
To Protect and Control: The Militarization of the Internet

BSides Cape Town · 2025 · 27:44 · 828 views · Published 2025-12
About this talk
Traces the shift of the internet from a platform for open communication to a battlefield where states, corporations, and private actors deploy surveillance tools and control mechanisms. Examines the history of mass surveillance from the Snowden revelations through the rise of commercial spyware firms like NSO Group, and explores dangerous legislation such as the UK's Online Safety Bill and EU's Chat Control that normalize mass surveillance under the guise of safety.
The internet was once envisioned as a platform for open communication, collaboration, and the democratization of information. Over the past two decades, however, it has increasingly become a battlefield where states, corporations, and private actors deploy surveillance tools and control mechanisms under the banners of “safety” and “security.” Surveillance tools are not only created by governments but also by private entities that provide their products and services to the highest bidders, who often have the lowest respect for human rights.

*Introduction & History of Mass Surveillance*

This talk will trace the arc of how the digital domain shifted from liberation to militarization, and why it matters now more than ever. We’ll begin with a brief history of mass surveillance, from the early days of metadata collection to the groundbreaking revelations of Edward Snowden in 2013. The leaks exposed the scale at which intelligence agencies monitored global communications, reshaping public understanding of privacy, rights, and the limits of state power. WikiLeaks’ “Vault 7” disclosures later revealed the CIA’s offensive cyber capabilities, showing how surveillance tools can be weaponized.

*Commercial Spyware*

Governments are no longer the only players. The rise of private spyware firms like NSO Group, Hacking Team, Intellexa and Cytrox has created a global market for surveillance tools, ranging from mobile exploits to sophisticated intrusion frameworks. These tools, once shrouded in secrecy, have become commercial products; they are sold with no oversight and often turned against journalists, dissidents, and civil society. We'll talk about the collapse of some of these firms as the result of public scrutiny, lawsuits, and geopolitical pressure.

*Dangerous Legislation*

The growing militarization of the internet is being reinforced by dangerous legislative trends. Laws such as the UK’s Online Safety Bill and the EU’s Chat Control regulation promise safety but erode privacy by mandating mass scanning of private communications and threatening encryption. While positioned as protective, they normalize surveillance infrastructures and extend control into the private digital sphere. This talk will argue that the militarization of the internet is not only technological but deeply political. By connecting surveillance history, leaks, spyware tools, corporate collapses, and new laws, it will illustrate how the line between protection and oppression is rapidly vanishing and why resisting this trajectory is vital.

About Jared Naude:

Jared is the Head of Security at Synthesis, where he specializes in enterprise cloud architecture. Jared is passionate and deeply committed to guiding large organizations through the complexities of architecting, securing and operationalizing enterprise cloud environments. Beyond Jared’s professional responsibilities, Jared is an enthusiastic advocate for community building, serving as the organizer of several local security events, including 0xcon, BSides Cape Town, and BSides Joburg. Jared’s research focuses on cybersecurity topics that intersect with national security and foreign policy issues such as encryption, privacy, surveillance, disinformation, and nation-state activity.
Transcript (en)

Good afternoon, everyone. I'm going to be presenting To Protect and Control: The Militarization of the Internet. So when many people think of surveillance technology, they think of a single tool or a database. However, it's an interconnected ecosystem of laws, collection infrastructure, commercial spyware, and the technology vendors that enable them. So these systems are designed to protect national security, but they are increasingly being used to kind of shape political power and civil rights, and understanding this ecosystem and its interconnectivity is really the basis of my talk.

So just a quick introduction. I head up security at Synthesis. We're an AWS Premier Partner. My day job is helping companies adopt cloud security. In my free time, I help organize several community events like this one, BSides Joburg, 0xcon, and 0xcoffee as well. And I also do security research focused on national security and foreign policy topics, so things like surveillance, nation-state activity, et cetera, and I'm also involved in some policy advocacy work on these issues.

So in this talk, I'm gonna spend a bit of time going through the Snowden documents, what's changed since then, and then we'll chat about the growing commercial spyware industry and then close off with some of the problematic legislation that's making its way through various countries. I'm quite excited to present this talk. In 2015, I published research that was actually published in the IEEE journal on this. And I've been wanting to kind of give an update presentation for a long time. But given the theme of this year's event, I thought it was probably now or never. I think my talk, probably compared to the others, is the closest to the theme of this year's event. And this talk is also heavily inspired by two formative talks that I saw at 30C3 in 2013 that have a similar name to my talk as well.

So after the 9/11 attacks that claimed the lives of nearly 3,000 people, the US government made sweeping changes to its intelligence collection capabilities as well as its laws. And in October 2001, weeks after the 9/11 attacks, George Bush signed the Patriot Act into law. It broadened surveillance capabilities and allowed easier access to records. This law expanded the existing Foreign Intelligence Surveillance Act, or FISA as it's more commonly known, which was passed in 1978 and then broadened through an amendment in 2008. The Patriot Act also expanded certain definitions that were in Executive Order 12333, which was signed in 1981 and kind of laid the groundwork for surveillance by defining certain roles in various US intelligence agencies and authorizing the collection of intelligence outside of the US. It is the responsibility of the US Congress to oversee all of the rules and legislation that are implemented, and compliance with them, through policies and hearings. But often what happens is when leaders of the intelligence agencies testify in Congress, they are dishonest about what is going on.

A very well-known example is when Senator Ron Wyden questioned the Director of National Intelligence, James Clapper. Senator Wyden asked General Clapper if the NSA collects data on millions or hundreds of millions of Americans. General Clapper responded that they don't, but you can see he's scratching his head, a very bad poker face. And this was before the Snowden revelations. And this incident was one of the motivations for Snowden to leak the data, because if Congress can't hold intelligence agencies accountable, who is actually going to hold them accountable?

So in June 2013, Edward Snowden provided journalists with a trove of documents showing how intelligence agencies were spying on Americans and other people around the world. And by leaving those documents with journalists, it's the journalists that made the decisions around which documents were in the public interest and which documents effectively would then be published. The released documents exposed programs enabling mass surveillance, signals intelligence collection, and access to global communications infrastructure. They revealed that these operations significantly exceeded legal and constitutional boundaries, while also detailing how these systems functioned. I'm going to go through some of these programs that are specific to my talk, but I would have to stand here for hours going through all of the programs that were leaked by Snowden.

So historically the NSA has been nicknamed "No Such Agency" because of its extreme secrecy, and the released documents really provide an unprecedented look into the operational capabilities of the Five Eyes nations. This includes the United States, the United Kingdom, Canada, Australia and New Zealand. However, I'm going to focus on the programs run by the NSA in the United States as well as GCHQ in the UK.

So one of the big programs that was revealed is XKeyscore, which is the NSA's global mass dragnet surveillance system, which is used to collect and analyze vast amounts of internet data. Tempora is the UK version of the system. Tempora is notable because it's the world's first three-day full-take system. And these programs collect data such as emails, web traffic, VPN sessions, Tor activity, chat and various other forms of digital communication. You'll also notice that where this infrastructure currently is is very similar to where the landing stations of a lot of the undersea submarine cables are. So there is collection equipment in a lot of these stations, and I'll talk about that a little bit later on. And XKeyscore also leverages a program called TURMOIL, which enables deep packet inspection of traffic. Traffic captured by TURMOIL is then sent into XKeyscore for processing and analytics. And then there's also a program called TURBINE, which does deep packet injection, but I'll talk about that in a moment. And by tapping into global fiber optic networks, the NSA is able to collect large volumes of content, including all of the types that I've previously discussed. And it includes both content as well as metadata. So once the data is collected, it can then be either temporarily stored or stored for a longer period. It can also be used for retrospective analysis as well.

And thanks to these documents, we kind of know what some of this collection infrastructure looks like. So this is a rather famous room. This is Room 641A at the Folsom Street exchange in San Francisco. So inside of that room, there is a splitter. So for any internet traffic moving through that room, one copy goes to the original destination and another copy goes directly to the NSA for inspection.

One of the programs that was also revealed is Boundless Informant, which you can kind of think of as an analytics platform for XKeyscore. So in the screenshot, you'll see all of the countries where it's collecting data from. You'll also note that in the screenshot, there are over 124 billion records of metadata.

XKeyscore also allows analysts to search for specific content. So people that visited a certain website, certain email addresses, phone numbers, et cetera. And what they can also do is they can create tasking. So if the system ever sees a certain web address, email, or phone number, it can then store that data permanently, if that is how the analyst has configured it. And then because there are multiple sites around the world, the analyst can create a query that can then query all of the sites at once. And that's kind of just an illustration of how that would work.

Thanks to the documents, we also know a lot of details about the NSA's data center in Salt Lake City, Utah. So although this building looks a little bit small in the photos, it's actually larger than a lot of shopping malls. So it's at least 8 exabytes. It's 140,000 square meters, consumes six and a half thousand tons of water per day for cooling. It has extremely high density racks, so a lot taller than you would typically find in a data center, and the aisles are also much closer than you would typically have in a data center as well. And thanks to the documents, we know that one of the problems that they were having when they built this facility is they were actually having electrical arcing problems between the racks. The documents also revealed other operational issues that the NSA was having. So this shows screenshots of classified reports with issues that they were having with XKeyscore. So things like slow file uploads, slow indexing, failed hard drives, and failed RAM sticks as well.

So what I've shown you thus far is the kind of on-net collection, which is kind of what's going on on the internet. But the documents also showed the close access operations capabilities. So these are devices that can break into networks, computers, et cetera. You can kind of think about this like Metasploit, basically, for the NSA. So these tools are really designed for total device compromise, from hardware implants to firmware and BIOS persistence, as well as network infrastructure exploit tools, software exploitation, and covert communication tools as well. So as an example of how this would be used, if the NSA was targeting a specific company or individual, when that person ordered network equipment, they could do supply chain interdiction and implant one of these hardware implants from the ANT catalog that would give them remote access to that device. So in this case, you actually see a Cisco device that's been targeted in this example.

The MUSCULAR program is also how the NSA intercepts links between data centers. So after Google saw this screenshot, they implemented layer two line encryption between all of the data centers. The BULLRUN program has the goal of weakening encryption and inserting vulnerabilities into various IT systems and standards. And then the NSA actually paid RSA over $10 million to adopt a backdoor into a specific algorithm. And they've also tried to infiltrate NIST to kind of recommend weaker algorithms, but they have kind of failed at doing that.

And all of this kind of leaves us vulnerable, right? So in 2015, I published a paper where I made the argument that we as the security community should see the NSA as an adversarial threat, because the stockpiling of all of these zero-day exploits and weakening security standards leaves all of us vulnerable, right? So little did I know at the time that in 2017, as part of the Vault 7 leaks, several zero-days would be revealed, with the most widely known one being EternalBlue, which was used in both the WannaCry and NotPetya ransomware campaigns. So WannaCry and NotPetya infected hundreds of thousands of machines and thousands of organizations around the world. Combined, this caused billions of dollars in damage, especially to shipping and logistics companies. This image that you see here is actually trucks that were parked outside of a port because they actually couldn't load cargo because of the fact that these systems were down due to the ransomware attack.

The APEX program is how the NSA goes after VPN connections and how they can attack VPN sessions. And we spoke about TURMOIL earlier, which is for deep packet inspection. So let's talk about TURBINE now, which is for deep packet injection. So the NSA has a program called QFIRE and Quantum Insert. So this basically uses race conditions. So what they can do is if you visit a specific website, they can inject a packet that will come to you faster than the response from the host that you were originally going to. And by doing that, they can exploit certain vulnerabilities to actually exploit your system. And some really good investigative work by various journalists has actually found that we actually have one of these sites sitting on one of the telco networks in South Africa. Whether it's still there or not, I'm not sure. But yeah, that's interesting.

GCHQ then used the combination of these programs, including Quantum Insert, to actually break into Belgacom, which is a telecom in Belgium, I believe, with the end target being the EU Commission and Parliament. They also broke into several other networks as well. And the NSA broke into the United Nations video conferencing system for signals intelligence, to get a kind of hand or a lead in some of the negotiations that might be happening.

So if we look at some of the global response to the Snowden leaks, there was mass global outrage around this. There were legal and policy reforms. There was diplomatic fallout. Through the Snowden documents, several world leaders knew that their phones were being monitored by the NSA, including German Chancellor Angela Merkel. And as a result of that, the CIA station chief in Germany was actually expelled from the country.

The response also meant that the adoption of end-to-end encryption and HTTPS then became a priority on the internet. One of the good things that we know from the Snowden documents is that the NSA can't decrypt OTR and PGP messages. So that is at least some good news. And as a result of this, Google actually implemented additional PGP functionality inside of Chrome in 2014. That functionality is still there, although most people don't use it. And then if we look at HTTPS, again in 2014, Google announced that it would start using HTTPS as a ranking signal. So this, combined with the launch of Let's Encrypt at the time, meant that everybody could get certificates for free in an automated way. And that, combined with the rollout of TLS 1.3, means that perfect forward secrecy could be enabled, which is a very good deterrent or control against mass surveillance. So if we look at the growth of Let's Encrypt over the last couple of years, thanks to Let's Encrypt and some of the other certificate issuing programs, almost 90% to 95% of the internet is actually encrypted. I actually went to go check the certificate transparency logs, and over the last 30 days, over 3 billion certificates have been issued, with the bulk of these certificates being Let's Encrypt. So that's certainly a good thing, I think, for the internet.

As a result of the spying, the Electronic Frontier Foundation also flew a blimp over the NSA data center with a sign saying "Illegal Spying Below". And then a local win in South Africa: journalists actually took the government to court over the foreign surveillance activities that they were conducting. And the Pretoria High Court ruled that the bulk surveillance activities and foreign signals intelligence that was being done by the National Communications Centre are unlawful and invalid. Now, the government does have a kind of reputation for not necessarily following court orders. I don't know what the impact of this was, but I think it's at least an important thing to recognize.

Since the initial bunch of disclosures in 2013, a lot of people think that that's kind of the end of the Snowden documents. However, journalists are still working through those documents and releasing some of them. What they're also trying to do is there are a lot of code words in a lot of the Snowden documents, and what they're trying to do is try to figure out what those code words refer to. So thanks to reporting, we know that this building, which is 33 Thomas Street in New York, has the code name TITANPOINTE. So this building has been the center of attention because of its lack of windows. But thanks to the investigation that has been done, we know that this building is called TITANPOINTE, and that means that you can now go through the other documents and actually go look at where this building is referenced. So for example, in this document, you actually see a user guide for agents to follow. So when they go to this building, they need to use certain cover stories and certain vehicles when they go to that building. And then we can also look at diagrams like this one, where we can actually see the kind of voice processing that's happening inside of that building.

Another thing that happened is that after a lengthy review, the Ninth Circuit Court found that the mass surveillance program exposed by Edward Snowden was unlawful, and a separate investigation also found that the FBI was using the FISA 702 program as well. And I think this justifies the fact that Snowden leaked all of these documents. A federal court and an independent White House review panel concluded that the NSA's programs have not stopped a single terrorist attack. So this is very significant, because a lot of these programs were put in place to stop terrorism. However, they have never stopped a single terrorist attack. And one of the things that I find astonishing is that if you actually go look at a lot of the terrorist attacks, certainly in Western countries, the perpetrators are often known to either intelligence agencies or law enforcement agencies. So if we look at the 2017 and 2018 attacks at Westminster Bridge, the perpetrator was known to intelligence agencies. In 2015, at the Bataclan attack, Turkey's intelligence agencies actually warned the French intelligence agencies that an attack was very likely, and they did nothing. And the most egregious example for me was the attack on the Lindt Cafe in Sydney in 2014. So a few days before the attack, the national security hotline received 18 calls about the perpetrator of that attack, and they did nothing. And he was known both to the Australian police and the Australian intelligence agencies, ASD.

In an investigation into this afterwards, they found that they didn't do anything wrong, which is weird. But then they continued to push for more surveillance access. But it's like, well, maybe you should look at other ways that you could potentially prevent terrorist attacks. And many governments continue to claim that they need broader surveillance capabilities, but then miss obvious situations like the ones that I've just discussed. The NSA even has a slide in one of the documents where they show that when they actually do targeted surveillance, they get much higher intel value from it than from this broad, indiscriminate dragnet surveillance that they have been doing.

Now one of the retorts to the issue of surveillance is that all countries spy. Now this is kind of true to a certain degree, but a lot of that's really dependent on both the policy as well as the budget. So the policy drives the budget, which then will obviously drive the technical capability and the strategic advantages. In 2013, the classified budget for the intelligence agencies, which is known as the black budget, was $52.6 billion. And that's used to develop and operate the various programs that I've spoken about. And this budget has increased significantly over the years. But the problem is not all governments have the budget or the talent pool to build out those capabilities. And then what those governments do is they rely on purchasing capabilities from commercial surveillance and spyware companies.

So some of the companies that are on the slide are kind of the old guard of spyware companies. So companies like Vupen, which is actually an NSA contractor as well, which I also think is quite problematic. And these surveillance tools are not only used by governments, but also by corporations and mercenaries that provide their intrusion services to the highest bidders, often with the lowest respect for human rights. Thankfully, some of these companies are now defunct thanks to sanctions. And some of them, like Hacking Team and FinFisher, which is part of Gamma International, they themselves were actually hacked. And research done by the Citizen Lab has actually found that FinFisher has actually been used in South Africa. If you are interested in this type of research, I highly recommend reading the Citizen Lab reports. They do amazing research.

And after the Hacking Team hack, which revealed a bunch of zero-days and exploits, emails showed that an organization in South Africa had actually purchased services from Hacking Team as well. So with the shift in cyber policy and spending, the commercial surveillance and spyware industry is booming, driven by growing demand from government and private clients for tools that can infiltrate phones, computers and networks. This industry used to be a niche industry of only a handful of companies, but now there are over a thousand of these companies today, depending on how you define a spyware kind of vendor. And as more countries adopt these tools for law enforcement, the line between law enforcement, intelligence gathering and political actions is getting extremely blurry.

This has led to significant abuse and erosion of privacy and human rights worldwide. NSO Group, Cytrox, Intellexa, and Paragon are kind of the big players in the space. And they pose a significant danger to privacy. They sell extremely powerful spyware that's capable of secretly breaking into phones, tracking movements, reading messages, and monitoring calls. And these companies build their own exploits to break into people's phones, usually targeting iMessage and WebKit on iOS, and then the WebView engine and the media framework on Android. And these tools are often marketed for law enforcement as lawful intercept, which is a massive euphemism, because who really gets to choose what is lawful? And in practice, these tools are often used against journalists, whistleblowers, activists, and political opponents.

And Ayman is an ex-Egyptian politician and a journalist. He was infected by Intellexa's Predator spyware and by the Pegasus spyware from NSO Group. So he actually had two separate malware infections on his phone from two separate government clients. And then I think it's the NASA, I'm not really sure how you pronounce it. He was a Greek journalist that was targeted by Intellexa's Predator spyware. And then the most well-known case is Jamal Khashoggi, who was a dissident journalist who was infected by NSO's Pegasus spyware and then was killed and dismembered in the Saudi Arabian embassy. And there are many other examples of journalists getting targeted by spyware, and this really demonstrates the dangers that these spyware companies pose.

And then the last thing I wanted to touch on is kind of problematic legislation. So law enforcement agencies continue to claim that they are going dark, and they want to pressure tech companies to backdoor encryption. And this idea has been thoroughly rebuked by people in the security community as something that cannot be done safely. And in 2022, the EU proposed regulation on preventing and detecting CSAM. The regulation would require providers to scan private messages, images, videos, and file transfers for known CSAM. And this detection would rely on client-side scanning, which would break encryption. So this would normalize mass scanning of all private communications, and in itself is also a form of generalized mass surveillance.

When Apple tried to implement a feature like this in 2021, the security community banded together, made it very clear that this is a bad idea, and under scrutiny and public pressure, Apple pulled the feature. Several prominent security researchers also wrote a paper around the dangers of client-side scanning. In the paper, they detail the risks of client-side scanning, as it fundamentally undermines end-to-end encryption. It's a dangerous form of turnkey mass surveillance. Even if it's deployed in a constrained, limited-use way, it creates a framework which can easily be repurposed for broader government surveillance. And I think one of the things that the Snowden documents show is that even if something is implemented with good intentions, it can easily be used or abused as well.

Thankfully, academic scientists have raised concerns around Chat Control. Several prominent human rights, civil society and NGO organizations have jointly signed a statement in opposition to Chat Control. In Germany, they have coordinated a bunch of civil society organizations who have collectively expressed their opposition to Chat Control and have made the public aware of the dangers of it. There have also been protests across Europe at the EU Commission and EU Parliament against this legislation. And thankfully, due to all of this pressure, the law is on pause at the moment. But the fight is not over. There is another law that's currently making its way through the EU, which is called the ProtectEU law. And that would require client-side scanning as well as encryption backdoors, so it's kind of like Chat Control but on steroids. So I think we have to collectively stand up against some of this legislation.

So in closing, the combination of government surveillance, commercial spyware, and the new legislation points to an unprecedented power over communication systems and our behavior. But none of this is inevitable. So by raising awareness, defending encryption, and using technology that actually protects us, we actually have a way to meaningfully change the direction that we are heading in. And with that, thank you very much for your time.