Google’s secret NSA alliance: The terrifying deals between Silicon Valley and the security state

Cover detail of "@War" by Shane Harris

Excerpted from "@WAR: The Rise of the Military-Internet Complex"

In mid-December 2009, engineers at Google’s headquarters in Mountain View, California, began to suspect that hackers in China had obtained access to private Gmail accounts, including those used by Chinese human rights activists opposed to the government in Beijing.

Like a lot of large, well-known Internet companies, Google and its users were frequently targeted by cyber spies and criminals. But when the engineers looked more closely, they discovered that this was no ordinary hacking campaign.

In what Google would later describe as “a highly sophisticated and targeted attack on our corporate infrastructure originating from China,” the thieves were able to get access to the password system that allowed Google’s users to sign in to many Google applications at once. This was some of the company’s most important intellectual property, considered among the “crown jewels” of its source code by its engineers. Google wanted concrete evidence of the break-in that it could share with U.S. law enforcement and intelligence authorities. So they traced the intrusion back to what they believed was its source — a server in Taiwan where data was sent after it was siphoned off Google’s systems, and that was presumably under the control of hackers in mainland China.

“Google broke in to the server,” says a former senior intelligence official who’s familiar with the company’s response. The decision wasn’t without legal risk, according to the official. Was this a case of hacking back? Just as there’s no law against a homeowner following a robber back to where he lives, Google didn’t violate any laws by tracing the source of the intrusion into its systems. It’s still unclear how the company’s investigators gained access to the server, but once inside, if they had removed or deleted data, that would cross a legal line. But Google didn’t destroy what it found. In fact, the company did something unexpected and unprecedented — it shared the information.

Google uncovered evidence of one of the most extensive and far-reaching campaigns of cyber espionage in U.S. history. Evidence suggested that Chinese hackers had penetrated the systems of nearly three dozen other companies, including technology mainstays such as Symantec, Yahoo, and Adobe, the defense contractor Northrop Grumman, and the equipment maker Juniper Networks. The breadth of the campaign made it hard to discern a single motive. Was this industrial espionage? Spying on human rights activists? Was China trying to gain espionage footholds in key sectors of the U.S. economy or, worse, implant malware in equipment used to regulate critical infrastructure?

Google shared what it found with the other targeted companies, as well as U.S. law enforcement and intelligence agencies. For the past four years, corporate executives had been quietly pressing government officials to go public with information about Chinese spying, to shame the country into stopping its campaign. But for President Obama or Secretary of State Hillary Clinton to give a speech pointing the finger at China, they needed indisputable evidence that attributed the attacks to sources in China. And looking at what Google had provided it, government analysts were not sure they had it. American officials decided the relationship between the two economic superpowers was too fragile and the risk of conflict too high to go public with what Google knew.

Deputy Secretary of State James Steinberg was at a cocktail party in Washington when an aide delivered an urgent message: Google was going to issue a public statement about the Chinese spying campaign.

The next day, January 12, 2010, Google’s chief legal officer, David Drummond, posted a lengthy statement to the company’s blog, accusing hackers in China of attacking Google’s infrastructure and criticizing the government for censoring Internet content and suppressing human rights activists. “We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” said Drummond.

Back at the State Department, officials saw a rare opportunity to put pressure on China for spying. That night Hillary Clinton issued her own statement. “We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” she said. “The ability to operate with confidence in cyberspace is critical in a modern society and economy.”

As diplomatic maneuvers go, this was pivotal. Google had just given the Obama administration an opening to accuse China of espionage without having to make the case itself. Officials could simply point to what Google had discovered as a result of its own investigation.

The Obama administration began to take a harsher tone with China, starting with a major address Clinton gave about her Internet Freedom initiative nine days later. She called on China to stop censoring Internet searches and blocking access to websites that printed criticism about the country’s leaders. Clinton likened such virtual barriers to the Berlin Wall.

On the day that Google’s lawyer wrote the blog post, the NSA’s general counsel began drafting a “cooperative research and development agreement,” a legal pact that was originally devised under a 1980 law to speed up the commercial development of new technologies that are of mutual interest to companies and the government.

It’s not clear what the NSA and Google built after the China hack. But a spokeswoman at the agency gave hints at the time the agreement was written. “As a general matter, as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers,” she said. It was the phrase “tailored solutions” that was so intriguing. That implied something custom built for the agency, so that it could perform its intelligence-gathering mission. According to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers. It was a quid pro quo, information for information.

The cooperative agreement and reference to a “tailored solution” strongly suggest that Google and the NSA built a device or a technique for monitoring intrusions into the company’s networks. That would give the NSA valuable information for its so-called active defense system, which uses a combination of automated sensors and algorithms to detect malware or signs of an imminent attack and take action against them. One system, called Turmoil, detects traffic that might pose a threat. Then, another automated system called Turbine decides whether to allow the traffic to pass or to block it. Turbine can also select from a number of offensive software programs and hacking techniques that a human operator can use to disable the source of the malicious traffic.

The government could command the company to turn over that information, and it does as part of the NSA’s Prism program, which Google had been participating in for a year by the time it signed the cooperative agreement with the NSA. But that tool is used for investigating people whom the government suspects of terrorism or espionage.

Google took a risk forming an alliance with the NSA. The company’s corporate motto, “Don’t be evil,” would seem at odds with the work of a covert surveillance and cyber warfare agency. But Google got useful information in return for its cooperation.

Excerpted from “@WAR: The Rise of the Military-Internet Complex” by Shane Harris. Copyright © 2014 by Shane Harris. Used by permission of Houghton Mifflin Harcourt Publishing Company. All rights reserved.

http://cyberwar.einnews.com/article/

« Newsletters
What Is Spyware & Adware and What Is Malware? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

6cure

6cure

The 6cure Threat Protection solution eliminates malicious traffic to critical services in real time and protects against DDoS attacks.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

Mnemonica

Mnemonica

Mnemonica specializes in providing data protection system, information security compliance solutions, cloud and managed services.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Navaio IT Security

Navaio IT Security

Navaio helps clients with IT Security related challenges with a primary focus on Identity and Access Management, Data Governance, User Awareness and Cyber Resilience Services.

SIRP Labs

SIRP Labs

SIRP is a Risk-based Security Orchestration, Automation and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response.

Internet 2.0

Internet 2.0

Internet 2.0 is a Cyber Security technology company with a core focus on developing affordable but sophisticated cyber security solutions.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

COPA-DATA

COPA-DATA

COPA-DATA is the only independent software manufacturer to combine in-depth experience in automation with new possibilities of digital transformation – reliable, future-proof and operating worldwide.

Netsurit

Netsurit

Managed IT, Cloud, and Security Services. Netsurit is Your IT Innovation and Digital Transformation Accelerator.

Qevlar AI

Qevlar AI

Qevlar AI empowers SOC teams, to eliminate redundant tasks and refocus on what truly matters - making the most of every employee within the SecOps team.

Saidot

Saidot

Saidot is a Finnish AI governance and alignment company committed to helping businesses safely and transparently integrate AI into their operations.

Hunt & Hackett

Hunt & Hackett

Hunt & Hackett helps European companies prevent, detect and respond to today’s most advanced adversaries, safeguarding them against cyberthreats and espionage.

Sphinx

Sphinx

Sphinx provide advanced security consulting services and cyber solutions to federal and private industry.

Styx Intelligence

Styx Intelligence

Styx Intelligence’s platform provides visibility and supports remediation against threats targeting your digital assets.