19 December 2014

Espionage in the Cyber Era

2/2/2014

The Edward Snowden affair delivered a serious blow to the NSA. What lessons may be learned? Hannan Gefen, former Commander of IDF Intelligence Unit 8200, in an exclusive article.

The computer system of the US National Security Agency (NSA) is probably one of the world’s most heavily protected sites. The databases of this agency store the most sensitive intelligence information collected by this huge intelligence organization all over the world. The NSA has been familiar with the cyber world since its very inception and was a partner in the shaping of many of its rules, mainly in order to safeguard the state’s abilities to monitor communication traffic, when required, and prevent hostile elements from hiding inside the information jungle. 

This organization has been exposed to the most substantial and most damaging cyber break-in any organization could have been exposed to. The damage was caused neither by a ‘Trojan Horse’ nor by any other state-of-the-art technology, nor by a sophisticated team of hackers, but by a single person, and to add insult to injury – that person was an outside contractor hired to carry out a seemingly technical mission of operating some of the agency’s non-mission computer systems, a kind of “transparent, back-office” type of person.

The NSA operates under severe compartmentalization of all intelligence materials, developed methodically and through considerable effort, by the book. The agency’s access authorization and document classification table is strictly enforced and observed. This system had not been applied, however, to the collection plans, cooperative alliances with organizations around the world and other administrative aspects that pertain to the management and collection of information. Those aspects were readily accessible to a technical administrator of computer systems who, in his free time, over a relatively short period of three months working at the NSA, managed to store on magnetic media thousands of documents and classified professional presentations and submit them to the media.

This is not the only case where computer systems were broken into by a human element. The case of US Army Corporal Manning is very similar: a soldier serving with US military intelligence, holding legitimate authorizations, stored a wide range of intelligence material and eventually released it to the public. The damage he caused was massive; it had an adverse effect on US relations with numerous countries, it exposed active field agents and may have initiated change-of-government processes in several countries.

In Israel, IDF soldier Anat Kam reminded us of the human factor as the weakest link in the protection of computer systems. By examining the materials leaked by Snowden, it is possible to chart the deployment of the American and world SigInt community vis-à-vis the challenges presented to it by today’s state-of-the-art computer and communication systems, or in the IDF jargon – C3 systems.

The communication revolution cliché is more relevant to this field than to any other related subject. In the past, until about twenty years ago, C3 systems were divided into two categories: civilian stationary communication systems and military dedicated stationary and mobile systems. Computer systems were ‘closed’ systems that were not connected to any external communication network. 

This division had existed since before World War II and throughout the Cold War. The monitoring layouts of the internal security organs (police, security services) and military organizations were divided accordingly. The military systems were regarded as the higher value systems and the entire military hierarchy was managed through them, including the planning and actual conduct of operations. Civilian systems were regarded as inferior in terms of their intelligence value. The change began when the Cold War ended. 

Since the 1990s, we have witnessed a series of communication revolutions that followed one another in waves at three-year or four-year intervals, with the new one replacing the previous one or with sequential revolutions establishing synergies that empower one another. 

The infrastructure revolutions took place during the first half of the 1990s. The PC revolution decentralized computing capabilities from the center to the end units and opened the door for many applications that could be developed quickly and adjusted promptly. At the same time, the developer and user community grew considerably. The PC networks were the fertile ground on which the subsequent Internet networks developed. The cellular revolution liberated communication from the chains of the locus and converted the radio transceiver into a personal device. 

The Internet Protocol (IP, as it is more commonly known) links home computers and other computer systems to a flexible global network that replaced the limited-connectivity protocols of Local Area Networks.

These developments led to the applications that were designed for the new infrastructure. Cellular networks now offered data communication capabilities, beginning with basic SMS, then Internet connection, photography and location-dependent applications. In this way, the entire communication a person or an organization required could be managed through a single device, anywhere around the world, independently of any local communication system, on the move or in a stationary position. In military terms, this was a mobile forward command post.

The emergence of smartphones combined the infrastructure systems, the computer, the telephone and the data communication capability. They were followed by the various social networks that established user communities with prompt communication options and rich contents. 

All of these revolutions presented substantial challenges to the intelligence organizations, as terrorism and criminal organizations were the first elements that took advantage of the changes in the realm of communication. 

Cybernetic Terrorism 

The terrorist organizations that operated between countries took advantage of the sophisticated network that cannot be monitored effectively by the traditional monitoring mechanisms of the state. Many terrorist cells succeeded in implementing border-crossing operations using the new global network. The intelligence services responded slowly to the new challenge, always acting after the event. 

The turning point was the combined attack by Al-Qaeda against US government and finance targets, which caught the American government completely by surprise and shocked the American public and institutions. The complex command system that made this combined attack possible was conducted through satellite phones and the Internet from a cave in Afghanistan. Other operations of a smaller scale were performed in other Asian and European capitals, and the effect was similar – public bewilderment and confusion. 

The challenges, from the perspective of the intelligence professional, were identical: short-term, unclear and unfocused warning of an imminent terrorist activity by an unknown and unidentified party. The task facing the intelligence organizations was to establish a system that would effectively intercept this type of terrorist activity. 

Coping with the Challenge 

How do you deal with undefined entities, devoid of a permanent structure, constantly-changing and unpredictable? How do you cope with a massive amount of communication traffic that keeps growing at an alarming rate? How do you connect all of the communication appearances of an objective that can pop up in a telephone conversation, an SMS message, Skype communication, electronic mail and so forth? Finally, how do you differentiate between communication traffic you can monitor and invasion of privacy? In all of these situations, the data had not existed in the context of the “old world” of intelligence gathering. 

The documents Snowden released to the world describe the deployment of the NSA. The solution, as far as they were concerned, was based on the tools the new communication world offered. The essence of the program, as revealed in the Snowden documents, was long-term collection and storage of all of the communication traffic you could lay your hands on, with no filtration. As modern communication systems cross oceans and continents, the assistance of partners was required, especially in Europe and Australia.

The US intelligence community led this cooperation system. It consisted of three circles of alliances: at the center stood the treaty of five, which maintained an almost perfectly transparent system of reciprocal connections: the US, the UK, Canada, Australia and New Zealand. The other circles included the European countries, headed by Germany and France. 

The accumulation of all of that communication traffic (for example, sources in Spain claimed that the NSA had recorded about 60 million conversations by Spaniards each month) was made possible as all of the countries involved enacted statutes that forced communication vendors to provide local police and security organizations with access to the information transmitted to and through them. The countries involved compelled the communication services to keep, for a predetermined period of time, all of the details of the various communications and enable the retrieval thereof by a court order. 

The data communication was stored as is for the periods of time prescribed by law. The staggering amount of voice communication traffic, on the other hand, was stored as a Metadata pool which contains all of the details of each contact – who called whom, conversation start time and duration – but not the contents of the conversation itself. 

The world SIGINT community had established, in effect, a global cloud base of sorts, which could be accessed for intelligence work purposes. Now the work could be completed by creating the tools that would help find the needle in this massive haystack. Here, search and attribution mechanisms, known key words and codes, charting of links and relations between individuals, changes in traffic volumes, links between states and numerous other manipulations of the Big Data pool, according to the imagination and creativity of the intelligence personnel, were combined in order to identify examples of activities that should be monitored and tracked. 

As stated, all of this was revealed to the world by Edward Snowden, a contractor who did not have high security authorizations, but still managed to extract, on magnetic media, mountains of highly classified and extremely sensitive material – a simple and very effective cyber attack. 

Where were the alert mechanisms designed to warn of the connection of the unauthorized magnetic media devices? How did it happen that not a single red light blinked over the course of the three months during which Snowden downloaded that material? All of these questions are still being investigated by the most senior echelons of the NSA.
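The "red light" the article asks about can be a simple rule over endpoint logs: flag any removable device whose serial is not on the organization's issued list, and flag any user whose copies to removable media exceed a volume threshold within a time window. The following is an added example, not the NSA's or the author's code; the log format, device serials, user names and threshold are constructed assumptions.

```python
# Added example: alerting on unauthorized removable media and bulk copies.
# Log format, serials, users and threshold below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: serials of media issued and approved by the organization.
AUTHORIZED_SERIALS = {"ORG-USB-0001", "ORG-USB-0002"}
BULK_COPY_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MB within WINDOW
WINDOW = timedelta(days=1)

# Constructed endpoint-agent log lines: "<timestamp> <user> <event> key=value ..."
SAMPLE_LOG = """\
2013-05-01T08:02:11 analyst1 USB_CONNECT serial=ORG-USB-0001
2013-05-01T08:05:40 analyst1 FILE_COPY dest=removable bytes=10485760
2013-05-02T22:14:03 contractor7 USB_CONNECT serial=XYZ-9999
2013-05-02T22:20:17 contractor7 FILE_COPY dest=removable bytes=314572800
2013-05-02T23:01:55 contractor7 FILE_COPY dest=removable bytes=314572800
2013-05-03T09:00:00 analyst1 FILE_COPY dest=removable bytes=1048576
"""

def parse_line(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), user, event, kv

def find_alerts(log_text):
    """Return alert strings for unauthorized devices and bulk copies to removable media."""
    alerts = []
    copies = defaultdict(list)   # user -> [(timestamp, bytes)] seen within WINDOW
    for line in log_text.splitlines():
        ts, user, event, kv = parse_line(line)
        if event == "USB_CONNECT" and kv.get("serial") not in AUTHORIZED_SERIALS:
            alerts.append(f"{ts.isoformat()} {user}: unauthorized device {kv.get('serial')}")
        elif event == "FILE_COPY" and kv.get("dest") == "removable":
            size = int(kv.get("bytes", 0))
            # Keep only copies inside the sliding window, then add the current one.
            recent = [(t, b) for t, b in copies[user] if ts - t <= WINDOW]
            recent.append((ts, size))
            copies[user] = recent
            total = sum(b for _, b in recent)
            if total > BULK_COPY_THRESHOLD_BYTES:
                alerts.append(f"{ts.isoformat()} {user}: {total} bytes to removable media within {WINDOW}")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed log the rule raises two alerts for contractor7 (an unlisted device, then a cumulative copy above the threshold) and none for analyst1, whose two copies fall outside a single window.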
