WASHINGTON – Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.
These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden, a computer technician who did work for the National Security Agency. The role of private companies has come under intense scrutiny since his disclosure this month that the NSA is collecting millions of U.S. residents’ telephone records and the computer communications of foreigners from Google Inc. and other Internet companies under court order.
Many of these same Internet and telecommunications companies voluntarily provide U.S. intelligence organizations with additional data, such as equipment specifications, that don’t involve their customers’ private communications, the four people said.
Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies and many other companies also participate in the government programs. In some cases, the information gathered may be used not just to defend the nation but to help infiltrate the computers of its adversaries.
Along with the NSA, the Central Intelligence Agency, the Federal Bureau of Investigation and branches of the U.S. military have agreements with such companies to gather data that might seem innocuous but could be highly useful in the hands of U.S. intelligence or cyberwarfare units, according to the people, who have either worked for the government or are in companies that have these accords.
Microsoft Corp., the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government “an early start” on risk assessment and mitigation.
In an emailed statement, Shaw said there are “several programs” through which such information is passed to the government, and named two that are public, run by Microsoft and for defensive purposes.
Willing cooperation — offshore
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.
Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between CEOs and the heads of America’s major spy agencies, the people familiar with those programs said.
NSA praise a matter of course
Michael Hayden, who formerly directed the National Security Agency and the CIA, described the attention paid to important company partners: “If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful.”
“You would keep it closely held within the company and there would be very few cleared individuals,” Hayden said.
Cooperation between nine U.S. Internet companies and the NSA’s Special Source Operations unit came to light along with a secret program called Prism. According to a slide deck provided by Snowden, the program gathers email, videos, and other private data of foreign surveillance targets through arrangements that vary by company, overseen by a secret panel of judges.
In addition to private communications, information about equipment specifications and data needed for the Internet to work — much of which isn’t subject to oversight as it doesn’t involve private communications — is valuable to intelligence, U.S. law enforcement and the military.
‘Committing officer’ clears way
If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.
Intel Corp.’s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.
Such a relationship would start with an approach to McAfee’s chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.
McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.
In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.
In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.
Following an attack on his company by Chinese hackers in 2010, Sergey Brin, Google’s co-founder, was provided with highly sensitive government intelligence linking the attack to a specific unit of the People’s Liberation Army, China’s military, according to one of the people, who is familiar with the government’s investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.
According to information provided by Snowden, Google, owner of the world’s most popular search engine, had at that point been a Prism participant for more than a year.