A Partial Defense of Bill Keller’s Column on Manning

Late Sunday, former New York Times Executive Editor Bill Keller put up an op-ed column at the NYT website on the state of Bradley Manning’s case, his perception of Manning’s motivations and what may have been different had Manning actually gotten his treasure trove of classified information to the Times instead of WikiLeaks. The column is well worth a read, irrespective of your ideological starting point on Mr. Manning.

Bradley Manning has ardent supporters and, predictably, they came out firing at Keller. Greg Mitchell immediately penned a blog post castigating Keller for not sufficiently understanding and/or analyzing the Manning/Lamo chat logs. Kevin Gosztola at Firedoglake also had sharp words for Keller, although, to be fair, Kevin did acknowledge this much:

It is an interesting exercise for Keller. Most of what he said is rational and, knowing Keller’s history, he could have been more venerating in his description of how the Times would have handled Manning.

Frankly, many of the points Mitchell and Gosztola made, which were pretty much representative of a lot of the chatter about Keller’s op-ed on Twitter, were fair criticism even if strident. And part of it seems to simply boil down to a difference in perspective and view with Keller, as evidenced in Keller’s response to inquiry by Nathan Fuller, where he indicates he simply views some things differently.

This is all healthy give and take, difference in view and sober discussion by the referenced

Wondering Wednesday: Suicide in Singapore, Drone Over Brooklyn, and Telco Tattlers

Help me get over the hump and clue me in on a few things. I’ve been scratching my head wondering about these topics.

Suicide in Singapore — The recent “suicide” of a U.S. electronics engineer in Singapore looks fishy to me. It looked not-right to Financial Times as well; it appears no other domestic news outlet picked up this case for investigative reporting before FT. The deceased, who’d worked for a government research institute on a project related to Chinese telecom equipment company Huawei, is alleged to have hung himself, but two details about this case set off my hinky meter.

•  Every photo I’ve seen of engineer Shane Todd depicts a happy chap. Sure, depressed folks can hide their emotions, but compare a photo of his family after his death to photos of him and you’ll see the difference. My gut tells me that if he was truly depressed, he should have looked more like his folks–flat, withdrawn, low affect. Perhaps meds could have messed with his head more than depression itself. But I’m not a psychologist or a pharmacologist, what do I know?

•  Among all the details of the case, it’s said the victim’s face postmortem was white when his body was discovered. This doesn’t strike me as consistent with hanging; there should have been lividity above the ligature. Conveniently, Singapore’s law enforcement cleaned everything up so quickly there was no chance to see the crime scene or the body as found. Law enforcement also snagged the victim’s laptop and all other work-related stored content, save for a hard drive that looked like a speaker. Everything he was working on “disappeared” except for the contents of that drive.

The engineer had been very concerned about technology he was working on and its possible transfer, which included gallium nitride transistors with potential for both commercial and military applications. After poking around for some time on gallium compounds used in various computing, communications and other technology, nothing screams at me as highly sensitive technology that might get someone “suicided.” But…as I went through abstracts, it seems odd there are a substantive number of Chinese researchers working on GaN-based technologies.

Though these two points in particular jar my senses, more than just these two points don’t sit well. Read the story at the link above and see for yourself. (Original FT link here.)

What do you make of this case? Suicide or no? Strategic technology or no?

DOD Uses Sequester to Excuse 5 Year Delay in Implementing Basic Network Security

More than 22 months ago, I wrote a post analyzing Congressional testimony describing the gaping holes in DOD network security 3 years after a nasty malware infection and a year after the publication of Collateral Murder by WikiLeaks.

Almost two years later, Assistant Secretary of Defense Zachary Lemnios says sequestration might hold up improving network security on classified and unclassified networks.

Zachary J. Lemnios, the assistant secretary of defense for research and engineering, was asked by Sen. Rob Portman (R-Ohio) to describe the “most significant” impacts on cybersecurity that could follow from the anticipated cuts to the Pentagon’s budget.

Mr. Lemnios replied that “cuts under sequestration could hurt efforts to fight cyber threats, including […] improving the security of our classified Federal networks and addressing WikiLeaks.”

This is news not just for the specific details offered about how bad DOD’s network security remains (click through for more details). But also for the tacit admission that 3 years after a breach DOD considers tantamount to aiding the enemy, and 5 years after a malware infection that badly affected DOD’s networks in Iraq, DOD still hasn’t completed security enhancements to its networks.

What if China Not Just Hacked — But Sabotaged — the F-35?

Over the last week, two perennial stories have again dominated the news. China continues to be able to hack us — including top DC power players — at will. And the F-35 has suffered another setback, this time a crack in an engine turbine blade (something which reportedly happened once before, in 2007).

The coincidence of these two events has got me thinking (and mind you, I’m just wondering out loud here): what if China did more than just steal data on the F-35 when it hacked various contractors, and instead sabotaged the program, inserting engineering flaws into the plane in the same way we inserted flaws in Iran’s centrifuge development via StuxNet?

We know China has hacked the F-35 program persistently. In 2008, an IG report revealed that BAE and some of the other then 1,200 (now 1,300) contractors involved weren’t meeting security requirements; last year an anonymous BAE guy admitted that the Chinese had been camped on their networks stealing data for 18 months. In April 2009, WSJ provided a more detailed report on breaches going back to 2007.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into.


Jane Harman Now Targeting Individual CyberTargets with Drone Court

Jane Harman’s advocacy for a drone court suffers from the same problem I touched on here (and will lay out at more length in the next day or so): before you can have a Drone and/or Targeted Killing Court, you need some law the court will apply. Harman seems to envision just applying the standards the Executive — not Congress — came up with, which isn’t how Schoolhouse Rock taught me the government is supposed to work.

Congress, in her model, would just be fully apprised of what goes on in the Drone and/or Targeted Killing Court, not write law to limit what can be approved.

But I’m more interested — alarmed, really — by the way Harman seamlessly adds cybertargeting to her advocacy.

The FISA court, renamed the CT Court, could also oversee drones and cyber. A FISA court application must show that specific individuals are connected to a foreign power – which is defined, in part, as a group engaged in international terrorism. Drone and cyber applications could (1) list the individual/cyber target against whom the lethal operation is directed and (2) submit a finding of probable cause that the individual/cyber target is connected to a foreign power, is in a senior operational capacity and poses an imminent threat of violent attack against the United States.

Approved applications for drone strikes and cyberattacks would need to be renewed after a certain period, and discontinued if evidence is presented that the targets no longer meet the criteria. [my emphasis]

Granted, it would have been nice if the government had had to go to a court to explain why a publisher like WikiLeaks should be targeted with a persistent DNS attack, assuming that’s what happened. But given that both our FISA targeting and our targeted killing targeting probably allow for far too much abuse of the First Amendment, I’m not convinced the FISA Court would have noted the problem with that incident of prior restraint.

More generally, though, isn’t Harman’s neat inclusion of cyber targeting here a hint that our cyberattacks have gone beyond just Iran and WikiLeaks?

Why So Surprised? CIA, U.S. Military Knew Chinese Hackers Expected Since 1999

Cover, Unrestricted Warfare via Wikimedia


The breathless reporting about the alleged Chinese hacking at The New York Times is truly annoying because of the shock it displays. The surprise any major government or private corporate entity shows at this point about any network-based security breach that appears to originate from China should be treated as propaganda, or a display of gross ignorance.

In 1999, the CIA’s Foreign Broadcast Information Service published a white paper entitled Unrestricted Warfare, written by the PRC’s Col. Qiao Liang and Col. Wang Xiangsui. The publication outlined the methodologies a nation-state could deploy as part of an asymmetric war. Further, the same work outlined the U.S.’s weaknesses at that time were it to confront such asymmetric warfare. It did not focus on any other nation-state, just the U.S.*

The colonels acknowledged that the U.S.—at the time of the paper—had considered using a range of tools in response to conflicts:

“…There’s no getting around the opinions of the Americans when it comes to discussing what means and methods will be used to fight future wars. This is not simply because the U.S. is the latest lord of the mountain in the world. It is more because the opinions of the Americans on this question really are superior compared to the prevailing opinions among the military people of other nations. The Americans have summed up the four main forms that warfighting will take in the future as: 1) Information warfare; 2) Precision warfare [see Endnote 8]; 3) Joint operations [see Endnote 9]; and 4) Military operations other than war (MOOTW) [see Endnote 10]. This last sentence is a mouthful. From this sentence alone we can see the highly imaginative, and yet highly practical, approach of the Americans, and we can also gain a sound understanding of the warfare of the future as seen through the eyes of the Americans. Aside from joint operations, which evolved from traditional cooperative operations and coordinated operations, and even Air-Land operations, the other three of the four forms of warfighting can all be considered products of new military thinking. General Gordon R. Sullivan, the former Chief of Staff of the U.S. Army, maintained that information warfare will be the basic form of warfighting in future warfare. For this reason, he set up the best digitized force in the U.S. military, and in the world. Moreover, he proposed the concept of precision warfare, based on the perception that “there will be an overall swing towards information processing and stealthy long-range attacks as the main foundations of future warfare.” For the Americans, the advent of new, high-tech weaponry, such as precision-guided weapons, the Global Positioning System (GPS), C4I systems and stealth airplanes, will possibly allow soldiers to dispense with the nightmare of attrition warfare. …”

The rise of military tools like drones for precision-guided stealth attacks was predicted; quite honestly, the PRC’s current cyber warfare could be a pointed response to Gen. Sullivan’s statement about information warfare.

But in acknowledging the U.S.’s future use of MOOTW, the colonels also offered up the most likely approaches in an asymmetric assault or response: trade war, financial war, new terror war in contrast to traditional terror war, ecological war. Of these, they cited a specific example of new terror war entity and attacks:

Enjoy A Valentine’s Day Sampler

Made just for you via cryptogram.com


It’s difficult lately for me to sit down and spend time on a blogpost. I manage a handful of minutes here and there to do reading or research. An email may take hours to draft.

But there’s too much juicy stuff floating around deserving more attention. I’m going to gather content as I see it and aggregate it into a post when I have time, rather than let them slip by. Perhaps you can make more of them than I can.

•  MIT Technology Review acknowledges the dawn of a new age in Welcome to the Malware-Industrial Complex. I’m rather surprised at the tone of this piece; it’s not au courant, rather a bit behind the times since the MIC launched more than a handful of years ago. Two important points emerge: 1) Zero-day exploits are being traded like weaponry–think very hard about the source of these exploits and ask yourself why they are tolerated in government computing environments, let alone any other production environment; 2) This new age is the military face of the paradigm shift from the industrial to the information age. Weapons are information; they are no longer separate from the weapons themselves. With this in mind, the last two grafs of this article display the already-anachronistic thinking of the author and his sources.

•  Syracuse University MA/PhD student Seth Long performs a rather fascinating analysis on alleged cop killer Christopher Dorner’s manifesto. But equally fascinating is his earlier analysis on Ted Kaczynski’s Unabomber manifesto. Compare the two assessments, and then ask yourself what any blogger’s online writings might say about them if Long’s analytical process is eventually automated with algorithms. Scary, hmm?

•  Really great long read at Bloomberg Businessweek on the unmasking of a Chinese hacker by a Dell Computers malware expert. This is a snapshot of asymmetric warfare in progress; it’s not as if China has not told us rather candidly (and more than a decade ago) they would engage us in this manner as well as in other non-internet battlefields. Any surprise on the part of U.S. government officials at this point is utterly ridiculous–it’s either feigned or it’s should-get-another-day-job stupidity.

•  I’m so annoyed by this long read in Aeon Magazine–a really great mag, by the way–that I may yet muster the time to write something longer. Author Damien Walter is rather specious in his identification of a new “creator culture” and its necessity to society’s continued success. The problem isn’t that we need to adopt and nurture a new creator culture; it’s that we killed the one we had quite willingly over the last 25-35 years by offshoring production and the subsequent commodification of goods. We allowed corporations and their one-percenter shareholders to tell us that getting our hands dirty through craftsmanship and in manufacturing was bad (mostly bad for their profit margins). We’ve become a culture that doesn’t fix anything; we buy replacements made overseas in third world countries. We’ve lost our can-do spirit along with this shift, and only recently have both the economic crisis and a new hipster-hobbyist ethos encouraged a resurgence of the do-it-yourself handyperson. Unless we’re conscious of our role in killing creativity, nurturing it again through supporting Etsy and Maker Faires is merely temporary relief from the crush of profit-driven consumerism.

•  But perhaps all of this will be moot tomorrow if the cosmos decides to make a bank shot with asteroid 2012 DA14. This “small” asteroid will fly within 17,200 miles of earth tomorrow afternoon. This is awfully bloody close–close enough that scientists say disruption of cellphone and other satellite service is not impossible, but unlikely. That’s a whisker’s breadth, in cosmic scale. Best to check in tomorrow afternoon after 3:00 pm CST to see if we’re still here. See you then.

Obama Will Propose New Efforts to Make Our Creaky Physically Dangerous Critical Infrastructure CyberSafe

One of Obama’s key proposals in tonight’s State of the Union will be yet another effort to shore up the cybersecurity of our critical infrastructure.

As a threshold matter, I find it a remarkable coinkydink that the WaPo just reported the leaked findings of an NIE saying that the Chinese (and Israelis and Russians and the French, but the Chinese are bigger and badder, apparently) continue to rob us blind via cybertheft. I look forward to learning whether this — unlike the convenient drone rule book leaks supporting John Brennan’s confirmation — gets reported as a sanctioned leak, as required under the Intelligence Authorization.

And speaking of John Brennan, he’s the Homeland Security Czar. A big part of his job is keeping us safe from precisely these kinds of attacks. So why didn’t he get a single question about why he should be CIA Director considering he has been such an abject failure keeping us safe from cyberattacks? (He was asked a question about CIA’s role in cybersecurity, but not asked to explain why he has been such a failure in his current role.)

Now, frankly, I don’t know that that is much John Brennan’s fault. Folks will say that the problem is — as it has been since Richard Clarke first started fearmongering on this front — that corporations won’t participate willingly and no one is going to make them.

But the proposal — which you’ll see if you tune in — doesn’t change that. It’s still voluntary.

And here’s the thing that all the cyberexperts in the world seem to be missing. Not only are the private owners of our critical infrastructure unwilling to fix their cyberdefenses. They’re not willing to keep their brick and mortar infrastructure up to date either. See, for example, PG&E or ConEd’s recent records.

Look, if these companies refuse to keep up their physical infrastructure and their cyber infrastructure, there’s probably an underlying reason motivating their negligence that no amount of immunity or winks or risk-free information sharing on the cyber side is going to fix. Moreover, if they are physically fundamentally unsafe, no amount of tinkering with their cybersecurity is going to make them safe. They’ll be vulnerable to a terrorist attack and be vulnerable to not entirely random failures and explosions.

You need to solve the underlying problem if you want to keep our critical infrastructure safe. And yet another EO, particularly one limited to cybersecurity and not affecting brick and mortar integrity, will not do that.

Updated: Reading Obama’s longer proposal, it does aim to increase the “resiliency” of our physical infrastructure too. So it is not limited to cyber. That said, the underlying problem remains. Private companies aren’t spending the money to invest in this, whether it is physical resilience (or bare minimum functionality) or cyberdefense.

Cables, Confirmed

I’ve long traced the severance and disconnection of various parts of the world from telecommunication cables on this blog, most recently in the wake of Syria losing Toobz access after it purportedly mixed some chemical weapons.

Danger Room’s sources aren’t even asserting that both events–the mixing of the CW on Wednesday and the Intertoobz blackout on Thursday–are both signs of Bashar al-Assad’s panic.

Which would sort of be the default unless intelligence sources had reason to know that the Intertoobz blackout had nothing to do with the CW mixing.

We’ve long traced interesting Intertoobz blackouts caused by cut cables on this blog: the recent blackout in Djibouti, to a cable in the Bay Area, to a number of cut cables in the Middle East back in 2008.

It appears to be an increasingly common tactic, one difficult to attribute to a specific actor.

But if one of those actors comes out a few days after an outage and says they have no reason to find that outage as suspicious as the mixing of CW, maybe it’s not so hard to attribute after all.

One of the interesting revelations in this profile on the guy who shot Osama bin Laden is that sending Seal Team Six to do something with underwater cables is apparently routine enough that that’s what they were told the mission would be before they were read into the real target.

There was so much going on — the Libya thing, the Arab Spring. We knew something good was going to go down. We didn’t know how good.

The first day’s briefing, they actually kind of lied to us, being very vague. They mentioned underwater cables because of the earthquake in Japan or some craziness.

Consider me thoroughly unsurprised.

Mr. Moral Rectitude’s Sleazy Payment

According to Defense News, John Brennan was paid roughly $2,090 a day while working for The Analysis Corporation in 2008. He was paid roughly $8,496 for each of the 20 days he worked in 2009 before he became Obama’s counterterrorism czar.

A review of Brennan’s financial disclosure reports indicates that in 2009, TAC paid him a total of $169,923 in salary and bonus, which has not been previously reported. The financial disclosure reports, submitted as required of all White House employees, don’t say why he’d receive a bonus if he was leaving the company to join the government, or why he’d received such a large salary if he worked for the company for only 20 days that year.

In November 2008, two months before Brennan joined the Obama administration, TAC announced that the CEO was taking a “leave of absence” from the firm. That is, it is not clear that he was actually on the clock for the transition period before he received that $169,000.

Mind you, this isn’t anything that such illustrious people as Dick Cheney haven’t already done (and in larger figures, too).

Tim Shorrock provided some background on the company in his book.

There were questions about Brennan’s ties to his former company when it was part of the investigation into the failure to connect-the-dots before the UndieBomber attempted to strike the US, though as part of an ethics waiver he agreed to recuse himself from anything specifically pertaining to TAC.

The White House has granted a special ethics waiver to allow President Obama’s top counterterrorism adviser to conduct a review of the intelligence and screening breakdown that preceded the failed Christmas Day bombing attempt on an American passenger plane over Detroit.

[snip]

Mr. Brennan, who was a longtime C.I.A. officer, needed the waiver because for more than three years before his current post he was chief executive of the Analysis Corporation, an intelligence firm that provides services to the government. Norm Eisen, the White House ethics counsel, wrote on the White House Web site on Wednesday that Mr. Brennan’s past ties to the company were outweighed by his knowledge of the nation’s intelligence system.

And, of course, Brennan’s the guy who has sacrificed US privacy to get more data in databases.

The umbrella company that has absorbed TAC continues to get lots of contracts doing intelligence analysis.