Edward Snowden Reveals NSA's MonsterMind Program

It's a cyberwar robot that always hits back.

NSA's Utah Data Center

A view of MonsterMind's physical lair, photographed from an Electronic Frontier Foundation airship (Parker Higgins, Electronic Frontier Foundation)

In the high desert near Bluffdale, Utah, there lurks a creature made entirely of zeroes and ones. Called "MonsterMind", the project is an automated cyber weapon, perched atop the data flows into the National Security Agency's Mission Data Repository. According to recent revelations from former government contractor and NSA leaker Edward Snowden, MonsterMind is both tremendously powerful and easily fooled. Here's the skinny on the biggest revelation from Wired's recent profile of Snowden. Author James Bamford writes:

The massive surveillance effort was bad enough, but Snowden was even more disturbed to discover a new, Strangelovian cyberwarfare program in the works, codenamed MonsterMind. The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country—a “kill” in cyber terminology.

Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement. That's a problem, Snowden says, because the initial attacks are often routed through computers in innocent third countries. “These attacks can be spoofed,” he says. “You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?”

As described, MonsterMind is a brute-force approach to covert cyber war embodied in one program. In order to function, it scans a huge amount of electronic communication, all passing through the 247-acre facility, and looks for attacks. That's the scary part. The dumb part is how it automatically decides where to strike back. Spoofing, as Snowden mentioned, is a relatively simple technique for hiding where an attack comes from. It's the online equivalent of throwing a pebble to distract the prison guard while the plucky protagonist runs away.

Bamford describes this program as Strangelovian, in reference to the Stanley Kubrick film about nuclear war. In the film, the Soviets develop a nuclear deterrent system that automatically attacks America if Russia gets hit first. The deterrent fails in part because the Americans didn't know about it, and the film ends with a montage of nuclear explosions, as an accidental American first strike triggers the apocalypse. The automatic strike-back mechanism and obscurity of MonsterMind resemble this device, but the stakes are at least an order of magnitude less severe than all-out nuclear war.

Cyber attacks at present are mostly the theft of private data or bank information, with the rare instance of actual industrial sabotage breaking a machine. None of this makes an automated strike-back system great, but it's still a far cry from the world-ending threat of thermonuclear war.

Read this and other revelations, including one about a contractor router that broke Syria's internet, at Wired.

The Bomb That Ends The World, Dr. Strangelove

Still image from Stanley Kubrick's Dr. Strangelove or: How I Learned To Stop Worrying And Love The Bomb (Stanley Kubrick)