Edward Snowden talking:
a public interview with him at the Free Library of Philadelphia and I asked him about this massive data breach at the credit monitoring firm Equifax where upwards of 150 million people’s personal data was exposed. And I also asked him for his current take on the investigation into allegations of Russian interference in the U.S. election.
JS: From all of the publicly available information that you’ve seen, and I know you monitor these issues extremely closely, are you convinced that there was a campaign directed from the highest levels of power in Moscow to seek to influence the outcome of the U.S. election? And you’re speaking to us of course from Moscow right now.
ES: Right, right, right. If the feed gets cut short, you guys know why. (laughter) You know this is one of those things where it’s frustrating because there’s so much smoke, and nobody’s willing to point to fire. And I come from the NSA, right? My last position, I was working counter-cyber, finding exactly the kind of hackers that are being sort of alleged in this current moment, but for China rather than for Russia. And I got to tell you, it wasn’t real hard to find these guys.
So we had this report that came from the DNI and basically three agencies: I think it was the FBI, the CIA, and the NSA. And they said in their finding that they had, you know, confidence that that was the assessment, but there were some really weird things. This has led to this sort of ongoing drama that everybody’s focused on and it’s consuming the nation with kind of a passion where we can focus on anything else. Because we’re elevating Russia to a position where they can sort of control our political outcomes. And I think that’s actually giving Russia too much credit. I don’t think Russia is that strong, right?
But when we look at this report, and we think about, obviously, Russia would have interest, any country would have interest in changing electoral outcomes in other countries, I mean we do it, why wouldn’t the Russians? But the main thing here is the FBI and the CIA both said we have high confidence in this assessment, basically the Russians did, and the NSA, who is best positioned to actually make this judgment, so they had medium confidence in this assessment. But why the discrepancy there?
And the only reason that I can think about, and again I don’t know this. This is the problem when we speak about these things: we need evidence. You can track sort of these, let’s call them hacking attempts, from where they’re launched, even if the hackers are trying to hide their footsteps, when you have the powers of the NSA —
JS: You’re going out there, Ed. The feed actually has become choppy now that you’re getting into the details. [Audience laughs] As you were, Ed.
ES: To simplify things, and to sort of tie up the point here, when they were looking at the hacking into the DNC’s servers. This is a high value target. Whether we’re talking about the United States, whether we’re talking China, whether we’re talking Russia, everybody is targeting these institutions, if they have the resources, if they have the people, that’s their job.
And former director of the NSA and CIA, Michael Hayden, says this — he’s actually described this as honorable espionage, which I think is a bit much, but that’s his perspective, right? This is what intelligence agencies do. And the problem with this is so the DNC didn’t actually provide their service to the FBI. They contracted this third party company that’s basically paid to provide an explanation that goes, look this matches these attack indicators, right? Fair enough. We’ve seen these before. They’re attributed to the Russians, we think Russian —
But that’s all that they provide. The reality here is if the NSA didn’t have the same level of confidence, it’s very likely it’s because there are more people on the system, right? There could be multiple actors there. We can have the French, we can have the Chinese, we can have the Israelis, we can have the Germans all on the same system. And this happens all of the time, it happens so frequently that in NSA we have an actual term of art for this. Instead of hacking somebody, we’ll just watch what the hackers who already hacked them are taking, and then we just save a copy of that. It is called fourth-party collection.
And because there was so much traffic on this, they couldn’t really de-conflict it. But this raises the big question of, “Ok, well if the Russians didn’t do it, who did it, right?” And I think this is where it gets dicey — and where I start to think alright is probably Russians —
JS: Hold on a bit, Ed. You said the word ‘Russia’ again, and it started to go choppy. [Audience laughs] Either that or someone — someone’s downloading porn here.
ES: Right. Right. Right. So we’ll tie this off then, because it’s going on for a while. There is this allegation, right, that Vladimir Putin and Hillary Clinton basically hate each other, like they’re mortal enemies, right? And he wouldn’t want to see this. So when you start seeing a cui bono, you know maybe it’s possible. But here’s the central problem with everything we’ve discussed right now: it’s entirely speculation. Absolutely none of it is reliable. And previously when the United States government has seen hacking efforts that they considered threats to national security, they released evidence.
This is what’s missing. The NSA is spying on everyone, everywhere, all of the time. That’s how mass surveillance works. So why is it that we aren’t getting evidence about what is arguably the most important public policy question, when it comes to sort of foreign intelligence efforts in recent history?
JS: Ed, we only have a few moments left and I think I’d be remiss if I didn’t ask you about this Equifax breach, but it’s also emblematic of the powder keg that is all of this private data about us that is held by so many private corporations. And what’s particularly, you know, insane about the Equifax situation is that these are the people that can like prevent you from ever buying a house because you didn’t pay your credit card bill once, and it’s like they can’t even fucking keep our Social Security numbers safe. You know it’s like, who are they to tell anyone that they shouldn’t be eligible for a car loan ever again?
But it, but it reveals something I think, you know, that I think should be of deep concern to all of us. So many people have willingly given enormous quantities of private personal information to a variety of corporations and government entities, if you look at what’s happening with our healthcare system in the digitization of our medical records. But also unwittingly huge corporations have developed enormous dossiers on all of us that are lying there waiting to be exploited someday, or a breach happens and it ends up out in the open.
But in this whole landscape and the data breaches, what is your assessment of that and what can people do, what should people do to try to confront what is this unprecedented amassing of information about all of us and our private lives?
ES: Well first, there’s two parts to this question. There’s the specific case and there’s the general case. When we talk about Equifax, right, the last count that I saw was the records of 143 million Americans were lost. There’s no way that this doesn’t happen without negligence, because the volume of data that has been moved from a system that should not be pushing that much data, right, is very trivially detectable.
Imagine you have a hose, leading out of your house, right? And somebody can have a hose turned on and water flows out of the house, but it takes a long time right to create thousands and thousands and thousands of dollars of water charges. Now imagine, somebody snuck in your house when you were, you were sleeping and they increased the water pressure on that system so that you have a stream of water shooting out of that hose that’s so powerful, it actually rips your house off the foundations, pushes it down the block. And you just go out of your house in the morning and drive to work, don’t notice it, you don’t tell anybody about it, you just go and you drive back at the end of the day and go, “My house isn’t there!” [Audience laughs.]
That’s what happened, right? It is ridiculous that this could occur at a company that is so powerful, so influential, so rich. It’s naked negligence. But then there’s the larger general case here. We are living through the greatest crisis in computer security that we have ever seen. This is the atomic moment for computer science as we had for nuclear physics in the last century, the last generation where people who had developed a science, a technology for the empowerment of humanity found only a few short years later, people began mastering this technology to use it to subjugate people, rather than to lift them up, to press them down. Right? And you have to care about this.
Yes, we should be angry with the hackers, right? But we should think about how the ecosystem got to this point. We should think about the fact that there are liability laws for every other sector of the American economy. If you build and sell a car, that car has to meet some minimum safety standards. If you develop and sell a new medicine, it has to meet certain minimum safety standards. If you sell a burrito on the street, it’s got to meet minimum safety standards. But if you create a credit monitoring system that impacts the lives of basically everyone with a credit card in the United States, there are no minimum safety standards that they’re having to deal with.
And this goes double for the people who actually write software in the first place. Now I don’t know where to set the law. I don’t know how to change these things. I’m not going to pretend to be the guy with the magic wand in the policy prescription here. But I think we can all recognize that if industry will not regulate itself here, someone else is going to have to do it for them. [Audience claps.]
JS: That was NSA whistleblower Edward Snowden. I talked to him on Monday in an interview that I did at the Free Library of Philadelphia.
— source theintercept.com 2017-10-06