U.S. Agencies Said to Swap Data With Thousands of Firms
Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.
These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden, a computer technician who did work for the National Security Agency. The role of private companies has come under intense scrutiny since his disclosure this month that the NSA is collecting millions of U.S. residents’ telephone records and the computer communications of foreigners from Google Inc. (GOOG) and other Internet companies under court order.
Many of these same Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications, that don’t involve private communications of their customers, the four people said.
Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies and many other companies also participate in the government programs. In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.
Along with the NSA, the Central Intelligence Agency, the Federal Bureau of Investigation and branches of the U.S. military have agreements with such companies to gather data that might seem innocuous but could be highly useful in the hands of U.S. intelligence or cyber warfare units, according to the people, who have either worked for the government or are in companies that have these accords.
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government “an early start” on risk assessment and mitigation.
In an e-mailed statement, Shaw said there are “several programs” through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.
Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s major spy agencies, the people familiar with those programs said.
Michael Hayden, who formerly directed the National Security Agency and the CIA, described the attention paid to important company partners: “If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful.”
“You would keep it closely held within the company and there would be very few cleared individuals,” Hayden said.
Cooperation between nine U.S. Internet companies and the NSA’s Special Source Operations unit came to light along with a secret program called Prism. According to a slide deck provided by Snowden, the program gathers e-mails, videos, and other private data of foreign surveillance targets through arrangements that vary by company, overseen by a secret panel of judges.
U.S. intelligence agencies have grown far more dependent on such arrangements as the flow of much of the world’s information has grown exponentially through switches, cables and other network equipment maintained by U.S. companies.
In addition to private communications, information about equipment specifications and data needed for the Internet to work -- much of which isn’t subject to oversight because it doesn’t involve private communications -- is valuable to intelligence, U.S. law-enforcement officials and the military.
Typically, a key executive at a company and a small number of technical people cooperate with different agencies and sometimes multiple units within an agency, according to the four people who described the arrangements.
If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.
Intel Corp. (INTC)’s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.
Such a relationship would start with an approach to McAfee’s chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.
McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.
McAfee’s data and analysis doesn’t include information on individuals, said Michael Fey, the company’s worldwide chief technology officer.
“We do not share any type of personal information with our government agency partners,” Fey said in an e-mailed statement. “McAfee’s function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity.”
In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.
In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.
Following an attack on his company by Chinese hackers in 2010, Sergey Brin, Google’s co-founder, was provided with highly sensitive government intelligence linking the attack to a specific unit of the People’s Liberation Army, China’s military, according to one of the people, who is familiar with the government’s investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.
According to information provided by Snowden, Google, owner of the world’s most popular search engine, had at that point been a Prism participant for more than a year.
Google CEO Larry Page said in a blog posting June 7 that he hadn’t heard of a program called Prism until after Snowden’s disclosures and that the Mountain View, California-based company didn’t allow the U.S. government direct access to its servers or some back-door to its data centers. He said Google provides user data to governments “only in accordance with the law.”
Leslie Miller, a spokeswoman for Google, didn’t provide an immediate response June 13.
The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.
That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.
“It’s highly offensive information,” said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia’s largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.
According to Snowden’s information, Blarney’s purpose is “to gain access and exploit foreign intelligence,” the Post said.
It’s unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge’s order.
Stewart Baker, former general counsel for the NSA, said if metadata involved communications between two foreign computers that just happened to be crossing a U.S. fiber optic cable “then the likelihood is it would demand less legal scrutiny than when communications are being extracted one by one.”
Lawmakers who oversee U.S. intelligence agencies may not understand the significance of some of the metadata being collected, said Jacob Olcott, a former cybersecurity assistant for Senator John D. Rockefeller IV of West Virginia, the Democratic chairman of the Senate Commerce Committee.
“That’s what makes this issue of oversight so challenging,” said Olcott, now a principal at Good Harbor Security Risk Management in Washington. “You have a situation where the technology and technical policy is far outpacing the background and expertise of most elected members of Congress or their staffs.”
While companies are offered powerful inducements to cooperate with U.S. intelligence, many executives are motivated by patriotism or a sense they are defending national security, the people familiar with the trusted partner programs said.
U.S telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems’ architecture or equipment schematics so the agencies can analyze potential vulnerabilities.
“It’s natural behavior for governments to want to know about the country’s critical infrastructure,” said Chisholm, chief security officer at Irvine, California-based Cylance Inc.
Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.
Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn’t authorized to discuss the matter.
Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp., Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.
Mark Siegel, a spokesman for Dallas-based AT&T, the nation’s biggest phone carrier, declined to comment. Edward McFadden, a spokesman for New York-based Verizon, the second-largest phone company, declined to comment.
Scott Sloat, a spokesman for Overland Park, Kansas-based Sprint, and Monica Martinez, a spokeswoman for Broomfield, Colorado-based Level 3, didn’t immediately respond to requests for comment.
Linda Johnson, a spokeswoman for Centurylink, formerly Qwest Corp., said her Monroe, Louisiana-based company participates in the Enhanced Cybersecurity Services program and the Intrusion Prevention Security Services program, which includes Einstein 3. Both programs are managed by the U.S. Department of Homeland Security.
Beyond that, she said, “CenturyLink does not comment on matters pertaining to national security.”
To contact the reporter on this story: Michael Riley in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Michael Hytha at email@example.com