
Echelon spy system wildly exaggerated – official

Do the bloody maths...


Defcon 08 By wireless...

The infamous Echelon satellite spy system, reportedly operated by the US National Security Agency (NSA), is largely a product of popular imagination and journalistic mythology, a US government official with ties to the intelligence community said during several sessions at Defcon.

"I wish we had something like that which was that good. I mean, it would make my life so much easier, but it just isn't there," the official, who asked not to be identified, told reporters during a press conference. "I don't really expect a lot of people having a great time with these Echelon stories to believe what I tell you, but just go back and do the math."

The Echelon system is said to be capable of intercepting virtually all the world's electronic communications via fax, microwave and e-mail, and automatically filtering out the noise to get at the titbits of interest to the US national security apparatus - a miraculous feat which The Register has questioned on grounds of feasibility many times in the past.

"Get some of those articles that purport to describe the ability of the Echelon system to do marvellous things, and [think through] the engineering work," the official suggested. "Figure out how much processing power it would require, the types of collaboration one would need with people who build telecommunications systems, and the amount of government employees you would need to read all the stuff that gets scooped out. We just haven't got it."

"We're the government," he quipped. "Why would you reasonably expect us to be any more advanced than the private sector?"

Instead of the automated, science-fiction system generally imagined, the NSA and similar agencies rely on the old-fashioned method of developing sources and leads, and targeting them for further observation, he maintained.

"The basic problem is someone giving us a hint to tell us where to look. Since we can't process anywhere near the volume of stuff that people generate, we have to have some clue that tells us to go after a particular place or a particular thing."

Conspiracy paranoiacs will be further disappointed to learn that the US government does not make a habit of targeting electronic communications simply because they happen to be encrypted, the official said, again illustrating his point by appeal to the common-sense argument that there simply is not an unlimited amount of time, money or personnel available.

"There has to be some association that makes us want to [conduct surveillance]. We do not have the resources, time, interest or attention spans to go after everyone who wants to use encryption."

Still, a great number of people believe that the NSA is conducting mass-scale, indiscriminate monitoring of encrypted traffic, and either breaking the code or relying on back doors implanted in commercial crypto products by compliant manufacturers.

The notion that the government either encourages, or as some believe, forces, software companies to put back doors in their encryption applications also fails to make sense, he said.

"If a [software] firm ever got caught doing that, they would flat be out of business. And how often after that would a company want to co-operate with a government that asked them to do it? You don't set them up to where they're going to get wiped out in public... it's just bad business."

During an open session, he was questioned about US military preparations to defend against, and prosecute, information warfare, a capability which popular imagination also believes to be in an advanced state of development.

He indicated that America's cyberwar capabilities are as grossly overestimated as its spying capabilities. "I'm not even sure how we would determine that [an information attack] was happening," he observed.

"The biggest problem that we have in cyberspace is figuring out who's [attacking]. There are no fingerprints, no physical evidence; and if you don't know who did it, then you have a hard time figuring out why it was done. Identification and intent are key elements in international law. If you want to go whack someone, you have to be able to make a plausible, provable case that Enemy X is the one that [attacked] you; and if you can't determine who they are, then you have a real problem."

And malicious hackers should beware, he said, as this uncertainty in identification could one day cause a great deal more harm than intended. "An individual conducting a [network attack] on US soil against a foreign state could conceivably be interpreted as an agent of the US government. And if that's the case, then you have a situation where an individual could cause an international incident."

As for the US military's offensive cyberwar capabilities, there is little real-world data to go on in assessing it. "We did not conduct any successful virus attacks during the Gulf War," the official noted. "We had a target identified that we thought it useful to knock out to support the air campaign. We were prepared to go against it, but in the complexities of that war, we inadvertently removed the access pathway to the target before we were able to attack it."

As for its defensive capabilities, at least some assessment can be inferred from its difficulties in protecting on-line systems from relatively unsophisticated attacks by script kiddies, and the increasing alarm among federal law enforcement agencies which are scrambling to obtain ever-expanding powers of surveillance and to impose ever-harsher penalties for such minor abuse.

The myth of invincibility doesn't stand up long when FBI Director Louis Freeh and Attorney General Janet Reno wring their hands in public, demanding a relaxation of on-line trap and trace laws and a lowering of the standards by which federal involvement in on-line crime is triggered.

Another obstacle to the defence of crucial US assets from cyber attack is the simple fact that many of them are privately owned, the official noted. "The government doesn't own a lot of the stuff that needs to be protected," he said. "We can't just walk in and tell people how to take care of their personal property."

Some private assets with serious public implications, like telecommunications, finance and non-nuclear energy, have co-operative agreements to harden their crucial assets from attack, but the government is in no position to dictate the particulars of how this is to be accomplished.

One can only hope that old-fashioned economic self-interest will inspire them to do a decent job of it. ®

Related stories

What the hell is - the Echelon scandal?
Euro Parliament to investigate Echelon
NSA memos suggest ECHELON exists
Scheme to crash US Echelon net snoop ops hatched
Reno gets her teeth into Carnivore
ACLU seeks Congress' help against FBI's 'Carnivore'
RIP Bill: Full coverage
