Les anglonautes

About | Search | Vocapedia | Learning | Podcasts | Videos | History | Arts | Science | Translate

 Previous Home Up Next

 

History > 2014 > USA > Surveillance > N.S.A. (I)

 

 

 

New N.S.A. Chief Calls Damage

From Snowden Leaks Manageable

 

JUNE 29, 2014

The New York Times

By DAVID E. SANGER

 

FORT MEADE, Md. — The newly installed director of the National Security Agency says that while he has seen some terrorist groups alter their communications to avoid surveillance techniques revealed by Edward J. Snowden, the damage done over all by a year of revelations does not lead him to the conclusion that “the sky is falling.”

In an hourlong interview Friday in his office here at the heart of the country’s electronic eavesdropping and cyberoperations, Adm. Michael S. Rogers, who has now run the beleaguered spy agency and the military’s Cyber Command for just short of three months, described the series of steps he was taking to ensure that no one could download the trove of data that Mr. Snowden gathered — more than a million documents.

But he cautioned that there was no perfect protection against a dedicated insider with access to the agency’s networks.

“Am I ever going to sit here and say as the director that with 100 percent certainty no one can compromise our systems from the inside?” he asked. “Nope. Because I don’t believe that in the long run.”

The crucial change, he said, is to “ensure that the volume” of data taken by Mr. Snowden, a former agency contractor, “can’t be stolen again.” But the Defense Department, of which the security agency and Cyber Command are a part, made the same vow in 2010 after an Army private, Chelsea Manning, downloaded hundreds of thousands of secret State Department and Pentagon files and released them to WikiLeaks.

Notable in his comments was an absence of alarm about the long-term effects of the Snowden revelations. Like former Secretary of Defense Robert M. Gates, who urged colleagues in the Obama administration to calm down about the WikiLeaks revelations in 2010, Admiral Rogers seemed to suggest that, as technology progressed, the agency would find new ways to compensate for the damage done, however regrettable the leaks.

He repeated past warnings that the agency had overheard terrorist groups “specifically referencing data detailed” by Mr. Snowden’s revelations. “I have seen groups not only talk about making changes, I have seen them make changes,” he said.

But he then added: “You have not heard me as the director say, ‘Oh, my God, the sky is falling.’ I am trying to be very specific and very measured in my characterizations.”

His tone was in contrast to that of some politicians and intelligence professionals, including his immediate predecessor, Gen. Keith B. Alexander, who described in stark terms the risks to American and allied national security from the revelations, calling it “the greatest damage to our combined nations’ intelligence systems that we have ever suffered.”

Admiral Rogers discussed his vision of how the United States might use cyberweapons against adversaries — a subject of debate inside the administration that American officials rarely discuss in public — saying he could imagine a day when, under strict rules of armed conflict, they were used selectively but as part of ordinary military operations, like cruise missiles and drones.

He also acknowledged that the quiet working relationships between the security agency and the nation’s telecommunications and high technology firms had been sharply changed by the Snowden disclosures — and might never return to what they once were in an era when the relationships were enveloped in secrecy.

Telecommunications businesses like AT&T and Verizon, and social media companies, now insist that “you are going to have to compel us,” Admiral Rogers said, to turn over data so that they can demonstrate to foreign customers that they do not voluntarily cooperate. And some are far more reluctant to help when asked to provide information about foreigners who are communicating on their networks abroad. It is a gray area in the law in which American courts have no jurisdiction; instead, the agency relied on the cooperation of American-based companies.

Last week, Verizon lost a longstanding contract to run many of the telecommunications services for the German government. Germany declared that the revelations of “ties revealed between foreign intelligence agencies and firms” showed that it needed to rely on domestic providers.

Google has announced steps to seal gaps in its system that the security agency exploited to gain access to the company’s databases. Microsoft is challenging in court the validity of warrants to turn over data that it stores outside the United States.

“I understand why we are where we are,” said Admiral Rogers, the first career cryptologist to run the country’s code-breaking and code-making agency, and a former commander of the Navy’s Fleet Cyber Command. “I don’t waste a lot of time saying, ‘Why wouldn’t you want to work with us?’ ”

Admiral Rogers said the majority of corporations that had long given the agency its technological edge and global reach were still working with it, though they had no interest in advertising the fact. He was unapologetic about the agency’s past activities, even as he said he recognized that unlike his predecessors for the past six decades he was going to have to engage “in a public dialogue” about how the agency operated.

When asked about the changes the agency had made to prevent another insider attack like the one Mr. Snowden executed without detection — including a “two-man rule” that would require two systems operators to enter codes to gain access to sensitive data, much as two officers must enter codes to launch nuclear weapons — he refused to say whether he had embraced one major recommendation of a presidential commission on the agency’s operations.

The commission, which issued a public report in December, said it was surprised that the agency did not encrypt the vast databases of information it stores on its computers and in the Internet cloud. Had it encrypted that information, the files Mr. Snowden downloaded would have been unreadable, unless he also had the cryptologic key.

In discussing the post-Snowden changes, Admiral Rogers said the security agency had received instructions to cease its monitoring of a number of world leaders beyond Chancellor Angela Merkel of Germany, whose cellphone was monitored in a decade-long operation that President Obama halted.

“There are some specific targets where we’ve been instructed, ‘Hey, don’t collect against them anymore,’ ” he said. He declined to say how many beyond noting, “Probably more than half a dozen, but not in the hundreds by any means.”

Admiral Rogers has taken command of the agency just as its power to collect and retain “telephone metadata” — the records of numbers dialed and the duration of calls — is being stripped from the agency. Mr. Obama defended the program last summer, after the initial round of revelations. But he had a change of heart, fueled by his commission’s conclusion that it could not find a case in which the program had definitively halted a potential terrorist attack.

Mr. Obama ultimately decided to cease the government collection of the data, putting it into the hands of a third party and requiring an individual warrant from the Foreign Intelligence Surveillance Court to obtain the data.

Admiral Rogers indicated that system, so long resisted by the security agency, was workable. “I am not going to jump up and down and say, ‘I have to have access to that data in minutes and hours,’ ” he said. “The flip side is that I don’t want to take weeks and months to get to the data.”

The House passed a bill that would keep the data in the hands of telecommunications businesses; the Senate has yet to act.

“Clearly the intention,” he said, is to get the security agency “out of the data-retention business” for domestic calling records.



A version of this article appears in print on June 30, 2014, on page A1 of the New York edition with the headline: Sky Isn’t Falling After Scandal, N.S.A. Chief Says.

    New N.S.A. Chief Calls Damage From Snowden Leaks Manageable,
    NYT, 29.6.2014,
    http://www.nytimes.com/2014/06/30/us/sky-isnt-falling-
    after-snowden-nsa-chief-says.html

 

 

 

 

 

How a Court Secretly Evolved,

Extending U.S. Spies’ Reach

 

MARCH 11, 2014
The New York Times
By CHARLIE SAVAGE
and LAURA POITRAS

 

WASHINGTON — Ten months after the Sept. 11 attacks, the nation’s surveillance court delivered a ruling that intelligence officials consider a milestone in the secret history of American spying and privacy law. Called the “Raw Take” order — classified docket No. 02-431 — it weakened restrictions on sharing private information about Americans, according to documents and interviews.

The administration of President George W. Bush, intent on not overlooking clues about Al Qaeda, had sought the July 22, 2002, order. It is one of several still-classified rulings by the Foreign Intelligence Surveillance Court described in documents provided by Edward J. Snowden, the former National Security Agency contractor.

Previously, with narrow exceptions, an intelligence agency was permitted to disseminate information gathered from court-approved wiretaps only after deleting irrelevant private details and masking the names of innocent Americans who came into contact with a terrorism suspect. The Raw Take order significantly changed that system, documents show, allowing counterterrorism analysts at the N.S.A., the F.B.I. and the C.I.A. to share unfiltered personal information.

The leaked documents that refer to the rulings, including one called the “Large Content FISA” order and several more recent expansions of powers on sharing information, add new details to the emerging public understanding of a secret body of law that the court has developed since 2001. The files help explain how the court evolved from its original task — approving wiretap requests — to engaging in complex analysis of the law to justify activities like the bulk collection of data about Americans’ emails and phone calls.

“These latest disclosures are important,” said Steven Aftergood, the director of the Project on Government Secrecy at the Federation of American Scientists. “They indicate how the contours of the law secretly changed, and they represent the transformation of the Foreign Intelligence Surveillance Court into an interpreter of law and not simply an adjudicator of surveillance applications.”

The Raw Take order appears to have been the first substantial demonstration of the court’s willingness after Sept. 11 to reinterpret the law to expand government powers. N.S.A. officials included it as one of three court rulings on an internal timeline of key developments in surveillance law from 1972 to 2010, deeming it a historic event alongside once-secret 2004 and 2006 rulings on bulk email and call data.

A half-dozen current and former officials defended the order as lawful and reasonable, saying it allowed the government to best use its experts on Al Qaeda — wherever they worked — to find nuggets of intelligence hidden in hours of phone calls or volumes of emails. They also noted that the agencies receiving the data must still apply privacy protections after evaluating Americans’ information. An N.S.A. spokeswoman declined to comment about the ruling.

Still, Marc Rotenberg, the executive director of the Electronic Privacy Information Center, argued that the easing of privacy protections mandated by the Foreign Intelligence Surveillance Act of 1978 increased the risk of abuse and should not be a secret.

“The framers of FISA intended to narrowly restrict the ability of the government to disseminate this information because it has a very low standard enabling access to communications,” he said. “If the FISA court removed those safeguards, it obviously raises questions about compliance with the intent of the act.”

The number of Americans whose unfiltered personal information has been shared among agencies is not clear. Since the Sept. 11 attacks, the court has approved about 1,800 FISA orders each year authorizing wiretaps or physical searches — which can involve planting bugs in homes or offices, or copying hard drives — inside the United States. But the government does not disclose how many people had their private conversations monitored as a result.

Other Americans whose international phone calls and emails were swept up in the N.S.A.’s warrantless wiretapping program after it was legalized in 2007 might have increased those numbers. After Congress amended the surveillance act to authorize the program, the court allowed raw sharing of personal information from it, too, according to leaked and declassified documents.

The new disclosures come amid a debate over whether the surveillance court, which hears arguments only from the Justice Department, should be restructured for its evolving role. Proposals include overhauling how judges are selected to serve on it and creating a public advocate to provide adversarial arguments when the government offers complex legal analysis for expanding its powers.
 


Easing Barriers

The Bush administration sought the Raw Take order as it was trying to lower various bureaucratic barriers that impeded counterterrorism specialists across the government from working together.

Timothy Edgar, a Brown University visiting professor who worked at the Office of the Director of National Intelligence and at the White House from 2006 to 2013, said that after the Sept. 11 attacks “there was a big movement to make sure sharing took place early on and at a tactical level.”

“Without the ability to have a small group of people that would be able to share intelligence at an earlier stage, at a raw stage,” he added, “it was hard to cooperate at a more technical level.”

Some efforts took place in public. In May 2002, the surveillance court rejected a request to dismantle a “wall” that inhibited criminal prosecutors from working closely with intelligence investigators using FISA surveillance; that fall, a review court overturned the ruling. Meanwhile, the administration was also pushing in private to get around obstacles to sharing information among intelligence agencies.

Congress had enacted FISA after revelations about decades of abuses of surveillance undertaken in the name of national security — like the F.B.I.’s taping of the Rev. Dr. Martin Luther King Jr.’s extramarital affairs and its sharing of the information with the Kennedy White House. The law required agencies to “minimize” private information about Americans — deleting data that is irrelevant for intelligence purposes before providing it to others.

Exceptions had been narrow, like when an agency needed decoding or translating help from a counterpart. The Justice Department’s 2002 motion — formally called “In Re Electronic Surveillance and Physical Search of International Terrorist Groups, Their Agents, and Related Targets” — argued that the court could interpret that exception more permissively.

People familiar with the request said it cited passages from a 1978 report by the House Intelligence Committee that explained what lawmakers intended the original FISA bill to mean.

One section says that when information has not yet been examined and another agency is going to perform that task, minimization requirements are not yet in effect. Another explains that lawmakers intended that “a significant degree of latitude be given in counterintelligence and counterterrorism cases” regarding the retention or sharing of information “between and among counterintelligence components of the government.”

Justice Department officials argued that those passages showed that it would be consistent with congressional intent to allow wider sharing of unevaluated, unminimized information among analysts at the N.S.A., the F.B.I. and the C.I.A. The court agreed, granting the order.

Current and former officials said only trained analysts with a need to see the raw information may access it. Still, Jameel Jaffer, a lawyer for the American Civil Liberties Union, noted that the government had cited stringent minimization rules to justify FISA surveillance as complying with the Constitution.

“It seems that at the same time the government has been touting the minimization requirements to the public, it’s been trying behind closed doors to weaken those requirements,” he said.

The newly disclosed documents also refer to a decision by the court called Large Content FISA, a term that has not been publicly revealed before. Several current and former officials, speaking on the condition of anonymity, said Large Content FISA referred to sweeping but short-lived orders issued on Jan. 10, 2007, that authorized the Bush administration to continue its warrantless wiretapping program.

The Bush administration had sought a ruling to put the program, which had been exposed by The New York Times, on a firmer legal footing. Attorney General Alberto R. Gonzales disclosed a week after the decision that a judge had issued “innovative” and “complex” orders bringing the program under the surveillance court’s authority. But when they came up for renewal that April, another surveillance court judge balked and began requiring cumbersome paperwork, prompting the administration to seek a legislative solution, an intelligence official later explained.

We wouldn't know about this if it weren't for Edward Snowden, and every upstanding American knows that he's a traitor, so we should not be...

The documents do not explicitly say the Large Content FISA orders were the January 2007 decisions but are consistent with that explanation.

Two classification guides say that the N.S.A. used the orders during a transition to the enactment of the Protect America Act, an August 2007 law in which Congress legalized the program. It was replaced with the FISA Amendments Act in 2008.

The government has never provided details about the court’s reasoning in pronouncing the program lawful. But the orders are also mentioned in a classified draft of an N.S.A. inspector general report that Mr. Snowden disclosed, which calls them “Foreign Content” and “Domestic Content” orders. The report cites a legal theory that reinterpreted a key word in the original FISA — the “facility” against which the court may authorize spying because a terrorism suspect is using it.

Facilities had meant phone numbers or email addresses, but a judge accepted an argument that they could instead be the gateways connecting the American communications network to the world, because Qaeda militants were probably among the countless people using those switches. Privacy protections would be applied afterward, the report said.

Asked about Large Content FISA orders, Vaneé Vines, an N.S.A. spokeswoman, said: “Since the enactment of the Protect America Act and the FISA Amendments Act, all collection activities that come within the scope of those statutes have been conducted pursuant to those statutes.”
 

Foreign Governments

The Raw Take order, back in 2002, also relaxed limits on sharing private information about Americans with foreign governments. The bar was higher for sharing with outsiders: Raw information was not provided, and even information deemed relevant about a terrorism issue required special approval.

Under procedures described in a 1984 report, only the attorney general could authorize such dissemination. But on Aug. 20, 2002, Attorney General John Ashcroft, citing the recent order, secretly issued new procedures allowing the N.S.A. to provide information to foreign governments without his clearance.

“If the proposed recipient(s) of the dissemination have a history of human rights abuses, that history should be considered in assessing the potential for economic injury, physical harm, or other restriction of movement, and whether the dissemination should be made,” he wrote.

Access within the N.S.A. to raw FISA information was initially limited to its headquarters at Fort Meade, Md. But in 2006, the N.S.A. expanded sharing to specialists at its code-breaking centers in Hawaii, Texas and Georgia. Only those trained would obtain access, but a review demonstrated that wider sharing had already increased risks. A document noted that the agency was mixing two types of FISA information, each subject to different court-imposed rules, along with other records, and “it is possible that there are already FISA violations resulting from the way data has been stored in these databases.”

The sharing of raw information continued to expand after the enactment of the FISA Amendments Act. On Sept. 4, 2008, the court issued an opinion, which remains secret but was cited in another opinion that has been declassified, approving minimization rules for the new law. A video explaining the new rules to N.S.A. employees noted that “C.I.A. and F.B.I. can have access to unminimized data in many circumstances.”

A footnote in a now-declassified October 2011 opinion shows that the N.S.A. did not share one category of raw data: emails intercepted at network switches, as opposed to those gathered from providers like Yahoo. For technical reasons, the switch tactic intercepts tens of thousands of purely domestic and unrelated emails annually.

Around early 2012, the court approved the expansion of sharing to a fourth agency, the National Counterterrorism Center, a clearinghouse for terrorism threat information. A May 2012 document says the “fact that NCTC is in receipt of raw or unminimized FISA information” is classified at a level reserved for data whose disclosure would “cause serious damage” to national security.

Intelligence officials, when pressed, offered no rationale for why public knowledge of the court’s interpretation of legal limits on sharing information met that standard.

 

Charlie Savage reported from Washington,

and Laura Poitras from Berlin.

A version of this article appears in print on March 12, 2014,

on page A1 of the New York edition with the headline:

How a Court Secretly Evolved, Extending U.S. Spies’ Reach.

    How a Court Secretly Evolved, Extending U.S. Spies’ Reach,
    NYT, 11.3.2014,
    http://www.nytimes.com/2014/03/12/us/
    how-a-courts-secret-evolution-extended-spies-reach.html

 

 

 

 

 

The President on Mass Surveillance

 

JAN. 17, 2014
The New York Times
By THE EDITORIAL BOARD

 

In the days after Edward Snowden revealed that the United States government was collecting vast amounts of Americans’ data — phone records and other personal information — in the name of national security, President Obama defended the data sweep and said the American people should feel comfortable with its collection. On Friday, after seven months of increasingly uncomfortable revelations and growing public outcry, Mr. Obama gave a speech that was in large part an admission that he had been wrong.

The president announced important new restrictions on the collection of information about ordinary Americans, including the requirement of court approval before telephone records can be searched. He called for greater oversight of the intelligence community and acknowledged that intrusive forms of technology posed a growing threat to civil liberties.
Related Coverage

President Obama delivered remarks about government surveillance programs at the Department of Justice in Washington on Friday.

“Our system of government is built on the premise that our liberty cannot depend on the good intentions of those in power,” Mr. Obama said in a speech at the Justice Department. “It depends on the law to constrain those in power.”

But even as Mr. Obama spoke eloquently of the need to balance the nation’s security with personal privacy and civil liberties, many of his reforms were frustratingly short on specifics and vague on implementation.

The president’s most significant announcement was also the hardest to parse. He ordered “a transition that will end” the bulk collection of phone metadata as it currently exists, but what exactly will end? The database will still exist, even if he said he wants it held outside the government. Mr. Obama should have called for sharp reductions in the amount of data the government collects, or at least adopted his own review panel’s recommendation that telecommunications companies keep the data they create and let the National Security Agency request only what it needs. Instead, he gave the Justice Department and intelligence officials until late March to come up with alternate storage options, seeking a new answer when the best ones are already obvious.

But he added two restrictions that could significantly reduce the possibility of abuse of this information: Wherever the database resides, he said, it may be queried only “after a judicial finding or in the case of a true emergency.” (That calls for a clear definition of “emergency.”) Agency analysts will be permitted to pursue phone calls that are two “hops” removed from a number associated with a terrorist organization, instead of three. That extra hop allowed for the examination of an exponentially larger number of phone calls.

Mr. Obama did not address the bigger problem that the collection of all this data, no matter who ends up holding onto it, may not be making us any safer. That was the conclusion of the president’s review panel as well as a federal judge in Washington who ruled that the bulk-collection program was probably unconstitutional and an extensive report by the New America Foundation finding that the program “has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist-related activity.”

Mr. Obama called on Congress to create a panel of independent advocates to argue in significant cases before the intelligence court, which currently hears arguments only from the government and must rely on government officials to identify and disclose their own mistakes. That would be a huge improvement to the one-sided process that often turns the court into a rubber stamp, but Congress is likely to dither over it. It would be better for the president to create the panel himself and work with the courts to find independent members. At the same time, any public advocate must be free to decide what cases to argue and not be limited to the administration’s or the court’s view of what is “significant.”

Mr. Obama wisely sought to tamp down the international furor over surveillance of foreign leaders and ordinary citizens by announcing restrictions on the collection, use and retention of that data. He said he would extend certain protections normally afforded only to Americans. “People around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security,” Mr. Obama said.

Several of the presidential review panel’s key recommendations were not addressed on Friday. The panel said a court order should be required to search through Americans’ emails or calls that are incidentally intercepted; the president called only for unspecified reforms. He rejected the recommendation that judges sign off on the subpoenas used by the F.B.I. to demand business records, known as national security letters, saying only that they should be less secret. That doesn’t go nearly far enough to curb these orders, which have been abused. Mr. Obama said nothing about the process of selecting intelligence-court judges, which now resides solely in the hands of one man, Chief Justice John Roberts Jr. He also failed to address the panel’s call for the N.S.A. to stop undermining commercial efforts to create better encryption technology.

One of his biggest lapses was his refusal to acknowledge that his entire speech, and all of the important changes he now advocates, would never have happened without the disclosures by Mr. Snowden, who continues to live in exile and under the threat of decades in prison if he returns to this country.

The president was right to acknowledge that leaders can no longer say, “Trust us, we won’t abuse the data we collect.” But to earn back that trust, he should be forthright about what led Americans to be nervous about their own intelligence agencies, and he should build stronger protections to end those fears.

 

A version of this editorial appears in print on January 18, 2014,

on page A22 of the New York edition with the headline:

The President on Mass Surveillance.

    The President on Mass Surveillance, NYT, 17.1.2014,
    http://www.nytimes.com/2014/01/18/opinion/the-president-on-mass-surveillance.html

 

 

 

 

 

A Crucial Caveat

in Obama’s Vow on Phone Data

 

JAN. 17, 2014
The New York Times
By PETER BAKER

 

WASHINGTON — In overhauling the nation’s spy programs, President Obama vowed on Friday that he “will end” the bulk telephone data program that has caused so much consternation — “as it currently exists.”

The caveat is important. Although Mr. Obama imposed some new conditions on the program, the National Security Agency, for the time being at least, will continue to maintain and tap into its vast catalog of telephone data of tens of millions of Americans until someone can think of another way to do the same thing.

The series of surveillance changes offered by Mr. Obama on Friday were intended to reassure a wary public without uprooting programs that he argued have helped protect the country. In his most extensive response to revelations by Edward J. Snowden, the former N.S.A. contractor, Mr. Obama ordered more transparency and instituted more safeguards, but he either passed over the most far-reaching recommendations of his own review panel or left them for Congress and the security agencies themselves to hash out.

The president, in response to months of debate set off by the disclosures of Edward J. Snowden, highlighted changes to the National Security Administration’s practices.

“The reforms I’m proposing today should give the American people greater confidence that their rights are being protected, even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe,” Mr. Obama said in his speech in the cavernous Great Hall of the Justice Department. “And I recognize that there are additional issues that require further debate.”

Mr. Obama argued that the programs that have become so disputed had not been abused and yet needed reform to avoid the perception of abuse. And as he tried to satisfy critics by embracing their concerns, Mr. Obama also seemed determined to avoid alienating many of the major players involved in the country’s intelligence programs.

He deferred to James B. Comey, the F.B.I. director, by rejecting a proposal by his review panel to require court approval of administrative subpoenas known as national security letters. He avoided offending Chief Justice John G. Roberts Jr. by declining to accept a recommendation to take away his unilateral power to appoint every member of the Foreign Intelligence Surveillance Court, which oversees secret spying programs.

Mr. Obama agreed with telecommunications providers and did not back a proposal to have them keep the bulk data now housed at the N.S.A. He did not take on the N.S.A. military establishment by permitting a civilian to head the agency or by making the director’s position subject to Senate confirmation, two other recommendations of his advisers. And he acceded to Judge John D. Bates, the former surveillance court chief judge who had told Congress that any new privacy advocate appointed to argue before the court should not be an independent figure allowed to participate across the board.

Civil liberties advocates who had pressed Mr. Obama to do more reacted with a mix of optimism and disappointment. “While I appreciate the president’s effort to strike a better balance between the twin imperatives of protecting Americans from harm and ensuring their civil liberties, the steps he announced today fall short of reining in the N.S.A.,” said Representative Peter Welch, Democrat of Vermont.

Supporters of the intelligence programs, on the other hand, were skeptical, worrying that the immediate changes ordered by Mr. Obama may produce more procedural hurdles, and that the larger changes still possible down the road would hinder the search for terrorists.

Michael Allen, a national security aide in the Bush administration who also worked for the House Intelligence Committee, said that if nothing else, the changes may inspire confusion and risk aversion. Referring to the bulk data collection, Mr. Allen said, “The president says it is important, could have helped us prevent 9/11, it has worked, there are no instances of abuse, but we should change it anyway.”

The bulk data program seemed to cause the most difficulty for the president as he pondered what to do about it. His review panel suggested taking the data out of the N.S.A.'s hands and leaving it with telecommunications companies or a newly created independent entity. The N.S.A. could then tap it only in certain instances while investigating terrorist links.

Mr. Obama deemed both of those ideas unworkable and so put off a decision by saying he supported the goal of removing the data from the N.S.A. but would ask Attorney General Eric H. Holder Jr. and James Clapper Jr., the director of national intelligence, to come up with a way of doing that. He also sought ideas from Congress, which would have to pass legislation to change the program.

In the meantime, he set out a new rule that “the database can be queried” only with permission from the surveillance court, but allowed an exception “in the case of a true emergency.” He did not define what would constitute such an emergency or who would determine whether a situation qualified. Nor did he clarify whether the court would have to approve each time a new telephone number was searched or each time a new target was searched. But some program supporters expressed concern that it could take too long.

He also limited the scope of searches, allowing analysts to study data two layers removed from the target, instead of three. Intelligence officials have accepted such a change because the amount of data expands so vastly three layers out that it becomes less useful.

The details matter, and may become clearer in coming days. But for a president who came to office promising to end what he considered the excesses of the new security state, Mr. Obama’s speech on Friday was as much about the larger question of faith. Rather than throw out the programs at issue, he hoped to convince the public that they are being run appropriately.

That reflected an evolution for the president’s attitude toward the dispute. When the first of Mr. Snowden’s revelations came out last year, Mr. Obama seemed surprised at the public reaction.

“If people can’t trust not only the executive branch but also don’t trust Congress and don’t trust federal judges to make sure that we’re abiding by the Constitution, due process and rule of law, then we’re going to have some problems here,” he said last June.

By Friday, he had come to agree that Americans had every reason to be skeptical. “Given the unique power of the state,” Mr. Obama said, “it is not enough for leaders to say ‘trust us, we won’t abuse the data we collect,’ for history has too many examples when that trust has been breached. Our system of government is built on the premise that our liberty cannot depend on the good intentions of those in power; it depends on the law to constrain those in power.”

    A Crucial Caveat in Obama’s Vow on Phone Data, NYT, 17.1.2014,
    http://www.nytimes.com/2014/01/18/us/
    a-crucial-caveat-in-obamas-vow-on-phone-data.html

 

 

 

 

 

N.S.A. Devises Radio Pathway

Into Computers

 

JAN. 14, 2014
The New York Times
By DAVID E. SANGER
and THOM SHANKE

 

WASHINGTON — The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.
Related Coverage

President Obama spoke to reporters before a cabinet meeting at the White House on Tuesday morning. Mr. Obama’s speech on spying guidelines is scheduled for Friday.
Obama to Place Some Restraints on SurveillanceJAN. 14, 2014

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level.

Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command, have been units of the Chinese Army, which the United States has accused of launching regular digital probes and attacks on American industrial and military targets, usually to steal secrets or intellectual property. But the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.”

“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”
How the N.S.A. Uses Radio Frequencies to Penetrate Computers

The N.S.A. and the Pentagon’s Cyber Command have implanted nearly 100,000 “computer network exploits” around the world, but the hardest problem is getting inside machines isolated from outside communications.
 


No Domestic Use Seen

There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States. While refusing to comment on the scope of the Quantum program, the N.S.A. said its actions were not comparable to China’s.

“N.S.A.'s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements,” Vanee Vines, an agency spokeswoman, said in a statement. “We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — U.S. companies to enhance their international competitiveness or increase their bottom line.”

Over the past two months, parts of the program have been disclosed in documents from the trove leaked by Edward J. Snowden, the former N.S.A. contractor. A Dutch newspaper published the map of areas where the United States has inserted spy software, sometimes in cooperation with local authorities, often covertly. Der Spiegel, a German newsmagazine, published the N.S.A.'s catalog of hardware products that can secretly transmit and receive digital signals from computers, a program called ANT. The New York Times withheld some of those details, at the request of American intelligence officials, when it reported, in the summer of 2012, on American cyberattacks on Iran.

President Obama is scheduled to announce on Friday what recommendations he is accepting from an advisory panel on changing N.S.A. practices. The panel agreed with Silicon Valley executives that some of the techniques developed by the agency to find flaws in computer systems undermine global confidence in a range of American-made information products like laptop computers and cloud services.

Embracing Silicon Valley’s critique of the N.S.A., the panel has recommended banning, except in extreme cases, the N.S.A. practice of exploiting flaws in common software to aid in American surveillance and cyberattacks. It also called for an end to government efforts to weaken publicly available encryption systems, and said the government should never develop secret ways into computer systems to exploit them, which sometimes include software implants.

Richard A. Clarke, an official in the Clinton and Bush administrations who served as one of the five members of the advisory panel, explained the group’s reasoning in an email last week, saying that “it is more important that we defend ourselves than that we attack others.”

“Holes in encryption software would be more of a risk to us than a benefit,” he said, adding: “If we can find the vulnerability, so can others. It’s more important that we protect our power grid than that we get into China’s.”

From the earliest days of the Internet, the N.S.A. had little trouble monitoring traffic because a vast majority of messages and searches were moved through servers on American soil. As the Internet expanded, so did the N.S.A.'s efforts to understand its geography. A program named Treasure Map tried to identify nearly every node and corner of the web, so that any computer or mobile device that touched it could be located.

A 2008 map, part of the Snowden trove, notes 20 programs to gain access to big fiber-optic cables — it calls them “covert, clandestine or cooperative large accesses” — not only in the United States but also in places like Hong Kong, Indonesia and the Middle East. The same map indicates that the United States had already conducted “more than 50,000 worldwide implants,” and a more recent budget document said that by the end of last year that figure would rise to about 85,000. A senior official, who spoke on the condition of anonymity, said the actual figure was most likely closer to 100,000.

That map suggests how the United States was able to speed ahead with implanting malicious software on the computers around the world that it most wanted to monitor — or disable before they could be used to launch a cyberattack.

 

A Focus on Defense

In interviews, officials and experts said that a vast majority of such implants are intended only for surveillance and serve as an early warning system for cyberattacks directed at the United States.

“How do you ensure that Cyber Command people” are able to look at “those that are attacking us?” a senior official, who compared it to submarine warfare, asked in an interview several months ago.

“That is what the submarines do all the time,” said the official, speaking on the condition of anonymity to describe policy. “They track the adversary submarines.” In cyberspace, he said, the United States tries “to silently track the adversaries while they’re trying to silently track you.”

If tracking subs was a Cold War cat-and-mouse game with the Soviets, tracking malware is a pursuit played most aggressively with the Chinese.

The United States has targeted Unit 61398, the Shanghai-based Chinese Army unit believed to be responsible for many of the biggest cyberattacks on the United States, in an effort to see attacks being prepared. With Australia’s help, one N.S.A. document suggests, the United States has also focused on another specific Chinese Army unit.

Documents obtained by Mr. Snowden indicate that the United States has set up two data centers in China — perhaps through front companies — from which it can insert malware into computers. When the Chinese place surveillance software on American computer systems — and they have, on systems like those at the Pentagon and at The Times — the United States usually regards it as a potentially hostile act, a possible prelude to an attack. Mr. Obama laid out America’s complaints about those practices to President Xi Jinping of China in a long session at a summit meeting in California last June.

At that session, Mr. Obama tried to differentiate between conducting surveillance for national security — which the United States argues is legitimate — and conducting it to steal intellectual property.

“The argument is not working,” said Peter W. Singer of the Brookings Institution, a co-author of a new book called “Cybersecurity and Cyberwar.” “To the Chinese, gaining economic advantage is part of national security. And the Snowden revelations have taken a lot of the pressure off” the Chinese. Still, the United States has banned the sale of computer servers from a major Chinese manufacturer, Huawei, for fear that they could contain technology to penetrate American networks.

 

An Old Technology

The N.S.A.'s efforts to reach computers unconnected to a network have relied on a century-old technology updated for modern times: radio transmissions.

In a catalog produced by the agency that was part of the Snowden documents released in Europe, there are page after page of devices using technology that would have brought a smile to Q, James Bond’s technology supplier.

One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.

The relay station it communicates with, called Nightstand, fits in an oversize briefcase, and the system can attack a computer “from as far away as eight miles under ideal environmental conditions.” It can also insert packets of data in milliseconds, meaning that a false message or piece of programming can outrace a real one to a target computer. Similar stations create a link between the target computers and the N.S.A., even if the machines are isolated from the Internet.

Computers are not the only targets. Dropoutjeep attacks iPhones. Other hardware and software are designed to infect large network servers, including those made by the Chinese.

Most of those code names and products are now at least five years old, and they have been updated, some experts say, to make the United States less dependent on physically getting hardware into adversaries’ computer systems.

The N.S.A. refused to talk about the documents that contained these descriptions, even after they were published in Europe.

“Continuous and selective publication of specific techniques and tools used by N.S.A. to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies,” Ms. Vines, the N.S.A. spokeswoman, said.

But the Iranians and others discovered some of those techniques years ago. The hardware in the N.S.A.'s catalog was crucial in the cyberattacks on Iran’s nuclear facilities, code-named Olympic Games, that began around 2008 and proceeded through the summer of 2010, when a technical error revealed the attack software, later called Stuxnet. That was the first major test of the technology.

One feature of the Stuxnet attack was that the technology the United States slipped into Iran’s nuclear enrichment plant at Natanz was able to map how it operated, then “phone home” the details. Later, that equipment was used to insert malware that blew up nearly 1,000 centrifuges, and temporarily set back Iran’s program.

But the Stuxnet strike does not appear to be the last time the technology was used in Iran. In 2012, a unit of the Islamic Revolutionary Guards Corps moved a rock near the country’s underground Fordo nuclear enrichment plant. The rock exploded and spewed broken circuit boards that the Iranian news media described as “the remains of a device capable of intercepting data from computers at the plant.” The origins of that device have never been determined.

On Sunday, according to the semiofficial Fars news agency, Iran’s Oil Ministry issued another warning about possible cyberattacks, describing a series of defenses it was erecting — and making no mention of what are suspected of being its own attacks on Saudi Arabia’s largest oil producer.

 

A version of this article appears in print on January 15, 2014,

on page A1 of the New York edition with the headline:

N.S.A. Devises Radio Pathway Into Computers.

    N.S.A. Devises Radio Pathway Into Computers, NYT, 14.1.2014,
    http://www.nytimes.com/2014/01/15/us/
    nsa-effort-pries-open-computers-not-connected-to-internet.html

 

 

 

 

 

Obama Seeks Balance in Plan

for Spy Programs

 

JAN. 9, 2014
The New York Times
By PETER BAKER
and CHARLIE SAVAGE

 

WASHINGTON — As he assembles a plan to overhaul the nation’s surveillance programs, President Obama is trying to navigate what advisers call a middle course that will satisfy protesting national security agencies while tamping down criticism by civil liberties advocates.

Mr. Obama has not tipped his hand much during the meetings he has held with intelligence officials and lawmakers before he unveils his plan as early as next Friday. But some of the proposals under consideration are forcing him to decide just how much he is willing to curtail government spying in the interest of reassuring a wary public.

The challenge was brought into stark relief on Thursday when James B. Comey, who is the director of the Federal Bureau of Investigation and was recently appointed by Mr. Obama, went public with his objections to a recommendation of a presidential review group. The panel suggested requiring court review of so-called national security letters compelling businesses, under a gag order, to turn over records about customer communications and financial transactions.

“What worries me about their suggestion that we impose a judicial procedure on N.S.L.’s is that it would actually make it harder for us to do national security investigations than bank fraud investigations,” Mr. Comey said. He added, “I just don’t know why you would make it harder to get an N.S.L. than a grand jury subpoena,” calling the letters “a very important tool that is essential to the work we do.”

Such letters have long been used in bank fraud and other cases, but their use exploded over the past decade as they were expanded to terrorism investigations, with the agency now issuing tens of thousands a year since Congress lowered the legal standard. The review panel urged Mr. Obama to require a judge to find “reasonable grounds” that the information sought “is relevant” to terrorism activities.

Mr. Obama has run into resistance from national security officials to other proposals. They oppose checks on government subversion of commercial encryption software, and they argue that further limits on another program intercepting communications would create legal, political and bureaucratic uncertainties.

But Mr. Obama has met more acquiescence on two proposals he seems likely to adopt. One would have telecommunications firms or a private consortium, rather than the government, store vast troves of telephone metadata. Another would establish a public advocate to argue against the government before a secret intelligence court that oversees surveillance.

A departing N.S.A. official said in an interview to be aired on NPR on Friday that the agency would accept a public advocate. “I would welcome that advocacy in the room,” said John Inglis, who is retiring as deputy N.S.A. director on Friday. “The question is how operationally efficient can you make it.”

Yet such moves may not satisfy vocal critics of the N.S.A. after revelations by its onetime contractor Edward J. Snowden. A committee of former N.S.A. officials released 21 recommendations on Thursday that go much further, like outlawing national security letters and revoking 2008 legislation authorizing expansive surveillance.

The debate came as lawmakers digested a report by the Defense Intelligence Agency concluding that Mr. Snowden’s revelations probably made American forces overseas more vulnerable. “Snowden’s actions are likely to have lethal consequences for our troops in the field,” said Representative Mike Rogers, Republican of Michigan and chairman of the House Intelligence Committee.

Documents leaked by Mr. Snowden revealed military techniques to secure, and interfere with, telephone and computer network communications. But the D.I.A. report remained classified and it was difficult, officials acknowledged, to quantify any damage. Ben Wizner, an American Civil Liberties Union lawyer who advises Mr. Snowden, criticized the lawmakers’ description of the account as “exaggerated national security claims.”

Mr. Obama spent 90 minutes on Thursday talking with lawmakers from both parties about the proposed policy changes, a day after meeting with Mr. Comey and other national security officials, and separately, a privacy advisory board. White House officials will also meet on Friday with technology company executives.

One adviser, who spoke about the president’s deliberations on condition of anonymity, said Mr. Obama was seeking a middle ground that probably would draw complaints from both security and privacy advocates. “Whatever he does next week will be an attempt to reach that balance, and on both sides there will be some element of dissatisfaction,” the adviser said.

Some of the 16 lawmakers who attended the meeting in the Roosevelt Room said Mr. Obama was still sorting through the complex issues. “The president is thinking through this in a very correct way, and I think he’s asking the right questions and still making up his mind,” said Senator Saxby Chambliss of Georgia, the top Republican on the Intelligence Committee.

Senator Richard Blumenthal, Democrat of Connecticut, said Mr. Obama seemed likely to support a public advocate as well as a change in the method of appointing members of the secret intelligence court. “He’s clearly given it a lot of thought — very penetrating and searching thought,” Mr. Blumenthal said.

Much of the discussion centered on the metadata program. “The critical question at the end of the day is if the program has some value, how is that weighed against the cost of collecting millions and millions of domestic call records of the American people?” asked Representative Adam Schiff, Democrat of California and a member of the Intelligence Committee. Even if Mr. Obama shifts storage of such data, officials have debated whether each telecommunications company should keep its own or a single consortium should be created to house all of it. Some officials complained it would be inefficient if the N.S.A. had to go to individual companies each time it wanted to search for a number, while critics like Mr. Schiff said creating a consortium would be pointless because it would be seen as a de facto arm of the N.S.A.

Senator Ron Wyden, Democrat of Oregon and a critic of the surveillance programs, said he objected during the meeting to the assertion that the bulk records program thwarted attacks. He said he read aloud a sentence from Mr. Obama’s review group report declaring that information gleaned by the program “was not essential to preventing attacks and could readily have been obtained in a timely manner” using conventional means.

 

Michael S. Schmidt, David E. Sanger

and Jeremy W. Peters contributed reporting.

 

 

A version of this article appears in print on January 10, 2014,

on page A12 of the New York edition with the headline:

Obama Seeks Balance In Plan for Spy Programs.

    Obama Seeks Balance in Plan for Spy Programs, NYT, 9.1.2014,
    http://www.nytimes.com/2014/01/10/us/
    obama-seeks-balance-in-plan-for-spy-programs.html

 

 

 

home Up