January 05, 2014

People’s Democracy
(Weekly Organ of the Communist Party of India (Marxist))

Vol. XXXVIII, No. 01

The NSA and Its Corporate Partners

 

Prabir Purkayastha

 

The third most important set of revelations from Snowden’s treasure trove of NSA documents took place last week. Der Spiegel, a leading German newspaper, published a set of reports that show how networks and computers have been compromised by the NSA. This was complemented by Jacob Appelbaum’s address at the 30th Chaos Communications Congress in Hamburg, which brought out the range of methods that NSA uses to take over and eavesdrop on networks and systems. What also stands out is the number of American companies that have such “backdoors” in their systems and equipment. The conclusions are inescapable – either American companies produce really poor hardware and software, or they are full partners in the US spying efforts.

 

THE SETS OF REVELATIONS

The first set of Snowden revelations had nailed the Internet giants – Google, Microsoft, Yahoo, Facebook and others – who were allowing the NSA to read in real time every bit of communications that passed through their networks. All of them had built the next generation of cloud facilities, where data would be stored in the “cloud” – read: stored in the massive array of servers of these companies in the US. Once it became clear that cloud means unrestricted NSA surveillance, as all such data come under the US laws, cloud has taken a beating. Brazil and now India have started talking about data being retained within the countries in which companies do business, a step which would spell the death knell for cloud as a business model. The EU has already taken up its privacy laws and the potential conflict over data of Europeans stored in the cloud. With this threat to their business model, the Internet majors have now come out in the open, asking the US government for permission to clarify the scale and extent of NSA surveillance, so that they can placate the angry users of cloud.

 

The second set of revelations is regarding the telecom companies. This is the second pillar of NSA’s mass surveillance. The data packets going over the telecom network can be tapped with the “assistance” of the telecom companies. The mass surveillance of telecom data is collated with Internet companies’ data to work out who is talking to whom and what they are talking about. NSA also tracks which websites subjects are looking at, or which topics. As the bulk of Internet traffic still passes through the US, this allows the US to duplicate and store all such communication. Appelbaum stated in his talk that these data are retained for a period of 15 years and can be searched any time retrospectively.

 

From mass surveillance, we come to Tailored Access Operating Group (TAO), a new and rapidly expanding part of the NSA. Spiegel reports: “It (TAO) maintains its own covert network, infiltrates computers around the world and even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting.” In other words, apart from inserting rogue code on different machines and networks, it also takes control of machines in transit from the manufacturer/dealer to the target, and implants hardware and software into them. And such targets are not just individuals but governments and companies as well.

 

COMPANIES IN NSA’S SURVEILLANCE SCHEMES

Make no mistake. TAO is not about surveillance alone – it is about targeting the machines and networks of any entity, and modifying either their software or even their hardware to take control of such machines. It is an offensive weapons unit – it attacks the computers and networks of others. It was such an attack on the Supervisory Control and Data Acquisition (SCADA) system at the Natanz fuel enrichment plant that took out 1,000 centrifuges. The principle is the same – implant rogue hardware or software and take control of such machines. And Spiegel makes clear that the targets are not just terrorists; they include agencies of friendly governments (Mexico), senior officials or politicians such as Angela Merkel and Dilma Rousseff, the Indian Mission for UN, and companies such as Petrobras, etc. The list goes on.

 

The list of equipment manufacturers in whose equipment NSA has found security holes, or with whose connivance it has created such holes, is a who’s who of the computer industry. It includes computer manufacturers such as Dell and HP, Apple’s iPhone, iPad and Mac systems, and network routers from Juniper and Cisco. It is widely known that Android phones also have similar backdoors. All of them have issued bland denials – they do not work with NSA to create backdoors. What some of them have added is quite interesting – they have said that they comply with the laws of the countries they operate in. Does it mean giving NSA the encryption keys? Does it mean reporting to NSA known security holes in their systems so that NSA can use them?

 

The interesting part is that the NSA’s laundry list of companies whose hardware it has broken into includes Huawei, the Chinese network company. It now appears that NSA also knows about security holes in Huawei’s network equipment and is able to use them to hack into private and public networks. Presumably, Huawei did not cooperate with NSA on this, so it is possible that some of the other companies may be unknowing partners of the NSA as well. But the range of equipment and the scale of the security holes that NSA uses would lead one to believe that American companies have been a part of NSA’s mass surveillance schemes.

 

The list of network equipment that NSA can take over raises some other questions. Snowden had mentioned earlier that NSA takes over giant routers that direct Internet traffic and has done so in China. Now we know how they have done so – all the networks use a combination of Cisco, Huawei and other suppliers’ equipment, all of which has been compromised by the NSA.

 

INTERESTING QUESTION

This also brings out another interesting question. Appelbaum says that when the NSA uses a computer to attack targets, the computer’s IP address is rarely in the US. (An IP address is the identification of your computer on the Internet in the same way as the phone number is the identifier for telecom networks.) In other words, either NSA fudges the IP address or uses computers that it has taken control of but which are not in the US. Remember the huge campaign we had prior to Snowden’s revelations about the Chinese hacking the whole world, as China was found to be the major “originator” of such attacks? If what Appelbaum says is true, then we need to re-evaluate these data. It could as easily be NSA masquerading as Chinese hackers.

 

The US has always pointed to the Chinese as dangerous, as their electronic industry is largely owned by the Chinese government. We now learn that the US indeed knows how backdoors can be created in the hardware and systems of manufacturers – they have been doing it for years! From FedEx that delivers mail to companies that produce computers and systems, the NSA has active partners that help subvert machines and networks. It is this knowledge of what they are doing that prompted the attack on the Chinese. If there are backdoors in equipment, it must be NSA’s and nobody else’s.

 

Some of the holes that NSA has created are indeed extremely dangerous. In a 60-minute TV programme, NSA’s information assurance director Debora Plunkett spoke about the threat of a BIOS implant – the BIOS being that part of the software that boots all the rest – and how the “malevolent” Chinese were hacking into it, endangering the whole world. If the BIOS is infected, no virus checking software can uncover it. It now transpires that the BIOS threat really exists, but from the NSA. It routinely infects the BIOS, making all measures against such malware irrelevant. Even if you change the hard disk or reformat it, your machine will still stay infected.

 

The kinds of “gadgets” that NSA has engineered are striking. They provide USB sticks that contain wireless communications and can be used to control or read from the machines. The smart phones have been “cracked” – the NSA uses implanted software to provide all information in the phone to NSA. It has a high power wave generator that from a distance can bounce signals off your monitor and see what your monitor is displaying. Remember Snowden’s claim that NSA can read your thoughts as you type them on your computer, pooh-poohed by “experts”? Well, we now know it is true.

 

Appelbaum said in his speech that if there are 10 ways to break into your computer, NSA will find 13 ways to do so. NSA’s motto is: Collect it all. Pretty similar to what used to be the mercenaries’ motto in wars: “kill them all and let god sort it out.”

 

OUR STRATEGIC REQUIREMENT

For countries such as India, we need to take a hard look at our policies. With the IT agreement signed in the aftermath of the WTO treaty, we reduced our duties on hardware to zero. The consequence has been the virtual wipe-out of our indigenous electronics industry. The Department of Electronics and Information Technology as well as the Department of Telecom are now creating policies that will privilege indigenous manufacture.

 

The problem with all of this is that the success of such policies depends on private capital or even multinational capital. However, such policy goals hold no interest for them. Indeed, for many of these companies, an Indian hardware platform is against their corporate and country interests. If the Indian government truly believes that it needs indigenous manufacturing, and the recent revelations make clear why this is a strategic requirement, it needs to create Indian electronics manufacturing in the public sector with public investments. Writing reams of well-meaning documents will not create an electronics manufacturing sector; public investments will.

 

Remember ECIL? Without ECIL the Indian atomic energy programme would have failed. All the control systems in the nuclear plants have come from ECIL. ECIL indeed seeded the entire electronics and computer industry in the country. What we need today is a major effort to create similar companies that will be tasked with creating strategic electronics equipment – and that includes the telecom network. Whether we use Cisco’s or Huawei’s equipment, the questions are the same. There is no “safe” networking equipment unless you build it yourself. Even after that, we need to be cautious, as Huawei is discovering, but at least it would be a start.

 

For a serious discussion on security for the Indian network, we need to reboot these discussions. For too long, NASSCOM and FICCI have been pretending to be the Indian industry. The reality is NASSCOM has been taken over by US Internet companies such as Google and Microsoft. FICCI’s telecom group is again led by foreign companies – AT&T, Vodafone, Yahoo and others. If we want a serious discussion, we have to remove foreign players from the core discussion on national security. Otherwise, we may as well invite the NSA (or the Chinese) to formulate our cyber security policies.