The Cover Story that Serves as a Cover Story

Check out this sentence, which appears at the end of the Executive Summary of a document purporting to debunk the “cover stories” of detainees who claimed to have traveled to Afghanistan to teach the Koran.

Mujahideen that traveled to Afghanistan following the attacks of 11 September 2001 did so with the knowledge that Usama Bin Laden and Al-Qaida were the likely perpetrators of the attack.

Note the assumptions. First, that the detainees picked up in Afghanistan were, by definition, mujahadeen. The document doesn’t define the term. It does contextualize the term “mujahadeen” within the fight against the Russians, then calls recent “recruits” mujahadeen uncritically. And nowhere in the document does it explain how to assess a detainee’s claim that he was not an active fighter, a trainee at an al Qaeda camp, or even a trainee more generally.

Nowhere does the document address evidentiary problems assessing when a detainee left for Afghanistan and/or arrived there and whether the departure preceded 9/11 (though this is one of the least problematic parts of this statement).

As to the claim that detainees who traveled to Afghanistan after 9/11 did so “with the knowledge that Usama Bin Laden and Al-Qaida were the likely perpetrators of the attack”? Here’s the shoddy proof the document offers for the claim that these detainees, assumed to be trained fighters, knew of 9/11 and Osama bin Laden’s role in it.

There was already speculation on 11 September 2001 as to the origins of the perpetrators of the attacks, and the US Government publicly named Usama bin Laden and Al-Qaida no later than 12 September 2001. Even before this announcement, there were communications between extremists in Afghanistan and elsewhere identifying UBL as the sponsor of the attacks. Prior to the attacks, the recruits would have no way of knowing they would soon be engaged in a battle with a US-led coalition because of the deaths of thousands of innocent people. This does not decrease the recruits [sic] involvement with terrorist groups including Al-Qaida, however, as their travel to Afghanistan and their room and board in the months following their arrival were paid for by the Al-Qaida, the Taliban, and or other supporting extremist groups [sic] fund raising activities and the recruit elected to remain in Afghanistan. Some detainees state they attempted to leave but could not, this too is part of their cover story to show they were not in Afghanistan of their own free will. After 11 September 2001, the new recruits could no longer claim ignorance to the actions of Al-Qaida and the likelihood of hostilities resulting from the US desire to bring those responsible to justice. Therefore, especially following the attacks, Muahideen traveling to Afghanistan did so with the distinct desire to defend UBL and his organization.

Now, there are a lot of basic problems with the claim about speculation that al Qaeda executed the attacks just after 9/11, not least that key players within the Bush Administration were fighting the argument at the time that al Qaeda caused the attack. Ultimately, this amounts to an argument that because Richard Clarke was sure al Qaeda caused the attack, it meant the Americans generally were loudly backing that certainty rather than, for example, trying to turn this into a war against Iraq.

Then there’s the problem that intelligence in US possession by the time this was issued in August 2004 made clear that even Osama bin Laden himself did not expect the US to retaliate as it did. If he was expecting the US to respond with limited missile strikes, then how the hell are purported recruits (ignoring the problem of proving they were recruits) supposed to have expected the full response the US made?

Then there’s the implicit problem–with the reference to Al-Qaida “and or other supporting extremist groups”–that many of these purported mujahadeen weren’t even purportedly training with al Qaeda. Even if they knew al Qaeda carried out the attack, where is the proof that because the US would, at some point in the future, assert that those “supporting extremist groups” were affiliated with the attack, recent recruits of those “supporting” groups had to have known that the US would ultimately deem those groups as supporting as well?

But the really big problem here is the failure to even attempt to establish what the media/communications consumption of someone purporting to be teaching the Koran in rural Afghanistan would have been, and whether it might credibly include awareness of what Richard Clarke was arguing within the Situation Room of the White House in the days right after 9/11 (not least given the assertion that a number of these detainees had limited schooling). I mean, most Americans on September 12, 2001, watching footage of the attack over and over on CNN, probably didn’t know that al Qaeda caused the attack; many still doubt it did. But we’re insisting someone reading the Koran in Afghanistan would know?

It all feels very familiar. When confronted with refutations of their claims that Iraq had WMD before the war, the US repeatedly attributed those refutations–by people like Hans Blix and Mohammed el Baradei (not people who happened to leave for Afghanistan at an inauspicious time)–to Iraqi cover stories. Anything that didn’t confirm their assumptions was, by definition, a cover story. Only, even with all the intelligence claims on Iraq that have been released, we never got to see how shoddy the logic of those arguing it was all a cover story really was.

Seeing the logic, though, I’m not sure which is more appalling and embarrassing: that many people treated this as valid analysis? Or that someone had either such bad logical skills or such a desire to generate propaganda that he’d consider this report a coherent argument?

Gitmo Detainee Files Working Thread

Hi folks, HUGE document dump tonight from the New York Times, NPR, Guardian, El Pais and even the Washington Post tagging in. Heck, just about everybody has them; probably the only people who won’t be able to read the files are … the detainees themselves who, of course, are currently effectively precluded from discussing such things with their lawyers.

At any rate, I am plowing through Charlie Savage’s material at the NYT, and there have been numerous individual filings by the Times tonight. I am going to give the various links in the order they came across the wire tonight and open the floor for discussion:

Initial NYT Article

Second NYT Article

Third NYT Article

Fourth NYT Article

Fifth NYT Article

Official Response From US Govt.

Overall updated joint NYT/NPR Database

Feel free to link and quote into comments anything from any other sources you feel appropriate. Happy hunting!

Have the Spooks Finally Admitted to Congress They’ve Been “Exploiting” Gitmo Detainees as Spies?

Something funny happened yesterday.

The House Armed Services Committee had a hearing on Gitmo Detainee Transfer Policy. According to Carol Rosenberg’s tweeting, up to two hours of the hearing was conducted in closed session before the hearing opened to the public and the witnesses explained that the interesting details–like the “recidivists” names and the amount paid to other countries to accept detainees–are secret (meaning they presumably got reported in that secret session).

DIA’s Ed Mornston says names of ex-#Guantanamo captives who “re-engaged” after release are secret “to protect sources and methods.”

Rosenberg’s story on the hearing reports that fewer of the detainees released under Obama are “reengaging” than the detainees released under Bush.

U.S. intelligence agencies have concluded that three of the 68 Guantanamo detainees released since Barack Obama became president have engaged in terrorism or insurgency, a senior administration official told Congress Wednesday.

[snip]

He declined to say, however, who the men were or where they were sent after Guantanamo. He also wouldn’t say when U.S. intelligence crunched its latest figure.

The rate of so-called return-to-battlefield detainees, however, is far less than what the Defense Intelligence Agency determined it was during the George W. Bush administration. In a report released in December, the DIA reported that 79 of 532 detainees released during the Bush administration had engaged in terrorism or insurgency.

All of which makes me wonder whether the spooks have finally stopped counting detainees whom we’ve recruited as spies to infiltrate al Qaeda as “recidivists.”

While no one ever talks about such things, it is safe to assume the government has been releasing some number of Gitmo detainees with the understanding that they’ll infiltrate (or return to, for the small percentage that actually had ties before Gitmo) al Qaeda and report back to the US on its operations. As Jeff Kaye and Jason Leopold have reported, the US abused detainees in order to get them to spy on others within Gitmo. There were quiet reports that the reason we used torture at Abu Ghraib was to recruit spies. And the example of Jabir al Fayfi, who was released to Saudi Arabia in 2007, underwent the Saudi retraining program, and then “fled” to Yemen, only to return and alert the Saudis to the toner cartridge plot last year, is most easily explained by assuming that Fayfi was a spy, either ours or Saudi Arabia’s.

While no one will ever talk about this, we can be sure that some of the Gitmo detainees who appear to “reengage” are doing so on orders from us.

So how are those former detainees counted? DIA would have a really big incentive to label them “recidivists,” because doing so would be important for their cover. They’re not going to stay alive very long if the US isn’t screaming bloody murder about them returning to the battlefield. But of course, so long as they don’t become double agents (which I would imagine happens a lot, if only because it’s a good way to stay alive for these guys), they aren’t really “recidivists;” rather, they are men who were coerced to become spies and are taking great risks to do so.

Which is why I find yesterday’s hush hush–and today’s lower “recidivism” news–so interesting. By not releasing the names of those who have “reengaged,” DIA presumably makes it easy for these men to sustain their cover. But given the lower numbers, it’s just possible that either we’ve run out of men at Gitmo who agree to spy for us (and so are counting fewer of them as “recidivists”), or we’re simply not counting them fraudulently as “recidivists.”

But consider what else has been going on with these “recidivism” claims: a central reason why we can’t close Gitmo, the fearmongers say, is because people keep “returning” to al Qaeda when we release them.

Well, now the Administration has capitulated on a key Gitmo issue, and voila! The recidivism numbers are lower!

You see why Gitmo is important to the government’s “exploitation” goals, not just for recruiting spies, but also for lying to the American people?

Ongoing Fallout from Raymond Davis Affair Reveals Extent of Our Activities in Pakistan

When the US detained the Kuwaiti-Pakistani Khalid Sheikh Mohammed and interrogated him for years (including at least a month of harsh torture), he revealed a handful of al Qaeda operatives in the US. When Pakistan held the American contractor, Raymond Davis, and–as this NYT article specifies–had Pakistan’s intelligence service ISI interrogate him for 14 days, that appears to have led to the identification of hundreds of Americans working in Pakistan on activities not authorized by the Pakistani government.

As the article reveals, there are four things we’re doing in Pakistan to which the Pakistanis object:

  1. Spying on Pakistan’s nuclear program
  2. Infiltration of Lashkar-e-Taiba, the group that carried out the Mumbai bombing, as well as (the WSJ adds) infiltration of the Haqqani network
  3. Deploying Special Forces personnel in the name of training Frontier Corps but using them to spy instead
  4. Conducting the drone program unilaterally, without sharing targeting information with Pakistan

Now, we knew all of this was going on. Of course we were tracking Pakistan’s nukes; public reports often optimistically (probably over-optimistically) claim we could gain control of their program if the government was ever overturned. The Pakistanis had to know we were infiltrating Lashkar-e-Taiba, since that’s what David Headley was supposedly doing when he participated in the Mumbai bombing.

And it certainly seems like Pakistan knew the details and many of the people involved as well.

But this article provides some numbers. It explains that 335 Special Forces, contractors, and CIA officers are now being sent home. Of that, 40 to 80 are members of the Special Forces who exceeded the quota of 120 Special Forces Pakistan allowed us. The remaining 255-315 must be a combination of contractors and CIA officers whose purpose the US has not shared with the Pakistanis. That’s in addition to whatever contractors we withdrew after Davis was captured.

For the moment, it appears this will shut down two parts of the American war in Pakistan. The US threatened to shut down the training program.

The request by General Kayani to cut back the number of Special Operations forces by up to 40 percent would result in the closure of the training program begun last year at Warsak, close to Peshawar, an American official said.

The United States spent $23 million on a building at Warsak, and $30 million on equipment and training there.

Informed by American officials that the Special Operations training would end even with the partial reduction of 40 percent, General Kayani remained unmoved, the American official said.

And the Pakistanis are asking that the drone program be stopped or, at least, curtailed to its original scope.

In addition to reducing American personnel on the ground, General Kayani has also told the Obama administration that its expanded drone campaign had gotten out of control, a Pakistani official said. Given the reluctance or inability of the Pakistani military to root out Qaeda and Taliban militants from the tribal areas, American officials have turned more and more to drone strikes, drastically increasing the number of strikes last year. The drone campaign, which is immensely unpopular among the Pakistani public, had morphed into the sole preserve of the United States, the Pakistani official said, since the Americans were no longer sharing intelligence on how they were choosing their targets. The Americans had also extended the strikes to new parts of the tribal region, like the Khyber area near the city of Peshawar.

“Kayani would like the drones stopped,” said another Pakistani official who met with the military chief recently. “He believes they are used too frequently as a weapon of choice, rather than as a strategic weapon.” Short of that, General Kayani was demanding that the campaign return to its original, more limited scope and remain focused narrowly on North Waziristan, the prime militant stronghold.

Ultimately, it seems like our efforts were getting close to elements in the ISI and Pakistani military who were involved in what we deem militant activity. We were doing so without sharing our intelligence with the Pakistanis (which has often led to militants being tipped off). So now the Pakistanis are demanding we share that information again.

But negotiations don’t appear to be going well. ISI head Lt. General Ahmed Shuja Pasha left early yesterday from meetings with Leon Panetta and Mike Mullen.

Though the spokesman Marie Harf said that the cooperation between the two agencies remained on “solid footing”, the Pakistani general reportedly cut short his visit abruptly to return home.

Both the US and Pakistani officials did not give any reasons for Shuja curtailing his talks here.

There’s one more thing about this story: US reporting on it, at least, seems to pretend that Davis was captured out of chance. The NYT even repeats the implausible “mugging” story. I’d say that’s unlikely.

Update: Fixed the numbers for special forces personnel. I think.

Another Two-Tier Justice System: for “Unauthorized” Leaks

I’m traveling to Boston today for the National Conference on Media Reform (if you’re in Boston, come see my panel on “Independent Journalism and International Crisis” on Saturday!). So blogging will be light today.

But I wanted to point to one more aspect of the Senate Intelligence Committee’s Intelligence Authorization–one also highlighted by Steven Aftergood. Someone–someone not in the intelligence community, apparently–has decided that intelligence community leakers (but not leakers from other parts of government) should lose their pension if the executive branch unilaterally decides they’ve leaked classified information.

The committee’s explanation for needing the bill is cute, among other reasons, because its concerns about “unauthorized” leaks seem to admit their lack of concern about “authorized” leaks of classified information.

The Committee has had long-standing concerns about unauthorized disclosures of classified information.

Which by itself points to the arbitrariness of our classification system.

But it’s in Ron Wyden’s extensive opposition to the measure where the true arbitrary potential for this becomes clear.

Given these challenges, my concern is that giving intelligence agency heads the authority to take away the pensions of individuals who haven’t been formally convicted of any wrongdoing could pose serious problems for the due process rights of intelligence professionals, and particularly the rights of whistleblowers who report waste, fraud and abuse to Congress or Inspectors General.

Section 403 – as approved by the Select Committee on Intelligence – gives the intelligence agency heads the power to take pension benefits away from any employee that an agency head “determines” has knowingly violated their nondisclosure agreement. But as I noted in the committee markup of this bill, neither the DNI nor any of the intelligence agency heads have asked Congress for this authority. Moreover, as of this writing none of the intelligence agencies have officially told Congress how they would interpret this language.

It is entirely unclear to me which standard agency heads would use to “determine” that a particular employee was guilty of disclosing information. It seems clear that section 403 gives agency heads the power to make this determination themselves, without going to a court of law, but the language of the provision provides virtually no guidance about what standard should be used, or even whether this standard could vary from one agency to the next.

In other words, agency heads will get to decide, unilaterally and in secret, whether they think a former employee has leaked classified information and therefore should lose their pension.

Serving in the intelligence community is already prone to abuse. Since there is almost no transparency, agencies can and have fired people for being unwilling to participate in propaganda or illegal ops. And this would just give intelligence agencies one more tool to retaliate against people if they’re perceived as doing something wrong.

I can’t help but think of Jeff Sterling and this measure. He had a gripe about discrimination. But he also appears to have had a gripe about a really asinine plot to deal nukes to Iran. His case will be tried in court (though the agency already has a huge advantage over him, starting with the fact that they have already invoked state secrets in his case). But now Congress (or someone whispering in Congress’ ear?) wants one more tool to punish people like Sterling, this time with no due process. Moreover, in his case, the government has claimed that leaks to the American public are worse than leaks to our enemies.

The defendant’s unauthorized disclosures, however, may be viewed as more pernicious than the typical espionage case where a spy sells classified information for money. Unlike the typical espionage case where a single foreign country or intelligence agency may be the beneficiary of the unauthorized disclosure of classified information, this defendant elected to disclose the classified information publicly through the mass media. Thus, every foreign adversary stood to benefit from the defendant’s unauthorized disclosure of classified information, thus posing an even greater threat to society.

This measure, which would allow the government to use a two-tier justice system to secretly retaliate against those it claims leaked, seems to reinforce this growing claim that leaks to American citizens are more dangerous than leaks to our enemies.

It seems the government believes the most dangerous spies are those who tell Americans what its government does in their name.

Intelligence Community Will Close Gaping Hole that Allegedly Led to WikiLeaks Disclosure … in 2013

I did a long post yesterday describing how embarrassingly, pathetically bad DOD’s information security was and remains 3 years after a malware attack and a full year after the alleged WikiLeaks leak. Along with DOD’s gaping security problems, I noted that some entities in the intelligence community are still in the process of implementing user authentication which would have exposed someone taking entire databases off of their networks.

While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Information Sharing Executive Corin Stone seems to suggest other parts of the IC are also still implementing the kind of authentication most medium-sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

Just in case the intelligence community can’t get around to providing this fairly common security on our intelligence community networks by their planned timeframe of the first quarter of FY 2012 (which would mean the last quarter of calendar year 2011), the Senate Intelligence Committee is requiring the IC to have a fully operational ability to audit online access by October 2013.

Section 402 requires the Director of National Intelligence, not later than October 1, 2012, to establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information. Section 402 requires that the program be at full operating capability by October 1, 2013.

Not later than December 1, 2011, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the resources required to implement the program and any other issues the Director considers appropriate to include in the report.

In other words, if closing this security gap a year and a half after the leaks are alleged to have occurred is too tough, then they can go ahead and take another year or so to close the barn door.

Though to be fair, this deadline may come directly from the lackadaisical DOD, as the deadlines given here seem to match those DOD aspires to hit.

Now, maybe it’s considered unpatriotic to note that our intelligence community–and its congressional overseers–are tolerating pretty shoddy levels of security all while insisting that they take leaks seriously.

But seriously: if our government is going to claim that leaks are as urgent as it does, if it’s going to continue to pretend that secrets are, you know, really secret, then it really ought to at least pretend to show urgency on responding to the gaping technical issues that will not only protect against leakers, but also provide better cybersecurity and protect against spies. Aspiring to fix those issues years after the fact really doesn’t cut it.

How Many Other Journalists Does the FBI Consider Informants?

Yesterday, the Center for Public Integrity revealed the contents of a secret FBI memo treating a top ABC journalist–who turned out to be Christopher Isham (currently CBS’ DC bureau chief)–as a confidential source for a claim that Iraq’s intelligence service had helped Timothy McVeigh bomb the Murrah Federal Building.

Isham claims he alerted the FBI about the story because there were indications there might be follow-on attacks.

Christopher Isham, a vice president at CBS News and chief of its Washington bureau, later issued a statement denouncing the claims, revealing himself as the subject of the report. Mr. Isham, who worked for ABC News at the time of the bombing, said he would have passed information to the F.B.I. only to try to verify it or to alert the bureau to word of a possible terrorist attack.

“Like every investigative reporter, my job for 25 years has been to check out information and tips from sources,” Mr. Isham said in a statement released through a CBS spokeswoman. “In the heat of the Oklahoma City bombing, it would not be unusual for me or any journalist to run information by a source within the F.B.I. for confirmation or to notify authorities about a pending terrorist attack.”

Only, it turns out that Vince Cannistraro–who had told ABC the story while serving as a consultant for them and had, in turn, been told the tale by a Saudi General–had already told the FBI himself.

That source, Vincent Cannistraro, a former Central Intelligence Agency official who was a consultant for ABC News at the time, said in an interview that Mr. Isham had done something discourteous, perhaps, but not improper.

“I was working for ABC as a consultant,” he said. “I was not a confidential source.”

Mr. Cannistraro added, however, that he would have preferred it if Mr. Isham had told him that he had passed along the tip. “I was not told that Chris was also going to talk to them. And he certainly didn’t tell me.”

Now, aside from Isham ultimately revealing that his story came from Cannistraro, it seems to me the ethical questions on the part of ABC and Isham are misplaced. Isham’s call to the FBI to confirm or deny a tip really can’t be faulted.

The problem seems to lie in two issues: how ABC treated Cannistraro, and how the FBI treated Isham.

First, Cannistraro fed ABC an inflammatory tip, apparently without confirming it. Given that he was a consultant to ABC, was it his job to second source that material? As it happens, since both Cannistraro and Isham reported the tip to the FBI, it worked like a stove pipe, giving the FBI the appearance of two sources when the story derived from the same Saudi General. And how much other bullshit did Cannistraro feed ABC over the years? It’s not even necessary that Cannistraro do this deliberately–if sources knew he was an ABC consultant, particularly if they knew the information would be treated this way, it’d be easy to stovepipe further inflammatory information right to the screens of the TV. And who owns the source relationship, then, the understanding that the source can be burned for planting deliberate, inflammatory misinformation designed to stoke an illegal war?

In other words, the way ABC treated Cannistraro as a consultant muddled journalistic lines in ways that may have led to less than responsible journalism.

It wouldn’t be the first time networks’ relationships with “consultants” had compromised their reporting.

And then there’s the FBI. Anonymous sources are reassuring the NYT that Isham wasn’t really treated as a snitch, even though the report that CPI has seems to treat him as such. This seems more like FBI trying to cover its tracks–reassure other journalists the FBI isn’t typing up source reports every time a journalist calls the FBI for confirmation of a tip–than anything else. So how often does the FBI, having been asked to confirm information by a journalist, start an informant file on that tip?

And what is the relationship that evolves between the FBI and that source over the years? That is, if the FBI treats journalists who confirm information with them as sources, filing reports like this one that, if revealed, would reflect badly on the journalist, then what will the journalist do in the future when the FBI feeds him shit?

One Year After Collateral Murder Release, DOD’s Networks Are Still Glaring Security Problem

As I have posted several times, the response to WikiLeaks has ignored one entity that bears some responsibility for the leaks: DOD’s IT.

Back in 2008, someone introduced malware to DOD’s computer systems. In response, DOD announced it would no longer allow the use of removable media in DOD networks. Yet that is precisely how Bradley Manning is reported to have gotten the databases allegedly leaked. In other words, had DOD had very basic security measures in place they had already been warned they needed, it would have been a lot harder for anyone to access and leak these documents.

Often, when I have raised this issue, people are simply incredulous that DOD’s classified network would be accessible to removable media (and would have remained so two years after malware was introduced via such means). But it’s even worse than that.

A little-noticed Senate Homeland Security hearing last month (Steven Aftergood is one of the few people who noticed) provided more details about the status of DOD’s networks when the leaks took place and what DOD and the rest of government have done since. The short version is this: for over two months after DOD arrested Bradley Manning for allegedly leaking a bunch of material by downloading information onto a Lady Gaga CD, DOD and the State Department did nothing. In August, only after WikiLeaks published the Afghan War Logs, they started to assess what had gone wrong. And their description of what went wrong reveals not only how exposed DOD was, but how exposed it remains.

Two months to respond

Bradley Manning was arrested on or before May 29. Yet in spite of claims he is alleged to have made in chat logs about downloading three major databases, neither DOD nor State started responding to the leak until after the Afghan War Logs were published on July 25, 2010.

The joint testimony of DOD’s Chief Information Officer Teresa Takai and Principal Deputy Under Secretary for Intelligence Thomas Ferguson explains,

On August 12, 2010, immediately following the first release of documents, the Secretary of Defense commissioned two internal DoD studies. The first study, led by the Under Secretary of Defense for Intelligence (USD(I)), directed a review of DoD information security policy. The second study, led by the Joint Staff, focused on procedures for handling classified information in forward deployed areas.

In other words, “immediately” (as in, more than two weeks) after the publication of material that chat logs (published two months earlier) had clearly explained that Manning had allegedly downloaded via Lady Gaga CD months earlier, DOD commissioned two studies.

As State Department Under Secretary of Management Patrick Kennedy explained, their response was no quicker.

When DoD material was leaked in July 2010, we worked with DoD to identify any alleged State Department material that was in WikiLeaks’ possession.

It wasn’t until November–at around the time when NYT was telling State precisely what they were going to publish–that State started responding in earnest. At that time–over four months after chat logs showed Manning claiming to have downloaded 250,000 State cables–State moved its Net Centric Diplomacy database from SIPRNet (that is, the classified network) to JWICS (the Top Secret network).

DOD’s exposed IT networks

Now, frankly, State deserves almost none of the blame here. Kennedy’s testimony made it clear that, while the WikiLeaks leak has led State to tighten its limits on removable media access, it has systems in place to track precisely who is accessing data where.

DOD won’t have that across their system for another year, at least.

There are three big problems with DOD’s information security. First, as the Takai/Ferguson testimony summarized,

Forward deployed units maintained an over-reliance on removable electronic storage media.

It explains further that to make sure people in the field can share information with coalition partners, they have to keep a certain number of computers accessible to removable media.

The most expedient remedy for the vulnerability that led to the WikiLeaks disclosure was to prevent the ability to remove large amounts of data from the classified network. This recommendation, forwarded in both the USD(I) and Joint Staff assessments, considered the operational impact of severely limiting users’ ability to move data from SIPRNet to other networks (such as coalition networks) or to weapons platforms. The impact was determined to be acceptable if a small number of computers retained the ability to write to removable media for operational reasons and under strict controls.

As they did in 2008 after malware was introduced via thumb drive, DOD has promised to shut off access to removable media (note, Ferguson testified thumb drives, but not CDs, have been shut down for “some time”). But 12% of the computers on SIPRNet will still accept removable media, though DOD is in the process of implementing real-time Host Based Security System tracking of authorized and unauthorized attempts to save information to removable media on those computers.

In response to a very frustrated question from Senator Collins, Ferguson explained that DOD started implementing a Host Based Security System in 2008 (the year DOD got infected with malware). But at the time of the leak, just 40% of the systems in the continental US had that system in place, and it had not been implemented outside of the US at all. It wasn’t deployed overseas, he explained, because a lot of the systems in the field “are cobbled together.”

In any case, HBSS software will be in place by June. (Tech folks: Does this mean those computers are still vulnerable to malware introduced by removable media? What about unauthorized software uploads?)

Then there’s data access control. DOD says it can’t (won’t) password protect access to information because managing passwords to control the access of 500,000 people is too onerous for an agency with a budget larger than Australia’s gross national product. Frankly, that may well be a fair approach given the importance of sharing information.

But what is astounding is that DOD is only now implementing public key infrastructure that will, first of all, make it possible to track what people access and–some time after DOD collects that data–to start fine tuning what they can access.

DoD has begun to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card. This is very similar to the Common Access Card (CAC) we use on our unclassified network. We will complete issuing 500,000 cards to our SIPRNet users, along with card readers and software, by the end of 2012. This will provide very strong identification of the person accessing the network and requesting data. It will both deter bad behavior and require absolute identification of who is accessing data and managing that access.

In conjunction with this, all DoD organizations will configure their SIPRNet-based systems to use the PKI credentials to strongly authenticate end-users who are accessing information in the system. This provides the link between end users and the specific data they can access – not just network access. This should, based on our experience on the unclassified networks, be straightforward.

DoD’s goal is that by 2013, following completion of credential issuance, all SIPRNet users will log into their local computers with their SIPRNet PKI/smart card credential. This will mirror what we already do on the unclassified networks with CACs.

[Takai defines what they’re doing somewhat just before 88:00]

Note what this says: DOD is only now beginning to issue the kind of user-based access keys to protect its classified network that medium-sized private companies use. And unless I’m misunderstanding this, it means DOD is only now upgrading the security on its classified system to match what already exists on its unclassified system.

Let’s hope nothing happens between now and that day in 2013 when all this is done.

And this particular problem appears to exist beyond DOD. While the two DIA witnesses mostly blew smoke rather than providing a real sense of where security stands (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC are also still implementing the kind of authentication most medium sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

So that’s the issue of removable media and individualized access tracking.

Which leaves one more big security hole. According to Takai/Ferguson, DOD didn’t–still didn’t, as of mid-March–have the resources in place to detect anomalous behavior on its networks.

Limited capability currently exists to detect and monitor anomalous behavior on classified computer networks.

This confirms something Manning said in chat logs: no one is following the activity occurring on our networks in Iraq (or anywhere else on SIPRNet, from the sounds of things), and flagging activities that might be an intrusion.
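The two controls the testimony describes, a short list of hosts that may still write to removable media and audit review that flags questionable behavior, are easy to sketch. The following is an added example, not code from the post or from DOD’s HBSS/AEM; the host names, user ids, event format and thresholds are all constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The "small number of computers" kept able to write removable media for
# coalition sharing. Host names are constructed for this example.
AUTHORIZED_MEDIA_HOSTS = {"ws-coalition-07"}

def parse_event(line):
    """Parse one constructed 'timestamp user host action detail' audit line."""
    ts, user, host, action, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "detail": detail}

def review_events(lines, authorized_hosts=AUTHORIZED_MEDIA_HOSTS,
                  bulk_threshold=100, window=timedelta(minutes=10)):
    """Return alerts for two patterns the post discusses: a removable-media
    write from a host not on the authorized list, and one user retrieving
    `bulk_threshold` or more records inside `window` (one alert per user,
    raised the first time the threshold is crossed)."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent FETCH events
    flagged = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] == "MEDIA_WRITE" and ev["host"] not in authorized_hosts:
            alerts.append(("UNAUTHORIZED_MEDIA_WRITE", ev["user"], ev["host"]))
        elif ev["action"] == "FETCH":
            q = recent[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= bulk_threshold and ev["user"] not in flagged:
                flagged.add(ev["user"])
                alerts.append(("BULK_RETRIEVAL", ev["user"], len(q)))
    return alerts

def constructed_sample():
    """Constructed audit lines: userA pulls 150 records in five minutes and then
    writes media on a field workstation; userB writes media on the authorized
    coalition host; userC reads three records."""
    t0 = datetime(2010, 3, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} userA ws-fob-01 FETCH cable-{i}"
             for i in range(150)]
    lines.append(f"{(t0 + timedelta(minutes=6)).isoformat()} userA ws-fob-01 MEDIA_WRITE cdrw")
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()} userB ws-coalition-07 MEDIA_WRITE cdrw")
    lines += [f"{(t0 + timedelta(hours=2, seconds=i)).isoformat()} userC ws-fob-02 FETCH cable-{i}"
              for i in range(3)]
    return lines

if __name__ == "__main__":
    for alert in review_events(constructed_sample()):
        print(alert)
```

Per-user attribution of the FETCH events is exactly what the PKI smart-card rollout is meant to provide; without it, the audit trail only names a workstation.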

The part of the Takai/Ferguson testimony that details very hazy plans to think about maybe implementing such a system (pages 6-7) is worth a gander just for the number of acronyms of titles of people who are considering maybe what to implement some time in the future. It’s all a bunch of bureaucratic camouflage, IMO, to avoid saying clearly, “we haven’t got it and we haven’t yet figured out how we’re going to get it.” But here are the two most concrete descriptions of what the Department of Defense plans to do to make sure no one is fiddling in their classified networks. First, once they get HBSS completely installed, then they will install an NSA audit program on top of that.

One very promising capability is the Audit Extraction Module (AEM) developed by the National Security Agency (NSA). This software leverages already existing audit capabilities and reports to the network operators on selected audit events that indicate questionable behavior. A great advantage is that it can be integrated into the HBSS we have already installed on the network, and so deployment should be relatively inexpensive and timely. AEM is being integrated into HBSS now and will be operationally piloted this summer.

But in the very next paragraph, Takai/Ferguson admit there are better solutions out there. Yet DOD (again, with its budget larger than the GNP of most medium sized countries) can’t implement those options.

Commercial counterintelligence and law enforcement tools – mostly used by the intelligence community – are also being examined and will be a part of the overall DoD insider threat program. These tools provide much more capability than the AEM. However, while currently in use in some agencies, they are expensive to deploy and sustain even when used in small, homogeneous networks. Widespread deployment in DoD will be a challenge.

In other words, DOD wants to be the biggest part of the intelligence community. But it and its budget bigger than Brazil’s GNP won’t implement the kind of solutions the rest of the intelligence community uses.

Department. Of. Defense.

Now, let me be clear: DOD’s embarrassingly bad information security does not, in any way, excuse Bradley Manning or the other “bad apples” we don’t know about from their oath to protect this information. (Note, there was also testimony that showed DOD’s policies on information sharing were not uniformly accessible, but that’s minor compared to these big vulnerabilities.)

But in a world with even minimal accountability, we’d be talking about fixing this yesterday, not in 2013 (five years, after all, after the malware intrusion). We’d have fired the people who let this vulnerability remain after the malware intrusion. We’d aspire to the best kind of security, rather than declaring helplessness because our very expensive DOD systems were kluged together. And we’d be grateful, to a degree, that this was exposed with as little reported damage as it has caused.

If this information is really classified for good reason, as all the hand-wringers claim, then we ought to be using at least the kind of information security implemented by the private sector a decade ago. But we’re not. And we don’t plan on doing so anytime in the near future.

Darrell Issa Complains that Janet Napolitano Took a Whole Year to Change Michael Chertoff’s Inefficient FOIA Process

Darrell Issa has no credibility when it comes to matters of transparency. We’ve seen Issa’s rank hypocrisy in the past. He dismissed concerns about Karl Rove doing business on RNC emails as a political stunt. And he suggested that apparently deliberate attempts to dismantle email archives at the White House were all about technology.

So I’m not surprised his loud complaints that Department of Homeland Security politicized the FOIA process turned out to be oversold.

As it happens, both Issa’s and Elijah Cummings’ reports on this seem to miss the forest for the trees.

At issue is the process by which top DHS officials review–and are alerted to–sensitive FOIA releases. The policy in place up until July 2010 was put in place in 2006. That is, under Michael Chertoff. As I understand it, when certain high level issues were due to be released, the Secretary’s office (whether it be Chertoff or Janet Napolitano) would be emailed the materials for review. In some cases, that review identified additional information that, for legal FOIA reasons, needed to be redacted. In other cases, this review process simply alerted the Secretary to something he or she would be asked about in the press.

In other words, Darrell Issa is complaining about a process–and a burdensome email review process–inherited from Michael Chertoff. Since then, DHS has introduced an intranet system that has gotten the Secretarial review time down to one day.

In addition, Issa appears to ignore how DHS has gotten rid of the largest FOIA backlog in history. In 2006, according to Mary Ellen Callahan’s testimony, DHS had a backlog of 98,000 requests. When Napolitano took over, that backlog was 74,000 requests. The backlog is now 11,000.

This is the kind of thing Darrell Issa is bitching about.

Now I do have certain questions about what sparked all of this. Issa first latched onto the issue after this AP report–the most serious allegations of which the AP subsequently admitted they could not confirm. Call me crazy, but given the centrality of bad blood between a few career staffers here, I’d suggest the original article came right out of that bad blood. (And perhaps not coincidentally, the article came out in the same month as DHS switched to the more efficient Intranet process.)

But it also sounds like Napolitano was particularly concerned about being alerted to sensitive requests in the early years of the Administration.

Unless I missed it, no one mentioned this debacle, Napolitano’s embarrassment with the release of a Bush-initiated report on right wing domestic extremism. Mind you, witnesses admitted that part of the concern arose from the release of information that had been generated under the Bush Administration, so it’s possible that this report was the reason for the sensitivity.

But I wonder whether part of the problem here all stems from the fact that the Bush DHS initiated a study on right wing extremists that was subsequently spun as a Napolitano project.

US Intelligence Operatives in Libya, Before a Finding, Sounds Like JSOC

Mark Hosenball, who yesterday broke the news that Obama had issued a Finding authorizing the CIA to operate covertly in Libya in the last 2-3 weeks, today says “intelligence operatives” were on the ground before Obama signed that Finding.

U.S. intelligence operatives were on the ground in Libya before President Barack Obama signed a secret order authorizing covert support for anti-Gaddafi rebels, U.S. government sources told Reuters. The CIA personnel were sent in to contact opponents of Libyan leader Muammar Gaddafi and assess their capabilities, two U.S. officials said.

[snip]

The president — who said in a speech on Monday “that we would not put ground troops into Libya” — has legal authority to send U.S. intelligence personnel without having to sign a covert action order, current and former U.S. officials said.

Within the last two or three weeks, Obama did sign a secret “finding” authorizing the CIA to pursue a broad range of covert activities in support of the rebels.

Congressional intelligence committees would have been informed of the order, which the officials said came after some CIA personnel were already inside Libya.

Now, one explanation for this is simply that Obama sent JSOC–under the guise of preparing the battlefield–rather than CIA. It sounds like the practice–first exploited by Cheney–that the government has used frequently in the last decade of ever-expanding Presidential authority.

Indeed, House Intelligence Chair Mike Rogers’ claim that he must authorize covert action, but hasn’t, sounds like the kind of complaint we’ve frequently gotten when the President bypassed the intelligence committees by claiming DOD was simply preparing the battlefield.

And Hosenball’s nuanced language about “boots,” that is, military, on the ground, may support that view.

Furthermore, we know there are a slew of British Special Forces on the ground in Libya. So why not Americans, too?

Hosenball is not saying this explicitly, yet. And he does refer to “CIA operatives” (who could be in Libya to simply collect information). But all the subtext of this article suggests that our special forces have been on the ground since before any Finding, which in turn suggests they may have been there longer than 2-3 weeks (the timeframe given for the Finding).

This is all a wildarsed overreading of Hosenball at this point. But if I’m right, then it would mean Obama would be using the shell game he adopted from Cheney to engage in war without Congressional oversight.