Two years ago, this column published what became the first comprehensive storiesever written about a then secret group of computer professionals who volunteered their time to monitor domestic and internationalcybercrime. The group – Project Vigilant – subsequently received a great deal of publicity in the aftermath of those columns. Some of the media attention shed additional light on the group, resulting in an avalanche of coverage. After several months, the group ceased granting press interviews and has remained largely out of the spotlight. Until now.
Secretive group expands role in cybermonitoring
For the past several weeks, this column was granted unprecedented access to the organization, involving multiple, lengthy interviews with key members of the group. A great deal of what was discussed was off the record and could not be described here. However, information the group was willing to allow for publication sheds new light not just on Project Vigilant, but how the technology tools they use play an increasingly significant role in support of the U.S. government’s efforts to combat cybercrime and protect the free flow of information over the Internet around the world.
The new picture of Project Vigilant that emerges is of a fiercely dedicated group of highly skilled volunteers who specialize in online attribution, an increasingly complicated field that is designed to breakdown the anonymity of the Internet by identifying its bad actors. And they are enormously sensitive to criticism that they are spying on U.S. citizens or are secret agents of the U.S. government. “We are not the U.S. government,” says Chet Uber, Project Vigilant’s Director. “We are not agents of the U.S. government. We do not take orders from the U.S. government. We are vigilants, not vigilantes.”
Uber says his group’s role has changed significantly since 2010, through a greater focus on a suite of technology tools that, for example, can assess whether a specific nation state might launch a malware attack in the next week. “We always ask: does this present a threat to national security?” Uber explains. “If the answer is yes, we turn the information over to the U.S. government.”
Representatives of Project Vigilant could not provide a government official willing to acknowledge their role in working with U.S. agencies. However, this column was able to secure confirmation through two independent sources who verified that U.S. government agencies were working with Project Vigilant, specifically to protect the free flow of information across the Internet in foreign countries.
Uber did acknowledge that his group currently has one subcontract with the U.S. government, but would not provide any details on the nature of Project Vigilant’s work or the agency involved. The group bids on contracts continuously, according to Uber.
The group has experienced high turnover in the past two years, as they have sought to bring more experienced people into the organization. Despite the staff changes, Uber says that Project Vigilant has expanded its volunteer force from 500 in 2010 to a current level of 750, with the biggest increase coming in Project Vigilant’s core volunteers (defined as people who work 5 or more hours per week) who today number 125. Approximately 40% of the volunteers are ex-military, aided by the influx of service personnel returning from Iraq and Afghanistan.
When members join Project Vigilant (after an extensive vetting process) they are given a choice to “opt in” and be publicly identified or “opt out” and not be named. There are quite a few who choose to remain under the radar, often because they have full-time jobs with high profile employers who might not be supportive of their volunteer work for the secretive group.
The group’s membership involves people from a wide range of disciplines and backgrounds. The current leaders who are willing to be publicly identified (other than Uber) include Mark Rasch, (General Counsel, Director of Cybersecurity for CSC), A.J. Fardella, (Director of Intelligence and Analysis, Director of Black Diamond Data and a planning commissioner for the city of Pittsburg, California), and Michael Tomasiewicz (Deputy Director and second in command to Uber, Network Specialist with ConAgra Foods). Others include Adrian Lamo who is the Assistant Director for Adversary Characterization, Doug Jacobsen (Director of Science & Technology, Professor of Electronics at Iowa State University), and Jeff Bardin (Assistant Director, Intelligence and Analysis – Middle East Desk, Chief Intelligence Officer for Treadstone 71).
There are also some major leaders in the computer and Internet world who are not members of the group, but were willing to talk for this story about their support for Project Vigilant’s work. These include Vint Cerf, Vice President for Google and widely recognized as the “father of the Internet,”Bill Cheswick, a highly-regarded Internet security expert, and Winn Schwartau, one of the world’s top experts on cyberterrorism. “I know an awful lot of people who are involved with Project Vigilant,” says Schwartau.
Because the group is so heavily volunteer driven, they do not maintain a central office, preferring instead to maintain “virtual offices” using mail, phone answering, and conference room services provided by Regus. Project Vigilant has recently filed with the state of Florida as a limited liability company and lists a Miami Beach address as their place of business. The address is a Regus office.
Despite the volunteer nature of their work, Project Vigilant still has expenses. For many years, their funding came from BBHC Global, an information security firm based in the Midwest, about which very little is known. According to Uber, Project Vigilant purchased BBHC Global and the group’s income comes primarily from sales of forensics products, research reports and consulting services. They also rely on a combination of government and corporate contracts, private donations, and loans from volunteers for its funding. “We also run in the red,” Uber is quick to add.
Interviews with volunteers and advisors to the organization reveal a strong belief that the group’s work is not only important, but critical to the security of the Internet and, in some respects, the world. “The threat is real,” says Jacobsen, the group’s Director of Science and Technology. “Attribution is why the Internet has become the crime playground of choice.”
The ability to be anonymous on the Internet is a double-edged sword. It allows thieves and terrorists to hide their identities while committing crimes, but it can also allow people to speak more freely in countries where heavy-handed censorship is the rule of law. This is the fine line that Project Vigilant must walk when their technology is needed to make sense out of what is happening over the World Wide Web.
“Attribution has two sides – one is discovering the source of traffic on the net in the event it is inimical to the net and its users,” explains Cerf. “The other side is suppression of identity to facilitate freedom of speech where the local conditions make such speech very risky. Project Vigilant has expertise and technology that deals with both sides.”
Tomorrow: A closer look at Project Vigilant’s areas of expertise.