@War: The Rise of the Military-Internet Complex (21 page)

 

Undoubtedly, they'll find a ready supply of talent willing and able to do the job. A survey of 181 attendees at the 2012 Black Hat USA conference in Las Vegas found that 36 percent of “information security professionals” said they'd engaged in retaliatory hack-backs.
That's still a minority of the profession, though one presumes that some of the respondents weren't being honest. But even those security companies that won't engage in hack-backs have the skills and the know-how to launch a private cyber war.

A former NSA official says that in his estimation, the best private security firms today are run by former “siginters,” and are using not just electronic intelligence but also human sources. From their NSA days, they learned to follow trends and conversations in Internet chat channels frequented by hackers, and how to pose as would-be criminals looking to buy malicious software.

One private security executive says some of the best intelligence on new kinds of malware, hacking techniques, and targets comes, not surprisingly, from the biggest source of spying and theft against the United States—China. Rick Howard, who before he became a private cyber sleuth ran the army's Computer Emergency Response Team, says he stayed in regular contact with hackers and cyber weapons dealers in China when he was in charge of intelligence for iDefense, a private security firm.
His sources told iDefense what was the latest malware on the street—as in the United States, it was sold through gray markets—who the major players were, and what targets were on the hackers' lists. Hacking is a human business, after all.

Until 2013, Howard was the chief information security officer for TASC, a large security firm that runs its own “cybersecurity operations center.” TASC is located on a sprawling office campus in Chantilly, Virginia, near the corridor of tech companies that has made Washington one of the richest metropolitan areas in the United States. TASC's offices, spread out over three buildings, resemble an NSA installation. The halls are lined with doors marked “Classified,” and the entrances are protected by keypad locks and card scanners. Stepping inside those secure rooms, you would find it hard to know for sure if you were in Chantilly or Fort Meade.

Many former NSA hackers aren't afraid to talk about their time in the government. In fact, they publicize it. Brendan Conlon, who worked in the elite TAO group, founded a cyber security company called Vahna, according to his LinkedIn profile, “after 10 years of Offensive Computer Network Operations with the National Security Agency.” Conlon began his career developing software implants, then moved on to TAO, where he was chief of the Hawaii unit. He also worked in the NSA's hunting division, which is devoted to tracking Chinese hackers. A graduate of the Naval Academy, he served with the NSA three times in Afghanistan and worked on hacking missions with the CIA. Vahna touts its employees' “years of experience inside the intelligence and defense cyber communities” and claims to have “unparalleled capabilities to assess vulnerability in your information security, mitigate risk across your technology footprint, and provide tactical incident response to security breaches.” In other words, all the things that Conlon was trained to do for the NSA, he can now do for corporations.

 

Over the past several years, large defense contractors have been gobbling up smaller technology firms and boutique cyber security outfits, acquiring their personnel, their proprietary software, and their contracts with intelligence agencies, the military, and corporations. In 2010, Raytheon, one of the largest US defense contractors, agreed to pay $490 million for Applied Signal Technology, a cyber security firm with military and government clients. The price tag, while objectively large, was a relative pittance for Raytheon, which had sales the prior year totaling $25 billion. In 2013 the network-equipment giant Cisco agreed to buy Sourcefire for $2.7 billion in cash, in a transaction that reflected what the
New York Times
called “the growing fervor” for companies that defend other companies from cyber attacks and espionage. After the acquisition was announced, a former military intelligence officer said he was astounded that Cisco had paid so much money for a company whose flagship product is built on an open-source intrusion detection system called Snort, which anyone can use. It was a sign of just how valuable cyber security expertise had become—either that or a massive bubble in the market, the former officer said.

But the companies are betting on a sure thing—government spending on cyber security. The Pentagon cyber security budget for 2014 is $4.7 billion, a $1 billion increase over the previous year. The military is no longer buying expensive missile systems. With the advent of drone aircraft, many executives believe the current generation of fighter aircraft will be the last ones built to be flown by humans. Spending has plummeted on the big-ticket weapons systems that kept Beltway contractors flush throughout the Cold War, so they're pivoting to the booming cyber market.

SEVEN

T
HE SPYWARE WAS
a triumph of engineering and cunning. It sat unnoticed on its victim's computer and recorded everything he typed. E-mails. Documents. But what it was really after was a password. One in particular—the phrase or series of letters and numbers that the victim used to start an encryption program called Pretty Good Privacy. As encryption programs went, PGP was easy for a layperson to use. It could be downloaded from the Internet, and it afforded a level of security that had previously been available only to government agents and spies. Now, with a few clicks and a password, anyone could turn one's own communications into indecipherable gobbledygook that could be unscrambled only by the intended recipient. The spyware, though, captured that password and sent it back to its master, who could then decode the encrypted messages that the victim believed were private. The designers chose an apt name for their creation, which shined a light into a previously dark space—Magic Lantern.

The creators of this malware weren't Chinese hackers. They weren't identity thieves in Russia. They were employees of the US Federal Bureau of Investigation. And they worked for one of the most secretive and technologically sophisticated operations in the entire bureau, one that, today, is the National Security Agency's indispensable partner in cyber spying and warfare.

It's called the Data Intercept Technology Unit, but insiders refer to it as the DITU (pronounced “DIH-too.”)
It's the FBI's equivalent of the NSA, a signals intelligence operation that has barely been covered in the press and mentioned in congressional testimony only a few times in the past fifteen years. The DITU is located on a large compound at the Marine Corps base in Quantico, Virginia, which is also home to the FBI's training academy. The DITU intercepts telephone calls and e-mails of terrorists and spies from inside the United States. When the NSA wants to gather mounds of information from Google, Facebook, Yahoo, and other technology giants, DITU is sent to retrieve it. The unit maintains the technological infrastructure for the agency's Prism program, which collects personal information from the large tech companies. In fact, it's the DITU's job to make sure that all American companies are building their networks and software applications in a way that complies with US surveillance law, so they can be easily tapped by the government. And if they're not, the DITU will construct a bespoke surveillance device and do it for them.

The NSA couldn't do its job without the DITU. The unit works closely with the biggest American telecommunications companies—AT&T, Verizon, and Sprint. “The DITU is the main interface with providers on the national security side,” says a technology industry representative who has worked with the unit on many occasions. It ensures that telephone and Internet communications can easily be siphoned off the massive network of fiber-optic cables those companies run. In recent years, it has helped construct a data-filtering software program that the FBI wants installed on phone and Internet networks, so that the government can collect even larger volumes of data than in the past, including routing information for e-mails, data on traffic flow, Internet addresses, and port numbers, which handle incoming and outgoing communications and can detect what applications and operating system a computer is running.

Magic Lantern was one of the unit's early triumphs. Developed in the late 1990s, it was a companion to the better-known e-mail-mining program Carnivore, which stripped the header information—the “to,” “from,” and date lines—out of an e-mail so that investigators could piece together members of a criminal network by their communications patterns. Both devices, along with other spying programs with names such as CoolMiner, Packeteer, and Phiple Troenix, were developed to help the bureau snare drug dealers, terrorists, and child-porn peddlers. But when Carnivore was revealed in news reports, it became synonymous with Big Brother–style government surveillance, and civil liberties groups said the FBI's efforts would undermine encryption for legitimate purposes, such as protecting financial data and patient privacy. The same arguments echoed more than a decade later, when the NSA was revealed to be secretly handicapping encryption algorithms.

The FBI's cyber spying programs began years before the 9/11 attacks and any attempts by the NSA to broaden its surveillance nets to cover the United States. FBI agents have been in the domestic cyber spying business for longer than their friends at Fort Meade. And today they are physically joined in those efforts. A fiber-optic connection runs between Quantico and NSA headquarters, so that the information the DITU collects from companies can be instantly transferred. FBI agents and lawyers from the Justice Department review the NSA's requests to gather e-mails from Google or monitor Facebook posts. They represent the agency before the secret Foreign Intelligence Surveillance Court, which also reviews requests to spy on Americans. It was the FBI that petitioned the court to order telephone companies to give the NSA records of all calls placed in the United States. When journalists and lawmakers say that the NSA “spies on Americans,” what they really mean is that the FBI helps them do it, providing a technical and legal infrastructure for domestic intelligence operations. Having the DITU act as a conduit also gives technology companies the ability to say publicly that they do not provide any information about their customers directly to the NSA. And that's true. They give it to the DITU, which then passes it to the NSA.

The NSA is the biggest user of the DITU. But the unit is no mere errand boy. Along with other FBI cyber and surveillance groups, it conducts some of the government's most sophisticated intelligence programs. At the FBI Academy in Quantico, the DITU shares space with the bureau's Operational Technology Division, which is responsible for all FBI technical intelligence collection, processing, and reporting. Its motto is “Vigilance Through Technology.” Among the division's publicly disclosed capabilities are surveillance of landline, wireless, and computer network communications technologies, including e-mail applications, switches, and routers; collecting audio files, video, images, and other digital evidence to use in investigations; and counter-encryption. It also specializes in black-bag jobs to install surveillance equipment and computer viruses. The DITU has negotiated with major US technology companies to get privileged access to their systems. For instance, on behalf of the NSA, it worked with Microsoft to ensure that a new feature in Outlook that allowed users to create e-mail aliases would not pose an obstacle to surveillance. The arrangement helped the government circumvent Microsoft's encryption and ensure that Outlook messages could be read by government analysts.

 

The FBI has been in the cyber hunting business since long before it became a national security priority. The first instances of FBI hacking were conducted under a program called Cyber Knight—that's when the bureau built the Magic Lantern spyware. FBI technologists built “beacons,” or programs that can be implanted in an e-mail and used to locate a computer's Internet address. The first beacons were deployed to help find abducted children. When a kidnapper contacted the parents of a child—usually the kidnapper's own ex-spouse or partner—an FBI agent would write back. And when the kidnapper opened that e-mail, the beacon went off. It might not lead agents straight to the kidnapper's doorstep, but it would tell them, at least, where the kidnapper was when the message was sent. That was a golden lead. (These beacons were an early form of the technology used to map out the networks of the Natanz nuclear facility.)

The FBI also used beacons to track child pornographers. And it planted viruses and other spyware on their computers and tagged photos of children so they could be tracked from person to person. The agents were collecting evidence for a criminal prosecution, but they were also trying to learn how child-porn peddlers shared photos. In that respect, it was an intelligence-gathering operation.

Under US law, the FBI is in charge of investigating all cybercrime, espionage, and attacks inside the United States. The bureau runs the National Cyber Investigative Joint Task Force, which was set up by presidential directive and whose members include the Secret Service, the CIA, and the NSA. In addition to cyber spies and infrastructure probes, the task force has monitored financial crime and online scams, so-called hacktivist groups that target businesses and government agencies in protest campaigns, as well as insider threats, such as government employees who leak to journalists.

Normally, it's the FBI's job to collect evidence for use in criminal prosecutions. But when it comes to cyber security, the FBI has moved away from that law enforcement mission and is acting more like an intelligence agency. It's less concerned with taking hackers to court than in forecasting and deterring future attacks.

“The bureau tends to be focused on collecting intelligence and passing it on to the NSA, the intelligence community, and the Defense Department,” says a senior law enforcement official who works on cyber investigations involving domestic and international crimes, including bank fraud and child pornography.
“The FBI is not driving toward prosecution, generally speaking.” The official says that in recent years, the FBI has shifted many of its personnel who were working on counterterrorism cases toward cyber security, which it now lists as a top “national investigative priority,” ahead of white collar crime, public corruption, and civil rights enforcement. (The number of counterterrorism and counterintelligence employees—which the bureau groups together—was already high: nearly thirteen thousand in 2013. The number of counterterrorism agents doubled between 2001 and 2009.
The rise coincided with a sharp decline in the number of criminal prosecutions for non-terrorism cases, particularly white collar and financial crime. The FBI was faulted for not doing enough to investigate mortgage and securities fraud in the run-up to the financial crisis of 2008.)