In a video last year, Marios Savvides, the director of Carnegie Mellon’s CyLab Biometrics Center, sat in his white Chevy Suburban and peered into his sideview mirror, explaining for the camera that a team of students about 40 feet behind him were aiming an experimental piece of technology to scan his iris and quickly run it through a database to identify him on the spot.
The technology, developed in his lab, are especially important for law enforcement, said Mr. Savvides. Think of a cop pulling over a motorist for speeding and using the nearly immediate identification to discover he is a sought-after criminal. Or airport security now able to identify kidnapped children who are now in the hands of sex traffickers.
Iris identification technology is just one of many innovations to come out of CyLab and other academic institutions that have become major resources for the surveillance industry. Research centers like CyLab and the Lincoln Laboratory at the Massachusetts Institute of Technology have become, in effect, the R&D arms for cybersecurity innovations used by law enforcement, private companies and others looking for surveillance capabilities.
“Law enforcement has a huge technology gap from what you see on … CSI and what they have,” said Savvides.
Among the problems CyLab is working to fix is the problem of low-quality images of suspects that police would often try to fix by adding missing areas so a computer could recognize the face. Savvides said that’s a problem because it is essentially adding biometric components of other people to the original image.
CyLab also wants improve identification when the camera only catches a suspect’s eyes because he or she is masked. For instance, the international manhunt for “Jihad John” later identified as Mohammed Emwazi, who as the English-speaking spokesman for ISIS in a number of propaganda videos was covered from head to toe, with only his eyes and voice as clues. Emwazi was the captor standing behind American journalist James Foley in the video of his beheading.
“I know there’s a lot of concern – big brother and whatnot,” said Savvides. “The reality is law enforcement needs the technology so badly to help save people from criminals that are out there.”
Among university-based research centers, there are different funding models.
MIT’s Lincoln Laboratory is a federally funded Department of Defense research facility whose contracts are managed by the Air Force.
CyLab, on the other hand, is supported by both private and public, mainly federal, research funding. CyLab does not sell its products if they are going toward a public use — like law enforcement.
The lab offers private partnerships to corporations for $25,000 to $500,000. In return, partners such as Aetna, Boeing, Facebook and Lockheed Martin get access to research, other reports and tools.
The National Security Agency regularly holds competitions and “codebreaker challenges” that engage student researchers at CyLab and the other programs. In February, three CyLab students placed third in a challenge to reverse-engineer software from a fictitious terrorist group that, on its surface, looked like a program to check stock information but actually sent encoded messages.
NSO Group and FinFisher
One of the companies with the best kept secrets in the surveillance industry is NSO Group, largely thought to have been founded by alumni of an elite Israeli army intelligence unit. It’s employees are anonymous. It’s office location is unknown. It has no website. In fact, the only reason the public is aware the firm exists is an incident involving an internationally known human rights activist.
Ahmed Mansoor, a recipient of the Martin Ennals Award for Human Rights Defenders, received suspicious text messages that included hacks created by NSO Group in an attempt to infiltrate his cellphone.
The texts claimed clicking on a URL would reveal information about torture taking place in jails in the United Arab Emirates, where Mansoor was based. Wary, he forwarded the texts without clicking on the URL to researchers at Citizen Lab, which is part of the Munk School of Global Affairs at the University of Toronto. The center studies targeted digital attacks and attempts to control the free flow of information internationally.
Citizen Lab, in collaboration with Lookout Security, a mobile security company, was able to connect the texts to NSO Group, according to a report on its website. This zero-day exploit, a hole in the software unknown to the developer, was perhaps the first of its kind, according to the report that senior researcher John Scott-Railton and Citizen Lab published two weeks after Mansoor sent them the texts. That makes it very valuable, especially because it targeted an iPhone, which are notoriously difficult to crack. Indeed, one similar exploit for iPhones was sold for $1 million in November 2015 to a firm named Zerodium.
It’s an example of the money commanded by top-flight surveillance and security firms such as NSO Group and Gamma Group. The World Economic Forum’s 2016 Global Risk Report estimates crimes in cyberspace will cost the global economy around $445 billion this year—greater than the combined market caps of Exxon Mobil and McDonald’s.
“If you look at the public statements made by people who work at some companies like Gamma Group and Hacking Team, you will find that they often acknowledge the financial rewards of the business,” Scott-Railton said. “But [they] also point to the fact that their tools are used in ways that they believe to be legitimate by law enforcement and others to track down, as they would say, criminals and terrorists.”
What makes things difficult, Scott-Railton said, is how easy it is for the governments that purchase surveillance tools to switch their targets from criminals and terrorists to dissidents and political enemies. Gamma Group, which has been criticized for selling tools used by repressive regimes worldwide, is an international company whose website says the group “exclusively supplies, integrates and trains authorized government agencies.”
Scott-Railton points out that this can be a “convenient narrative” for companies in the surveillance industry. By focusing on their tools’ uses to crack down on criminal activities, firms that exist in the gray area between good and bad may steer attention away from the rest of their client base that may not have such good intentions “while simultaneously providing a degree of moral absolution against the more troubling potential for misuse of their tools,” he said.
“It is clearly the case that any business that enters this space is going to face the difficult problem of understanding how their tool is used and preventing misuse,” he said. “It is only a matter of time in a state that has limited judicial oversight and limited rule of law before a tool for secret surveillance like hacking ends up being pointed not at a national security threat but at something closer to a perceived political threat.”
Many companies prefer to work through intermediaries to ease the hassle of export restrictions and other legal issues, Scott-Railton said. While this reduces red tapes for the surveillance firms, “it can also create the issue that they’re not in a position to do real due diligence about how their tools may be used.”
Gamma Group, in particular, has been criticized by human rights organizations for selling a specific product, FinFisher, that enables customers—usually governments—to conduct targeted hacking. Some countries have later used it to spy on on their citizens, according to a Citizen Lab report on FinFisher.
“We’ve found that it has been used in ways that look on their face to be abusive against civil society and journalists in many different countries,” Scott-Railton said. The report identified 32 countries believed to be using the technology. Notable incidents include Bahrain, which used the tool to target “some of the country’s top law firms, journalists, activists and opposition political leaders,” the report said, and exiled Ethiopian dissidents in the United States and elsewhere targeted by their home government.
Another issue is the proliferation of these technologies. Zero-day exploits are called zero-day for a reason: They are the first of their kind. But, inevitably, other actors will get their hands on the technology, and not all of them will have honorable intentions.
“As a global community,” Scott-Railton said, “how do we want to treat the issue of the proliferation of the technology to hack, globally? Is the proliferation of these technologies contributing to or damaging global security? … In some cases, the proliferation of this technology can lead to clear abuses.”
Booz Allen Hamilton
Booz Allen Hamilton, the vast consulting firm that earns billions working for American intelligence agencies, has been the victim of two high-profile leaks in the past few years. Both were perpetrated by contract employees. Most recent was the arrest of Harold T. Martin III on suspicion of stealing classified information. Booz Allen is also the firm that infamously employed Edward Snowden, one of the most well-known leakers in modern history.
There has been speculation that the congressionally mandated Defense Department cuts that hurt defense contractors combined with the stress of dealing with classified material created a culture that fostered leaks.
However, two former employees, one of them a senior consultant, disagreed, said the Martin and Snowden are outliers.
A former employee who now works for the State Department and spoke on the condition of anonymity said the culture was professional, but became increasingly tense because of sequestration. She added, however, that the Booz Allen Hamilton surveillance section was largely unaffected, as were many intelligence contractors, because they had multi-year contracts.
“I don’t really attribute the Snowden situation or this most recent guy to any particular Booz Allen culture or pressures of the marketplace,” the State Department worker said. “I sort of see them as a lone wolf.” She added that most employees at surveillance firms are, like most professionals, just trying to create careers.
“I happen to think it’s just bad luck.”
Another former Booz Allen employee described the company’s culture as “very corporate governmental.
“Obviously, you’re dealing with the sensitivities of government security,” he said. “There’s a lot more security protocol than the way I operate business now — mobile, cell phone, email. Obviously those are not things you’re able to do when you’re supporting the national security work that I was doing at the time.”
In May, Booz Allen was named a lead contractor in a $460 million contract with United States Cyber Command or CyberCom. According to DefenseOne, the first job in the contract included hacking and counterhacking work.