Let’s assume the NSA is competent
This is the organization that uses submarines to tap undersea cables, is the largest employer of mathematicians in the US, and allegedly captures all communication. They were able to construct a breathtakingly large spying apparatus that was only exposed by chance through a disaffected employee.
So — the NSA are highly competent, well-resourced and aggressive. No undertaking is too daunting. It’s also become clear that they operate without strong congressional oversight and have been able and willing to violate the law (including the constitution).
It’s safe to say that we (the public) are only aware of a fraction of their activity. But I think we can credibly predict their as-yet-unknown activity, simply by working backwards from their goals (i.e. ability to access any data or system) and extrapolating forward from their known activity.
Specifically, I bet the NSA is heavily involved in infiltration. We already know that they spend $250M/year to covertly “insert vulnerabilities into commercial encryption systems”.
How it would work:
- Infiltration of security infrastructure. I would have “non-NSA” engineers contributing to open source projects like OpenSSL, adding vulnerabilities, etc.
- Infiltration of OS manufacturers (MSFT, APPL, GOOG). By planting staff, for example, on Apple’s OS and compiler teams, they could secretly inject code into every iPhone — without anyone at the company being aware. Actually, techniques like the so-called “Ken Thompson Hack” might allow anyone who controlled the compiler to patch most software compiled on that platform.
- Infiltration of any company making communication software (WhatsApp, etc.). If you’ve already compromised the OS (see above), this might not be necessary.
- Infiltration of banks to track financial activity.
- Infiltration of companies that make password managers. These products are so simple that it might even be easier to create their own commercial password manager(s) and release them through shell companies.
Given what we know that the NSA has done, it’s hard to believe they haven’t done these things too, since they’d require less effort and yield more benefit. I can’t see how the law or any other consideration would inhibit them.
Infiltration of these organizations would be quite possible as they are desperate for high-quality engineering talent. You would need to recruit and groom engineers from outside the NSA, presumably drawing from top engineering programs. Once planted, they would inject work done by engineers at the NSA into their hosts’ systems. Of course, it might be easier to “turn” engineers already at these companies.
Similarly, to infiltrate open source projects you would need to maintain a pool of engineers not associated with the NSA.
This wouldn’t have to be a large program — with 10 or 20 well-placed engineers, you could have a massive impact. And a small (in terms of staff and budget) program would be easy to hide within the $10 billion budget and organizational structure of the NSA. In fact, it’s unlikely that Snowden would have been able to discover such a program if it did exist.
Find it all a little hard to believe?
- For three decades before Snowden, many in the security world speculated about what the NSA was doing — but their warnings were dismissed.
- These infiltrations would let them bypass any public debate or resistance from the private sector — both of which now pose serious obstacles to their activity.
- “They couldn’t get away with it” or “the risk of getting caught would be too high.” Possibly, but look carefully at what they’ve already gotten away with. Was there any meaningful reform after Snowden’s revelations?
Here’s a twist: presumably other countries (ie. China’s 3PLA, Russia’s FAPSI, etc.) would also be trying to infiltrate the same organizations to similar ends. Although tech companies routinely hire foreigners, infiltration would be much more difficult for these countries since (like the NSA) they would need to recruit from a small pool — talented engineers loyal to their government — and it would be difficult to hide their nationality. One has to wonder if the moles within these organizations are hunting each other.