Under the guise of security, the Internet’s original promise of a global commons of shared knowledge now risks falling under the control of cybervillains, from governments to an emerging new military-industrial complex.
San Francisco, February 2012. I arrive at the RSA Conference, one of the largest computer conferences and trade shows in the world. Held annually since 1991 in the San Francisco area, the event is managed by RSA Security, one of the leading cryptography companies in the United States. This year, the theme is “The Great Cipher Mightier Than the Sword.” Ironic, I think to myself, in light of the recent rash of computer security breaches, including a major one on RSA itself that targeted its SecurID tokens, an authentication mechanism provided to thousands of employees of Fortune 500 companies to access networks remotely, and, as advertised, in a secure manner.
The June 2011 RSA breach hit the American security and defence industry particularly hard, and was one of several in 2011 that called into question the reliability of some of the most basic mechanisms of the Internet’s infrastructure: certificates, authentication mechanisms, and encryption schemes all backed by name-brand, impressive corporations. These are the systems and companies we rely on to secure not only our desktops, but our entire way of life. Verizon, Cisco, RSA, and others, all now apparently the naked emperors of cyber security. By mid-2011 there also were breaches of Lockheed Martin, Epsilon, NASA, PBS, the European Space Agency, the FBI, and Citigroup. (I dubbed it “Breachfest 2011,” and thought T-shirts should be made up with the list of victims emblazoned on the back like city stops on a rock tour.)
Despite the breach at RSA, the conference is still a must-stop on the international cyber security agenda. I grasp the size of the meeting as I walk through San Francisco’s hilly streets from my hotel: thousands of geeks streaming along the sidewalks, growing in numbers as I approach the massive Moscone Center, a sprawling interconnected set of hangar-like buildings just off San Francisco’s downtown core, and the setting for this year’s conference.
I am featured on a panel on “Active Defence,” the latest euphemism in security circles for striking back in cyberspace. Many U.S. companies and government agencies are so frustrated with their inability to deal with persistent attacks on their intellectual property and infrastructure, that they are exploring ways to go beyond defence, to reach out across borders and deal with the problem where it originates. With me are two retired U.S. generals, Kenneth Minihan and Michael Hayden. Minihan was the director of the National Security Agency under George Bush Senior, Hayden the director of both the CIA and the NSA. I meet both of them before the panel begins, General Hayden introducing himself with a slightly unsettling, piercing stare that evaporates as we exchange pleasantries. (I read once that if one were to contrive a caricature of the director of the world’s leading spy agency he might look something like Hayden. Having finally met him, I can see why.) A bald, bespectacled man, Hayden looks straight out of central casting for James Bond villainy. Minihan is a less impressive figure physically, more like a retired uncle lounging in a fairway clubhouse. He and I share empty bromides about the weather. Volleying platitudes with people who once commanded the largest security and intelligence institutions on the planet, the apex of secrecy and power, is an unsettling experience. I look into Hayden’s eyes for some hint of targeted killings or forced extraditions, but all I see is calm self-assurance.
As we sit down, my thoughts drift back to the vendor expo across the hall. A major trade fair exhibiting the latest devices, hardware, and over-the-top software from the computer security and defence industries, the expo is located in a facility the size of several football fields. Obviously, it is at least as important as the conference itself. The expo is a curious pastiche: monster trucks meet Gates; bikini-clad women hand out USB sticks to nerds in business suits; and shiny BMW motorcycles with precariously balanced laptops on their seats rotate on elevated platforms. Auctioneers of the sort one would see peddling stain removers at a county fair bark out sales pitches for the latest firewalls and antivirus software. Years ago at conferences like this, the trade-show themes were all about the “magic of connecting”: connecting people in social networks; connecting computers to each other, and to the Internet. The theme of this year’s bonanza is all about doing just the opposite: building borders, fences, and firewalls to keep unwanted intruders and hackers out. Slogans alluding to theft, espionage, and cyber attacks are emblazoned on posters and banners that hang from the ceiling over the scattered vendor booths. There is a partylike atmosphere, and a discomfiting feeling: “threats,” it would appear, are something both to fear and to celebrate.
I walk by booths for companies with names like “AlienVault” and “CheckPoint,” and stop to linger at the Narus booth. Headquartered in Sunnyvale, California, Narus Inc. was founded in 1997 by Israeli security specialists Ori Cohen and Stas Khirman, two men who had recognized a growing market for products that could sift through big data — that ever-expanding archive of our digital activities and selves — and collect and collate that information for law enforcement and intelligence-gathering purposes. The company later moved to the United States, where Boeing would eventually snap it up, and Narus is now a wholly owned subsidiary of the massive defence contractor.
Narus was one of the first companies to offer deep packet inspection, the practice of diving into Internet data at critical chokepoints to precisely identify specific packets, protocols, and other bits of information. In 2006, Steve Bannerman, Narus’s marketing VP, told Wired magazine, “Anything that comes through [an Internet protocol network] we can record…We can reconstruct emails along with attachments, see what web pages they clicked on; we can reconstruct their [Voice over Internet Protocol] calls.” I first read about Narus’s technology in a 2007 press release boasting about the company’s ability to provide “real-time precision targeting, capturing and reconstruction of webmail traffic [including from] services such as Yahoo! Mail, MSN Hotmail, and Google Gmail,” and that it “helps customers around the world like AT&T, Korea Telecom, KDDI, Telecom Egypt, Reliance India, Saudi Telecom, U.S. Cellular, Pakistan Telecom Authority.” Not entirely a rogues’ gallery, but nonetheless a disturbing list of state enterprises mostly belonging to countries with very mixed records in terms of human rights and judicial oversight.
…In 2004, Narus received some very negative publicity when AT&T whistleblower Mark Klein revealed that the NSA was running an extralegal eavesdropping facility that spied on Americans using a Narus product, STA 6400. (As it turned out, the NSA facility in which Klein worked is located at 611 Folsom Street in San Francisco, only a block and a half from the vendor expo.) The revelations led to a lawsuit launched by EFF [Electronic Frontier Foundation], and then to an amendment of the U.S. Foreign Intelligence Services Act. The new legislation didn’t ban such practices; rather, it gave the companies who participated in it, like AT&T, retroactive immunity from prosecution. As a result, EFF’s lawsuit was dismissed in 2009.
Narus re-emerged in the public spotlight during the 2011 Arab Spring when it was among several Western companies whose sales to regimes notorious for human rights violations were subject to increasingly close scrutiny by journalists, activists, and others. In Narus’s case, its sales to Telecom Egypt of deep packet inspection and other monitoring systems led to concerns that Egypt’s security service might have employed them to identify protesters’ communications.
At the 2012 RSA Conference Narus was promoting its latest addition to its flagship NarusInsight traffic intelligence system: the CyberAnalytics application. The brochure partially read: “Narus provides real-time network traffic intelligence and analytics software that analyzes IP traffic and flow data to map the digital DNA (or behavior) of the network…Through its patented analytics, Narus’s carrier-class software detects patterns and anomalies that predict and identify security issues, misuse of network resources, suspicious or criminal activity, and other events that compromise the integrity of IP networks. NarusInsight protects and manages the largest IP networks around the world, and has been deployed with commercial and government installations on five continents.”
Government installations on five continents? I asked myself, wondering what specific government installations in what countries this might refer to?
After thirty-three years of active service, Lieutenant General Kenneth A. Minihan retired from the U.S. Air Force on June 1, 1999. Towards the end of his celebrated career, he became the fourteenth director of the NSA and the Central Security Service, the most senior uniformed intelligence officer in the Department of Defense. (He also served as the director of the Defense Intelligence Agency during the Clinton administration.) Retirement did not slow him down, and he did not move far from his prior places of employment, directing his efforts towards vigorously developing business opportunities in military and intelligence markets for the private sector. Minihan serves on numerous boards of directors — at the time of writing, Nexidia Inc., BAE Systems Inc., Arxan Technologies Inc., Neohapsis Inc., LGS Innovations LLC., VDIworks Inc., Circadence Corporation, GlassHouse Technologies Inc., ManTech International Corporation, The KEYW Holding Corporation, Fixmo Inc., Command Information Inc. — and the Paladin Capital Group, where he is managing director and focuses his attention on developing new investment opportunities for Paladin’s Homeland Security Fund. According to its website, after 9/11 Paladin collaborated with Minihan to “discuss how private equity could play a vital role in developing and delivering effective products, technology and services for the homeland and global security sectors.” The website goes on to say: “Paladin’s investment thesis attracted luminaries in national security including former CIA Director, the Honorable James Woolsey, and former Secretary of the Army, the Honorable Togo West, Jr. and others.” Minihan was also chairman of the Security Affairs Support Association (now known as the Intelligence and National Security Alliance, or INSA), the self-described “flagship operation for industry and government partnership to enhance intelligence business development.” Today, the association represents about 150 member corporations, including major American defence contractors Booz Allen Hamilton, Boeing, BAE Systems, General Dynamics, Lockheed Martin, and Northrop Grumman.
Just before the panel discussion begins I lean over to Minihan: “How about that trade show across the hall?” I say.
“I know, isn’t it fantastic!” Minihan replies with glee. “Most of these guys used to work for me. I walk down the hall and they say, ‘Hi, General, I used to be on your team.’”
I feel slightly dismayed at the thought of a former director of the National Security Agency cheerleading a plethora of private sector spinoff companies, their representatives saluting him as he passes by. Welcome to the ever-growing cyber security industrial complex, a world where a rotating cast of characters moves in and out of national security agencies and the private sector companies that service them. Minihan is at the apex of this new complex.
As the lights dim in the hall and the spotlights blind me from the audience, the formal introductions of the panel begin. In that moment, I think to myself, the Internet as we once knew it is officially dead.
This excerpt is taken from Black Code: Inside the Battle for Cyberspace. Copyright © 2013 Ronald Deibert. Published by Signal, a division of Random House of Canada Limited. Reproduced by arrangement with the publisher. All rights reserved.