Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Author: Susan Landau
The Morris worm made the front page of the New York Times in November
1988. As computers and connections to the Internet have become
widespread, so have attacks on computer systems, and these now only
rarely make the news. Two other aspects of cyberattacks have changed as
well. Such exploits once carried a certain prank status and occasionally
even an outlaw romantic air. That is long gone in the wake of the serious
disruption caused. The other change has been in the nature of the
attackers.
Originally computer-system vulnerabilities were exploited by those
seemingly curious to test their ability to raise havoc. That role has been
taken over by "script kiddies," people who download preconfigured tools
that they then use to launch assaults. This group is not without ability to
cause economic harm, but because these prefabricated attacks are already
well known, appropriate defense is frequently in place. Exploits by script
kiddies tend to be less disruptive than other attacks.
New technologies are usually taken up by criminals, and the Internet
has been no exception. Spam, offering bargains in drugs or stocks too good
to be true (and they are too good to be true), is quite common. A study
of stock spam, which urges people to buy penny stocks, shows that there
is a small bump in the stock price shortly after the mail is sent. Because
these bumps occur on a predictable timetable, spammers are able to sell at
the right moment and make a small profit.1
Spammers often use compromised machines, or bots.2 These bots may
have been compromised through malware from an infected web page, or
perhaps through a virus or worm received in an email; the bots form a
network controlled by a single entity, a botnet, and in at least one instance,
a botnet included infected PCs from U.S. defense agencies.3 The varied IP
addresses of the botnet participants provide a way of disguising the initial
phases of an assault, and this complicates defenses.
Botnets distribute a task over thousands of hosts across the Internet,
and range in size from several thousand to well over a hundred thousand
end hosts, or computers.4 Bots regularly check in with a server that provides
new software to download, gives instructions on a site to attack, and so
on. Spammers can rent a botnet for about $1,000 an attack.5 The use of
spam for the penny stocks showed that renting botnets is "on average a
profitable business model (for spammers)."6
In 2007 the nation of Estonia was subjected to a major DDoS attack.
First the Estonian foreign minister's website was bombarded with packets,
but soon the attack was extended to other government agencies as well as
Estonian businesses.7 In the initial two weeks, there were 128 separate DDoS
attacks on Estonian websites. Most of the incidents were short, but seven
lasted at least ten hours.8 The cost to mount the attacks was estimated at
under $100,000;9 the cost to Estonia, in terms of lost business and disruption, was far greater. A more serious DDoS attack was made against Georgian
government and media websites during the Russian invasion of Georgia
in August 2008, effectively shutting these information sources down.
Because Georgia was not particularly dependent on the Internet for critical
functions, the effect of the cyberattack was limited to silencing the Georgian government's voice.10 Although this was the first instance of cyberattacks coordinated with a physical one, the 2007 attack on Estonia, which
is a more cyber-dependent society, was, in fact, more disruptive.
Cyberattacks and cyberexploitation share a number of characteristics:
existence of a vulnerability, access to exploit the vulnerability, and software
to perform the exploitation.11 The payload may be a virus, a Trojan horse,
or a rootkit, a program with access to the computer's functions that can
remain hidden from the host computer's operating system. It may arrive
accidentally downloaded from a website, it may be in an email attachment,
or it may be rogue software on a USB flash drive. Where cyberattacks and
cyberexploitation differ is in execution: cyberattacks are about disrupting
or destroying the host, while cyberexploitation's purpose is gaining information. Espionage is most effective if the host is unaware that such exploitation has occurred, for then the spying may continue indefinitely.
Vulnerabilities created by building surveillance into communications infrastructure enable cyberexploitation. They may or may not enable direct attacks.
Thus I will mostly concentrate on cyberexploitation rather than cyberattacks.
7.1 Is Anyone Spying?
The best way to find out about a nation's military capabilities and intentions is to spy on its government and military, but there are other valuable sources of information as well. Whether in fictional accounts regarding the
German army's purchases of wool in 1940 (a signal that could indicate
that Germany was intending to attack the Soviet Union) or apocryphal
accounts concerning late-night purchases of pizza near the Pentagon
toward the end of 1990 (indicating that planning for an attack on Iraq
was occurring), eavesdropping on business communications is a well-known espionage technique. Such sources help agents flesh out the target's
plans. So while at first the Soviet Union focused on U.S. government
communications, by the early 1970s Soviet attention had shifted to include
defense contractors. In 1971, a KGB directive ordered agents to target
scientific and technical work, and specified such U.S. companies as
Grumman, Fairchild, GE, IBM, Sperry Rand, and General Dynamics.12 An
NSA history reported that the Soviets were believed to have "obtained
information on the most sophisticated new weapons systems, including
the F-14 fighter, B-1 bomber, Trident submarine, and advanced nuclear
weapons developments."13
Protecting civilian sites was more difficult than protecting government
targets. Contractors are more widely spread across society and are softer
targets than military ones. If Soviet spies were listening in on defense-industry communications, then their communications would need to be
secured. This necessitated a change in the U.S. defense posture.
The first concern was microwave transmissions. Such transmissions
spread out, with the signal larger than the antenna dish. This allows nearby
receivers, say on the tops of buildings close by, to access the signal. A large
number of defense contractors are located around the Washington Beltway,
and the Soviet embassy is located in a relatively high part of Washington,
its roof bristling with antennas. With the realization that the Soviets were
listening to business communications, National Security Advisor Henry
Kissinger issued a "highly sensitive" national-security memorandum directing that "Washington area microwave communications be buried to the
extent possible."14 Defense-related communications turned out to be one
part of an increasingly complex problem.
Domestic communications about even mundane things had national-security implications. In 1972, the same year that the United States was
enjoying a bumper wheat crop, the Soviet crop failed. The Soviets had been
monitoring transmissions between wheat traders and the Department of
Agriculture and had a better picture of prices and crop status than the U.S.
government and its farmers did. In a matter of a few weeks, the Soviet
Union purchased 1.5 million tons of wheat from the United States. This
was five times as much as it had previously purchased; it occurred at a time
when the wheat-crop failure extended to much of the world. The Soviet purchase was shrewdly done. It was expensive for the United States.
Domestic wheat prices increased by several hundred percent between June
1972 and February 1974.15
Soviet monitoring was not limited to Washington. The Soviets had
purchased a country home in Glen Cove, a suburb of New York. The Long
Island dacha happened to be perfectly situated so as to eavesdrop on
microwave communications along the Eastern Seaboard. IBM headquarters
and corporate offices were located in Westchester County, not far from
Glen Cove as the crow or microwave signal flies. The NSA discovered that
Soviet agents were listening to calls of IBM executives on the company's
private microwave network and warned the U.S. company.16 In the late
1980s a similar incident occurred with a different U.S. corporation;17 IBM
changed its communication policies.
Another Soviet eavesdropping station was in Lourdes, Cuba, strategically
located a hundred miles from Key West. This site consisted of twenty-eight square miles bristling with antennas monitoring satellite communications between the United States and Europe. Lourdes became active in
1962.18 For many decades the site listened in on unencrypted commercial
communications traffic between the United States and its trading
partners.
The ease of microwave eavesdropping was a two-way street, for the
United States benefited from the insecurity of transmissions in Cuba,
which used microwave relay systems rather than landlines (these had been
built by RCA International in 1957). These unprotected links provided an
easy way for the NSA to listen to all telecommunications between Havana
and the rest of the island.19
After a 1970s government study, the United States became quite concerned about the extent of Soviet electronic espionage of defense contractors.20 The CEOs participating in the study were "shocked" by the extent
of the eavesdropping. While burying microwave communications would
solve part of the problem, a more complete solution was needed. The
government embarked on a program to deliver secure phones to a large
portion of the defense industry.21
That was solving only a piece of an increasingly large problem. While
during the Cold War U.S. intelligence focused its attention on the Soviet
Union, some U.S. allies were also targeting U.S. industry. Some made
no bones about it. The former director of the French intelligence agency,
Direction Générale de la Sécurité Extérieure (DGSE), Pierre Marion,
who initiated a program of spying on U.S. business, explained, "It would
not be normal that we spy on the United States in political matters or in military matters, but in the economic and technical spheres, we are competitors; we are not allies."22 Spy they did.
The French government passed along product information to French
competitors of U.S. companies. Intelligence agents were reported to have
taken "unusually sensitive technical information for a struggling [French]
company."23 Seeking to support France's defense sector, French intelligence
agents were said to have focused on U.S. companies working on missile and
satellite espionage technologies.24 France targeted Boeing, General Dynamics, Hughes Aircraft, Lockheed, McDonnell Douglas, Martin Marietta, and
the Office of the U.S. Trade Representative (responsible for negotiating U.S.
trade agreements)25 and placed spies in Corning, IBM, and Texas Instruments.26 In one instance Cie. des Machines Bull sued Texas Instruments
(TI) for patent infringement only to have the U.S. company discover that
the patent in question had been stolen by a French mole working at TI
years earlier.27
Israel, another close ally of the United States, was described in a 1996
U.S. government report28 as having stolen technologies for numerous military systems; some of these were shared with Israeli companies.29 One
documented case occurred at the Illinois company Recon Optical.
Recon was building state-of-the-art airborne surveillance systems capable
of peering seventy miles. The company signed a $45 million contract with
the Israeli government to develop a system to be able to see twice as far,
and three Israeli Air Force officers went to work at the Illinois company.
The contract between Recon and Israel specified that all intellectual property rights belonged to the U.S. company. A few months into the effort,
the Israeli officers were caught stealing proprietary material, which they
were sending to Israel. The officers were dismissed, the contract abrogated.
After a four-year trial, a panel of arbitrators ordered Israel to pay Recon $3
million for the theft of secrets.30
Asia is another part of the economic espionage picture. Japan, with a
small military and virtually no defense-based industries, focuses on
consumer-oriented technologies. Much of the Japanese industrial spying
is done by private companies, but Japan's Ministry of Economy, Trade
and Industry (METI)31 and the Japanese External Trade Organization have
aided the efforts. Corporate espionage by Japanese firms runs across
multiple U.S. industries. Hitachi, having purchased a partial set of stolen
guides of product specifications for future IBM systems, attempted to
obtain the full set; the conspirators were arrested and the out-of-court
settlement was reputed to be $3 million.32 Fifteen Japanese firms targeted
Honeywell for its single-lens-reflex autofocusing technology, while Fuji attempted to illegally obtain Kodak's disposable 35 mm camera.33 When
Mitsubishi was unable to buy Celanese's formula for a high-quality
industrial film the company had developed, it turned to illegal means to
obtain it.34