
If CyberCom Can’t Beat Reservists, Why Not Split NSA?

ArmyTimes has a story about how CyberCommand service members took on a team of civilian reservists in a cyber war game last year; the civilians handed the active duty team their ass.

When the military’s top cyberwarriors gathered last year inside a secretive compound at Fort Meade, Maryland, for a classified war game exercise, a team of active-duty troops faced off against several teams of reservists.

And the active-duty team apparently took a beating.

“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”

ArmyTimes uses the shellacking to raise questions about the mix between active duty and reservists CyberCommand should be using.

But it seems the exercise ought to also undermine one justification for keeping NSA’s Information Assurance Division, its spying, and CyberCommand unified.

One argument for doing so is that it’s the only way to appropriately measure which vulnerabilities the government should sit on and exploit for its own spying and offensive capabilities, and which it should disclose and patch. The unified CyberCommander — first Keith Alexander and now Admiral Mike Rogers — is the only one who can appropriately measure the trade-offs.

If the military hierarchy — and the article suggests the hierarchy is part of the problem — doesn’t serve the understanding of cyberwar very well, then how is the guy at the top of the hierarchy going to be best able to understand the trade-offs? If his subordinates don’t “even know they’d been attacked,” then how are they able to judge what exploits might be attackable?

Everything about this article, particularly the complementarity of the civilian and military skills it describes, suggests we’d be better served by having someone who recognizes an attack as an attack in charge of keeping our networks safe.

Sadness in the NSA-Telecom Bromance

In his report on an interview with the new Director of NSA, Admiral Mike Rogers, David Sanger gets some operational details wrong, starting with his claim that the new phone dragnet would require an “individual warrant.”

The new phone dragnet neither requires “warrants” (the standard for an order is reasonable suspicion, not probable cause), nor does it require its orders to be tied to “individuals,” but instead requires “specific selection terms” that may target facilities or devices, which in the past have been very very broadly interpreted.

All that said, I am interested in Rogers’ claims Sanger repeats about NSA’s changing relationship with telecoms.

He also acknowledged that the quiet working relationships between the security agency and the nation’s telecommunications and high technology firms had been sharply changed by the Snowden disclosures — and might never return to what they once were in an era when the relationships were enveloped in secrecy.

Oh darn!

Sadly, here’s where Sanger’s unfamiliarity with the details makes the story less useful. Publicly, at least, AT&T and Verizon have had significantly different responses to the exposure of the dragnet (though that may only be because Verizon’s name has twice been made public in conjunction with NSA’s dragnet, whereas AT&T’s has not been), and it’d be nice if this passage probed some of those details.

Telecommunications businesses like AT&T and Verizon, and social media companies, now insist that “you are going to have to compel us,” Admiral Rogers said, to turn over data so that they can demonstrate to foreign customers that they do not voluntarily cooperate. And some are far more reluctant to help when asked to provide information about foreigners who are communicating on their networks abroad. It is a gray area in the law in which American courts have no jurisdiction; instead, the agency relied on the cooperation of American-based companies.

Last week, Verizon lost a longstanding contract to run many of the telecommunications services for the German government. Germany declared that the revelations of “ties revealed between foreign intelligence agencies and firms” showed that it needed to rely on domestic providers.

After all, under Hemisphere, AT&T wasn’t requiring legal process even for domestic call records. I think it possible they’ve demanded the government move Hemisphere under the new phone dragnet, though if they have, we haven’t heard about it (it would only work if they defined domestic drug dealer suspects as associated with foreign powers who have some tie to terrorism). Otherwise, though, AT&T has not made a peep to suggest they’ll alter their decades-long overenthusiastic cooperation with the government.

Whereas Verizon has been making more audible complaints about their plight, long before the Germans started ending their contracts. And Sprint — unmentioned by Sanger — even demanded to see legal support for turning over phone data, including, apparently, turning over foreign phone data under ECPA’s exception in 18 U.S.C. § 2511(2)(f) permitting telecoms to voluntarily provide foreign intelligence data.

Given that background — and the fact ODNI released the opinions revealing Sprint’s effort, if not its name — I am curious whether the telecoms are really demanding process. If courts really had no jurisdiction then it is unclear how the government could obligate production.

Though that may be what Microsoft’s challenge to a government request for email held in Ireland is about, and that may explain why AT&T and Verizon, along with Cisco and Apple — for the most part, companies that have been more reticent about the government obtaining records in the US — joined that suit. (In related news, EU Vice President Viviane Reding says the US request for the data may be a violation of international law.)

Well, if the Microsoft challenge and telecom participation in the request for data overseas is actually an effort to convince the Europeans these corporations are demanding legal process, Admiral Rogers just blew their cover.

Admiral Rogers said the majority of corporations that had long given the agency its technological edge and global reach were still working with it, though they had no interest in advertising the fact.

Dear Ireland and the rest of Europe: Microsoft — which has long been rather cooperative with NSA, up to and including finding a way to obtain Skype data — may be fighting this data request just for show. Love, Microsoft’s BFF, Mike Rogers.

Defund All “Bad Guy” National Security Thinking

Ellen Nakashima has a report on the development of CyberCommand’s national mission teams. Here’s how her anonymous “senior defense official” source described their job.

Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.

“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”

Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”

It’s defense appropriations season, though admittedly too late into the process to do this. But can I suggest an amendment defunding any program or person who discusses targeting in terms of “good guys” and “bad guys”?

Even when discussing physical attacks — say those about to be unleashed on ISIS — it encourages a kind of simplistic thinking. But when discussing online targeting, in which sorting legitimate targets from Big Data chaff should involve a lot of nuanced analysis, and which does happen with little oversight, thinking in such Manichean terms betrays a sloppiness that is unacceptable.

And for both kinds of targeting, physical and digital, presuming we are always the “good guys” fosters a sense of impunity for whatever we do, no matter how rash and — at times — disproportionate our actions are.

Our national security establishment seems to be run by men (mostly men, anyway) with the cognitive sophistication of children. Perhaps we’d be well-served to change that.

Time for an Executive Branch Internet Dragnet

As George Zornick and Josh Hicks laid out (saving me the trouble), the news that IRS lost Lois Lerner’s emails from the period during which she reviewed the tax status of political groups is not all that surprising. After all, there’s a long history of the Executive Branch “losing” emails from a period that ends up being scandalous, including:

  • John Yoo’s emails from the period when he was working with David Addington to pre-authorize torture
  • SEC’s emails on the earliest non-investigations of Bernie Madoff
  • OVP’s emails from the days after DOJ initiated an investigation into the CIA leak case (and 5 million other emails)

I’d add two things to their list. This whole tradition started when the Reagan and Bush White House tried to destroy emails concerning the Iran-Contra scandal. And there’s a parallel tradition of having White House political staff conduct official business on non-White House emails, as both Bush and Obama’s White House have done.

And unfortunately, Steven Stockman hasn’t been paying attention. He asked NSA Director Mike Rogers for the metadata from Lerner’s missing emails. But NSA has already claimed they destroyed all their Internet dragnet records when they shut down the program in 2011. Perhaps Stockman should ask FBI whether they’ve got an Internet dragnet that might have collected on Lois Lerner?

Stockman is a nut.

But he might be onto something here. The government argues it is reasonable to collect all the records of all Americans in order to protect against the worst kinds of crimes people in the US might commit. Yet every time emails go missing, they do so amidst allegations of the worst kind of bad faith from the Executive Branch. If the threat of terrorism justifies comprehensive dragnets, based in part on the possibility the culprits will destroy evidence, then doesn’t the Executive Branch’s serial inability to fulfill its archival responsibilities under the law in the face of allegations of abuse of office do so too?

Besides, making a central repository of all the Executive Branch’s emails would address an asymmetry that corrodes democracy. Such a dragnet would ensure that the governed — and those who represent their interests — will always be able to exercise the same kind of scrutiny on those who govern as the government does on them.

Of course this will never happen, in part for justifiable reasons (cost, the privacy of federal employees), in part for unjustifiable reasons (the Executive would never agree to this). But given that it won’t happen, doesn’t it suggest the NSA’s dragnets shouldn’t either?

Update: In somewhat related news, Ron Wyden and Chuck Grassley are concerned that ODNI’s plan to continually monitor employees to prevent leaks will improperly chill whistleblowers. If someone besides the Intelligence Community tracks that information, then access to the records could be provided more due process.

Keith Alexander’s Bubble Floats into the Sunset of Defense Contractor Sinecures


In a training program developed in 2009, the NSA itself identified abuses it likened to Projects Shamrock and Minaret.

Today, LAT has an extremely friendly exit interview with Keith Alexander that nevertheless depicts the now-retired General as hopelessly lost inside a bubble far removed from those who paid his salary. It depicts Alexander confusing objections to what NSA’s leaders have ordered with what the presumably honorable people who implement those decisions do.

But something else seems likely to shape the legacy of the NSA’s longest-serving director, who retired Friday: something that Alexander failed to anticipate, did not prepare for and even now has trouble understanding.
Thanks to Edward Snowden, a former NSA contractor, the world came to know many of the agency’s most carefully guarded secrets. Ten months after the disclosures began, Alexander remains disturbed, and somewhat baffled, by the intensity of the public reaction.
“I think our nation has drifted into the wrong place,” he said in an interview last week. “We need to recognize that those who are working to protect our nation are not the bad people.”

I find it particularly troubling that Alexander sees in skepticism about authority the nation “drifting into the wrong place.”

The profile goes on to convey Alexander’s laughable belief that what has been depicted since June is the model of oversight.

When Snowden’s disclosures began, Alexander and his deputies knew they were in for a storm. But they felt sure the American public would be comforted when they learned of the agency’s internal controls and the layers of oversight by Congress, the White House and a federal court.
“For the first week or so, we all had this idea that we had nothing to be ashamed of, and that everyone who looked at this in context would quickly agree with us,” Inglis said.
Instead, polls show, many Americans believe that the NSA is reading their emails and listening to their phone calls. A libertarian group put an advertisement in the Washington transit system calling Alexander, a 62-year-old career military officer, a liar. U.S. technology companies are crying betrayal.

Side note: it would be useful if LAT noted that in fact the disclosures do show that the NSA is conducting warrantless back door searches on US person emails, rather than using the conjunction “instead” suggesting this impression is false. And that’s all before you get into the vast collection overseas and upstream for which NSA refuses to count US person data.

I’m particularly interested in Alexander’s attempt to distinguish this scandal from the scandals of the 1970s.

He sees a fundamental difference between the intelligence abuses uncovered by Congress in the 1970s — including revelations that the NSA spied without warrants on domestic dissidents — and the programs exposed by Snowden.
“What the Church and Pike committees found” nearly 40 years ago was “that people were doing things that were wrong. That’s not happening here,” Alexander said, referring to the panels headed by Sen. Frank Church (D-Idaho) and Rep. Otis Pike (D-N.Y.) that examined intelligence-agency activities in that era.

As I have noted repeatedly, 4 years into Alexander’s tenure, the NSA itself likened some of its abuses to Projects Shamrock and Minaret. So perhaps Alexander should at least cede that under his leadership, the NSA was also doing things that it itself considered to be analogues to those earlier scandals (and yes, they violated the law and limits of the programs in question).

Even the LAT conducts a soft fact check of Alexander’s claim that the President’s Review Group and PCLOB found a model of oversight.

Outside reviews, including one released in December by a presidential task force, he said, found that “lo and behold, NSA is doing everything we asked them to do, and if they screw up, they self-report.”
The task force reported it found “no evidence of illegality or other abuse of authority for the purpose of targeting domestic political activity.” But it also noted “serious and persistent instances of noncompliance” with privacy and other rules. Even if unintentional, those violations “raise serious concerns” about the NSA’s “capacity to manage its authorities in an effective and lawful manner,” the report said.

I’d go further, too, and point out that this self-reporting only came with the greater involvement of DOJ’s National Security Division, after years of NSA not reporting these violations. Even months into one of those incidents, the NSA was failing to report its violations to the FISC without NSD involvement.

But perhaps the most egregious example of Alexander’s bubble comes in his assessment of the Snowden leaks themselves.

The ease with which Snowden removed top-secret documents also embarrassed an agency that is supposed to be the first line of defense against cyberattacks.
In July, Alexander offered to resign, but the White House turned him down, he said. He didn’t think holding other senior officials accountable would be right because a massive theft of documents by a systems administrator could not have been foreseen, he added.

Are you kidding me? First, how is it that the NSA couldn’t anticipate the large scale exfiltration of documents via removable media in the 3 years after Chelsea Manning did so? And why didn’t NSA comply with requirements to implement software to prevent just that, the kind of software Alexander insists his agency should have on our private communications? But note what else doesn’t get mentioned, as Alexander rides off into the sunset of generous defense contractor sinecures. Not only didn’t Alexander hold his subordinates responsible, but he didn’t hold Booz responsible, the company under whose lucrative eyeballs Snowden did this work.

As of Friday, the Bubble General is gone into retirement. While I fully expect soon-to-be Admiral Mike Rogers to be just as aggressive in hiding the scope of his programs and doing what he can because he can, I do hope he is not this detached from the reality in which he works.