[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Doxing of Equation Group Hackers Raises Questions about the Legal Role of Nation-State Hackers

Update: I should have caveated this post much more strongly. I did not confirm the names and IDs released in the dump are NSA’s hackers. It could be Shadow Brokers added names to cast blame on someone else. So throughout, take this as suspected doxing, with the possibility that it is, instead, disinformation. 

In 2014, DOJ indicted five members of China’s People’s Liberation Army, largely for things America’s own hackers do themselves. Contrary to what you’ve read in other reporting, the overwhelming majority of what those hackers got indicted for was the theft of information on international negotiations, something the US asks its NSA (and military industrial contractor) hackers to do all the time. The one exception to that — the theft of information on nuclear reactors from Westinghouse within the context of a technology transfer agreement — was at least a borderline case of a government stealing private information for the benefit of its private companies, but even there, DOJ did not lay out which private Chinese company received the benefit.

A month ago, DOJ indicted two Russian FSB officers and two criminal hackers (one, Alexey Belan, who was already on FBI’s most wanted list) who also worked for the Russian government. Rather bizarrely, DOJ deemed the theft of Yahoo tools that could be used to collect on Yahoo customers “economic espionage,” even though it’s the kind of thing NSA’s hackers do all the time (and notably did do against Chinese telecom Huawei). The move threatens to undermine the rationalization the US always uses to distinguish its global dragnet from the oppressive spying of others: we don’t engage in economic espionage, US officials always like to claim. Only, according to DOJ’s current definition, we do.

On Friday, along with details about previously unknown, very powerful Microsoft vulnerabilities and details on the 2013 hacking of the SWIFT financial transfer messaging system, ShadowBrokers doxed a number of NSA hackers (I won’t describe how or who it did so — that’s easy enough to find yourself). Significantly, it exposed the name of several of the guys who personally hacked EastNets SWIFT service bureau, targeting (among other things) Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. They also conducted reconnaissance on at least one Belgian-based EastNets employee. These are guys who — assuming they moved on from NSA into the private sector — would travel internationally as part of their job, even aside from any vacations they take overseas.

In other words, ShadowBrokers did something the Snowden releases and even WikiLeaks’ Vault 7 releases have avoided: revealing the people behind America’s state-sponsored hacking.

Significantly, in the context of the SWIFT hack, it did so in an attack where the victims (particularly our ally Kuwait and an apparent European) might have the means and the motive to demand justice. It did so for targets that the US has other, legal access to, via the Terrorist Finance Tracking Program negotiated with the EU and administered by Europol. And it did so for a target that has subsequently been hacked by people who might be ordinary criminals or might be North Korea, using access points (though not the sophisticated techniques) that NSA demonstrated the efficacy of targeting years earlier and which had already been exposed in 2013. Much of the reporting on the SWIFT hack has claimed — based on no apparent evidence and without mentioning the existing, legal TFTP framework — that these hacks were about tracking terrorism finance. But thus far, there’s no reason to believe that’s all that the NSA was doing, particularly with targets like the Kuwait development fund.

Remember, too, that in 2013, just two months after NSA continued to own the infrastructure for a major SWIFT service bureau, the President’s Review Group advised that governments should not use their offensive cyber capabilities to manipulate financial systems.

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;


[G]overnments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

No one has ever explained where the PRG came up with the crazy notion that governments might tamper with the world’s financial system. But since that time, our own spooks continue to raise concerns that it might happen to us, Keith Alexander — the head of NSA for the entire 5-year period we know it to have been pwning SWIFT — is making a killing off of such fears, and the G-20 recently called for establishing norms to prevent it.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

While that’s certainly a compelling argument, there may be another motive that could explain it.

In a little-noticed statement released between its last two file dumps, Shadow Brokers published a post explaining (and not for the first time) that what gets called its “broken” English is instead operational security (along with more claims about what it’s trying to do). As part of that statement, Shadow Brokers claims it writes (though the tense here may be suspect) documents for the federal government and remains in this country.

The ShadowBrokers is writing TRADOC, Position Pieces, White Papers, Wiki pages, etc for USG. If theshadowbrokers be using own voices, theshadowbrokers be writing peoples from prison or dead. TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue.

On the same day and, I believe (though I am still trying to confirm the timing), before that post, Shadow Brokers had reacted to a Forbes piece asking whether it was about to be unmasked (quoting Snowden), bragging that “9 months still living in homeland USA USA USA our country theshadowbrokers not run, theshadowbrokers stay and fight.” Shadow Brokers then started attacking Jake Williams for having a big mouth for writing this post, claiming to expose him as a former Equation Group member, specifically invoking OddJob (the other file released on Friday that doxed NSA hackers, though not Williams), and raising the “gravity” of talking to Q Group, NSA’s counterintelligence group.

trying so hard so helping out…you having big mouth for former member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing members but had make exception for big mouth, keep talking shit your next

Which is to say that, four days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, while bragging about having gone unexposed thus far despite remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

Which is not to say such a motivation, if true, is mutually exclusive of Russia retaliating for having its own hackers exposed.

All of which brings me back to the question of norms. Even as the US has been discussing other norms about hacking in recent years, I’ve seen next to no discussion about how state hackers — and remember, this post discusses NSA hackers, including uniformed members of the Armed Services, government contractors, spies, and criminal hackers working for a state (a practice we do too, though in a different form than what Russia does) — fit into international law and norms about immunities granted to individuals acting on behalf of the state. The US seems to have been proceeding half-blindly, giving belated consideration to how the precedents it sets with its offensive hacking might affect the state, without considering how it is exposing the individuals it relies on to conduct that hacking.

If nothing else, Shadow Brokers’ doxing of NSA’s own hackers needs to change that. Because these folks have just been directly exposed to the kind of international pursuit that the US aggressively conducts against Russians and others.

Because of international legal protections, our uniformed service members can kill for the US without it exposing them to legal ramifications for the rest of their lives. The folks running our spying and justice operations, however, apparently haven’t thought about what it means that they’re setting norms that deprive our state-sponsored hackers of the same protection.

Update: I forgot to mention the most absurd example of us indicting foreign hackers: when, last year, DOJ indicted 7 Iranians for DDOS attacks. In addition to the Jack Goldsmith post linked in that post, which talks about the absurdity of it, Dave Aitel and Jake Williams talked about how it might expose people like them to international retaliation.

CrowdStrike’s Own Announcement Makes It Clear It Doesn’t Have Proof of Ongoing Chinese Economic Cyberattacks

Many many many outlets are reporting that China has continued conducting economic espionage even after Xi Jinping agreed to stop doing it. They base that claim on this post from CrowdStrike, a big cybersecurity contractor that spends a lot of time feeding the press scary stories about hacking.

Here’s the proof they offer:

Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.


In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

They include a timeline showing 9 attempted intrusions into Tech Sector companies, and 2 into Pharma companies since Xi and President Obama signed the hacking agreement.

Now, even assuming that CrowdStrike has accurately labeled these Chinese government hackers (CrowdStrike’s CTO was less confident in an interview with Motherboard) this still is not proof that China has violated the agreement.

After all, the key part of the agreement is on how stolen information gets used — whether it gets used to benefit individual companies or even entire sectors (the latter of which we do in our own spying, but never mind). If CrowdStrike prevented any data from being stolen, then it is impossible to assert that it was being stolen to benefit market actors without more evidence that the hackers were tasked by a market actor. Even the indictment everyone points to as proof that China engages in economic espionage did not allege that the People’s Liberation Army had shared the data involved in the single economic espionage charge with private sector companies, and given that the data in question pertained to nuclear technology, it’s not something that is proven just because it was stolen in the context of an ongoing relationship with the victim (even if that is a logical presumption to make).

The same is true here. When China hacked Google to spy on dissidents, that was clearly national security spying. When the US hacked Huawei to figure out how to backdoor its equipment, that was clearly national security spying. When the US used Microsoft and Siemens products to carry out Stuxnet, the tech companies were merely enabling targets. There are too many reasons to hack tech sector companies for solidly national security purposes to claim, just based on the sector itself, that it was done for economic espionage.

You can’t even point to the 2 Pharma intrusions to make the claim. A list of sites the State Department identified as critical infrastructure from a leaked 2009 cable includes over 25 pharmaceutical sites (including animal Pharma), many of them related to vaccines. If we’re treating pharmaceutical supply and research facilities as critical infrastructure, with the presumed consequent defensive surveillance of those sites, it is tough to argue the Chinese can’t consider our pharmaceutical companies making key drugs to be critical targets. Both can be argued to stem from the same public health concerns.

I’m not saying it’s impossible or even unlikely that these intrusions were attempted economic espionage. I’m saying that this isn’t evidence of it, and that the reporting repeating this claim has been far too credulous.

But that also points to one of the inherent problems with this deal (one pointed to by many people at the time). When last he testified on the subject, Jim Clapper didn’t even claim to have fully attributed the OPM hack. The same attribution and use problems exist here. China may steal data on an important new drug, but that’s not going to be enough to prove they stole it for commercial gain until they release their own copycat of the drug in several years and use it to undercut the US company’s product, and even then that may require a lot more data — collected by spying! — from inside the market companies themselves (in part because China engages in many other means of stealing data which aren’t the subject of a special agreement, which will make even the copycat instance hard to prove came from an intrusion).

China knew that, too, when it signed the agreement. It will take more than evidence of 11 attempted intrusions to prove that China is violating the agreement.

US Trade Rep Complains Other Countries Aren’t Letting NSA Spy

In the NYT, David Sanger describes US efforts to develop some common understanding over cyberattacks with China by briefing it on what our escalation process would be. Unsurprisingly, China (which hasn’t had a massive data leak as an excuse to admit to information now in the public domain) has not reciprocated.

And while Sanger makes it clear the US is still not admitting to Stuxnet, his US sources are coming to understand that the rationalizations we use to excuse our spying aren’t really as meaningful as we like to tell ourselves.

Mr. Obama told the Chinese president that the United States, unlike China, did not use its technological powers to steal corporate data and give it to its own companies; its spying, one of Mr. Obama’s aides later told reporters, is solely for “national security priorities.” But to the Chinese, for whom national and economic security are one, that argument carries little weight.

“We clearly don’t occupy the moral high ground that we once thought we did,” said one senior administration official.

I especially love the spectacle of an SAO coming to grips with this, but doing so anonymously.

Yet this anonymous admission will not stop the US from imposing such double standards. On Friday, the US Trade Representative issued its yearly report on barriers to trade in telecom and related industries. (Reuters reported on the report here.) None of these complaints are explicitly about the NSA. And some of USTR’s demands — that Turkey stop shutting down services like Twitter — would make it harder for other countries to spy on their own citizens.

But many of the USTR’s complaints single out measures that are either deliberately meant to undermine NSA’s spying advantages, or would have the effect of doing so. So these complaints also amount to whining that other countries are making NSA’s job harder.

Consider some of the complaints against China, whose top equipment manufacturer Huawei the US has excluded from not only the US, but also Korea and Australia.

It complains about China’s limits on telecom providers — and pretends this is exclusively a trade issue, not a national security issue.

Moreover, the Chinese Government still owns and controls the three major basic telecom operators in the telecommunications industry, and appears to see these entities as important tools in broader industrial policy goals, such as promoting indigenous standards for network equipment.

USTR criticizes China’s categorization of businesses that can be used for spying — such as cloud computing firms — as telecoms subject to licensing restrictions.

China’s equity restrictions on foreign participation constitute a major impediment to market access in China. These restrictions are compounded by China’s broad interpretation of services requiring a telecommunications license (and thus subject to equity caps) and narrow interpretation of the specific services foreign firms can offer in these sub-sectors.


Several VAS definitions in the draft Catalog also raise trade restriction concerns. First, the draft Catalog created a new category of “Internet Resource Collaboration Services” that appears to cover all aspects of cloud computing. (Cloud computing is a computer service or software delivery model, and should not be misclassified as a telecommunications service.) MIIT’s approach to cloud computing generally raises a host of broad concerns. Second, the draft Catalog significantly expanded the definition of “Information Services” to include software application stores, software delivery platforms, social networking websites, blogs, podcasts, computer security products, and a number of other Internet and computing services. These services simply use the Internet as a platform for providing business and information to customers, and thus should not be considered as telecommunications services.

USTR complains about Chinese requirements for encryption, both for information systems tied to critical infrastructure.

Starting in 2012, both bilaterally and during meetings of the WTO’s Committee on Technical Barriers to Trade, the United States raised its concerns with China about framework regulations for information security in critical infrastructure known as the Multi-Level Protection Scheme (MLPS), first issued in June 2007 by the Ministry of Public Security (MPS) and the Ministry of Industry and Information Technology (MIIT). The MLPS regulations put in place guidelines to categorize information systems according to the extent of damage a breach in the system could pose to social order, public interest, and national security. The MLPS regulations also appear to require buyers to comply with certain information security technical regulations and encryption regulations that are referenced within the MLPS regulations. If China issues implementing rules for the MLPS regulations and applies the rules broadly to commercial sector networks and IT infrastructure, they could adversely affect sales by U.S. information security technology providers in China.

And for providers on its 4G network.

At the end of 2011 and into 2012, China released a Chinese government-developed 4G Long-Term Evolution (LTE) encryption algorithm known as the ZUC standard. The European Telecommunication Standards Institute (ETSI) 3rd Generation Partnership Project (3GPP) had approved ZUC as a voluntary LTE encryption standard in September 2011. According to U.S. industry reports, MIIT, in concert with the State Encryption Management Bureau (SEMB), informally announced in early 2012 that only domestically developed encryption algorithms, such as ZUC, would be allowed for the network equipment and mobile devices comprising 4G TD-LTE networks in China. It also appeared that burdensome and invasive testing procedures threatening companies’ sensitive intellectual property could be required.

In response to U.S. industry concerns, USTR urged China not to mandate any particular encryption standard for 4G LTE telecommunications equipment, in line with its bilateral commitments and the global practice of allowing commercial telecommunications services providers to work with equipment vendors to determine which security standards to incorporate into their networks.

Finally, USTR dubs China’s limits on outside VoIP services a trade restriction.

Restrictions on VoIP services imposed by certain countries, such as prohibiting VoIP services, requiring a VoIP provider to partner with a domestic supplier, or imposing onerous licensing requirements have the effect of restricting legitimate trade or creating a preference for local suppliers, typically former monopoly suppliers.

All of these complaints, of course, can be viewed narrowly as a trade problem. But the underlying motivation on China’s part is almost certainly about keeping the US out of its telecom networks, both to prevent spying and to sustain speech restraints behind the Great Firewall.

It’s not just China about which USTR complains. It issues similar dual-purpose (trade and spying) complaints against India and Colombia, among others.

And of course, it finds European plans to require intra-EU transit limits — a plan done largely to combat US spying — a “draconian” trade restriction.

In particular, Deutsche Telekom AG (DTAG), Germany’s biggest phone company, is publicly advocating for EU-wide statutory requirements that electronic transmissions between EU residents stay within the territory of the EU, in the name of stronger privacy protection. Specifically, DTAG has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU;


The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers.

Meanwhile, even as I was writing this, one of the EU’s top Data Privacy figures, Paul Nemitz, just floated making the reverse accusation against America, that its NSA spying is a trade impediment to European businesses trying to do business in the US.

Fun stuff.

Taking Kaplan’s Defense of Empire on Its Face

Robert Kaplan wrote a predictably horrible defense of empire that a number of people are giving the appropriate disdainful treatment.

Against my better judgment, I’d like to take a different approach and treat it as a useful piece (though not one I agree with or find palatable at all).

I think it’s useful, in part, against the background of the NSA disclosures. Key players in NSA discussions — people who travel some of the same circles as Kaplan, even — premise their treatment of the disclosures from an exclusively national perspective, completely ignoring that the NSA (and its GCHQ poodle) is different precisely because it depends on and serves as a key instrument of authority in an empire (or global hegemon, if the term empire gives you the willies). Approaching and assessing NSA’s behavior solely from a national perspective not only represses the obvious reasons why NSA’s dragnet of other countries’ citizens matters, but it also fails to assess our actions in the proper light, even from the standpoint of efficacy. NSA’s tasking choices reflect not our national interest, but rather the needs of the empire, which is why a relatively minor country like Venezuela gets prioritized along with Russia and China. That’s why we made Huawei such a high priority target: because it presents a unique threat to the functioning of our empire.

I would like to get to the point where we can discuss the NSA disclosures not just in terms of what they mean for Americans’ civil liberties, as well as those who may not enjoy Fourth Amendment protection but nevertheless are citizens in a US order, but also whether the prioritization of complete dragnet and offensive spying and hacking serves the interests to which they’ve been put, that of the American global hegemon.

And here’s where I think Kaplan, in spite of his racism and paternalism and selective history, serves a useful role at this point in time. He claims, cherry picking from history, that only empires can provide order.

Throughout history, governance and relative safety have most often been provided by empires, Western or Eastern. Anarchy reigned in the interregnums.

And then he asks whether or not America can afford to sustain its own empire.

Nevertheless, the critique that imperialism constitutes bad American foreign policy has serious merit: the real problem with imperialism is not that it is evil, but rather that it is too expensive and therefore a problematic grand strategy for a country like the United States. Many an empire has collapsed because of the burden of conquest. It is one thing to acknowledge the positive attributes of Rome or Hapsburg Austria; it is quite another to justify every military intervention that is considered by elites in Washington.

Thus, the debate Americans should be having is the following: Is an imperial-like foreign policy sustainable?


Once that caution is acknowledged, the debate gets really interesting. To repeat, the critique of imperialism as expensive and unsustainable is not easily dismissed.

Perhaps predictably Kaplan dodges his own question, never seriously answering it. Instead of answering the question that he admits might have answers he doesn’t much like, he instead spends a bunch of paragraphs, in all seriousness, arguing that Obama is pursuing a post-Imperial presidency.

Rather than Obama’s post-imperialism, in which the secretary of state appears like a lonely and wayward operator encumbered by an apathetic White House, I maintain that a tempered imperialism is now preferable.

No other power or constellation of powers is able to provide even a fraction of the global order provided by the United States.

And by dodging his own question by launching a partisan attack, Kaplan avoids a number of other questions. Not just whether the American empire is sustainable, but whether there’s something about the means of American empire that has proven ineffective (which is really a different way of asking the same question). Why did Iraq end up being such a catastrophe? Why did we lose the Arab Spring, in all senses of the word? Why, even at a time when the US still acts as global hegemon, is instability rising?

There are some underlying reasons, like climate change, that the imperialists would like to distinguish from our oil-based power and the dollar exchange it rests on.

But even more, I think, the imperialists would like to ignore how neoliberalism has gutted the former source of our strength, our manufacturing, has led us to increased reliance on Intellectual Property, and has not offered the people in our realm of influence the stability Kaplan claims empire brings. People can’t eat, they can’t educate their children, they can’t retire because of the policies Kaplan and his buddies have pushed around the world. And the US solution to this is more trade pacts that just further instantiate IP as a core value, regardless of how little it serves those people who can’t eat.

The NSA is intimately a part of this, of course. That is the reason I find it so hysterical that NSA’s one defense against China is effectively the IP one — the NSA doesn’t steal IP and give it to “private” companies to use. But that’s just another way of saying that the empire we’ve rolled out has failed to protect even the increasingly ineffective core basis of our power, its IP.

I’ve said this before, but what is happening, increasingly, is that the US has to coerce power rather than win it through persuasion — persuasion that used to be (at least for our European allies) increased quality of life. It’s a lot more expensive to coerce power, both in terms of the military adventures or repression you must engage in, but also in terms of the dragnet you must throw across the world rather than the enhanced communication of an open Internet. Nevertheless, the Obama Administration, for all of Kaplan’s claimed post-Imperialism, seems to be doubling down on more coercive (or, in the case of trade agreements, counterproductive) means of retaining power.

And so Kaplan, who’s so sure that empire is a great thing, might be better considering not empire in the abstract (indeed, abstracted to the point of suppressing the many downsides of empire), but the empire we’ve got. He seems to implicitly admit he can’t rebut the claim that our empire is no longer sustainable, but since he can’t he changes the subject. Why is our empire unsustainable, Robert Kaplan? And for those who believe the US offers a good — or even a least-bad — order for the globe, what do you intend to do to return it to sustainability?

Dragnets and austerity aren’t going to do it, that’s for sure.

Update: Thanks to Wapiti for alerting me to my huge error of substituting Kagan (generic neocon name) for Kaplan’s actual last name. Sorry for the confusion.

How the NSA Deals with a Threat to Its Backbone Hegemony

I have talked before about the importance of US’ dominant role in global telecom infrastructure in our hegemonic position.

US hegemony rests on a lot of things: the dollar exchange, our superlative military, our ideological lip service to democracy and human rights.

But for the moment, it also rests on the globalized communication system in which we have a huge competitive advantage. That is, one reason we are the world’s hegemon is because the rest of the world communicates through us — literally, in terms of telecommunications infrastructure, linguistically, in English, and in terms of telecommunications governance.

Which is why these stories (NYT, Spiegel’s short version, to be followed by a longer one Monday) about NSA’s targeting of Huawei are so interesting. Der Spiegel lays out the threat Huawei poses to US hegemony.

“We currently have good access and so much data that we don’t know what to do with it,” states one internal document. As justification for targeting the company, an NSA document claims that “many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products.” The agency also states concern that “Huawei’s widespread infrastructure will provide the PRC (People’s Republic of China) with SIGINT capabilities.” SIGINT is agency jargon for signals intelligence. The documents do not state whether the agency found information indicating that to be the case.

The operation was conducted with the involvement of the White House intelligence coordinator and the FBI. One document states that the threat posed by Huawei is “unique”.

The agency also stated in a document that “the intelligence community structures are not suited for handling issues that combine economic, counterintelligence, military influence and telecommunications infrastructure from one entity.”

Fears of Chinese Influence on the Net

The agency notes that understanding how the firm operates will pay dividends in the future. In the past, the network infrastructure business has been dominated by Western firms, but the Chinese are working to make American and Western firms “less relevant”. That Chinese push is beginning to open up technology standards that were long determined by US companies, and China is controlling an increasing amount of the flow of information on the net. [my emphasis]

And the NSA document the NYT included makes this threat clear.

There is also concern that Huawei’s widespread infrastructure will provide the PRC with SIGINT capabilities and enable them to perform denial of service type attacks.

Now, for what it’s worth, the NYT story feels like a limited hangout — an attempt to pre-empt what Spiegel will say on Monday, and also include a bunch of details on NSA spying on legitimate Chinese targets so the chattering class can talk about how Snowden is a tool of Chinese and Russian spies. (Note, the NYT story relies on interviews with a “half dozen” current and former officials for much of the information on legitimate Chinese targets here, a point noted by approximately none of the people complaining.)

But the articles make it clear that 3 years after they started this targeted program, SHOTGIANT, and at least a year after they gained access to the emails of Huawei’s CEO and Chair, NSA still had no evidence that Huawei is just a tool of the People’s Liberation Army, as the US government had been claiming before and since. Perhaps they’ve found evidence in the interim, but they hadn’t as recently as 2010.

Nevertheless the NSA still managed to steal Huawei’s source code. Not just so it could more easily spy on people who exclusively use Huawei’s networks. But also, it seems clear, in an attempt to prevent Huawei from winning even more business away from Cisco.

I suspect we’ll learn far more on Monday. But for now, we know that even the White House got involved in an operation targeting a company that threatens our hegemony on telecom backbones.

NSA, Not China, the Global BIOS Suicide Cyber-Bomber

Remember when, to fearmonger as part of 60 Minutes NSA propaganda, they warned of a Chinese attack on the US economy that, if launched, would have amounted to China acting as a suicide cyber-bomber?

The attack would have targeted computers’ BIOS.

Then there’s the scary BIOS plot.

I’ll need to go back and review this, but the gist of the scary claim at the heart of the report is that the NSA caught China planning a BIOS plot to shut down the global economy.

Of course, if that happened, it’d mean a goodly percentage of China’s 1.3 billion people would go hungry, which would lead to unbelievable chaos in China, which would mean the collapse of the state in China, the one thing the Chinese elite want to prevent more than anything.

But the NSA wants us to believe that this was actually going to happen.

That China was effectively going to set off a global suicide bomb. Strap on the economy in a cyber-suicide vest and … KABOOOOOOOM!

And the NSA heroically thwarted that attack.

The invocation of a BIOS attack was meant to provide authenticity and (for those who didn’t realize how obvious this is) mystery, I think.

But I find it particularly ironic that inserting backdoors into BIOS is (or was, back in 2008) the preferred method of NSA’s Access Network Technology group, which provides tools to access hardware and software.

It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Again, this is not surprising. It’s just a means of getting at what the NSA wants to acquire.

Still, it highlights the degree to which most fearmongering claims the NSA makes may well be projection about its own activities.
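The persistence the Spiegel passage describes survives a wiped disk and a fresh operating system because the implant lives in the flash chip, not on the drive, so nothing running on top of the OS can vouch for the machine. The only meaningful check is of the firmware image itself. What follows is an added example, not code from this page or from any tool or agency mentioned on it: it compares a flash dump against a known-good baseline region by region, so that a change can be located and so that regions such as NVRAM, which change legitimately between boots, do not raise false alarms. The flash layout, the image contents and the baseline are all constructed inline for the demonstration; on a real system the dump and the layout would come from the vendor or from a firmware analysis tool.

```python
"""Region-wise integrity check of a firmware image against a known-good baseline.

Added example. The layout, the image bytes and the baseline are constructed
here; nothing below comes from a real machine or a real vendor image.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Region:
    name: str
    offset: int
    size: int


# Hypothetical layout of a 4 KiB flash image (constructed for this example).
LAYOUT: Sequence[Region] = (
    Region("descriptor", 0x000, 0x100),
    Region("boot_block", 0x100, 0x300),
    Region("main_firmware", 0x400, 0x800),
    Region("nvram", 0xC00, 0x400),
)

# Regions that legitimately change between boots (settings, boot order).
VOLATILE = frozenset({"nvram"})


def build_golden_image() -> bytes:
    """Constructed 'known-good' image: each region is filled with a distinct
    byte value so the regions are distinguishable. Stands in for a vendor dump."""
    image = bytearray(0x1000)
    for i, region in enumerate(LAYOUT):
        fill = bytes([0x10 * (i + 1)])
        image[region.offset:region.offset + region.size] = fill * region.size
    return bytes(image)


def region_hashes(image: bytes, layout: Sequence[Region] = LAYOUT) -> Dict[str, str]:
    """SHA-256 of every region. Hashing per region rather than the whole image
    tells the analyst where a change is and lets volatile regions be excluded."""
    if len(image) < max(r.offset + r.size for r in layout):
        raise ValueError("image is shorter than the layout describes")
    return {
        r.name: hashlib.sha256(image[r.offset:r.offset + r.size]).hexdigest()
        for r in layout
    }


def changed_regions(image: bytes, baseline: Dict[str, str],
                    layout: Sequence[Region] = LAYOUT,
                    volatile: frozenset = VOLATILE) -> List[str]:
    """Names of non-volatile regions whose contents differ from the baseline.
    A non-empty result on a machine that was wiped and reinstalled is exactly
    the signal that disk-level and OS-level tooling cannot provide."""
    current = region_hashes(image, layout)
    return [
        name for name in current
        if name not in volatile and current[name] != baseline.get(name)
    ]


def with_bytes_replaced(image: bytes, offset: int, data: bytes) -> bytes:
    """Copy of image with data written at offset. Used only to build the
    constructed samples below; it does not touch any real flash."""
    if offset < 0 or offset + len(data) > len(image):
        raise ValueError("write would fall outside the image")
    buf = bytearray(image)
    buf[offset:offset + len(data)] = data
    return bytes(buf)


def demo() -> List[str]:
    """Build the baseline, then check two constructed dumps against it."""
    golden = build_golden_image()
    baseline = region_hashes(golden)

    # A settings change inside NVRAM must not raise an alert.
    settings_changed = with_bytes_replaced(golden, 0xC10, b"\x01\x02\x03")
    assert changed_regions(settings_changed, baseline) == []

    # A few bytes altered in the boot block must be reported, by region name.
    modified = with_bytes_replaced(golden, 0x1F0, b"\x00" * 16)
    return changed_regions(modified, baseline)


if __name__ == "__main__":
    print(demo())  # ['boot_block']
```

The baseline should be taken from a trusted source (a vendor-published image or a dump made before deployment) and stored off the machine being checked, since a dump taken from an already-modified system would simply enshrine the modification as "known good".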

That said, given the list of companies whose products they’ve compromised, it may serve as a kind of suicide bomb against the tech industry:

  • Juniper Networks
  • Cisco
  • Huawei
  • Western Digital
  • Seagate
  • Maxtor
  • Samsung

Again, that ANT tampers with Huawei products is not surprising, but it is ironic, given that we not only won’t let Huawei do business in the US, but increasingly want to keep them out of our close allies’ networks, all because of concerns China would require the company to insert back doors into Huawei equipment.

Maybe those back doors are really NSA’s?

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hanged himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but compare a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working on GaN-based technologies.

Though these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no?

Are the Chinese Spying on Our Spying?

Danger Room reports that our nation’s spooks have moved beyond their concern about Chinese chips and other “counterfeit” (read, sabotaged) parts in war toys to grow concerned about Chinese parts in our telecom system.

Rep. Mike Rogers (R-Mich.), chairman of the House Permanent Select Committee on Intelligence (HPSCI), and the committee’s top Democrat, Rep. Dutch Ruppersberger, announced on Thursday that their committee will look into the potential for Chinese telecommunications equipment — like commercial servers, routers and switches — to help China spy on the United States.

“The investigation is to determine the extent to which these companies provide the Chinese government an opportunity for greater foreign espionage, threaten our critical infrastructure, and further the opportunity for Chinese economic espionage,” Rogers tells Danger Room. “Through this investigation we will come to a better understanding of the threat so we are better prepared to mitigate.”

The concern is that Chinese companies could tamper with equipment for use in civilian communications infrastructure, allowing China to insert Trojan horses that eavesdrop on targets in the United States. Chinese companies already make a number of telecommunications products sold in the U.S., but several have bowed out of deals to acquire large stakes in American telecom companies after facing U.S. government pressure.

Rogers says the investigation is an outgrowth of a review he commissioned shortly after becoming chairman of the committee in January.

Now, I don’t think Rogers and Ruppersberger are wrong to be concerned. The Chinese have every incentive to steal what they can from us, and their country’s corporations have always seemed willing to help out.

But I wonder if the concern doesn’t go beyond just China’s ability to affirmatively spy on select targets in the US and the rest of the world. To what degree are Rogers and Ruppersberger–the latter of whom represents the NSA–worried about the US monopoly on wiretapping switches? And is it possible that China will be able to create bottlenecks–as we did in the 1990s–to make it easier to wiretap? To what degree has China’s ascendance threatened the Anglo-American superiority in wiretapping?