NSA agents successfully
targeted “the entire business chain” connecting foreign cafes to the internet,
bragged about an “all-out effort” to spy on liberated Iraq, and began systematically
trying to break into virtual private networks, according to a set of internal
agency news reports dating to the first half of 2005.
British spies, meanwhile, were
made to begin providing new details about their informants via a system of
“Intelligence Source Descriptors” created in response to intelligence failures
in Iraq. Hungary and the Czech Republic pulled closer to the National Security
Agency.
And future Intercept backer
Pierre Omidyar visited NSA headquarters for an internal conference panel on
“human networking” and open-source intelligence.
These stories and more are
contained in a batch of
294 articles from SIDtoday, the internal news website of the NSA’s core
Signals Intelligence Directorate. The Intercept is publishing the articles in
redacted form as part of an ongoing project to release material from the files
provided by NSA whistleblower Edward Snowden.
In addition to the
aforementioned highlights, summarized in further detail below, the documents
show how the NSA greatly expanded a secret eavesdropping partnership with
Ethiopia’s draconian security forces in the Horn of Africa, as detailed
in an investigation by longtime Intercept contributor Nick Turse. They
describe the NSA’s operations at a base in Digby, England, where the agency
worked with its British counterpart GCHQ to help direct drones in the Middle
East and tap into communications through the Arab Spring uprisings, according
to a separate article by Intercept reporter Ryan Gallagher. And they show
how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer
file sharing through the apps Kazaa and eDonkey, as
explained here by Intercept technologist Micah Lee.
NSA did not comment for this
article.
American Intelligence Agents Outed Themselves Online
Members of the U.S.
intelligence community routinely thwarted a system designed to mask their
identities online by using it for personal shopping and to log on to websites,
according to an NSA information technology manager.
The system, called “AIRGAP,”
was run by “one of the world’s largest ISPs” and created around 1998 at the
behest of the NSA, according to NSA Internet Program Manager Charlie Speight, writing
in SIDtoday. Its purpose was to allow “non-attribution internet access,”
Speight added, meaning that intelligence analysts could surf the internet
without revealing that they were coming from U.S. spy agencies. By 2005, it was
used by the whole U.S. intelligence community.
One early concern about the
firewall was that it funneled all internet traffic through a single IP address,
meaning that if any activity on the address was revealed to be associated with
U.S. spies, a broad swath of other activity could then be attributed to other
U.S. spies. More IP addresses were subsequently added, but “occasionally we
find that the ISP reverts to one address, or does not effectively rotate those
assigned,” Speight wrote.
Speight added that the
“greater security concern” was the very intelligence agents the system was
designed to protect. “Despite rules and warnings to the contrary, all too
frequently users will use AIRGAP for registering on web sites or for services,
logging into other sites and services and even ordering personal items from
on-line vendors,” Speight wrote in a classified passage. “By doing so, these
users reveal information about themselves and, potentially, other users on the
network. So much for ‘non-attribution.’”
This sort of sloppiness
mirrors behavior that has undermined Russian intelligence operatives. A slide
presentation by Canadian intelligence, dating to 2011 or later, labeled
as “morons” members of a Russian hacking group code-named “MAKERSMARK,” who
thwarted a “really well-designed” system to hide their identities by using it
to log on to their personal social and email accounts.
The two situations are not
perfectly comparable; the U.S. system was managed as part of a network
for obtaining unclassified information, while the Russian system was used
for the more sensitive activity of staging hack attacks. But Speight hinted at
aggressive use of the U.S. system, writing in his piece that the NSA had begun
“using AIRGAP for reasons and in volumes not intended in its formation” — the
agency thus began developing its own separate firewall.
The NSA had systems with the
same goal as AIRGAP — anonymization — but for phone calls. According to a February
2005 SIDtoday article, the NSA controlled 40,000 telephone numbers, but
these were almost all prefixed with area- and exchange-code combinations that
were publicly associated with the agency. An analyst who needed to make a
public phone call without leaking their affiliation could use “anonymous
telephones,” most of them registered to the Department of Defense, or “cover
telephones,” registered using alias names and P.O. boxes. No security protocol
lapses were described in connection with the old-fashioned voice networks.
NSA Targeted “the Entire Business Chain” to Spy on Internet Cafes
While hiding, or at least
trying to hide, its own online operations, the NSA launched an all-encompassing
campaign to trace online activity in internet cafes, down to specific
seats.
A program called “MASTERSHAKE”
accomplished this by exploiting equipment used by the cafes, including
satellite internet modems, according to top-secret information reported by
SIDtoday. “MASTERSHAKE targets the entire business chain, from manufacturer to
Internet café installation, to ascertain any and all available data regarding …
geolocation, the network connectivity of the modem, as well as the actual
physical location of the installation,” according
to SIDtoday.
MASTERSHAKE data was
“enriched” with other information, including “geolocatable
phone events,” as well as intelligence from throughout the NSA’s
Signals Intelligence Directorate and from the agency’s XKeyscore search system.
The NSA knew the precise
location of over 400 internet cafes. For over 50 of these cafes, it could
locate a target to a specific seat within the cafe. One goal of the monitoring
was to hunt down Al Qaeda leaders, like Abu Musab al-Zarqawi. SIDtoday focused
on the use of MASTERSHAKE in Iraq, describing an incident in the city of Ramadi
where two “counterterrorism targets” began using a messenger service at an
internet cafe, and “within about 15 minutes the two men were arrested.” But it
also indicated the system was used more broadly, “in the Middle East and
Africa.”
As the Intercept previously
reported, the NSA has surveilled internet cafes in Yemen, Afghanistan,
Syria, Lebanon, and Iran, as detailed
in agency documents.
An “All-Out Effort” To Spy on Liberated Iraq
The NSA’s surveillance against
Iraqis went far beyond cafe computers. Two years after President George W.
Bush’s infamous “Mission Accomplished” speech and a year after the Coalition
Provisional Authority handed over the reins to the Iraqi Interim Government,
the agency was trying to tap the nation’s communications — and enlist friendly
Iraqis and the new government to do likewise.
In a top-secret
SIDtoday report, an NSA “data acquisition lead” in Baghdad described “an
all-out effort to penetrate Iraqi networks using everything in the tool box of
the most sophisticated SIGINT agency in the world.” The “very forward-leaning
and aggressive” collection effort brought “our technology to bear at the
optimum access points” in the country. The identity of those access points is
hinted at by the list of people the NSA staffer met with as the “field rep on a
number of projects”: “Iraqi government personnel engaged in telecommunications
and IT issues for Iraq; small and medium sized Iraqi communications
contractors; the CEO’s and Chief Technical Officers of the major Iraqi
telecommunications service providers; [and] Iraqi cabinet level officials,”
among others.
Another
article confirmed the NSA was spying on Iraqi telecommunications,
describing a “dramatic drop” in information the agency collected from links
carrying mobile phone traffic between Fallujah and northern Baghdad and a
consequent gap in intelligence gathering. A team from the NSA and CIA was able
to restore the collection within two weeks by targeting microwave signals
carrying the traffic.
In addition to its own
electronic spying within Iraq, the NSA sought to rebuild the country’s ability
to spy on itself through another joint project with the CIA, along with GCHQ.
The Western intelligence entities would build a new Iraqi spy agency, dubbed
the Iraq SIGINT Element, according to another SIDtoday article. The Iraqi
SIGINT Element’s expertise would come, of course, from veterans of Saddam
Hussein’s regime; the NSA and GCHQ made a list of candidates “gleaned from
years of targeting the Iraqi civil and military SIGINT units,” SIDtoday
reported. The former targets were the new recruits. The CIA assisted in the
vetting process with polygraphers, psychologists, and background checks, and
the NSA trained the selected candidates on “how we do SIGINT.” The new
intelligence agents’ first assignment was to find communications of former
Saddam “elements” and insurgents in Baghdad. They went covertly into Baghdad
neighborhoods, which U.S. and U.K. forces were unable to do.
It was at the behest of the
director of central intelligence that the NSA “moved aggressively to help
[Iraq] establish and enhance their signals intelligence capabilities,” SIDtoday
reported
separately. A similar effort was underway in Afghanistan. “Both
relationships come with risks, but the overall benefit to U.S. objectives in
the region outweighs these risks,” wrote an NSA foreign affairs staff officer.
Targeting Bombers in Iraq
Mass surveillance efforts in
Iraq were part of a broader NSA effort to address the consequences of the
coalition’s victory over Saddam Hussein. Immediately after the Ba’athist
government fell to the invading forces in 2003, signals intelligence collection
on the regime ceased to exist. NSA staff, some of whom had been monitoring the
country for more than a decade, woke up to “no more audio cuts, no more
transcripts … no more product reports,” according to an
account in SIDtoday. One official wondered, “Will we lose resources because
of our success?” Postwar insurgency and sectarian strife ensured this was not
the case.
For example, an NSA team set
about thwarting detonation systems for bombs set by insurgents. The bombs,
known within the U.S. military as improvised explosive devices, were triggered
from a distance, often using high-powered cordless phone systems, in which a
common base station, controlled by a triggerman, connects to a cluster of
wireless handsets. The team devised a way to locate triggermen: Intercepting
and identifying security codes emitted by captured handsets. The codes,
intended to tether a handset to a particular base station, could then be used
to locate base stations, resulting in military targeting and “hopefully, the
IED makers neutralized,” SIDtoday
stated.
The NSA may have had a chance
to deploy this technique at the end of January 2005, when Iraq’s first
parliamentary elections took place. An article
in SIDtoday said that signals intelligence helped prevent 50 to 60 suicide
bombers from making it into polling centers. Still, 285 other insurgent attacks
occurred that day, and CNN reported
several incidents of suicide bombings that hit police officers and Iraqis
waiting to vote.
How British Spies Were Made To Atone for Bad Iraq Intel
In Iraq and elsewhere, the NSA
expanded the scope of its intelligence sharing to U.S. government “customers,”
as described in a
January 2005 article, in which an NSA staffer in Baghdad read a new sharing
guideline aloud to a hesitant colleague: “It’s OK to talk about, show and share
evaluated, minimized unpublished SIGINT to customers/partners in order to
facilitate analytic collaboration.”
Even amid the aggressive
intelligence sharing, the NSA was taking note of what could happen when such
sharing went terribly wrong. A
SIDtoday story about a British government inquiry into prewar
intelligence on Iraq, the Butler Review, describes how the U.K.’s signals
intelligence agency GCHQ was now required to provide “Intelligence Source
Descriptors” on all intel reports. This requirement came in response to the
finding that the British foreign spying agency, MI6, did not adequately check
human sources and relied on third-hand reporting about Iraqi chemical weapons,
including “seriously flawed” information from “another country’s intelligence service.”
The new British source
descriptors would include identification of sources by name or role along with
judgments on whether the source had direct or indirect access to the
information reported. The GCHQ descriptor would also indicate whether a source
is “reliable,” “unknown,” or “uncertain” as to reliability. “There are no plans
at present to use a like program on NSA reports,” SIDtoday reported.
Despite reporting on fallout
from the U.K. postwar review, SIDtoday did not cover a U.S. presidential commission
that prominently reported
in March 2005 on how the American intelligence community was “dead wrong” in
its prewar assessment of weapons of mass destruction in Iraq.
NSA Works with Hungary, Pakistan, Ethiopia — and an Eager Czech Republic
In parallel with its efforts
to share information with more U.S. government and intelligence agencies, the
NSA also forged connections with foreign partners whose collaboration would
have, in previous decades, seemed inconceivable.
In early 2005, the NSA entered
into a partnership with Hungary’s Military Intelligence Office, inviting the
spy agency to “work with NSA as part of our extended SIGINT enterprise,” according
to SIDtoday, and “write SIGINT reports for dissemination through the NSA
system to our intelligence community customers.” The partnership allowed the
NSA to tap into the Hungarian agency’s “unique access to Serbian and Ukrainian
military targets.”
A contemporaneous NSA visit to
the Czech Republic, as
described in SIDtoday, showed how such “third party” partnerships can come
to fruition. The trip was conducted to establish whether the NSA should partner
with the Czech External Intelligence Service, or ÚZSI, which wanted to tap NSA
expertise “on many technical issues.” In order to win over the Americans, spy
agency “personnel essentially opened the door to their SIGINT vault,”
displaying an “exceptional degree of openness.” The NSA team came away
impressed, judging ÚZSI “exceptionally good at analysis of material associated
with Russian [counterintelligence] targets,” and impressed with the agency’s “very
good analytic effort against Russian and Ukrainian HF networks” and “overall
levels of sophistication, knowledge, practical experience, ingenuity and
enthusiasm that allow them to overcome many financial and equipment
shortfalls.” Perhaps best of all, ÚZSI “has not requested financial support
from the NSA.” The Czech Republic eventually became
a third-party partner.
A March 2005
SIDtoday article, summarizing a briefing from the NSA’s principal director
for foreign affairs, alluded to agency “relationships” with Pakistan and
Ethiopia, “work” with Iraq (discussed elsewhere in this article) and
Afghanistan, and a “multinational collaboration in the Pacific.”
More generally, third parties
became vital at this time simply for providing additional staffing and
coverage. For instance, after the U.S. closed several bases, the NSA developed
a reliance on third-party partners to participate in High Frequency
Directional Finding networks for locating the origins of targeted radio
signals. And the U.S. partnered with Hungary’s military intelligence
organization in part because
it “has been instrumental in providing intelligence that answers high-priority
CIA and DIA (Defense Intelligence Agency) requirements that NSA would otherwise
not be able to answer due to manpower constraints.”
Intercept Backer Spoke at NSA Headquarters
Back in the U.S., the NSA’s
post-9/11 “transformation,” initiated by Director Michael Hayden, promoted
information sharing and collaboration to the traditionally closed community at
Fort Meade. Invitations to participate at agency seminars and conferences were
made not just to partners from the intelligence and military communities, but
also to members of private industry and academia.
An announcement
in SIDtoday for the third annual Analysis Conference from the NSA’s
Analysis and Production division proclaimed the need to “keep communications
open and leverage our partners’ insights.” Speakers at the May 2005 event, held
at agency headquarters, included authors, U.S. senators, corporate executives,
and journalists.
One “high-powered panel” at
the conference on “human networking” featured eBay founder Pierre Omidyar, who
would go on to provide funding for The Intercept, which covers and is
frequently critical of the NSA. A separate
SIDtoday article touting the panel indicated that corporate
anthropologist Karen Stephenson and Wired founding executive editor Kevin Kelly
also participated and that panelists were recruited through the Global Business
Network, a consulting firm specializing in scenario-based forecasting. The GBN
had been asked to harness its network of experts, “most of whom have had no
previous involvement with the intelligence community,” to apply strategies from
“the competitive marketplace” to NSA challenges.
Omidyar told The Intercept
that the GBN “asked me to participate in an unclassified meeting at NSA
headquarters at Fort Meade on the topic of ‘open source’ intelligence. My
recollection of the people I met there is that they were very smart and
genuinely interested in bringing outside ideas into the agency. I stayed
involved with the GBN for some time after that meeting but when they approached
me many months later to participate in additional meetings with the NSA, I
declined. The invitation was made after news broke in December 2005 about the
agency’s ‘warrantless wiretapping’ — and those events were deeply
concerning to me. In addition, I didn’t have anything else to add beyond
what I had already shared. I was not asked to meet with the NSA again after
declining that invitation.”
Omidyar said he was not paid
for his appearance.
Advanced Word on Indian Nuclear Weapons
A series of nuclear weapons
tests conducted by India in the spring of 1998 took the intelligence community
by surprise, prompting an internal investigation into why these tests had not
been foreseen; a subsequent
report was harshly critical of the U.S. intelligence community. A similar
lapse in data gathering would not happen again in 2005. An Australian NSA site,
RAINFALL, isolated a signal it suspected was associated with an Indian nuclear
facility, according
to SIDtoday. Collaboration between RAINFALL and two NSA stations in
Thailand (INDRA
and LEMONWOOD) confirmed the source of the signals and allowed for the
interception of information about several new Indian missile initiatives.
Although these missile systems did not come to public attention for several
more years (the Sagarika submarine-launched ballistic missile was first
tested in 2008), the NSA’s access to these signals gave them foreknowledge
of their Third
Party SIGINT partner’s (see last image) actions.
Attacking VPNs
An NSA working group focused
on virtual private networks, or VPNs, was established in November 2004 to
“conduct systematic and thorough SIGINT Development of VPN communications
(typically encrypted),” SIDtoday
reported — meaning that the agency wanted to break into the networks.
The group published regular “VPN Target Activity Reports” on a large number of
countries throughout Europe, the Middle East, North Africa, Russia, and China,
as well as “specific financial, governmental, communication service providers
and international organizations.” These reports may help analysts “exploit
targets’ VPNs more successfully.”
Women at the NSA
Sonia Kovalevsky Days take
place at schools and colleges nationwide, with competitions and talks to
encourage young women to pursue careers in mathematics. Although the events’
namesake was a radical socialist and pioneering female mathematician, members
of the NSA’s Women in Mathematics Society participated as part of the agency’s
effort to recruit more female mathematicians. The NSA believed
itself to be the largest employer of mathematicians in the country, but
between 1987 and 1993, only one of the 30 math Ph.D.s the agency hired
identified as a woman, and only 26 percent of women hired into the agency’s
mathematics community had an advanced degree, according
to SIDtoday. After the Women in Mathematics Society was formed, from 1994
through 2005, about 38 percent of women mathematicians hired into NSA had a
doctoral degree and 27 percent held a master’s degree.
Hold the Spam, Please
“Spam affects NSA by impeding
our collection, processing and storage of [Digital Network Intelligence]
traffic,” said the author of a February
2005 SIDtoday article. “Unfortunately, filtering out spam has proven to be
an extremely difficult and cumbersome task.” According to the author, analysts
developed technology that tagged “an average of 150,000 spam sessions a day,”
which greatly reduced the amount of spam that shows up in “daily searches” of
intercepted emails.