The NSA has not infected millions of computers with malware, it said in a statement on Thursday. It could though, it seems, as the agency made no attempt to deny the existence of an automated malware delivery system which appears in documents leaked by Edward Snowden this week.
According to the documents, the system, codenamed Turbine, is meant to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”
Last year, GCHQ gained access to Belgacom communications by hacking employees, and The Intercept says the UK agency “appears to have played an integral role” in developing the NSA’s malware program.
The documents allege that NSA delivery methods for malware include posing as a Facebook server and distributing spam email.
A statement published to the NSA’s official website on Thursday addresses the allegations, saying “Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating US social media or other websites, are inaccurate.”
The Intercept article suggests that the distribution of malware to millions of computers is a theoretical capability, and that the number of computers being spied on the by the NSA is closer to 100,000, though it is increasing. Other media outlets have been discriminate about what they allege or imply to varying degrees, and sensationalist versions are addressed by the NSA statement, which rules out “indiscriminate computer exploitation operations.”
The statement does not deny the allegation that the system exists, or its capabilities. It does directly deny the allegations of posing as Facebook, and then reiterates that denial, saying “NSA does not use its technical capabilities to impersonate US company websites.”
Most of the rest of the statement will be interpreted by critics as begging the question, with phrases like “in strict accordance with its authorities,” and “legal, policy, and operational context” providing assurance only that the agency believes its actions are appropriate.
Perhaps more worrying to hosts are allegations of an internal message board post, entitled “I hunt sys admins,” in which surveillance of communications processed by foreign phone and internet service providers is discussed.
The European Union moved to overhaul data protection legislation this week to address ongoing data privacy and security concerns, and Snowden provided testimony to the European Parliament earlier this month.