Saturday, June 15, 2013

Bloomberg: U.S. Intelligence Agencies Swap Data with Thousands of Companies; Prism Is Only the Tip of the Iceberg

 
 


via 墙外楼 by 墙外仙 on 6/14/13

[Image: National Security Agency seal]

Bloomberg today published an article by Michael Riley reporting that U.S. intelligence agencies including the NSA, CIA and FBI maintain close cooperative relationships with thousands of private U.S. companies, obtaining sensitive intelligence from them while also providing classified information to their partners. The full text of the article follows:

According to four people familiar with the matter, thousands of companies in technology, finance and manufacturing work closely with U.S. national security agencies, providing them with sensitive information and in return receiving classified intelligence from them.

The companies taking part in these programs are known as trusted partners, and what they do extends far beyond what was disclosed by Edward Snowden, the computer technician who worked for the National Security Agency (NSA). Since Snowden revealed this month that the NSA collects the telephone records of millions of U.S. residents and works with Google and other Internet companies to monitor the computer communications of foreigners, the private companies involved have come under intense public scrutiny.

The four people said that, in addition to their users' private communications, many Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications.

Makers of hardware and software, banks, Internet security providers, satellite communications companies and many other firms also take part in these government programs. In some cases, the information collected through them is used not only for self-defense but also offensively, to break into adversaries' computer systems.

According to one of the four people, who has worked both for the U.S. government and for its partner companies, besides the NSA, the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI) and the intelligence branches of the U.S. military also cooperate with these companies to gather information that looks harmless to an ordinary person but is highly useful to U.S. intelligence officers or cyber warfare units.

Microsoft Bugs

According to two people familiar with the matter, Microsoft, the world's largest software company, provides intelligence agencies with information about vulnerabilities in its operating systems before releasing fixes. That information can be used to protect U.S. government computers, and to access the computer systems of terrorists or military adversaries.

According to two U.S. officials, this early information from Microsoft and other software, Internet and security companies helps the government exploit weaknesses in software sold overseas. The two people, who asked not to be named, said Microsoft doesn't ask and can't be told how the government uses the information.

Microsoft spokesman Frank Shaw said the company provides vulnerability information in advance to several partner agencies so that the government can get "an early start" on risk assessment and mitigation.

Willing Cooperation

One of the four people said some U.S. telecommunications companies are very willing to give intelligence agencies access to overseas infrastructure and communications data. Within the U.S., such a thing would require a judge's approval. Under the Foreign Intelligence Surveillance Act, U.S. telecommunications companies can provide information to intelligence agencies voluntarily, without oversight.

This extensive cooperation between intelligence agencies and private companies is legal and reaches into many aspects of people's lives, yet only a small number of lawyers, business leaders and intelligence officers look at it carefully. One person familiar with the agreements between the agencies and the companies said corporate executives are glad to cooperate with the government, earning a reputation for helping national defense while their companies benefit as well.

A person familiar with the process said most of the agreements are highly confidential and only a few senior people in a company have access to them. Often such secrets are known only to the company's CEO and the head of the intelligence agency, and nobody else is in a position to learn of them.

"Thank Them"

Michael Hayden, who has headed both the NSA and the CIA, described the relationship with partner companies this way: "If I were the agency director in charge of dealing with partner companies, and my partner gave me information of great value to public defense, I would thank them in my own way and make them aware of how necessary and useful what they were doing was."

Hayden added: "As the head of a company you have an obligation to do this kind of thing, and very few people stay out of it."

According to a slide revealed by Snowden, U.S. Internet companies and the NSA's Special Source Operations unit have a secret program called Prism, which collects the e-mails, videos and other data of foreign surveillance targets. The data monitored differs from one Internet company to the next, with the specific categories decided by a secret panel of judges.

With the world's information growing explosively and more of it passing through switches, routers, cables and other network equipment supplied by U.S. companies, U.S. intelligence agencies are increasingly dependent on this kind of cooperation with private firms.

Equipment Specifications

Besides private communications, the specifications of the equipment that keeps the Internet running are also collected by the U.S. government and its partner companies. In principle, equipment specifications have little connection with private communications and fall outside the scope of what intelligence agencies are concerned with. But this information matters to the companies, to U.S. law-enforcement officials and to the military.

Committing Officers

If necessary, company executives who cooperate with intelligence agencies are granted immunity from civil lawsuits arising from the transfer of data. The agencies also regularly update the company's liaison on how they will use the collected data.

One of the four people familiar with the matter said that McAfee, Intel's Internet security software unit, regularly cooperates with the NSA, FBI and CIA. McAfee is a very valuable partner to U.S. intelligence because its Internet software sees a large volume of malicious Internet traffic, including espionage operations originating abroad.

The person said the cooperation between U.S. intelligence and McAfee would proceed something like this: first approach McAfee's CEO, who would then assign specific employees to provide data to investigators. He added that the American public would be surprised to learn how much help the government seeks. McAfee's firewalls can collect data on espionage conducted through legitimate servers, making it possible to locate where attacks originate. McAfee also knows the architecture of information networks worldwide, which is very useful to its intelligence-agency partners.

Executives Get Special Attention

Michael Fey, McAfee's worldwide chief technology officer, said McAfee's data and analysis do not include personal information. He wrote in a statement: "We do not share any type of personal information with our government agency partners. McAfee's function is to provide security technology, education and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities and hacker group activity."

The people familiar with the matter said that in exchange, U.S. security agencies give partner executives special attention and relevant information to maintain the relationship. Sometimes partner companies also receive early warnings about threats that could affect their revenue, such as large-scale network attacks and who is behind them.

According to a person familiar with the U.S. government's investigation, after Google was attacked by Chinese hackers in 2010, Google co-founder Sergey Brin received highly classified government intelligence stating that the attack had been directed by a secret unit of the Chinese military. According to information disclosed by Snowden, Google, which runs the world's largest search engine, had by then been a Prism participant for more than a year.

Google CEO Larry Page wrote in a blog post on the 7th of this month that he had never heard of the Prism program before Snowden's disclosures, and that Google does not allow the U.S. government direct access to its servers or a "back door" into its data centers. Page said Google provides user data to the government only where doing so does not violate the law. Google spokeswoman Leslie Miller had not yet commented on the report.

Collecting Device Metadata

The information Snowden provided also exposed a secret program called "Blarney." According to the Washington Post's description of Blarney, U.S. security agencies collect metadata on computers and devices that are used to send e-mail and browse the Internet over principal data routes.

Millions of devices around the world carry such metadata, and U.S. intelligence agencies can use it to infiltrate those computers or phones and spy on their users. The metadata includes the versions of the operating system, browser and Java software in use. Glenn Chisholm, former chief information officer of Telstra Corp, one of Australia's largest telecommunications carriers, said: "It's highly offensive information." He was contrasting it with defensive information used to protect computers rather than infiltrate them.

According to the Washington Post, Snowden said Blarney's purpose is "to gain access and exploit foreign intelligence." It is unclear whether U.S. Internet service providers supplied user information to the NSA under Blarney and, if so, whether they obtained a judge's approval.

Stewart Baker, former general counsel of the NSA, said that if metadata involved communications between two foreign computers that happened to cross a U.S. fiber-optic cable, "then it would require less legal scrutiny to obtain than communications that are being extracted one by one."

Failing to Keep Up with Technology

Jacob Olcott said the lawmakers who oversee U.S. intelligence agencies may not understand the significance of some of the metadata the NSA collects. Olcott is a former cybersecurity adviser to Senator John D. Rockefeller IV, chairman of the Senate Commerce Committee, and is now a senior executive at the security risk management firm Good Harbor Security Risk Management.

He said: "That's what makes oversight of these issues so challenging. Technology and technology policy now change at a dizzying pace, and the background and expertise of most elected lawmakers and their staffs can no longer keep up." People familiar with the matter said that although U.S. intelligence agencies offer partner companies attractive inducements, many executives take part in such programs mainly out of patriotism or a sense that they are protecting national security.

U.S. telecommunications carriers, Internet companies, power companies and other firms provide U.S. intelligence agencies with details of their systems' architecture or equipment so that the agencies can analyze potential vulnerabilities. Chisholm, chief security officer of the California data security company Cylance, said: "It's natural behavior for governments to want to know about the country's critical infrastructure."

No Legal Liability

Even highly defensive systems can have unforeseen consequences for user privacy. "Einstein 3" is an expensive program originally drawn up by the NSA to protect government systems from hackers. The program has been made public and is now being installed; it will closely analyze the billions of e-mails sent to government computers every year to determine whether they contain spy tools or malicious software. According to people familiar with the matter, in some circumstances Einstein 3 could also expose the private contents of e-mails.

Before five major U.S. Internet companies, AT&T, Verizon Communications, Sprint Nextel, Level 3 Communications and CenturyLink, agreed to install the Einstein 3 system on their networks, several of them reportedly demanded a government guarantee that they would not be held liable under U.S. anti-wiretapping law. They received a letter signed by the U.S. attorney general stating that exposing such information did not meet the legal definition of a wiretap and granting the companies immunity from civil lawsuits.

AT&T spokesman Mark Siegel and Verizon spokesman Edward McFadden both declined to comment on the report, while Sprint spokesman Scott Sloat and Level 3 spokeswoman Monica Martinez had not yet responded.

CenturyLink spokeswoman Linda Johnson said the company participates in two programs, the Enhanced Cybersecurity Services program and the Intrusion Prevention Security Services program, the latter of which includes Einstein 3. Both are run directly by the U.S. Department of Homeland Security. Beyond that, she said, "CenturyLink does not comment on matters pertaining to national security."

———

U.S. Agencies Said to Swap Data With Thousands of Firms
By Michael Riley – Jun 15, 2013 12:01 PM CT

Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden, a computer technician who did work for the National Security Agency. The role of private companies has come under intense scrutiny since his disclosure this month that the NSA is collecting millions of U.S. residents' telephone records and the computer communications of foreigners from Google Inc. (GOOG) and other Internet companies under court order.

Many of these same Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications, that don't involve private communications of their customers, the four people said.

Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies and many other companies also participate in the government programs. In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.

Along with the NSA, the Central Intelligence Agency, the Federal Bureau of Investigation and branches of the U.S. military have agreements with such companies to gather data that might seem innocuous but could be highly useful in the hands of U.S. intelligence or cyber warfare units, according to the people, who have either worked for the government or are in companies that have these accords.

Microsoft Bugs

Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

In an e-mailed statement, Shaw said there are "several programs" through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge's order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said.

'Thank Them'

Michael Hayden, who formerly directed the National Security Agency and the CIA, described the attention paid to important company partners: "If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful."

"You would keep it closely held within the company and there would be very few cleared individuals," Hayden said.

Cooperation between nine U.S. Internet companies and the NSA's Special Source Operations unit came to light along with a secret program called Prism. According to a slide deck provided by Snowden, the program gathers e-mails, videos, and other private data of foreign surveillance targets through arrangements that vary by company, overseen by a secret panel of judges.

U.S. intelligence agencies have grown far more dependent on such arrangements as the flow of much of the world's information has grown exponentially through switches, cables and other network equipment maintained by U.S. companies.

Equipment Specs

In addition to private communications, information about equipment specifications and data needed for the Internet to work — much of which isn't subject to oversight because it doesn't involve private communications — is valuable to intelligence, U.S. law-enforcement officials and the military.

Typically, a key executive at a company and a small number of technical people cooperate with different agencies and sometimes multiple units within an agency, according to the four people who described the arrangements.

Committing Officer

If necessary, a company executive, known as a "committing officer," is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.

Intel Corp. (INTC)'s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee's chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.

McAfee's Data

McAfee (MFE)'s data and analysis doesn't include information on individuals, said Michael Fey, the company's worldwide chief technology officer.

"We do not share any type of personal information with our government agency partners," Fey said in an e-mailed statement. "McAfee's function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity."

In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.

China's Military

Following an attack on his company by Chinese hackers in 2010, Sergey Brin, Google's co-founder, was provided with highly sensitive government intelligence linking the attack to a specific unit of the People's Liberation Army, China's military, according to one of the people, who is familiar with the government's investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.

According to information provided by Snowden, Google, owner of the world's most popular search engine, had at that point been a Prism participant for more than a year.

Google CEO Larry Page said in a blog posting June 7 that he hadn't heard of a program called Prism until after Snowden's disclosures and that the Mountain View, California-based company didn't allow the U.S. government direct access to its servers or some back-door to its data centers. He said Google provides user data to governments "only in accordance with the law."

Leslie Miller, a spokeswoman for Google, didn't provide an immediate response June 13.

The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.

Metadata

That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.

"It's highly offensive information," said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia's largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.

According to Snowden's information, Blarney's purpose is "to gain access and exploit foreign intelligence," the Post said.

It's unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge's order.

Less Scrutiny

Stewart Baker, former general counsel for the NSA, said if metadata involved communications between two foreign computers that just happened to be crossing a U.S. fiber optic cable "then the likelihood is it would demand less legal scrutiny than when communications are being extracted one by one."

Lawmakers who oversee U.S. intelligence agencies may not understand the significance of some of the metadata being collected, said Jacob Olcott, a former cybersecurity assistant for Senator John D. Rockefeller IV of West Virginia, the Democratic chairman of the Senate Commerce Committee.

"That's what makes this issue of oversight so challenging," said Olcott, now a principal at Good Harbor Security Risk Management in Washington. "You have a situation where the technology and technical policy is far outpacing the background and expertise of most elected members of Congress or their staffs."

While companies are offered powerful inducements to cooperate with U.S. intelligence, many executives are motivated by patriotism or a sense they are defending national security, the people familiar with the trusted partner programs said.

Einstein 3

U.S. telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems' architecture or equipment schematics so the agencies can analyze potential vulnerabilities.

"It's natural behavior for governments to want to know about the country's critical infrastructure," said Chisholm, chief security officer at Irvine, California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.

Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn't authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five major Internet companies — AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) — asked for guarantees that they wouldn't be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn't meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

Mark Siegel, a spokesman for Dallas-based AT&T, the nation's biggest phone carrier, declined to comment. Edward McFadden, a spokesman for New York-based Verizon, the second-largest phone company, declined to comment.

Scott Sloat, a spokesman for Overland Park, Kansas-based Sprint, and Monica Martinez, a spokeswoman for Broomfield, Colorado-based Level 3, didn't immediately respond to requests for comment.

Linda Johnson, a spokeswoman for CenturyLink, formerly Qwest Corp., said her Monroe, Louisiana-based company participates in the Enhanced Cybersecurity Services program and the Intrusion Prevention Security Services program, which includes Einstein 3. Both programs are managed by the U.S. Department of Homeland Security.

Beyond that, she said, "CenturyLink does not comment on matters pertaining to national security."

To contact the reporter on this story: Michael Riley in Washington at michaelriley@bloomberg.net

To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net
