s firmware, allowing the implant to survive a complete disk wipe—a feat that’s been demonstrated by computer scientists under laboratory conditions but never before seen in the wild.”
By secretly undermining or disabling encryption and other features that provide some measure of privacy and security to everyday computer and phone users, the NSA is arguably undermining cybersecurity on a broad scale. Previous disclosures based on documents leaked by Snowden showed that the NSA collects information on undefended vulnerabilities in computer software and operating systems, known as zero days, rather than disclosing that information to manufacturers so they can protect their customers.
In 2013, a panel of security experts recommended to President Obama that the NSA stop hoarding zero days, which, like stolen encryption keys, give the NSA privileged access to spy on computers and mobile phones, but at a significant risk to individuals’ security. The agency now errs on the side of disclosing vulnerabilities, officials say, but reserves the right to not to in the interest of national security, a significant loophole.
The revelations also come at an inopportune moment for the GCHQ, with Britain’s intelligence and policing watchdog having recently found that a regime governing sharing of intercepted electronic communications with the United States was illegal.
The new report also shows the extent to which using encryption in the first place makes one a target in the intelligence agencies’ eyes. In one instance, the GCHQ found that a Gemalto employee in Thailand was sending encrypted files, which seemed to indicate that the underlying material was valuable. If the agency wanted to dig further into Gemalto’s inner workings, “he would certainly be a good place to start,” GCHQ officials said.
The White House didn’t respond Thursday night to the revelations of SIM-card spying. But Obama has repeatedly sought to assure Americans that the NSA isn’t monitoring their phone communications without just cause.
“Nobody is listening to your telephone calls,” Obama stressed in 2013 when the first Snowden leaks revealed that the NSA was collecting Americans’ phone records en masse. There is no indication that the SIM-card operation was aimed at Americans specifically, and in any event, the U.S. government must obtain a warrant whenever it wants to listen to Americans’ phone calls.
But Obama’s reassurances did little to assuage the hundreds of millions of foreigners whose communications were fair game. And if history is any guide, they won’t be any more at ease now.