Mind the Gap: How the NSA might use SolarWinds campaign to do warrantless spying
Officials have said the SolarWinds hacking campaign succeeded in part because of a gap in NSA surveillance power. But what exactly is the gap and how might the gov use it to gain domestic spy power?
The nearly year-long SolarWinds/Sunburst hacking campaign that targeted government and private-sector computers succeeded because the adversaries used U.S.-based servers to conduct their operation.
At least that’s the assertion numerous intelligence officials and federal lawmakers have made in recent weeks.
They’ve said the hackers leased servers owned by Amazon Web Services to bypass National Security Agency surveillance, because the spy agency is prohibited from monitoring domestic systems and networks unless they belong to the military.
Referring to this as an intelligence “blind spot,” a "domestic visibility" issue, and an authorities “gap,” officials appear to be setting the stage to seek new powers for the NSA or another agency to conduct domestic surveillance, even though a senior administration official told reporters during a press call last month that the White House has no current plan — “not yet, not now” — to seek additional surveillance authority “for any government agencies.”
Instead, the White House is focused on improving information-sharing between the government and private sector — which “does have visibility” into private networks — and address liability concerns businesses have about sharing information with the government when cyberattacks or suspicious activity occurs on their networks and systems.
“We first want to … try to fix the issues preventing effective information sharing that we believe can get at that issue, while still fully protecting the civil liberties and privacy of Americans,” a senior administration official, who spoke on background, said on the call. “There’s less concerns of civil liberty and privacy when it’s private sector [collecting the information] versus government."
This suggests the White House isn’t abandoning the idea of seeking additional monitoring powers altogether, it’s just not on the agenda now.
But in the meantime, public discussion about the “gap” has continued.
It was raised during hearings last month with the heads of Microsoft and FireEye. And during another hearing last week, five lawmakers on the Senate Armed Services Committee asked Gen. Paul Nakasone, director of the NSA and commander of US Cyber Command, what additional authorities the NSA needs to fix the surveillance gap. Sen. Kirsten Gillibrand (D-NY) told Nakasone: “I would like to work with the committee on getting you those authorities.”
An NSA official, responding to questions for this article, underscored in an email to me that “General Nakasone did not ask nor advocate for additional authorities for U.S. Cyber Command or NSA during his testimony.”
“Any additional discussions on new authorities, policies, responsibilities, or laws fall within the purview of policymakers,” the official wrote.
Officials discussing the gap have been vague about what it is, describing it only as an inability for the government to see inside private-sector systems.
But a few details emerged last week that provide better insight into what the gap is, and what — aside from better information-sharing — officials might propose to fix it.
What Is the Surveillance Gap?
Speaking virtually at the Cipher Brief Cybersecurity Summit last Wednesday, former NSA General Counsel Glenn Gerstell, who is currently a senior adviser at the Center for Strategic and International Studies, said the issue is about surveillance search warrants and an inability to get them approved quickly.
In the past, when the NSA tracked suspicious internet traffic from a foreign malign actor to a U.S.-based computer or IP address, it couldn’t get access to that U.S. system or monitor the domestic traffic going to and from it to determine if it’s being used to launch cyberattacks against other U.S. systems.
Once the foreign traffic reached U.S. networks, “that was the end of the NSA’s responsibility,” Gerstell said. “It was then a domestic matter that had to be turned over either to the FBI … or to [DHS’s Cybersecurity and Infrastructure Security Agency] to address.” But “the FBI can’t possibly get a search warrant quickly enough to go track that foreign cyber activity.”
Russia, China, and Iran know about this gap, and strategically use U.S. infrastructure “that we do not have the ability to continuously see,” said Gerstell.
The use of U.S. infrastructure in hacking campaigns is not new or unique to the SolarWinds/Sunburst campaign. Nation-state hackers and cybercriminals have long used U.S.-based computers and servers as proxies through which to route attacks or siphon stolen data. In some cases the hackers rent servers in U.S. data centers for their operations, using stolen credit card numbers and IDs to do this. Other times, they simply hijack servers belonging to other data center customers.
In the SolarWinds/Sunburst campaign, the actors leased U.S.-based AWS servers to use as their command-and-control infrastructure to communicate with victim systems that were infected with their malware and steal data from them in a way that was less likely to be detected. Data passing between two U.S.-based systems is less suspicious than data passing out of a U.S. system and going directly to one in China or Russia.
Gerstell and others have seized on this to argue for more domestic surveillance to uncover these U.S. command centers.
The day after Gerstell’s talk, Nakasone expressed similar statements during the Senate hearing.
“Our adversaries understand that they can come into the United States and rapidly utilize [a server belonging to] an Internet service provider,” and erase their tracks from that system “before a warrant can be issued, before we can actually have surveillance by a civilian authority here in the United States.”
This suggests the gap is less about not being able to see into U.S. private-sector systems at all, but about the FBI — which has authority to conduct this kind of domestic surveillance for the NSA — not being able to get a warrant quickly enough to do so.
In order to get access to a U.S. system in a foreign intelligence investigation, an FBI field agent has to get his or her sworn affidavit and warrant application approved by a supervisor and FBI lawyers before submitting it to the Foreign Intelligence Surveillance Court for additional review and approval. By that time, the hackers may have moved on to another system and cleaned their tracks from the one the NSA and FBI want to investigate, Gerstell told me during a follow-up discussion this week.
But experts criticize this characterization since the Foreign Intelligence Surveillance Act lets the FBI conduct domestic electronic surveillance without a warrant for up to seven days in emergency circumstances. The surveillance can include both content and traffic metadata. The bureau does have to apply for a warrant before the seven days are up, or stop the monitoring at the end of that time period. But the seven days should be sufficient to determine if a system is being used to conduct cyberattacks.
FISA’s Emergency Surveillance Option
“There are all these existing legal authorities that permit surveillance, for foreign intelligence purposes or national security purposes, inside the U.S.,” said Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union and author of the book American Spies. “And there’s also the almost unregulated surveillance that the government is capable of doing outside the U.S. So … the idea that more surveillance … fixes the problem, as opposed to better surveillance, is just misplaced.”
Sen. Ron Wyden (D-Oregon) is also doubtful that the NSA needs authority to peer into these U.S. systems.
“It’s … unclear why the FBI’s existing emergency surveillance authorities aren’t adequate and why it’s somehow necessary to unravel a decades-old consensus that the NSA should stick to its foreign mission,” he said.
A FISA Court expert told me, however, that Gerstell and Nakasone are correct in one aspect — the warrant process can be time-consuming.
“It is absolutely true that everything at the FISA Court proceeds fairly slowly,” said the expert, who asked to remain anonymous so that he could speak freely about the Court. Applications have to be reviewed by legal advisors after they’re submitted to the FISA Court, and sometimes the Court sends them back to the FBI for revision if the surveillance request is too broad.
“When people say the FISA court is a rubber stamp, it’s not,” the source said. “We want the process to be deliberate and careful…. and we have slowed the process down, through reforms, over time. But they do have the emergency provision [they can use]. So they shouldn’t be able to say they can’t do [surveillance]. They just have to get the right people to sign off.”
Gerstell, however, said he’s not aware of the emergency FISA provision ever being used for cybersecurity investigations of this nature, because it requires probable cause that the target of the surveillance is a foreign power or agent of a foreign power, and this can’t always be determined prior to getting access to the U.S. system being investigated.
“While it is true that we could use that [emergency power] … if we had probable cause to believe that [a U.S.] server was [leased] by the North Korean government. But you vary rarely have that. You may not know who owns the server,” he told me.
He describes a hypothetical scenario in which the NSA observes large amounts of data passing from a U.S. computer to one in Europe, and also sees large amounts of data going from that European computer to a computer in St. Petersburg, Russia. The NSA doesn’t have enough information to know if the data is intelligence stolen from U.S. computers by a foreign power or the agent of a foreign power. It may only suspect that this is the case.
If the NSA or FBI could quickly examine that U.S. machine, they could determine “within hours” that the machine is a vector for malicious activity by a foreign power. "And that would be a big improvement over what is now a several-days process,” Gerstell said. “It will make things more difficult for the adversary. It will slow them down, it will prevent the spread of [their malware], and maybe a few of them will be caught in the act.”
All of this suggests, however, that the gap is not just about the FBI not being able to see inside U.S. systems quickly enough, but about the bureau not being able to get inside U.S. systems when there is not probable cause to determine that a foreign power or agent of that power is using the system for cyberattacks.
Gerstell argues that there are “tons” of situations where warrantless monitoring is permitted under certain conditions and with specific protections to avoid abuse. In the scenario he’s describing, the FBI or NSA could only look at “that particular [U.S] IP address. We're not going to scoop up innocent parties in it,” he told the Cipher Brief audience.
There would be other safeguards to prevent abuse: monitoring could be limited to 72 hours, data collected would have to be purged after a specified time and it could only be used to determine if the U.S. system is being used by foreign adversaries for cyberattacks.
“It shouldn’t be trolled through for evidence of a crime [or] for other surveillance purposes,” Gerstell said.
It also doesn’t need to be done by the NSA but could be done by DHS, a fusion center or the FBI instead — with the Privacy and Civil Liberties Oversight Board evaluating the effectiveness of the activity and monitoring it for abuse.
But the FISA Court expert told me Gerstell’s proposal is simply an attempt to bypass the probable-cause safeguard in FISA’s emergency provision.
“What we’re talking about is not something FISA law would allow for a good reason,” he told me. “We don’t know who the actor is, and we don’t know what they’re doing, but we monitor [U.S.] systems to see what they’re up to. That’s not what the system is set up for.”
U.S. lawmakers could, of course, just change the law to drop the probable-cause requirement and allow either the NSA or FBI to examine systems in this scenario.
“We could decide that cyber threats are so significant that we believe the NSA should operate domestically [in this manner],” he said.
NSA Domestic Surveillance Won’t Work
But Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator and former co-founder and CTO of the security firm CrowdStrike, told me there are other reasons to reject Gerstell’s proposal.
“What if [the U.S. system] is not a command-and-control server? What if it’s Biden campaign infrastructure, and suddenly you’re monitoring a presidential campaign [computer]? You don’t want to be in that business,” he said.
If the goal is simply to have visibility into U.S.-based systems potentially being used as command centers by foreign adversaries, then the U.S. should just boot them out of those systems and force them to use foreign infrastructure that the NSA can hack without restriction, Alperovitch said.
“If the IP address is in the U.S., they have to go through the FISA process. If it’s overseas, they don’t have to do any of that,” he said. “They just pop that box and look at where it’s communicating.”
He points to an executive order signed by former President Trump during his last days in office that could theoretically accomplish this by requiring that cloud and other service providers verify the identity of foreign customers and maintain records of their transactions.
“The Trump administration EO actually solves all of these problems and does it in a way that doesn’t create massive fights over civil liberties in Congress,” Alperovitch said.
But the so-called “Know Your Customer” rules that would be developed under this executive order have been criticized by some as being too onerous for service providers, especially smaller providers who don’t have a lot of resources. It also wouldn’t prevent foreign adversaries from simply hijacking U.S.-based servers that are leased or owned by other customers who have been verified.
For this reason, it’s likely that talk about the surveillance gap and expanding NSA authority won’t go away.
If the government succeeds in alleviating the liability concerns of the private sector and convinces businesses like AWS to cooperate more when a U.S. system is suspected of being used in a cyberattack by a foreign power, the government may not need to seek more authority. If this fails, however, the Biden administration may turn to a proposal that the Obama administration considered years ago.
Former Defense Secretary Robert Gates described it in a recent Washington Post op-ed. The proposal called for creating a dual-hat position held by a senior DHS official who would also be a deputy director of the NSA. This person would have “authority to task the NSA in real time to defend against cyberattacks of domestic origin.” The details of how that would work are sparse, but Obama’s White House approved the plan, according to Gates. It never got implemented for various political and bureaucratic reasons, however, which Fred Kaplan recently described in a Slate piece and in his book Dark Territory.
It’s not clear, however, that this program, if implemented, would have detected the SolarWinds/Sunburst campaign or would detect future ones like it. The NSA and DHS, which already protect government military and civilian networks respectively, failed to prevent or detect the SolarWinds/Sunburst attack with the authorities they already possess to monitor and see inside those networks.
“The federal government failed to catch the SolarWinds hackers in any of the nine federal agencies that were hacked, where it had full legal authority to monitor every bit of activity on its own networks,” Wyden said in an email to me. "It’s not at all clear that sending the NSA into domestic networks would have detected recent breaches, particularly as they went unnoticed in the government’s own networks."