National Security


How J. Edgar laid the groundwork for the NSA's surveillance state.

As the controversy surrounding the revelation that the National Security Agency (NSA) has been collecting metadata regarding the telephonic and Internet activities of average Americans continued to swirl out of control -- including the name and video confession of the admitted leaker -- the following question was posed to me: "How do I communicate with folks without having it casually Hoovered up by the NSA?"

Ignoring for a moment the slander involved in invoking both the names of the former FBI director and the renowned international vacuum company in connection with the most recent intelligence security debacle, the quick answer to the question is: "You can't." Absent the use of one-time encryption on closed communication systems, both the Internet and virtually all telephonic conversations are capable of being intercepted.

In fact, all types of electronic data are collected, collated, stored, and analyzed for retrieval by almost every modern industry in existence. It is not just the NSA that is doing the mass collection of data. Everyone is tapping into metadata, toll records, Internet data logs, credit reports, and public databases that collect millions of mundane bits of information. Doctors, lawyers, credit agencies, banks and real estate brokers, and every city, state, and federal government agency that regulates our lives collect and store digital information about all of us. The information they collect is there for the asking and can be purchased by anyone.

If this sounds onerous and Orwellian to you, it is simply because of the erroneous belief that collecting metadata is intrusive and a violation of privacy rights. After all, the United States has a long-standing tradition of resisting government intrusion into private lives. But the collection of metadata has been conducted as long as there have been companies willing to do the collecting.

Before there was Google, there were reverse telephone directories, reverse address books, business locator encyclopedias, tax records, and voter registration rolls -- along with myriad private services that would research a name, address, or telephone number for you. Reporters of a certain vintage will remember all of these data-collection tools. The key to understanding modern data collection is that (1) everyone is doing it and everyone is in the data, and (2) publicly available information about known or potential bad guys collected by both government and non-governmental companies is how modern-day investigators, including the FBI, solve crime. That is a fact. And if it makes you uncomfortable, perhaps you should emulate Ted Kaczynski, become a neo-luddite, and live the rest of your life in a remote Montana cabin writing manifestos in long-hand or on a typewriter. Living as a hermit is about the only way that you will avoid the digital collection onslaught that has become part of modern daily life.

In the current dust-up involving the NSA, people seem to be offended that it is the government using the data. They seem to miss the point that government isn't actually doing the collecting; the metadata is merely being provided pursuant to legal court order after first being collected by both the telephone companies and Internet service providers. Both industries have way more information about you than the government has ever sought to collect.

There have been many good articles describing the legal rationale for the NSA's collection of the data, including one by Stewart Baker, former general counsel for the agency. I will not attempt to repeat the legal or civil libertarian counterarguments here that have been made by others far more informed than me. Rather, since Americans can't avoid the collection of our digital signatures by either the government or private corporations that knowingly sell it to anyone willing to pay a fee, perhaps it's time to take a closer look at exactly how the government uses the information that it has "Hoovered," in order to help lower our collective anxiety about Big Brother.

By mentioning Hoover, my questioner reminded me of a little-remembered fact about the late director that may provide some background and insight into the current controversy and how American investigators, primarily the FBI, use information collected by the NSA. Prior to obtaining his law degree and becoming director of the FBI, J. Edgar Hoover was a clerk at the Library of Congress.

There he learned that the collating and cross-referencing of information for easy recovery was important, and easy access by FBI investigators to law enforcement intelligence was what was needed to solve crime on a national scale. He later adapted what he learned at the Library of Congress for use in the FBI's manual records management systems. As a young FBI agent -- before computerized databases or even cell phones -- I recall being issued red and blue pencils to mark documents for indexing in the FBI's non-digital records system. Director Hoover recognized the investigative value of information contained in FBI files and designed a system wherein both field office and bureau file numbers were recorded on index cards along with whether the name being indexed was a "main subject" or merely a reference within the file. This system allowed clerks in any field office to connect bits of information back to the subject's main file, which might be in a different office. It was a slow and laborious system, but very effective for tracking information across multiple field offices, states, and FBI headquarters.

Library science is also the perfect metaphor for making sense of the way the NSA uses metadata to protect the United States. The explanation for why -- if not technically how -- the NSA was collecting and using this data is important to understanding the potential for abuse that seems to be at the center of the controversy. In a way, the NSA functions like a giant reference library for the entire intelligence community, collecting books of information and electronic data on foreign individuals and corporations around the world. The books of information on foreigners are available to be checked out by any member of the intelligence community that has the proper clearance and a need to know the information. Members of the intelligence community request specific books on foreigners, and if the book doesn't exist in the current catalog, the NSA library will attempt to obtain it.

Initially, the NSA was restricted to only collecting on foreign individuals and scrupulously avoided any collection that included Americans or domestic surveillance. All of that changed with the passage of the Patriot Act in 2001. We now know that the NSA library has been obtaining and cataloging encyclopedias of information about U.S. persons -- loosely defined as U.S. citizens, permanent resident aliens, and U.S.-based corporations -- pursuant to a Foreign Intelligence Surveillance Act (FISA) court order since at least 2008. Like any good reference library, however, the collection of books on American citizens has been segregated into a special restricted access section that could only be accessed with a library card, consisting of a FISA court order. They could not be checked out and no one at the library was allowed to read the books or even acknowledge the existence of this special collection. The names on the books in the collection were kept secret.

Initially, the FBI was only allowed to place requests with the reference librarian to check the catalog for foreign names. To gain access to a book about Americans in the special access collection, the FBI had to rely on the reference librarian at the NSA to determine if a foreign target was providing content to one of the books in the American section and relay that information to them. Then -- and only then -- could the FBI use that information to obtain a FISA court order and read the book on the American citizen.

Further information from the American books -- content or interception of real-time conversations -- would require another probable cause statement and affidavit to the Foreign Intelligence Surveillance Court essentially proving that the U.S. individual was being directed by a foreign power. The person could not just be a member, associate, or affiliate, but had to be an actual agent of a foreign power, before any actual interception of content or conversations could take place.

That very restrictive process to access the NSA library on U.S. metadata by the FBI continues today.

How do FBI agents and other investigators use metadata in their investigations? For the investigator, information is fundamental. The ability to query a known or suspected terrorist telephone number and get back all of the numbers he or she has called in the past three to six months or longer is a tremendous investigative advantage. The data assists the investigator in focusing his efforts on the most likely suspects and associates of the actual target for asset or informant development, to locate other possible suspects, or as a cooperating witness against the actual target of the investigation.

Metadata may narrow the suspect pool from over a thousand suspects to maybe a half dozen or more, certainly a more manageable number. It is important, however, to remember that data absent content -- that is the actual conversation between two individuals -- is of limited probative value. It only provides items of lead value and correlation, not evidence of a crime, although analytical products can sometimes be used as circumstantial evidence at trial. Metadata is primarily used to establish reasonable suspicion for opening a case and occasionally probable cause to request legal process to obtain further information from the NSA.

In my career, I have had several opportunities to work with the NSA and metadata, but pre-9/11, FBI investigations utilizing NSA data only targeted known or suspected foreign terrorist groups or members, never U.S. persons. The standard for investigating a U.S. person was significantly higher, requiring probable cause to obtain a FISA wiretap warrant.

In the 1980s, I investigated the American end of a known foreign terrorist group. The problem then -- as is frequently the case now -- was that all of the American suspects were either naturalized U.S. citizens or U.S. persons. It made the investigation significantly more difficult because the use of any invasive extraordinary techniques like wiretaps or surreptitious searches required the FBI to meet the highest probable cause standards. And when one of the subjects of the investigation had what a national security lawyer at the Department of Justice referred to as a "Damascus conversion" and claimed to no longer be a member of the group being investigated, that ended the wiretap.

Today, the NSA neither provides information on U.S. persons, nor targets them for data interception absent a court order. If the FBI requests information on a U.S. person, what is often returned by the NSA consists of an affirmative or negative response that the signals intelligence being requested -- usually a telephone or credit card number -- exists in their database. It is then up to the FBI to develop the probable cause necessary to obtain a court order or warrant to obtain the actual information from the NSA. While creative writing can be used to develop probable cause -- and was sometimes suggested by more senior agents -- my boss at the time used to say, "You can't make chicken salad out of chicken shit." The evidence either existed or it didn't, and no agent worth his salt would really bet his badge and credentials by stretching the truth to make up probable cause when discovery of the fabrication would surely result in dismissal and prosecution.

Now that the leaker has been revealed to be Edward Snowden, a 29-year-old contractor for Booz Allen, the true problem of a digital library of information on Americans comes to light. That is, anyone with access to the NSA library can steal a book about Americans and publish the information if they choose to do so. The irony of the situation involving Snowden is that, if he is convicted, it will be based, at least in part, on his own telephonic communications and Internet data logs compiled by the NSA and provided to the FBI in response to a FISA court order -- exactly the way the domestic digital collection system involving the investigation of Americans is supposed to work. Snowden's revelations have also proven that we have crossed the digital Rubicon; there is no going back to a time when FBI and NSA files were manual and reasonable internal security measures were sufficient to safeguard our individual privacy.

It's time to learn to either live with it, or legislate the collection of metadata by the government into oblivion and risk the inherent consequences of that decision. The choice is yours.


National Security

Inside the NSA's Ultra-Secret China Hacking Group

Deep within the National Security Agency, an elite, rarely discussed team of hackers and spies is targeting America's enemies abroad.

This weekend, U.S. President Barack Obama sat down for a series of meetings with China's newly appointed leader, Xi Jinping. We know that the two leaders spoke at length about the topic du jour -- cyber-espionage -- a subject that has long frustrated officials in Washington and is now front and center with the revelations of sweeping U.S. data mining. The media has focused at length on China's aggressive attempts to electronically steal U.S. military and commercial secrets, but Xi pushed back at the "shirt-sleeves" summit, noting that China, too, was the recipient of cyber-espionage. But what Obama probably neglected to mention is that he has his own hacker army, and it has burrowed its way deep, deep into China's networks.

When the agenda for the meeting at the Sunnylands estate outside Palm Springs, California, was agreed to several months ago, both parties agreed that it would be a nice opportunity for President Xi, who assumed his post in March, to discuss a wide range of security and economic issues of concern to both countries. According to diplomatic sources, the issue of cybersecurity was not one of the key topics to be discussed at the summit. Sino-American economic relations, climate change, and the growing threat posed by North Korea were supposed to dominate the discussions.

Then, two weeks ago, White House officials leaked to the press that Obama intended to raise privately with Xi the highly contentious issue of China's widespread use of computer hacking to steal U.S. government, military, and commercial secrets. According to a Chinese diplomat in Washington who spoke in confidence, Beijing was furious about the sudden elevation of cybersecurity and Chinese espionage on the meeting's agenda. According to a diplomatic source in Washington, the Chinese government was even angrier that the White House leaked the new agenda item to the press before Washington bothered to tell Beijing about it.

So the Chinese began to hit back. Senior Chinese officials have publicly accused the U.S. government of hypocrisy and have alleged that Washington is also actively engaged in cyber-espionage. When the latest allegation of Chinese cyber-espionage was leveled in late May in a front-page Washington Post article, which alleged that hackers employed by the Chinese military had stolen the blueprints of over three dozen American weapons systems, the Chinese government's top Internet official, Huang Chengqing, shot back that Beijing possessed "mountains of data" showing that the United States has engaged in widespread hacking designed to steal Chinese government secrets. This weekend's revelations about the National Security Agency's PRISM and Verizon metadata collection from a 29-year-old former CIA undercover operative named Edward J. Snowden, who is now living in Hong Kong, only add fuel to Beijing's position.

But Washington never publicly responded to Huang's allegation, and nobody in the U.S. media seems to have bothered to ask the White House if there is a modicum of truth to the Chinese charges.

It turns out that the Chinese government's allegations are essentially correct. According to a number of confidential sources, a highly secretive unit of the National Security Agency (NSA), the U.S. government's huge electronic eavesdropping organization, called the Office of Tailored Access Operations, or TAO, has successfully penetrated Chinese computer and telecommunications systems for almost 15 years, generating some of the best and most reliable intelligence information about what is going on inside the People's Republic of China.

Hidden away inside the massive NSA headquarters complex at Fort Meade, Maryland, in a large suite of offices segregated from the rest of the agency, TAO is a mystery to many NSA employees. Relatively few NSA officials have complete access to information about TAO because of the extraordinary sensitivity of its operations, and it requires a special security clearance to gain access to the unit's work spaces inside the NSA operations complex. The door leading to its ultramodern operations center is protected by armed guards, an imposing steel door that can only be entered by entering the correct six-digit code into a keypad, and a retinal scanner to ensure that only those individuals specially cleared for access get through the door.

According to former NSA officials interviewed for this article, TAO's mission is simple. It collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the messages and data traffic passing within the targeted email and text-messaging systems. The technical term of art used by NSA to describe these operations is computer network exploitation (CNE).

TAO is also responsible for developing the information that would allow the United States to destroy or damage foreign computer and telecommunications systems with a cyberattack if so directed by the president. The organization responsible for conducting such a cyberattack is U.S. Cyber Command (Cybercom), whose headquarters is located at Fort Meade and whose chief is the director of the NSA, Gen. Keith Alexander.

Commanded since April of this year by Robert Joyce, who formerly was the deputy director of the NSA's Information Assurance Directorate (responsible for protecting the U.S. government's communications and computer systems), TAO, sources say, is now the largest and arguably the most important component of the NSA's huge Signal Intelligence (SIGINT) Directorate, consisting of over 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers.

The sanctum sanctorum of TAO is its ultramodern operations center at Fort Meade called the Remote Operations Center (ROC), which is where the unit's 600 or so military and civilian computer hackers (they themselves CNE operators) work in rotating shifts 24 hours a day, seven days a week.

These operators spend their days (or nights) searching the ether for computers systems and supporting telecommunications networks being utilized by, for example, foreign terrorists to pass messages to their members or sympathizers. Once these computers have been identified and located, the computer hackers working in the ROC break into the targeted computer systems electronically using special software designed by TAO's own corps of software designers and engineers specifically for this purpose, download the contents of the computers' hard drives, and place software implants or other devices called "buggies" inside the computers' operating systems, which allows TAO intercept operators at Fort Meade to continuously monitor the email and/or text-messaging traffic coming in and out of the computers or hand-held devices.

TAO's work would not be possible without the team of gifted computer scientists and software engineers belonging to the Data Network Technologies Branch, who develop the sophisticated computer software that allows the unit's operators to perform their intelligence collection mission. A separate unit within TAO called the Telecommunications Network Technologies Branch (TNT) develops the techniques that allow TAO's hackers to covertly gain access to targeted computer systems and telecommunications networks without being detected. Meanwhile, TAO's Mission Infrastructure Technologies Branch develops and builds the sensitive computer and telecommunications monitoring hardware and support infrastructure that keeps the effort up and running.

TAO even has its own small clandestine intelligence-gathering unit called the Access Technologies Operations Branch, which includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations," which is a polite way of saying that they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and/or telecommunications systems overseas so that TAO's hackers can remotely access them from Fort Meade.

It is important to note that TAO is not supposed to work against domestic targets in the United States or its possessions. This is the responsibility of the FBI, which is the sole U.S. intelligence agency chartered for domestic telecommunications surveillance. But in light of information about wider NSA snooping, one has to prudently be concerned about whether TAO is able to perform its mission of collecting foreign intelligence without accessing communications originating in or transiting through the United States.

Since its creation in 1997, TAO has garnered a reputation for producing some of the best intelligence available to the U.S. intelligence community not only about China, but also on foreign terrorist groups, espionage activities being conducted against the United States by foreign governments, ballistic missile and weapons of mass destruction developments around the globe, and the latest political, military, and economic developments around the globe.

According to a former NSA official, by 2007 TAO's 600 intercept operators were secretly tapping into thousands of foreign computer systems and accessing password-protected computer hard drives and emails of targets around the world. As detailed in my 2009 history of NSA, The Secret Sentry, this highly classified intercept program, known at the time as Stumpcursor, proved to be critically important during the U.S. Army's 2007 "surge" in Iraq, where it was credited with single-handedly identifying and locating over 100 Iraqi and al Qaeda insurgent cells in and around Baghdad. That same year, sources report that TAO was given an award for producing particularly important intelligence information about whether Iran was trying to build an atomic bomb.

By the time Obama became president of the United States in January 2009, TAO had become something akin to the wunderkind of the U.S. intelligence community. "It's become an industry unto itself," a former NSA official said of TAO at the time. "They go places and get things that nobody else in the IC [intelligence community] can."

Given the nature and extraordinary political sensitivity of its work, it will come as no surprise that TAO has always been, and remains, extraordinarily publicity shy. Everything about TAO is classified top secret codeword, even within the hypersecretive NSA. Its name has appeared in print only a few times over the past decade, and the handful of reporters who have dared inquire about it have been politely but very firmly warned by senior U.S. intelligence officials not to describe its work for fear that it might compromise its ongoing efforts. According to a senior U.S. defense official who is familiar with TAO's work, "The agency believes that the less people know about them [TAO] the better."

The word among NSA officials is that if you want to get promoted or recognized, get a transfer to TAO as soon as you can. The current head of the NSA's SIGINT Directorate, Teresa Shea, 54, got her current job in large part because of the work she did as chief of TAO in the years after the 9/11 terrorist attacks, when the unit earned plaudits for its ability to collect extremely hard-to-come-by information during the latter part of George W. Bush's administration. We do not know what the information was, but sources suggest that it must have been pretty important to propel Shea to her position today. But according to a recently retired NSA official, TAO "is the place to be right now."

There's no question that TAO has continued to grow in size and importance since Obama took office in 2009, which is indicative of its outsized role. In recent years, TAO's collection operations have expanded from Fort Meade to some of the agency's most important listening posts in the United States. There are now mini-TAO units operating at the huge NSA SIGINT intercept and processing centers at NSA Hawaii at Wahiawa on the island of Oahu; NSA Georgia at Fort Gordon, Georgia; and NSA Texas at the Medina Annex outside San Antonio, Texas; and within the huge NSA listening post at Buckley Air Force Base outside Denver.

The problem is that TAO has become so large and produces so much valuable intelligence information that it has become virtually impossible to hide it anymore. The Chinese government is certainly aware of TAO's activities. The "mountains of data" statement by China's top Internet official, Huang Chengqing, is clearly an implied threat by Beijing to release this data. Thus it is unlikely that President Obama pressed President Xi too hard at the Sunnydale summit on the question of China's cyber-espionage activities. As any high-stakes poker player knows, you can only press your luck so far when the guy on the other side of the table knows what cards you have in your hand.