The leaks keep coming about how and where the National Security Agency (NSA) is able to obtain information on Americans and, seemingly, anyone else in the world. The leaks largely come from a single source: former NSA contractor Edward Snowden and the massive data theft from his employer, which continues to shed light on the NSA’s surveillance activities in the U.S. and abroad.
This week, the Washington Post published details on the NSA’s MUSCULAR program, which is able to intercept data from Google and Yahoo data centers.
Is anyone really surprised?
After so many disclosures on the boundless initiatives of the NSA to get data (all in a noble bid to protect the U.S. against terrorist attacks), there is no stone left unturned. My own personal view is that there should be no safe harbor for terrorists, and the Internet should not be a place for them to hide. That said, the scale at which the NSA is allegedly collecting data from sources around the world is alarming.
In the MUSCULAR approach, the NSA has cleverly managed to insert itself at a point where it can intercept all Google and Yahoo traffic. You see, both Google and Yahoo use robust sets of private links between data centers. As a networking guy, though, I know full well that the modern Internet always has a peering point (typically connected with BGP, the Border Gateway Protocol). The Washington Post report notes that the NSA relies on an “… un-named telecom vendor to offer secret access to a cable or switch through which Google and Yahoo traffic passes.”
A good practice for network admins looking to monitor and diagnose traffic is to use a network TAP. What the NSA has likely done is deploy a TAP and then mirror the traffic so that the agency can do whatever further analysis is needed to protect the U.S.
No doubt, both Google and Yahoo are livid that their traffic is being pilfered at will by the NSA. But the simple reality is that the way the Internet works, at some point data traffic needs to be peered and at some point there is always a network switch or device that could have a TAP port.
For regular users of the Internet (i.e., those of us who aren’t Google or Yahoo), just run a traceroute on your own PC and see how many network hops there are between you and your intended Website. Any one of those network hops could have a TAP.
If I were architecting a network that was supposed to be more secure, the first step I’d take is to reduce the number of hops. Using a private network with MPLS (Multiprotocol Label Switching) or other nonpublic fiber Internet links, much like Google and Yahoo are trying to do, is a critical step. In the final analysis, there is (as I said earlier) always a peering point. Well, at least there is today.
Given this new disclosure, Google and Yahoo now need to rethink their network topology to further ensure that every step and every device is owned and controlled by them. In the MUSCULAR disclosure, it could just be a single link from a single telecom vendor that is the weak link. Sure, Google and Yahoo can also work on improving data cryptography, but the reality is that once someone has access to the data, it’s only a matter of time until the data is decrypted.
Protecting the network from being intercepted in the first place is likely a near-impossible goal, but that’s the only way Google and Yahoo could ever protect all their data.
In terms of what’s next from the Snowden files? Who knows. It’s absolutely amazing to see the near-endless stream of top secret reports that he had access to and was able to steal. While the security of Google and Yahoo data centers is now suspect, the greater breach in my view still remains the one at the NSA itself that allowed a contractor to walk away with an as yet unknown volume of top secret information.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.