Inside the NSA's Ultra-Secret China Hacking Group

Deep within the National Security Agency, an elite, rarely discussed team of hackers and spies is targeting America's enemies abroad.
BY MATTHEW M. AID | JUNE 10, 2013
This weekend, President Barack Obama sat down for a series of meetings with China's newly appointed leader, Xi Jinping. We know that the two leaders spoke at length about the topic du jour -- cyber espionage -- a subject that has long frustrated officials in Washington, and is now front and center with the revelations of sweeping U.S. data mining. The media has focused at length on China's aggressive attempts to electronically steal U.S. military and commercial secrets, but Xi pushed back at the "shirtsleeves" summit, noting that China, too, was the recipient of cyber espionage. But what Obama probably neglected to mention is that he has his own hacker army, and it has burrowed its way deep, deep into China's networks.
When the agenda for the meeting at the Sunnylands Estate outside Palm Springs, California was agreed to several months ago, both parties agreed that it would be a nice opportunity for President Xi, who assumed his post in March, to discuss a wide range of security and economic issues of concern to both countries. According to diplomatic sources, the issue of cyber security was not one of the key topics to be discussed at the summit.
Sino-American economic relations, climate change, and the growing threat posed by North Korea were supposed to dominate the discussions.
Then, two weeks ago, White House officials leaked to the press that President Obama intended to raise privately with Xi the highly contentious issue of China's widespread use of computer hacking to steal U.S. government, military, and commercial secrets. According to a Chinese diplomat in Washington who spoke in confidence, Beijing was furious about the sudden elevation of cyber security and Chinese espionage on the meeting agenda. According to a diplomatic source in Washington, the Chinese government was even angrier that the White House leaked the new agenda item to the press before Washington bothered to tell them about it.
So the Chinese began to hit back. Senior Chinese officials have publicly accused the U.S. government of hypocrisy, and alleged that Washington is also actively engaged in cyber espionage. When the latest allegation of Chinese cyber espionage was leveled in late May in a front page article in the Washington Post, which alleged that hackers employed by the Chinese military had stolen the blueprints of over three dozen American weapons systems, the Chinese government's top Internet official, Huang Chengqing, shot back that Beijing possessed "mountains of data" showing that the U.S. has engaged in widespread hacking designed to steal Chinese government secrets. This weekend's revelations about the National Security Agency's PRISM and Verizon metadata collection from a 29-year-old former Central Intelligence Agency (CIA) undercover operative named Edward J. Snowden, who is now living in Hong Kong, only add fuel to Beijing's position.
But Washington never publicly responded to Huang's allegation, and nobody in the U.S. media seems to have bothered to ask the White House if there was a modicum of truth to the Chinese charges.
It turns out that the Chinese government's allegations are essentially correct. According to a number of confidential sources, a highly secretive unit of the National Security Agency (NSA), the U.S. government's huge electronic eavesdropping organization, called the Office of Tailored Access Operations, or TAO, has successfully penetrated Chinese computer and telecommunications systems for almost 15 years, generating some of the best and most reliable intelligence information about what is going on inside the People's Republic of China.
Hidden away inside the massive NSA headquarters complex at Fort Meade, Maryland, in a large suite of offices segregated from the rest of the agency, TAO is a mystery to many NSA employees. Relatively few NSA officials have complete access to information about TAO because of the extraordinary sensitivity of its operations, and it requires a special security clearance to gain access to the unit's work spaces inside the NSA operations complex.
The door leading to its ultra-modern operations center is protected by armed guards, an imposing steel door which can only be opened by entering the correct six-digit code into a key pad, and a retinal scanner to ensure that only those individuals specially cleared for access get through the door.
According to former NSA officials interviewed for this article, TAO's mission is simple. It collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the message and data traffic passing within the targeted e-mail and text messaging systems. The technical term of art used by NSA to describe these operations is Computer Network Exploitation (CNE).
TAO is also responsible for developing the information which would allow the United States to destroy or damage foreign computer and telecommunications systems with a cyber attack if so directed by the president. The organization responsible for conducting such a cyber attack is U.S. Cyber Command (CYBERCOM), whose headquarters is located at Fort Meade and whose chief is the director of NSA, Gen. Keith Alexander.
TAO has been commanded since April of this year by Robert Joyce, who formerly was the deputy director of NSA's Information Assurance Directorate (responsible for protecting U.S. government communications and computer systems). Sources say that TAO is now the largest, and arguably the most important, component of NSA's huge Signals Intelligence (SIGINT) Directorate, consisting of over 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers.
The sanctum sanctorum of TAO is its ultra-modern operations center at Fort Meade called the Remote Operations Center (ROC), which is where the unit's 600 or so military and civilian computer hackers (they call themselves CNE operators) work in rotating shifts 24 hours a day, seven days a week.
These operators spend their days (or nights) searching the ether for computer systems and supporting telecommunications networks being utilized by, for example, foreign terrorists to pass messages to their members or sympathizers. Once these computers have been identified and located, the computer hackers working in the ROC break into the targeted computer systems electronically using special software designed by TAO's own corps of software designers and engineers specifically for this purpose, download the contents of the computer's hard drives, and place software implants or other devices called "buggies" inside the computer's operating system, which allows TAO intercept operators at Fort Meade to continuously monitor the e-mail and/or text messaging traffic coming in and out of the computer or hand-held device.
TAO's work would not be possible without the team of gifted computer scientists and software engineers belonging to the Data Network Technologies Branch, who develop the sophisticated computer software that allows the unit's operators to perform their intelligence collection mission. A separate unit within TAO called the Telecommunications Network Technologies Branch, or TNT for short, develops the techniques that allow TAO's hackers to covertly gain access to targeted computer systems and telecommunications networks without being detected. Meanwhile, TAO's Mission Infrastructure Technologies Branch develops and builds the sensitive computer and telecommunications monitoring hardware and support infrastructure that keeps the effort up and running.
TAO even has its own small clandestine intelligence gathering unit called the Access Technologies Operations Branch, which includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations," which is a polite way of saying that they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and/or telecommunications systems overseas so that TAO's hackers can remotely access them from Fort Meade.
It is important to note that TAO is not supposed to work against domestic targets in the U.S. or its possessions. This is the responsibility of the Federal Bureau of Investigation (FBI), which is the sole U.S. intelligence agency chartered for domestic telecommunications surveillance. But in light of information about wider NSA snooping, one has to prudently be concerned about whether TAO is able to perform its mission of collecting foreign intelligence without accessing communications originating in, or transiting through, the United States.
Since its creation in 1997, TAO has garnered a reputation for producing some of the best intelligence available to the U.S. intelligence community not only about China, but also on foreign terrorist groups, espionage activities being conducted against the United States by foreign governments, ballistic missile and weapons of mass destruction developments around the globe, and the latest political, military and economic developments around the globe.
According to a former NSA official, by 2007, TAO's 600 intercept operators were secretly tapping into thousands of foreign computer systems and accessing password-protected computer hard drives and e-mails of targets around the world. As detailed in my 2009 history of NSA, The Secret Sentry, this highly classified intercept program, known at the time as Stumpcursor, proved to be critically important during the U.S. Army's 2007 "surge" in Iraq, where it was credited with singlehandedly identifying and locating over one hundred Iraqi and al Qaeda insurgent cells in and around Baghdad.
That same year, sources report that TAO was given an award for producing particularly important intelligence information about whether Iran was trying to build an atomic bomb.
By the time President Obama became president of the United States in January 2009, TAO had become something akin to the wunderkind of the U.S. intelligence community. "It's become an industry unto itself," a former NSA official said of TAO at the time. "They go places and get things that nobody else in the IC [intelligence community] can."
Given the nature and extraordinary political sensitivity of its work, it will come as no surprise that TAO has always been, and remains extraordinarily publicity shy. Everything about TAO is classified Top Secret Codeword, even within the hyper-secretive NSA. Its name has appeared in print only a few times over the past decade, and the handful of reporters who have dared inquire about it have been politely but very firmly warned by senior U.S. intelligence officials not to describe its work for fear that it might compromise its ongoing efforts. According to a senior U.S. defense official who is familiar with TAO's work, "The agency believes that the less people know about them [TAO] the better."
The word among NSA officials is that if you want to get promoted or recognized, get a transfer to TAO as soon as you can. The current head of the NSA SIGINT Directorate, Teresa Shea, 54, got her current job in large part because of the work she did as chief of TAO in the years after the 9/11 terrorist attacks, when the unit earned plaudits for its ability to collect extremely hard-to-come-by information during the latter part of the Bush administration. We do not know what the information was, but sources suggest that it must have been pretty important to propel Shea to her position today. According to a recently retired NSA official, TAO "is the place to be right now."
There's no question that TAO has continued to grow in size and importance since President Obama took office in 2009, which is indicative of its outsized role. In recent years, TAO's collection operations have expanded from Fort Meade to some of the agency's most important listening posts in the United States. There are now mini-TAO units operating at the huge NSA SIGINT intercept and processing centers at NSA Hawaii at Wahiawa on the island of Oahu; NSA Georgia at Fort Gordon, Georgia; NSA Texas at the Medina Annex outside San Antonio, Texas; and within the huge NSA listening post at Buckley Air Force Base outside Denver, Colorado.
The problem is that TAO has become so large and produces so much valuable intelligence information that it has become virtually impossible to hide it anymore. The Chinese government is certainly aware of TAO's activities. The "mountains of data" statement by China's top Internet official, Huang Chengqing, is clearly an implied threat by Beijing to release this data.
Thus it is unlikely that President Obama pressed President Xi too hard at the Sunnylands summit on the question of China's cyber espionage activities.
As any high stakes poker player knows, you can only press your luck so far when the guy on the other side of the table knows what cards you have in your hand.