Reefa Posted August 13, 2014

Edward Snowden has made us painfully aware of the government’s sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government’s cyber defense capabilities, too.

The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.

Although details of the program are scant, Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat.

Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted.

“An individual record of an individual flow only tells you so much, but more revealing might be patterns of flows that are indicative of an attack,” he says. “If you have hundreds or thousands of flows starting up from a particular place and targeted to a particular machine, this might indicate you’re under attack. That’s how intrusion detection and anomaly-detection systems generally work. If you have intelligence about the attack tools of your adversary, you may be able to match specific patterns to specific tools that are being used to attack.”

Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s, which in theory would have shot down any incoming nuclear missiles. In the same way, MonsterMind could identify a distributed denial of service attack lobbed against US banking systems or a malicious worm sent to cripple airline and railway systems and stop—that is, defuse or kill—it before it did any harm.

More than this, though, Snowden suggests MonsterMind could one day be designed to return fire—automatically, without human intervention—against the attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks.

Snowden doesn’t specify the nature of the counterstrike to say whether it might involve launching malicious code to disable the attacking system, or simply disable any malicious tools on the system to render them useless. But depending on how it’s deployed, such a program presents several concerns, two of which Snowden specifically addresses in the WIRED story.

First, an attack from a foreign adversary likely would be routed through proxies belonging to innocent parties—a botnet of randomly hacked machines, for example, or machines owned by another government. A counterstrike could therefore run the risk of embroiling the US in a conflict with the nation where the systems are located. What’s more, a retaliatory strike could cause unanticipated collateral damage. Before returning fire, the US would need to know what it is attacking, and what services or systems rely upon it. Otherwise, it could risk taking out critical civilian infrastructure. Microsoft’s recent move to take down two botnets—which disabled thousands of domains that had nothing to do with the malicious activity Microsoft was trying to stop—is an example of what can go wrong when systems are taken down without adequate foresight.

Blaze says such a system would no doubt take the attribution problem—looking beyond proxies to find exactly where the attack originated—into consideration. “Nobody would build a system like this and be unaware of the existence of decentralized botnet attacks laundered through the systems of innocent users, because that’s how pretty much all attacks work,” he says. That does not, however, make so-called hackback attacks any less problematic, he says.

The second issue with the program is a constitutional concern. Spotting malicious attacks in the manner Snowden describes would, he says, require the NSA to collect and analyze all network traffic flows in order to design an algorithm that distinguishes normal traffic flow from anomalous, malicious traffic.

“[T]hat means we have to be intercepting all traffic flows,” Snowden told WIRED’s James Bamford. “That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”

It would also require sensors placed on the internet backbone to detect anomalous activity.

Blaze says the algorithm scanning system Snowden describes sounds similar to the government’s recent Einstein 2 (.pdf) and Einstein 3 (.pdf) programs, which use network sensors to identify malicious attacks aimed at U.S. government systems. If that system were secretly being extended to cover all U.S. systems, without public debate, that would be a concern.

Although MonsterMind does resemble the Einstein programs to a certain degree, it also sounds much like the Plan X cyberwarfare program run by Darpa. The five-year, $110 million research program has several goals, not the least of which is mapping the entire internet and identifying every node to help the Pentagon spot, and disable, targets if needed. Another goal is building a system that allows the Pentagon to conduct speed-of-light attacks using predetermined and pre-programmed scenarios. Such a system would be able to spot threats and autonomously launch a response, the Washington Post reported two years ago.

It’s not clear if Plan X is MonsterMind or if MonsterMind even exists. The Post noted at the time that Darpa would begin accepting proposals for Plan X that summer. Snowden said MonsterMind was in the works when he left his work as an NSA contractor last year.

The NSA, for its part, would not respond to questions about the MonsterMind program.

Source

sujith Posted August 14, 2014

Edward Snowden is not done talking about the NSA and the way the intelligence agency oversteps its boundaries and plays a control game that can have dire consequences.

In a special interview for WIRED magazine, the whistleblower reveals that the NSA has developed a scary project called “MonsterMind” which can respond to cyberattacks from other countries without agents even intervening in any way. The system works by automating the process of hunting for the beginning of a foreign cyberattack. The NSA’s software is always on the lookout for traffic patterns indicating known or suspected attacks, and when one is detected, MonsterMind blocks it from entering the country. While this type of security system isn’t exactly new, NSA’s tool also has the ability to fight back against the attack, without any human getting involved in the process, which is, of course, the tricky part. The project is great from the point of view of national security, but Snowden points out that there is a huge risk of causing some international friction for no good reason, effectively giving birth to yet another set of diplomatic issues for the United States. And that’s because this type of attack can be spoofed. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?” Snowden asks.

What’s more, the whistleblower views MonsterMind as the ultimate threat to privacy because in order for the NSA to fight against threats, it first needs to get access to all private communications coming in from overseas to people in the United States. “The argument is that the only way we can identify these malicious traffic flows and respond to them is if we're analyzing all traffic flows. And if we're analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time,” Snowden says, painting the scary picture where privacy means nothing to the NSA. Even though this revelation is perfectly new and MonsterMind has never been discussed before, the news of NSA’s way of sacrificing citizens’ privacy whether there was a real threat or not is not at all surprising, at least not after more than a year of revelations.

Source
This topic is now archived and is closed to further replies.