Saturday, September 20, 2014

Whose Speargun is it?

In a hard to find post in the technology section of the stuff website, it was reported that the GCSB had confirmed on Friday the existence of ‘Project Speargun’, as Glenn Greenwald had claimed on Monday.

The site quotes an unnamed “GCSB spokesman” saying that Speargun was “a core component of the cyber defence project in its earlier iterations”, i.e. that it was the discarded ‘Option 2’ mentioned in the papers released by John Key few days earlier.

This is supposed to confirm what John Key said - that it was an option that never went past a business case, and that he stopped it because it was too intrusive.

What it does confirm is the veracity of Greenwald’s documents. But it doesn’t let Key or the GCSB off the hook, really.

According to the hastily declassified papers, the Cabinet Committee on State Sector Reform and Expenditure Control in April 2012 “directed the GCSB to develop a Detailed Business Case for implementation of Option 2 [Speargun] in 2013”, noting that “the implementation of Option 2 is preferred.” The committee includes of course John Key, therefore it was also his preferred option in 2012.

The NSA document from early 2013 states:
GCSB's cable access programme SPEARGUN phase 1; awaiting new GCSB Act expected July 2013; first meta data probe mid 2013.
This definitely sounds more like a project plan than the development of a business case.

Then in September 2013, cabinet “rescinded the decision [...] on the development of a detailed business case for Option 2”. Note the wording – it does not say that cabinet looked at the business case and decided not to proceed with it, as John Key claims, but that cabinet no longer required the development of the business case. Without the project being detailed, how did Key come to the conclusion that his previously preferred option was suddenly too intrusive?

One would have thought that a year and a half after being asked to develop a business case for a project that was “a core component of the cyber defence project” (according to the anonymous GCSB spokesperson), the GCSB would have done so. It sounds unlikely that the GCSB would not have made it a high priority to get on with it. Are we supposed to believe that the GCSB doesn’t really care about cyber security?

So we have the NSA document pointing to project ‘Speargun’ being well under way, with a first test having been planned for mid 2013, and a (previously top secret) cabinet paper from several months later, telling the GCSB not to bother with writing the business case for it. Could it be that this was because by that time the project had been taken over by the NSA?

What speaks for this theory is that the first paper from 2012 mentions that ‘Option 2’ “requires significant scoping and consultation in order to identify the full range of risks and dependencies for the government”, i.e. it was quite complex and possibly beyond the capabilities of the GCSB.

Friday, September 19, 2014

Cortex, 'Operation Speargun' and Surveillance in NZ

This week saw the introduction of another surveillance term to the world: 'Operation Speargun'.

It is another of a growing list of surveillance programmes and tools that have come to light over the last year: Prism, Boundless Informant, XkeyScore, Tempora, Shelltrumpet, Honeytrap, Egoistic Giraffe, Evil Olive, Blarney, Stormview, Thin Thread, Muscular, Moonlightpath, Spinnernet, Trial Blazer, Treasure name a few. Most of the names are as bad as the Five-Eye powerpoint slides revealed by Edward Snowden since leaving his job as a sub-contractor with the NSA.

Glenn Greenwald, the former lawyer turned journalist who has been helping Snowden, came to NZ to release the documents. Within hours of Greenwald's arrival Prime Minister John Key was on the attack, describing Greenwald as 'a loser' and 'Dotcom's little henchman'. Key also played the jingoist nationalist card and several times pointed out that Greenwald was a foreigner and not with New Zealand's interests at heart. He even went so far to say, “We are a good country doing good things. This guy turns up ... he's not a passionate New Zealander.”

John Key has also once agan been repeatedly reassuring us that the GCSB is not involved in mass surveillance in NZ. He is keen for us to believe that the GCSB, in fact all the Five-Eye members, always act legally and never spy on their own citizens – they only spy on 'threats'.

Yet one only has to look at the swathe of material revealed by Snowden to know that the Five-Eyes are a force unto themselves. The five original key agencies that make up the Five-Eyes: the United States NSA, the British GCHQ, the Canadian CSEC, the Australian DSD and the NZ GCSB, have been and are involved in mass surveillance and data collection of people worldwide, including in their own countries.

They are not government run organisations that only focus on 'signals intelligence'. The Five-Eyes are intelligence agencies involved in mass data collection and surveillance. They are also agencies involved in pro-active spying, entrapment schemes and smear tactics.

'The Moment of Truth' – Operation Speargun
On Monday 15th September Greenwald and Snowden revealed Operation Speargun – a Five-Eye programme to be operated in NZ. A surveillance programme that the GCSB was working on, and had laid the foundations for, prior to the changes to the GCSB Act going through last year.

Operation Speargun was a programme to hack into the Southern Cross cable and install covert cable access equipment capable of monitoring all communications to and from NZ. The programme was ready to go, the first phase had occurred. According to NSA documents, it was only waiting for the new GCSB Act for it to be activated. (For some reason the government had decided to follow the law. Possibly the scandal over the illegal surveillance of the 80 plus New Zealanders that came to light in the Kitteridge Report meant the government wanted to play safe.)

But before Greenwald even got to speak about Speargun at the Monday meeting – John Key did his own exposing and revealed Project Cortex. On one hand, Key appeared to be bravely declassifying and releasing previously 'top secret' documents to show that his government is not involved in mass surveillance. On the other hand however, Key's leaks seem to be little more than a side-show to distract the media and public from the spectre of mass surveillance.

Project Cortex and Operation Speargun are different programmes.
Project Cortex is the government's initiative to protect NZ infrastructure from cyber attacks – just like a giant 'Norton Anti-virus'. In hindsight, in August 2013 when John Key described the GCSB as just “providing protection like Norton Antivirus, he had probably been doing some work on the Cortex project.

The documents released by Key show Project Cortex involves the NZ National Cyber Security Centre (which is hosted by the GCSB), the GCSB, various government agencies and a number of key businesses (probably Telcos and ISPs).

The Cortex documents could fool people into believing that John Key is right – the programme is just like a giant Norton Anti-Virus. But it is not.

The aim of Project Cortex is to defeat cyber attacks that cannot be detected by commercially available systems. This means Cortex does not simply monitor what goes in and out of the 'participating organisations' but collects meta-data to predict cyber attacks. In order to do this, large amounts of data first have to be collected in order to analyse it for patterns that allow these predictions. This is where Cortex can be linked to Speargun.

The Cortex business case also states that the GCSB will not undertake any software development itself, or contract it out. Instead Project Cortex will use existing programs and technologies. Yet one cannot read what these technologies are as the sentences following are redacted. It is possible that these redacted sentences contain references to the technologies already developed for use in Operation Speargun.

John Key said when releasing the Project Cortex documents, that it helps prove his case some surveillance options were rejected as going too far. In the documents there are mention of two options but little to support his statement. Nor to the documents mention any widespread surveillance option that was prevented.

Key has not offered any evidence of his purported stopping of a surveillance programme.

'We would know about surveillance' – really?
Others have also denied that a programme like Operation Speargun could happen here.

The CEO of Southern Cross put out a press release stating that it was impossible for spy agencies to tap into the cable without his company noticing. The NZ Inspector-General of Intelligence and Security Cheryl Gwyn also said she had "not identified any indiscriminate interception of New Zealanders' data in my work to date."

This raises the question – do these people think that NZ cannot be out-witted or fooled by the NSA and any of the other four agencies in the Five-Eyes? Brazil was out-witted, Indonesia was, Germany was – US citizens and British citizens were, so why would we not be?

Just this week, Spiegel Online published a report about a Five-Eyes spying programme used on German Telcos. The reaction of some of those companies was absolute shock at the level of spying that had taken place. 'Fuck!' was the reaction of one CEO.

Angela Merkel never knew she was been spied on. Nor did the president of Indonesia and his wife. But Key thinks it will be different for NZers. He is certain none of the other Five-Eye agencies are spying on NZers, because “If Barack Obama wanted to know something about New Zealand I suspect he'd just give me a ring.”

'Spied on and surveilled?' - Yes
The media and public can get bogged down in the technical terms and the red-herrings thrown up by politicians – but all one has to do is step back and look at the whole of the evidence that has come to light about surveillance over the last few years.

We need to not only look at what Snowden has revealed since he quit the NSA, but also recall what has happened since the raid on Dotcom in early 2012.

The Kitteridge Report alleged that 88 people were illegally spied upon by the GCSB. The Inspector-General of Intelligence and Security said the spying was “arguably legal”and the GCSB Act was changed accordingly.

Meanwhile the Telecommunication Interceptions Capability and Security Act (TICS) was passed. The TICS Act requires the Telcos to cooperate with the GCSB, something the Telcos rejected and numerous submissions were made against the Bill.

Many see the TICS Act as establishing the basis for mass surveillance in this country, it is legislation giving the GCSB power to surveil all NZ digital traffic.

Project Cortex specifically states “there will be no 'mass surveillance', and data will be accessed by GCSB only with the consent of owners of relevant networks or systems.” In tautological reasoning, this is consent that is required by law under the TICS Act.
And more lately a declassified summary of the NZ State Services Commission's report on the NZ Intelligence Community was released. The report said that the NZIC do not have clear priorities, do not work together well and have a naïve faith in wanting to copy the structure of the NSA. The NZ Intelligence Community rely too much on the Five Eyes network.

NZ is part of the Five-Eyes network. The Five-Eyes do undertake mass surveillance. We are part of it.

Is Key still waiting for that phone call from Obama?

Sunday, September 14, 2014

Sept 2014 Report on Communications Surveillance in New Zealand.

The Global Information Society Watch (GISWatch) has recently published a report on communications surveillance in New Zealand.

The report concludes that as a result of the GCSB and TICS laws introduced in 2013, surveillance of communications in this country has increased. The "new laws provide much stronger, direct state-sanctioned surveillance (including the use of metadata) by the GCSB, which it can use in domestic law enforcement."

The report is a concise report of the state of communications surveillance and the changes that have occurred since the raid on Dotcom's home in early 2012. The report summarises the GCSB spying that came to light as a result of that raid, the publication of the Kitteridge Report and the resulting acknowledgement by the Prime Minister that the GCSB had been spying on NZ citizens.