The National Security Agency is tapping into the global data centers maintained by Yahoo and Google, according to new documents revealed today detailing a global intelligence gathering operation that bypasses U.S. oversight authority to gain unfettered access to secure Internet communications.
The Washington Post reported Wednesday that the NSA, working with its British counterpart, the Government Communications Headquarters (GCHQ), has the ability to access data from hundreds of millions of accounts, including communication encrypted by Google. According to a top secret accounting dated Jan. 9, 2013, and obtained by the Post, field collectors had processed more than 181 million new records during a 30-day period, ranging from the sender and receiver of emails to text, audio and video files.
The surveillance project is called Muscular, according to the Post, and includes undisclosed interception points where the data flows between the Yahoo and Google data centers. Those data centers are located on four continents. The Post cited documents it said it obtained from NSA contractor Edward Snowden and interviews with "knowledgeable officials."
NSA surveillance activities surfaced following reports by The Washington Post and the Guardian newspaper about the agency's Prism data collection program. The program has put pressure on U.S. technology firms to increase transparency about the data they are required to disclose as a result of government requests under the program. Other leaked documents detailed a widely implemented encryption algorithm that potentially gave the NSA backdoor access capabilities. Another leak brought to light a collaborative effort between Microsoft and the government to potentially enable backdoor access into software to view customer data.
A Yahoo spokesperson issued a statement to CRN about the latest disclosure, denying knowledge of the Muscular project. "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency," the spokesperson said in an email.
In a Google statement released to CRN, David Drummond, Google's chief legal officer, said the company has deployed encryption because it has long been concerned about the possibility of this kind of snooping.
"We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform," Drummond said in an email. "We do not provide any government, including the U.S. government, with access to our systems."
Security experts told CRN they fear the apparent extent of the NSA's broad surveillance activities could have a negative impact on U.S. technology providers. The Muscular project is different from the Prism program because the agencies are using taps outside U.S. territory where the Foreign Intelligence Surveillance Court has no jurisdiction. In the U.S., the NSA gains access to user accounts through the FISC.
"Google and Yahoo will take a hit in the court of public opinion, despite their insistence that the data collection occurred without their knowledge," said Michael Sutton, vice president of research at cloud security vendor Zscaler. "The scope of the Muscular project and the fact that it blatantly leverages loopholes in the legal system is particularly concerning."
Zscaler's Sutton said the blame for the extent of the surveillance should not be placed on the NSA, which is executing on its mission, but on lawmakers who approved a poorly implemented system of oversight.
"Blame for programs such as PRISM and MUSCULAR rests squarely with the politicians that have implemented a system riddled with loopholes and such loose oversight that the rules are meaningless," he said in an email.
Stronger encryption protocols need to be adopted at every level on the Internet, said Pravin Kothari, founder and CEO of CipherCloud. Kothari told CRN via email that fallout from the Muscular project and Prism program has a cumulative effect on U.S. cloud providers as they attempt to bolster trust with customers globally.
"On the topic of SSL decryption, cryptographers have for years warned that 1024-bit SSL encryption, in use by much of the Internet, can be broken and have advocated moving to 3072-bits or higher, which currently is projected to be secure until at least 2030," Kothari told CRN via email.
Other technology providers that offer cloud-based services are making moves in an attempt to bolster trust and security in the wake of the NSA revelations. Two secure email providers that shut down their encrypted email services in the face of not being able to protect customers from government intrusion announced plans to collaborate on a new end-to-end encryption protocol and architecture.
"What we call 'Email 3.0' is an urgent replacement for today's decades-old email protocols ('1.0') and mail that is encrypted but still relies on vulnerable protocols leaking metadata ('2.0')," the two firms said today in an announcement of the Dark Mail Alliance partnership. "Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind."
PUBLISHED OCT. 30, 2013