20 January 2002. Thanks to PP.
Source: Hardcopy of The Atlantic Monthly, February 2002, pp. 33-35.




The great age of code breaking is over -- and with it much of our ability to track the communications of our enemies

Within days of the September 11 attacks U.S. intelligence agencies were being blamed in many quarters for their failure to detect the terrorists' plans in advance. Mistakes in the formulation and execution of intelligence policy were no doubt made. Yet there is no one to blame for what is probably by far the greatest setback in recent years to American capabilities for keeping tabs on terrorists: the fact that it is now virtually impossible to break the encrypted communication systems that PCs and the Internet have made available to everyone -- including, apparently, al Qaeda. The real culprits behind this intelligence failing are the advance of technology and the laws of mathematics.

For more than a decade the National Security Agency has been keenly aware that the battle of wits between code users and code breakers was tipping ineluctably in favor of the code users. Their victory has been clinched by the powerful encryption software now incorporated in most commercial e-mail and Web-browser programs.

It has always been theoretically possible to produce a completely unbreakable code, but only at considerable inconvenience. In the 1920s two groups of code users, Soviet spies and German diplomats, became aware of the vulnerability of their existing systems and began to rely on what are known as one-time pads. In this system sender and receiver are supplied with matching pages containing strings of numbers; each page is used as a key for encoding and decoding a single message and then discarded. If properly used, this scheme is unbreakable, Yet in practice corners were invariably cut, because the system was logistically complicated, involving -- among other things -- teams of couriers to deliver new onetime pads as the old ones were used up.

Until the end of the twentieth century any more practical coding system that could be devised was susceptible to a basic flaw that a skilled code breaker could exploit. Language is extremely patterned -- certain letters and words occur far more often than others. The essential task of a code key is to disguise that non-randonmess. The key might, for example, consist of a long string of random numbers specifying where in the alphabet each letter of the message text should be shifted. If the first letter of the message were A and the first key number 3, then that A would become D in the coded version of the text; if the fourth letter were A and the fourth key number 5, then that A would become F; and so on. Many schemes were developed to provide users with very long key strings, in an attempt to approach the security offered by the one-time pad. Some systems used code books containing tens of thousands of key numbers; others, such as the famous German Enigma machine of World War II, used rotating wheels containing wires and electrical contacts to generate a sequence of permutations.

Yet eventually some of the strings of key would have to be used in more than one message, and when they were, the underlying patterns of language would begin to glow dimly through. The history of twentieth-century code breaking is at its heart the development of a series of increasingly sophisticated mathematical methods to detect non-randomness. The best code breakers were usually able to keep pace with the latest advances in code making, because of the practical limitations of producing very long strings of truly random, non-repeating key. The Enigma machine could be reset each day to one of a million million million million different key-string permutations, yet because of the machine's reliance on mechanically rotating wheels, those different combinations were not completely random or independent; subtle mathematical relationships connected one combination to another, and Allied code breakers were able to develop a brilliant mathematical technique that required them to test only a few thousand different combinations to break each day's setting. In effect, they discovered a shortcut, much like a safecracker's using a stethoscope to listen to the tumblers fall rather than attempting the "brute force" approach of trying every single combination.

But the postwar advent of general-purpose computers -- stimulated by funding from the NSA -- began a process that by the end of the century gave code makers an unassailable lead.

At first, when the extremely high price of computers ensured that government agencies would always have a commanding technological lead over the public, computers enabled the code breakers to abandon much subtlety in favor of brute force: the computers could simply run through every possible key setting to find the one that worked. But this was ultimately a losing proposition, because in terms of computing power it is always cheaper and easier to generate longer and longer keys than it is to test longer and longer keys. Once computers became widely available, the game was over.

In 1998 a team of private-sector computer experts built a special-purpose computer that could test 92 billion different key sequences per second in the widely used Data Encryption Standard system, a mainstay of encoding for commercial electronic traffic, such as bank transfers. It took them fifty-six hours to break a message that was encoded in a version of DES that chooses from some 72 quadrillion possible keys for enciphering each message. (The number of possible keys available in a computer-generated code is typically measured in terms of the length of the binary numeral required to specify which key sequence to use; fifty-six bits give about 72 quadrillion combinations, so this version is called 56-bit DES.) That feat was hailed as a great technological triumph, and it undoubtedly was one. It was also clearly intended to make a statement -- mainly, that DES, which the U.S. government had promulgated, was deliberately designed to keep ordinary code users from employing anything too hard for the NSA to break. But there was an utterly trivial fix that DES users could employ if they were worried about security: they could simply encrypt each message twice, turning 56-bit DES into 112-bit DES, and squaring the number of key sequences that a code breaker would have to try. Messages could even be encrypted thrice; and, indeed, many financial institutions at the time were already using "Triple DES."

Issued in 1977, DES was originally implemented in a computer chip, which made it possible at least in principle to control the spread of encryption technology through export restrictions. Huge increases in the processing power of PCs, however, subsequently made it easy to realize much more complex encryption schemes purely in software, and the Internet made it practically impossible to prevent the rapid spread of' such software to anyone who wanted it. Today most Web browsers use 128-bit encryption as the basic standard; a brute-force attack would take the world's fastest supercomputer something like a trillion years at present. If someone develops a supercomputer that is twice as fast, a code user need only start using 129-bit encryption to maintain the same relative advantage.

The standard e-mail encryption software, supplied with most computers, is the PGP ("pretty good privacy") system. In its latest version it is actually considerably better than pretty good. Users can select 2048-bit (equivalent to a little less than 128-bit DES) or even 4096-bit (equivalent to significantly more than 128-bit DES) keys.

Osama bin Laden's network is suspected of employing additional methods to veil its communications. Some reports suggest that a1 Qaeda not only used encrypted e-mail but also hid encrypted message texts within picture files or other data that could be downloaded from a Web site.

The implications of this fundamental shift in the balance of cryptologic power between the spies and the spied-upon are profound. Before World War II most Western governments, and their military officials looked on intelligence with considerable contempt if they paid attention to it at all. Information from paid spies has always been notoriously unreliable -- colored by ineptness, by a mercenary calculation of what the customer wants to hear, and sometimes by outright deceit. The explosion of intelligence from decoded enemy signals that took place during World War II, however, revolutionized both the profession of intelligence gathering and its impact. Signals intelligence was information coming unfiltered from the mouth of the enemy; its objectivity and authenticity were unparalleled. The proof was in the payoff. The victory at Midway, the sinking of scores of Japanese and German submarines, the rout of Rommel across North Africa, the success of D-Day -- all depended directly and crucially on intelligence from decoded Axis communications.

Signals intelligence is not completely dead, of course: bad guys make mistakes; they sometimes still use the phone or radio when they need to communicate in a hurry; and a surprising amount of useful intelligence can be gleaned from analyzing communication patterns even if the content of the communications is unreadable. Still, if encrypted-signals intelligence is to continue to provide information about enemy plans and organization, it must be accompanied by a significant increase in direct undercover operations. A hint of things to come emerged this past summer in the federal criminal trial of Nicodemo Scarfo Jr., who faces charges of running gambling and loan-sharking operations for the Gambino crime family. Federal agents, discovering that Scarfo kept records of his business in encrypted files on his PC, obtained a court order to surreptitiously install on his computer what was identified in court papers as a "key-logger system." The system (whether hardware or software is unclear) apparently recorded every keystroke typed into the computer, eventually enabling FBI agents to recover the password Scarfo used with his encryption software. Planting such electronic bugs directly in computers, or perhaps even sabotaging encryption software with a "back door" that code breakers could exploit, would generally require direct access to the machines. A plan proposed by the Clinton Administration would have obviated the need for direct access. But the plan, which would have required all American makers of encryption software to install a back door accessible by U.S. intelligence agencies acting with court approval, was abandoned, in part because of the argument that the requirement would not apply to foreign software makers, who are now perfectly capable of equaling the most sophisticated American-made commercial encryption software.

An effort in the Senate to revive that plan and include it in the anti-terrorism bill that was signed into law October 26 received little support and was withdrawn, and on much the same grounds -- that however powerful an intelligence tool code breaking was during its golden age, in World War II and the Cold War, the technical reality is that those days are gone. Code breaking simply cannot work the magic it once did.

Cryptome: Mr. Budiansky is a correspondent for The Atlantic Monthly, based in Leesburg, Virginia. His book on Allied codebreaking in World War II, Battle of Wits, was published in 2000 by The Free Press.

Mr. Budiansky is sufficiently knowledgeable about codebreaking to note that codebreakers never reveal their decrypting capabilities and will go to considerable lengths to hide them or promulgate disinformation so that code users will believe their systems are secure. There have been a fair number of articles promoting the notion of NSA's loss of codebreaking capabilities as public use of encryption increases. This would be consistent with a campaign of disinformation similar to that employed for earlier code-breaking deceptions. Professional cryptographers and computer security specialists remind that code-breaking today is not usually directed against the mathematical strengths of an encryption program but against the program's more vulnerable implementation -- such as the faults of a computer operating system, weaknesses in processor design, poorly chosen obvious passphrases or inadequately protected passphrases. Occasionally the articles report, as does Mr. Budiansky's here, alternative methods employed to bypass encryption (the Scarfo case repeatedly cited as if planned and publicized for that purpose), but not always.

It is probable that some of the methods described for bypassing encryption are disinformative, and disseminated to divert attention from true capabilities of decryption and/or burglary. For example, those used by the Special Collections Service (SCS), a covert unit operated by the CIA and NSA to burgle targeted facilities making use of encryption. The publicized feats of the SCS may be disinformation to conceal decryption capabilities. Sample article on SCS below.

Source: http://www.business20.com/articles/mag/print/0,1643,17511,FF.html

Business 2.0

November 2001

Weapons of the Secret War

By: Paul Kaihla

How the shadowy science of signals intelligence, honed in the drug wars, can help us fight terrorism.

The target never had a clue that he was in imminent danger. A high-ranking member of a Kashmiri terrorist group implicated in the World Trade Center attack, he had every reason to believe he had eluded the manhunt. He was lying low in a nondescript safe house on the outskirts of Peshawar in Pakistan's Khyber Pass region. He steered clear of phones and kept to himself. His sole contact with his global ring was through wireless e-mail transmitted by a high-frequency radio running on only eight flashlight batteries. Using that low-powered signal to send messages of only a few words at a time -- keeping transmissions to short bursts -- he was impossible to trace.

Or so he thought.

What the terrorist couldn't know was that signals intelligence operatives had been on his trail for months. His communications network relied on a base station hundreds of miles away in the Afghan desert; that device had been spotted by a robotic spy plane, a U.S. Air Force Predator, that was mapping radio traffic along the mountainous Afghan-Pakistani border from an altitude of 25,000 feet. Thereafter, each radio message he sent brought his fate closer, the final one pinpointed by members of the U.S. antiterrorism unit, Delta Force, who were sweeping his outpost with handheld direction finders. They staked out the house with local commandos and waited. When their man stepped out for some air, they made a visual confirmation and radioed the kill order to a Pakistani sniper team. From a quarter-mile away, a shooter took out the target with a single .50-caliber bullet.

In the shadowy war against the architects of the Sept. 11 atrocity, this is how victory may look. If you think it all sounds too much like a Tom Clancy novel to be true, you're mistaken: The hypothetical scenario above parallels almost exactly the real-life demise on Dec. 2, 1993, of public enemy number one in the U.S. war on drugs, Pablo Escobar. That manhunt ended in Medellmn, of course, not Peshawar, and the infinite justice was administered by Colombian, not Pakistani, commandos. Still, members of the U.S. intelligence community and military say the drug cartel raids of the 1990s are a model for antiterror strategists today. In both campaigns, U.S. special forces advise indigenous troops, who do the actual dirty work. And in both cases, American signals intelligence technology plays a crucial role.

Broadly speaking, signals intelligence (sigint) is the interception, exploitation, and jamming of electronic communication, whether it's radiated through the atmosphere and sea or through fixed lines like the telephone grid. In its 21st-century American application, it is a multibillion-dollar enterprise designed to eavesdrop on the conversations and data traffic of U.S. adversaries anywhere in the world. (However, the law prohibits blanket electronic monitoring of U.S. residents, one reason perhaps that intelligence agencies missed the hundreds of e-mails the Sept. 11 hijackers exchanged with each other from personal computers and public library kiosks.) The listening posts in this worldwide surveillance network range from simple radio antennas wired into sophisticated receivers to P-3 Orion spy planes operated by the U.S. Navy and Customs Service to nuclear submarines like the USS Jimmy Carter, which can sit on the ocean floor for weeks at a time tapping undersea fiber-optic cables. The network even extends into space, where at least eight geosynchronous spy satellites vacuum up radio and other waves emanating from earth, beam the captured data to receivers on various continents, and then relay them to the mecca of sigint, the Fort Meade, Md., headquarters of the National Security Agency (NSA). Some of the above listening points feed data into the computers of a Cold War-inspired intelligence cooperative called Echelon, maintained by the United States, Canada, Britain, Australia, and New Zealand.

Behind the octopuslike network of listening posts is a technological arsenal that would stretch the imagination of Silicon Valley's best engineers. There are instruments known as spectrum analyzers, which are like MRI-scanners for all electromagnetic signals in an area. They not only can find a radio transmitter hidden in the mountains but will tell you its energy source. Data-mining software can comb through hundreds of millions of intercepted e-mail messages, faxes, and phone calls in a matter of minutes to find a single hot-button sequence -- say, the fax number of a suspected terrorist. Most mind-boggling of all is a system that can pick a single voice out of thousands of cell-phone conversations in an area, even if the speaker is constantly switching phones to avoid interception.

At the controls of all of this high-tech gear are specialists who number only a few hundred in the United States and perhaps only 2,000 in the entire world. Not surprisingly, they aren't particularly chatty about their occupation, but it's clear that they're in greater demand than ever. One of the handful of private contractors in the group (most are on the government payroll) told Business 2.0 that he was hired by a three-letter government agency the day of the attacks on New York and Washington, and has worked practically around the clock since. Of his latest assignment, all he will say is "I have to fly somewhere for this job tomorrow, and it won't be on a civilian aircraft."

Steve Uhrig [http://www.swssec.com] is another private sigint contractor, a onetime "spook" with U.S. Naval Intelligence who is now one of the most respected surveillance and technical countermeasure specialists in the world. In other words, he installs bugs and wiretaps, as well as conducts sweeps for them, and designs "black boxes" of spy gear for clients that have ranged from the NSA and the CIA to Tom Clancy himself. (Uhrig spent the summer wiring the author's 440-acre Maryland compound with state-of-the-art surveillance and security gear.) He has not yet been tapped for the war effort. But to the extent that the campaign against the Colombian drug cartels was a rehearsal for the coming showdown with terrorists, Uhrig has a unique perspective on how the new conflict might shape up. After all, the Colombian army is by far his largest customer. Among the surveillance systems he has set up in Colombia is a network of 100 "beeper busters," computer-driven receivers with decoders that can filter both pager numbers and content of interest to authorities in real time. Now the instant a suspected trafficker or money launderer receives a pager message, Colombian army intelligence has a copy of it.

The Escobar takedown shows how U.S. sigint can work with local forces to eliminate bad guys. In 1993 the CIA and a covert U.S. Army unit called Centra Spike spent months in Colombia monitoring Escobar's communications from both the ground and the air, finally pinpointing his location when he made a call from his cell phone. Colombian special forces commandos gunned down the Medellmn cartel leader as he ran barefoot across the rooftop of an apartment building.

Sigint's work against the cocaine cartels evolved into a game of high-tech cat-and-mouse, especially after Escobar's death taught traffickers the vulnerability of cell phones. One of the cartels' countermeasures is to "roll" cell phones to confuse wiretappers. Using scanners, they steal the identities of innocent bystanders' mobile phones and program the "cloned" numbers into their own handsets for a few days at a time. Authorities can't keep track of what phone numbers they should be tapping.

In response, authorities deployed a remarkable surveillance technology that operates over Colombia from spy planes. It uses a series of devices called IF-to-tape converters ("IF" stands for "intermediate frequency"), in conjunction with directional antennas, receivers, and wide-band recorders, to scoop up the major bands across the entire cellular spectrum. Loaded with the proper gear, one aircraft can record all of the cell traffic in a major city by circling it at a high altitude and exploiting the powerful microwave signals that form a handshake between cell sites in wireless networks. Back at the plane's base, a computer extracts audio files of actual conversations from the captured signals. The audio files are then filtered with sophisticated voice recognition software, allowing intelligence analysts to identify all of a suspect's conversations by his voice, no matter how many times he rolls his phones.

According to Uhrig, those kinds of vacuum cleaner technologies will not be as effective against Middle Eastern terrorists. For one thing, Afghanistan has no cellular service. For another, this year's successful prosecution of four terrorists implicated in the 1998 bombings of U.S. embassies in Africa relied heavily on NSA intercepts of cellular and satellite phone calls between terrorist leader Osama bin Laden and his al Qaeda network. All too aware that its phones were compromised, al Qaeda has reportedly curtailed its use of phones.

Sigint operatives will adapt by trying to move in closer to bin Laden. That delicate and dangerous task is the forte of an unacknowledged U.S. intelligence agency bearing the innocuous name of Special Collections Service (SCS). The agency, housed in Beltsville, Md., a short freeway ride from NSA headquarters, is jointly staffed by the NSA and the CIA. Operating under cover from U.S. embassies around the world, the agency is known for Mission Impossible-style operations -- most famously, hiding bugs on pigeons that perched on windowsills of the Soviet embassy in Washington, D.C. The SCS is currently working overtime, experts have told Business 2.0, eavesdropping on government communications in Middle East capitals and, where possible, setting up listening posts around figures close to bin Laden's network. "They'll be trying to build a case to show the Taliban's support for al Qaeda," says a retired U.S. special operations colonel who is still involved with the military.

If bin Laden or other suspects try to blend into a densely populated city, they might choose to talk on a radio frequency that they will "snuggle" next to a powerful signal like a local television transmitter. "If you're sweeping the area for a radio, you'll miss it unless you know exactly what you're looking for," says Uhrig, who was the technical consultant for the film Enemy of the State. "A receiver will lock on to the big transmitter." In that case, electronic espionage agents would likely do their hunting with a spectrum analyzer. This device shows a picture on a monitor of all signals, big and small, and can break them down into their component parts much like a chemical analysis of your drinking water.

If, as seems more likely, bin Laden remains holed up in his mountain hideouts, Uhrig surmises that the terrorist leader may use a low-powered high-frequency radio network, whose signals would be drowned in background noise such as that emitted by electronic car ignitions. But sigint doesn't need to capture a whole conversation to make life very tenuous for the broadcaster. In a manhunt, in fact, all it really needs to do is ascertain the coordinates of a target. Modern direction finders can get a bearing on a radio or a cell phone even if they capture a signal lasting as little as 20 milliseconds. In that scenario, a target may meet his end not with a sniper's bullet but with something much louder. Out in the Afghan mountains, says a high-ranking officer formerly in charge of counter-drug operations and surveillance in South America, "there is no reason to put our troops in danger and do a SWAT-style hard takedown. You would just put a high-tech weapon on him -- send a Tomahawk into his cave with a laser detonator."

No one in the military or intelligence communities thinks it will be easy to locate -- let alone stamp out -- the organizations responsible for the attacks on the nation's largest city and its capital. But no criminals in history have had so much electronic weaponry arrayed against them as bin Laden and his cohorts do today. "If bin Laden has anything that creates an RF signal, his ass is grass," says the private sigint specialist who was contracted for the manhunt. "If our boy has any brains at all, the only thing he has on him is his handy Kalishnikov and a copy of the Koran."