Cyber Strategies
© 2014 FrontLine Security (Vol 9, No 1)

The Snowden leaks that were first publicized on 5 June 2013 in The Guardian, continue to have wide-ranging implications. They highlighted significantly developed US state cyber surveillance capabilities designed to counter complex threats within the domestic security space, including the NSA’s sec. 215 and sec. 702 programs. The capabilities were unprecedented in their reach (bulk collection and mass data storage of some 1.7 billion interceptions daily), and in their depth (enabled by computational metadata analysis). Security breaches aside, weaknesses in Western intelligence have become apparent, and 2014 will be a cardinal year of recalibration for Western intelligence.

More than just classified documents, the leaks revealed a US grand strategic approach to aggressively secure the homeland from terrorist attack. The grand-strategy was comprehensively applied in a global security context, in peacetime, domestically, and with resources beyond a military scope –but with a cyber technology-fuelled ultra-tactical focus. The result was a bifurcated strategy split between the grand strategic and the ultra-tactical.

Like using air power to fight enemy operatives in theatre, the cyber-surveillance programs employed a light, non-physical footprint, providing full coverage of US domestic space, against a similarly light-footprint terrorist global strategic threat operating within US domestic space. Terrorists in the US could blend into the population, and potentially strike anywhere, so the US looked everywhere through the NSA 215 and 702 programs, treading increasingly heavily through the metadata to find them: collecting records en masse without reasonable articulated suspicion (RAS), contact chaining with three “hops”, using sophisticated computational metadata analysis, and leveraging the historical connections contained within years of stored data, all with the American people unaware.

The programs quietly expanded into a full-saturation surveillance presence – well beyond the light-footprint approach originally envisioned, and one with unprecedented ultra-tactical reach that could pinpoint individual terrorist needles within the US domestic haystacks. Leaked US Management Directive #424 detailed sophisticated US programs: the PRISM data mining program; the XKeyscore risk-scoring analytical program; the Enterprise Knowledge System suite of relational databases and metadata programs; and the Bluffdale, Utah Mainway mass data storage facility. Additionally, the “Shotgiant” program monitored Chinese global telecom giant Huawei, which boasts services reaching one-third of the globe.

The US programs are not unique. The Communications Security Establishment Canada (CSEC) intercepted and collected domestic communications and generated metadata, having gained ministerial approval in both 2005 and 2011, including from the Ottawa International Airport.[iii] Canadian authorities made nearly 1.2 million requests for telecom customer information, often without court orders.

The UK’s Government Communications Headquarters (GCHQ) ran the Optic Nerve program (2008-2012), which sought to locate suspected terrorists by deploying facial recognition programs against 1.8 million Yahoo webcam chat accounts, unbeknownst to Yahoo or its users. Images were collected at five-minute intervals (rather than as a continuous feed) in an entirely inadequate effort to respect privacy. US Senators Wyden, Udall and Heinrich jointly criticized the “…breathtaking lack of respect for privacy and civil liberties”.[v] An expectation of webcam privacy was evident, with 3-11% of interceptions containing “undesirable nudity”. GCHQ lacked the ability to adequately filter compromising images from (and for) its employees. The data was nonetheless uploaded to the NSA XKeyscore program.

The European Union collects and retains telecommunications metadata for at least 6 months. German law enforcement has engaged in intense cyber surveillance of suspected terrorists, in stark contrast to Germany’s conservative approach to surveillance post-WWII. The s.129(a,b) 2001-2008 “MG 1” investigation that targeted the Militante Gruppe (MG) claimed an alarming ratio of 3:200 original suspects to collateral victims of surveillance. Individuals were geo-located and their movements mapped through silent SMS ping-tracking of their phones (similar to Inmarsat’s ping hand-shake tracking of disappeared Malaysian flight MH370). The investigation was ruled unlawful in its entirety in March 2010 by Germany’s Federal Supreme Court (BGH), yet the data remains in cyber-storage.


Between March 2011 and March 2012, the Mexican Secretaría de la Defensa Nacional (Sedena) made significant purchases under non-disclosure contracts of cyber surveillance equipment, including equipment with audio and optic capabilities. The equipment was destined for use by an elite military group and the military’s intelligence Sección Segunda. It is unclear whether this program assisted in the February 2014 capture by Mexican special forces of most-wanted Mexican cartel leader Joaquín “el Chapo” Guzmán Loera, in Culiacán, Sinaloa, which did involve wiretaps.

The capture of Osama bin Laden and the pinpointing of a previously unknown terrorist on US soil through the NSA programs (identified in the 23 January 2014 Privacy and Civil Liberties Oversight Board (PCLOB) report) were linked to cyber surveillance programs. Just how critical those programs were to locating them is unknown. Bin Laden, like Guzmán, was the subject of a complex, multi-year manhunt. Cyber surveillance in German law enforcement investigations was found to be of limited value by the Fraunhofer Institute.

The international community’s continued inability to locate Malaysian flight 370 and the failure of Western intelligence to detect the recent public meeting of Al-Wuhayshi and some 100 Al Qaeda in the Arabian Peninsula (AQAP) affiliates in Yemen have raised important questions about over-reliance on technology solutions by Western intelligence.

Moreover, threat groups are adapting to intensified cyber surveillance. The Yemen meeting participants are believed to have minimized their cyber communications leading up to the meeting, consistent with Leistert’s interviews of some 50 activists spanning the globe, who indicated that groups are avoiding surveillance by “unplugging” from cyber communications, including removing batteries from devices, a practice believed to be shared by at least some within Huawei. This has resulted in reduced battlespace awareness, and the need for Western intelligence counter-innovation and recalibration. The negative effects of cyber surveillance on free speech and free association are also being felt at home. Former US President Jimmy Carter revealed in March 2014 that he actively avoids surveillance of his communications by using traditional mail service.

Greater oversight of intelligence programs alone is not the solution. US Senate Intelligence Committee Chairman Dianne Feinstein highlighted that the NSA programs are the most overseen within US intelligence. The core problem may be the strategic bifurcation behind these secretive, highly-centralized programs that are ultra-tactically operationalized by personnel operating on the periphery of the strategic vision. Strategic coherence is thereby limited, yet it is critical for methodological, operational, and information security soundness, and ultimately for program success. As with Obamacare, there was a vertical disconnect between the strategic vision and the rising tactical-focused tech stars who rolled out the program. Dispersed access to the centralized metadata will likely increase through liberal Five Eyes sharing, increasing law enforcement demand for cyber and geospatial intelligence, and with President Obama’s call for work-related access, rather than “need to know” or “need to share” access to metadata. Horizontal disconnect is also evident, with incident-focused technology experts leading the effort, and traditional surveillance scholars (who offer lessons learned, best practices, and a contextualized understanding of the societal impacts of surveillance programs) having been largely excluded from the programs. Moreover, achieving public support and private sector buy-in (including from CSOs, CISOs, and the C-Suite), which is critical to the long-run success of the intelligence programs, is becoming increasingly unlikely as details of the programs emerge.

Multiple drivers have produced the grand strategic/ultra-tactical bifurcation of Western intelligence cyber-surveillance efforts. Identifying and understanding these drivers will be instrumental in bridging the Western intelligence strategic gap as it relates to cyber surveillance.

A sense of urgency in protecting the homeland has helped shift the West from intelligence- and defence-led paradigms to a security-led paradigm. The desire to secure everyone and everything, with a no-fail imperative, pushed the strategy toward a grand strategy of domestic full coverage with creeping scope; while the need to establish attribution to specific individuals in order to pre-empt attacks pushed the strategy toward ultra-tacticization through the unprecedented and privacy-eliminating deep profiling of individuals. This increasingly broad and deep operationalization arguably created overstretch within Western intelligence efforts. Overstretch was reflected in the weak legal footing of the programs. The NSA technology-driven light-footprint programs were loosely extrapolated from sec. 215 of the USA PATRIOT Act (originally intended for handover of specific existing business records in relation to specific investigations) to allow for broad and continuous cyber bulk collection in the absence of applicable Supreme Court jurisprudence. Physical safety objectives were allowed to trump privacy rights and civil liberties. The NSA programs are currently being rolled back under Presidential Policy Directive PPD-28.

The over-reliance on a technology solution also drove bifurcation within Western intelligence strategy, at the expense of well-calibrated human intelligence analysis. Human analysis struggled to keep up with the volume and tempo of communications within the cyber landscape. The automation of responses at the ultra-tactical end of the spectrum emerged from the tech-led extrapolation of cyber surveillance to domestic counter-terrorism efforts.

This ultra-tacticization of the programs was accelerated by the blurring of method and mission. Collecting intelligence to support the mission gave way to bulk intelligence collection, storage and analysis programs that became the mission itself. No longer were targets selected based on reasonable suspicion, and then surveilled; rather, society was surveilled, and the targets selected through metadata analysis, a fundamental shift within intelligence. Sustainable intelligence practice over the long run was eclipsed by what was technologically possible in the immediate. State cyber-surveillance programs began to resemble cyber warfare targeting its own people through continuous, intense surveillance in the name of counter-terrorism, with unrestricted activity conducted by personnel without reasonable restrictions, and with civilians being targeted en masse.

Beyond targeting, the technology-led approach also appears to have affected analysis decisions. Assumptions made to wade through the metadata were sometimes questionable, and may signal a Western intelligence capability gap across multiple strategic levels. The MG 1 investigation assumed that if a phone was turned off it indicated the subject was engaging in conspiratorial behaviour. Optic Nerve, in an attempt to prevent the many privacy-compromising photos from being queried, made the assumption that if a certain percentage of an image included skin it was pornography, potentially leading to false positives for criminal activity and the potential for additional meritless investigation and intrusion.

The high cost of HUMINT, analysis, and training in times of austerity has increased the attractiveness of computational analysis for intelligence agencies trying to achieve economies of scale. Technology that could go broad and deep was seen as the best return on investment. With OSINT volunteers (such as Grey Goose, the Cyber Minutemen, Blue Servo, and the Minutemen Civil Defense Corps) having proved controversial and unsustainable, and the private telecommunications sector unwilling to store and query metadata for the intelligence community, governments pursued a technological solution to provide discreet, full coverage of the domestic space, with pinpoint attributional accuracy.[xviii] The cost-value calculation failed to adequately take into account the risks inherent in the strategically bifurcated programs that operated under an assumption of sustained secrecy from the public.

Increased pressure to share information amongst allies on globalized threats has resulted in lowest-common-denominator intelligence sharing. State protections regarding privacy and civil liberties, and legislated restrictions on intelligence collection activities, have been circumvented by metadata sharing amongst partner states, just as rendition programs allowed countries the benefit of torture-derived intelligence while themselves banning the practice. Optic Nerve provided the US with data on US citizens that it could not otherwise have collected. Such peripheral accessing of otherwise prohibited information increasingly distanced the cyber surveillance programs from the strategic light-footprint vision of the programs.

Western intelligence cyber surveillance efforts have arguably gone down a rabbit hole, and evaluation is required beyond the roll-back of existing programs and increased intelligence oversight. 2014 will mark a key year of recalibration for intelligence efforts that have become strategically bifurcated and unsustainable. Strategic coherence and control must be re-established in order to effectively and sustainably protect domestic populations against globalized threats in difficult economic times and within a rapidly changing cyber landscape, while still respecting the rights and trust of Western populations.

Bonnie Butlin will be formally inducted into the International Women in Homeland Security and Emergency Management Hall of Fame in November 2014.
This article was also published in the Summer 2014 edition of The Winston Report.