The NSA Scandal

Feature article

April 1, 2014

… and the parties involved

Since June 2013, the debate surrounding the effects of industrial espionage has taken on an extra dimension thanks to Edward Snowden’s revelations about the work of the National Security Agency. One of the largest US intelligence agencies, the NSA’s official remit is to do anything within its power to help the American government and its allies gain an advantage when it comes to decision-making. In the main, the NSA obtains information from abroad by intercepting signals of all kinds – Signals Intelligence, or SIGINT, for short – before collecting the data and subjecting it to a risk analysis. In addition, the NSA is also responsible for ensuring that sensitive US government information does not fall into the hands of foreign powers. To facilitate this, the agency has taken on the lead role in the field of encryption techniques and is charged not only with developing products and services for computer networks but also with monitoring their use by other agencies. The primary focus is on international terrorism, the narcotics trade and any other activities deemed hostile towards the United States.

In total, there are sixteen different agencies belonging to the US intelligence community, all of which come under the jurisdiction of the Director of National Intelligence, who is appointed by the President himself. The most powerful intelligence services are the CIA, the NSA, the DIA, the NRO and the NGA, also known as the “Big Five”. Of these five, only the CIA is independent, while the rest report to the US Department of Defence. Not to be confused with the “Big Five” are the “Five Eyes” (FVEY), an Anglophonic alliance comprising Australia, New Zealand, Canada, the US and the United Kingdom, which is controlled by the NSA and the British intelligence and security organisation, Government Communications Headquarters (GCHQ). It has emerged that in the past three years, the latter has received funding to the tune of £100 million from its American counterpart.

But GCHQ is not the only European intelligence organisation to have been placed under scrutiny recently. The French newspaper Le Monde, for instance, has reported that the country’s own Direction Générale de la Sécurité Extérieure (DGSE) has been collecting data from text messages, telephone conversations, emails and communications via Facebook and Twitter and storing it long-term for analysis. Meanwhile, both Norwegian and Swedish intelligence agencies (NIS and Försvarets Radioanstalt respectively) enjoy a bilateral data exchange with the NSA, with a focus of their cooperation being activities taking place in Russia.

Despite hundreds of press reports detailing the alleged collection of millions of data records, the nature of Germany’s relationship to foreign intelligence agencies such as the NSA remains unclear. The fact that cooperation between both domestic and foreign partner agencies has been strengthened is generally justified by pointing to the complexity of terrorist networks. One of the only public pronouncements has been the acknowledgement of a trial programme called “Projekt 6”, which uses analysis software to evaluate any data collected. The software was adapted to the demands of the Federal Office for the Protection of the Constitution with the help of an anonymous partner agency. Although the programme was discontinued in 2010, it has proved instrumental in the development of information systems that are still being used today. Further details have been declared classified, as their acknowledgement could both hinder the work of German intelligence agencies and jeopardise the relationship between Germany and its foreign partners. That said, the latest revelation that two employees of the German agency provided confidential documents to the CIA caused quite a stir as it came only months after the revelation that various cell phone conversations of Federal Chancellor Angela Merkel were recorded. Merkel herself informed the American President in no uncertain terms that she disapproved of such practices. The CIA representative responsible was expelled from Germany and left the country in July 2014.

16 members of the intelligence community of the US government

The individual programmes

With the programme PRISM, the NSA has combined different tools which enable data to be mined by accessing the servers of specific internet companies. Details from emails, documents, chats and video conferences (video and audio), as well as information from social networks and data sent to third parties, can be specifically selected and targeted to individual accounts. According to the information released, a number of major companies have been engaged as “sources” since 2007. In chronological order: Microsoft, Yahoo, Google, Facebook, YouTube, Skype, AOL and, most recently, Apple. UPSTREAM is also a data collection and analysis programme. However, it is different from PRISM because it enables data to be collected through fibre-optic cables as it is being transferred. The NSA recommends that its analysts use PRISM and UPSTREAM in parallel. Similarly, the British programme, TEMPORA, has enabled GCHQ to tap into and store data drawn from 200 fibre-optic cables. On the basis of the figures alone, it has been estimated that up to 21 petabytes (roughly equivalent to four billion MP3 files each measuring five megabytes) can be collected daily.

In December 2013, it was revealed that British Telecom, Verizon, Vodafone, Global Crossing, Level 3, Viatel, and Interoute all agreed to cooperate with GCHQ in their use of the programme. According to the information made public thus far, X-KeyScore is the NSA’s most comprehensive data analysis programme, encompassing some 700 servers spread across 150 different sites around the world, and capable of scaling linearly. On the one hand, it allows analysts to run queries on specific search terms such as individual email or MAC addresses; on the other hand, it also enables them to search for data using descriptive attributes such as country, language, file-type (document or spreadsheet) and file characteristics (encrypted, non-encrypted).

STATEROOM refers to a Five Eyes espionage programme, which involves the interception of radio and satellite signals, and is operated worldwide out of the diplomatic suites, embassies and consulates of signatories to the multilateral UKUSA Agreement. Alongside Berlin, programme headquarters were in Geneva, which led to the Swiss Prosecutor’s office laying charges against persons unknown, and eventually launching their own investigation into the matter. Other programmes include the whimsically titled ROYAL CONCIERGE, with the help of which diplomats’ hotel reservations can be monitored. Meanwhile, over 200 million international text messages are served up to the NSA on a daily basis thanks to the programme DISHFIRE. One can only guess at the personality of the NSA employee who came up with the name BULLRUN for the agency’s highly clandestine decryption programme. However, there is altogether less mystery surrounding MUSCULAR: an initiative that has seen the communication links connecting Google and Yahoo data centres around the world brutally prised open. Nor is there any QUANTUM of solace to be found in the NSA’s method of installing specific radio-wave technology in computers (hidden in external USB connectors or installed directly via mini-circuit boards). With the help of an outstation no bigger than an attaché case, data can be intercepted up to distances of 13km away, even when a computer is not connected to a network. The programme’s main goal was to monitor the Chinese Army.

The TAO-TAILORED ACCESS OPERATIONS, carried out by the agency’s own hackers, require some serious leg-work. Servers, computers, external hard-drives and wireless routers are intercepted at the delivery stage so that hackers can add hardware backdoors or directly install surveillance programmes. The description of this process as ANT-ADVANCED/ACCESS NETWORK TECHNOLOGY borders on the sarcastic. Device manufacturers such as Cisco Systems, Dell, Hewlett Packard, Huawei, Juniper Networks, Samsung Electronics, Seagate Technology/Maxtor and Western Digital are all affected. In the same context, it was also revealed that the IT security firm RSA was paid $10 million by the NSA to provide weak encryption systems. Alongside all these surveillance programmes, it is worth remembering that the US government not only has access to all EU bank transaction data (thanks to the SWIFT-agreement), but also to biometric data such as iris-scans and fingerprints.

But what is the situation in the free market economy? Through the SAFE-HARBOR-AGREEMENT, which more than 1,000 American companies have already entered into, major companies like IBM, Microsoft, Google and Facebook have access to EU citizens’ data. Owing to their questionable data-protection practices, Facebook and Google, in particular, have recently been subject to intense scrutiny. In the past few years, Google has gone from being an internet company to a global conglomerate, and is venturing into more and more industry branches. The latest coups are the formation of the Open Automotive Alliance (OAA) with vehicle manufacturers Audi, GM, Honda and Hyundai; and the acquisition of the thermostat-making company Nest Labs. Alongside the mobile phone, the internet giant, it seems, is increasing its hold on consumers’ lives with each passing day.

Industrial espionage in the free market economy

There is no technology on the market that can offer a 100% guarantee against espionage. Nevertheless, the Snowden case shows that one of the principal risks actually lies elsewhere. According to one former NSA employee, simple human weakness is often a factor: agents can be recruited through money, ideology, coercion or ego. A recent corporate trust study suggests that industrial espionage led to $4.2 billion worth of damage to the German economy. The same study indicates that more than half of German companies have already fallen victim to industrial espionage; and that in more than 50% of cases, the process was set in motion by company employees themselves. The most sought-after data concerns prices and clients, closely followed by information about production and development strategies. Almost a quarter of recorded incidents take place in mid-size companies, with around a fifth occurring in major companies. Small businesses, where 15% of incidents are said to take place, appear to be the least affected.

In more than 20% of cases of industrial espionage, company employees fall victim to the increasingly widespread practice of social engineering. Employees respond in good faith to questions (which can also be personal in nature) posed over the telephone or at trade fairs. Trojans are then smuggled onto employees’ devices through their email addresses, usually with the help of an innocuous-looking link. Once the Trojan has infiltrated the system, it can be used to search an employee’s hard-drive, bug their webcam and microphone, or even monitor their keyboard. Owing to current developments, the risks are increasing exponentially. One example is the automotive industry. More and more clients are being asked to install mobile-end devices or similar applications in their cars. In turn, a desire to keep pace with the ever-changing demands of the consumer industry has led car manufacturers to install radio access networks in their vehicles and thus provide consumers with software updates. Given that employees of the American agency DARPA managed, in 2013, to control braking and accelerating functions remotely through the diagnostic port, it is surely only a matter of time before this is also possible via wireless technology. With the Internet of Things, meanwhile, the future could take on a genuinely terrifying appearance. From the remote regulation of electricity and water, to the potential to manipulate a diabetic’s wireless insulin pump, the possibilities are seemingly endless.

First published in German: Der NSA Skandal und die gezielte Industriespionage – Magazin keNEXT 1-2/2014

Author: Britta Muzyk
2019-02-15T20:50:24+01:00