The Costs of Politically Free Cybersecurity Failures

/3 Comments/in /by

Ben Wittes looks at the WaPo article and accompanying National Security Council Draft Options paper on how the White House should respond to FBI’s campaign against encryption and declares that “Industry has already won.”

[T]he document lays out three options for the administration—three options that notably do not include seeking legislation on encryption.

They are:

  • “Option 1: Disavow Legislation and Other Compulsory Actions”;
  • “Option 2: Defer on Legislation and Other Compulsory Actions”; and
  • “Option 3: Remain Undecided on Legislation or Other Compulsory Actions.”

In all honesty, it probably doesn’t matter all that much which of these options Obama chooses. If these are the choices on the table, industry has already won.

What’s most fascinating about the white paper is that it lays bare how the NSC itself sees this issue — and they don’t see it like Wittes does, nor in the way the majority of people clamoring for back doors have presented it. As the NSC defines the issue, this is not “industry” versus law enforcement. For each assessed scenario, NSC measures the impact on:

  • Public safety and national security
  • Cybersecurity
  • Economic competitiveness
  • Civil liberties and human rights

Arguably, there’s a fifth category for each scenario — foreign relations — that shows up in analysis of reaction by stakeholders that weighs the interests of foreign governments, including allies that want back doors (UK, France, Netherlands), allies that don’t (Germany and Estonia), and adversaries like Russia and China that want back doors to enable repression (and, surely, law enforcement, but the analysis doesn’t consider this).

That, then, is the real network of interests on this issue and not — as Wittes, Sheldon Whitehouse, and many though not all defenders of back doors have caricatured — simply hippies and Apple versus Those Who Keep Us Safe.

NSC not only judges the market demand for encryption — and foreign insistence that US products not appear to be captive to America’s national security state — to be real, but recognizes that those demands underlie US economic competitiveness generally.

And, as a number of people point out, the NSC readily admits that encryption helps cybersecurity. As the white paper explains,

Pro-encryption statements from the government could also encourage broader use of encryption, which would also benefit global cybersecurity. Further, because any new access point to encrypted data increases risk, eschewing mandated technical changes ensures the greatest technical security. At the same time, the increased use of encryption could stymie law enforcement’s ability to investigate and prosecute cybercriminals, though the extent of this threat over any other option is unclear as sophisticated criminals will use inaccessible encryption.

Shorter the NSC: If encryption is outlawed, only the sophisticated cyber-outlaws will have encryption.

This is the discussion we have not been having, as Jim Comey repeatedly talks in terms of Bad Guys and Good Guys, the complex trade-offs that are far more than “safety versus privacy.”

What’s stunning, however, is that NSC — an NSC that was already in the thick of responding to the OPM hack when this paper was drafted in July — sees cybersecurity as a separate category from public safety and national security. Since 2013, the Intelligence Community has judged that cybersecurity is a bigger threat than terrorism (though I’m not sure if the IC has revised that priority given ISIS’ rise). Yet the NSC still thinks of this as a separate issue from public safety and national security (to say nothing of the fact that NSC doesn’t consider the crime that encryption would prevent, such as smart phone theft).

I’m not surprised that NSC considers these different categories, mind you. Cybersecurity failures are still considered (with the sole exception of Katherine Archuleta, who was forced to resign as OPM head after the hack) politically free, such that men like John Brennan (when he was Homeland Security Czar on NSC) and Keith Alexander can have, by their own admission, completely failed to keep us safe from cyberattack without being considered failures themselves (and without it impacting Brennan’s perceived fitness to be CIA Director).

The political free ride cybersecurity failures get is a problem given the other reason that Wittes’ claim that “industry has already won” is wrong. WaPo reports that NSC still hasn’t come up with a preferred plan, ostensibly because it is so busy with other things.

Some White House aides had hoped to have a report on the issue to give to the president months ago. But “the complexity of this issue really makes it a very challenging area to arrive at any sort of policy on,” the senior official said. A Cabinet meeting to be chaired by National Security Adviser Susan Rice, ostensibly to make a decision, initially was scheduled for Wednesday, but it has been postponed.

The senior official said that the delays are due primarily to scheduling issues — “there are a lot of other things going on in the world” — that are pressing on officials’ time.

But WaPo also presents evidence that those who want back doors are just playing for time, until some kidnapping or terrorist attack investigation gets thwarted by encryption.

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

So long as the final decision never gets made, those who want back doors will be waiting for the moment when some event changes the calculus that currently weighs in favor of encryption. And, of course, we’ll all be relying on people like Jim Comey to explain why encryption made it impossible to catch a “bad guy,” which means the measure will probably ignore the other ways law enforcement can get information.

We are still living in Dick Cheney’s world, where missing a terrorist attack (other than the big one or the anthrax attack) is assumed to be career ending, even while failing to address other threats to the US (climate change and increasingly cybersecurity) are not. So long as that’s true, those waiting to use the next spectacular failure to make ill-considered decisions about back doors will await their day, putting some kinds of national security above others.

Update: Like me, Susan Landau thinks Wittes misunderstood what the White Paper said about who “won” this fight.

But the National Security Council draft options paper never mentions national-security threats as a concern in the option of disavowing legislation controlling encryption (it does acknowledge potential problems for law enforcement). The draft says that no-legislation approach would help foster “the greatest technical security.” That broad encryption use is in our national security interest is why the administration is heading to support the technology’s broad use. That’s the story here — and not the one about Silicon Valley.

Jeb’s Cyber-Corporate-Welfare-as-Security Program

/2 Comments/in /by

Jeb! Bush has issued a cybersecurity policy as an excuse to bitch about Hillary having her own email server when he himself did the same thing (and exposed users when he revealed some but not all of those emails).

Kudos to Jeb! for releasing it — I agree it’s a worthy issue to discuss this election (I meant to finish this when the policy was first issued but things got in the way). But Jeb!’s plan is as much a corporate welfare bill (surprise!) as it is a security bill. Indeed, in its introductory language, it explains the policy is designed “to achieve 4% growth and the 19 million jobs that come with it [with] a vibrant and secure Internet.” It’s about the Internet and the businesses that operate on it first and foremost, and only secondarily about keeping that world secure.

1. Place a Command Focus on Cybersecurity.

In its first section, Jeb! says we need to “place a command focus on cybersecurity.” It continues on to present conflicting data about whether cyber-attacks target big companies (which have the resources to protect themselves, he says) or smaller ones. But this comes amid an admission that “poor cyber-security practices” are one of the biggest problems.

2. Restore Accountability within the Federal Government.

Jeb! makes some of his best points when he argues that government needs to be accountable.

We need presidential leadership to get government to take the cybersecurity threat more seriously, fix the vulnerabilities of government systems, and hold government leaders accountable for the security of information entrusted to their care.

[snip]

Leadership means not hiring political hacks or cronies for critical positions that involve cybersecurity.  It also means holding executive branch officials accountable for their failure to prioritize cybersecurity and protect the networks under their care.

Jeb! demands we hold executives (presumably including people like FEMA head “heck of a job” Mike Brown) responsible for cybersecurity lapses. I’ll come back to this point.

But then Jeb! — whose brother oversaw, and according to some evidence, authorized the exposure of a CIA officer for political gain — jumps from government accountability to Hillary having kept her emails in the same insecure fashion as Bush did (though Hillary didn’t release personal information of correspondents when she released them).

The President also cannot allow cabinet secretaries and senior officials to violate rules and procedures meant to protect classified and national security-related government communications.  It should not be too much to ask government officials to abide by the laws and rules in place to safeguard our national security.  Secretary Hillary Clinton’s growing email scandal highlights reckless behavior by officials entrusted with some of our nation’s most sensitive secrets.

3. Increase U.S. Intelligence and Law Enforcement Cybersecurity Capabilities and Strengthen International Cooperation.

After calling for accountability in government, Jeb! calls for reversing reforms put into place after citizens discovered how much domestic spying the spy agencies have been doing and how ineffective some of it was. Read more

A Really Interestingly Timed Corruption Extradition

/3 Comments/in /by

The AP reports that the US extradited a long-sought Chinese corruption target, Yang Jinjun.

A most-wanted Chinese fugitive suspected of graft and bribery was brought back from the U.S. on Friday after he fled there in 2001, officials said, as Beijing seeks stronger cooperation from Washington.

Yang Jinjun — the businessman brother of a former deputy mayor in the eastern city of Wenzhou — is the first person to be repatriated to China from the U.S. since the “Sky Net” operation targeting 100 fugitives was launched in April, the Ministry of Supervision said.

[snip]

The last prominent repatriation case out of the United States was in 2004, when Chinese bank executive Yu Zhendong, accused of embezzling $485 million with other defendants, was sent back on the condition that Yu would not be tortured or given the death penalty, which is common in China even for less serious corruption cases.

Note the story relies on Chinese sources, not US ones. The Obama Administration is not, at least thus far, making the same kind of big deal about this as China is.

The extradition comes in the wake of news that the US would crack down on agents the Chinese send to bully corruption targets to return for prosecution, and as Congress demands Obama retaliate for the OPM hack even in spite of the precedent that would establish for people to retaliate for our more ambitious bulk collection. And, of course, the extradition comes in advance of Xi Jinping’s visit.

I suspect it will be years before we learn the full extent of deals drafted in advance of Xi’s visit. But I take this as a sign the US is being more cooperative than a lot of people in DC would support.

National Counterintelligence Director Evanina about OPM Breach: “Not My Job”

/2 Comments/in /by

I’ve been tracking Ron Wyden’s efforts to learn whether the National Counterintelligence and Security Center had anticipated how much of a counterintelligence bonanza the Office of Personnel Management’s databases would be. Wyden sent National Counterintelligence Executive William Evanina a set of questions last month.

  1. Did the NCSC identify OPM’s security clearance database as a counterintelligence vulnerability prior to these security incidents?
  2. Did the NCSC provide OPM with any recommendations to secure this information?
  3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why existing retention periods are necessary?

Evanina just responded. His answer to the first two questions was basically, “Not my job.”

In response to the first two questions, under the statutory structure established by the Federal Information Security Management Act of 2002 (FISMA), as amended, executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS). For agencies with Inspectors General (IG) appointed under the Inspector General Act of 1978 (OPM is one of those agencies), independent annual evaluations of each agency’s adherence to the instructions of OMB and DHS are carried out by the agency’s IG or an independent external auditor chosen by the agency’s IG. These responsibilities are discussed in detail in OMB’s most recent annual report to Congress on FISMA implementation. The statutory authorities of the National Counterintelligence Executive, which is part of the NCSC, do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations on how to secure their IT systems.

Of course, this doesn’t really answer the question, which is whether Evanina — or the NCSC generally — had identified OPM’s database full of clearance information as a critical CI asset. Steven Aftergood has argued it should have been, according to the Office of Director of National Intelligence’s definition if not bureaucratic limits. Did the multiple IG reports showing OPM was vulnerable, going back to 2009 and continuing until this year, register on NCSC’s radar?

I’m guessing, given Evanina’s silence on that issue, the answer is no.

No, the folks in charge of CI didn’t notice that this database of millions of clearance holders’ records might be a juicy intelligence target. Not his job to notice.

Evanina’s response to the third question — whether the government really had to keep records going back to Reagan’s second term — was no more satisfying.

[T]he timelines for retention of personnel security files were established by the National Archives General Records Schedule 18, Item 22 (September 2014). While it is possible that we may incur certain vulnerabilities with the retention of background investigation information over a significant period of time, its retention has value for personnel security purposes. The ability to assess the “whole person” over a long period of time enables security clearance adjudicators to identify and address any issues (personnel security or counterintelligence-related) that may exist or may arise.

In other words, just one paragraph after having said it’s not his job to worry about the CI implications of keeping 21 million clearance holders’ records in a poorly secured database, the Counterintelligence Executive said the government needed to keep those records (because the government passed a policy deciding they’d keep those just a year ago) for counterintelligence purposes.

In a statement on the response, Wyden, like me, reads it as Evanina insisting this key CI role is not his job. To which Wyden adds, putting more data in the hands of these insecure agencies under CISA would only exacerbate this problem.

The OPM breach had a huge counterintelligence impact and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job. This is a bureaucratic response to a massive counter-intelligence failure and unworthy of individuals who are being trusted to defend America. While the National Counterintelligence and Security Center shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.

The Senate is now trying to respond to the OPM hack by passing a bill that would lead to more personal information being shared with these agencies. The way to improve cybersecurity is to ensure that network owners take responsibility for plugging security holes, not encourage the sharing of personal information with agencies that can’t protect it adequately.

Somehow, the government kept a database full of some of its most important secrets on an insecure server, and the guy in charge of counterintelligence can only respond that we had to do that to serve counterintelligence purposes.

Another Reason GM May Have Come Around to CISA

/15 Comments/in , /by

Last week, Wired had a story about a hack of GM vehicles that the car company took 5 years to fix. As the story explains, while GM tried to fix the vulnerability right away, their efforts didn’t completely fix the problem until GM quietly sent a fix to its vehicles over their Verizon network earlier this year.

GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.

The article uses this is a lesson in how ill-equipped car companies were in 2010 (notably, right after they had been put through bankruptcy) to fix such things, and how much more attentive they’ve gotten in the interim.

GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicle with the vulnerable Generation 8 OnStar computer.

Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.

GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

What Wired doesn’t note is that GM was in the thick of recall hell by November 2014 because of its delay, during the same period, in fixing ignition problems. It’s not just the network problem GM wasn’t fixing, it was more traditional problems as well. Whatever hack GM pulled off, starting in November 2014 as a kluge to fix a long-running problem, GM did so while under great pressure for having sat on other (more obviously dangerous) problems with their cars. GM also did so knowing their recognizable Impala would be shown on 60 Minutes exhibiting this problem.

In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015. (For both shows they carefully masking-taped the car’s logos to prevent it from being identified, though car blog Jalopnik nonetheless identified the Impala from the 60 Minutes demo.)

So GM had a lot more urgency to find curious hacks in November 2014 than they did in 2010.

Read more

The Special Sanger Cyber Unicorn: Iran Warmonger Edition

/3 Comments/in /by

I noted earlier that the reporting on the US not imposing cybersanctions on China appears to have credulously served its purpose in creating a narrative that may have helped create the environment for some kind of deal with China.

NYT’s David Sanger did his own version of that story which deserves special focus because it is so full of nonsense — and nonsense that targets Iran, not China.

Sanger starts his tale by quoting something President Obama said at Fort Meade over the weekend out of context. In response to a question about the direction of cybersecurity in the next 5-10 years, Obama spoke generally about both state and non-state actors.

Q Good afternoon, Mr. President. You alluded to in your opening remarks the threat that cyber currently is. And there’s been a lot of talk within the DOD and cyber community of the possibility of a separate branch of the military dedicated to cyber. I was wondering where you see cyber in the next five to ten years.

THE PRESIDENT: Well, it’s a great question. We initiated Cyber Command, anticipating that this is going to be a new theater for potential conflict. And what we’ve seen by both state and non-state actors is the increasing sophistication of hacking, the ability to penetrate systems that we previously thought would be secure. And it is moving fast. So, offense is moving a lot faster than defense.

Part of this has to do with the way the Internet was originally designed. It was not designed with the expectation that there would end up being three or four or five billion people doing commercial transactions, et cetera. It was thought this was just going to be an academic network to share papers and formulas and whatnot. And so the architecture of the Internet makes it very difficult to defend consistently.

We continue to be the best in the world at understanding and working within cyber. But other countries have caught up. The Russians are good. The Chinese are good. The Iranians are good. And you’ve got non-state hackers who are excellent. And unlike traditional conflicts and aggression, oftentimes we don’t have a return address. If somebody hacks into a system and goes after critical infrastructure, for example, or penetrates our financial systems, we can’t necessarily trace it directly to that state or that actor. That makes it more difficult as well. [my emphasis]

Sanger excised all reference to “excellent” non-state hackers, and instead made this a comment about hacking by state actors.

“Offense is moving a lot faster than defense,” Mr. Obama told troops on Friday at Fort Meade, Md., home of the National Security Agency and the United States Cyber Command. “The Russians are good. The Chinese are good. The Iranians are good.” The problem, he said, was that despite improvements in tracking down the sources of attacks, “we can’t necessarily trace it directly to that state,” making it hard to strike back.

Sanger then took this comment very specifically directed at the upcoming Xi visit and China,

And this is something that we’re just at the infancy of.  Ultimately, one of the solutions we’re going to have to come up with is to craft agreements among at least state actors about what’s acceptable and what’s not.  And so, for example, I’m going to be getting a visit from President Xi of China, a state visit here coming up in a couple of weeks.  We’ve made very clear to the Chinese that there are certain practices that they’re engaging in that we know are emanating from China and are not acceptable.  And we can choose to make this an area of competition — which I guarantee you we’ll win if we have to — or, alternatively, we can come to an agreement in which we say, this isn’t helping anybody; let’s instead try to have some basic rules of the road in terms of how we operate.

And suggested it was directed at other states more generally.

Then he issued a warning: “There comes a point at which we consider this a core national security threat.” If China and other nations cannot figure out the boundaries of what is acceptable, “we can choose to make this an area of competition, which I guarantee you we’ll win if we have to.”

Sanger then spends six paragraphs talking about how hard a time Obama is having “deterring” cyberattacks even while reporting that China and the US have forged some kind of deal that would establish norms that are different than deterrence but might diminish attacks. He also, rather curiously, talks (again) about “unprecedented” theft of personal information in the OPM hack that we need to deter — even though James Clapper has repeatedly said publicly that we do the same thing (and by some measures, on a much bigger scale).

Read more

Cyber-Unicorn Journalists Shocked the Unicorn Didn’t Appear, Again

/12 Comments/in /by

When last we checked in on claims the US was going to cyber-deter China, I suggested people should understand the underlying dynamics at work.

Before people start investing belief in unicorn cyber deterrence, they’d do well to understand why it presents us such a tough problem.

That was 11 days ago. Since then, James Clapper has claimed (I’m not necessarily endorsing this claim as true, especially given the timing) the US isn’t even 100% sure China is behind the OPM hack — in part because we’ve lost some monitoring capabilities in recent years — all while making it clear we don’t consider it an attack because we do precisely the same thing to China. At the same time, top level US and Chinese officials met in anticipation of Xi Jinping’s visit. Here’s the White House readout of that meeting.

From September 9-12, senior Administration officials held a series of meetings with Secretary of the Central Political and Legal Affairs Commission of the Communist Party of China Meng Jianzhu in Washington, D.C.  Mr. Meng traveled to Washington as President Xi Jinping’s Special Envoy to discuss cybersecurity and other issues in advance of President Xi’s State Visit. Secretary of Homeland Security Jeh Johnson hosted Mr. Meng during his visit. In this capacity, Secretary Johnson convened a meeting between members of the Chinese delegation and representatives from the Departments of State, Treasury, Justice, Federal Bureau of Investigation, and the Intelligence Community.  In addition, FBI Director Comey also met with Mr. Meng at FBI headquarters for discussions. National Security Advisor Susan E. Rice received Mr. Meng for a meeting at the White House, where she had a frank and open exchange about cyber issues.

Remember: China is believed to have all of Jim Comey and Jeh Johnson’s security clearance files (probably Susan Rice’s as well). Comey in particular keeps raising that point. That surely adds something to such negotiations, knowing that your interlocutor has read a ready-made intelligence portfolio that your own government compiled on you.

Now the journalists who keep reporting that the US is about to, honest to god, this time they mean it, sanction China for its hacking report that sanctions are off the table for now, in part because those negotiations resulted in some kind of cyber agreement.

The United States will not impose economic sanctions on Chinese businesses and individuals before the visit of China President Xi Jinping next week, a senior administration official said Monday.

The decision followed an all-night meeting on Friday in which senior U.S. and Chinese officials reached “substantial agreement” on several cybersecurity issues, said the administration official, who spoke on the condition of anonymity because of the topic’s sensitivity.

The potential for sanctions in response to Chinese economic cyberespionage is not off the table and China’s behavior in cyberspace is still an issue, the official said. “But there is an agreement, and there are not going to be any sanctions” before Xi arrives on Sept. 24, the official said.

The breakthrough averted what would have raised a new point of tension with the Chinese that could have overshadowed the meeting — and Xi’s first state visit.

“They came up with enough of a framework that the visit will proceed and this issue should not disrupt the visit,” the official said. “That was clearly [the Chinese] goal.”

The reporting on this appears to be problematic, in part, because sources for these stories themselves misunderstand the issue.

Yet what that agreement is remains unclear. Two U.S. officials told The Daily Beast that substantial disagreement remains between the U.S. and China. China insists that it’s the victim of cyber spying, not a perpetrator. But the U.S. has filed criminal charges against Chinese officials for their role in stealing trade secrets and intellectual property from American companies.

[snip]

[CSIS Deputy Director Scott] Kennedy noted that given the length of time Meng was in Washington, his visit almost certainly covered other issues, including China’s efforts to hunt down Chinese nationals accused of crimes who are living abroad. U.S. law enforcement officials have complained that Chinese state security operatives are working in this country illegally and trying to intimidate Chinese people living here legally.

Remember, “US official” is journalistic code often used for members of Congress or contractors. And if these (possible) members of Congress don’t understand that the US sensors embedded in China’s networks are incredibly invasive cyber spying, if whoever claimed that our indictment for stealing information on trade disputes (something we spy on too) believes that we indicted for stealing IP, if those sources can’t imagine we might respond to the OPM hack by cracking down on extraordinary Chinese agents in the US, then those sources aren’t appreciating the real power dynamics at stake. And we’re going to continue to have journalism on this topic that serves more to provide a convenient narrative than to inform.

Thank you for playing, thank you for providing the appearance of a threat to placate Congress and drive a narrative of a tough negotiation, all while not laying out how the OPM hack changes things.

Several things seem to have been missed in this recent round of cyber-deterrence unicorn reporting. While China’s crashing stock market (renewed again today) provides a bit more leverage for the US against China — among other things, it raises the value Chinese elites would place on their US property and holdings, though China itself wants to pressure some of the same elites — it is still not in our best interest to antagonize this relationship. Moreover, whatever additional leverage we’ve got economically is more than offset by the OPM and related hacks, which China could use in any number of ways to really damage the US, especially given so many of our other critical systems — public and private, and I suspect that’s part of what some of the related hacks have been designed to demonstrate — remain insecure.

Most importantly, even before the Snowden leaks, the US had a real interest in finding some kind of norms that would make the cyber realm less volatile. That’s probably even more true now, because (as Clapper said, and this part I believe) our adversaries have been hardening their own defenses while stealing information that turns out to be more valuable to the US, meaning we don’t have such asymmetric advantage in the cyber realm anymore.

This comes at a time when Congress has become adamantly opposed to anything that resembles negotiations, because to them it looks like weakness. And most seem not to understand the stakes behind the reasons why the OPM hack cannot be considered an attack.

So if some credulous reporting created the space for such an agreement, great!

John Doe Ungagged: Nicholas Merrill Wins the Right to Reveal Contents of 11-Year Old National Security Letter

/2 Comments/in , /by

Nicholas Merrill, who first challenged a National Security Letter 11 years ago, has won the right to talk about what he was ordered to turn over to the FBI in 2004. A key holding from the decision is that private citizens — as distinct from government officials who have signed non-disclosure agreements — cannot be prevented from talking about stuff that the government, as a whole, has already released.

A private citizen should be able to disclose information that has already been publicly disclosed by any government agency — at least once the underlying investigation has concluded and there is no reason for the identities of the recipient and target to remain secret. Otherwise, it would lead to the result that citizens who have not received such an NSL request can speak about information that is publicly known (and acknowledged by other agencies), but the very individuals who have received such NSL requests and are thus best suited to inform public discussion on the topic could not. Such a result would lead to “unending secrecy of actions taken by government officials” if private citizens actually affected by publicly known law enforcement techniques could not discuss them.

The judge in the case, Victor Marrero, gave the government 90 days to appeal. If they don’t (?!?!), Merrill will finally be ungagged after 11 years of fighting.

As noted, the FBI served the NSL back in 2004, when Merrill ran a small Internet Service Provider. Merrill sued under the name John Doe. He twice won court rulings that the gag orders were unconstitutional. But it wasn’t until 2010 that he was allowed to ID himself as Doe, and it wasn’t until 2014 — a decade after receiving the NSL — that he was able to tell the person whose records the FBI wanted. Even then, even after Edward Snowden revealed the need for more transparency about these things, the government fought Merrill’s demand to disclose what he had been asked to turn over, which was included in an attachment to the NSL itself.

See this post and this post for background on Merrill’s renewed fight to disclose how much FBI has demanded under an NSL.

Marrero found that the government just didn’t have really good reasons to gag this information, especially given that substantially similar information had been given out by other government agencies, and especially since the government admits it is only trying to hide the information from future targets, not anyone tied to the investigation that precipitated the NSL over a decade ago.

For the reasons discussed below, the court finds that the Government has not satisfied its burden of demonstrating a “good reason” to expect that disclosure of the NSL Attachment in its entirety will risk an enumerated harm, pursuant to Sections 2709 and 3511.

[snip]

The Government argues that disclosure of the Attachment would reveal law enforcement techniques that the FBI has not acknowledged in the context of NSLs, would indicate the types of information the FBI deems important for investigative purposes, and could lead to potential targets of investigations changing their behavior to evade law enforcement detection. {See Gov’t Mem. at 6.) The Court agrees that such reasons could, in some circumstances, constitute “good” reasons for disclosure.

[snip]

The Government’s justifications might constitute “good” reasons if the information contained in the Attachment that is still redacted were not, at least in substance even if not in the precise form, already disclosed by government divisions and agencies, and thus known to the public. Here, publicly-available government documents provide substantially similar information as that set forth in the Attactunent. For that reason, the Court is not persuaded that it matters that these other documents were not disclosed by the FBI itself rather than by other government agencies, and that they would hold significant weight for a potential target of a national security investigation in ascertaining whether the FBI would gather such information through an NSL. The documents referred to were prepared and published by various government divisions discussing the FBI’s authority to issue NSLs, the types of materials the FBI seeks, and how to draft NSL requests.

[snip]

Now, unlike earlier iterations of this litigation, the asserted Government interest in keeping the Attachment confidential is based solely on protecting law enforcement sensitive information that is relevant to future or potential national security investigations.

[snip]

[I]t strains credulity that future targets of other investigations would change their behavior in light of the currently-redacted information, when those targets (which, according to the Government, [redacted] see Perdue Deel. ¶ 56) have access to much of this same information from other government divisions and agencies.

Effectively, Marrero is arguing that since the government has asserted potential national security targets are good at putting 2 plus 2 together, and 2 and 2 are already in the public domain, any targets can already access the information in the attachment.

Marrero’s quotations from already released documents and the redactions from the attachment make it clear the government is trying to hide they were getting activity logs…

Screen Shot 2015-09-14 at 4.41.14 PM

And the various identities tied to an account (which we know the government matches to better be able to map activity across multiple identities).

Screen Shot 2015-09-14 at 4.42.34 PM

I’ll lay more of this out shortly — effectively, Marrero has already done the mosaic work for targets, even without the attachment (though I suspect what the government is really trying to prevent is release of a document defendants can point to to support discovery requests).

Ultimately, Marrero points to the absurd — and dangerous, for a democracy — position that would result if the government were able to suppress this already public information.

If the Court were to find instead that the Government has met its burden of showing a good reason for nondisclosure here, could Merrillever overcome such a showing? Under the Government’s reasoning, the Court sees only two such hypothetical circumstances in which Merrill could prevail: a world in which no threat of terrorism exists, or a world in which the FBI, acting on its own accord and its own time, decides to disclose the contents of the Attachment. Such a result implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.

Especially at a time when the President claims to want to reverse the practice of forever gags on NSLs, Marrero finds such a stance untenable.

Let’s see whether the government doubles down on secrecy.

What If the Intelligence Community Is Looking for the Wrong Malicious Use of OPM Data?

/20 Comments/in /by

Screen Shot 2015-09-14 at 9.11.40 AMThe revelation in last week’s cyber threats hearing the press has been most agog about is that James Clapper predicted hackers would get around to changing, rather than just stealing, data.

[after 19:00] In the future I believe we’ll see more cyber operations that will change or manipulate electronic information to compromise its integrity — in other words, compromise its accuracy and its reliability, instead of merely deleting it or disrupting access to it.

[snip]

[after 56:00] To this point, it’s either been disruption — of a website, for example, but more commonly, just purloining information. As I indicated in my opening statement though, I believe the next push on the envelope here is going to be the manipulation or deletion of data, which will of course compromise its integrity.

Um. Really, journalists who cover this area?

The notion that a cyber operator will change data is not new. Proof of that concept happened years ago, with the StuxNet attack, when US and Israeli hackers made the Iranians think everything was going peachy with their centrifuges when in fact they were spinning out of control. No one may yet have manipulated our data, but we’ve manipulated others’ data.

Which I guess means, according to Clapper’s definition, StuxNet was an attack and not just a hack — in case you had any doubts.

One thing I found far more interesting was Clapper’s repeated assertion that the IC has seen no use of the Office of Personnel Management data.

[after 49:00; see also after 1:29] Clapper: What we’ve done is speculate how it could be used. And again the distinction I was just making with Congressman Westmoreland had to do with the terminology of saying that the OPM breach was an attack. Getting back to definitional issues, we wouldn’t characterize it that way. What’s of great concern with respect to the OPM breach, which I spoke to briefly in my opening statement had to do with potential uses of that data. And of course, we’re looking. Thus far we haven’t seen any evidence of their usage of that data.

I said as I was watching and others have said since that this likely just reflects China — almost universally believed to be the OPM perpetrator — playing the long game. It will use the knowledge when it’s good and ready, all the while we’ll know it has it.

All that said, the other thing Clapper said that I found very interesting was that the IC has varying degrees of confidence about who did this hack.

[after 20:00] Clapper: And while speaking of the OPM breaches, let me say a couple of words about attribution, which is not a simple process and involves at least three related but distinct determinations: geographic point of origin, the identity of the actual perpetrator doing the keystrokes, and the responsibility for actually directing the attack. In the case of OPM, we’ve had differing degrees of confidence across the IC in our assessment of the responsibility for each of these elements. Of late, unauthorized disclosures and foreign defensive improvements have cost us some technical accesses.

Apparently, not everyone in the IC is completely convinced China did this. This is the kind of statement we never saw, as far as I remember, with regards to the Sony hack (though, admittedly, it’s a lot easier to make unsubstantiated accusations against North Korea than China). Are people really not convinced?

Note, too, the casual reference to the US losing some technical accesses, presumably in response to Snowden’s disclosures and the heightened awareness from our adversaries just how badly we’ve pawned them for years. Given the assumption China hacked OPM, this likely means we’ve lost some visibility into Chinese actions in the last two years.

The evidence China did this hack in part stems from its complexity; few — but not no — other actors could pull it off. That someone would hack United, in tandem with OPM, would support that, given that United flies so many flights from Dulles to China.

All that said is it possible — remotely — some other sophisticated state actor could have done this?

I’m going to assume Clapper is just downplaying the certainty here, possibly in advance of Xi Jinping’s visit to DC.

But if it is remotely true, would that have an effect on our ability to monitor for the use — or even manipulation — of OPM data? That is, if we were looking for Chinese use of the data — focusing on people of Chinese descent and/or people stationed there — would we miss attempts to compromise clearance holders another sophisticated state actor — say, Israel — might target? I’ll just remind that at a time when the US was trying to set up the IRGC for an assassination attempt, someone spamouflaged what likely included our target. I presume that as we got closer and then finalized the Iran deal, Israel’s targeting of our spooks has intensified.

In any case, Clapper seems confident that the data was not compromised here, which is something other commentators have raised as a worry (because doing so would allow you to create clearances for people who had not been vetted, for example).

[after 1:29]My working definition of whether it’s an attack or not and my characterization of it not being an attack in that there was no destruction of data or manipulation of data, it was simply stolen.

But if we’re not 100% sure this is China (again, I’m skeptical we have much doubt), maybe we couldn’t be so sure about whether the data has been manipulated or — at the very least — used to compromise our clearance holders.

Why Is Devin Nunes Rushing to Give More Data to Hack-Tastic Department of Energy?

/5 Comments/in /by

On several occasions, I’ve pointed out that the agencies that would automatically receive data shared with the federal government under cybersecurity bills being pushed through Congress aren’t any more secure than Office of Personnel Management, which China hacked in spectacular fashion. Among the worst — and getting worse rather than better — is Department of Energy.

Earlier this week, USAT published more information on how bad things are at DoE.

Cyber attackers successfully compromised the security of U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, according to a review of federal records obtained by USA TODAY.

Incident reports submitted by federal officials and contractors since late 2010 to the Energy Department’s Joint Cybersecurity Coordination Center shows a near-consistent barrage of attempts to breach the security of critical information systems that contain sensitive data about the nation’s power grid, nuclear weapons stockpile and energy labs.

The records, obtained by USA TODAY through the Freedom of Information Act, show DOE components reported a total of 1,131 cyberattacks over a 48-month period ending in October 2014. Of those attempted cyber intrusions, 159 were successful.

Yet at yesterday’s Cyber Threats hearing (around 2 minutes), House Intelligence Chair Devin Nunes suggested he only learned of this detail from USAT’s report. “[J]ust this morning we learned that Department of Energy was successfully hacked 159 times.”

It’s troubling enough that the guy overseeing much of the government’s cybersecurity efforts didn’t already know these details (and I presume that means Nunes is also unaware that DoE has actually been getting worse as the Administration tries to fix major holes). Especially given that DoE is part of the Intelligence Community.

But it’s even more troubling given that HPSCI’s Protecting Cyber Networks Act, like the Senate’s Cyber Intelligence Sharing Act, automatically shares incoming cyber threat data with DoE (and permits private entities to share with DoE directly).

This is the height of irresponsibility. Devin Nunes is rushing to share this data — he pushed for quick passage of these bills in the same breath as noting how insecure DoE is –yet he hadn’t even bothered to review whether the agencies that would get the data have a consistent history of getting pawned.

Nunes did say that we need to ensure these agencies are secure. But the data is clear: DoE isn’t secure.

So why not plug those holes before putting more data in for hackers to get?