New documents released by former NSA contractor Edward Snowden reveal the “core secrets” framework of the secretive signals intelligence agency.
The latest tranche, published on The Intercept website, is probably the most damaging set of documents released since Mr Snowden began leaking in June 2013.
If the previously released Snowden files didn’t prove it, this new set of briefs and slides underlines that his releases are not just drips, or even a bucket, of intelligence leaks.
Instead, the documents outlining the enormous spying programme called SENTRY EAGLE reveal the very plumbing of the NSA. The files have nothing to do with individual privacy; they were released to hurt the NSA and its Five Eyes partners, including New Zealand.
SENTRY EAGLE is the controlling programme above the PAWLEYS system, the structure under which the GCSB and the other partners pursue “requirements for HUMINT acquisition of foreign cryptographic information and material” via Computer Network Exploitation (CNE).
The documents, released over the weekend, outline “the fact that CSE (Canada), DSD (Australia), GCHQ (United Kingdom) and GCSB (New Zealand) all operate the PAWLEYS programs and that NSA collaborates with each on targets of mutual interest”.
SENTRY EAGLE is an “overarching compartmented programme”. It is an umbrella programme “protecting the highest and most sensitive level of information related to the NSA” and the US government’s effort to protect America’s cyberspace.
The details listed under SENTRY EAGLE constitute “many of NSA’s most highly sensitive cryptologic or network warfare facts related to intelligence sources, methods and activities and relationships; or CNA [Computer Network Attack] operational capabilities”.
The programme is highly compartmentalised. Not even Second Party Partners such as New Zealand were cleared to know about SENTRY EAGLE as a whole. Specific facts could be disclosed to New Zealand, depending on relevance, but “under no circumstances will you share the totality of SENTRY EAGLE” with foreign intelligence agencies, the document warns those read into the programme.
The briefs caution that any “unauthorised disclosure of NSA/CSS relationships with industry (US and foreign)” would “critically compromise highly sensitive cryptologic US and foreign relationships, multi-year past and future NSA investments and the ability to exploit foreign adversary cyberspace while protecting US cyberspace”.
SENTRY EAGLE and the six programmes beneath it are classified as Top Secret with the additional control marking “Exceptionally Controlled Information (ECI)”, a compartment that places them beyond ordinary Top Secret material. Access at this level is meant only for a “very select” number of officials outside the NSA within the US government.
We now know the NSA classification pyramid has six levels: Unclassified, Unclassified/For Official Use Only, Confidential, Secret and Top Secret, with ECI as the final tier, regarded as the “CNO Core Secrets”.
Those secrets are split into six main categories: SENTRY HAWK (Computer Network Exploitation), FALCON (Computer Network Defence), CONDOR (General Computer Network Operations), OSPREY (Human Intelligence Enabled SIGINT), RAVEN (Exploitation of Encipherment) and OWL (Relationships with Industry).
It is the final three which stand out as important and largely new information, or at least they offer more detail about how the NSA conducts its cyber operations on a broad, day-to-day basis.
Revealing the NSA’s plumbing
OSPREY appears to be the programme for “off net-enabling” CNE operations, defined in the documents as, among other things, “introducing code into target computer networks” and working to “develop, deploy, exploit or maintain intrusive access”.
These “physical subversion activities” are conducted in collaboration with Second Party Partners, including New Zealand. Essentially, the NSA and its Five Eyes partners send agents to real-world targets of intelligence interest to gain physical access to computer networks.
They look for “specific vulnerabilities” in a target’s IT/computer system, such as “in a firewall, operating system, software application, etc”.
The documents describe a range of clandestine field activities undertaken by an NSA unit called “Target Exploitation”, or TAREX, which conducts Human Intelligence (HUMINT). That the NSA runs its own HUMINT is initially surprising, but makes sense once the context is taken into account.
These TAREX agents work with their US counterparts in the FBI, CIA, DHS and DIA to gain physical access to targets of interest. Descriptions of those responsibilities are listed as “close access-enabling”, “off net-enabling”, “supply chain-enabling” and “hardware implant-enabling”.
Journalist Glenn Greenwald already revealed in his 2013 book No Place to Hide that NSA operatives intercept computer hardware in “supply chain interdiction”. The agents implant software or signals beacons into computer hardware at “undisclosed locations” before it is passed on to the end user.
TAREX operates alongside the unit responsible for this work, Tailored Access Operations (TAO), from forward bases in Germany, South Korea and Beijing, China, and from domestic bases in Hawaii, Texas and Georgia. The unit also works out of US Embassies and other “overseas locations”.
The job of TAREX and TAO is apparently to access “data at rest”. This is an important phrase because of the historic turf wars between the NSA and CIA.
In the past, the distinction between “data at rest” and “data in motion” specified the roles of the two agencies and what kind of intelligence they were directly responsible for obtaining.
Traditionally, the CIA was responsible for collecting “data at rest”: everything from paper stored in a safe to recorded voices on tape or CD. The NSA was responsible for intercepting “data in motion”, signals as they fly through the airwaves.
According to these latest documents, the thorny distinction between data “at rest” and “in motion” has proved impossible to maintain between the agencies. Instead, they have settled on working together to gather “data at rest”.
It is a pragmatic way of sidestepping the question of whether digital data is ever really “at rest” at all. Funding has always been a contentious point in the US intelligence community.
The arrangement suggests that, for these operations at least, the annual budgets of the CIA, FBI, DIA and NSA can to a reasonable extent now be considered a single pool. It also shows an encouragingly higher degree of cooperation between the agencies.
The NSA responded to the publication with a single sentence: “it should come as no surprise that NSA conducts targeted operations to counter increasingly agile adversaries.”
No company is unwatched
One of the main points about Mr Snowden’s leaks is that they supply hard, documentary proof of NSA capabilities people once only speculated about.
For instance, it was always assumed that the NSA had some kind of direct access to both US and foreign companies and especially to the technological devices they made.
These documents confirm that the NSA works with “specific named US commercial entities and operational details (devices/products) to make them exploitable for SIGINT”.
In other words, the NSA, with the cooperation of US companies, is manipulating the hardware and software of commercially available products such as mobile phones and computers.
The documents also show that the NSA has access to foreign companies: it works with “specific foreign commercial entities and operational details (devices/products) to make them exploitable for SIGINT”.
On top of this, we now know the NSA places clandestine agents inside “commercial entities”. These undercover agents could be working as full-time employees, or they may be visiting companies under false identities or some other pretext.
Many analysts have suspected for years that the NSA and CIA maintain relationships with companies that let the agencies work, legally, with employees to access company information.
However, it appears the NSA has also been running a network of employees as hidden sources inside both US and foreign commercial entities, without the companies knowing.
This might sound duplicitous, but there are two immediate reasons for creating covert sources in private companies.
One is that some companies may not wish to hand over certain information to the NSA despite legal rulings ordering them to. If that happens, the NSA has somebody in place to deliver the information regardless of company procedures.
The other is verification. Having a person in place as an independent source gives the agency far more confidence in the material it has received.
This is standard practice in intelligence when penetrating a foreign agency, for instance, especially when the primary source is a mole whose reporting needs corroboration. So it makes sense that the NSA would build a system of verification to confirm the accuracy of information companies hand over voluntarily.
Lessons on encryption
Nevertheless, the revelation that there are people inside US and foreign companies communicating directly with the NSA is bound to cause alarm in businesses across the world. Those insiders make the NSA’s job much easier by funnelling critical material such as encryption keys and source code directly to the agency. CEOs will now be wondering who the mole is, that is, if it isn’t the boss in the first place.
As for the foreign companies the NSA works with, no specific names are given and it remains unknown how many companies are compromised. What is now clear is that the NSA works with foreign companies to a much larger extent than previously known.
Considering the type of intelligence the NSA is interested in, it is reasonable to assume that any company building devices capable of sending digital communications, whether emails, texts, photos, chats or phone records, has probably been penetrated by the NSA and its partners.
Since the revelations began, international companies outside the US have positioned themselves as better alternatives for cyber security and digital devices than their American counterparts.
Unfortunately for those companies, that claim no longer holds. It now looks as though many of them, and quite possibly all of them, are just as compromised in security and privacy as the American companies.
This will be a huge blow to those companies’ integrity and commercial image.
The takeaway from the latest documents is that the NSA is integrated far more deeply with both international and US technology and internet companies than previously thought.