@War: The Rise of the Military-Internet Complex (13 page)

“There aren't enough of the most critically skilled professionals to go around,” says Major General John Davis, senior military adviser for cyberspace policy at the Pentagon.
The military can't pay its personnel what they'd make in the private sector, where the most highly trained military hackers could easily double their salaries working for a government contractor. “The air force will never win a bidding war” with businesses, says Mark Maybury, the service's chief scientist. The same goes for the other branches of the armed forces. And there's no obvious solution to this labor problem. There's not much money in the military to hire more cyber warriors. And there's little appetite in Congress for raising the salaries of the existing force.

The military has urged colleges and universities to teach cyber warfare, like the air force does. A few undergraduate institutions do. But most regard computer hacking as unsavory business. “Universities don't want to touch [it], they don't want to have the perception of teaching people how to subvert things,” Steven LaFountain, an NSA official who helps develop new academic programs, told a reporter.
And by the time some students reach the agency, officials discover they haven't always been trained to NSA standards. “We have to teach them the technical skills we thought they should have gotten in school, and then we have to teach them the specific skills related to their mission,” LaFountain said.

The NSA has teamed up with a handful of universities to help write their curriculum. (Students who want to enroll have to pass a background check and obtain a top-secret security clearance. Part of the coursework includes classified seminars at the NSA.) The agency will also help pay for some students to get a bachelor's degree in computer science and take courses in basic security—the agency even gives them a laptop and a monthly stipend. In exchange, they go to work for the agency when they graduate. Most of these schools—which range from Princeton University to small community colleges in nearly every state—don't teach cyber offense. The NSA takes care of that part of the education when the student shows up for work.

Even before students reach college, the military sponsors cyber defense clubs and competitions for school-aged children, such as the CyberPatriot program, a nationwide competition for middle and high schoolers. The program is cosponsored by defense contractors, including Northrop Grumman and SAIC, the company that built the prototype for the RTRG. The competition partners with Boy Scout troops and the Boys & Girls Clubs of America as well as Junior ROTC programs, Civil Air Patrol squadrons, and Naval Sea Cadet Corps units. Davis calls the program “a way [for young people] to contribute to the national and economic security of this nation.”

But to attract the best talent the NSA has to compete with private industry. It recruits from the best computer science schools, including Stanford University and Carnegie Mellon. And it sends representatives to the most important annual hacker conventions, Black Hat and Def Con, in Las Vegas. In July 2012, Keith Alexander, NSA director, gave a speech at Def Con, calling on the assembled hackers to join forces with his agency, either by coming to work there or by collaborating with his team. Many of the hackers worked for security companies, but some were freelance operators who made their living discovering holes in systems and then alerting the manufacturer or developer, so they could be patched. To appeal to his audience, Alexander shed his army uniform in favor of a pair of jeans and a black T-shirt. “This is the world's best cybersecurity community. In this room right here is the talent our nation needs to secure cyberspace,” he told the hackers, any number of whom US law enforcement agencies might regard as criminals. “Sometimes you guys get a bad rap,” Alexander said. “From my perspective, what you're doing to figure out vulnerabilities in our systems is great. We have to discover and fix those. You guys hold the line.”

But Alexander wasn't the only one in Las Vegas on a recruitment campaign. On the convention floor, executives and employees from cyber security firms were handing out brochures and T-shirts of their own. Among them were former NSA employees, whom the agency had trained to become top-tier hackers.

Alexander's recruitment challenge became harder the following summer, after documents leaked by a former NSA contractor—whom the agency had trained to be a hacker—revealed extraordinary amounts of detail about clandestine efforts to spy on systems around the world, including a program that allows that agency to collect every telephone record in the United States, and another one that gathers data from some of the world's more important technology companies, including Google, Facebook, and Apple. It was hardly a secret that the NSA was in the espionage business, but the scale of the spying caught some hackers by surprise (as it did many in the public at large). Def Con rescinded an invitation for Alexander to give another keynote speech. He appeared instead at Black Hat, where he was heckled by audience members.

FOUR

B
Y THE TIME
he was named commander of US Cyber Command, in 2010, Keith Alexander had had five years to master the signals intelligence domain as the director of the NSA. He was an adept technician. “When he would talk to our engineers, he would get down in the weeds as far as they were. And he'd understand what they were talking about,” says a former senior NSA official. Then, when surveillance laws were changed in 2007 and 2008 to allow broader access to communications networks, Alexander seized the political moment and turned the NSA into the undisputed spymaster of the Internet. The agency was given the authority and the money to build up a hacker force. Technically speaking, they were intelligence agency employees, instructed only to monitor networks. But when they linked up with Cyber Command, they became warriors. The hackers flowed freely from one mission to the other and blurred the lines between espionage and combat. And one group of hackers in particular became the NSA's secret weapon.

The agency's best-trained and most skilled hackers work in its Tailored Access Operations office, or TAO.
Estimates on the number of personnel assigned there vary, from three hundred on the low end to perhaps as many as six hundred, but this latter number may include analysts and support personnel as well.

Within TAO, different groups carry out a range of espionage and attack operations. One conducts surveillance to map out the computer networks of its targets and find their vulnerabilities. Another unit researches the latest hacking tools and techniques for penetrating secure computer networks. Another builds penetration tools tailored just for telecommunications networks. Within that group are hackers who develop tools for commandeering video cameras, particularly on laptop computers, and industrial control systems, devices that control and regulate power grids, nuclear reactors, dams, and other infrastructure. And yet another unit carries out computer network attacks in conjunction with a CIA group called the Technology Management Office, which helps the NSA break in to hard-to-reach networks where a person might be required to manually insert a virus or piece of spyware with, say, a USB thumb drive.

TAO's offices are located in a secure building at Fort Meade, Maryland. To get inside, employees must pass a retinal scan and enter a six-digit code outside a large steel door manned by armed guards. The hacker unit is one of the most secretive organizations in the intelligence community. Few NSA employees have the high levels of security clearance necessary to know about what TAO does or step foot inside its fortified chamber at Fort Meade.

The TAO hackers have only one job: to get inside adversaries' networks, by hook or by crook. They steal or crack passwords, implant spyware, install backdoors, and work with CIA's networks of human spies, all in a broad effort to obtain information. There are two purposes for this espionage. One is to obtain the secrets of the United States' competitors—whether friend of foe. The other is to gather information on how to destroy those computer networks and the infrastructure attached to them should the president ever give that order. On the Internet battlefield, TAO is surveilling potential targets. Were an order to attack ever given, they would help lead the charge.

US officials and intelligence experts estimate that TAO has implanted spying devices in at least 85,000 computer systems in 89 countries, according to classified documents that were released by former NSA contractor Edward Snowden. In 2010, TAO conducted 279 operations. The unit has cracked the encryption that underpins widely used e-mail systems, including BlackBerry, in order to spy on computer users around the world. It has even gone so far as to divert the shipments of its targets' computers to an NSA facility and then implant spyware inside the computers. A TAO PowerPoint presentation detailing its exploits boasts a modified version of the familiar Intel logo. It reads, “TAO Inside.”

In most cases the infected machine's owner has no idea that TAO hackers are watching it. That's because the unit relies on a stockpile of so-called zero day vulnerabilities, which are essentially flaws in a computer system known only to the hacker. The agency buys these vulnerabilities on a gray market from hackers who have discovered them, sometimes for several thousand dollars each. In other instances the NSA pays software and hardware companies not to disclose vulnerabilities or backdoors in their products, so that the spy agency and the TAO hackers can exploit them.

Once inside those computers, a hacker can read and copy all unencrypted documents on the machine, including text files, e-mails, audiovisual files, presentations, contact lists—everything. Encrypted information is harder to read, but not impossible. Part of the NSA's mission, after all, is code breaking, and it's been the best in the business for more than sixty years.

About the only thing that the TAO hackers can't do is spy on a country with restricted access to the Internet. That's why North Korea has generally been beyond the elite group's reach. The country's connections to the outside world are so limited, and so tightly defended and monitored, that TAO has very few points of easy entry.

The same cannot be said for China.

 

China is the most important target for NSA surveillance and cyber warfare planning. And although Chinese officials have gone to great lengths to control access to and activity on the Internet from inside the country, China is a large, technologically evolving nation, and that makes it vulnerable.

The intelligence historian and journalist Matthew Aid learned that TAO “has successfully penetrated Chinese computer and telecommunications systems for almost 15 years, generating some of the best and most reliable intelligence information about what is going on inside the People's Republic of China.” Indeed, it was TAO that gave US officials the evidence that China had penetrated the computer networks of defense contractors and other US companies. Classified NSA documents show that the agency has targeted the networks of Huawei, the world's biggest telecommunications maker, which is based in China. US intelligence officials and some lawmakers have suspected for years that Huawei is a proxy for the Chinese military and intelligence services. US regulatory agencies have blocked the installation of Huawei telecom equipment, including switches and routers, in this country for fear they'll be used as a conduit for cyber spying.

Edward Snowden told Chinese journalists that the NSA broke in to computers at Beijing's Tsinghua University, one of the country's top education and research institutions.
Snowden described the hacking as extensive. On one day in January 2013, the NSA had penetrated at least sixty-three university computers or servers, according to documents Snowden showed the journalists. Those documents proved the NSA had done as he claimed, Snowden said, because they showed Internet protocol addresses that could have been obtained only by someone with physical access to the computers.

Why would the NSA be interested in hacking a Chinese university? The journalists Snowden talked to noted that Tsinghua is home to the China Education and Research Network, a government-run system from which “Internet data from millions of Chinese citizens could be mined.” That may be one reason the NSA wanted inside. But US analysts and investigators believe that Chinese universities are a major talent pool for the government. Unit 61398, the People's Liberation Army cyber outfit based in Shanghai, “aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology,” according to the computer security firm Mandiant. “The majority of ‘profession codes' describing positions that Unit 61398 is seeking to fill require highly technical computer skills.”

It's also possible that by hacking into computers at Tsinghua, the NSA was trying to get the names of Chinese recruits or learn more about how they're trained. Tsinghua's own computer science and technology department offers undergraduate-, master's-, and PhD-level classes. According to one international study, Tsinghua is the top computer science university in mainland China and ranks twenty-seventh in the world.
The university publicly bills itself as a leading institution. The NSA and the military maintain a database of all known hackers working in China. If the NSA wanted to identify future Chinese hackers when they are just getting into the business, Tsinghua would be a logical place to look.

 

China is the biggest target of late, but it's not the only one on which TAO hackers have set their sights. They assisted in tracking down hundreds of al-Qaeda terrorists and insurgents during the 2007 surge in Iraq. That year they also were recognized with an award from NSA leadership for their work gathering intelligence about the capabilities of Iran's nuclear weapons program.
Matthew Aid writes that TAO “is the place to be right now,” according to a recently retired NSA official.
Personnel who want to get promoted or win professional awards try to get transferred to TAO, where they have many opportunities to show off their electronic spying skills. One NSA official, Teresa Shea, got her job as the head of NSA's Signals Intelligence Directorate—one of the most prestigious and senior posts in the agency—thanks to the work she did as the chief of TAO, gathering intelligence that most agencies in the government could not.