Defcon 08 By wireless...
The infamous Echelon satellite spy system, reportedly operated by the US National Security Agency (NSA), is largely a product of popular imagination and journalistic mythology, a US government official with ties to the intelligence community said during several sessions at Defcon.
"I wish we had something like that which was that good. I mean, it would make my life so much easier, but it just isn't there," the official, who asked not to be identified, told reporters during a press conference. "I don't really expect a lot of people having a great time with these Echelon stories to believe what I tell you, but just go back and do the math."
The Echelon system is said to be capable of intercepting virtually all the world's electronic communications via fax, microwave and e-mail, and automatically filtering out the noise to get at the titbits of interest to the US national security apparatus - a miraculous feat which The Register has questioned on grounds of feasibility many times in the past.
"Get some of those articles that purport to describe the ability of the Echelon system to do marvellous things, and [think through] the engineering work," the official suggested. "Figure out how much processing power it would require, the types of collaboration one would need with people who build telecommunications systems, and the amount of government employees you would need to read all the stuff that gets scooped out. We just haven't got it."
"We're the government," he quipped. "Why would you reasonably expect us to be any more advanced than the private sector?"
Instead of the automated, science-fiction system generally imagined, the NSA and similar agencies rely on the old-fashioned method of developing sources and leads, and targeting them for further observation, he maintained.
"The basic problem is someone giving us a hint to tell us where to look. Since we can't process anywhere near the volume of stuff that people generate, we have to have some clue that tells us to go after a particular place or a particular thing."
Conspiracy paranoiacs will be further disappointed to learn that the US government does not make a habit of targeting electronic communications simply because they happen to be encrypted, the official said, again illustrating his point by appeal to the common-sense argument that there simply is not an unlimited amount of time, money or personnel available.
"There has to be some association that makes us want to [conduct surveillance]. We do not have the resources, time, interest or attention spans to go after everyone who wants to use encryption."
Still, a great number of people believe that the NSA is conducting mass-scale, indiscriminate monitoring of encrypted traffic, and either breaking the code or relying on back doors implanted in commercial crypto products by compliant manufacturers.
The notion that the government either encourages, or as some believe, forces, software companies to put back doors in their encryption applications also fails to make sense, he said.
"If a [software] firm ever got caught doing that, they would flat be out of business. And how often after that would a company want to co-operate with a government that asked them to do it? You don't set them up to where they're going to get wiped out in public... it's just bad business."
During an open session, he was questioned about US military preparations to defend against, and prosecute, information warfare, a capability which popular imagination also believes to be in an advanced state of development.
He indicated that America's cyberwar capabilities are as grossly overestimated as its spying capabilities. "I'm not even sure how we would determine that [an information attack] was happening," he observed.
"The biggest problem that we have in cyberspace is figuring out who's [attacking]. There are no fingerprints, no physical evidence; and if you don't know who did it, then you have a hard time figuring out why it was done. Identification and intent are key elements in international law. If you want to go whack someone, you have to be able to make a plausible, provable case that Enemy X is the one that [attacked] you; and if you can't determine who they are, then you have a real problem."
And malicious hackers should beware, he said, as this uncertainty in identification could one day cause a great deal more harm than intended. "An individual conducting a [network attack] on US soil against a foreign state could conceivably be interpreted as an agent of the US government. And if that's the case, then you have a situation where an individual could cause an international incident."
As for the US military's offensive cyberwar capabilities, there is little real-world data to go on in assessing it. "We did not conduct any successful virus attacks during the Gulf War," the official noted. "We had a target identified that we thought it useful to knock out to support the air campaign. We were prepared to go against it, but in the complexities of that war, we inadvertently removed the access pathway to the target before we were able to attack it."
As for its defensive capabilities, at least some assessment can be inferred from its difficulties in protecting on-line systems from relatively unsophisticated attacks by script kiddies, and the increasing alarm among federal law enforcement agencies which are scrambling to obtain ever-expanding powers of surveillance and to impose ever-harsher penalties for such minor abuse.
The myth of invincibility doesn't stand up long when FBI Director Louis Freeh and Attorney General Janet Reno wring their hands in public, demanding a relaxation of on-line trap and trace laws and a lowering of the standards by which federal involvement in on-line crime is triggered.
Another obstacle to the defence of crucial US assets from cyber attack is the simple fact that many of them are privately owned, the official noted. "The government doesn't own a lot of the stuff that needs to be protected," he said. "We can't just walk in and tell people how to take care of their personal property."
Some private assets with serious public implications, like telecommunications, finance and non-nuclear energy, have co-operative agreements to harden their crucial assets from attack, but the government is in no position to dictate the particulars of how this is to be accomplished.
One can only hope that old-fashioned economic self-interest will inspire them to do a decent job of it. ®
What the hell is - the Echelon scandal?
Euro Parliament to investigate Echelon
NSA memos suggest ECHELON exists
Scheme to crash US Echelon net snoop ops hatched
Reno gets her teeth into Carnivore
ACLU seeks Congress' help against FBI's 'Carnivore'
RIP Bill: Full coverage