Critical infrastructure cyberattacks pushed NSA to unmask thousands of U.S. identities through spying law

Some 20,000 additional U.S. identities were unmasked in investigations that involved a controversial spying tool in 2023 compared to the prior year, motivated by increased attempts from hackers to break into and cripple American critical infrastructure, according to a new intelligence community release documenting spy agency activities.

Over 30,000 U.S. persons, companies or other entities were unveiled in surveillance reports viewed by or shared among law enforcement officials and other agencies, up from some 11,500 in 2022, according to the annual report from the Office of the Director of National Intelligence released Tuesday.

The revealed targets’ information — carried out through an “unmasking” process that undergoes legal approval and allows requesting officials or agencies to look beneath redacted lines in reports to unveil affected American targets — was linked to Section 702 of the Foreign Intelligence Surveillance Act, a recently renewed authority that lets spy agencies warrantlessly target foreigners’ communications abroad but also permits collection of American conversations if a U.S. person is speaking with a foreign target.

The figure marks the largest publicly known use of unmasking cases in several years. The National Security Agency is the only agency allowed to improve unmasking requests, and permits them on a “need to know” basis, according to intelligence-gathering policies highlighted in the report.

According to the report, 2023 featured a single report that contained many identities of U.S. persons — which could be individuals or corporations — that contributed to the unmasking spike for that year.

“The identities in this single report in CY2023 were not those of individual people, but of U.S. entities associated with critical infrastructure. The approved unmaskings related to attempts by foreign cyber actors to compromise U.S. critical infrastructure and account for the increase in unmaskings by NSA,” the report said.

Law enforcement has publicly said that cases in which American communications are queried via Section 702 have been frequently used for victim notifications in which entities targeted by hackers are warned by cyber officials to patch or be wary of breach attempts. Privacy and civil liberties advocates agree with the tool’s usage as it relates to foreign targets but have questioned its usefulness in cases where American conversations are hoovered up and stored in Section 702 databases.

The report did not specify the extent of which critical infrastructure entities were involved in the unmaskings, though public advisories have heavily linked Chinese, Iranian and Russian operatives to infrastructure attacks on water infrastructure and out-of-date internet routers.

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, told a House panel Tuesday that her agency carried out 97 digital hunting missions in fiscal year 2023 that involved jettisoning cyberspies from domestic critical infrastructure. A senior FBI official in February said hacking collectives have been frequently detected through Section 702 but declined to give more specifics on which groups were discovered.

Various small-scale abuses of 702 have included an NSA analyst using it to search for the communications of two people they met on an online dating platform, as well as some 2,000 searches of the names and birthdays of individuals registered to compete in an athletic event, according to government-mandated oversight findings which involved scrutiny of classified surveillance information.

Headline-making 702 infringements have galvanized much of the privacy world and privacy-centric lawmakers, including instances where it was used to surveil Black Lives Matter activists and participants in the Jan. 6, 2021 attack on the U.S. Capitol.

President Joe Biden recently approved a two-year extension of the authority, which included a list of reform measures that the White House and FBI said have been able to largely increase intelligence analysts’ compliance in using the tool.