Cyberwar (2016) s01e08 Episode Script

America's Elite Hacking Force

BEN: Leaked documents revealed the scope of the NSA's mass surveillance program.
We cannot prevent terrorist attacks or cyber threats without some capability to penetrate digital communications.
Others unmasked a unit called Tailored Access Operations.
I don't need mass surveillance.
I need you to break into that guy's computer.
Their mission is to get the ungettable.
If you want to hack into systems lawfully, the only game in town is the government.
But their targets are secret.
They are very important at actually tracking down people who are then subsequently killed.
And there's almost nothing they can't hack.
The National Security Agency is one of the world's largest intelligence agencies.
Headquartered in Fort Meade, Maryland, the NSA's mandate is to collect foreign intelligence.
After 9/11, George W. Bush authorized the NSA to collect even more, including American communications to and from foreign targets.
(Cameras snapping) Good morning.
This is a highly classified program that is crucial to our national security.
This program shocked an NSA senior executive named Thomas Drake.
Drake is a decorated veteran who blew the whistle on NSA's activities to the press.
He barely escaped 35 years in jail after being charged under the Espionage Act, a law first written in 1917.
- Mr. Drake?
- Hi.
- I'm Ben.
- Nice to meet you.
The National Security Agency is focused on foreign intelligence.
It was formed in 1952.
People don't realize it was not formed by an act of Congress.
It was literally signed into existence by the stroke of a secret presidential pen.
In fact, the joke was it was "No Such Agency" or "Never Say Anything".
You never even referenced the actual name.
People who used to work there, "Oh, I work at DOD."
Now, accelerate forward.
Internet explodes.
You have this rapid transition from analog to digital, and the explosion of data became exponential.
What do you think is the easiest way to deal with it? Just suck it all.
But what happened after 9/11? Was it the NSA should do better? Here's where you have culture in secret meeting itself; realizing it had failed but can't admit it failed.
It had not prevented the next Pearl Harbor.
And now, NSA is literally unleashed.
It's unleashed on an extraordinary scale, a scale we have never seen in US history or the world.
All means necessary to confront the threat.
Who cares about the Constitution? Who cares about law? Who cares about the rights of US persons? Hey, if you've done nothing wrong - I even heard this - then it shouldn't matter.
And the mantra was: just get the data.
Collect it all so we can know it all.
Collect it all so we can know it all.
Drake inspired another NSA worker to sound the alarm.
RADIO: This afternoon, The Guardian newspapers revealed the name of their source.
BEN: In 2013, Edward Snowden leaked tens of thousands of classified NSA documents.
The first to get published was a secret court order forcing Verizon to fork over the call data of millions of US customers.
The next big leak was a PowerPoint presentation about a program called Prism.
The NSA boasted that Prism gave them direct access to emails, video chats and more from some of America's biggest tech companies.
The media was obsessed with Snowden and the leaks, but few people noticed information hidden in the documents about a top secret NSA unit called TAO, or Tailored Access Operations, until the German magazine Der Spiegel revealed more about it than ever before.
Jorg Schindler is the magazine's award-winning national security reporter.
You can call them the highly skilled plumbers of the NSA who are able to get into every sort of pipe.
What they are doing is getting the ungettable.
They're like the special forces of the NSA essentially.
Yeah, a special hacker force.
I mean, the whole NSA is a special force, but those are the highly skilled handymen who create certain kinds of tools to infiltrate, manipulate and sabotage every kind of digital device you might think of.
What's the relationship between Tailored Access Operations by the NSA and their mass surveillance? I mean, to explain it easily, I would say that mass surveillance is like going into the ocean with a huge fishing net and to draw everything out, whatever you find.
And what the Tailored Access Operation units are doing is like using the harpoon to find the special targets and the fishes they really need.
So that might be the difference.
So it's like going hand in hand.
And TAO's pretty good at it.
They're extremely good at it, yes.
(Laughing) The Snowden leaks revealed details about Tailored Access Operations, but a lot is still unknown.
I wanted to talk to someone who knows the NSA from the inside: an Air Force veteran and former NSA exec named John Harbaugh.
- I'm John Harbaugh.
- Nice to meet you, John.
Please, come in.
Let's see this place.
- "root9B".
- Yeah.
(Laughing) Why that name, by the way? So "root" is system level access.
"9B" is hexadecimal for 9/11.
So it's a nod to the fact that the next 9/11 event is most likely gonna be cyber-related.
root9B, which has defense contracts, aims to hunt and pursue adversaries inside a client's network.
This is where we do all of our Hunt Operations, what we call it for our clients.
So what this is showing you is what the operator sees while they're doing their op, right? So there'll be windows of time where they're actually active inside the client's network pursuing the adversary.
And this was really driven by our experiences in the government space.
Does it look like this in Fort Meade? This is better.
(Laughing) In your bio, it says something like you were the director of a super elite cyber operation unit.
So basically what that's about is what we've tried to recreate here.
So my time inside the organization, I had the pleasure and the fortune to be asked to run a team of about 8 individuals, and that team was focused on the most challenging problems in cyber.
Was that Tailored Access Operations? So you know, there is elements of that space, right? 'Cause if you're in cyber and you do all of cyber, then you're doing all of those types of things.
And so the bosses could come in and say, "We have a significant national event.
I need you guys to be able to do this in the next 12 hours."
I could walk into that space and say, "Hey guys, I need 5 minutes."
I would give them what we would call the op order.
"This is what we need to achieve, we need to achieve it in the next 12, 24, 48 hours," and I could walk away.
And I knew when I came back, no matter what time of day, how long they were working on it, they would get it done.
And it was that kind of... Again, it was that kind of...
Teamwork?
...teamwork that really drew people.
And it's a very similar thing to the Special Ops community.
It does sound like a military chain of command.
Yeah, I mean, NSA is a very military organization.
To build a team like TAO, the NSA has to hire highly skilled hackers.
So how does it head hunt them? To find out, I ask Chris Soghoian.
He's a privacy activist with the American Civil Liberties Union.
Who are they, and where's the NSA recruiting them from? The government wants people who can get us security clearance, more so than ever.
Particularly after Snowden and after Chelsea Manning, they want people who they know are gonna play by the rules.
They want people who cannot be easily blackmailed.
So I think NSA tries to recruit the best and brightest from computer science programs around the country, and in particular computer security programs.
like Carnegie Mellon, that have probably the most sophisticated offensive cybersecurity programs in academia in the United States, and their students are heavily recruited both by NSA, but also by Silicon Valley.
They're competing for the same people? So they're competing for the same people, and the problem that NSA has is they can't pay the same kind of money, right? They're not gonna be able to offer the smoothies and massages and sort of perks of life that Google and Facebook can.
But they have something that those companies don't.
What they have is a monopoly on violence, right? In the same way that if you wanna like rappel out of helicopters and shoot people in the head, you go join the Special Forces.
If you wanna hack into systems lawfully, the only game in town is the government.
In many other walks of life, you would be you would be a criminal, you would be a stalker, you'd be a bad person.
But when you go to NSA, suddenly you get to wrap yourself in the flag and do it for king and country.
If TAO can legally do things no one else can, who are they hacking, and why?
BEN: Not much is known about who Tailored Access Operations hacks, but the Snowden Leaks revealed one major target: Osama bin Laden.
TAO hacked into the mobile phones of Al Qaeda operatives in the hunt for bin Laden, as reported by The Washington Post.
The unit's work also led to the capture of 40 insurgents in Afghanistan.
Ryan Gallagher is an investigative reporter at The Intercept, where he has covered the role of surveillance in the ongoing war on terror.
How did TAO and how does TAO fit into the War on Terror? Well, they're very important.
I mean, people don't necessarily think of surveillance even as a thing being integral to what the military is doing on the ground, but it is.
It's absolutely vital.
What the Tailored Access guys are doing for instance is, because they're so skilled at actually breaking into systems and going after what they would refer to as hard targets, people who are elusive or skilled at dodging surveillance, they are very important at actually tracking down people who are then subsequently killed or captured, in past years probably rendered in through the Black Sites program that was going on through the Bush Administration.
So they're very entwined with these physical, kind of kinetic, they call it, operations on the ground.
So are they basically the commandos of the NSA? You could put it like that, yeah.
I mean, it's maybe sort of glorifying them a little bit.
But I mean, essentially these guys are just like geeky nerds, but they do kind of do that sort of commando-type role.
They're facilitating military operations on the ground by hacking into targets.
They are actually directly able to track people who are then killed in say a drone strike.
So what they do, yeah, it is kind of commando work, but they are also providing assistance on the ground to real commando types who are out there trying to kill people.
In the hunt for bin Laden, TAO reportedly used what the unit calls "implants", spy devices installed in mobile phones or other hardware.
Implants are just some of the tools that appear in a leaked document called the ANT Catalog, which lists other spy gear at TAO's disposal.
Security researchers Michael Ossmann, Joe FitzPatrick and Dean Pierce decided to build some of these spy tools themselves.
The media kinda saw it and reported on bits and pieces of it and said, "Oh, look at this thing! This is magic!" And I think all of us looked at it and said, "Oh, yeah, I know how to do that.
Yeah, I know how to do that."
Joe recreated a graphics card that can see what's running on a computer's active memory, and Dean rigged a phone so it picks up the mobile traffic in the area.
Mike reproduced Ragemaster, a tiny chip implanted in a computer video cable to reflect information via radar.
When this is installed, I can point one antenna at it, and that's transmitting a signal.
And then my other antenna's also pointed at it, and it's receiving a reflection.
By measuring that reflection, I can, on my laptop, recover information that's going over the cable.
And what I get is a video image, a screen image from the target computer system.
And this is an example of something where an implant is required.
Getting an implant into a piece of hardware, like a video cable, requires physical access.
But planting bugs into terrorists' cell phones isn't the only thing TAO does.
Some of their activity has jeopardized internet security at large.
One Snowden leak shows how TAO found a vulnerability - a software bug - in Mozilla Firefox.
TAO used the bug to try to identify some users also running an anonymizing software called Tor.
Not only did TAO need to be able to monitor and hijack internet traffic to pull off its attack, but hundreds of millions of Firefox users were left vulnerable to the software bug, which has since been patched.
- Claudio.
- Hey, man.
Hacker Claudio Guarnieri has helped expose TAO's activities.
I met him in an old Stasi surveillance tower that still stands in what used to be Soviet-controlled East Berlin.
A lot of the mass surveillance and bulk collection capability of the NSA is empowered by some of the break-ins that TAO is able to do.
For example, they would ask TAO to break into some core parts of the internet infrastructure, of the whole global backbone.
You know, from an internet structure perspective, when you connect from Germany to Google, you move through a number of hubs, 10, 15 nodes that relay your message from Berlin to, you know, Hamburg and Frankfurt, and then to who knows, Netherlands, wherever the cables are.
If the NSA is able to break into any one of these points, then they're able to see you communicating with Google.
When they're able to observe that, they're also able to hijack it.
So pretend like you're getting a response from Google, while instead you're getting a response from the NSA.
None of this comes cheap.
Claudio and I went inside to look through a Snowden leak known as the Black Budget.
The NSA spends more than $600 million a year for just the kind of offensive hacks TAO conducts.
Yeah, this is what it's being called the Black Budget.
And the trend that we see is that again, the balance between how much is invested in breaking things and how much is invested in protecting things is uneven.
You know, part of the mandate of intelligence services is to keep the country secure.
At the same time, from a technological perspective, they're undermining the security of the country.
And like you said, we all use the exact same internet.
Once it's broken for one, it's broken for all.
So the question is: is it worth it to break something and keep it broken for catching one or two terrorists that you probably could catch otherwise? Breaking into the internet or hacking into phones might make us all less secure.
So is TAO's hacking really all that targeted?
BEN: To find out more about who TAO targets, I met up with Robert M.
He'd been out of the military for only a week.
He was an Air Force cyber officer and also worked for an intelligence agency; he can't confirm or deny that's the NSA.
- Prost.
- Cheers.
(Chattering) How did you get into being a hacker? So, the Air Force has a wonderful program where it volunteers you to do shit.
And I joined the Air Force, said, "Here I am, Lord.
What would you like me to do?" And they said, "Go be a cyber guy."
So if you were to take Snowden's slides completely seriously, you'd think that it's all mass surveillance.
I actually for the first time ended up seeing slides that I had actually seen before in real life.
I was like holy shit, like I've seen these ones! But once you bring something into the intelligence community, you don't delete files, like everything is stored.
And so there were some files that like get translated out, like their truth, and they were just remnants of product pitches or something like that.
And so I think that you can't take all the slides seriously.
We also know that there is something called TAO in the NSA.
What is that team? Like what are they doing? Yeah, so I think when you look at TAO, that's actually the thing that I think most of the community should be cool with, right? So I'm actually a huge privacy advocate.
And ironically enough, I hate the idea of any sort of mass surveillance.
From a perspective of TAO or whoever would be breaking into those networks, that's targeted, retained intelligence.
And so privacy activists should actually enjoy that.
They should say, "Hey, mass surveillance sucks.
We need more targeted surveillance, we need more..." If you're gonna do intelligence, do the kind that you put resources into and have to think about, and have to prioritize your own efforts so it's not gonna be some dissident or accidentally picking up somebody else's communications.
So who are TAO's targets? I don't know exactly their targets, right? And I wouldn't be able to speak on it anyway, but I would say that it would be asinine to assume that anything in our national policy of interest isn't one of their targets, right? So if we say if the president says global terrorism is something we're concerned with, well, then TAO's not doing their job, like the government's not doing their job if they don't go after it.
Anything that the president wakes up in the morning and says, "Hey, this is important to me," anybody in the government who's not supporting his needs is not doing their job.
So I would, just off virtue of that, say that TAO has to be doing that stuff, or they're incompetent and they're wasting taxpayer money.
So you can't have it both ways.
Rob made a pretty convincing case for the so-called targeted surveillance TAO conducts, but investigative reporter Ryan Gallagher disagrees.
He says the problem is that unit's methods aren't as targeted as they seem.
TAO is doing some of the most aggressive work that NSA does.
The traditional eavesdropping where they're listening in on a phone call just by like wiretapping a cable, which they call kind of passive surveillance, that's actually becoming almost secondary now to the active surveillance they call it, which is attacking and hacking systems.
And part of the reason for that is because, increasingly, networks and technologies are adopting encryption, and so they can't listen to it by just tapping the queue because then you can't read it or listen to it.
It's just, you know, jargon.
Going forward, especially with this sort of boom in encryption, you're gonna see more and more of these hacking attacks to the point that there may come a stage in the future where it's described as a mass surveillance kind of technique.
TAO's hacking skills may be in higher demand than ever before.
And while the group goes after terrorists, that's not all they do.
BEN: How does TAO decide who to target? And are they really legitimate threats? The elite unit has gone after al-Qaeda and Taliban fighters, but the Snowden leaks also revealed the group hacked into the president of Mexico's emails.
And workers at a Belgian telecommunications company were spied on by the British, possibly with help from TAO.
Generally there is a consensus that mass surveillance is a bad thing, while targeted surveillance is tolerable because they go after very specific individuals or very specific groups.
However, there is multiple things that you need to consider.
One is: what makes a legitimate target? You know, ultimately the NSA only has to respond to somehow to the US government.
But they have no respect whatsoever towards foreigners.
And so we have cases where they spied on UNICEF, they spied on foreign ministries, they spied on private companies, energy companies, you know.
So what, at that point, makes it legitimate to hack directly and target a certain organization? We don't know.
One of the Snowden documents that came out about the Tailored Access group is one of the guys from within the unit is saying, "Look, we don't just do terrorism, we do everything.
We do all operations, we're here to support any operations."
I think it's one of the common misconceptions that the government has managed to build up around a lot of these revelations.
So it's like, "Don't worry about it, we're only going after these extreme terrorists, people who are, you know... We're just trying to protect you," and all that.
But that's kind of disingenuous because that's not at all just what they're doing.
They're doing a lot more than that.
Ultimately, it seems TAO may be just one more tool in the NSA's mass surveillance arsenal.
What happens in a mass surveillance regime, you sweep up essentially everybody.
Everybody by definition becomes a target, which means there's no target.
The problem is that when you do this in secret and you protect your secret powers, this usually doesn't end well in terms of history.
It just doesn't.
You know, in 1984, the extraordinary George Orwell novel, the only place Winston... the only place he could go to, out of sight, was in the corner, because that's where the surveillance cameras couldn't reach.
Which meant what? They knew where he was.
And remember, people forget even in 1984, he didn't prevail.
He basically cried uncle.
If you can't fight them, you can't beat them, join them.
So you're a whistleblower, you cried uncle to some extent, or you cried out.
Do you think it was worth it? Yeah.
History was at stake.
We know the NSA's elite hacking unit has helped capture terrorists, but they've also targeted friendly nation states.
So who else have they gone after? For now, much of TAO's work remains shrouded in secrecy.
But privacy activists, whistleblowers and others aren't giving up on the fight to know more, and to live surveillance free.