WASHINGTON — The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.
While
most of the software is inserted by gaining access to computer
networks, the N.S.A. has increasingly made use of a secret technology
that enables it to enter and alter data in computers even if they are
not connected to the Internet, according to N.S.A. documents, computer
experts and American officials.
The
technology, which the agency has used since at least 2008, relies on a
covert channel of radio waves that can be transmitted from tiny circuit
boards and USB cards inserted surreptitiously into the computers. In
some cases, they are sent to a briefcase-size relay station that
intelligence agencies can set up miles away from the target.
The
radio frequency technology has helped solve one of the biggest problems
facing American intelligence agencies for years: getting into computers
that adversaries, and some American partners, have tried to make
impervious to spying or cyberattack. In most cases, the radio frequency
hardware must be physically inserted by a spy, a manufacturer or an
unwitting user.
The
N.S.A. calls its efforts more an act of “active defense” against
foreign cyberattacks than a tool to go on the offensive. But when
Chinese attackers place similar software on the computer systems of
American companies or government agencies, American officials have
protested, often at the presidential level.
Among the most frequent targets of the N.S.A. and its Pentagon partner, United States Cyber Command,
have been units of the Chinese Army, which the United States has
accused of launching regular digital probes and attacks on American
industrial and military targets, usually to steal secrets or
intellectual property. But the program, code-named Quantum, has also
been successful in inserting software into Russian military networks and
systems used by the Mexican police and drug cartels, trade institutions
inside the European Union, and sometime partners against terrorism like
Saudi Arabia, India and Pakistan, according to officials and an N.S.A.
map that indicates sites of what the agency calls “computer network
exploitation.”
“What’s
new here is the scale and the sophistication of the intelligence
agency’s ability to get into computers and networks to which no one has
ever had access before,” said James Andrew Lewis, the cybersecurity
expert at the Center for Strategic and International Studies in
Washington. “Some of these capabilities have been around for a while,
but the combination of learning how to penetrate systems to insert
software and learning how to do that using radio frequencies has given
the U.S. a window it’s never had before.”
No Domestic Use Seen ( RIGHT!!!!!!!!!!!!!!!!!!! )
There
is no evidence that the N.S.A. has implanted its software or used its
radio frequency technology inside the United States. While refusing to
comment on the scope of the Quantum program, the N.S.A. said its actions
were not comparable to China’s.
“N.S.A.'s
activities are focused and specifically deployed against — and only
against — valid foreign intelligence targets in response to intelligence
requirements,” Vanee Vines, an agency spokeswoman, said in a statement.
“We do not use foreign intelligence capabilities to steal the trade
secrets of foreign companies on behalf of — or give intelligence we
collect to — U.S. companies to enhance their international
competitiveness or increase their bottom line.”
Over
the past two months, parts of the program have been disclosed in
documents from the trove leaked by Edward J. Snowden, the former N.S.A.
contractor. A Dutch newspaper published the map
of areas where the United States has inserted spy software, sometimes
in cooperation with local authorities, often covertly. Der Spiegel, a
German newsmagazine, published the N.S.A.'s catalog
of hardware products that can secretly transmit and receive digital
signals from computers, a program called ANT. The New York Times
withheld some of those details, at the request of American intelligence
officials, when it reported, in the summer of 2012, on American cyberattacks on Iran.
President
Obama is scheduled to announce on Friday what recommendations he is
accepting from an advisory panel on changing N.S.A. practices. The panel
agreed with Silicon Valley executives that some of the techniques
developed by the agency to find flaws in computer systems undermine
global confidence in a range of American-made information products like
laptop computers and cloud services.
Embracing
Silicon Valley’s critique of the N.S.A., the panel has recommended
banning, except in extreme cases, the N.S.A. practice of exploiting
flaws in common software to aid in American surveillance and
cyberattacks. It also called for an end to government efforts to weaken
publicly available encryption systems, and said the government should
never develop secret ways into computer systems to exploit them, which
sometimes include software implants.
Richard
A. Clarke, an official in the Clinton and Bush administrations who
served as one of the five members of the advisory panel, explained the
group’s reasoning in an email last week, saying that “it is more
important that we defend ourselves than that we attack others.”