The NSA’s New Code Breakers

There was a time when the code breakers of the National Security Agency actually took the lead in solving enemy encryption systems. These days, not so much. In today’s NSA, it’s hackers, break-in artists, corporate liaisons, and shadow salesmen using front companies who are at the forefront of this effort. Even so-called "hacktivists" play an unwitting role in helping the NSA gain access to computer networks — both hostile and friendly.

Just about the only place that’s somewhat immune to the NSA’s new style of code-breaking attacks? North Korea, because it’s so disconnected from the rest of the world’s networks.

Former U.S. intelligence officials confirm that the more than 1,500 cryptanalysts, mathematicians, scientists, engineers, and computer technicians who comprise NSA’s elite cryptanalytic unit, the Office of Cryptanalysis and Exploitation Services (S31), have had a remarkably large number of code-breaking successes against foreign targets since the 9/11 attacks. But these wins were largely dependent on clandestine intelligence activities for much of their success in penetrating foreign communications networks and encryption systems, and not the more traditional cryptanalytic attacks on encrypted messages that were the norm during the Cold War era. Prior to 9/11, the NSA’s cryptanalysts used their huge stable of supercomputers to break cipher systems using what is referred to as "brute-force methods" — using the supercomputers to run every cipher permutation until the message or messages in question become readable. It was a long, tedious, and extremely costly process (today the NSA spends over $247 million a year to buy and maintain its state-of-the-art supercomputer systems just for cryptanalytic use). But it did work if there were inherent vulnerabilities or structural weaknesses in the cipher being attacked or if the system’s users did not practice proper communications security procedures, such as changing the cipher keys and passwords frequently.

The NSA today has more supercomputers than ever, and the agency still employs a number of puzzle-solvers, linguists, and math geeks. But these classic cryptanalysts have, in part, given way to a new breed.

You won’t learn this in the files leaked by former NSA contractor Edward Snowden — at least not directly. According to individuals who have reviewed the entire collection of 50,000 documents provided to the media by Snowden, what is missing from the papers is any document which lays out in detail just how successful the agency’s code-breaking efforts have been. There are numerous documents in the Snowden collection describing individual NSA cryptologic programs, such as the NSA’s mostly unsuccessful multiyear effort to crack the encryption protection used by the anonymizer service Tor. But no reports describing the agency’s cryptanalytic successes and failures have been found in the Snowden collection to date.

Interviews with current and former intelligence officials conducted over the past two months have revealed that since 9/11, the NSA’s computer scientists, electronic engineers, software programmers, and collection specialists have been remarkably inventive in finding new and innovative ways to circumvent the protections supposedly offered by encryption systems by compromising them through clandestine means. Among these clandestine means are CIA and FBI "black-bag jobs," as well as secret efforts by the U.S. intelligence community to interdict the shipment of advanced encryption technology to America’s enemies around the world and insert "back doors" into commercially available computer, communications, and encryption technologies that allow the NSA to covertly access these systems without the users knowing it.

But the most sensitive of these clandestine techniques, and by far the most productive to date, is to covertly hack into targeted computers and copy the documents and message traffic stored on these machines before they are encrypted, a process known within the NSA as "Endpoint" operations. Responsibility for conducting these Endpoint operations rests with the computer hackers of the NSA’s cyberespionage unit, the Office of Tailored Access Operations (TAO).

According to sources familiar with the organization’s operations, TAO has been enormously successful over the past 12 years in covertly inserting highly sophisticated spyware into the hard drives of over 80,000 computer systems around the world, although this number could be much higher. And according to the sources, these implants are designed in such a way that they cannot be detected by currently available commercial computer security software. It has been suggested to me by a reliable source that "this is not an accident," with the insinuation being that many of the biggest commercially available computer security software systems made in the United States and overseas have been compromised by the NSA, either covertly or with the knowledge and consent of the companies that manufacture these systems.

Former agency personnel confirm that in innumerable instances, these TAO implants have allowed NSA analysts to copy and read all of the unencrypted documents stored on the targeted computer’s hard drive, as well as copy every document and email message produced and/or transmitted by the machine. But more importantly, TAO has helped NSA cryptanalysts solve several hundred foreign government and commercial encryption systems because these spyware implants, if properly inserted into the computer, can covertly alter its security software as well as copy the encryption system’s technical parameters, especially the system’s encryption algorithm and access passwords, in a way that cannot be detected. These implants can compromise the encryption systems used by not only the targeted computer, but also by all other computer systems that it communicates with using encryption technology.

According to confidential sources familiar with TAO’s operations, many of the NSA’s cryptanalytic "success stories" against high-priority targets such as Russia and the People’s Republic of China in recent years have been the direct result of TAO’s cyberespionage efforts. For example, sources confirm that much of what the U.S. intelligence community knows about China’s computer-hacking efforts against targets in the United States, Europe, and Asia stems from TAO’s intelligence collection efforts since 2005, when TAO reportedly achieved a major technical breakthrough against a Chinese target.

But TAO doesn’t just spy on America’s rivals. In 2012, the group reportedly compromised the encryption system used by an important G-8 country to transmit sensitive diplomatic communications via satellite to its embassies around the world. The same is true with a number of countries in the Middle East and South Asia, including Egypt, Syria, Iran, and Pakistan, although the details of these successes are not yet known. And finally, sources report that TAO has successfully compromised the privacy protection systems currently used on a range of 4G cell phones and hand-held devices, thanks in large part to help from a major American telecommunications company.

There are high-profile targets that have proved resistant to TAO’s cyberespionage efforts over the years, however. For example, TAO has reportedly had virtually no success penetrating North Korean government computer systems or networks because there are so few of them and they are heavily protected from access to the outside world.

Over time, TAO has become increasingly accomplished at its mission, thanks in part to the high-level cooperation that it secretly receives from the "big three" American telecommunications companies (AT&T, Verizon, and Sprint), most of the large U.S.-based Internet service providers, and many of the top computer security software manufacturers and consulting companies. According to a February 2012 budget document published this year by ProPublica, these companies "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" on behalf of TAO.

TAO is also very active in the global computer security industry marketplace, using the CIA, Defense Intelligence Agency, and State Department to help it keep close tabs on the latest computer security devices and software systems being developed around the world. And while details are lacking, informed sources report that TAO has been active in covertly buying up commercially available "hacker tools" or spyware software systems from individuals and companies in the United States and overseas, particularly in Western Europe, to help facilitate its ever-growing computer network exploitation efforts.

The extreme sensitivity of TAO’s collection efforts has required the NSA to take extraordinary steps to try to disguise its computer-hacking activities. For instance, current and former intelligence sources confirm that TAO increasingly depends on clandestine techniques, such as commercial cover, to hide its activities. TAO uses an array of commercial business entities, some of them proprietary companies established specifically for this purpose, to try to hide its global computer-hacking activities from computer security experts in a maze of interlocking computer servers and command-and-control systems located in the United States and overseas that have no discernible link to the NSA or the U.S. government.

These sources also say that TAO gets a lot of help from politically motivated hackers, or "hacktivists," who unintentionally help the NSA by providing ideas to improve TAO’s collection efforts. (Exactly which hacktivists have been particularly helpful, these sources wouldn’t say.) Working closely with the NSA’s computer security experts at the NSA/CSS Threat Operations Center, TAO personnel perform detailed forensic postmortem studies of every major successful computer penetration operation around the world. Some of these are pulled off by criminal outfits, some by government-backed groups, and others by political actors. In each case, the agency’s personnel look for new techniques or procedures that they can use to get inside computer systems around the world.

There is no question that TAO’s future looked incredibly bright before the first newspaper articles began appearing in the British and American press in June 2013 based on documents leaked by Snowden. Now, industry sources familiar with TAO say that the organization’s future prospects have dimmed somewhat.

A number of foreign-based computer systems and IT networks that formerly were major producers of intelligence information for TAO have over the past three months changed security procedures and encryption systems, routed traffic to more secure computer nodes or servers, erected new firewalls, or gone offline altogether. According to recent press reports, the Russian government for a time reverted to using manual typewriters rather than commit sensitive information to its computer systems. And a number of European countries and Brazil have begun shifting their most sensitive data and communications traffic to secure networks that they hope will be resistant to the NSA’s intrusive surveillance activities.

But this is, I am sure, just the tip of the iceberg. I have no doubt that the damage to TAO’s foreign intelligence collection capabilities and its ability to facilitate the solution of foreign encryption systems by the NSA’s cryptanalysts has been substantial. The big question that will determine TAO’s future prospects is whether the damage done so far proves to be irreparable.