The NSA and the erosion of trust

In olden days, the National Security Agency was just a few large, fortified buildings and a parking lot in Fort Meade, Md., where math wizards with white shirts and pale complexions worked to crack the code of foreign entities. While the NSA launched spy satellites and its analysts were glued to their computer screens, the CIA and FBI got all the public attention, with macho starring roles in movies, TV, and books. The nerdy NSA was itself a cipher. NSA stood for "No Such Agency."

James Bamford's books brought the shadowy agency into the light, but few paid much attention, until revelations from NSA internal documents leaked by Edward Snowden.  Now the NSA has been has been revealed as the real star of the U.S. intelligence constellation, with the capability to covertly infiltrate every kind of electronic device, the Internet, and global communications.

For example, according to areport from Der Speigel and security researcher Jacob Appelbaum, an NSA program called DROPOUTJEEP gives the spy agency backdoor access to any iPhone. The spyware, from the NSA's ANT toolbox of exploits, can access contact lists and voice mail; use cell towers data to locate a phone; intercept text messages; and activate the device's microphone and camera.

The leaked DROPOUTJEEP document, dated 2008, claimed a 100 percent success rate in accessing iPhones. However, the exploit required physical access to the device. It's likely that in the last five years the NSA has found ways to remotely plant the spyware even as Apple and others try to make their phones more secure.

In a statement issued Tuesday, the iPhone maker said: Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products."

The NSA's toolbox also includes a $175,800 fake cell tower that lets the agency eavesdrop on phone calls and text messaging. It's not difficult to imagine that the NSA has similar technology to gain access to any brand of device connected to the Internet of cellular networks.

As Der Speigel reported, based on leaked internal NSA documents, the agency is practically omniscient:

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives -- from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

The NSA isn't just focused on high-tech exploits. The agency's Tailored Access Operations (TAO) unit works with the CIA and FBI to intercept shipments of hardware, taking it to a "secret workshop" to insert spyware into the devices. Based on internal NSA documents, Der Spiegel reported that the NSA gained access to computers, hard drives, routersand other electronic accessories from companies such as Cisco, Dell, Western Digital, Seagate, Maxtor, Samsung, and Huawei.

Let's suppose that the NSA wants to plant spyware on laptops going to a person or company known to have some connection to a terrorist organization or some other criminal actors on its radar. Does the NSA gets a court order to approve the operation? Or does the NSA simply alert the manufacturer that it has some top-secret government business to attend to that involves a few boxes of their electronics equipment? Does the delivery service, such as FedEx, UPS and the US Postal Service, know that the NSA is going to borrow some boxes for a few hours? Whatever the case, in the chain of custody someone has to know something. It's unlikely that covert agents working with the NSA hijack delivery trucks in transit.

Companies contacted by Der Spiegel claimed they had no knowledge of any NSA backdoors into their equipment. If they do have knowledge of such interventions, they are likely prohibited by the government from acknowledging it.

In a statement, the NSA said: "Tailored Access Operations (TAO) is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies. We won't discuss specific allegations regarding TAO's mission, but its work is centered on computer network exploitation in support of foreign intelligence collection."

It's a murky situation. Elected government officials on intelligence committees don't really understand enough about the technical prowess and operations of the NSA to manage it. Nor the does the FISA court, which gives the agency license to carry out surveillance activities. Tech companies are stuck in the middle, cooperating with the NSA as required by law, patriotism, or fear. They don't want to be painted as untrustworthy by their customers or as impediments to preventing a terrorist attack.

The prominent security firm RSA was allegedly paid $10 million by the NSA to implement backdoors on its encryption tokens. The company denies that entered into any contract or engaged in any project with the intention of weakening its products, but the security community remains skeptical.

It's not exactly a cover up, but all those in the orbit of the NSA are looking for cover in the wake of the revelations about what might be called the excesses of the spy agency. Tech company CEOs met with President Obama and are calling for reforms to the NSA and more transparency about government requests for user information. The Final Report of the Review Group on Intelligence and Communications Technologies commissioned by the White House issued 46 recommendations, calling for more judicial oversight and public transparency.

Spying has been going on since the beginnings of civilization. Technology has made it easy and pervasive. In the connected world, everyone is accessible to prying eyes. Every country does it, and many corporations use some form of tradecraft to get intelligence on the competition. Putting the brakes on some aspects of the NSA's practices won't do much to ease the erosion of trust. Nor will the NSA be asked to alter any practice that would put the U.S. government in a less advantageous position versus its perceived enemies.

As security expert Bruce Schneier sees it, tech companies will not be able to escape the tentacles of the NSA:

Even though we don't know which companies the NSA has compromised -- or by what means -- knowing that they could have compromised any of them is enough to make us mistrustful of all of them. This is going to make it hard for large companies like Google and Microsoft to get back the trust they lost. Even if they succeed in limiting government surveillance. Even if they succeed in improving their own internal security. The best they'll be able to say is: "We have secured ourselves from the NSA, except for the parts that we either don't know about or can't talk about."