“Don’t overuse sorry, please and thanks” when speaking in Spanish. “According to a UK insurance company, the average Brit will say sorry 1.9 million times in their lifetimes.”
WHEN FACEBOOK BLOWS YOUR COVER
by Gordon Corera / 07 April 16
“You could forgive the chief of MI6 – known as C – a slight shudder as he watched the latest Bond movie, Spectre. Not the scene in which the MI6 HQ is blown up, but the more worrisome plot that his secret service was going to be swallowed by a new data-driven super-agency. The shudder? Because the storyline is worryingly close to today’s reality. The world of spying may be as old as the ages and MI6 may be one of the most storied intelligence services but, make no mistake, it is in an existential battle. And the reason for that is data. The current C, Alex Younger, 52, talks of an “arms race” when it comes to exploiting technology. The intelligence services that succeed in mastering data will prosper against adversaries. Those that fail to adapt will find themselves irrelevant. To avoid that fate, MI6 is trying to answer two questions: what is secrecy in the digital age? And how do you protect it? Spying involves stealing secrets. There are various ways of doing that.
One is by intercepting communications and breaking codes known as SIGINT (signals intelligence). This is the province of agencies such as GCHQ (the UK government communications) and the NSA (in the US). Human intelligence (HUMINT) involves getting those secrets from people who have access – known as agents (the staff who work for MI6 are officers, not agents). During the cold war, machines played a marginal role in human intelligence. Their preferred habitat was the alleyways of Berlin and Vienna meeting agents while trying to shake a KGB tail. But, a quarter of a century ago, the spread of networked computers began to revolutionise the spy business. First, the KGB and then GCHQ and NSA realised other governments kept valuable information on networks connected to the internet. For a while, MI6 looked on nervously as operators at GCHQ began to remotely steal documents that would previously have required a human agent in a foreign ministry snapping hurried photos of material in a safe.
“Secret document detailing GCHQ’s ambition to ‘master the internet‘”
It was clear that cyber espionage was transformative. It allowed information to be extracted in huge volumes remotely – massively reducing the risks involved. Where does that leave the old-fashioned spooks? From an office on the executive floor of the MI6 building in Vauxhall, Younger, a veteran spy, has the job of answering that question. So what’s the strategy? In a nutshell: to master data, to stay secret and to be able to operate anywhere. Technology offers opportunity and threat. The initial stage of recruiting an agent is “targeting”. Imagine you want to know if a country is secretly working on a nuclear-weapons programme.
The best source might be a businessman in the illicit procurement chain. A spy agency needs to find out who has the access to secrets, the motivation to pass them on and how to get close to that individual. All of that is now data driven. The data may be open source – publicly available information on who works for a company. Social media can play a role in understanding an individual’s interests and connections, building a picture of their lives. Spies say if you want to understand a target you now have to understand the expression of their life online as well as in the physical world – because dissonance between their “real world” and “online” behaviour can be telling.
“The home secretary said she did not want to “go down the route of giving information about the sort of data sets that are being acquired“.
Increasingly important is what the government calls “bulk personal data sets”. MI6 told one inquiry that these “are increasingly used to identify the people that we believe that we have an interest in; and also to identify the linkages between those individuals and the UK that we might be able to exploit”. The exact nature of this data is secret, but it could include a foreign state’s employment records, the booking records of a hotel or subscribers to particular magazines. Some of these data sets can contain millions of records including those of innocent people. Spies maintain that both acquisition and then access is tightly controlled – any specific search needs to be compliant with the Human Rights Act in terms of being lawful, necessary and proportionate. The “proportionality” test in interrogating bulk personal data sets means if any query returns too many people then it is less useful and potentially against the rules. A query might reveal an engineer had money problems. The next step would be an approach. Systems can alert a team when an individual books a hotel. An MI6 officer would wait in the lobby – a crucial method of contact that depends on human skills.
The transfer of material from agent to handler has always been the moment of greatest operational vulnerability. Catching one person handing over an envelope to another person meant both were “bang to rights”. Now, the transfer of information can be done remotely using specially developed communications tech. In 2006, Russian security services made claims about a “spy rock” set up by British spies. The rock was said to contain a short-range transmitter/receiver into which an agent could transfer data by walking past. A case officer could later walk past and upload the information. MI6 has always refused to comment but a senior Downing Street official later said that the Russians “had us bang to rights”.
Ten years later, it’s likely communication can be carried out more remotely, minimising the risk of being caught. “Using data offers us a priceless opportunity to be deliberate and targeted in what we do and thus be better at protecting our agents and this country,” Younger said in his first public speech, at a Whitehall event in March 2015. “That is good news. The bad news is that the same technology in opposition hands allows them to see what we are doing and put our people and agents at risk.” Technology helps spies find their targets, but it can also be used by foreign security services to identify British spies and their sources.
“A massive election data breach in the Philippines does appear to contain millions of fingerprint records, despite officials claiming the leak “doesn’t include biometrics”
Stealing secrets also requires keeping them. And that is getting harder. The first signs of that challenge emerged just over a decade ago with the spread of biometric databases at international borders. Once, a faked passport might have been enough to build a cover story for an MI6 officer travelling to meet an agent. An officer could breeze across a border, conduct the debrief and leave. But if their iris or fingerprints were scanned at an airport then that data would be associated with the false cover. Would they be identified as a spy?
The old days of using a simple cover to meet agents abroad were passing. The next challenge was social media. In the past, a spy would want no details or pictures of themselves in the public domain. But today, what kind of person under 30 doesn’t have a social-media trail and digital profile? That in itself is pretty much enough to mark you out as someone unusually protective of their privacy and, to foreign intelligence services, possibly a spy. A test was run at MI6 a few years ago: how long would it take for an officer’s cover to endure when subjected to a series of Google searches? The answer: about a minute.
“Lady moved to the US in late 2004 and will not be returning to Italy. Spataro offered the former agent a deal to testify against the CIA. Lady turned it down. He remains loyal to his former employer despite the fact that the agency has left him hanging in the wind, refuses to let him have a lawyer, and acts as if the trial in Italy doesn’t even exist. His retirement villa has been confiscated and is due to be sold after the verdict comes through to cover part of the court costs.”
Veteran officers say that, at first, many spies were deeply resistant to understanding the new dangers. But then came the lessons. In February 2003, a CIA team was sent to Milan to conduct an “extraordinary rendition” of a suspected radical Islamist: Abu Omar was plucked off the streets and transported to Egypt. Three years later, an Italian prosecutor using link analysis of phones, hotel reservations, car rentals and credit cards had been able to identify about two dozen members of the CIA team and prosecute them in absentia.
What about bulk data? The fear of what could be done by using large data sets against spies was evident in Washington’s neuralgic reaction to the cyber-intrusion into the federal government’s Office of Personnel Management (OPM) when the personal details of 21 million government workers were stolen. The personal details of CIA officers and other spies were not listed. That was precisely the problem – a smart intelligence service could simply correlate who at an embassy was on the OPM database and, by a process of elimination, work out that anyone not on the database was an undercover intelligence officer. In the wake of the breach, British officials were assured that there was no single database in the UK with the same amount of detail.
The moment of meeting an agent has become trickier. In the past a fleeting brush-past on a street or conversation in an alley would leave no trace unless someone had been followed. Now CCTV is everywhere and so is the data – from mobile phones and other digital tools – of where you have been. What is more, it’s stored. The digital exhaust we leave behind has completely altered the ways in which spies can operate. Countries are moving towards large biometric databases of identifiers which can offer them knowledge about their own population. “When I joined MI6, I was trained to spot people tracking me or telephone tapping or intercepting radio communication,” John Sawers, who joined MI6 in the late 70s before going to the Foreign Office and coming back as chief from 2009 to 2014, said in a speech in January 2015. “Today, those labour-intensive techniques are supported by high-end software: face recognition, footstep recognition, etc.”
Image credit: Iris Scan – Biometric Data Collection – Aadhaar – Kolkata by Biswarup Ganguly. CC-BY-3.0 via Wikimedia Commons
Sawers was brought back to MI6 in 2009 as a moderniser. That included integrating technology and the Service’s “Q” team into operations much more closely. A technologist and data analyst would be brought into planning operations from the outset rather than as a last minute add-on and the case officer (who recruited the agent) became more part of a team rather than the “fighter pilot” whom everyone else served. Now the data analyst drives the operations as much as the case officer does. Working in an age where everything is recorded and leaves a digital footprint requires different tradecraft. In some cases it means you have to, in the words of some in MI6, “go medieval” and stay offline and use old-fashioned methods of communication. Some countries were reported to have bought old typewriters in the wake of the Snowden disclosures and techniques such as secret ink are said to be making a return.
Overlooking Open Source
The next stage in technological transformation is coming with the growth of open-source intelligence, big data and predictive analysis. Open-source intelligence was something that spies looked down on a decade ago. Real intelligence was something that had been obtained through low cunning, not a web search. “Open source was about routine monitoring of foreign newspapers and broadcasts for useful snippets,” says Cameron Colquhoun, who worked as a government intelligence analyst before founding Neon Century, a London-based open-source intelligence company.
That changed first with the Green Movement in Iran in 2009 and then with 2011’s Arab Spring which was organised, in part, on social media. “The richness of the data – geolocated, time-stamped and verifiable – meant that open source was not just something analysts could monitor but something you could use to run intelligence investigations.”
One British general estimates that 85 per cent of military intelligence can now be obtained from open sources. Mapping and terrain information are simple to pick up; an understanding of local populations can be drawn using sentiment-analysis tools. So why spend huge amounts of money and take risks to get secrets when much of the information can be found? The rise of Islamic State (IS) made the importance of social media clear: British jihadists were using platforms such as Facebook to lure others in the UK to follow them.
Intelligence analysts still struggle with this world. After all, their work computers are air-gapped from the internet, they have been encouraged not to be on social media and they normally cannot bring personal smartphones into the office. The internet is a prime vector for espionage. Foreign spies could use it to access the systems at Vauxhall Cross. The advantages of cross-referencing information and integrating open and secret data are also huge risks because of the fear of cross-infection. Today’s challenge is to leverage the internet while not letting it into the building. Today, analytical techniques for open data are often developed by the private sector rather than the state. The most advanced tools are being built by startups interested in sentiment analysis for commercial purposes.
Just as an intelligence agency might be interested in working out who is expressing positive and influential views about a gruesome IS video, a consumer brand might be interested in social-media influencers for its product. In the US, Palantir was originally funded by In-Q-Tel, the CIA VC firm, and supports military and security programmes as well as selling its tech to consumer-facing companies. In the UK, the startup Ripjar is moving into a similar space. “The aggregation of data is paramount to joining the dots and exposing criminal behaviour,” says Tom Griffin, the company’s CEO. “This is similar to the commercial world, where the true value of data is exposed when you combine the business knowledge, analytical thinking and many disparate data sets.” He argues that employing techniques of machine learning and natural-language processing will not negate the need for human analysts but allows them to make sense of vast tides of data such as tweets sent by IS.
“One of the conditions set by the American commanders who met in Baghdad was that any group receiving weapons must submit its fighters for biometric tests that would include taking fingerprints and retinal scans.”
The agencies hope that big data will open the way for better intelligence analysis to avoid “strategic surprise” and provide early warning and horizon scanning. Senior CIA officials talk of their desire to build an “anticipatory intelligence capability”. Sentiment analysis aims to look for early indicators of political and social crisis, unrest such as riots, signs of nascent economic instability or resource shortage. The new Alan Turing Institute, at the British Library, has formed a partnership of industry, government and academics to work on data-led solutions to various challenges, including national security. But is it possible – given the volume of data and the unpredictability of human behaviour – for agencies to conduct truly insightful predictive analysis? There was an upsurge in data analysis after 9/11 when, for instance, bomb factories in Iraq were identified using patterns of phone usage by insurgents. In the UK, GCHQ and MI6 work hand in glove.
So-called bulk data is used for what is called “target discovery” – finding people based on their data trails – so that more specialised techniques can be deployed. This is much harder than it used to be. In the past, a single GCHQ analyst might be able to track a dozen targets; now it can take a dozen analysts to track a single target who knows what they’re doing. This means human intelligence still plays a part. A spy inside a group such as al-Qaeda can tell you who’s who and where they are even if that person practises good comms security. Targeting individuals might be done by a close integration of human and technical intel: analysts at GCHQ might identify patters in online activity, whereas MI6 officers would try and recruit agents on the ground.
GCHQ and MI6 are moving closer together. GCHQ will sometimes need a human spy to enable an operation: think of the US-Israeli Stuxnet virus targeting Iran’s nuclear programme – it needed an engineer to put a USB stick into a system. There are also pieces of info a human spy can tell you that data can’t reveal. But the balance is shifting – GCHQ is roughly double the size of MI6. Inside MI6, there’s an understanding that they will need a new type of spy and everyone will need digital skills.
It’s becoming ever harder to keep secrets. For spies, this new world means deconstructing everything they do and analysing it for new opportunities and weaknesses, seeking out new sources of data and the latest tools to exploit. Every new trick they use to spy on someone else needs to be tested to ensure it doesn’t offer an opportunity to the other side. Nation states are working hard to exploit the insights that data offers in a new arms race of technology-driven espionage. To the victor the spoils. To the loser – as with the rest of the tech-based world, but with greater consequences – defeat and irrelevance.”
‘HACK the PENTAGON’ CONSENSUAL HONEYPOT
by James Temperton / 11 April 16
“The Pentagon has launched an initiative that challenges vetted hackers to break into government systems. The “Hack the Pentagon” scheme, the first ever program of its kind developed by the federal government, has been designed to test the strength of the US’s cyber defences. Full details of the initiative have not been announced, but hackers could be financially rewarded if they find major flaws. So-called “bug bounties“, where white-hat hackers are rewarded for finding and reporting security problems, are already used by companies such as Google, Facebook, Microsoft and Yahoo. Financial rewards for such programs range can top $100,000, with Facebook paying out more than $3 million since its bug bounty was launched in 2011. An application page describing the “Hack the Pentagon” program explains that the pilot will start on April 18 and end on May 12. “If you have information related to security vulnerabilities in the online services listed in scope below, we want to hear from you,” the page reads.
One senior official speaking to Reuters claimed that thousands of participants were expected to join the initiative. While the “Hack the Pentagon” program is a first for the federal government, the US has long been a customer in the black market for software bugs. Documents released by whistleblower Edward Snowden suggest the National Security Agency spends $25 million a year buying bugs for use in its surveillance operations. The Pentagon already uses its own internal security experts to test its networks, but it is hoped that opening up to vetted outsiders will help spot and remove more weaknesses. Reuters reports that participants will have to be US citizens and submit to background checks before being given access. The Pentagon said that more sensitive networks would not be included in the program to begin with.
Security researchers have repeatedly called on the US government to take inspiration from major technology firms and introduce a bug bounty program. If the Pentagon does introduce financial rewards, it would be the first government-funded initiative of its kind in the world. The program is being led by the Pentagon’s Defense Digital Service, which was set up in November 2015 to work more closely with the technology industry. The announcement of the initiative comes months after two US army captains argued for the creation of a bug bounty for the military. In October 2015 Captain Rock Stevens and Captain Michael Weigand published a paper calling on the US Army to establish a central program for disclosing software vulnerabilities on military systems. The paper, published on Cyber Defense Review, claimed the current system for researchers reporting bugs was “fraught with danger and trepidation”. People were “hesitant to disclose known vulnerabilities in systems out of a fear of reprisal,” the paper noted.
In a statement issued to Reuters, US defence secretary Ashton Carter said the Hack the Pentagon initiative was designed to “strengthen our digital defences and ultimately enhance our national security”. The decision to create a bug bounty program comes after a damaging year for America’s cyberdefences. In 2015 Russian hackers gained access to unclassified Pentagon computer systems, with sophisticated cyberattacks also targeting digital infrastructure inside the White House. Hackers linked to the Chinese government also stole personal information from background checks on 21.5 million Americans, including the fingerprint data on 5.6 million federal employees.”
COLLECT THEM ALL
U.S. Scans Afghan Inmates for Biometric Database
Bagram Air Field, Afghanistan — “Don’t think of the U.S. military’s new Detention Facility In Parwan as just a holding pen for suspected insurgents. It’s also an emerging datafarm, storing biometric information on its inmate population. In a country with a shaky commitment to the rule of law, those identifiers could become weapons. Parwan, with its thousand-or-so detainee population, will become an Afghan-run detention complex next year. By 2014, it’ll become a major Afghan jail, run by the Ministry of Justice to incarcerate convicted criminals, not hold insurgents taken off the battlefield. But Army Brigadier General Mark Martins, who currently runs day-to-day operations at the detention center, explains that there’s a basic problem with Afghanistan’s criminal justice system: It doesn’t have a efficient information infrastructure to identify the people it holds. That’s where he comes in.
Every detainee who comes into Parwan leaves basic information with the Detainee Services Branch during in-processing: Name; father’s name; residence. A mark of any identifying scars, marks or tattoos. Residence of record. After a shower and a medical exam, the DSB scans their irises and collects prints from all of their fingers, rolling their thumbs for a 360-degree view. Its cameras snap five photographs of every detainee’s face. All of this information goes into a military database called the Automated Biometric Information System.
Troops in the field can access the system through a set of portable consoles that the DSB has on hand. The Biometrics Automated Toolset, or BAT, allows troops who detain insurgents on the battlefield to get a quick biometric identification of who they’ve captured, all through talking to the database. One clunky component of it, the Handheld Interagency Identity Detection System (HIIDE), which looks like a big black FunSaver, takes pictures of a captive’s irises, facial features and fingerprints. BATS and HIIDE were used in Iraq, where counterinsurgents like David Kilcullen praised the devices for allowing troops to quickly and positively identify known insurgents during the surge.
But any detective will tell you that a database is only as good as the data it contains. And after 30 years of war, Afghanistan isn’t really in the data-collection game. The U.S. military’s detentions command, known as Joint Task Force-435, is working with the Afghan Ministry of Interior to kick-start an up-to-date records program. Martins says he and the ministry want “enrollments on 15 percent of fighting-age males,” Afghans between the ages of 14 and 49. Studies that he’s seen convince him that 15 percent represents a Gladwellian tipping point, allowing the U.S. and the Afghans to match exponentially more latent fingerprints off homemade bombs to Afghans in the system. But that means biometric information about one million people. And the easiest way to get this information is by locking up a whole lot of Afghans and collecting it against their will, one of the reasons that human rights advocates are wary about the U.S.’s plans to turn over Parwan to the Afghans.
In Iraq, privacy advocates raised similar concerns about weaponizing the biometrics database — essentially, turning it into a military hit list. Afghanistan is filled with corruption, fraud and malicious police officers. Its commitment to the rule of law is, to be charitable, immature. In such a circumstance, a counterinsurgency tool like the biometric database just as easily become predatory, allowing its possessors to take out their political or ethnic rivals and reward their allies. If the WikiLeaks disclosures put Afghans in danger, imagine what iris scans and fingerprints could mean for people who don’t want to pay bribes to crooked cops. “That’s a policy-significant issue,” Martins admits, “Who holds the data?” According to an October memorandum signed by the U.S. and Afghan governments, the Afghans will. The U.S. might see its collected records become the “biometric component of a national ID” Martins says, good for property ownership records, establishing credit lines and other economic behavior. But first, the biometrics database will be “MOI’s data,” in the hands of the security services — the legacy of ten years of U.S. detention operations in Afghanistan.”
the MYTH of FINGERPRINTS