The NSA is targeting hackers the same way it targets terror.
NSA data center (seen from Freedom Ridge) 4, Bluffdale, Utah, USA. Image: Cory Doctorow/Flickr
Shortly after 9/11, Congress passed the Authorization for the Use of Military Force (AUMF). It authorized the US military to go after "Al Qaeda and associated forces," officially starting the so-called War on Terror. Of course, we now know that last part, "associated forces," has been re-interpreted to mean more or less anyone the US government labels a threat. All a target needs is to possess the right signature (being a military-age male in certain parts of Pakistan or Yemen, for example) and they can be captured or killed by a drone from virtually anywhere in the world—even when the government doesn't know who its targets are.
New Snowden documents published by The New York Times and ProPublica show that this same mentality has taken over the NSA's cyber intelligence mission. According to a leaked internal timeline of the agency's cyber operations, the NSA and FBI won significantly broadened authorities in 2012, allowing them to target hackers that might be associated with rival nation-states. But the agencies also sought to expand those powers further to allow them to go after signatures that aren't tied to any particular terrorist group or foreign power.
On some level this makes sense. Attribution is often hard, if not impossible, when it comes to investigating cyber attacks
And, as usual, all of this happened in secret without any public notice or debate.
The documents show that after successful NSA lobbying, the Department of Justice secretly broadened the agency's powers under Section 702 of the FISA Amendments Act in May and July of 2012. But instead of being limited to tech-savvy terrorists and nation-state hackers, the NSA also wanted to be able to target IP addresses, strings of code and other "cybersignatures" they suspect are associated with malware, hackers, and other cyber threats.
The changes would fill what the NSA had complained was a "huge collection gap" in their online threat detection capabilities. But while the documents seem to describe those authorizations as a sure thing, it's not clear if or when they've been implemented.
On some level this makes sense. Attribution is often hard, if not impossible, when it comes to investigating malware and cyber attacks. Many experts still doubt the FBI's claim that North Korea was behind the massive hack of Sony Pictures last December, for example. Since cyber criminals and hackers use proxies and infected computers to carry out their missions, it's difficult to investigate malicious cyber activity without stumbling upon innocent peoples' machines.
But the crumbling distinction between violent terrorist attacks, nation-state spying and regular criminal activity is nevertheless incredibly alarming. A classified section of a 2009 report from the National Security Council, which is included in the new documents, reveals that the government worries that maintaining any distinction between these threat categories "may prove impractical." That might explain why in 2011, also according to the documents, the FBI was given access to the NSA's "Upstream" collection of global internet traffic for the purpose of using IP addresses and cybersignatures in its investigations.
In other words, when it comes to the internet, the government believes the boundaries between foreign intelligence and domestic law enforcement are becoming obsolete.