Feeds

Echelon spy system wildly exaggerated – official

Do the bloody maths...

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Defcon 08 By wireless...

The infamous Echelon satellite spy system, reportedly operated by the US National Security Agency (NSA), is largely a product of popular imagination and journalistic mythology, a US government official with ties to the intelligence community said during several sessions at Defcon.

"I wish we had something like that which was that good. I mean, it would make my life so much easier, but it just isn't there," the official, who asked not to be identified, told reporters during a press conference. "I don't really expect a lot of people having a great time with these Echelon stories to believe what I tell you, but just go back and do the math."

The Echelon system is said to be capable of intercepting virtually all the world's electronic communications via fax, microwave and e-mail, and automatically filtering out the noise to get at the titbits of interest to the US national security apparatus - a miraculous feat which The Register has questioned on grounds of feasibility many times in the past.

"Get some of those articles that purport to describe the ability of the Echelon system to do marvellous things, and [think through] the engineering work," the official suggested. "Figure out how much processing power it would require, the types of collaboration one would need with people who build telecommunications systems, and the amount of government employees you would need to read all the stuff that gets scooped out. We just haven't got it."

"We're the government," he quipped. "Why would you reasonably expect us to be any more advanced than the private sector?"

Instead of the automated, science-fiction system generally imagined, the NSA and similar agencies rely on the old-fashioned method of developing sources and leads, and targeting them for further observation, he maintained.

"The basic problem is someone giving us a hint to tell us where to look. Since we can't process anywhere near the volume of stuff that people generate, we have to have some clue that tells us to go after a particular place or a particular thing."

Conspiracy paranoiacs will be further disappointed to learn that the US government does not make a habit of targeting electronic communications simply because they happen to be encrypted, the official said, again illustrating his point by appeal to the common-sense argument that there simply is not an unlimited amount of time, money or personnel available.

"There has to be some association that makes us want to [conduct surveillance]. We do not have the resources, time, interest or attention spans to go after everyone who wants to use encryption."

Still, a great number of people believe that the NSA is conducting mass-scale, indiscriminate monitoring of encrypted traffic, and either breaking the code or relying on back doors implanted in commercial crypto products by compliant manufacturers.

The notion that the government either encourages, or as some believe, forces, software companies to put back doors in their encryption applications also fails to make sense, he said.

"If a [software] firm ever got caught doing that, they would flat be out of business. And how often after that would a company want to co-operate with a government that asked them to do it? You don't set them up to where they're going to get wiped out in public... it's just bad business."

During an open session, he was questioned about US military preparations to defend against, and prosecute, information warfare, a capability which popular imagination also believes to be in an advanced state of development.

He indicated that America's cyberwar capabilities are as grossly overestimated as its spying capabilities. "I'm not even sure how we would determine that [an information attack] was happening," he observed.

"The biggest problem that we have in cyberspace is figuring out who's [attacking]. There are no fingerprints, no physical evidence; and if you don't know who did it, then you have a hard time figuring out why it was done. Identification and intent are key elements in international law. If you want to go whack someone, you have to be able to make a plausible, provable case that Enemy X is the one that [attacked] you; and if you can't determine who they are, then you have a real problem."

And malicious hackers should beware, he said, as this uncertainty in identification could one day cause a great deal more harm than intended. "An individual conducting a [network attack] on US soil against a foreign state could conceivably be interpreted as an agent of the US government. And if that's the case, then you have a situation where an individual could cause an international incident."

As for the US military's offensive cyberwar capabilities, there is little real-world data to go on in assessing it. "We did not conduct any successful virus attacks during the Gulf War," the official noted. "We had a target identified that we thought it useful to knock out to support the air campaign. We were prepared to go against it, but in the complexities of that war, we inadvertently removed the access pathway to the target before we were able to attack it."

As for its defensive capabilities, at least some assessment can be inferred from its difficulties in protecting on-line systems from relatively unsophisticated attacks by script kiddies, and the increasing alarm among federal law enforcement agencies which are scrambling to obtain ever-expanding powers of surveillance and to impose ever-harsher penalties for such minor abuse.

The myth of invincibility doesn't stand up long when FBI Director Louis Freeh and Attorney General Janet Reno wring their hands in public, demanding a relaxation of on-line trap and trace laws and a lowering of the standards by which federal involvement in on-line crime is triggered.

Another obstacle to the defence of crucial US assets from cyber attack is the simple fact that many of them are privately owned, the official noted. "The government doesn't own a lot of the stuff that needs to be protected," he said. "We can't just walk in and tell people how to take care of their personal property."

Some private assets with serious public implications, like telecommunications, finance and non-nuclear energy, have co-operative agreements to harden their crucial assets from attack, but the government is in no position to dictate the particulars of how this is to be accomplished.

One can only hope that old-fashioned economic self-interest will inspire them to do a decent job of it. ®

Related stories

What the hell is - the Echelon scandal?
Euro Parliament to investigate Echelon
NSA memos suggest ECHELON exists
Scheme to crash US Echelon net snoop ops hatched
Reno gets her teeth into Carnivore
ACLU seeks Congress' help against FBI's 'Carnivore'
RIP Bill: Full coverage

Providing a secure and efficient Helpdesk

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
DVLA website GOES TITSUP on day paper car tax discs retire
Welcome to GOV.UK - digital by de ... FAULT
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.