WASHINGTON — The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.
While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.
The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, the signals are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.
The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.
The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level.
Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property. But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.”
“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”
No Domestic Use Seen
There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States. While refusing to comment on the scope of the Quantum program, the N.S.A. said its actions were not comparable to China’s.
“N.S.A.'s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements,” Vanee Vines, an agency spokeswoman, said in a statement. “We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — U.S. companies to enhance their international competitiveness or increase their bottom line.”
Over the past two months, parts of the program have been disclosed in documents from the trove leaked by Edward J. Snowden, the former N.S.A. contractor. A Dutch newspaper published the map of areas where the United States has inserted spy software, sometimes in cooperation with local authorities, often covertly. Der Spiegel, a German newsmagazine, published the N.S.A.'s catalog of hardware products that can secretly transmit and receive digital signals from computers, a program called ANT. The New York Times withheld some of those details, at the request of American intelligence officials, when it reported, in the summer of 2012, on American cyberattacks on Iran.
President Obama is scheduled to announce on Friday what recommendations he is accepting from an advisory panel on changing N.S.A. practices. The panel agreed with Silicon Valley executives that some of the techniques developed by the agency to find flaws in computer systems undermine global confidence in a range of American-made information products like laptop computers and cloud services.
Embracing Silicon Valley’s critique of the N.S.A., the panel has recommended banning, except in extreme cases, the N.S.A. practice of exploiting flaws in common software to aid in American surveillance and cyberattacks. It also called for an end to government efforts to weaken publicly available encryption systems, and said the government should never develop secret ways into computer systems to exploit them, which sometimes include software implants.
Richard A. Clarke, an official in the Clinton and Bush administrations who served as one of the five members of the advisory panel, explained the group’s reasoning in an email last week, saying that “it is more important that we defend ourselves than that we attack others.”
“Holes in encryption software would be more of a risk to us than a benefit,” he said, adding: “If we can find the vulnerability, so can others. It’s more important that we protect our power grid than that we get into China’s.”
From the earliest days of the Internet, the N.S.A. had little trouble monitoring traffic because a vast majority of messages and searches were moved through servers on American soil. As the Internet expanded, so did the N.S.A.'s efforts to understand its geography. A program named Treasure Map tried to identify nearly every node and corner of the web, so that any computer or mobile device that touched it could be located.
A 2008 map, part of the Snowden trove, notes 20 programs to gain access to big fiber-optic cables — it calls them “covert, clandestine or cooperative large accesses” — not only in the United States but also in places like Hong Kong, Indonesia and the Middle East. The same map indicates that the United States had already conducted “more than 50,000 worldwide implants,” and a more recent budget document said that by the end of last year that figure would rise to about 85,000. A senior official, who spoke on the condition of anonymity, said the actual figure was most likely closer to 100,000.
That map suggests how the United States was able to speed ahead with implanting malicious software on the computers around the world that it most wanted to monitor — or disable before they could be used to launch a cyberattack.
A Focus on Defense
In interviews, officials and experts said that a vast majority of such implants are intended only for surveillance and serve as an early warning system for cyberattacks directed at the United States.
“How do you ensure that Cyber Command people” are able to look at “those that are attacking us?” a senior official, who compared it to submarine warfare, asked in an interview several months ago.
“That is what the submarines do all the time,” said the official, speaking on the condition of anonymity to describe policy. “They track the adversary submarines.” In cyberspace, he said, the United States tries “to silently track the adversaries while they’re trying to silently track you.”
If tracking subs was a Cold War cat-and-mouse game with the Soviets, tracking malware is a pursuit played most aggressively with the Chinese. The United States has targeted Unit 61398, the Shanghai-based Chinese Army unit believed to be responsible for many of the biggest cyberattacks on the United States, in an effort to see attacks being prepared. With Australia’s help, one N.S.A. document suggests, the United States has also focused on another specific Chinese Army unit.
Documents obtained by Mr. Snowden indicate that the United States has set up two data centers in China — perhaps through front companies — from which it can insert malware into computers. When the Chinese place surveillance software on American computer systems — and they have, on systems like those at the Pentagon and at The Times — the United States usually regards it as a potentially hostile act, a possible prelude to an attack. Mr. Obama laid out America’s complaints about those practices to President Xi Jinping of China in a long session at a summit meeting in California last June.
At that session, Mr. Obama tried to differentiate between conducting surveillance for national security — which the United States argues is legitimate — and conducting it to steal intellectual property.
“The argument is not working,” said Peter W. Singer of the Brookings Institution, a co-author of a new book called “Cybersecurity and Cyberwar.” “To the Chinese, gaining economic advantage is part of national security. And the Snowden revelations have taken a lot of the pressure off” the Chinese. Still, the United States has banned the sale of computer servers from a major Chinese manufacturer, Huawei, for fear that they could contain technology to penetrate American networks.
An Old Technology
The N.S.A.'s efforts to reach computers unconnected to a network have relied on a century-old technology updated for modern times: radio transmissions.
In a catalog produced by the agency that was part of the Snowden documents released in Europe, there are page after page of devices using technology that would have brought a smile to Q, James Bond’s technology supplier.
One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.
A relay station called Nightstand fits in an oversize briefcase; the catalog describes it as a wireless (802.11) packet-injection tool that can attack a computer “from as far away as eight miles under ideal environmental conditions.” Because it can insert packets of data in milliseconds, a false message or piece of programming can outrace a real one to a target computer: the first packet to arrive for a given position in the data stream is the one the machine accepts, and the genuine packet that follows is discarded as a duplicate. Similar stations create a link between the target computers and the N.S.A., even if the machines are isolated from the Internet.
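The racing behaviour described above, as an added example that is not code from the article or from the N.S.A. catalog: a simplified model of a client that keeps the first segment it sees for each sequence number, the injection race run against it in both orders, and a capture check that flags two segments sharing a flow and sequence number but carrying different payloads. The TTL comparison is an added heuristic of the editor's (a forged packet injected from a relay near the target usually travels a different path than the real server's reply), not something the article states; the addresses, TTLs and payloads are constructed.

```python
"""Packet-injection race and a capture check (added example, constructed data).

Simplified model: not the N.S.A.'s code and not real TCP. It shows why the
first-arriving segment wins and how a defender can spot the loser.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    """A TCP-like data segment: flow endpoints, sequence number, payload, IP TTL."""
    src: str
    dst: str
    seq: int
    payload: bytes
    ttl: int


@dataclass
class Receiver:
    """Client-side reassembly: the first segment seen for a sequence number is
    kept; later copies with the same seq are treated as retransmissions and
    dropped. This first-arrival rule is what an injection race exploits."""
    accepted: dict = field(default_factory=dict)

    def deliver(self, seg: Segment) -> bool:
        if seg.seq in self.accepted:
            return False          # duplicate seq: silently discarded
        self.accepted[seg.seq] = seg.payload
        return True

    def stream(self) -> bytes:
        return b"".join(p for _, p in sorted(self.accepted.items()))


def race(legit: Segment, injected: Segment, injected_first: bool) -> bytes:
    """Deliver both segments in the given order; return what the client keeps."""
    rx = Receiver()
    for seg in ([injected, legit] if injected_first else [legit, injected]):
        rx.deliver(seg)
    return rx.stream()


def find_injection_candidates(capture: list) -> list:
    """Flag flows where two segments share (src, dst, seq) but differ in payload.
    A genuine retransmission repeats the same bytes; a spoofed segment racing
    the real one does not. A differing TTL is reported as a secondary hint
    (editor's assumption: the forged packet took a different network path)."""
    first_seen = {}
    alerts = []
    for seg in capture:
        key = (seg.src, seg.dst, seg.seq)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = seg
        elif prev.payload != seg.payload:
            alerts.append({
                "flow": key,
                "ttl_first": prev.ttl,
                "ttl_second": seg.ttl,
                "ttl_mismatch": prev.ttl != seg.ttl,
            })
    return alerts


# Constructed traffic: a server (203.0.113.10) answering a client (192.0.2.5).
REAL = Segment("203.0.113.10", "192.0.2.5", 1000,
               b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>", ttl=52)
# The forged answer reuses the same seq but redirects the client elsewhere;
# its TTL differs because it was injected from a different network position.
FAKE = Segment("203.0.113.10", "192.0.2.5", 1000,
               b"HTTP/1.1 302 Found\r\nLocation: http://attacker.invalid/\r\n\r\n",
               ttl=61)
# A benign retransmission of an unrelated segment: same bytes, must not alert.
RETRANS = Segment("203.0.113.10", "192.0.2.5", 2000, b"more data", ttl=52)

CAPTURE = [FAKE, REAL, RETRANS, RETRANS]


if __name__ == "__main__":
    print(race(REAL, FAKE, injected_first=True))    # client keeps the forged 302
    print(race(REAL, FAKE, injected_first=False))   # legitimate answer wins
    print(find_injection_candidates(CAPTURE))       # one alert, for seq 1000
```

The check only works if the capture is taken where both copies are visible, which for a race against a client means on or near the client side of the network; a sensor beyond the injection point never sees the forged segment. Matching on payload rather than on TTL alone keeps ordinary retransmissions out of the alert list.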
Computers are not the only targets. Dropoutjeep attacks iPhones. Other hardware and software are designed to infect large network servers, including those made by the Chinese.
Most of those code names and products are now at least five years old, and they have been updated, some experts say, to make the United States less dependent on physically getting hardware into adversaries’ computer systems.
The N.S.A. refused to talk about the documents that contained these descriptions, even after they were published in Europe.
“Continuous and selective publication of specific techniques and tools used by N.S.A. to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies,” Ms. Vines, the N.S.A. spokeswoman, said.
But the Iranians and others discovered some of those techniques years ago. The hardware in the N.S.A.'s catalog was crucial in the cyberattacks on Iran’s nuclear facilities, code-named Olympic Games, that began around 2008 and proceeded through the summer of 2010, when a technical error revealed the attack software, later called Stuxnet. That was the first major test of the technology.
One feature of the Stuxnet attack was that the technology the United States slipped into Iran’s nuclear enrichment plant at Natanz was able to map how it operated, then “phone home” the details. Later, that equipment was used to insert malware that blew up nearly 1,000 centrifuges, and temporarily set back Iran’s program.
But the Stuxnet strike does not appear to be the last time the technology was used in Iran. In 2012, a unit of the Islamic Revolutionary Guards Corps moved a rock near the country’s underground Fordo nuclear enrichment plant. The rock exploded and spewed broken circuit boards that the Iranian news media described as “the remains of a device capable of intercepting data from computers at the plant.” The origins of that device have never been determined.
On Sunday, according to the semiofficial Fars news agency, Iran’s Oil Ministry issued another warning about possible cyberattacks, describing a series of defenses it was erecting — and making no mention of what are suspected of being its own attacks on Saudi Arabia’s largest oil producer.