[liberationtech] U.S. Agencies Said to Swap Data With Thousands of Firms

[Eugen Leitl]

http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

U.S. Agencies Said to Swap Data With Thousands of Firms

By Michael Riley - Jun 14, 2013 4:44 AM GMT+0200

Thousands of technology, finance and manufacturing companies are working
closely with U.S. national security agencies, providing sensitive information
and in return receiving benefits that include access to classified
intelligence, four people familiar with the process said.

These programs, whose participants are known as trusted partners, extend far
beyond what was revealed by Edward Snowden, a computer technician who did
work for the National Security Agency. The role of private companies has come
under intense scrutiny since his disclosure this month that the NSA is
collecting millions of U.S. residents’ telephone records and the computer
communications of foreigners from Google Inc (GOOG). and other Internet
companies under court order.

Microsoft Corp., the world’s largest software company, provides intelligence
agencies with information about bugs in its popular software before it
publicly releases a fix, according to two people familiar with the process.

Photographer: Scott Eells/Bloomberg

June 14 (Bloomberg) -- Ronny Tong, a member of the Hong Kong Legislative
Council and a practicing barrister, talks about Edward Snowden, the former
national security contractor who has admitted leaked details of a U.S.
electronic surveillance program. He speaks with Rishaad Salamat on Bloomberg
Television's "On the Move." (Source: Bloomberg)

In addition to private communications, information about equipment
specifications and data needed for the Internet to work -- much of which
isn’t subject to oversight because it doesn’t involve private communications
-- is valuable to intelligence, U.S. law-enforcement officials and the
military. 

Photographer: Jacob Kepler/Bloomberg

Larry Page, chief executive officer of Google Inc., said in a blog posting
June 7 that he hadn’t heard of a program called Prism until after Edward
Snowden’s disclosures and that the company didn’t allow the U.S. government
direct access to its servers or some back-door to its data centers.
Photographer: Robert Galbraith/Pool via Bloomberg

Many of these same Internet and telecommunications companies voluntarily
provide U.S. intelligence organizations with additional data, such as
equipment specifications, that don’t involve private communications of their
customers, the four people said.

Makers of hardware and software, banks, Internet security providers,
satellite telecommunications companies and many other companies also
participate in the government programs. In some cases, the information
gathered may be used not just to defend the nation but to help infiltrate
computers of its adversaries.

Along with the NSA, the Central Intelligence Agency (0112917D), the Federal
Bureau of Investigation and branches of the U.S. military have agreements
with such companies to gather data that might seem innocuous but could be
highly useful in the hands of U.S. intelligence or cyber warfare units,
according to the people, who have either worked for the government or are in
companies that have these accords.

Microsoft Bugs

Microsoft Corp. (MSFT), the world’s largest software company, provides
intelligence agencies with information about bugs in its popular software
before it publicly releases a fix, according to two people familiar with the
process. That information can be used to protect government computers and to
access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet
security companies have been aware that this type of early alert allowed the
U.S. to exploit vulnerabilities in software sold to foreign governments,
according to two U.S. officials. Microsoft doesn’t ask and can’t be told how
the government uses such tip-offs, said the officials, who asked not to be
identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in
cooperation with multiple agencies and are designed to be give government “an
early start” on risk assessment and mitigation.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence
agencies with access to facilities and data offshore that would require a
judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence
Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence
agencies is legal and reaches deeply into many aspects of everyday life,
though little of it is scrutinized by more than a small number of lawyers,
company leaders and spies. Company executives are motivated by a desire to
help the national defense as well as to help their own companies, said the
people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a
company know of them, and they are sometimes brokered directly between chief
executive officers and the heads of the U.S.’s major spy agencies, the people
familiar with those programs said.

‘Thank Them’

Michael Hayden, who formerly directed the National Security Agency and the
CIA, described the attention paid to important company partners: “If I were
the director and had a relationship with a company who was doing things that
were not just directed by law but were also valuable to the defense of the
Republic, I would go out of my way to thank them and give them a sense as to
why this is necessary and useful.”

“You would keep it closely held within the company and there would be very
few cleared individuals,” Hayden said.

Cooperation between nine U.S. Internet companies and the NSA’s Special Source
Operations unit came to light along with a secret program called Prism.
According to a slide deck provided by Snowden, the program gathers e-mails,
videos, and other private data of foreign surveillance targets through
arrangements that vary by company, overseen by a secret panel of judges.

U.S. intelligence agencies have grown far more dependent on such arrangements
as the flow of much of the world’s information has grown exponentially
through switches, cables and other network equipment maintained by U.S.
companies.

Equipment Specs

In addition to private communications, information about equipment
specifications and data needed for the Internet to work -- much of which
isn’t subject to oversight because it doesn’t involve private communications
-- is valuable to intelligence, U.S. law-enforcement officials and the
military.

Typically, a key executive at a company and a small number of technical
people cooperate with different agencies and sometimes multiple units within
an agency, according to the four people who described the arrangements.

Committing Officer

If necessary, a company executive, known as a “committing officer,” is given
documents that guarantee immunity from civil actions resulting from the
transfer of data. The companies are provided with regular updates, which may
include the broad parameters of how that information is used.

Intel Corp. (INTC)’s McAfee unit, which makes Internet security software,
regularly cooperates with the NSA, FBI and the CIA, for example, and is a
valuable partner because of its broad view of malicious Internet traffic,
including espionage operations by foreign powers, according to one of the
four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee’s chief executive,
who would then clear specific individuals to work with investigators or
provide the requested data, the person said. The public would be surprised at
how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to
do their work, and the company data can be used to pinpoint where attacks
begin. The company also has knowledge of the architecture of information
networks worldwide, which may be useful to spy agencies who tap into them,
the person said.

McAfee’s Data

McAfee (MFE)’s data and analysis doesn’t include information on individuals,
said Michael Fey, the company’s world wide chief technology officer.

“We do not share any type of personal information with our government agency
partners,” Fey said in an e-mailed statement. “McAfee’s function is to
provide security technology, education, and threat intelligence to
governments. This threat intelligence includes trending data on emerging new
threats, cyber-attack patterns and vector activity, as well as analysis on
the integrity of software, system vulnerabilities, and hacker group
activity.”

In exchange, leaders of companies are showered with attention and information
by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could
affect their bottom line, including serious Internet attacks and who is
behind them.

China’s Military

Following an attack on his company by Chinese hackers in 2010, Sergey Brin,
Google’s co-founder, was provided with highly sensitive government
intelligence linking the attack to a specific unit of the People’s Liberation
Army, China’s military, according to one of the people, who is familiar with
the government’s investigation. Brin was given a temporary classified
clearance to sit in on the briefing, the person said.

According to information provided by Snowden, Google, owner of the world’s
most popular search engine, had at that point been a Prism participant for
more than a year.

Google CEO Larry Page said in a blog posting June 7 that he hadn’t heard of a
program called Prism until after Snowden’s disclosures and that the Mountain
View, California-based company didn’t allow the U.S. government direct access
to its servers or some back-door to its data centers. He said Google provides
user data to governments “only in accordance with the law.”

Leslie Miller, a spokeswoman for Google, didn’t provide an immediate response
yesterday.

The information provided by Snowden also exposed a secret NSA program known
as Blarney. As the program was described in the Washington Post (WPO), the
agency gathers metadata on computers and devices that are used to send
e-mails or browse the Internet through principal data routes, known as a
backbone.

Metadata

That metadata includes which version of the operating system, browser and
Java software are being used on millions of devices around the world,
information that U.S. spy agencies could use to infiltrate those computers or
phones and spy on their users.

“It’s highly offensive information,” said Glenn Chisholm, the former chief
information officer for Telstra Corp (TLS)., one of Australia’s largest
telecommunications companies, contrasting it to defensive information used to
protect computers rather than infiltrate them.

According to Snowden’s information, Blarney’s purpose is “to gain access and
exploit foreign intelligence,” the Post said.

It’s unclear whether U.S. Internet service providers gave information to the
NSA as part of Blarney, and if so, whether the transfer of that data required
a judge’s order.

Less Scrutiny

Stewart Baker, former general counsel for the NSA, said if metadata involved
communications between two foreign computers that just happened to be
crossing a U.S. fiber optic cable “then the likelihood is it would demand
less legal scrutiny than when communications are being extracted one by one.”

Lawmakers who oversee U.S. intelligence agencies may not understand the
significance of some of the metadata being collected, said Jacob Olcott, a
former cybersecurity assistant for Senator John D. Rockefeller IV of West
Virginia, the Democratic chairman of the Senate Commerce Committee.

“That’s what makes this issue of oversight so challenging,” said Olcott, now
a principal at Good Harbor Security Risk Management in Washington. “You have
a situation where the technology and technical policy is far outpacing the
background and expertise of most elected members of Congress or their
staffs.”

While companies are offered powerful inducements to cooperate with U.S.
intelligence, many executives are motivated by patriotism or a sense they are
defending national security, the people familiar with the trusted partner
programs said.

Einstein 3

U.S telecommunications, Internet, power companies and others provide U.S.
intelligence agencies with details of their systems’ architecture or
equipment schematics so the agencies can analyze potential vulnerabilities.

“It’s natural behavior for governments to want to know about the country’s
critical infrastructure,” said Chisholm, chief security officer at Irvine,
California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy.
Einstein 3, a costly program originally developed by the NSA, is meant to
protect government systems from hackers. The program, which has been made
public and is being installed, will closely analyze the billions of e-mails
sent to government computers every year to see if they contain spy tools or
malicious software.

Einstein 3 could also expose the private content of the e-mails under certain
circumstances, according to a person familiar with the system, who asked not
to be named because he wasn’t authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five
major Internet companies -- AT&T Inc. (T), Verizon Communications Inc (VZ).,
Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink
Inc (CTL). -- asked for guarantees that they wouldn’t be held liable under
U.S. wiretap laws. Those companies that asked received a letter signed by the
U.S. attorney general indicating such exposure didn’t meet the legal
definition of a wiretap and granting them immunity from civil lawsuits, the
person said.

Mark Siegel, a spokesman for Dallas-based AT&T, the nation’s biggest phone
carrier, declined to comment. Edward McFadden, a spokesman for New York-based
Verizon, the second-largest phone company, declined to comment.

Scott Sloat, a spokesman for Overland Park, Kansas-based Sprint, and Monica
Martinez, a spokeswoman for Broomfield, Colorado-based Level 3, didn’t
immediately respond to requests for comment.

Linda Johnson, a spokeswoman for Centurylink, formerly Qwest Corp., said her
Monroe, Louisiana-based company participates in the Enhanced Cybersecurity
Services program and the Intrusion Prevention Security Services program,
which includes Einstein 3. Both programs are managed by the U.S. Department
of Homeland Security.

Beyond that, she said, “CenturyLink does not comment on matters pertaining to
national security.”

To contact the reporter on this story: Michael Riley in Washington at
michaelriley at bloomberg.net

To contact the editor responsible for this story: Michael Hytha at
mhytha at bloomberg.net