Frankenstein, written in 1818, is largely set in Geneva, the
bustling, neat, clean, clockwork-organized Swiss city where I now made my
home. Like many Americans, I’d grown up watching the various movie versions
and TV cartoons, but I’d never actually read the book. In the days before I left
the States, however, I’d been searching for what to read about Geneva, and in
nearly all the lists I found online, Frankenstein stood out from among the tourist
guides and histories. In fact, I think the only PDFs I downloaded for the flight
over were Frankenstein and the Geneva Conventions, and I only finished the
former. I did my reading at night over the long, lonely months I spent by myself
before Lindsay moved over to join me, stretched out on a bare mattress in the
living room of the comically fancy, comically vast, but still almost entirely
unfurnished apartment that the embassy was paying for on the Quai du Seujet, in
the Saint-Jean Falaises district, with the Rhône out one window and the Jura
Mountains out the other.
Suffice it to say, the book wasn’t what I expected. Frankenstein is an
epistolary novel that reads like a thread of overwritten emails, alternating scenes
of madness and gory murder with a cautionary account of the way technological
innovation tends to outpace all moral, ethical, and legal restraints. The result is
the creation of an uncontrollable monster.
In the Intelligence Community, the “Frankenstein effect” is widely cited,
though the more popular military term for it is “blowback”: situations in which
policy decisions intended to advance American interests end up harming them
irreparably. Prominent examples of the “Frankenstein effect” cited by
after-the-fact civilian, governmental, military, and even IC assessments have included
America’s funding and training of the mujahideen to fight the Soviets, which
resulted in the radicalization of Osama bin Laden and the founding of al-Qaeda,
as well as the de-Baathification of the Saddam Hussein–era Iraqi military, which
resulted in the rise of the Islamic State. Without a doubt, however, the major
instance of the Frankenstein effect over the course of my brief career can be
found in the US government’s clandestine drive to restructure the world’s
communications. In Geneva, in the same landscape where Mary Shelley’s
creature ran amok, America was busy creating a network that would eventually
take on a life and mission of its own and wreak havoc on the lives of its
creators—mine very much included.
The CIA station in the American embassy in Geneva was one of the prime
European laboratories of this decades-long experiment. This city, the refined Old
World capital of family banking and an immemorial tradition of financial
secrecy, also lay at the intersection of EU and international fiber-optic networks,
and happened to fall just within the shadow of key communications satellites
circling overhead.
The CIA is the primary American intelligence agency dedicated to HUMINT
(human intelligence), or covert intelligence gathering by means of interpersonal
contact—person to person, face-to-face, unmediated by a screen. The COs (case
officers) who specialized in this were terminal cynics, charming liars who
smoked, drank, and harbored deep resentment toward the rise of SIGINT
(signals intelligence), or covert intelligence gathering by means of intercepted
communications, which with each passing year reduced their privilege and
prestige. But though the COs had a general distrust of digital technology
reminiscent of Frank’s back at headquarters, they certainly understood how
useful it could be, which produced a productive camaraderie and a healthy
rivalry. Even the most cunning and charismatic CO will, over the course of their
career, come across at least a few zealous idealists whose loyalties they can’t
purchase with envelopes stuffed with cash. That was typically the moment when
they’d turn to technical field officers like myself—with questions, compliments,
and party invitations.
To serve as a technical field officer among these people was to be as much a
cultural ambassador as an expert adviser, introducing the case officers to the
folkways and customs of a new territory no less foreign to most Americans than
Switzerland’s twenty-six cantons and four official languages. On Monday, a CO
might ask my advice on how to set up a covert online communications channel
with a potential turncoat they were afraid to spook. On Tuesday, another CO
might introduce me to someone they’d say was a “specialist” in from
Washington—though this was in fact the same CO from the day before, now
testing out a disguise that I’m still embarrassed to say I didn’t suspect in the
least, though I suppose that was the point. On Wednesday, I might be asked how
best to destroy-after-transmitting (the technological version of
burn-after-reading) a disc of customer records that a CO had managed to purchase from a
crooked Swisscom employee. On Thursday, I might have to write up and
transmit security violation reports on COs, documenting minor infractions like
forgetting to lock the door to a vault when they’d gone to the bathroom—a duty
I’d perform with considerable compassion, since I once had had to write up
myself for exactly the same mistake. Come Friday, the chief of operations might
call me into his office and ask me if, “hypothetically speaking,” headquarters
could send over an infected thumb drive that could be used by “someone” to
hack the computers used by delegates to the United Nations, whose main
building was just up the street—did I think there was much of a chance of this
“someone” being caught?
I didn’t and they weren’t.
In sum, during my time in the field, the field was rapidly changing. The
agency was increasingly adamant that COs enter the new millennium, and
technical field officers like myself were tasked with helping them do that in
addition to all of our other duties. We put them online, and they put up with us.
Geneva was regarded as ground zero for this transition because it contained
the world’s richest environment of sophisticated targets, from the global
headquarters of the United Nations to the home offices of numerous specialized
UN agencies and international nongovernmental organizations. There was the
International Atomic Energy Agency, which promotes nuclear technology and
safety standards worldwide, including those that relate to nuclear weaponry; the
International Telecommunication Union, which—through its influence over
technical standards for everything from the radio spectrum to satellite orbits—
determines what can be communicated and how; and the World Trade
Organization, which—through its regulation of the trade of goods, services, and
intellectual property among participating nations—determines what can be sold
and how. Finally, there was Geneva’s role as the capital of private finance, which
allowed great fortunes to be stashed and spent without much public scrutiny
regardless of whether those fortunes were ill-gotten or well earned.
The notoriously slow and meticulous methods of traditional spycraft
certainly had their successes in manipulating these systems for America’s
benefit, but ultimately too few to satisfy the ever-increasing appetite of the
American policy makers who read the IC’s reports, especially as the Swiss
banking sector—along with the rest of the world—went digital. With the world’s
deepest secrets now stored on computers, which were more often than not
connected to the open Internet, it was only logical that America’s intelligence
agencies would want to use those very same connections to steal them.
Before the advent of the Internet, if an agency wanted to gain access to a
target’s computer it had to recruit an asset who had physical access to it. This
was obviously a dangerous proposition: the asset might be caught in the act of
downloading the secrets, or of implanting the exploitative hardware and software
that would radio the secrets to their handlers. The global spread of digital
technology simplified this process enormously. This new world of “digital
network intelligence” or “computer network operations” meant that physical
access was almost never required, which reduced the level of human risk and
permanently realigned the HUMINT/SIGINT balance. An agent now could just
send the target a message, such as an email, with attachments or links that
unleashed malware that would allow the agency to surveil not just the target’s
computer but its entire network. Given this innovation, the CIA’s HUMINT
would be dedicated to the identification of targets of interest, and SIGINT would
take care of the rest. Instead of a CO cultivating a target into an asset—through
cash-on-the-barrel bribery, or coercion and blackmail if the bribery failed—a few
clever computer hacks would provide a similar benefit. What’s more, with this
method the target would remain unwitting, in what would inevitably be a cleaner
process.
That, at least, was the hope. But as intelligence increasingly became
“cyberintelligence” (a term used to distinguish it from the old phone-and-fax
forms of off-line SIGINT), old concerns also had to be updated to the new
medium of the Internet. For example: how to research a target while remaining
anonymous online.
This issue would typically emerge when a CO would search the name of a
person from a country like Iran or China in the agency’s databases and come up
empty-handed. For casual searches of prospective targets like these, No Results
was actually a fairly common outcome: the CIA’s databases were mostly filled
with people already of interest to the agency, or citizens of friendly countries
whose records were more easily available. When faced with No Results, a CO
would have to do the same thing you do when you want to look someone up:
they’d turn to the public Internet. This was risky.
Normally when you go online, your request for any website travels from your
computer more or less directly to the server that hosts your final destination—the
website you’re trying to visit. At every stop along the way, however, your
request cheerfully announces exactly where on the Internet it came from, and
exactly where on the Internet it’s going, thanks to identifiers called source and
destination headers, which you can think of as the address information on a
postcard. Because of these headers, your Internet browsing can easily be
identified as yours by, among others, webmasters, network administrators, and
foreign intelligence services.
It may be hard to believe, but the agency at the time had no good answer for
what a case officer should do in this situation, beyond weakly recommending
that they ask CIA headquarters to take over the search on their behalf. Formally,
the way this ridiculous procedure was supposed to work was that someone back
in McLean would go online from a specific computer terminal and use what was
called a “nonattributable research system.” This was set up to proxy—that is,
fake the origin of—a query before sending it to Google. If anyone tried to look
into who had run that particular search, all they would find would be an anodyne
business located somewhere in America—one of the myriad fake
executive-headhunter or personnel-services companies the CIA used as cover.
I can’t say that anyone ever definitively explained to me why the agency
liked to use “job search” businesses as a front; presumably they were the only
companies that might plausibly look up a nuclear engineer in Pakistan one day
and a retired Polish general the next. I can say with absolute certainty, however,
that the process was ineffective, onerous, and expensive. To create just one of
these covers, the agency had to invent the purpose and name of a company,
secure a credible physical address somewhere in America, register a credible
URL, put up a credible website, and then rent servers in the company’s name.
Furthermore, the agency had to create an encrypted connection from those
servers that allowed it to communicate with the CIA network without anyone
noticing the connection. Here’s the kicker: After all of that effort and money was
expended just to let us anonymously Google a name, whatever front business
was being used as a proxy would immediately be burned—by which I mean its
connection to the CIA would be revealed to our adversaries—the moment some
analyst decided to take a break from their research to log in to their personal
Facebook account on that same computer. Since few of the people at
headquarters were undercover, that Facebook account would often openly
declare, “I work at the CIA,” or just as tellingly, “I work at the State Department,
but in McLean.”
Go ahead and laugh. Back then, it happened all the time.
During my stint in Geneva, whenever a CO would ask me if there was a
safer, faster, and all-around more efficient way to do this, I introduced them to
Tor.
The Tor Project was a creation of the state that ended up becoming one of the
few effective shields against the state’s surveillance. Tor is free and open-source
software that, if used carefully, allows its users to browse online with the closest
thing to perfect anonymity that can be practically achieved at scale. Its protocols
were developed by the US Naval Research Laboratory throughout the
mid-1990s, and in 2003 it was released to the public—to the worldwide civilian
population on whom its functionality depends. This is because Tor operates on a
cooperative community model, relying on tech-savvy volunteers all over the
globe who run their own Tor servers out of their basements, attics, and garages.
By routing its users’ Internet traffic through these servers, Tor does the same job
of protecting the origin of that traffic as the CIA’s “non-attributable research”
system, with the primary difference being that Tor does it better, or at least more
efficiently. I was already convinced of this, but convincing the gruff COs was
another matter altogether.
With the Tor protocol, your traffic is distributed and bounced around through
randomly generated pathways from Tor server to Tor server, with the purpose
being to replace your identity as the source of a communication with that of the
last Tor server in the constantly shifting chain. Virtually none of the Tor servers,
which are called “layers,” know the identity of, or any identifying information
about, the origin of the traffic. And in a true stroke of genius, the one Tor server
that