The last straw for Snowden was a secret program he discovered while getting up to speed on the capabilities of the NSA’s enormous and highly secret data storage facility in Bluffdale, Utah. Potentially capable of holding upwards of a yottabyte of data, some 500 quintillion pages of text, the 1 million-square-foot building is known within the NSA as the Mission Data Repository. (According to Snowden, the original name was Massive Data Repository, but it was changed after some staffers thought it sounded too creepy—and accurate.) Billions of phone calls, faxes, emails, computer-to-computer data transfers, and text messages from around the world flow through the MDR every hour. Some flow right through, some are kept briefly, and some are held forever.
The massive surveillance effort was bad enough, but Snowden was even more disturbed to discover a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country—a “kill” in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement. That’s a problem, Snowden says, because the initial attacks are often routed through computers in innocent third countries. “These attacks can be spoofed,” he says. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?”
In addition to the possibility of accidentally starting a war, Snowden views MonsterMind as the ultimate threat to privacy because, in order for the system to work, the NSA first would have to secretly get access to virtually all private communications coming in from overseas to people in the US. “The argument is that the only way we can identify these malicious traffic flows and respond to them is if we’re analyzing all traffic flows,” he says. “And if we’re analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”
It would also require sensors placed on the internet backbone to detect anomalous activity.
Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says the algorithm scanning system Snowden describes sounds similar to the government’s recent Einstein 2 and Einstein 3 programs, which use network sensors to identify malicious attacks aimed at U.S. government systems. If that system were secretly being extended to cover all U.S. systems, without public debate, that would be a concern.
Although MonsterMind does resemble the Einstein programs to a certain degree, it also sounds much like the Plan X cyberwarfare program run by DARPA. The five-year, $110 million research program has several goals, not the least of which is mapping the entire internet and identifying every node to help the Pentagon spot, and disable, targets if needed. Another goal is building a system that allows the Pentagon to conduct speed-of-light attacks using predetermined and pre-programmed scenarios. Such a system would be able to spot threats and autonomously launch a response, the Washington Post reported two years ago.
It’s not clear if Plan X is MonsterMind or if MonsterMind even exists. The Post noted at the time that DARPA would begin accepting proposals for Plan X (PDF) that summer. Snowden said MonsterMind was in the works when he left his work as an NSA contractor last year.
The NSA, for its part, would not respond to questions about the MonsterMind program.