Recent reports from federal domestic intelligence have revealed signs of potential signals intelligence gathering by foreign actors in the United States. The Department of Homeland Security (DHS) has acknowledged the presence of what appear to be unauthorized mobile surveillance devices in various locations throughout the US, including the Washington, DC area.
These reports were first brought to the attention of lawmakers by DHS’s National Protection and Programs Directorate (NPPD) in a letter to Congress in late March. The letter said the department has observed “anomalous activity” in or near the nation’s capital that “appears to be consistent” with surveillance devices, which are also called international mobile subscriber identity (IMSI) catchers, often generically called Stingrays after the popular model of the device produced by Harris Corp. At the letter’s conclusion, NPPD reaffirms that the use of IMSI catchers is highly regulated by the federal government and their use in tracking cellular device users is “unlawful” and carries with it threats to “the security of communications…resulting in safety, economic, and privacy risks.”
IMSI catchers take advantage of the fact that every mobile phone is built to optimize its own reception. Phones are therefore constantly seeking out cellular base stations to obtain the best signal. If more than one base station of the subscribed network operator is accessible, the phone will always choose the one with the strongest signal. Catchers work by digitally masquerading as a powerful base station, causing every mobile phone of the simulated network operator within a defined radius to register with it. With the help of a special identity request aimed at the devices, catchers are able to force cell phones to route their communications through them, thus intercepting any data emanating from the device.
IMSI catchers essentially employ a version of what is referred to in cybersecurity parlance as a “man-in-the-middle (MITM) attack,” in which an attacker intercepts and/or alters communications between two parties. When it comes to MITM attacks against computers, criminals usually have to compromise the medium being used by their victims, such as a WiFi router. IMSI catchers are unique in that they are, more or less, waiting for their victims to find them. From an intelligence tradecraft perspective, this means that a savvy agent could identify a specific location saturated with high-value data transfers and communications and set up shop with a catcher. This is why it is particularly disconcerting to hear about IMSI catcher activity in a place like Washington, DC: it is highly indicative of foreign espionage activity.
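As an added illustration (not code from the article or from DHS), the following Python simulation models the handset selection rule described above, shows how a masquerading cell with the strongest signal captures the phone, and applies a defender-side check. The cell identities, signal values and the 20 dB margin are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Cell:
    cell_id: str       # identity the base station broadcasts
    operator: str      # network operator it claims to serve
    signal_dbm: float  # received signal strength at the handset


# Constructed sample: a site inventory of three legitimate towers
# (cell id -> typical signal) and the cells a handset observes, including
# one rogue cell advertising the same operator at a much stronger signal.
KNOWN_CELLS = {"C-1001": -85.0, "C-1002": -92.0, "C-1003": -97.0}
OBSERVED = [
    Cell("C-1001", "OP-A", -84.0),
    Cell("C-1002", "OP-A", -91.0),
    Cell("C-1003", "OP-A", -98.0),
    Cell("C-9999", "OP-A", -55.0),  # rogue: unknown identity, strongest signal
    Cell("C-2001", "OP-B", -60.0),  # other operator: handset ignores it
]


def select_cell(cells, operator):
    """Handset rule from the article: among accessible cells of the
    subscribed operator, camp on the one with the strongest signal."""
    candidates = [c for c in cells if c.operator == operator]
    return max(candidates, key=lambda c: c.signal_dbm) if candidates else None


def flag_suspicious(cell, known, margin_db=20.0):
    """Defender heuristic (assumed, not from the article): flag a serving
    cell whose identity is absent from the site inventory, or whose signal
    exceeds the strongest known tower by more than margin_db."""
    reasons = []
    if cell.cell_id not in known:
        reasons.append("unknown cell identity")
    if cell.signal_dbm > max(known.values()) + margin_db:
        reasons.append("signal far above known towers")
    return reasons


def audit(cells, operator, known):
    """Return (serving cell id, list of reasons it looks suspicious)."""
    serving = select_cell(cells, operator)
    if serving is None:
        return None, []
    return serving.cell_id, flag_suspicious(serving, known)
```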
Senator Ron Wyden (D-Oregon) highlighted this real concern in his response letter to DHS, stating that “foreign government surveillance of senior American political and business leaders would obviously pose a significant threat to our country’s national and economic security.”
America’s Long Counterintelligence Journey
These revelations bring up the real and serious issues of foreign espionage and the use of technology being deployed on American soil. They also touch on the broader question of how technology threatens domestic security, and what we should do about it.
The United States is undoubtedly in the midst of working out a coherent approach to these challenges. It would help to understand the journey that domestic counterintelligence has taken in the United States. This could give some perspective on where we’ve been, where we’re headed, and how incidents like those revealed in the recent NPPD report fit into formulating our current policies.
It’s been 100 years since the well-known Espionage Act came into force. The law has been used to convict perpetrators ranging from socialist activists in the early 20th century to more recent whistleblowers like Chelsea Manning and Edward Snowden. Although some similar legislation had existed prior to the 1917 law, the Espionage Act was really the first major milestone in America’s waking up to the reality of a domestic intelligence threat. The Act, which passed shortly after the US entered World War I, was triggered as a response to the first organized foreign terror conspiracy executed against the United States. As America had been providing substantial material assistance to the Allies, even while maintaining officially neutral status, the country became an important target for the Central Powers. Germany unleashed what could only be described as a terror wave in America, sending in teams of agents under the guise of immigrants. Over the course of a few years, these saboteurs set fire to Europe-bound supply ships, blew up American storage facilities, and even unleashed germ warfare by infecting war horses with anthrax.
Interestingly, although sabotage was really the main concern of the time, the Act focused heavily on the unlawful release of information. This foreshadowed the drastic shift of intelligence concerns that would occur during the next World War when signals intelligence began to reign supreme. Intercepting (and decoding) enemy communications was understood to be the most important strategic pursuit—it produced the most valuable intelligence assets. The active quest of the world’s intelligence agencies to get their hands on adversaries’ communications presented a paradigm change in spy work. Until then, sentiments of warring governments were usually characterized by Henry L. Stimson’s famous “gentlemen don’t read each other’s mail.” Now, this was all fair game.
While the risk of attacks and real-world sabotage has never disappeared, the domestic threat to America has since firmly moved to the realm of communications and data. The counterintelligence effort of federal law enforcement has developed over the past several decades to address this threat and focus on safeguarding information. The technological explosion of mobile data and portable communication devices added a whole new dimension to counterintelligence work. Safeguarding vaults and hard copy files was one thing. Securing the communications grid and securing data transmissions from being intercepted was another vastly greater challenge. The compromising potential presented by the army of machines and devices designed to intercept electronic signals—many freely available on the open market—appeared to be endless. Cases of foreign agents from adversarial countries like China and Russia deploying such devices to intercept sensitive data continued into the modern period.
Even today, spies operating in the United States are a real and ongoing threat to national security. One former Defense Intelligence Agency (DIA) officer recently estimated that as many as 100,000 agents working for dozens of different nations are currently and actively operating in America. Confirming these suspicions is the periodical but consistent arrest of foreign agents in US cities. Consider the case of Evgeny Buryakov, who was arrested for espionage and confessed to spying for Russia back in 2015. Buryakov posed as an employee in the Manhattan office of a Russian bank and passed on encoded messages to handlers for years before being taken into custody.
It is on this backdrop that recent administrations—especially the current one—have put such a strong emphasis on domestic digital grid security.
The very agency that reported on the above IMSI activity, the NPPD, is a recent product of the Trump administration. While DHS as a whole has long incorporated domestic data and communications security into its national defense work, NPPD was deemed necessary as an independent organization in order to address the growing threat to data and communications on the domestic front. NPPD was made responsible both for securing specific national assets, such as digital electoral systems, and for developing strategies to defend the country from domestic and foreign actors targeting private and governmental assets located in the United States.
This trend can be seen not only from a broader strategic perspective, but also in terms of specific policy decisions. In recent months, the federal government has begun to firmly crack down on technologies seen as posing a threat to national security. Take the Kaspersky ban from September 2017, when the Department of Homeland Security (DHS) prohibited federal agencies and departments from using software produced by the Russian firm Kaspersky Lab, out of fears the programs were being used to redirect data from government servers. Similar efforts have occurred recently with regard to Chinese communications companies being granted licensing in the US, such as the effort to block China-based mobile giant Huawei from operating in America, and pressure on US companies to sever ties with other Chinese telecommunication companies.
Some observers have denounced these and other similar moves by the government as pure fear mongering, and assertions of foreign espionage risks as overblown. There is certainly a point to be taken here: prudence is required when banning things on the basis of national security, especially when it has to do with our communications and access to information. Findings like the recent NPPD letter on suspicious IMSI catcher use, however, show that the threat posed by unmitigated technology deployment is real. Reports like these will almost certainly bolster the current trend of government policy toughening up on technology.