Did FBI First Request James Risen’s Phone Records Using the CAU Program?

In Josh Gerstein’s report on DOJ’s collection of James Risen’s phone and business records, he quotes University of Minnesota law professor Jane Kirtley saying that the government doesn’t give reporters notice when it collects telephone or business records on them.

Kirtley also said journalists often aren’t notified when the government asks telecom companies, banks or other service providers for their records.

DOJ must inform reporters if their call records have been subpoenaed

That may be the case in practice. But DOJ policy actually requires that journalists receive notice if their phone records are subpoenaed.

(g) In requesting the Attorney General’s authorization for a subpoena for the telephone toll records of members of the news media, the following principles will apply: (1) There should be reasonable ground to believe that a crime has been committed and that the information sought is essential to the successful investigation of that crime. The subpoena should be as narrowly drawn as possible; it should be directed at relevant information regarding a limited subject matter and should cover a reasonably limited time period. In addition, prior to seeking the Attorney General’s authorization, the government should have pursued all reasonable alternative investigation steps as required by paragraph (b) of this section.

(2) When there have been negotiations with a member of the news media whose telephone toll records are to be subpoenaed, the member shall be given reasonable and timely notice of the determination of the Attorney General to authorize the subpoena and that the government intends to issue it.

(3) When the telephone toll records of a member of the news media have been subpoenaed without the notice provided for in paragraph (e)(2) of this section, notification of the subpoena shall be given the member of the news media as soon thereafter as it is determined that such notification will no longer pose a clear and substantial threat to the integrity of the investigation. In any event, such notification shall occur within 45 days of any return made pursuant to the subpoena, except that the responsible Assistant Attorney General may authorize delay of notification for no more than an additional 45 days.

(4) Any information obtained as a result of a subpoena issued for telephone toll records shall be closely held so as to prevent disclosure of the information to unauthorized persons or for improper purposes.

From that we should assume that DOJ got the phone records by subpoenaing Sterling’s records, not Risen’s. But if that’s the case, you’d think the government would have just told Risen that when his lawyer asked whether his records had been subpoenaed back in 2008.

Risen said the government never notified him that they were seeking his phone records. But he said he got an inkling in 2008 that investigators had collected some information about his calls.

“We heard from several people who had been forced to testify to the grand jury that prosecutors had shown them phone records between me and those people—not the content of calls but the records of calls,” he said. “As a result of what they told us, my lawyers filed a motion with the court asking how the Justice Department got these phone records and whether or not they had gotten my phone records.”

“We wanted the court to help us decide whether they had abided by the attorney general’s guidelines,” Risen said. “We never got an answer from the court or the government.”

In other words, there may be no cause for suspicion, except for the suspicious funkiness on the government’s part.

DOJ has refused to inform at least one reporter his or her records were subpoenaed

Now, there is one case we know of where DOJ collected information on a reporter’s phone records and did not inform him or her. The DOJ Inspector General Report on Exigent Letters describes three cases in which reporters’ phone records were collected through the telecom’s onsite Communications Analysis Unit. Two of these were collected using exigent letters; in both, the editors (for stories published in both the NYT and WaPo) and the journalist (for an Ellen Nakashima story) were informed the reporters’ records had been collected.

In the third case, the records were collected with a grand jury subpoena. Here’s what we know about the collection:

  • The investigative team included two federal prosecutors who appear to belong to a counterintelligence group at DOJ, an AUSA from the jurisdiction in which the grand jury was seated who was rubberstamping records for the investigation, the FBI case agent, and intelligence analysts.
  • The FBI case agent asked the CAU agent about how to do a phone records subpoena for the leak investigation, and the CAU agent referred the case agent to the telecom analysts at CAU for help with the subpoena. Following a meeting with (I think) an AT&T analyst, the case agent asked that analyst for boilerplate language to make sure the subpoena was “as encompassing as possible.” It appears from the report (though this information is highly redacted) that the resultant subpoena may have asked for the community of interest of the suspected leaker’s numbers. That is, it appears the subpoena asked for a network analysis of all the people who had directly contacted the target.
  • One of the two prosecutors used that boilerplate language to write up attachments to the subpoena; the rubberstamp AUSA never saw the attachments. This was the first subpoena the rubberstamp AUSA signed in the case.
  • The prosecutor that generated the subpoena claims–with an undated document to back up that claim–that the case agent told him the subpoena would not collect phone records for the reporter that–they both knew at the time–had been in phone contact with the suspected leaker. The case agent, however, did not recall such a discussion and claims it was “very unlikely” such a conversation occurred. The implication of this seems to be that the case agent knew full well he’d be getting the reporter’s call data.
  • In talking to a counterintelligence Special Agent, the prosecutor who generated the subpoena learned that such a subpoena could produce the records of reporters; he also learned there was a way to write the subpoena to avoid that from happening. Once he realized that, he had conversations with other DOJ lawyers and supervisors about what to do; they all agreed to seal the records. Though they sealed the records of the case agent and deleted them from his computer, they didn’t ask what CAU had done with the records, much less ask the CAU analyst to delete the records.
  • When the IG learned about all this, they finally checked whether this information got loaded into the investigative database. The target’s records were entered into the FBI database; the IG did not find any reporters’ information uploaded, though much of the report’s discussion on this topic is redacted.
  • DOJ’s Criminal Division informed the Court overseeing the grand jury of the subpoenas and the “corrective actions” taken.

After learning all this, the IG asked DOJ whether it should have notified the reporter in question per the policy cited above. Here’s what happened:

The Criminal Division and the OIG asked the Department’s Office of Legal Counsel (OLC) to opine on the question when the notification provision in the regulation would be triggered.

The Business Records and Classified (?) Emails of James Risen

Jeffrey Sterling’s lawyers are throwing a number of interesting theories against the wall. In a filing demanding a bill of particulars (and presumably ultimately supporting a greymail defense), they demand to know which “defense information” is tied to each count of leaking or possessing such information, arguing that they need to know that to prevent double jeopardy. As part of that argument, though, they note that the 10 year statute of limitations on this crime exists only to make sure crafty Communists don’t evade the law.

In this case, the Government will surely claim that there is a ten year statute of limitations applicable to violations of 18 U.S.C. 793. See Internal Security Act, Ch. 1024, 64 Stat. 987, P.L. 831 (§19) (1950).

As set forth in the statute, this law was passed, by its terms, because of the then existing threat of global communism.

There exists a world Communist movement which, in its origins, its development, and its present practice, is a world-wide revolutionary movement whose purpose is by treachery, deceit…espionage, sabotage, terrorism, and any other means necessary, to establish a Communist totalitarian dictatorship in the countries throughout the world through the medium of a worldwide Communist organization. Id. at § 2 (1)

In this regard, the Court can see that when this law was passed in 1950, it appears that the Congress extended the statute of limitations applicable to 18 U.S.C. § 793 because the “agents of communism have devised clever and ruthless espionage and sabotage tactics which are carried out in many instances in form and manner successfully evasive of existing law.” Id. at § 2 (11).

As such, the defense reserves the right to challenge the application of this McCarthy era law to the charges in this case which challenge would result in the application of the general five year statute applied to felonies. 18 U.S.C. § 3282.

Sterling is alleged to have leaked to James Risen in 2003; if a 5 year SOL applied, then it would have expired after the time when the Bush DOJ declined to charge Sterling. Charging him at this late date, he seems to suggest, is just McCarthyite.

But the other interesting aspect of this filing is the one Josh Gerstein points out: the details Sterling’s lawyers provide about what they’ve gotten in discovery.

In this case, for example, the United States has provided in unclassified discovery various telephone records showing calls made by the author James Risen. It has provided three credit reports – Equifax, TransUnion and Experian – for Mr. Risen. It has produced Mr. Risen’s credit card and bank records and certain records of his airline travel. The government has also provided a copy of the cover of the book State of War written by Mr. Risen and published in 2006. It has provided receipts and shipping records from Borders and Barnes and Noble indicating that State of War was sold in this District between November 1, 2005 and March 1, 2006.[4] From this document production, it can be inferred that Mr. Risen is Author A and that the “national defense information” at issue can perhaps be found somewhere in State of War.

But State of War is a long book containing many chapters. Just pointing the defense to the book, or even a particular chapter in the book, is not legally sufficient to provide notice.

[4] Count Eight is a mail fraud count under 18 U.S.C. §§1341 & 2, that seeks to hold Mr. Sterling criminally liable for the decision of Author A’s publisher to sell in the Eastern District of Virginia a book allegedly containing “national defense information” obtained from Mr. Sterling. Author A and his publisher are not charged with any crime.

Now, obviously this passage does several things. It sets up a future argument–one that might be modeled on the AIPAC case–that if they’re going to charge mail fraud they also need to charge Risen’s publishers. Also, it exploits the fact that the government has sent an entire book full of highly classified disclosures–including details of the warrantless wiretap program–to introduce selective prosecution. Why is the government choosing to prosecute the alleged leaker of MERLIN information, but not the leakers of the illegal surveillance program?

But it seems Sterling’s lawyers are just as interested in getting details about the government surveillance of Risen into the record.

Now, some of this is unsurprising. We knew the government had Risen’s phone records, because the indictment cites at least 46 phone calls between Risen and Sterling. The indictment also mentions a trip Risen made (presumably to Vienna), so it’s unsurprising they have his credit card and airline information.

But that leaves two other items.

The filing mentions Risen’s three credit reports and bank records. The only possible application of this information in the indictment is the repeated distinction between Risen’s office and his residence. Presumably the latter would show up on the credit report. But that information would also be available by public means (publicly available property records, for example). So why collect Risen’s credit reports and bank records?? Was the government trying to argue Risen was in some way induced to publish this?

Also, given that this would have qualified as a counterintelligence investigation, one wonders whether the government used the PATRIOT Act to collect these records.

More interesting, though, is what Sterling’s lawyers don’t mention in this passage: emails. We know they got emails, since they refer to at least 13 emails between Risen and Sterling (and point out that the emails went through a server conveniently located in the CIA’s home district!). But for some reason, Sterling’s lawyers don’t mention having received the emails in what they specify is “unclassified discovery.”

The probable explanation for that, of course, is that they have received those emails. It’s possible they can’t mention them, though, in an unclassified filing (one clearly targeted to the public), because they were turned over in classified discovery.

It’s troubling that the government collected Risen’s credit report and bank records to develop its case against Sterling. But the possibility that the government considers the email traffic between Risen and Sterling classified suggests some even more troubling possibilities.

When Militaries Conspire to Ignore the Will of the People

The story of the day is from Michael Hastings, fresh off winning a Polk Award for his reporting on the insubordination of key members of Stanley McChrystal’s staff. In today’s story, he describes how Lieutenant General William Caldwell ordered a PsyOp unit to manipulate Senators–including John McCain, Carl Levin, Jack Reed, and Al Franken–to support increased troops and funding for training Afghan soldiers. When the commander of that unit objected, he was investigated and disciplined. (See Jim White’s post on it here.)

It’s a troubling picture of the extent to which individual members of our military will push the war in Afghanistan, knowing how unpopular it is in the States.

But there’s an equally troubling story reporting on the disdain with which our military treats public opinion. Josh Rogin reports on a regularly scheduled meeting between the Pakistani and American military in Oman that took place on Tuesday; because of the Raymond Davis affair, the meeting had heightened importance. The US was represented by, among others, Admiral Mullen and Generals Petraeus, Olson (SOCOM) and Mattis (CENTCOM).

As Rogin describes it, the Americans, whose views were represented in a written summary from General Jehangir Karamat with confirmation from another Pakistani participant, believed the two militaries had to restore the Pakistani-American relationship before it got completely destroyed by the press and the public.

“The US had to point out that once beyond a tipping point the situation would be taken over by political forces that could not be controlled,” Karamat wrote about the meeting, referring to the reported split between the CIA and the Pakistani Inter-services Intelligence (ISI) that erupted following the Davis shooting.

[snip]

“[T]he US did not want the US-Pakistan relationship to go into a free fall under media and domestic pressures,” Karamat wrote. “These considerations drove it to ask the [Pakistani] Generals to step in and do what the governments were failing to do-especially because the US military was at a critical stage in Afghanistan and Pakistan was the key to control and resolution.”

“The militaries will now brief and guide their civilian masters and hopefully bring about a qualitative change in the US-Pakistan Relationship by arresting the downhill descent and moving it in the right direction.” [my emphasis]

In short, the US military wants to make sure that the military intervenes to counteract the fury of the people and the press over the Davis affair.

Now, don’t get me wrong. I’d rather have the military ensure close relations with this nuclear-armed unstable state. I’m cognizant of how, in different situations (notably the Egyptian uprising), close ties between our military and others’ have helped to foster greater democracy. As Dana Priest’s The Mission makes clear, our military has increasingly become the best functioning “diplomatic” service we’ve got. And though I think a great deal of stupidity and arrogance got Davis into the pickle he’s in, I certainly back our government’s efforts to get him returned to our country (Rogin also provides details of the plan to do that).

But particularly coming as it does in the same theater and on the same day as news of PsyOps being waged against my Senator, I’m troubled that our military isn’t more concerned with reining in the behavior that has rightly ticked off so many Pakistanis, rather than coordinating with the Pakistani military to make sure the people of Pakistan’s concerns are ignored.

Thousands of Spooky Americans Doing Who-Knows-What in Pakistan?

As I have followed the Raymond Davis saga, this passage from an early Jeremy Scahill story on the CIA/JSOC/Blackwater programs operating in Pakistan, has haunted me.

The Blackwater operatives also assist in gathering intelligence and help direct a secret US military drone bombing campaign that runs parallel to the well-documented CIA predator strikes, according to a well-placed source within the US military intelligence apparatus.

[snip]

The source said that the program is so “compartmentalized” that senior figures within the Obama administration and the US military chain of command may not be aware of its existence.

That is, back in November 2009, even the Americans claimed not to be sure what people like Davis were doing.

There are a number of versions of stories talking about both the Pakistanis and Americans being clueless about what Raymond Davis was doing, as in this Daily Beast story suggesting the drone strikes halted to give the Americans time to figure out what we were doing in Pakistan.

The U.S. government also has its own questions about what Davis and other shadowy Americans are up to in Pakistan. According to the senior Pakistani official, the U.S. government has only a sketchy notion of what Davis and other security contractors and intelligence agents are actually doing on the ground. As a result, the CIA’s activities in Pakistan have more or less been temporarily shut down, according to the official, while a review of the agency’s activities is carried out. Hence the temporary drone freeze, since the drone program is under the direction of the CIA.

And admittedly, both parties have an incentive to plead ignorance. Plausible deniability, after all.

But what’s striking about this AP version pleading ignorance is the sheer numbers involved.

The ISI fears there are hundreds of CIA contracted spies operating in Pakistan without the knowledge of either the Pakistan government or the intelligence agency, a senior Pakistani intelligence official told the AP in an interview. He spoke only on condition he not be identified on grounds that exposure would compromise his security.

Pakistan intelligence had no idea who Davis was or what he was doing when he was arrested, the official said, adding that there are concerns about “how many more Raymond Davises are out there.”

[snip]

The ISI is now scouring thousands of visas issued to U.S. employees in Pakistan. The ISI official said Davis’ visa application contains bogus references and phone numbers. He said thousands of visas were issued to U.S. Embassy employees over the past five months following a government directive to the Pakistan Embassy in Washington to issue visas without the usual vetting by the interior ministry and the ISI. The same directive was issued to the Pakistan embassies in Britain and the United Arab Emirates, he said.

Within two days of receiving that directive, the Pakistani Embassy issued 400 visas and since then thousands more have been issued, said the ISI official. A Western diplomat in Pakistan agreed that a “floodgate” opened for U.S. Embassy employees requesting Pakistani visas. [my emphasis]

In other words, some time back in September or thereabouts, the Pakistani government opened the floodgates for a bunch–hundreds or thousands–of spooky types who would not be vetted.

Back in the 60s in Vietnam, they called those hundreds and thousands “advisors,” I think.

In any case, at this point, the Pakistanis are making a concerted effort to make it clear (or claim) that they let these thousands into the country with no vetting without first ascertaining what they would be doing. Mind you, they probably did know, at least vaguely. But if these numbers are true, the sheer scope of this program may be one of the big sources of the embarrassment here.

It’s Not the Pakistanis from Whom Papers Were Withholding Davis’ CIA Affiliation

Glenn and I both complained after the US media admitted yesterday it had been sitting on the very obvious news that Raymond Davis was a spook. But I got a number of questions from people who seem to miss the point. Why did I argue for years that Bob Novak shouldn’t have published Valerie Plame’s identity, yet was now arguing that newspapers should have revealed Davis’ affiliation? This article from Michael Calderone gets closer to–but does not directly address–what I think the difference is.

Consider the whole reason why–at least as far as our government claims–we keep spies’ identities secret. It’s to make sure our adversaries don’t know who we’ve got spying on them. Just as a random example (just about all these cautionary claims use a similar formulation), here’s what Robert Gates said about the danger that Wikileaks would reveal the identities of our sources to (in this case) our enemies in Afghanistan.

Intelligence sources and methods, as well as military tactics, techniques and procedures, will become known to our adversaries.

The whole point is to keep spies and their sources’ identities secret from our enemies. (In spite of what some have reported about Aldrich Ames and Valerie Plame and Brewster and Jennings, CIA documents I’ve seen in the Plame case made it clear that the Agency believed Plame’s identity was still secret when Novak published her identity; I also suspect that B&J’s cover role was misunderstood.)

But consider this case. From the very earliest reports on Davis in Pakistan, he has been alleged to be a spook and/or Blackwater. Indeed, as Calderone points out, the people protesting in the streets of Pakistan have long been operating on the assumption that he is a spy.

But the shooting had already sparked a diplomatic crisis, with Pakistani protesters calling for violent retribution against Davis and burning American flags and an effigy of the CIA agent on the street. (The protest against Davis pictured above took place a week ago). And in the Pakistani media—where conspiracy theories involving the CIA are commonplace—Davis had already been pegged as a spy.

Furthermore, we have every reason to believe that Pakistani intelligence (replete with its ties to Al Qaeda and the Taliban) know and knew who Davis is. Members of the ISI have said as much, for starters. Plus, there are the many allegations that the two men whom Davis killed had ties to ISI; if, as it appears, the ISI was tracking Davis, then it’s a sure bet they knew before he was arrested that he was some kind of spook. And if they didn’t know before they arrested him, then there are the items they captured with him, not least his phone, which allegedly had numbers of people in the tribal regions. Thus, regardless of what Davis has said, the ISI likely already has a good idea who his sources are.

So almost all the people we’d like to keep Davis’ identity secret from–the Pakistani government and the Pakistani people–already either knew or have been operating based on the assumption that he is a spy. The one exception, of course, is the Taliban or other extremists, who would no doubt like to know whom Davis was speaking to in their ranks. But to the extent they haven’t already guessed those details, the Pakistani government now must be trusted to keep them secret, if they will. There’s no more or less that the Taliban and Al Qaeda will learn about Davis based solely on US reporting confirming he is a spy.

In other words, had they revealed his CIA affiliation, American newspapers would not have revealed anything to the key people we’re supposed to be protecting Davis’ identity from; those people already knew or assumed it.

So the people from whom American newspapers were withholding the truth about Davis’ identity were not America’s adversaries, but the American readers who hadn’t already read all the Pakistani coverage on Davis.


Raymond Davis: Diplomatic Immunity v. US Impunity

What happens with the Raymond Davis case, in the end, will likely not have very much to do with the Vienna Conventions. For that matter, we likely will never have enough of the unadulterated facts to know what should happen under the Vienna Conventions. But let’s suspend reality and see where an examination of the Vienna Conventions and the competing facts in the Davis case might take us.

As several reports have pointed out, there are numerous Vienna Conventions and the two that are likely to apply to Davis are the Vienna Convention of 1961 on Diplomatic Relations and the Vienna Convention of 1963 on Consular Relations. The VCs get wrapped in and out of discussions of passports and visas – so let’s separate and reassemble.

Diplomatic Passport. Our State Department issues passports needed for travel to other countries. Because of the State Department’s sole control over this document, it is looked at skeptically by Pakistanis in the Davis matter. The US says that, while it was not on him when he was captured and while it may have some discrepancies with other documents, Raymond Davis has a US issued diplomatic passport. Some have gone so far as to make this the equivalent of having diplomatic immunity, without anything more.

But that’s not how it works. Diplomatic immunity is derived, under VC 1961, by being validly attached to the embassy (mission) of a nation in which the “diplomat” is located. A diplomatic passport has no effect to attach someone to an embassy or mission. For example, a diplomat validly attached to the embassy in Iraq could travel to Germany on a diplomatic passport, but would not have immunity in Germany if they were not validly attached to the German embassy. So the question isn’t whether or not Davis had a diplomatic passport (or whether, if so, it was issued to an alias or issued after the fact), but whether he was validly attached to the US embassy at the time of his altercation in Pakistan.

Attachment to the US Mission/Embassy. For someone other than the head of mission, the general rule is that the sending nation (US) can “freely appoint” diplomats to its mission staff (Article 7), with a few caveats, and is then merely required to notify the receiving nation’s foreign ministry of the appointment/addition. The first caveat, also in Article 7, is that if the person being appointed is a military

Raymond Davis’ Work “with” the CIA

After the Guardian confirmed for the Anglo-American world what the rest of the world had already concluded–that Raymond Davis is some kind of spook–the government gave the American outlets that have been sitting on this knowledge the go-ahead to publish it.

The New York Times had agreed to temporarily withhold information about Mr. Davis’s ties to the agency at the request of the Obama administration, which argued that disclosure of his specific job would put his life at risk. Several foreign news organizations have disclosed some aspects of Mr. Davis’s work with the C.I.A., and on Monday, American officials lifted their request to withhold publication.

Yet even though the NYT claims they have been cleared by the government to describe Davis’ “specific job,” the article does no such thing.

Note how none of the usages in the story make it clear whether Davis works for the CIA, for Blackwater, for his own contracting company, or for JSOC:

The American arrested in Pakistan after shooting two men at a crowded traffic stop was part of a covert, C.I.A.-led team of operatives conducting surveillance on militant groups deep inside the country, according to American government officials.

[snip]

carried out scouting and other reconnaissance missions for a Central Intelligence Agency task force

[snip]

Mr. Davis has worked for years as a C.I.A. contractor, including time at Blackwater Worldwide, the controversial private security firm (now called Xe)

[snip]

The officials gave various accounts of the makeup of the covert task force and of Mr. Davis, who at the time of his arrest was carrying a Glock pistol, a long-range wireless set, a small telescope and a headlamp. An American and a Pakistani official said in interviews that operatives from the Pentagon’s Joint Special Operations Command had been assigned to the group to help with the surveillance missions. Other American officials, however, said that no military personnel were involved with the task force.

[snip]

Even before his arrest, Mr. Davis’s C.I.A. affiliation was known to Pakistani authorities, who keep close tabs on the movements of Americans.

[snip]

American officials said that with Pakistan’s government trying to clamp down on the increasing flow of Central Intelligence Agency officers and contractors trying to gain entry to Pakistan, more of these operatives have been granted “cover” as embassy employees and given diplomatic passports.

[snip]

American officials said he operated as part of the Central Intelligence Agency’s Global Response Service in various parts of the country, including Lahore and Peshawar.

[snip]

It is unclear when Mr. Davis began working for the C.I.A., but American officials said that in recent years he worked for the spy agency as a Blackwater contractor and later founded his own small company, Hyperion Protective Services. [my emphasis]

This article leaves open every single possibility–CIA, Blackwater, other contractor, JSOC–with the least likely being that Davis is an employee of the CIA (not least because according to the Pakistanis he makes $200,000). Though the article does make it clear we’re now extending official cover to contractors.

The most likely, I’d guess, is that we’re using Blackwater to employ JSOC folks to get around legal niceties.


Poppy Bush’s Virgin Born Intelligence Knowledge

Jack Goldsmith links to an interesting document from the RummyLeaks library: then Chief of Staff Donald Rumsfeld’s memo to President Ford reviewing possible candidates to replace William Colby as head of the CIA.

But Goldsmith doesn’t call out the most amusing part of the memo: the way that Rummy asserts that Poppy has the intelligence experience to do the job without pointing out where he got that experience.

Where Rummy thought someone had real experience with the CIA he laid that out: Harold Brown’s experience with the NRO and SALT, his and John Foster’s experience with Defense Research and Engineering, Douglas Dillon’s membership on the Rockefeller Committee on the CIA, William Baker and Robert Galvin’s service on the Presidential Foreign Intelligence Advisory Board, Melvin Laird’s service on the Appropriations and Armed Services Committees and Gale McGee’s service on Foreign Relations and Appropriations Committees, Stanley Resor’s service as Secretary of the Army and as member of the Mutual and Balanced Force Reductions delegation, Elliott Richardson’s service as Secretary of Defense. Every single member of the Council on Foreign Relations had that detail noted. For a number of these (particularly those with a research focus), Rummy explained precisely how the experience applied.

But Rummy doesn’t really explain how Bush acquired his general familiarity with intelligence.

This is perhaps most obvious when you compare Rummy’s description of Bob Dole’s qualifications with those of Bush.

Robert J. Dole: 52 years old (this month); U.S. Senator (R-Kansas); Past Chairman, RNC; Lawyer, WWII Service.

Pros: Strong “law and order” image. Confirmable.

Cons: No background in intelligence; no management experience; RNC post raises question over politicization potential.

[snip]

George Bush: 51 years old; Member of Congress; US Ambassador to the UN and subsequently to USLO Peking; Oil producer; Politician.

Pros: Experience in government and diplomacy; generally familiar with the components of the intelligence community and their missions; management experience; high integrity and proven adaptability.

Cons: RNC post lends undesirable political cast.

After all, at this point in their lives, these men shared many of the same resume points: they are nearly exact contemporaries, with World War II experience (though Rummy didn’t mention Poppy’s), time in Congress, and service at the head of the RNC. Yet according to Rummy, Bush had the intelligence experience to lead CIA and Dole did not.

Now, obviously, Bush’s service as Ambassador to the UN and–to an even greater degree–as Ambassador to China would clearly have put him in positions at the front line of the Cold War.

But of course Bush’s most direct experience to be Director of the CIA came from that innocuous other resume point: “oil producer.” Heck, Rummy doesn’t even note by name Bush’s leadership of Zapata Oil, which was reportedly a cover for Bay of Pigs preparation. Russ Baker even found a J. Edgar Hoover note indicating that “Mr. George Bush of the Central Intelligence Agency” was briefed on concerns that the Kennedy assassination would encourage anti-Castro groups to strike at Cuba.

Rummy doesn’t explain any of that background. But then, had he done so, he probably couldn’t have claimed (as he did) that “all 23” candidates “are outsiders to the CIA.”

Lindsey Graham Calls Raymond Davis an “Agent”

AFP has a report (notably picked up by Pakistan’s Dawn) on the Senate’s hand-wringing over whether we should tie aid to Pakistan to the release of Raymond Davis, the “consulate employee” who shot two alleged Pakistani spies. Here’s what Lindsey Graham had to say:

But Senator Lindsey Graham, the top Republican on Leahy’s subcommittee, strongly warned against any rollback of assistance to Pakistan, citing the need for help in the war in Afghanistan and the hunt for suspected terrorists.

“Our relationship’s got to be bigger than this,” Graham said.

“This is a friction point, this is a troubling matter, it doesn’t play well in Afghanistan. We can’t throw this agent over, I don’t know all the details, but we cannot define the relationship based on one incident because it is too important at a time when we’re making progress in Afghanistan,” he said. [my emphasis]

Lindsey, Lindsey, Lindsey! Under Ben Cardin’s proposed law criminalizing leaks (and, frankly, under existing law), you could go to jail for such honesty. Good thing you have immunity as a member of Congress.

Though in the spirit of Bob Novak–who claimed to be thinking of a political professional running congressional campaigns in Dick Cheney’s state when he called Valerie Plame an “operative”–I suppose Graham could claim he just thought Davis serves as some kind of service employee at the consulate, one of the “agents” that help with visas or some such nonsense.

Not that that’ll help the tensions over this incident in Pakistan at all.

Stuxnet: The Curious Incident of the Second Certificate

“Is there any point to which you would wish to draw my attention?”

“To the curious incident of the dog in the night-time.”

“The dog did nothing in the night-time.”

“That was the curious incident,” remarked Sherlock Holmes.

Arthur Conan Doyle (Silver Blaze)

[From ew: William Ockham, who knows a whole lot more about coding than I, shared some interesting thoughts with me about the Stuxnet virus. I asked him to share those thoughts in a post. Thanks to him for doing so!]

The key to unraveling the mystery of Stuxnet is understanding the meaning of a seemingly purposeless act by the attackers behind the malware. Stuxnet was first reported on June 17, 2010 by VirusBlokAda, an anti-virus company in Belarus. On June 24, VirusBlokAda noticed that two of the Stuxnet components, Windows drivers named MrxCls.sys and MrxNet.sys, were signed using the digital signature from a certificate issued to Realtek Semiconductor. VirusBlokAda immediately notified Realtek and on July 16, VeriSign revoked the Realtek certificate. The very next day, a new Stuxnet driver named jmidebs.sys appeared, but this one was signed with a certificate from JMicron Technology. This new Stuxnet driver had been compiled on July 14. On July 22, five days after the new driver was first reported, VeriSign revoked the JMicron certificate.

The question I want to explore is why the attackers rolled out a new version of their driver signed with the second certificate. This is a key question because this is the one action that we know the attackers took deliberately after the malware became public. It’s an action that they took at a time when there was a lot of information asymmetry in their favor. They knew exactly what they were up to and the rest of us had no clue. They knew that Stuxnet had been in the wild for more than a year, that it had already achieved its primary goal, and that it wasn’t a direct threat to any of the computers it was infecting in July 2010. Rolling out the new driver incurred a substantial cost, and not just in monetary terms. Taking this action gave away a lot of information. Understanding why they released a driver signed with a second certificate will help explain a lot of other curious things in the Stuxnet saga.

It’s easy to see why they signed their drivers the first time. Code signing is designed to prove that a piece of software comes from a known entity (using public key infrastructure) and that the software hasn’t been altered. A software developer obtains a digital certificate from a “trusted authority”. When the software is built, the developer’s unique private key, which matches the public key in that certificate, is used to “sign” a hash of the code, and the resulting signature is attached to the software. When the code is executed, this signature can be used to verify with great certainty that the code was signed with that particular certificate’s key and hasn’t changed since it was signed. Because drivers have very privileged access to the host operating system, the most recent releases of Microsoft Windows (Vista, Win7, Win2008, and Win2008 R2) won’t allow the silent installation of unsigned drivers. The Stuxnet attackers put a lot of effort into developing a completely silent infection process. Stuxnet checked which Windows version it was running on and which anti-virus software (if any) was running and tailored its infection process accordingly. The entire purpose of the Windows components of Stuxnet was to seek out installations of a specific industrial control system and infect that. To achieve that purpose, the Windows components were carefully designed to give infected users no sign that they were under attack.

The revocation of the first certificate by VeriSign didn’t change any of that. Windows will happily and silently install drivers with revoked signatures. Believe it or not, there are actually good reasons for Windows to install drivers with revoked signatures. For example, Realtek is an important manufacturer of various components for PCs. If Windows refused to install their drivers after the certificate was withdrawn, there would be a whole lot of unhappy customers.
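The distinction drawn above, as an added example that is not part of the original post and is not Windows' or Authenticode's actual logic: a signature check depends only on the file and the public key, while revocation is separate state the loader must choose to consult. It assumes a toy textbook-RSA key shared by both signers, constructed driver bytes, and hypothetical function names; only the driver names and revocation dates come from the post.

```python
import hashlib
from datetime import date

# Toy textbook-RSA key built from two Mersenne primes (constructed; far too
# small for real use). Stands in for a vendor's code-signing key pair.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer

def digest(code: bytes) -> int:
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % N

def sign(code: bytes) -> int:
    return pow(digest(code), D, N)

def signature_valid(code: bytes, sig: int) -> bool:
    # Needs only the public values (N, E) and the file itself.
    return pow(sig, E, N) == digest(code)

# Revocation dates from the post. This is state held outside the signed file.
REVOKED = {"Realtek": date(2010, 7, 16), "JMicron": date(2010, 7, 22)}

def load_decision(code, sig, signer, today, enforce_revocation):
    if not signature_valid(code, sig):
        return "block: bad signature"
    revoked_on = REVOKED.get(signer)
    if enforce_revocation and revoked_on and today >= revoked_on:
        return "block: certificate revoked"
    return "allow"

def audit(drivers, today):
    """Names of drivers that verify but whose signer is revoked as of today."""
    return [name for name, (code, sig, signer) in drivers.items()
            if signature_valid(code, sig)
            and signer in REVOKED and today >= REVOKED[signer]]

def _signed(code, signer):
    return (code, sign(code), signer)

# Constructed stand-ins for the driver files; only the names come from the post.
DRIVERS = {"MrxCls.sys": _signed(b"constructed stand-in A", "Realtek"),
           "jmidebs.sys": _signed(b"constructed stand-in B", "JMicron")}

if __name__ == "__main__":
    for day in (date(2010, 7, 17), date(2010, 7, 23)):
        print(day, "revoked-signer drivers still verifying:", audit(DRIVERS, day))
```

Because a loader that ignores revocation answers "allow" for every row, the `audit` function is the check a defender has to run separately against a driver inventory.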

The release of a Stuxnet driver signed with a new certificate was very curious for several reasons. As Symantec recently reported [link to large pdf], no one has recovered the delivery mechanism (the Trojan dropper, in antivirus lingo) for this driver. We don’t actually know how the driver showed up on the two machines (one in Kazakhstan and one in Russia) where it was found on July 17, 2010. This is significant because the driver is compiled into the Trojan dropper as a resource. Without a new dropper, there’s no way for that version of the virus to have infected additional computers. And there is no evidence that I’m aware of that Stuxnet with the new driver ever spread to any other machines.
