Without their knowledge or permission, the National Security Agency has broken into the global data centers of Yahoo! and Google, the Washington Post is reporting on Wednesday.
In a report that terms the specific NSA surveillance program as “unusually aggressive,” the newspaper claims that leaked documents provided by whistleblower Edward Snowden show how the operation, codenamed MUSCULAR, allowed the agency to access the “cloud networks” of the two internet giants and “collect at will from among hundreds of millions of user accounts, many of them belonging to Americans.”
Two engineers with close ties to Google exploded in profanity when they saw the leaked drawing from the NSA: “I hope you publish this,” one of them said.
“The NSA does not keep everything it collects,” the Post reports, “but it keeps a lot.”
Though the stream of information generated by the Snowden leaks seems endless, these latest revelations come amid growing concern both in the U.S. and abroad about the unrivaled power of the NSA when it comes to accessing information that was otherwise thought protected.
In this case, it is the internet giants themselves who seem most caught off guard over the revelations. Since the Snowden leaks first began, these companies (along with others) have been criticized for allowing the NSA specific kinds of access to their customer data. As the Post reports, however, disclosure of the MUSCULAR program becomes “especially striking,”
because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.
The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.
When asked by the Post if they were aware of the program, both Yahoo! and Google adamantly said they did not know and expressed deep concern—anger, in fact—that the NSA had possibly infiltrated their private, highly secure, “cloud” networks.
As the Post explains:
In order for the data centers to operate effectively, they synchronize high volumes of information about account holders. Yahoo’s internal network, for example, sometimes transmits entire e-mail archives — years of messages and attachments — from one data center to another.
Tapping the Google and Yahoo clouds allows the NSA to intercept communications in real time and to take “a retrospective look at target activity,” according to one internal NSA document.
In order to obtain free access to data center traffic, the NSA had to circumvent gold standard security measures. Google “goes to great lengths to protect the data and intellectual property in these centers,” according to one of the company’s blog posts, with tightly audited access controls, heat sensitive cameras, round-the-clock guards and biometric verification of identities.
Google and Yahoo also pay for premium data links, designed to be faster, more reliable and more secure. In recent years, each of them is said to have bought or leased thousands of miles of fiber optic cables for their own exclusive use. They had reason to think, insiders said, that their private, internal networks were safe from prying eyes.
In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data resides. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security.
Two engineers with close ties to Google exploded in profanity when they saw the drawing. “I hope you publish this,” one of them said.
Whether those in the outraged public will find sympathy with the likes of Google and Yahoo!, the exposure of MUSCULAR shows the degree to which online data—even that which was thought to be more secure—is susceptible to the reach of the NSA.
One of the other key takeaways from the Post reporting is how this particular program seemed to target communication hubs and data centers located outside of the U.S., showing that legal requirements, though clearly not effective overall, certainly have an impact on the manner in which the NSA operates. Again, from the report:
Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.
Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333 , which defines the basic powers and responsibilities of the intelligence agencies.
John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.
“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.”
Snowden leak: NSA secretly accessed Yahoo, Google data centers to collect information
Despite having front-door access to communications transmitted across the biggest Internet companies on Earth, the National Security Agency has been secretly tapping into the two largest online entities in the world, new leaked documents reveal.
Those documents, supplied by former NSA contractor Edward Snowden and obtained by the Washington Post, suggest that the US intelligence agency and its British counterpart have compromised data passed through the computers of Google and Yahoo, the two biggest companies in the world with regards to overall Internet traffic, and in turn allowed those country’s governments and likely their allies access to hundreds of millions of user accounts from individuals around the world.
“From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants,” the Post’s Barton Gellman and Ashkan Soltani reported on Wednesday.
The document providing evidence of such was among the trove of files supplied by Mr. Snowden and is dated January 9, 2013, making it among the most recent top-secret files attributed to the 30-year-old whistleblower.
Gen. Keith Alexander, the head of the NSA, told reporters Wednesday afternoon, “I don’t know what the report is,” according to Politico, and said his agency is “not authorized” to tap into Silicon Valley companies. When asked if the NSA tapped into the data centers, Alexander said, “Not to my knowledge.”
Earlier this year, separate documentation supplied by Mr. Snowden disclosed evidence of PRISM, an NSA-operated program that the intelligence company conducted to target the users of Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple services. When that program was disclosed by the Guardian newspaper in June, reporters there said it allowed the NSA to “collect material including search history, the content of emails, file transfers and live chats” while having direct access to the companies’ servers, at times with the “assistance of communication providers in the US.”
According to the latest leak, the NSA and Britain’s Government Communications Headquarters are conducting similar operations targeting the users of at least two of these companies, although this time under utmost secrecy.
“The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process,” the Post noted.
And while top-brass in the US intelligence community defended PRISM and said it did not target American Internet users, the newest program — codenamed MUSCULAR — sweeps up data pertaining to the accounts of many Americans, the Post acknowledged.
The MUSCULAR program, according to Wednesday’s leak, involves a process in which the NSA and GCHQ intercept communications overseas, where lax restrictions and oversight allow the agencies access to intelligence with ease.
“NSA documents about the effort refer directly to ‘full take,’ ‘bulk access’ and ‘high volume’ operations on Yahoo and Google networks,” the Post reported. “Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.”
- theguardian.com, Wednesday 30 October 2013 16.50 EDT
Google and Yahoo, two of the world’s biggest tech companies, reacted angrily to a report on Wednesday that the National Security Agency has secretly intercepted the main communication links that carry their users’ data around the world.
Citing documents obtained from former NSA contractor Edward Snowden and interviews with officials, the Washington Post claimed the agency could collect information “at will” from among hundreds of millions of user accounts.
The documents suggest that the NSA, in partnership with its British counterpart GCHQ, is copying large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers of the Silicon Valley giants.
The story is likely to put further strain on the already difficult relations between the tech firms and Washington. The internet giants are furious about the damage done to their reputation in the wake of Snowden’s revelations.
In a statement, Google’s chief legal officer, David Drummond, said the company was “outraged” by the latest revelations.
“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,” he said.
“We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Yahoo said: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
According to a top-secret document cited by the Post dated 9 January 2013, millions of records a day are sent from Yahoo and Google internal networks to NSA data warehouses at the agency’s headquarters in Fort Meade, Maryland. The types of information sent ranged from “metadata”, indicating who sent or received emails, the subject line and where and when, to content such as text, audio and video.
The Post’s documents state that in the preceding 30 days, field collectors had processed and sent on 181,280,466 new records.
Internet firms go to great lengths to protect their data. But the NSA documents published by the Post appear to boast about their ability to circumvent those protections. In one presentation slide on “Google Cloud Exploitation,” published by the Post, an artist has added a smiley face, in apparent celebration of the NSA’s victory over Google security systems.
NSA intercepts Google, Yahoo traffic overseas: report
SAN FRANCISCO |
(Reuters) – The National Security Agency has tapped directly into communications links used by Google and Yahoo to move huge amounts of email and other user information among overseas data centers, the Washington Post reported on Wednesday. It was unclear how the NSA accessed the links.
The report, based on secret NSA documents leaked by former contractor Edward Snowden, appears to show that the agency has used weak restrictions on its overseas activities to exploit even major U.S. companies’ data to a far greater extent than previously realized.
Previously reported programs included those that allowed easy searches of Google’s, Yahoo’s and other Internet giants’ material based on court orders. But because the interception in the newly disclosed effort, code named MUSCULAR, occurs outside the United States, there is no oversight by the secret intelligence court.
Google, which recently said it is speeding its efforts to encrypt internal traffic, told Reuters: “We’re troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.”
“Executive Orders (EOs) are official documents … through which the President of the United States manages the operations of the Federal Government.” The directives cite the President’s authority under the Constitution and statute (sometimes specified). EOs are published in the Federal Register, and they may be revoked by the President at any time. Although executive orders have historically related to routine administrative matters and the internal operations of federal agencies, recent Presidents have used Executive Orders more broadly to carry out policies and programs.
The National Archives maintains a list of all Executive Orders indexed by Presidents, by Order number, and by subject. This site, which also has a “search” capacity, can be used to determine if a particular Order has been amended, repealed, superseded, or otherwise changed.
EO 12333 (As initially issued) – Goals, Direction, Duties, and Responsibilities with Respect to the National Intelligence Effort (22pp | 281kb | PDF) (December 4, 1981). Under section 2.3, intelligence agencies can only collect, retain, and disseminate information about a “U.S. person” (U.S. citizens and lawful permanent residents) if permitted by applicable law, if the information fits within one of the enumerated categories under EO 12333, and if it is permitted under that agency’s implementing guidelines approved by the Attorney General. The EO has been amended to reflect the changing security and intelligence environment and structure within the U.S. Government.
EO 12333 has been amended by three subsequent Executive Orders: EO 13284 (4pp. | 155kb | PDF) (January 23, 2003), EO 13355 (5pp | 166kb | PDF) (August 27, 2004), and EO 13470 (20pp | 205kb | PDF) (July 30, 2008). The current text of EO 12333 as amended is available online (16pp | 131kb | PDF).
- Many of the provisions of EO 13470 change how the intelligence agencies are governed and how they report to the President. In particular, the changes reflect that the U.S. intelligence agencies are to report to the President through the newly created Office of the Director of National Intelligence (ODNI). (At the time that EO 12333 was initially signed in 1981, the Director of National Intelligence was the nominal head of U.S. intelligence agencies).
- Briefing on the July 2008 changes to 12333. Briefing for the Congressional Oversight Committee (8pp | 2.56mb | PPT) by ODNI indicates that EO 12333’s original privacy and civil liberties protections are maintained after the July 2008 revisions.
- In section 1.1(b), the amended EO 12333 includes the following language: the Government “has a solemn obligation, and shall continue in the conduct of intelligence activities under this order, to protect fully the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law.”
- At section 1.5(c), EO 12333 requires the heads of all departments and agencies to “Coordinate development and implementation of intelligence systems and architectures and, as appropriate, operational systems and architectures of their departments, agencies, and other elements with the Director to respond to national intelligence requirements and all applicable information sharing and security guidelines, information privacy, and other legal requirements….”
- Section 1.6(h) of EO 12333 also requires the heads of elements of the Intelligence Community to ensure “that the inspectors general, general counsels, and agency officials responsible for privacy or civil liberties protection for their respective organizations have access to any information or intelligence necessary to perform their official duties.”
- The amended 12333 includes the following language: the Government “has a solemn obligation, and shall continue in the conduct of intelligence activities under this order, to protect fully the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law.”
EO 13311 – Homeland Security Information Sharing (2pp | 149kb | PDF) (July 29, 2003). President Bush assigned his functions under section 892 of the Homeland Security Act to the Secretary of Homeland Security. Amended by EO 13388, all references to “Director of Central Intelligence” are now the “Director of National Intelligence.”
EO 13353 – Establishing the President’s Board on Safeguarding Americans’ Civil Liberties (3pp | 160kb | PDF) (August 27, 2004). EO13353 creates the President’s Board on Safeguarding Americans’ Civil Liberties, which is ‘part of the Department of Justice for administrative purposes,’ to ‘undertake other efforts to protect the legal rights of all Americans, including civil liberties, and information privacy guaranteed by Federal law, as the President may direct.’ Although EO 13353 was never officially rescinded, its directive to create the President’s Board on Safeguarding Americans’ Civil Liberties faced strong opposition and was eventually jettisoned in favor of an independent body, the Privacy and Civil Liberties Oversight.
EO 13354 – Establishing the National Counterterrorism Center (4pp | 161kb | PDF) (August 27, 2004). The Center was established in order to “protect the security of the United States through strengthened analysis and strategic planning and intelligence support to operations to counter transnational terrorist threats…” This includes the “interchange of terrorism information between agencies and appropriate authorities of States and local governments….” The EO designated the National Counterterrorism Center (NCTC) as “the primary organization in the United Sates Government for analyzing and integrating all intelligence possessed or acquired by the [Government]… pertaining to terrorism and counterterrorism, excepting purely domestic counterterrorism information.” While the Center continues in existence, EO 13354 was revoked by EO 13470 (18pp | 205kb | PDF) (July 30, 2008), which revised EO 12333. (See Section 3.6 of current version of EO 12333).
- Also see EO 12333 above, EO 12958 (19pp | 248kb | PDF) (April 17, 1995) (revoked by EO 13526), and EO 13470, which amended EO 12333 in 2008.
- “Agencies shall protect the freedom, information privacy, and other legal rights of Americans in the conduct of activities implementing …[the detection, prevention, disruption, preemption and mitigation of the effects of transnational terrorist activities and] the interchange of terrorism information between agencies and appropriate authorities of States and local governments.”
EO 13388 – Further Strengthening the Sharing of Terrorism Information to Protect Americans (3pp | 161kb | PDF) (October 25, 2005). This Executive Order :
- revokes EO 13356 (4pp | 163kb | PDF) (August 27, 2004) and amends EO 13311 (above);
- creates the Information Sharing Council (ISC) to provide advice and information concerning the “establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information among appropriate agencies to implement the policy set forth in section 1 of this order; and (ii) perform the duties set forth in section 1016(g) of the Intelligence Reform and Terrorism Prevention Act of 2004.”
- assists the Program Manager for the ISE (PM–ISE) in expediting the establishment of the ISE and appointed the PM as chair of the Council,
- requires that “[t]o the maximum extent consistent with applicable law, agencies shall, in the design and use of information systems and in the dissemination of information among agencies… give the highest priority to… the interchange of terrorism information among agencies… [and shall] protect the freedom, information privacy, and other legal rights of Americans in the conduct of [such] activities….”
EO 13526 – Classified National Security Information (27pp | 246kb | PDF) (December 29, 2009). This Executive Order:
- prescribes a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to the defense against transnational terrorism;
- states that our democratic principles “require that the American people be informed of the activities of their Government” but that “throughout our history, the national defense has required that certain information be maintained in confidence….”;
- promotes open Government through “accurate and accountable application of classification standards and routine, secure, and effective declassification….”; and
- revokes EO 12958 (19pp | 248kb | PDF) (April 17, 1995) and EO 13292 (20pp | 199kb | PDF) (March 25, 2003).
The Information Security Oversight Office, National Archives and Records Administration issued a Directive (28pp | 269kb | PDF) implementing the Executive Order on June 28, 2010. The Directive addresses classification standards, identification and markings, declassification, safeguarding, and other factors related to classified national security information.
EO 13549 – Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities (6pp | 159kb | PDF) (August 18, 2010). This Executive Order:
- ensures the proper safeguarding of information shared with State, local, tribal and private sector (SLTPS) entities;
- establishes a “Classified National Security Information Program” designed to manage access to and handling of such information;
- assures the security standards established in accord with EO 13526 (above) and other relevant Executive Orders are articulated by the Secretary of Homeland Security, to address among other things: eligibility for access to classified information by SLTPS personnel, how duly elected Governors are to receive appropriate clearances; and requiring that physical custody of classified information by SLTPS entities be limited to Secret information unless the location housing the information is under “full-time management, control, and operation of the Department of Homeland Security or another agency….”;
- establishes an SLTPS Policy Advisory Committee to discuss Program–related policy issues in dispute in order to facilitate resolution of disputes; and
- promotes inspections and monitoring of SLTPS programs and facilities to ensure there is an ongoing need for access to classified information.
The order is to be implemented in a manner “consistent with procedures approved by the Attorney General pursuant to Executive Order 12333, as amended.”
EO 13556 – Controlled Unclassified Information (3pp | 138kb | PDF) (November 4, 2010). This Executive Order:
- establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government–wide policies, excluding information classified under EO 13526 or the Atomic Energy Act, as amended;
- addresses the “ad hoc, agency–specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency-specific policies are often hidden from public view has only aggravated these issues.” (Sec. 1).
- establishes a program for managing this information, called “Controlled Unclassified Information,” (CUI) that emphasizes the openness and uniformity of Government–wide practices;
- requires that the CUI categories and subcategories shall serve as the exclusive designations for identifying unclassified information throughout the executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government–wide policies;
- charges the National Archives and Records Administration to implement the Order and oversee agency compliance with it; and
- rescinds Presidential Memorandum of May 7, 2008 (“Designation and Sharing of Controlled Unclassified Information (CUI)“).
EO 13587 – Structural Reforms To Improve The Security Of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information ( 5pp | 155kb | PDF) (October 7, 2011). This Executive Order:
- directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties;
- ensures coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security;
- requires policies and minimum standards for sharing classified information both within and outside the Federal Government;
- requires that these policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks;
- directs agency heads to: (a) designate a senior official to be charged with overseeing classified information sharing and safeguarding efforts for the agency; (b) implement an insider threat detection and prevention program consistent with guidance and standards developed by the Insider Threat Task Force established in the order; and (c) perform self-assessments of compliance with policies and standards issued pursuant to sections 3.3, 5.2, and 6.3 of the order, as well as other applicable policies and standards, the results of which shall be reported annually to the Senior Information Sharing and Safeguarding Steering Committee established in section 3 of the order;
- establishes a Classified Information Sharing and Safeguarding Office (CISSO) within and subordinate to the office of the PM–ISE to provide expert, full-time, sustained focus on responsible sharing and safeguarding of classified information on computer networks; and
- requires establishment of an interagency Insider Threat Task Force to develop a Government-wide program (insider threat program) for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.
EO 13629 – Establishing the White House Homeland Security Partnership Council (5pp | 315kb | PDF) (October 26, 2012). This Executive Order:
- establishes “a White House Homeland Security Partnership Council (Council) to foster local partnerships—between the Federal Government and the private sector, nongovernmental organizations, foundations, community-based organizations, and State, local, tribal, and territorial government and law enforcement—to address homeland security challenges;”
- directs the Council to “promote homeland security priorities and opportunities for collaboration between Federal Government field offices and State, local, tribal, and territorial stakeholders;”
- directs the Council to “advise and confer with State, local, tribal, and territorial stakeholders and agencies interested in expanding or building local homeland security partnerships;”
- directs the Council to “raise awareness of local partnership best practices that can support homeland security priorities;”
- directs the Council to “as appropriate, conduct outreach to representatives of the private sector, nongovernmental organizations, foundations, community-based organizations, and State, local, tribal, and territorial government and law enforcement entities with relevant expertise for local homeland security partnerships, and collaborate with other Federal Government bodies; and”
- directs the Council to “convene an annual meeting to exchange key findings, progress, and best practices.”
EO 13636 – Improving Critical Infrastructure Cybersecurity (8pp | 325kb | PDF) (February 12, 2013). This Executive Order:
- sets the “policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats;”
- orders the establishment of a process to rapidly disseminate unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity;
- expands the Enhanced Cybersecurity Services program, a voluntary information sharing program, to all critical infrastructure sectors to provide classified cyber threat and technical information;
- coordinates agency activities under this order with senior agency officials for privacy and civil liberties to “ensure that privacy and civil liberties protections are incorporated into such activities;”
- bases privacy and civil liberties protections on “the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities;”
- orders an annual assessment of privacy and civil liberties risks by the DHS Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties;
- directs the development of a Cybersecurity Framework to reduce cyber risks to critical infrastructure, which shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches and shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.