NSA’s “MUSCULAR” Secretly Breaks Into The Cloud Of US Tech Companies, Siphons Off Data, Fouls Up Revenues Overseas

Edward Snowden’s revelations have added a new dimension, deeper and more disturbing still, to the perfect, seamless, borderless surveillance society: under a program with the evocative moniker, MUSCULAR, the NSA and its British counterpart, the GCHQ, have secretly targeted American companies, managed to get around their security measures, broken into their “clouds,” and syphoned out user data on a large scale.

That would be illegal in the US.

But the cloud is a worldwide phenomenon. It’s a beacon of growth for American tech companies. Facebook, Amazon (its AWS hosts a number of big cloud-based websites, such as Netflix), Microsoft, IBM, Google, Yahoo… just about all tech companies, online retailers, social media companies, financial firms, app makers, every company with online products, they’re all making money in the cloud. Even Obamacare is in the cloud. You log into a website to access software and your own data – that’s the cloud. In terms of hardware, it’s data centers and fiber-optic links. Thousands of them. Everywhere.

The cloud is where the NSA goes to pick through everyone’s data. Under the PRISM program, revealed by Snowden some time ago, the NSA has enjoyed easy access to user accounts and their data. Companies cooperate. It’s permitted under the Foreign Intelligence Surveillance Act and overseen by the Foreign Intelligence Surveillance Court. We just didn’t know about it.

MUSCULAR is darker. It secretly targets American companies. Google and Yahoo have been named in top-secret documents that Snowden had pilfered and that landed at the Washington Post. To get around legality issues in the US, the NSA broke into Google’s and Yahoo’s overseas data centers. If you have anything in the cloud – and you do, whether you want to or not – it’s stored in numerous locations, including overseas.

In March last year, when David Petraeus was still CIA Director, before emails, ironically, about an extramarital affair unraveled his career, he spoke at the In-Q-Tel CEO Summit. He was accompanied by NSA specialists. He raved about how startups that had been funded by In-Q-Tel – the CIA’s venture capital branch – were “providing enormous support to us as we execute various critical intelligence missions.” He talked about “innovative technologies developed by the firms represented in this room.”

It was just a speech, and no one really paid attention. But he was disclosing the true nature of our perfect surveillance society, on the eve of the Snowden revelations.

“We have to rethink our notions of identity and secrecy. In the digital world, data is everywhere,” he said. “Data is created constantly, often unknowingly and without permission” – emphasis mine. “Every byte left behind reveals information about location, habits, and, by extrapolation, intent, and probable behavior.” The data “that can be collected is virtually limitless,” he said, which presented “enormous intelligence opportunities.” And in closing he thanked the executives and tech gurus for “helping to keep America’s Intelligence Community at the forefront of global innovation.”

So far, the Snowden revelations have shown exactly that: an intense, hand-in-glove cooperation between the Intelligence Community and American tech companies, from scrappy startups to corporate mastodons, at every level, whether adding backdoors to Windows operating systems or compromising the keys to encryption.

But the revelations about the MUSCULAR program show that, in parallel, the NSA also worked against these tech companies – Google and Yahoo so far, but more documents are likely to trickle out, as they have done in the past, like Chinese water torture, to reveal that other American companies got hit as well.

“According to a top secret accounting dated Jan. 9, 2013,” the NSA had in the preceding 30 days syphoned off from undisclosed interception points at Google’s and Yahoo’s clouds “181,280,466 new records” – metadata, text, audio, video, anything, from Americans and foreigners alike – and sent them back to its own data center at its Fort Meade headquarters.

The NSA and GCHQ aren’t even targeting anyone. They’re just grabbing massive data streams between data centers. A worldwide dragnet.

Google already warned in early September that it was furiously trying to encrypt the stream of data between its data centers to keep the NSA and other intelligence agencies out of them. “It’s an arms race,” explained Google VP for security engineering, Eric Grosse, at the time. “We see these government agencies as among the most skilled players in this game.”

Even encryption won’t protect the data against the NSA’s all-out efforts to defeat encryption. But it will make it more difficult. As Christopher Soghoian, a computer security expert at the ACLU, put it: “If the NSA wants to get into your system, they are going to get in.” The only hope was that the encryption would make, as he said, “dragnet surveillance impossible.”

The MUSCULAR revelations were met with total stonewalling from the government. A spokeswoman at Yahoo said: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.” Google was “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.” The company has “long been concerned about the possibility of this kind of snooping.”

How was the NSA able to exploit cracks in the networks? The Washington Post has some titillating tidbits:

“For the MUSCULAR project, the GCHQ directs all intake into a ‘buffer’ that can hold three to five days of traffic before recycling storage space. From the buffer, custom-built NSA tools unpack and decode the special data formats that the two companies use inside their clouds. Then the data are sent through a series of filters to ‘select’ information the NSA wants and ‘defeat’ what it does not.”

We don’t know yet how many more companies were hit, or how many more of these programs are out there. We do know, however, given the revelations of the past six months, that just when we thought it couldn’t get worse, it gets much worse.

Corporate America has hugely benefited from the cooperation with the NSA, whose relentlessly growing budget makes it the perfect customer. And they have benefited from their cooperation with other intelligence and law enforcement agencies. But these revelations have thrown dark shadows on the entire cloud and have made foreign companies and governments leery of buying Big Data software, services, or hardware from American companies. And MUSCULAR, too, will worm its way perniciously into revenues and profits of our already revenue-challenged tech heroes.
