The third most important set of revelations from Snowden’s treasure trove of NSA documents came last week. Der Spiegel, the leading German newspaper, published a set of reports that show how networks and computers have been compromised by the NSA. This was complemented by Jacob Appelbaum’s address at the 30th Chaos Communication Congress in Hamburg, which brought out the range of methods that the NSA uses to take over and eavesdrop on networks and systems. What also stands out is the number of American companies that have such “backdoors” in their systems and equipment. The conclusions are inescapable: either American companies produce really poor hardware and software, or they are full partners in the US spying efforts.
The first set of Snowden revelations had nailed the Internet giants (Google, Microsoft, Yahoo, Facebook and others), who were allowing the NSA to read in real time every bit of communication that passed through their networks. All of them had built the next generation of cloud facilities, where data would be stored in the “cloud”, that is, in the massive arrays of servers these companies run in the US. Once it became clear that cloud means unrestricted NSA surveillance, as all such data comes under US law, the cloud has taken a beating. Brazil and now India have started talking about data being retained within the countries in which companies do business, a step which would sound the death knell for the cloud as a business model. The EU has already raised its privacy laws and the potential conflict over data of Europeans stored in the cloud. With this threat to their business model, the Internet majors have now come out in the open, asking the US government for permission to clarify the scale and extent of NSA surveillance, so that they can placate the angry users of the cloud.
The second set of revelations is regarding the telecom companies. This is the second pillar of the NSA’s mass surveillance. The data packets going over the telecom network can be tapped with the “assistance” of the telecom companies. The mass surveillance of telecom data is collated with the Internet companies’ data to work out who is talking to whom and what they are talking about. The NSA also tracks which websites and topics subjects are looking at. As the bulk of Internet traffic still passes through the US, this allows the US to duplicate and store all such communication. Appelbaum stated in his talk that this data is retained for a period of 15 years and can be searched at any time retrospectively.
From mass surveillance, we come to the Tailored Access Operations group (TAO), a new and rapidly expanding part of the NSA. Spiegel reports, “It (TAO) maintains its own covert network, infiltrates computers around the world and even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting.” In other words, apart from inserting rogue code on different machines and networks, it also takes control of machines in transit from the manufacturer or dealer to the target, and implants hardware and software into them. And such targets are not just individuals but governments and companies as well.
Make no mistake. TAO is not about surveillance alone; it is about targeting the machines and networks of any entity, and modifying either their software or even their hardware in order to take control of those machines. It is an offensive weapons unit: it attacks the computers and networks of others. It was such an attack on the Supervisory Control and Data Acquisition (SCADA) system of the Natanz fuel enrichment plant that took out 1,000 centrifuges. The principle is the same: implant rogue hardware or software and take control of the machines. And Spiegel makes clear that the targets are not just terrorists; they include agencies of friendly governments (Mexico), senior officials or politicians such as Angela Merkel and Dilma Rousseff, the Indian Mission to the UN, and companies such as Petrobras. The list goes on.
The list of equipment manufacturers in whose equipment the NSA has found security holes, or connived with their help to create such holes, is a who’s who of the computer industry. It includes computer manufacturers such as Dell and HP, Apple’s iPhone, iPad and Mac systems, and network routers from Juniper and Cisco. It is widely known that Android phones also have similar backdoors. All of them have issued bland denials: they do not work with the NSA to create backdoors. What some of them have added is quite interesting: they have said that they comply with the laws of the countries they operate in. Does it mean giving the NSA the encryption keys? Does it mean reporting to the NSA known security holes in their systems so that the NSA can use them?
The interesting part of the NSA’s laundry list of companies whose hardware it has broken into is that it includes Huawei, the Chinese network company. It now appears that the NSA also knows about security holes in Huawei’s network equipment and is able to use them to hack into private and public networks. Presumably, Huawei did not cooperate with the NSA on this, so it is possible that some of the other companies may be unknowing partners of the NSA as well. But the range of equipment and the scale of the security holes that the NSA uses would lead one to believe that American companies have been a part of the NSA’s mass surveillance schemes.
The list of network equipment that the NSA can take over raises some other questions. Snowden had mentioned earlier that the NSA takes over the giant routers that direct Internet traffic and has done so in China. Now we know how they have done so: all the networks use a combination of Cisco, Huawei and other suppliers’ equipment, all of which has been compromised by the NSA.
This also brings out another interesting question. Appelbaum says that when the NSA uses a computer to attack targets, the computer’s IP address is rarely in the US. In other words, either the NSA fudges the IP address (an IP address is the identification of your computer on the Internet in the same way as a phone number is the identifier on telecom networks) or it uses computers that it has taken control of but which are not in the US. Remember the huge campaign we had prior to Snowden’s revelations about the Chinese hacking the whole world, because China was found to be the major “originator” of such attacks? If what Appelbaum says is true, then we need to re-evaluate this data. It could as easily be the NSA masquerading as Chinese hackers.
The US has always pointed to the Chinese as dangerous because their electronics industry is largely owned by the Chinese government. We now learn that the US indeed knows how backdoors can be created in the hardware and systems of manufacturers: they have been doing it for years! From FedEx, which delivers the mail, to companies that produce computers and systems, the NSA has active partners that help subvert machines and networks. It is this knowledge of what they themselves are doing that prompted the attack on the Chinese. If there are backdoors in equipment, they must be the NSA’s and nobody else’s.
Some of the holes that the NSA has created are indeed extremely dangerous. On the 60 Minutes TV program, the NSA’s Information Assurance Director Debora Plunkett spoke about the threat of a BIOS implant (the BIOS being the part of the software that boots all the rest) and how the “malevolent” Chinese were hacking into it, endangering the whole world. If the BIOS is infected, no virus-checking software can uncover it. It now transpires that the BIOS threat really exists, but it comes from the NSA. It routinely infects the BIOS, making all measures against such malware irrelevant. Even if you change the hard disk or reformat it, your machine will still stay infected.
The kind of “gadgets” that the NSA has engineered are striking. They provide USB sticks that contain wireless communications and can be used to control or read from the machines. Smartphones have been “cracked”: the NSA uses implanted software to provide all the information in the phone to the NSA. It has a high-power wave generator that, from a distance, can bounce signals off your monitor and see what your monitor is displaying. Remember Snowden’s claim that the NSA can read your thoughts as you type them on your computer, which was pooh-poohed by “experts”? Well, we now know it is true.
Appelbaum said in his speech that if there are 10 ways to break into your computer, the NSA will find 13 ways to do so. The NSA’s motto is “collect it all”. It is pretty similar to what used to be the mercenaries’ motto in wars: “kill them all and let God sort it out”.
For countries such as India, we need to take a hard look at our policies. With the IT Agreement signed in the aftermath of the WTO Treaty, we reduced our duties on hardware to zero. The consequence has been the virtual wiping out of our indigenous electronics industry. The Department of Electronics and Information Technology, as well as the Department of Telecom, are now creating policies that will privilege indigenous manufacture. The problem with all of this is that the success of such policies depends on private capital or even multinational capital, and such policy goals hold no interest for them. Indeed, for many of these companies, an Indian hardware platform is against their corporate and country interests. If the Indian government truly believes that it needs indigenous manufacturing, and the recent revelations make clear why this is a strategic requirement, it needs to create public-sector capacity, with public investment, for Indian electronics manufacturing. Writing reams of well-meaning documents will not create an electronics manufacturing sector; public investment will. Remember ECIL? Without ECIL the Indian atomic energy programme would have failed. All the control systems in the nuclear plants have come from ECIL. ECIL indeed seeded the entire electronics and computer industry in the country. What we need today is a major effort to create similar companies that will be tasked with creating strategic electronics equipment, and that includes the telecom network. Whether we use Cisco’s or Huawei’s equipment, the questions are the same. There is no “safe” networking equipment unless you build it yourself. Even after that, we need to be cautious, as Huawei is discovering, but at least it would be a start.
For a serious discussion on security for the Indian network, we need to reboot these discussions. For too long, NASSCOM and FICCI have been pretending to be the Indian industry. The reality is that NASSCOM has been taken over by US Internet companies such as Google and Microsoft. FICCI’s telecom group is again led by foreign companies: AT&T, Vodafone, Yahoo and others. If we want a serious discussion, we have to remove foreign players from the core discussions on national security. Otherwise, we may as well invite the NSA (or the Chinese) to formulate our cyber security policies.