13 March 2017

Journalism after Snowden: A new age of cyberwarfare

By David E. Sanger 

EDITOR’S NOTE: This piece is a chapter in Journalism After Snowden: The Future of Free Press in the Surveillance State, a recently released book from Columbia University Press. The book was part of the Journalism After Snowden initiative, a yearlong series of events and projects from the Tow Center for Digital Journalism in collaboration with CJR. The initiative is funded by The Tow Foundation and the John S. and James L. Knight Foundation. Also read contributions to the book from Alan Rusbridger, Clay Shirky, and Jill Abramson—and Emily Bell’s interview with Edward Snowden.

In the end, what kind of change did Edward J. Snowden bring about? In the realm of privacy protection, not much—at least so far. For all the talk on Capitol Hill in the summer of 2013—immediately after the Snowden leaks—about a reassessment of the balance between security and privacy rights, no significant legal changes to the authorities of the National Security Agency or the Foreign Intelligence Surveillance Court have passed Congress since the Snowden leaks.

The biggest change in NSA practice ordered by President Barack Obama—his announcement in January 2014 that the government would get out of the business of amassing a vast database of metadata for all the telephone calls made into or out of the United States—finally went into effect at the end of 2015. It gets the government out of the business of retaining the call records of Americans and puts that responsibility on the telecommunications firms. They were reluctant and had to be compelled (and paid) by the government to play this role. Some intelligence officials (and a few candidates for president) have complained that the change will make it harder for the United States to track terrorist communications. But they forget that the NSA itself had considered, at various points, giving up the metadata collection because it was yielding so little.


But beyond that, three years after the Snowden revelations, there has been very little government compulsion of the private sector to take on roles in surveillance. Apple and others have resisted the calls to allow “back doors” for encrypted communications—and the Obama administration, at this writing, has been unwilling to take them on. It is another sign of how the tensions between Silicon Valley and the government, born of the Snowden revelations about the government’s exploitation of data collected by American companies, have poisoned a once-vital relationship.

Inside the NSA, Snowden’s influence has been more profound—but perhaps not in the ways he imagined. Unlike the CIA, which has had many insiders clean out the family jewels, the NSA never really imagined the damage that could be done by a single disgruntled, or ideological, officer or contractor. So Snowden had the run of the agency’s computer systems. Today, systems administrators like him, with access to vast numbers of documents, can no longer download or move them alone; there is now a “two-man rule” reminiscent of the keepers of the keys for launching nuclear weapons, to protect against lone actors. New detection technology, the agency says, would make it impossible for someone to launch a “web crawler,” as Snowden did, that could sweep up hundreds of thousands of documents without setting off alarms.

But all this suggests that Snowden’s biggest impact on the NSA was not a reconsideration of its activities but a reconfirmation of its fear of leaks, largely to the news media. Oddly enough, the internal committee at the NSA that assessed the damage done by Snowden and recommended internal changes was titled the “Media Leaks Task Force,” as if the problem here had been newspapers or broadcasters or new web publishers who spread the Snowden documents around the globe once they were in the public domain. The problem, of course, was not the media; it was a poorly supervised insider who was given far more access to sensitive material than he needed. (A more appropriate name for the committee might have been the “Insider Threat and Internal Mismanagement Task Force.”) As some NSA officials acknowledge privately, there was a lack of imagination about how vulnerable the agency was to an insider who defeated the NSA’s protections to exfiltrate huge amounts of data. And perhaps because the NSA had never before suffered such an embarrassing loss, it did not regularly conduct a review to weigh the intelligence value of what it was collecting against the political cost should its activities ever become known. That kind of review is held annually at the CIA, as it evaluates the cost of covert actions. Yet as one longtime intelligence official said soon after the Snowden disclosures: “The CIA is used to leaks—and usually weighs the possibility of disclosure when it acts. The NSA did not.” Today, of course, it no longer has that luxury—every week, more of its documents are still dribbling out into the public realm.

Now, with the benefit of hindsight, Snowden’s impact turned out to be greatest in those areas he appears to have thought little about when he was planning his disclosures. While he was hoping to awaken American citizens, the far bigger reaction came in the way allies see the United States, in the way other nations around the world have seized on the evidence of American spying for their own economic and trade benefit, and in the way he revealed the size and scope of the American offensive cyberactivities. He created an opening for countries around the world that were looking for ways to stymie American technological dominance in their markets—and suddenly found it in the argument that to “buy American” is to let the NSA into local networks.

Moreover, in revealing the depths that the NSA and other intelligence agencies went to pierce the encryption and transmission systems of American firms, Snowden drove a wedge between the US government and the companies, from Apple to Google to Microsoft and Silicon Valley startups, that need those markets to grow. He ended the era, which ran from the cracking of the Enigma codes in World War II to the long years of post–September 11 counterterrorism, in which corporations based in the United States felt a national obligation to help the government in its surveillance activities and in the development of new ways to counter cyberthreats. Now many of those companies are declaring that they must be international firms first, even if that means working against American interests, in an effort to preserve their business abroad.

Whether these are good developments or bad, whether they were inevitable even without Snowden’s disclosures, is up for debate. But they are far less discussed in Washington than are the tensions between privacy and security or the question of what kind of oversight should exist over the NSA. Over time, however, they could well prove to be the lasting legacy of Snowden—a divide between the government and the technology firms that are the sources of America’s economic power. It is an argument playing out every week now, as Silicon Valley and the likes of Apple, Google, and Microsoft engage in an arms race. The government is racing to preserve its access to the communications systems of the digital age. And the companies are determined to stop the NSA and other intelligence agencies in their tracks.

To start with the most obvious, the world now knows a lot more about how the NSA operates. And collecting a vast database of metadata about the calls placed or received inside the United States is the least of it.

The agency’s biggest challenge in the past decade has been to stay ahead, or at least abreast, of a world of connected computers. Much of that job requires traditional espionage, updated for the digital age: Tapping into the computer communications of suspected terrorists, the Skype calls made by foreign adversaries and even many allies, the spreadsheets and photos and apps of anyone that the US government needs to know about. The agency became what Scott Shane of the New York Times called “an electronic omnivore of staggering capabilities,” not just for its ability to eavesdrop but for its ability to use its abilities to design offensive cyberweapons.

It is the development of those weapons that is probably the biggest and most secret governmental technology effort since the Manhattan Project, the effort to build the atomic bomb. No American president has ever talked about the country’s cybercapabilities, other than to refer to them in the most oblique way—President Obama mentioned our “capabilities” in an interview early in 2015—and then quickly move on. But while billions of dollars are being spent on those systems each year, both at the NSA and in US Cyber Command, the sister organization also run by the NSA’s director, the government has squelched virtually all of the debate about how those powerful new tools should be used.

The government’s fear of those revelations predated Snowden. The largest and most sophisticated cyberattack of modern times, conducted jointly by the United States and Israel, was the “Stuxnet” attack on Iran’s nuclear facilities. It was part of a far larger program called “Olympic Games,” the code name for an ambitious program to use a cyberweapon to accomplish a task that previously could be conducted only by bombing a nuclear facility or sending in saboteurs. Instead, working together, the United States and Israel developed computer code that was inserted in the controllers that ran Iran’s huge nuclear-enrichment complex at Natanz. Suddenly, nuclear centrifuges spun out of control and often blew up. The Iranians were mystified. At the NSA and Cyber Command, it was the proof of concept: a software “implant” could be, in the NSA’s parlance, “weaponized.” President Obama oversaw the program closely but also expressed fears that once it was exposed, as he knew it eventually would be, other countries would feel free to head down that road as well.

The “Stuxnet” worm exposed itself, because of a flaw in the software, in the summer of 2010. Two years later, the New York Times revealed the broader program, triggering a major leak investigation. Though the stories revealed extensive evidence of the central role that Washington, and the Bush and Obama administrations, had played in the program, the decision was made not to acknowledge the role of the United States. It seemed too fraught, at a moment the United States was negotiating with Iran over the future of its nuclear program and was often at odds with its Israeli allies. Then came the Snowden revelations, which described a vast infrastructure of which “Olympic Games” was just a part—a huge investment in a new kind of warfare. The Obama administration again could have chosen to acknowledge the effort, capitalizing on the revelations to deter other countries—from China to Russia to North Korea and Iran—that have attacked the United States with cyberweapons of their own. Instead, they decided to retain whatever secrecy around the programs they could salvage.

That secrecy appears based on three fears. One is that to talk in anything beyond the most banal generalities about America’s offensive cyber capabilities is to risk exposure of scores, if not hundreds, of still-sensitive programs. The second is that no one in the US government can agree on what kinds of limits should be put on the American development of cyberweapons, or how to use the capability to negotiate something akin to arms control. So, just as the United States avoided nuclear treaties until two decades after Hiroshima and Nagasaki, it wants more time to enjoy its nuclear technological lead. And the third fear is that the mere acknowledgment of American capabilities might seem to justify the development of similar weapons by American adversaries. The result was a huge gap between the government’s words and the evidence: the Snowden revelations had revealed a Manhattan Project–size effort that had stretched over two presidencies. But no one could figure out how to talk about it.

That effort had started small: President Bush had made use of some primitive weapons during the Iraq War, using NSA capabilities to get inside the laptops or networks of individual terrorists, sometimes manipulating data to make sure that specific individuals showed up at a specific time or place for a meeting or supposed operation; there, a team of Special Forces or a drone might be waiting for them. But by the end of his presidency, he had ordered the far more ambitious effort against Iran.

News of that effort leaked out in the last days of the Bush presidency. Obama, who at the time was just learning about America’s offensive cyber capabilities, was outraged and told his defense secretary, Robert Gates, that there should be a major leak investigation, something Gates reported years later in his memoir Duty. Curiously, Obama was not alone in his anger at the disclosure. Edward Snowden, writing under a thinly created pseudonym in a weblog, also denounced the disclosures as a breach of national security, a view he apparently revised later.

But in retrospect, that moment was an important one: it marked the beginning of a series of decisions by the new president to keep the American cyber capability among the country’s deepest held secrets. That was wishful thinking. No government can team up with allies to blow up centrifuges in Iran, get inside North Korea’s systems for both espionage and potential destructive attacks, or infiltrate China’s fast-expanding networks without leaving footprints. And now, we see those footprints far more clearly.

What we have learned from the Snowden disclosures is that the attack on Iran, while customized to fit the target, was part of a much larger effort, reaching back a decade, to develop a far more comprehensive way to get inside the computer networks and computer systems of both allies and adversaries. It is a program far larger than the domestic-surveillance effort that seized the initial headlines that Snowden sought. And in many respects far more technically and politically challenging. The idea was to mark every major thoroughfare and intersection of global networks with an “implant” that can act as an early-warning system for cyberattacks—the equivalent of the undersea microphones the United States placed strategically in oceans to track Soviet boomers during the Cold War. But these implants were designed to do more than just passive surveillance: once in place, they can be used to exploit a network—changing data, for instance—or to destroy it.

Two years after the Snowden revelations, the NSA still fights efforts by news organizations to report even basic facts about this effort. Its concern about revealing sources and methods is understandable, but its opposition to publishing the basic facts gets more mystifying over time. Early in the Snowden inquiry, American officials contended that Russia and China almost certainly had full copies of his trove of data, obtaining it during his time in Hong Kong and then Moscow. Snowden denies this. But whether they have the full trove or not, they now know far more about the implant program, in part because of documents Snowden released that have nothing to do with personal privacy but that shed tremendous light on the NSA’s activities.

They described, for example, the ANT program, which enabled the United States to leap into computers that are walled off from the Internet, something that many countries and companies now do routinely in an effort to secure their systems. Segregating computer systems offers a false sense of security: Iran, for example, had walled off the computers that operated its nuclear centrifuges as the ultimate defense against cyberintrusions. But the United States and Israel were able to leap the “air gap” fairly easily, using an array of new and old technologies. In fact, Snowden’s documents included a catalog of products that can be used to get USB cards or electronic boards into a target’s computer, making it possible to beam in code from seven miles away, using a low-frequency radio transmission.

Similar techniques pierced Huawei, the telecommunications and network-switching giant that many American officials believe is a front for the Chinese People’s Liberation Army. The operation against Huawei apparently found no evidence that this was true. Nonetheless, the United States placed “implants” in the Chinese systems that would enable them to get inside through servers once they were shipped to American adversaries—in Latin America, for example, or in Europe. In one of the great ironies, for years Huawei was all but banned from the US market for fear it would do something similar in American networks.

We know this strange history because the Snowden documents that have leaked out bit by bit long after the initial disclosures have provided documentary evidence. No doubt readers found their eyes glazing over: it was hard sometimes to remember what programs had previously been revealed, what programs were incremental improvements over others, and what represented truly new capabilities. Everyone knew, for example, that the NSA was looking for ways to get into foreign telephone systems—but it was still a surprise that the NSA attacked the European firm that makes SIM cards for smartphones, hoping to place an implant directly into the circuitry. Everyone knew that the NSA was worried about the encryption on the iPhone, but it was still surprising to discover its willingness to implant secret “backdoors” into the products of American companies, without telling the firms.

Journalistically, the steady drip of new Snowden documents, combined with reporting that the old trove of documents has launched, creates a running debate between the government and a few news organizations that plays out every month. Government officials ask, “What is the public good in revealing a program like this?” After all, they argue, the NSA is a foreign intelligence service—breaking into foreign cell phones, or companies like Huawei, or disrupting the Iranian nuclear program to buy more time for negotiations is what Congress organized the agency to do six decades ago. So why publish?

The answer is not always simple, and sometimes operational details are removed from the reportage. But the case for publication boils down to this: in the digital age, Americans are the most vulnerable society on earth to hacking. We are targets, from our Home Depot credit cards to our bank accounts at JPMorgan Chase to the health information stored in Anthem’s computer systems, which contains private medical data for Blue Cross/Blue Shield claims. When the NSA routinely breaks into computer systems around the world, for either espionage or destructive activity, it creates pathways that other powers can follow. As one executive who challenged Admiral Michael Rogers, the head of the NSA, at a forum in Washington in early 2015, said, every NSA effort to weaken encrypted systems is like “drilling a hole in your windshield.” It is not only the NSA that will fly in. The People’s Liberation Army hacking operation, Unit 61398, will be right behind it, along with the Iranian cybercorps.

Moreover, the most extreme of the American actions—the cyberattacks on foreign computer systems—raise questions about what kinds of rules the United States wants to negotiate with other nations around the world to create some sense of arms control in the cyberworld. To use the example most cited by American officials, President Obama frequently talks about creating some cyber “norms” so that countries do not steal one another’s intellectual property. But we are not going to get to set those norms alone, even on American terms. China views American efforts to break into Huawei with the same alarm that the United States views the theft of plans for the F-35 Joint Strike Fighter. Yet in the American telling of events, targeting Huawei is a legitimate national security operation, while targeting the jet’s blueprints is illegal corporate theft. The rest of the world doesn’t see it that way.

All these issues need to be aired, just as the issues of nuclear deterrence were debated in public throughout the Cold War. While the analogy is imperfect, it is also instructive. Like cyberweapons, nuclear weapons are highly classified, yet we understood their terrible destructive capability and managed to have a public, unclassified debate about how and when to use them. We can do the same with cyber, even though its effects are quite different and often far harder to discern. (At the same time, we have to acknowledge that nuclear weapons are in the hands of very few players, making the conversation about controlling them far easier; cyberweapons are in the hands of states, terror groups, criminal organizations, and teenagers. And most of those groups don’t sign treaties.)

It may turn out that the Snowden disclosures, like the revelation of the attacks on Iran that preceded Snowden, were a catalyst for that debate—forcing the US government to acknowledge its capabilities. That is the first step in discussing how to control those weapons. If so, the Snowden affair will have contributed significantly to a critical American discourse—though intelligence officials argue that there must be a better way to do that than the wholesale release of America’s secrets.

There was a second surprising effect of the Snowden revelations: they triggered a war between Silicon Valley and Washington that will not end for years, if not decades.

From the end of World War II to recent times, many American technology firms had an unspoken deal with the government. With Washington as one of their biggest purchasers, they would become partners in many classified programs and often help out with surveillance: IBM’s giant federal systems division built mainframes for the federal government and put the computers aboard the space shuttle; AT&T wired the country but also the government’s classified systems, and when help was needed with call records or other surveillance, it often quietly provided the information—sometimes without benefit of a court order. The firms viewed themselves as Americans first and global enterprises second.

Today that is the exception, not the rule. Robert Litt, the general counsel for the Director of National Intelligence, acknowledged as much in early 2015 in an appearance at the Brookings Institution: “One of the many ways in which Snowden’s leaks have damaged our national security is by driving a wedge between the government and providers and technology companies, so that some companies that formerly recognized that protecting our nation was a valuable and important public service now feel compelled to stand in opposition.” Those providers feel compelled to be in opposition because buyers around the world learned the extent to which American products had been pierced by American intelligence agencies—and seized on that news to justify shunning American products. Many countries passed “data localization” laws to require firms to put servers in their own territories, rather than in the United States. (Why these countries think that practice will slow the NSA’s ability to burrow into their networks is mystifying.) India, Nigeria, China, and Russia have all insisted that American firms place the servers on their soil, presumably to ensure sovereignty over the data stored there. China has issued new regulations to require firms to turn over source code for their products—essentially giving the Chinese their most valuable intellectual property.

All these regulations are costly to American companies, and some, especially those imposed by China, would have likely been imposed even if the Snowden revelations never happened. But the cost is being borne by companies and ultimately their consumers; at no point did the NSA consider the potential economic impact on America’s technology sector if its programs were ever revealed. In other words, it was unconsciously counting on the companies to take the downside economic risk for the NSA’s intelligence programs.

The companies are fighting back in ways that today have the intelligence agencies deeply worried. Tim Cook, the chief executive of Apple, has made it clear that he will spend whatever it takes to demonstrate to the world that the company’s products cannot be pierced by the NSA. So far the most vivid example has been the introduction of a new operating system for the iPhone in which users, not Apple, hold the encryption keys. Even if served with a court order to turn over data from an iPhone—contact lists or pictures or e-mail—Apple has no way to decipher the contents; it hands over gibberish. The director of the FBI, James Comey, protested this change, as did the heads of the intelligence agencies. Litt appealed to corporations to embrace “a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.” Technology executives insist that compromise might sound nice, but it is impossible; to create a backdoor for the NSA is to create a hole through which others will find a way to squeeze.

In the end, Snowden’s legacy will be mixed. He wanted to be known for the changes he would bring about in altering the government’s monitoring of American citizens. That seems unlikely. But he opened the world’s eyes to a new world of surveillance and cyberwarfare. There, what he revealed cannot be stuffed back into a black box—and will change the way we view American power over the next decade.
