Inside the Black Box
How the NSA is helping companies fight back against Chinese hackers.
For China, U.S. government secrecy has been a boon. Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate. Because companies are generally reluctant to admit they’ve been breached and because the National Security Agency, which works with these companies to assess Chinese cyber techniques, is surrounded by a cocoon of secrecy, China has been able to operate with impunity.
That soon will change.
In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China’s cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.
Press reports have indicated that the Obama administration plans to give certain companies a list of domain names China is known to use for network exploitation. But the coming effort is of an entirely different scope. These are American state secrets.
Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies — with their permission — to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or "attribute," the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.
Now, though, the cumulative effect of Chinese economic warfare — American companies’ proprietary secrets are essentially an open book to them — has changed the secrecy calculus. An American official who has been read into the classified program — conducted by cyber-warfare technicians from the Air Force’s 315th Network Warfare Squadron and the CIA’s secret Technology Management Office — said that China has become the "Curtis LeMay" of the post-Cold War era: "It is not abiding by the rules of statecraft anymore, and that must change."
"The Cold War enforced norms, and the Soviets and the U.S. didn’t go outside a set of boundaries. But China is going outside those boundaries now. Homeostasis is being upset," the official said.
In essence, the NSA will give American companies the ability to fight back. The idea is two-fold. One: Behavior modification by exposing Chinese tactics, which, in theory, would embarrass the Chinese. Two: This will force China will develop new hacking avenues, but this will take time, giving U.S. companies the chance to catch up.
The NSA could do even more than this. It has some pretty nifty tools to use in terms of protecting cyberspace. In theory, it could probe devices at critical Internet hubs and inspect the patterns of data packets coming into the United States for signs of coordinated attacks. The recently declassified Comprehensive National Cyberspace Initiative describes the government’s plan, informally known as Einstein 3, to address the threats to government data that run through private computer networks — an admission that the NSA will have to perform deep packet inspection on private networks at some point. But, currently, the NSA only does this for a select group of companies that work with the Department of Defense. It is legally prohibited from setting up filters around all of the traffic entry points.
Government agencies, however, are a different matter. To protect the feds, the NSA provides the Department of Homeland Security with the equipment and personnel to do to the packet inspection. DHS (using NSA personnel) analyzes the patterns, sanitizes the data, and sends the information back to Fort Meade, where the NSA can figure out how to respond to threats discovered. DHS’s jurisdiction does not include the military and U.S. intelligence agencies. That’s the NSA’s province.
The agency has gathered a significant amount of intelligence on the ways sophisticated cyber-actors — usually nation-states and, more often than not, China — have written their code. Sometimes the NSA is able, through its collection of signals intelligence, to get advance notice of a major attack on a major company. It has very recently begun sharing this information with the FBI, which in turn shares it (or a sanitized form of it) with the companies that might be affected.
But it has been NSA policy to keep its information private. They’re an intelligence agency, after all. They gather information in secret and use it to outfox the enemy. If the NSA were to share with the public what it knows about China’s cyber capabilities, for example, then China would know what the NSA knows and would adjust its tactics accordingly, thus potentially rendering the Defense Department’s Internet space more vulnerable. But the penetrations have become so frequent and so potentially economically devastating that the government has decided to take that risk.
The next step may be letting the NSA conduct deep-packet monitoring of private networks. It’s undeniable that Congress and the public probably wouldn’t be comfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.
Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don’t. It’s costly, both in terms of buying the protection systems necessary to make sure critical systems don’t fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.
If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA’s intelligence will be filtered through the FBI and DHS.)
Also, because the NSA’s reputation has been tarnished by its participation in warrantless surveillance, and because telecoms are wary of cooperating with the NSA beyond the scope of the law, companies are afraid to even admit that they’ve asked the agency for technical advice. As a senior executive at Google — which asked the NSA to help contain an outbreak of Chinese network exploitation in 2008 — admitted to me, "People don’t really trust the NSA, and it will raise suspicions that we’re letting them look at their search data, and other things. It’s not in our interest."
But it was in their interest to work with the agency — and in the months ahead the NSA is betting that will be true of many others.