The Digital Arms Race: NSA Preps America for Future Battle
The NSA's mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars -- a struggle for control of the Internet that is already well underway.
An intern's tasks might also include remotely destroying the functionality of hard drives. Ultimately, the goal of the internship program was "developing an attacker's mindset."
The internship listing is eight years old, but the attacker's mindset has since become a kind of doctrine for the NSA's data spies. And the intelligence service isn't just trying to achieve mass surveillance of Internet communication, either. The digital spies of the Five Eyes alliance -- comprised of the United States, Britain, Canada, Australia and New Zealand -- want more.
The Birth of D Weapons
According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.
During the 20th century, scientists developed so-called ABC weapons -- atomic, biological and chemical. It took decades before their deployment could be regulated and, at least partly, outlawed. New digital weapons have now been developed for the war on the Internet. But there are almost no international conventions or supervisory authorities for these D weapons, and the only law that applies is the survival of the fittest.
Canadian media theorist Marshall McLuhan foresaw these developments decades ago. In 1970, he wrote, "World War III is a guerrilla information war with no division between military and civilian participation." That's precisely the reality that spies are preparing for today.
The US Army, Navy, Marines and Air Force have already established their own cyber forces, but it is the NSA, also officially a military agency, that is taking the lead. It's no coincidence that the director of the NSA also serves as the head of the US Cyber Command. The country's leading data spy, Admiral Michael Rogers, is also its chief cyber warrior and his close to 40,000 employees are responsible for both digital spying and destructive network attacks.
Surveillance only 'Phase 0'
From a military perspective, surveillance of the Internet is merely "Phase 0" in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows. They show that the aim of the surveillance is to detect vulnerabilities in enemy systems. Once "stealthy implants" have been placed to infiltrate enemy systems, thus allowing "permanent accesses," then Phase Three has been achieved -- a phase headed by the word "dominate" in the documents. This enables them to "control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0)." Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is "real time controlled escalation".
One NSA presentation proclaims that "the next major conflict will start in cyberspace." To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for "unconventional solutions" alone.
NSA Docs on Network Attacks and Exploitation
- Excerpt from the secret NSA budget on computer network operations / Code word GENIE
- Document about the expansion of the Remote Operations Center (ROC) on endpoint operations
- Document explaining the role of the Remote Operations Center (ROC)
- Interview with an employee of NSA's department for Tailored Access Operations about his field of work
- Supply-chain interdiction / Stealthy techniques can crack some of SIGINT's hardest targets
- Classification guide for computer network exploitation (CNE)
- NSA training course material on computer network operations
- Overview of methods for NSA integrated cyber operations
- NSA project description to recognize and process data that comes from third party attacks on computers
- Exploring and exploiting leaky mobile apps with BADASS
- Overview of projects of the TAO/ATO department such as the remote destruction of network cards
- iPhone target analysis and exploitation with Apple's unique device identifiers (UDID)
- Report of an NSA Employee about a Backdoor in the OpenSSH Daemon
- NSA document on QUANTUMSHOOTER, an implant to remote-control computers with good network connections from unknown third parties
The new documents shed some new light on other revelations as well. Although an attack called Quantuminsert has been widely reported by SPIEGEL and others, documentation shows that in reality it has a low success rate and it has likely been replaced by more reliable attacks such as Quantumdirk, which injects malicious content into chat services provided by websites such as Facebook and Yahoo. And computers infected with Straitbizarre can be turned into disposable and non-attributable "shooter" nodes. These nodes can then receive messages from the NSA's Quantum network, which is used for "command and control for very large scale active exploitation and attack." The secret agents were also able to breach mobile phones by exploiting a vulnerability in the Safari browser in order to obtain sensitive data and remotely implant malicious code.
In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or "brick" the control center of a hospital as a result of a programming error, people who don't even own a mobile phone could be affected.
Intelligence agencies have adopted "plausible deniability" as their guiding principle for Internet operations. To ensure their ability to do so, they seek to make it impossible to trace the author of the attack.
It's a stunning approach with which the digital spies deliberately undermine the very foundations of the rule of law around the globe. This approach threatens to transform the Internet into a lawless zone in which superpowers and their secret services operate according to their own whims with very few ways to hold them accountable for their actions.
NSA Docs on Malware and Implants
- CSEC document about the recognition of trojans and other "network based anomaly"
- The formalized process through which analysts choose their data requirement and then get to know the tools that can do the job
- QUANTUMTHEORY is a set of technologies allowing man-on-the-side interference attacks on TCP/IP connections (includes STRAIGHTBIZARRE and DAREDEVIL)
- Sample code of a malware program from the Five Eyes alliance
The men and women working for the Remote Operations Center (ROC), which uses the codename S321, at the agency's headquarters in Fort Meade, Maryland, work on one of the NSA's most crucial teams, the unit responsible for covert operations. S321 employees are located on the third floor of one of the main buildings on the NSA's campus. In one report from the Snowden archive, an NSA man reminisces about how, when they got started, the ROC people were "just a bunch of hackers." Initially, people worked "in a more ad hoc manner," the report states. Nowadays, however, procedures are "more systematic". Even before NSA management massively expanded the ROC group during the summer of 2005, the department's motto was, "Your data is our data, your equipment is our equipment."
NSA Docs on Exfiltration
- Explanation of the APEX method of combining passive with active methods to exfiltrate data from networks attacked
- Explanation of APEX shaping to put exfiltrating network traffic into patterns that allow plausible deniability
- Presentation on the FASHIONCLEFT protocol that the NSA uses to exfiltrate data from trojans and implants to the NSA
- Methods to exfiltrate data even from devices which are supposed to be offline
- Document detailing SPINALTAP, an NSA project to combine data from active operations and passive signals intelligence
- Technical description of the FASHIONCLEFT protocol the NSA uses to exfiltrate data from Trojans and implants to the NSA
- Part 1: NSA Preps America for Future Battle
- Part 2: How the NSA Reads Over Shoulders of Other Spies