NATO mulls ‘offensive defense’ with cyber warfare rules

By Robin Emmott

TARTU, Estonia (Reuters) – A group of NATO allies are considering a more muscular response to state-sponsored computer hackers that could involve using cyber attacks to bring down enemy networks, officials said.

The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019.

The doctrine could shift NATO’s approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology.

“There’s a change in the (NATO) mindset to accept that computers, just like aircraft and ships, have an offensive capability,” said U.S. Navy Commander Michael Widmann at the NATO Cooperative Cyber Defence Centre of Excellence, a research center affiliated to NATO that is coordinating doctrine writing.

Washington already has cyber weapons, such as computer code to take down websites or shut down IT systems, and in 2011 declared that it would respond to hostile cyber acts.

The United States, and possibly Israel, are widely believed to have been behind “Stuxnet”, a computer virus that destroyed nuclear centrifuges in Iran in 2010. Neither has confirmed it.

Some NATO allies believe shutting down an enemy power plant through a cyber attack could be more effective than air strikes.

“I need to do a certain mission and I have an air asset, I also have a cyber asset. What fits best for me to get the effect I want?” Widmann said.

The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails.

In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data.

Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns.

They believe Russia is trying to break Western unity over economic sanctions imposed over Moscow’s 2014 annexation of Crimea and its support for separatists in eastern Ukraine.

“They (Russia) are seeking to attack the cohesion of NATO,” said a senior British security official, who said the balance between war and peace was becoming blurred in the virtual world. “It looks quite strategic.”

Moscow has repeatedly denied any such cyber attacks.

ESTONIAN ‘CYBER COMMAND’

The United States, Britain, the Netherlands, Germany and France have “cyber commands” — special headquarters to combat cyber espionage and hacks of critical infrastructure.

Estonia, which was hit by one of the world’s first large-scale cyber attacks a decade ago, aims to open a cyber command next year and make it fully operational by 2020, with offensive cyber weapons.

“You cannot only defend in cyberspace,” said Erki Kodar, Estonia’s undersecretary for legal and administrative affairs who oversees cyber policy at the defense ministry.

Across the globe this year computer hackers have disrupted multinational firms, ports and public services on an unprecedented scale, raising awareness of the issue.

NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks.

“The fictional scenarios are based on real threats,” said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise.

NATO’s commanders will not develop cyber weapons, but allied defense ministers agreed last month that NATO commanders can request that nations allow them use of their weapons.

(Reporting by Robin Emmott; Editing by Peter Graff)

UK shipping firm Clarkson reports cyber attack

(Reuters) – British shipping services provider Clarkson Plc <CKN.L> on Wednesday said it was the victim of a cyber security hack and warned that the person or persons behind the attack may release some data shortly.

The company’s disclosure, while a relatively rare event in Britain, follows a series of high-profile hacks in corporate America.

Clarkson is one of the world’s main shipbrokers, sourcing vessels for the world’s largest producers and traders of natural resources. It also has a research operation which collects and analyses data on merchant shipping and offshore markets.

The London-headquartered company said it had been working with the police on the incident but did not provide any details about the scale or type of data stolen.

“As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident,” the company said.

“Our initial investigations have shown the unauthorized access was gained via a single and isolated user account which has now been disabled.”

The company said it is in the process of contacting potentially affected clients and individuals directly, and that it has been working with data security specialists to probe further.

(Reporting by Rahul B in Bengaluru; Editing by Maju Samuel and Patrick Graham)

Millions of insecure gadgets exposed in European cities: report

LONDON (Reuters) – A year after a wave of denial-of-service attacks knocked out major websites around the world, millions of unsecured printers, network gear and webcams remain undefended against attack across major European cities, a report published on Tuesday said.

Computer security company Trend Micro <4704.T> said that Berlin has more than 2.8 million insecure devices, followed closely by London with more than 2.5 million exposed gadgets. Among the top 10 capitals, Rome was lowest with nearly 300,000 visible unsecured devices, the researchers said.

The study was based on calculating the number of exposed devices in major European cities using Shodan, a search engine that helps to identify internet-linked equipment.

Trend Micro said that electronics users must take responsibility for managing their own internet-connected devices because of the failure by many gadget manufacturers to build in up-front security by default in their products.

The warning comes one year after a wave of attacks using so-called botnets of infected devices caused outages on popular websites and knocked 900,000 Deutsche Telekom <DTEGn.DE> users off the internet. (http://reut.rs/2BjdRII)

Computer experts say the failure to patch millions of insecure devices after last year’s Mirai denial-of-service attacks means it is only a question of time before further broad-based outages occur.

Research company Gartner recently forecast that there would be 8.4 billion connected products or devices in 2017, up 31 percent from 2016, and expects the number to triple by 2020. (https://goo.gl/thR54Q)

(Reporting by Jamillah Knowles; Editing by Eric Auchard and David Goodman)

U.S. government warns businesses about cyber bug in Intel chips

By Stephen Nellis and Jim Finkle

(Reuters) – The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

“These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years,” said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

Intel said that it knew of no cases where hackers had exploited the vulnerability in a cyber attack.

The Department of Homeland Security advised computer users to review the warning from Intel, which includes a software tool that checks whether a computer has a vulnerable chip. It also urged them to contact computer makers to obtain software updates and advice on strategies for mitigating the threat. (http://bit.ly/2zqhccw)

Intel spokeswoman Agnes Kwan said the company had provided software patches to fix the issue to all major computer manufacturers, though it was up to them to distribute patches to computer users.

Dell’s support website offered patches for servers, but not laptop or desktop computers, as of midday Tuesday. Lenovo offered fixes for some servers, laptops and tablets and said more updates would be available Friday. HP posted patches to its website on Tuesday evening.

Security experts noted that it could take time to fix vulnerable systems because installing patches on computer chips is a difficult process.

“Patching software is hard. Patching hardware is even harder,” said Ben Johnson, co-founder of cyber startup Obsidian Security.

(Reporting by Stephen Nellis; Editing by Cynthia Osterman and Grant McCool)

South Korea fears further missile advances by North this year in threat to U.S.

By Hyonhee Shin

SEOUL (Reuters) – North Korea may conduct additional missile tests this year to polish up its long-range missile technology and ramp up the threat against the United States, South Korea’s spy agency said on Monday, adding that it was monitoring developments closely.

North Korea is pursuing nuclear weapons and missile programs in defiance of U.N. Security Council sanctions and has made no secret of its plans to develop a missile capable of hitting the U.S. mainland. It has fired two missiles over Japan.

The reclusive state appears to have carried out a recent missile engine test while brisk movements of vehicles were spotted near known missile facilities, Yi Wan-young, a member of South Korea’s parliamentary intelligence committee which was briefed by Seoul’s National Intelligence Service, said.

No sign of an imminent nuclear test had been detected, Yi noted. The third tunnel at the Punggye-ri complex remained ready for another detonation “at any time”, while construction had recently resumed at a fourth tunnel, leaving it out of use for the time being.

“The agency is closely following the developments because there is a possibility that North Korea could fire an array of ballistic missiles this year under the name of a satellite launch and peaceful development of space, but in fact to ratchet up its threats against the United States,” the lawmakers told reporters after a closed-door briefing by the spy agency.

North Korea defends its weapons programs as a necessary defense against U.S. plans to invade. The United States, which has 28,500 troops in South Korea, a legacy of the 1950-53 Korean war, denies any such intention.

Pyongyang is also carrying out a sweeping ideological scrutiny of the political unit of the military for the first time in 20 years, according to Kim Byung-kee, another lawmaker in the committee.

The probe was led by the ruling Workers’ Party’s Organisation and Guidance Department and orchestrated by Choe Ryong Hae, who once headed the General Political Bureau of the Korean People’s Army himself until he was replaced by Hwang Pyong So in May 2014.

As a result, Hwang and Kim Won Hong, who Seoul’s unification ministry said was removed from office in mid-January as minister of the Stasi-like secret police called “bowibu”, had been punished, the lawmaker said. He did not elaborate.

Choe, who was subjected to political “reeducation” himself in the past, appears to be gaining more influence since he was promoted in October to the party’s powerful Central Military Commission.

The National Intelligence Service indicated that Choe now heads the Organisation and Guidance Department, a secretive body that oversees appointments within North Korea’s leadership.

“Under Choe’s command, the Organisation and Guidance Department is undertaking an inspection of the military politburo for the first time in 20 years, taking issue with their impure attitude toward the party leadership,” the lawmaker, Kim, said.

Separately on Monday, South Korea approved a request by a South Korean to attend an event in the North marking the anniversary of the death of his mother who formerly led the Chondoist Chongu Party, a minor North Korean political party.

The son, identified only by his surname Choi, will be the first South Korean to visit the North since liberal President Moon Jae-in took office in May.

He is scheduled to arrive in Pyongyang via China on Wednesday and return on Saturday, according to Seoul’s unification ministry.

A senior Chinese official wrapped up a four-day visit to North Korea on Monday, apparently without meeting the country’s leader, Kim Jong Un.

Song Tao, head of the international department of the Chinese Communist Party, met senior officials from the Workers Party of Korea and “exchanged views on the Korean peninsula issue”, China’s official Xinhua news agency said.

“The ruling parties of China and the Democratic People’s Republic of Korea on Monday pledged to strengthen inter-party exchanges and coordination, and push forward relations,” it added, using North Korea’s official name.

Song had been in Pyongyang to discuss the outcome of the recently concluded Chinese Communist Party Congress in Beijing.

(Additional reporting by Christine Kim, and Ben Blanchard in BEIJING; Editing by Nick Macfie and Clarence Fernandez)

Travelers says it is in ‘right spot’ for cyber insurance exposure

By Suzanne Barlyn

(Reuters) – Travelers Cos Inc <TRV.N> plans to stick to its recent growth pace for sales of cyber insurance, which protects businesses against hacking and other liabilities, despite potential to boost it, as the insurer assesses risks in the segment, its head of specialty insurance said on Monday.

“We feel like we’re just in the right spot,” Thomas Kunkel, the insurer’s president of bond and specialty insurance, said during an investor meeting in Connecticut.

Travelers has increased its cyber business at a 40 percent compound annual growth rate since 2011 and could quicken the pace, Kunkel said. “It would not be hard,” he said.

But Travelers must be “respectful and prudent” about the risks involved in cyber, Kunkel said.

Insurers have said the growing sophistication of hackers alongside a still-evolving cyber insurance industry makes it difficult to quantify their potential cyber-related losses.

About three-quarters of cyber policies that Travelers writes cover up to $1 million in damages, while nearly a quarter cover between $1 million and $5 million, the company said.

“We manage our limits very closely,” Kunkel said.

Equifax Inc <EFX.N>, which compiles credit information about consumers and assigns them scores, disclosed in September that cyber criminals had breached its systems between mid-May and late July and stolen the sensitive information of 145.5 million people. The hack is among the largest ever.

Regulation will also drive demand for cyber insurance, particularly in the financial services sector, Fitch Ratings said in a report on Monday.

“As the cyber insurance market develops, competition is likely to erode profit margins,” Fitch said.

Some insurers who ultimately enter the cyber market may lack underwriting experience and take on risks that could exceed their capital, Fitch said.

Events that could trigger large claims include cyber attacks on electronic grids and transportation systems, or hacks of large data storage clouds, Fitch said.

Insurer American International Group Inc <AIG.N> said on Oct. 26 that it was reviewing all types of coverage it offers to gauge its exposure to cyber risk.

AIG will start including cyber coverage as part of its commercial casualty insurance during the first quarter of 2018, Tracie Grella, global head of cyber risk insurance, said at the time.

The move would boost rates but also make it clearer how customers are covered if they are the victim of a security breach.

Many commercial insurers offer stand-alone cyber coverage, but it is not yet a standard addition to most other policies, such as property and casualty.

(Reporting by Suzanne Barlyn in New York; Editing by Lisa Von Ahn and Matthew Lewis)

Rookies and robots brace for first UK rate rise since 2007

By Fanny Potkin and Polina Ivanova

LONDON (Reuters) – Financial markets braced this week for what could be the Bank of England’s first rate rise in a decade – a step into the unknown for a generation of young traders who started work after 2007 but also for the state-of-the-art technology they use.

After a decade that included a global financial crash, numerous investigations into market collusion and relentless automation, trading floors at banks in London have been transformed in ways not obvious at first glance.

The newest kid on the block is not necessarily the rookie trader with a PhD in physics but the latest computer model or algorithm. How these models will perform under the almost novel circumstances of tightening monetary policy is as much a question as how the human neophytes will react.

Using past market data, assessments of demand, valuation models and even measures of how upbeat news headlines are, computers crunch the numbers, game the scenarios and buy or sell in the blink of an eye.

But shocks such as Brexit have shown that computer-driven trading can end in stampedes, or so-called flash crashes.

“You’ve got to weigh up the strength of the traders and the strength of the algorithms that have been developed and whether they can manage this kind of a process when the rate hike does come in,” said Benjamin Quinlan, CEO of financial services strategy consultancy Quinlan & Associates.

At Citibank’s expansive trading floor in London, the dealing room doesn’t look much different from a decade ago with traders hunched in front of banks of screens, the odd national flag perched on top, and television screens on mute.

But beneath the outward appearance, foreign exchange trading has undergone a seismic shift: more than 90 percent of cash transactions and a growing proportion of derivatives trades in the global $5 trillion a day FX market are done electronically.

So-called smart algos, or fully automated algorithmic trading programs that react to market movements with no human involvement, were virtually non-existent in 2007. Now, almost a third of foreign exchange trades are driven solely by algorithms, according to research firm Aite Group.

“Most of these algorithms haven’t really been tested in a rising interest rate scenario so the next few months will be crucial,” said a portfolio manager at a hedge fund in London.

To be sure, the U.S. Federal Reserve’s first rate rise in a decade in 2015 provided a dry run for this week’s UK decision – but the two economies are in very different positions and the knock-on effects on the wider financial markets of a Bank of England move are hard to predict.

ROOKIES AND ROBOTS

Much has changed since the Bank of England raised rates by 0.25 percent on July 5, 2007 to 5.75 percent. The first iPhone had yet to reach British shores, the country’s TVs ran on analogue signals and Northern Rock bank was alive and well.

Where once lightning decision-making and a calm head in a crisis were at a premium, the bulk of trading today is done by machines and the job of a foreign exchange sales trader is often little more than minding software and fielding client queries.

Itay Tuchman, head of global FX trading at Citi and a 20-year market veteran, said while the bank employs roughly the same number of people in currency trading as over the last few years, fewer are dedicated to business over the phone.

“We have an extensive electronic trading business, powered by our algorithmic market making platform, which is staffed by many people that have maths and science PhDs from various backgrounds,” said Tuchman, who heads trading for Citi’s global developed and emerging currency businesses.

London is the epicenter of those changes with the average daily turnover of foreign exchange trades executed directly over the phone down by a fifth to $566 billion in just three years to 2016, according to the Bank of England.

At Dutch bank ING’s London trading room, Obbe Kok, head of UK financial markets, said the floor now has about 165 people but the bank wants to make it 210 by the end of the year – searching mainly for traders attuned to technological innovations and keen on artificial intelligence.

The proportion of people employed in trading with degrees in mathematics and statistics has increased by 58 percent over the last 10 years, Emolument, a salary benchmarking site, said.

“What banks have started to do is trade experience for technological skill and with electronic platforms growing, the average age on the floor is a bit younger,” said Adrian Ezra, CEO of financial services recruitment agency Execuzen.

TAPER TANTRUM

The increasing use of technology means traders can gauge the depth of market liquidity at the click of a button or quickly price an option based on volatility – a major change from a few years ago when they had to scour the market discreetly for fear of disclosing their interest to rivals.

Ala’A Saeed, global head of institutional electronic sales and one of the brains behind Citi’s trading platform FX Velocity, said its electronic programs process thousands of trades per minute.

Most of the currency trading models used by banks incorporate variables such as trading ranges, valuation metrics including trade-weighted indexes and trends in demand based on internal client orders to get a sense of which way markets are moving – and the potential impact of a new trade.

Nowadays, the models also incorporate sentiment analysis around news headlines and economic data surprises.

These electronic trading platforms also have years of financial data plugged into them with various kinds of scenario analyses, but one thing they have sometimes appeared unprepared for is a sudden change in policy direction.

Witness the market mayhem exacerbated by trend-following algorithms when Switzerland’s central bank scrapped its currency peg in 2015, or the taper tantrum in 2013 when the U.S. Federal Reserve said it would stop buying bonds.

Or Britain’s vote last year to leave the European Union.

Indeed, the biggest risk for financial markets cited by money managers in a Bank of America Merrill Lynch poll in October was a policy misstep from a major central bank.

EASY CREDIT, LOW VOLATILITY

One concern is that the rise in automation has coincided with a prolonged decline in market volatility as central banks from the United States to Japan have kept interest rates close to zero and spent trillions of dollars dragging long-term borrowing costs lower to try to reboot depressed economies.

While central banks have been careful to get their messages across as they end the years of stimulus, there are concerns about whether quantitative trading models can capture all the qualitative policy shifts.

For example, a growing number of investors expect the Bank of England to raise its benchmark interest rate to 0.5 percent on Nov. 2, and then leave it at that for the foreseeable future.

But futures markets are expecting another rate rise within six to nine months, injecting a new level of risk around interest rate moves and potentially boosting volatility.

Neale Jackson, a portfolio manager at 36 South Capital Advisors, a $750 million volatility hedge fund in London, said young traders have never seen an environment other than central banks supporting markets, and that has fueled risk-taking underpinned by the belief that “big brother has got our backs”.

“The problem these days is that there’s a whole generation of traders who have never seen interest rates, let alone interest rate hikes,” said Kevin Rodgers, a veteran FX trader and the author of “Why Aren’t They Shouting?”, a book about the computer revolution within financial markets.

(Additional reporting by Maiya Keidan and Simon Jessop; writing by Saikat Chatterjee; editing by Mike Dolan and David Clarke)

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

Kaspersky says it obtained suspected NSA hacking code from U.S. computer

By Joseph Menn

SAN FRANCISCO (Reuters) – Moscow-based Kaspersky Lab on Wednesday acknowledged that its security software had taken source code for a secret American hacking tool from a personal computer in the United States.

The admission came in a statement from the embattled company that described preliminary results from an internal inquiry it launched into media reports that the Russian government used Kaspersky anti-virus software to collect National Security Agency technology.

While the explanation is considered plausible by some security experts, U.S. officials who have been campaigning against using Kaspersky software on sensitive computers are likely to seize on the admission that the company took secret code that was not endangering its customer to justify a ban.

Fears about Kaspersky’s ties to Russian intelligence, and the capacity of its anti-virus software to sniff out and remove files, prompted an escalating series of warnings and actions from U.S. authorities over the past year. They culminated in the Department of Homeland Security last month barring government agencies from using Kaspersky products.

In a statement, the company said it stumbled on the code a year earlier than the recent newspaper reports had it, in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said.

“Following a request from the CEO, the archive was deleted from all our systems,” the company said. It said no third parties saw the code, though the media reports had said the spy tool had ended up in Russian government hands.

The Wall Street Journal said on Oct. 5 that hackers working for the Russian government appeared to have targeted the NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.

Kaspersky did not say whether the computer belonged to an NSA worker who improperly took home secret files, which is what U.S. officials say happened. Kaspersky denied the Journal’s report that its programs searched for keywords including “top secret.”

The company said it found no evidence that it had been hacked by Russian spies or anyone except the Israelis, though it suggested others could have obtained the tools by hacking into the American’s computer through a back door it later spotted there.

The new 2014 date of the incident is intriguing, because Kaspersky only announced its discovery of an espionage campaign by the Equation Group in February 2015. At that time, Reuters cited former NSA employees who said that Equation Group was an NSA project.

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA an almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

It also did not say how often it takes uninfected, non-executable files, which normally would pose no threat, from users’ computers.

Former employees told Reuters in July that the company used that technique to help identify suspected hackers. A Kaspersky spokeswoman at the time did not explicitly deny the claim but complained generally about “false allegations.”

After that, the stories emerged suggesting that Kaspersky was a witting or unwitting partner in espionage against the United States.

Kaspersky’s consumer anti-virus software has won high marks from reviewers.

It said Monday that it would submit the source code of its software and future updates for inspection by independent parties.

(Reporting by Joseph Menn in San Francisco; Editing by Jim Finkle and Eric Auchard)

Exclusive: U.S. widens surveillance to include ‘homegrown violent extremists’ – documents

By Dustin Volz

WASHINGTON (Reuters) – The U.S. government has broadened an interpretation of which citizens can be subject to physical or digital surveillance to include “homegrown violent extremists,” according to official documents seen by Reuters.

The change last year to a Department of Defense manual on procedures governing its intelligence activities was made possible by a decades-old presidential executive order, bypassing congressional and court review.

The new manual, released in August 2016, now permits the collection of information about Americans for counterintelligence purposes “when no specific connection to foreign terrorist(s) has been established,” according to training slides created last year by the Air Force Office of Special Investigations (AFOSI).

The slides were obtained by Human Rights Watch through a Freedom of Information Act request about the use of federal surveillance laws for counter-drug or immigration purposes and shared exclusively with Reuters.

The Air Force and the Department of Defense told Reuters that the documents are authentic.

The slides list the shooting attacks in San Bernardino, California, in December 2015 and Orlando, Florida, in June 2016 as examples that would fall under the “homegrown violent extremist” category. The shooters had declared fealty to Islamic State shortly before or during the attacks, but investigators found no actual links to the organization that has carried out shootings and bombings of civilians worldwide.

Michael Mahar, the Department of Defense’s senior intelligence oversight official, said in an interview that AFOSI and other military counterintelligence agencies are allowed to investigate both active duty and U.S. civilian personnel as long as there is a potential case connected to the military. Investigations of civilians are carried out cooperatively with the Federal Bureau of Investigation, Mahar said.

Executive order 12333, signed by former President Ronald Reagan in 1981 and later modified by former President George W. Bush, establishes how U.S. intelligence agencies such as the CIA are allowed to pursue foreign intelligence investigations. The order also allows surveillance of U.S. citizens in certain cases, including for activities defined as counterintelligence.

Under the previous Defense Department manual’s definition of counterintelligence activity, which was published in 1982, the U.S. government was required to demonstrate a target was working on behalf of the goals of a foreign power or terrorist group.

It was not clear what practical effect the expanded definition might have on how the U.S. government gathers intelligence. One of the Air Force slides described the updated interpretation as among several “key changes.”

‘CLOAK OF DARKNESS’

However, some former U.S. national security officials, who generally support giving agents more counterterrorism tools but declined to be quoted, said the change appeared to be a minor adjustment that was unlikely to significantly impact intelligence gathering.

Some privacy and civil liberties advocates who have seen the training slides disagreed, saying they were alarmed by the change because it could increase the number of U.S. citizens who can be monitored under an executive order that lacks sufficient oversight.

“What happens under 12333 takes place under a cloak of darkness,” said Sarah St. Vincent, a surveillance researcher with Human Rights Watch who first obtained the documents. “We have enormous programs potentially affecting people in the United States and abroad, and we would never know about these changes” without the documents, she said.

The National Security Act, a federal law adopted 70 years ago, states that Congress must be kept informed about significant intelligence activities. But the law leaves the interpretation of that to the executive branch.

The updated interpretation was motivated by recognition that some people who may pose a security threat do not have specific ties to a group such as Islamic State or Boko Haram, Mahar at the Defense Department said.

“The internet and social media has made it easier for terrorist groups to radicalize followers without establishing direct contact,” Mahar said.

“We felt that we needed the flexibility to target those individuals,” he said.

In August 2016, during the final months of former President Barack Obama’s administration, a Pentagon press release announced that the department had updated its intelligence collecting procedures but it made no specific reference to “homegrown violent extremists.”

The revision was signed off by the Department of Justice’s senior leadership, including the attorney general, and reviewed by the Privacy and Civil Liberties Oversight Board, a government privacy watchdog.

Mahar said that “homegrown violent extremist,” while listed in the Air Force training slide, is not an official phrase used by the Defense Department. It does not have a specific list of traits or behaviors that would qualify someone for monitoring under the new definition, Mahar said.

Hunches or intuition are not enough to trigger intelligence gathering, Mahar said, adding that a “reasonable belief” that a target may be advancing the goals of an international terrorist group to harm the United States is required.

The updated Defense Department manual refers to any target “reasonably believed to be acting for, or in furtherance of, the goals or objectives of an international terrorist or international terrorist organization, for purposes harmful to the national security of the United States.”

Mahar said that in counterterrorism investigations, federal surveillance laws, including the Foreign Intelligence Surveillance Act, continue to govern electronic surveillance in addition to the limitations detailed in his department’s manual.

(Reporting by Dustin Volz; editing by Grant McCool)