Investigation

The CIA's New Black Bag Is Digital

When the NSA can't break into your computer, these guys break into your house.

During a coffee break at an intelligence conference held in The Netherlands a few years back, a senior Scandinavian counterterrorism official regaled me with a story. One of his service's surveillance teams was conducting routine monitoring of a senior militant leader when they suddenly noticed through their high-powered surveillance cameras two men breaking into the militant's apartment. The target was at Friday evening prayers at the local mosque. But rather than ransack the apartment and steal the computer equipment and other valuables while he was away -- as any right-minded burglar would normally have done -- one of the men pulled out a disk and loaded some programs onto the resident's laptop computer while the other man kept watch at the window. The whole operation took less than two minutes, then the two trespassers fled the way they came, leaving no trace that they had ever been there.

It did not take long for the official to determine that the two men were, in fact, Central Intelligence Agency (CIA) operatives conducting what is known in the U.S. intelligence community as either a "black bag job" or a "surreptitious entry" operation. Back in the Cold War, such a mission might have involved cracking safes, stealing code books, or photographing the settings on cipher machines. Today, this kind of break-in is known inside the CIA and National Security Agency as an "off-net operation," a clandestine human intelligence mission whose specific purpose is to surreptitiously gain access to the computer systems and email accounts of targets of high interest to America's spies. As we've learned in recent weeks, the National Security Agency's ability to electronically eavesdrop from afar is massive. But it is not infinite. There are times when the agency cannot gain access to the computers or gadgets they'd like to listen in on. And so they call in the CIA's black bag crew for help.

The CIA's clandestine service is now conducting these sorts of black bag operations on behalf of the NSA, and at a tempo not seen since the height of the Cold War. Moreover, these missions, as well as a series of parallel signals intelligence (SIGINT) collection operations conducted by the CIA's Office of Technical Collection, have proven instrumental in facilitating and improving the NSA's SIGINT collection efforts in the years since the 9/11 terrorist attacks.

Over the past decade specially-trained CIA clandestine operators have mounted over one hundred extremely sensitive black bag jobs designed to penetrate foreign government and military communications and computer systems, as well as the computer systems of some of the world's largest foreign multinational corporations. Spyware software has been secretly planted in computer servers; secure telephone lines have been bugged; fiber optic cables, data switching centers and telephone exchanges have been tapped; and computer backup tapes and disks have been stolen or surreptitiously copied in these operations.

In other words, the CIA has become instrumental in setting up the shadowy surveillance dragnet that has now been thrown into public view. Sources within the U.S. intelligence community confirm that since 9/11, CIA clandestine operations have given the NSA access to a number of new and critically important targets around the world, especially in China and elsewhere in East Asia, as well as the Middle East, the Near East, and South Asia. (I'm not aware of any such operations here on U.S. soil.) In one particularly significant operation conducted a few years back in a strife-ridden South Asian nation, a team of CIA technical operations officers installed a sophisticated tap on a switching center servicing several fiber-optic cable trunk lines, which has allowed NSA to intercept in real time some of the most sensitive internal communications traffic by that country's general staff and top military commanders for the past several years. In another more recent case, CIA case officers broke into a home in Western Europe and surreptitiously loaded Agency-developed spyware into the personal computer of a man suspected of being a major recruiter for individuals wishing to fight with the militant group al-Nusra Front in Syria, allowing CIA operatives to read all of his email traffic and monitor his Skype calls on his computer.

The fact that the NSA and CIA now work so closely together is fascinating on a number of levels. But it's a particularly remarkable accomplishment, given that the two agencies until fairly recently hated each other's guts.

Ingenues and TBARs

As detailed in my history of the NSA, The Secret Sentry, the CIA and NSA had what could best be described as a contentious relationship during the Cold War era. Some NSA veterans still refer to their colleagues at the CIA as 'TBARs,' which stands for 'Those Bastards Across the River,' with the river in question being the Potomac. Perhaps reflecting their higher level of educational accomplishment, CIA officers have an even more lurid series of monikers for their NSA colleagues at Fort Meade, most of which cannot be repeated in polite company because of recurring references to fecal matter. One retired CIA official described his NSA counterparts as "a bunch of damn ingenues." Another CIA veteran perhaps put it best when he described the Cold War relationship amongst and between his agency and the NSA as "the best of enemies."

The historical antagonism between the two agencies started at the top. Allen W. Dulles, who was the director of the CIA from 1953 to 1961, disliked NSA director General Ralph Canine so intensely that he deliberately kept the NSA in the dark about a number of the agency's high-profile SIGINT projects, like the celebrated Berlin Tunnel cable tapping operation in the mid-1950s. The late Richard M. Helms, who was director of the CIA from 1966 to 1973, told me over drinks at the Army-Navy Club in downtown Washington, D.C. only half jokingly that during his thirty-plus years in the U.S. intelligence community, his relations with the KGB were, in his words, "warmer and more collegial" than with the NSA. William E. Colby, who served as Director of Central Intelligence from 1973-1976, had the same problem. Colby was so frustrated by his inability to assert any degree of control over the NSA that he told a congressional committee that "I think it is clear I do not have command authority over the [NSA]." And the animus between CIA director Admiral Stansfield Turner (CIA director from 1977-1981) and his counterpart at the NSA, Admiral Bobby Ray Inman, was so intense that they could only communicate through intermediaries.

But the 9/11 terrorist attacks changed the operational dynamic between these two agencies, perhaps forever. In the thirteen years since the 9/11 terrorist attacks, the NSA and CIA have largely, but not completely, moved past the Cold War animus. In addition, both agencies have become increasingly dependent on one another for the success of their respective intelligence operations, leading to what can best be described as an increasingly close symbiotic relationship between these two titans of the U.S. intelligence community.

While the increasingly intimate relationship between the NSA and CIA is not a secret, the specific nature and extent of the work that each agency does for the other is deemed to be extremely sensitive, especially since many of these operations are directed against friends and allies of the United States. For example, the Special Collection Service (SCS), the secretive joint CIA-NSA clandestine SIGINT organization based in Beltsville, Maryland, now operates more than 65 listening posts inside U.S. embassies and consulates around the world. While recent media reports have focused on the presence of SCS listening posts in certain Latin American capitals, intelligence sources confirm that most of the organization's resources have been focused over the past decade on the Middle East, South Asia, and East Asia. For example, virtually every U.S. embassy in the Middle East now hosts an SCS SIGINT station that monitors, twenty-four hours a day, the complete spectrum of electronic communications traffic within a one hundred mile radius of the embassy site. The biggest problem that the SCS currently faces is that it has no presence in some of the U.S. intelligence community's top targets, such as Iran and North Korea, because the U.S. government has no diplomatic relations with these countries.

At the same time, SIGINT coming from the NSA has become a crucial means by which the CIA can validate the intelligence it gets from its oftentimes unreliable agents. SIGINT has also been, and remains, the linchpin underlying the success over the past nine years of the CIA's secret unmanned drone strikes in Pakistan, Yemen and elsewhere around the world.

But the biggest changes have occurred in the CIA's human intelligence (HUMINT) collection efforts on behalf of NSA. Over the past decade, foreign government telecommunications and computer systems have become one of the most important targeting priorities of the CIA's National Clandestine Service (NCS), which since the spring of this year has been headed by one of the agency's veteran Africa and Middle East hands. The previous director, Michael J. Sulick, is widely credited with making HUMINT collection against foreign computer and telecommunications systems one of the service's top priority targets after he rose to the top of the NCS in September 2007.

Today, a cadre of several hundred CIA NCS case officers, known as Technical Operations Officers, has been recruited and trained to work exclusively on penetrating foreign communications and computer systems targets so that NSA can gain access to the information stored on or transmitted by these systems. Several dozen of these officers now work full time in several offices at NSA headquarters at Fort George G. Meade, something which would have been inconceivable prior to 9/11.

CIA operatives have also intensified their efforts to recruit IT specialists and computer systems operators employed by foreign government ministries, major military command headquarters staffs, big foreign multinational corporations, and important international non-governmental organizations.

Since 9/11, the NCS has also developed a variety of so-called "black boxes" which can quickly crack computer passwords, bypass commercially-available computer security software systems, and clone cellular telephones -- all without leaving a trace. To use one rudimentary example, computer users oftentimes forget to erase default accounts and passwords when installing a system, or incorrectly set protections on computer network servers or e-mail accounts. This is a vulnerability which operatives now routinely exploit.

For many countries in the world, especially in the developing world, CIA operatives can now relatively easily obtain telephone metadata records, such as details of all long distance or international telephone calls, through secret liaison arrangements with local security services and police agencies.

America's European allies are a different story. While the connections between the NSA and, for example, the British signals intelligence service GCHQ are well-documented, the CIA has a harder time obtaining personal information of British citizens. The same is true in Germany, Scandinavia and the Netherlands, which have also been most reluctant to share this sort of data with the CIA. But the French intelligence and security services have continued to share this sort of data with the CIA, particularly in counterterrorism operations.

U.S. intelligence officials are generally comfortable with the new collaboration. Those I have spoken to over the past three weeks have only one major concern. The fear is that details of these operations, including the identities of the targets covered by these operations, currently reside in the four laptops reportedly held by Edward Snowden, who has spent the past three weeks in the transit lounge at Sheremetyevo Airport outside Moscow waiting for his fate to be decided. Officials at both the CIA and NSA know that the public disclosure of these operations would cause incalculable damage to U.S. intelligence operations abroad as well as massive embarrassment to the U.S. government. If anyone wonders why the U.S. government wants to get its hands on Edward Snowden and his computers so badly, this is an important reason why.


National Security

The NSA Can't Tell the Difference Between an American and a Foreigner

That's why it sucks up information on everyone.

The National Security Agency has said for years that its global surveillance apparatus is only aimed at foreigners, and that ordinary Americans are only captured by accident. There's only one problem with this long-standing contention, people who've worked within the system say: it's more-or-less technically impossible to keep average Americans out of the surveillance driftnet.

"There is physically no way to ensure that you're only gathering U.S. person e-mails," said a telecommunications executive who has implemented U.S. government orders to collect data on foreign targets. "The system doesn't make any distinction about the nationality" of the individual who sent the message.

While it's technically true that the NSA is not "targeting" the communications of Americans without a warrant, this is a narrow and legalistic statement. It belies the vast and indiscriminate scooping up of records on Americans' phone calls, e-mails, and Internet communications that has occurred for more than a decade under the cover of "foreign intelligence" gathering. 

The NSA is routinely capturing and storing vast amounts of the electronic communications of American citizens and legal residents, even though they were never individually the subject of a terrorism or criminal investigation, according to interviews with current and former intelligence officials, technology experts, and newly released government documents.

A significant portion of this secret information-gathering is the result of so-called "incidental collection" of U.S. persons' information; Americans' communications just happen to be in the way when foreigners' data is scooped up.

This incidental collection is partly the result of the way the global communications network is constructed. When the agency receives authorization from the Foreign Intelligence Surveillance Court to collect a broad range of e-mails or electronic communications that it believes are coming out of a foreign country, it's inevitable that it will collect some U.S. persons' information, too.

"There are U.S. persons in every country," said a former intelligence official. "The NSA knows that when it collects great gobs [of communications] there are going to be U.S. persons in that country. They know that happens."

But new documents reveal that the NSA has also deliberately gathered communications metadata that it had reason to believe was associated with Americans.

On Thursday, the Guardian reported that NSA had been collecting vast amounts of e-mail data in bulk, stemming from a secret program that was first authorized by President George W. Bush soon after the 9/11 attacks.

The Guardian also disclosed a November 2007 memorandum prepared for then-Attorney General Michael Mukasey by Kenneth Wainstein, who was in charge of the Justice Department's National Security Division. On behalf of the NSA, Wainstein requested that the attorney general approve a powerful form of computer-assisted analysis of U.S. persons' metadata, including their phone and e-mail records, as well as Internet Protocol addresses of individual computers. This information was obtained "by various methods, including pursuant to the Foreign Intelligence Surveillance Act," the memo states.

"NSA has in its databases a large amount of communications metadata associated with persons in the United States," the memo states.  

NSA wanted to subject this large store of metadata to a form of link analysis known as contact chaining, in which an analyst starts with a particular phone number, e-mail address, or Internet Protocol address, and then uses algorithms to find the corresponding communications to which the "seed" target is linked. Contact chaining also finds the communications to which that first layer of communication is linked. Each one of these steps outward in the original target's network is sometimes called a "hop."  In just a few hops, the number of individuals swept up in the analysis multiplies exponentially.

The memo states that the NSA had already been conducting contact-chaining, but that based on the "informal advice" of the Justice Department office that represents the government before the FISA court, "NSA's present practice is to 'stop' when a chain hits a telephone number or address believed to be a United States person." The agency wanted to keep going, however, even when it encountered communications believed to belong to Americans and legal residents. The hope, the memo states, was that by chaining through "all telephone numbers and addresses," the NSA would "yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States."

In effect, the NSA was arguing that it needed to see everyone's metadata in order to find meaningful information about foreigners. Mukasey approved the new contact chaining procedures.
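As an added illustration, not part of the original article, the following Python models the contact chaining the memo describes over a small, invented set of call records. The phone numbers, the rule that a +1 country code marks a U.S. person, and the hop limit are all assumptions made for the example; the comparison it draws is between the older practice of stopping the chain at a U.S.-person selector and the post-2007 practice of chaining straight through it.

```python
from collections import deque

# Constructed sample call-detail records (caller, callee). Not real metadata;
# every number here is invented for this example.
SAMPLE_CDRS = [
    ("+92-300-1111", "+92-300-2222"),
    ("+92-300-1111", "+966-50-4444"),
    ("+92-300-2222", "+1-202-5551"),   # +1 numbers stand in for U.S. persons
    ("+1-202-5551", "+44-20-7777"),
    ("+1-202-5551", "+1-301-5552"),
    ("+44-20-7777", "+92-300-3333"),
]


def is_us_person(identifier):
    """Assumption for this example: a +1 country code marks a U.S. person.
    In practice that inference is unreliable, which is the article's point."""
    return identifier.startswith("+1-")


def build_graph(cdrs):
    """Undirected contact graph: each record links both parties."""
    graph = {}
    for a, b in cdrs:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def contact_chain(graph, seed, max_hops, stop_at_us_persons=True):
    """Breadth-first contact chaining from a seed selector.

    Returns {identifier: hop_distance} for everything reached within max_hops.
    With stop_at_us_persons=True a U.S.-person identifier is recorded when the
    chain hits it, but its own contacts are not expanded (the pre-2007 "stop"
    practice the memo describes). With False the chain runs through it.
    """
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        if stop_at_us_persons and node != seed and is_us_person(node):
            continue
        for contact in graph.get(node, ()):
            if contact not in hops:
                hops[contact] = hops[node] + 1
                queue.append(contact)
    return hops


def us_persons_swept_up(hops):
    """U.S.-person identifiers that ended up in the chain at any hop."""
    return {ident for ident in hops if is_us_person(ident)}


def size_per_hop(hops):
    """How many identifiers sit at each hop distance."""
    counts = {}
    for distance in hops.values():
        counts[distance] = counts.get(distance, 0) + 1
    return counts


if __name__ == "__main__":
    graph = build_graph(SAMPLE_CDRS)
    seed = "+92-300-1111"
    for stop in (True, False):
        chain = contact_chain(graph, seed, max_hops=3, stop_at_us_persons=stop)
        print(f"stop_at_us_persons={stop}: {len(chain)} identifiers, "
              f"per hop {size_per_hop(chain)}, "
              f"U.S. persons swept up {sorted(us_persons_swept_up(chain))}")
```

On this toy graph the stop rule halts the chain at the first +1 number, so a three-hop query from the Pakistani seed returns four identifiers and one U.S. person. Chaining through that number instead returns six identifiers, two of them U.S. persons, and only the hop cap keeps the British contact's own contacts out; one more hop and they are in too. Real graphs have far higher fan-out, which is why the per-hop counts grow so fast.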

In the memo, Wainstein argued, as other government officials have over the years and continue today, that metadata is not content, and therefore is not subject to protections under the Fourth Amendment. Nevertheless, technology experts say that metadata can reveal deep and meaningful information about who a person knows, where they go, and what they are doing, both online and off. (It's worth remembering that the U.S. government authorizes lethal U.S. drone strikes based on a target's associates and movement -- an analog version of metadata--and that information about those foreign terrorists and their associates is gathered using FISA.)

The memo also asked Mukasey's permission to give metadata on U.S. persons directly to the Central Intelligence Agency and other Defense Department "entities." It doesn't elaborate on what those organizations were doing with the data or why they wanted it.

The Guardian, citing a senior Obama administration official, reported that the intentional collection of Internet metadata was stopped in 2011. However, the paper found that "it is clear that the [NSA] collects and analyzes significant amounts of data from U.S. communications systems in the course of monitoring foreign targets."

When the agency collects the communications of Americans, it is supposed to follow a set of minimization procedures designed to protect individual privacy and keep innocent Americans from being implicated in terrorism investigations. But first, the agency has to determine if, in fact, the sender of a particular message is a U.S. person.

That's hard to do. The breadth of global communications, and the digital mixing of messages from all corners of the world, can make it difficult to know with precision who is being targeted, and where that person is located, without subjecting a particular email to closer inspection.

According to former intelligence officials, the NSA routinely opens e-mails and reads their contents to determine if the sender was a U.S. person. Reading that message doesn't require the agency to obtain a warrant, and if an analyst discovers that the communication belongs to a U.S. person, he is supposed to destroy it if it has no intelligence value and does not contain information about a crime. But the NSA's guidelines allow the agency to hang onto this information for up to five years before trying to determine its origin.

"I think it's important to understand that there are certain things that the government is doing that by their very nature are going to involve vast amounts of information about Americans, even if that's not their intent," said Chris Soghoian, an expert on privacy and technology at the American Civil Liberties Union.

In congressional testimony earlier this month, Gen. Keith Alexander, the NSA Director, discussed two programs that had recently been disclosed in press reports: The NSA's collection of telephone metadata in the United States, and the system known as PRISM that gives the agency access to information from Internet companies including Google and Facebook.

"These programs are limited, focused, and subject to rigorous oversight," Alexander said. "They have distinct purposes and oversight mechanisms. We have rigorous training programs for our analysts and their supervisors to understand their responsibilities regarding compliance."

Alexander did not address the collection of Internet metadata that began under the Bush administration, nor did he discuss the 2007 memo, which had not yet been disclosed. Current and former intelligence officials stressed in interviews that agency employees are trained to follow specific rules and procedures when handling U.S. person data, and that in light of recent revelations they have become more cautious.

Precisely how much U.S. person data is being collected in the course of spying on foreigners has been a subject of considerable debate, but clearly it has been large. In 2009, the New York Times reported a "significant and systematic" collection of Americans' emails and phone calls during the course of searches authorized by the Foreign Intelligence Surveillance Act.

The NSA has avoided saying how much data on U.S. persons it is collecting, even though it appears to have a way to find out. Last year, the NSA told a pair of senators looking into the issue that the agency could not estimate how many Americans' communications had been collected, in part because it would "violate the privacy of U.S. persons" to try to answer the question. That implied that those communications were stored somewhere and accessible, but that reading them to see who was the sender would effectively constitute a search under the law.

Former officials contacted for this story were also reluctant to say how many Americans' communications were incidentally collected during broad FISA searches. But they suggested that the number was large and knowable.

Among the U.S. person communications that the agency may retain, even though they weren't directly targeted, are those "acquired because of limitations on NSA's ability to filter communications," according to a set of procedures that the agency uses to minimize the intrusion into Americans' privacy. The document was disclosed last week by the Guardian.

"They do know that U.S. person data will get through. They admit that," the former intelligence official said with respect to this provision in the rules. Sometimes a communication may slip through the filters because it's encrypted and the system cannot scan it for keywords that might help determine the nationality of the sender. Or, the NSA could be collecting information at such a high volume that's practically impossible to filter every message. "They don't listen to everything and process everything," the former official said. "Sometimes they may keep it and look at it later." 

When there's a question about the sender's nationality or location, a human analyst steps in and examines the content of the communication, former officials said. One former analyst said this only happens if there's some indication that the communication is suspect. For instance, a known terrorist is communicating repeatedly with someone who is not yet on the agency's radar.

There appear to be some high-level controls on how much U.S. person data the NSA gathers inadvertently, but they are relatively crude. The former intelligence official said that when the government asks the FISA court for the authority to collect communications from a particular cable, it estimates based on historical information and geography how likely it is that most of the data moving on that cable will be coming from foreigners. The court is not likely to approve broad surveillance on a cable that contains a "significant" amount of U.S. person data, the former official said.

How can the NSA know? A fiber optic cable routing traffic out of Saudi Arabia, for example, is likely to contain mostly foreigners' communications. However, network routing is dynamic, and can change day to day. If, for instance, that same line was suddenly getting traffic from Malta, where there's likely to be a larger number of U.S. persons, the NSA can block the Maltese traffic, the former official said. If that happened, the agency is required to inform the FISA court and describe the steps they took to filter out those communications.

Soghoian, the ACLU technology expert, said that if the NSA were tapping into undersea cables emanating from foreign countries, the likelihood of them containing U.S. persons data would be low. The likelihood increases, however, if those cables were located in the United States, where foreign data would be mingling with Americans' communications. Using the PRISM system, the NSA collects electronic communications from service providers such as Google and Facebook that are based in the United States and use equipment here.

A U.S. person is also more likely to have his communications intercepted if he's communicating with someone overseas, Soghoian said. But Americans who only talk with other U.S. persons can be caught in the driftnet, too -- in part because of the NSA's push into so-called cloud computing.

The NSA's impulse to collect more information has been encouraged by the agency's investments in big data and distributed databases. The agency bet big on Hadoop, a piece of open source software that allows massive amounts of data to be both stored and processed across a seemingly unlimited array of computers. It also lets that data sit on servers uncharacterized until the nanosecond an analyst needs the information. In other words, NSA doesn't have to drop its information into discrete compartments like "foreigner" or "American." The data can be stored, and those characterizations can be made later. This is a great advantage for the agency: It's slurping up billions of records but doesn't have to make sense of them all at once.

The NSA also reverse-engineered Google's most important database, layered it on top of their Hadoop-based system, and added inventive security controls. Older databases can be divided like spreadsheets into rows and columns; analysts can be authorized to access the data from a given column or a given row. The NSA's database, called Accumulo, allows for much more fine-grained permissions; a single cell -- the intersection of a row and column -- can be hidden from an analyst. And even if it is hidden, an analyst can still use that data (even if he can't see it) to help him spot trends and build models.

In his recent testimony, Gen. Alexander said that individual NSA analysts don't have the authority to read someone's e-mails or listen to his phone calls. But with Accumulo and Hadoop, it doesn't matter. Americans' information can be used anyway.
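As an added illustration, not part of the original article and not Accumulo's own code, here is a small Python model of the cell-level control described above. Accumulo attaches a visibility expression (labels joined with `&` and `|`, with parentheses) to every cell, and a scan returns a cell only if the expression is satisfied by the authorization labels the scan carries. The table contents, the label names (SIGINT, FOREIGN, USP, FVEY) and the assumption that an aggregate can run under a broader authorization set than the analyst's own are all invented for the example; the parser also assumes `&` binds tighter than `|`, where real Accumulo requires parentheses when the two are mixed.

```python
import re

_TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|[&|()])")


def _tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"bad visibility expression at offset {pos}: {expr!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def visible(expr, auths):
    """Evaluate an Accumulo-style column-visibility expression such as
    "SIGINT&(FOREIGN|FVEY)" against the authorization labels a scan carries.
    An empty expression means the cell is unlabelled and visible to all.
    Assumption: '&' binds tighter than '|' (real Accumulo demands parentheses
    when the operators are mixed)."""
    expr = expr.strip()
    if not expr:
        return True
    tokens = _tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()      # parse both sides; no short-circuit
            value = value or rhs
        return value

    def parse_and():
        value = parse_atom()
        while peek() == "&":
            take()
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok in ("&", "|", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in auths

    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in expression")
    return result


# Constructed sample table: (row, column, visibility, value). Invented data.
SAMPLE_CELLS = [
    ("sel-0001", "phone",     "SIGINT&FOREIGN",        "+92-300-2222"),
    ("sel-0001", "calls_30d", "SIGINT",                17),
    ("sel-0002", "phone",     "SIGINT&USP",            "+1-202-5551"),
    ("sel-0002", "calls_30d", "SIGINT&USP",            42),
    ("sel-0003", "phone",     "SIGINT&(FOREIGN|FVEY)", "+44-20-7777"),
    ("sel-0003", "calls_30d", "SIGINT",                5),
]


def scan(cells, auths):
    """What an analyst's scan returns: only the cells whose label passes."""
    return [cell for cell in cells if visible(cell[2], auths)]


def column_total(cells, column, auths):
    """A server-side aggregate over one column, evaluated under whatever
    authorizations the aggregating process holds (assumption: that set can be
    broader than the analyst's). Run that way, it folds in cells the analyst's
    own scan would never return."""
    return sum(value for _, col, vis, value in cells
               if col == column and visible(vis, auths))
```

An analyst scanning with the labels SIGINT and FOREIGN gets four of the six cells back and never sees row sel-0002 at all; a total over the calls_30d column computed under SIGINT and USP comes to 64 rather than the 22 the analyst can see, and that figure can be handed back as a statistic with the hidden row still hidden. That is the gap between "the analyst cannot read it" and "the data is not used".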
