By Joseph Menn
SAN FRANCISCO, July 3 (Reuters) - Silicon Valley has tried to distance itself from the controversial U.S. surveillance programs exposed by Edward Snowden, but there is a long history of close cooperation between technology companies and the intelligence community.
Former U.S. officials and intelligence sources say the collaboration between the tech industry and spy agencies is both broader and deeper than most people realize, dating back to the formative years of Silicon Valley itself.
As U.S. intelligence agencies accelerate efforts to acquire new technology and fund research on cybersecurity, they have invested in start-up companies, encouraged firms to put more military and intelligence veterans on company boards, and nurtured a broad network of personal relationships with top technology executives.
And they are using those connections to carry out specific espionage missions, current and former officials say, even as they work with the tech industry to avoid overt cooperation that might raise the hackles of foreign customers.
Joel Harding, an intelligence officer for the Joint Chiefs of Staff in the 1990s who went on to work at big defense contractors Computer Sciences Corp and SAIC, said spy agencies have at times persuaded companies to alter their hardware and software products to enable monitoring of foreign targets.
In one instance several years ago, an intelligence agency paid a tech company supervisor $50,000 to install tampered computer chips in machines bound for a customer in a foreign country so that they could be used for espionage, Harding said, declining to provide specifics. “They looked exactly the same, but they changed the chips,” he said.
A current U.S. intelligence operative, who spoke on condition of anonymity, said the government often works through third parties, in part to shield the big tech companies from fallout if the operations are discovered.
He cited a case more than a decade ago in which the government secretly created a computer reselling company to sell laptops to Asian governments. The reseller bought laptops from a company called Tadpole Computer, which made machines based on Sun Microsystems processors. The reseller added secret software that allowed intelligence analysts to access the machines remotely.
Tadpole was later bought by defense contractor General Dynamics Corp in 2005. General Dynamics declined to comment. Sun’s new owner, Oracle Corp, did not respond to an inquiry.
Despite these secret collaborations, former intelligence officials and company executives say the great fear of overseas customers - that widely used U.S. technology products contain a “back door” accessible only to the National Security Agency or Central Intelligence Agency - is exaggerated. They said computers and communications overseas are captured by other means, including third parties such as the laptop reseller and special software developed by the agencies.
Defense contractors offer the government the means to break in to the products of virtually every major software vendor, according to a product catalogue reviewed by Reuters that was described as typical for the industry. The NSA did not respond to a request for comment.
More massive cooperation is rare because big tech companies sell to many countries and have too much business at stake in markets like China to risk installing a back door that could be discovered, said one intelligence veteran who had worked for Microsoft Corp.
“Microsoft is technically a U.S. company, but it’s an international conglomerate with tons of subsidiaries,” he said. “It’s a major part of Microsoft strategy to sell to China.” A spokeswoman for the company declined to comment.
Silicon Valley’s relationship with U.S. intelligence agencies is under scrutiny after Snowden, a former contractor for the NSA, last month exposed a top secret Internet monitoring program known as Prism that relied on customer data supplied by major technology companies.
Google Inc, Microsoft, Facebook Inc and others scrambled to assure their customers that they only handed over data for specific intelligence investigations involving foreign targets, and they denied giving the NSA access to wholesale client data.
But last weekend, the European Union demanded that Washington explain its surveillance programs and some European politicians said there were grounds to break off trade talks. Others urged citizens to stop relying on U.S. providers.
The close and symbiotic relationship between U.S. tech companies and government defense and intelligence agencies is frequently underplayed in the mythology of Silicon Valley. Defense contracts were its lifeblood through much of the 1950s and 1960s. Frederick Terman, who led Allied radio-jamming efforts in World War II, came to Stanford University with grant money and counted the founders of Hewlett-Packard Co among his students.
Varian Associates and other startups, many with ties to Stanford, got their start in the 1950s with military contracts for microwave and vacuum-tube technologies that were used in aerospace projects. In the 1960s, government space and defense programs, especially the Minuteman missile effort, were the biggest customers for the Valley’s expensive integrated circuit computer chips. Database software maker Oracle Corp’s first customer was the CIA.
“The birth of Silicon Valley was solving defense problems,” said Anup Ghosh, whose cybersecurity firm Invincea Inc was launched in 2009 with funding from the Pentagon’s Defense Advanced Research Projects Agency.
DARPA, which initially funded what became the Internet out of a desire for a communications network that would survive a nuclear attack, has intensified its work on Internet security in recent years and recently launched a “fast-track” program to get smaller amounts of money to startups more quickly.
Federal cybersecurity spending is expected to reach $11.9 billion next year, up from $8.6 billion in 2010, according to budget analysts at Deltek.
The relationship between the Valley and the government has had its bumps. A low point came in the mid-1990s, when then-President Bill Clinton pressed the industry to include in its products a device called the Clipper Chip, which had an NSA-designed back door to allow for law enforcement eavesdropping if authorities obtained a warrant.
Civil liberties groups and such technology leaders as Microsoft and Apple Inc objected, in part because the code could be broken and presented a security risk, and eventually the administration backed down.
Stung by that setback, Washington tried harder to learn the Valley’s language. Its most visible initiative was the creation of In-Q-Tel, a venture capital fund intended to finance companies whose products were of interest to the CIA and other agencies.
In-Q-Tel’s portfolio now includes security companies such as FireEye and data analysis firms like Palantir Technologies, which counts the CIA as a major customer. In-Q-Tel often makes modest investments in exchange for companies adding specific features to their products, former employees said. In-Q-Tel declined to comment.
Government agencies often demand the right to review the software code of their technology vendors, said former McAfee Chief Technology Officer Stuart McClure. That could allow them to spot vulnerabilities that they can use to penetrate the software when it is installed at other locations.
In other cases, officials and executives said, companies give the government advance notice of software vulnerabilities, even before they have warned their own customers - information that could be used for defense, offense or both.
“The vulnerabilities that are discovered as well as the potential risks to the infrastructure are now shared at levels that have never had sharing before,” said Dave DeWalt, chief executive of FireEye and chairman of closely held security firm Mandiant. DeWalt was previously CEO of No. 2 security software vendor McAfee, which he said gave early threat warnings to intelligence agencies.
Chuck Mulloy, a spokesman for current McAfee owner Intel Corp, said the organization works with governments around the world but declined to discuss specifics.
In a more formal effort at coordinated defense, NSA Director Keith Alexander is leading a regular gathering called the Enduring Security Framework, in which CEOs are given temporary security clearances.
One outcome of those meetings: a cross-industry effort to improve the security of the boot-up process on personal computers, say several people familiar with the project.
“It’s a seriously dangerous game they all play,” former Pentagon intelligence officer Harding said of the tech companies. “They want to help their government, but if it comes out, it’s a serious problem. They are teetering and tottering, and if they teeter too far, they are going to lose.”