Posts

HPSCI: We Must Spy Like Snowden To Prevent Another Snowden

I was going to write about this funny part of the HPSCI report anyway, but it makes a nice follow-up to my post on Snowden and cosmopolitanism, on the importance of upholding American values to keeping the servants of hegemon working to serve it.

As part of its attack on Edward Snowden released yesterday, the House Intelligence Committee accused Snowden of attacking his colleagues’ privacy.

To gather the files he took with him when he left the country for Hong Kong, Snowden infringed on the privacy of thousands of government employees and contractors. He obtained his colleagues’ security credentials through misleading means, abused his access as a systems administrator to search his co-workers’ personal drives, and removed the personally identifiable information of thousands of IC employees and contractors.

I have no doubt that many — most, perhaps — of Snowden’s colleagues feel like he violated their privacy, especially as their identities are now in the possession of a number of journalists. So I don’t make light of that, or the earnestness with which HPSCI’s sources presumably made this complaint (though IC employee privacy is one of the things all journalists who have reported these stories have redacted, to the best of my knowledge).

But it’s a funny claim for several reasons. Even ignoring that what the NSA does day in and day out is search people’s personal communications (including millions of innocent people), this kind of broad access is the definition of a SysAdmin.

HPSCI apparently never had a problem with techs getting direct access to our dragnet metadata, as they had and (now working in pairs) still have, for those of us two degrees away from a suspect.

Plus, HPSCI has never done anything publicly to help the 21 million clearance holders whose PII China now holds. Is it possible they’re more angry at Snowden than they are at China’s hackers, who have more ill-intent than Snowden?

But here’s the other reason this complaint is laugh-out-loud funny. HPSCI closes its report this way:

Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure. Although it is impossible to reduce the change of another Snowden to zero, more work can and should be done to improve the security of the people and the computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee had yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.

First, that timeline — showing an effort to improve network security in each year following the Snowden leaks — is completely disingenuous. It neglects to mention that the Intel Committees have actually been trying for longer than that. In the wake of the Manning leaks, it became clear that DOD’s networks were sieve-like. Congress tried to require network monitoring in the 2012 Intelligence Authorization. But the Administration responded by insisting 2013 — 3 years after Manning’s leaks — was too soon to plug all the holes in DOD’s networks. One reason Snowden succeeded in downloading all those files is because the network monitoring hadn’t been rolled out in Hawaii yet.

So HPSCI is trying to pretend Intel Committee past efforts didn’t actually precede Snowden by several years, but those efforts failed to stop Snowden.

The other reason I find this paragraph — which appears just four paragraphs after it attacks Snowden for the invasion of his colleagues’ privacy — so funny is that in the 2014 Intelligence Authorization (that is, the first one after the Snowden leaks), HPSCI codified an insider threat program, requiring the Director of National Intelligence to,

ensure that the background of each employee or officer of an element of the intelligence community, each contractor to an element of the intelligence community, and each individual employee of such a contractor who has been determined to be eligible for access to classified information is monitored on a continual basis under standards developed by the Director, including with respect to the frequency of evaluation, during the period of eligibility of such employee or officer of an element of the intelligence community, such contractor, or such individual employee to such a contractor to determine whether such employee or officer of an element of the intelligence community, such contractor, and such individual employee of such a contractor continues to meet the requirements for eligibility for access to classified information;

This insider threat program searches IC employees hard drives (one of Snowden’s sins).

Then, the following year, HPSCI got even more serious, mandating that the Director of National Intelligence look into credit reports, commercially available data, and social media accounts to hunt down insider threats, including by watching for changes in ideology like those Snowden exhibited, developing an outspoken concern about the Fourth Amendment.

I mean, on one hand, this isn’t funny at all — and I imagine that Snowden’s former colleagues blame him that they have gone from having almost no privacy as cleared employees to having none. This is what people like Carrie Cordero mean when they regret the loss of trust at the agency.

But as I have pointed out in the past, if someone like Snowden — who at least claims to have had good intentions — can walk away with the crown jewels, we should presume some much more malicious and/or greedy people have as well.

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

The Intelligence world has gotten itself into a pickle, at once demanding that a great deal of information be shared broadly, while trying to hide what information that includes, even from American citizens. It aspires to be at once an enormous fire hose and a leak-proof faucet. That is the inherent impossibility of letting the secret world grow so far beyond management — trying to make a fire hose leak proof.

Some people in the IC get that — I believe this is one of the reasons James Clapper has pushed to rein in classification, for example.

But HPSCI, the folks overseeing the fire hose? They don’t appear to realize that they’re trying to replicate and expand Snowden’s privacy violations, even as they condemn them.

Two (Three, Four?) Data Points on DNC Hack: Why Does Wikileaks Need an Insurance File?

Actually, let me make that three data points. Or maybe four.

First, Reuters has reported that the DCCC has also been hacked, with the hacker apparently believed to be the same entity (APT28, also believed to be GRU). The hackers created a spoof version of ActBlue, which donors use to give money to campaigns.

The intrusion at the group could have begun as recently as June, two of the sources told Reuters.

That was when a bogus website was registered with a name closely resembling that of a main donation site connected to the DCCC. For some time, internet traffic associated with donations that was supposed to go to a company that processes campaign donations instead went to the bogus site, two sources said.

The sources said the Internet Protocol address of the spurious site resembled one used by Russian government-linked hackers suspected in the breach of the DNC, the body that sets strategy and raises money for the Democratic Party nationwide.

That would mean hackers were after either the donations themselves, the information donors have to provide (personal details including employer and credit card or other payment information), or possibly the bundling information tied to ActBlue.

Second, Joe Uchill, who wrote one of the stories — on two corrupt donors to the Democratic Party — that preceded both publication at the Guccifer 2 site and Wikileaks, said Guccifer gave him the files for the story because Wikileaks was dawdling in publishing what they had.

Screen Shot 2016-07-29 at 12.59.01 PM
Guccifer posted some of the documents Uchill used here.

This detail is important because it says Julian Assange is setting the agenda (and possibly, the decision to fully dox DNC donors) for the Wikileaks release, and that agenda does not perfectly coincide with Guccifer’s (which is presumed to be a cut-out for GRU).

As I’ve noted, Wikileaks has its own beef with Hillary Clinton, independent of whom Vladimir Putin might prefer as President or any other possible motive for Russia to do this hack.

Now consider this bizarre feature of several high level leak based stories on the hack: the claim of uncertainty about how the files got from the hackers to Wikileaks. This claim, from NYT, seems bizarrely stupid, as Guccifer and Wikileaks have both said the former gave the latter the files.

The emails were released by WikiLeaks, whose founder, Julian Assange, has made it clear that he hoped to harm Hillary Clinton’s chances of winning the presidency. It is unclear how the documents made their way to the group. But a large sampling was published before the WikiLeaks release by several news organizations and someone who called himself “Guccifer 2.0,” who investigators now believe was an agent of the G.R.U., Russia’s military intelligence service

The claim seems less stupid when you consider these two cryptic comments from two equally high level sourced piece from WaPo. In a story on FBI’s certainty Russia did the hack(s), Ellen Nakashima describes that the FBI is less certain that Russia passed the files to Wikileaks.

What is at issue now is whether Russian officials directed the leak of DNC material to the anti-secrecy group WikiLeaks — a possibility that burst to the fore on the eve of the Democratic National Convention with the release of 20,000 DNC emails, many of them deeply embarrassing for party leaders.

The intelligence community, the officials said, has not reached a conclusion about who passed the emails to WikiLeaks.

“We have not drawn any evidentiary connection to any Russian intelligence service and WikiLeaks — none,” said one U.S. official. Doing so will be a challenge, in part because the material may not have been passed electronically. [my emphasis]

The claim appears this way in a more recent report.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

Now, the doubts about whether the files were passed electronically is thoroughly fascinating. I assume the NSA has Assange — and potentially even the Wikileaks drop — wired up about 100 different ways, so the questions about whether the files were passed electronically may indicate that they didn’t see them get passed in such a fashion.

Add in the question of whether they’re even the same emails! We know the DCCC hack is targeting donor information. The Wikileaks release included far more than that. Which raises the possibility GRU is only after donor information (which is part of, but just one part of, what Guccifer has released).

But then there’s this detail. On June 17, Wikileaks released an insurance file — a file that will be automatically decrypted if Wikileaks is somehow impeded from releasing the rest of the files. It has been assumed that the contents of that file are just the emails that were already released, but that is almost certainly not the case. After all, Wikileaks has already released further documents (some thoroughly uninteresting voice mails that nevertheless further impinge on the privacy of DNC staffers). They have promised still more, files they claim will be more damaging. Indeed, Wikileaks claims there’s enough in what they have to indict Hillary, though such claims should always be taken with a grain of salt. Correction: That appears to have been a misunderstanding about what Assange said about the previously released State emails.

But here’s the other question.

There’s no public discussion of Ecuador booting Assange from their Embassy closet (though I’m sure they’re pretty tired of hosting him). His position — and even that of Wikileaks generally — seems pretty stable.

So why does Assange believe they need an insurance file? I don’t even remember the last time they issued an insurance file (update: I think it was when they released an insurance file of Chelsea Manning’s documents). So is there someone else in the process that needs an insurance file? Is there someone else in the process that would use the threat of full publication of the files (which presumably is going to happen anyway) to ensure safety?

I’ll leave that question there.

That said, these data point confirms there are at least two players with different motivations: Wikileaks, and the Russian hackers. But the FBI isn’t even certain whether the files the Russians took are the same that Wikileaks released, which might suggest a third party.

Meanwhile, James Clapper (who thankfully is willing to poo poo claims that hacks that we ourselves do are unique) seems very interested in limiting the panic about this hack.

Update: Oh! I forgot this fifth data point. This absolutely delightful take-down of Debbie Wasserman Schultz includes this claim that Wikileaks has malware in its site, which I’ve asked around and doesn’t seem to be true.

Staff members were briefed in a Tuesday afternoon meeting in Washington that their personal data was part of the hack, as were Social Security numbers and other information for donors, according to people who attended. Don’t search WikiLeaks, they were told — malware is embedded throughout the site, and they’re looking for more data.

Who told the DNC Wikileaks is releasing malware, and why?

Update: here’s what the malware claim is about: When it posted the “AKP emails,”  WL either added or did not remove a bunch of malware included in those emails, and as a result, that malware is still posted at the site. That is, the malware is associated with a separate set of documents available at the site.

Jim Comey, Poker Face, and the Scope of the Clinton Investigation(s)

Screen Shot 2016-07-07 at 10.11.04 PMI write this post reluctantly, because I really wish the Hillary investigations would be good and over. But I don’t think they are.

After having watched five and a half hours of the Clinton investigation hearing today, I’ve got new clarity about what the FBI has been doing for the last year. That leads me to believe that this week’s announcement that DOJ will not charge Clinton is simply a pause in the Clinton investigation(s). I believe an investigation will resume shortly (if one is not already ongoing), though that resumed investigation will also end with no charges — for different reasons than this week’s declination.

First, understand how this all came about. After the existence of Hillary’s server became known, State’s IG Steve Linick started an investigation into it, largely focused on whether Hillary (and other Secretaries of State) complied with Federal Records Act obligations. In parallel, as intelligence agencies came to complain about State’s redactions of emails released in FOIA response, the Intelligence Committee Inspector General Charles McCullough intervened in the redaction process and referred Clinton to the FBI regarding whether any classified information had been improperly handed. As reported, State will now resume investigating the classification habits of Hillary and her aides, which will likely lead to several of them losing clearance.

The FBI investigation that ended yesterday only pertained to that referral about classified information. Indeed, over the course of the hearing, Comey revealed that it was narrowly focused, examining the behavior of only Clinton and four or five of her close aides. And it only pertained to that question about mishandling classified information. That’s what the declination was based on: Comey and others’ determination that when Hillary set up her home-brew server, she did not intend to mishandle classified information.

This caused some consternation, early on in the hearing, because Republicans familiar with Clinton aides’ sworn testimony to the committee investigating the email server and Benghazi were confused how Comey could say that Hillary was not cleared to have her own server, but aides had testified to the contrary. But Comey explained it very clearly, and repeatedly. While FBI considered the statements of Clinton aides, they did not review their sworn statements to Congress for truth.

That’s important because the committee was largely asking a different question: whether Clinton used her server to avoid oversight, Federal Record Act requirements, the Benghazi investigation, and FOIA. That’s a question the FBI did not review at all. This all became crystal clear in the last minutes of the Comey testimony.

Chaffetz: Was there any evidence of Hillary Clinton attempting to avoid compliance with the Freedom of Information Act?

Comey: That was not the subject of our criminal investigation so I can’t answer that sitting here.

Chaffetz: It’s a violation of law, is it not?

Comey: Yes, my understanding is there are civil statutes that apply to that. I don’t know of a crimin–

Chaffetz: Let’s put some boundaries on this a little bit — what you didn’t look at. You didn’t look at whether or not there was an intention or reality of non-compliance with the Freedom of Information Act.

Comey: Correct.

Having started down this path, Chaffetz basically confirms what Comey had said a number of times throughout the hearing, that FBI didn’t scrutinize the veracity of testimony to the committee because the committee did not make a perjury referral.

Chaffetz: You did not look at testimony that Hillary Clinton gave in the United States Congress, both the House and the Senate?

Comey: To see whether it was perjurious in some respect?

Chaffetz: Yes.

Comey: No we did not.

[snip]

Comey: Again, I can confirm this but I don’t think we got a referral from Congressional committees, a perjury referral.

Chaffetz: No. It was the Inspector General that initiated this.

Now, let me jump to the punch and predict that OGR will refer at least Hillary’s aides, and maybe Hillary herself, to FBI for lying to Congress. They might even have merit in doing so, as Comey has already said her public claims about being permitted to have her own email (which she repeated to the committee) were not true. Plus, there’s further evidence that Hillary used her own server precisely to maintain control over them (that is, to avoid FOIA).

That said, there are two reasons why Hillary and her aides won’t be prosecuted for lying to Congress: James Clapper and Scott Bloch.

Clapper you all know about. The Director of National Intelligence — unlike Clinton — was not under oath when he spectacularly lied to Ron Wyden. Nor was he referred to DOJ for prosecution. But that recent lie will make FBI hesitate.

DOJ will hesitate even more given the history of Scott Bloch. bmaz has written a slew of posts about this but the short version is that the former Office of Special Counsel lied to this very committee and wiped his hard drive to obscure that fact. He ultimately pled guilty, but when the magistrate handling the case pointed out that the plea carried a minimum one month sentence, Bloch and DOJ went nuts and tried to withdraw his plea. bmaz and a bunch of whistleblowers who had been poorly treated by Bloch went nuts in turn. All to no avail. After DOJ claimed there were secret facts that no one understood, the court agreed to sentence Bloch to just one day in jail.

In other words, to keep one of their own out of jail, DOJ made expansive claims about how unimportant lying to Congress is. Even assuming DOJ would ignore their own recent historical claims about the frivolity of lying to Congress, Hillary’s lawyers could use that precedent to argue that lying to Congress has, effectively, been decriminalized (unilaterally by the Executive Branch!).

So FBI will investigate it. Comey might even refer, this time, for prosecution, because the evidence is actually far stronger that Hillary used her own server to avoid oversight (and that she was less than forthcoming about that to Congress). But that, too, won’t be prosecuted because you basically can’t prosecute lying to Congress after the Bloch case.

Which brings me to the funniest part of this exchange with Chaffetz (which, coming as it did in the last minutes of the hearing, has escaped most notice).

Chaffetz: Did you look at the Clinton Foundation?

Comey: I’m not going to comment on the existence or non-existence of any other investigation.

Chaffetz: Was the Clinton Foundation tied into this investigation?

Comey: I’m not going to answer that.

Understand: Comey had already commented on the existence or non-existence of other investigations, commenting at length on the non-investigation of questions pertaining to FOIA and FRA, even describing how many people (four to five) were subjects of this investigation. Comment on non-existence of investigation, comment on non-existence of investigation, comment on non-existence of investigation.

And for what it’s worth, the Clinton Foundation probably couldn’t have been part of the scope of this, given that this was only focused on four to five people (note, a Clinton Foundation investigation would better explain why FBI gave Brian Pagliano immunity, another topic on which Comey would not comment).

But when asked about the Clinton Foundation, he claimed he couldn’t say. All of a sudden, refusal to comment on existence or non-existence of investigation.

Now, I’m just going to say I don’t think anything will come of that, because I doubt FBI would clear Hillary on one issue but not the related one (plus, given SCOTUS’ ruling in the Bob McDonnell case, it probably became impossible to prosecute any Clinton Foundation violations). But Comey’s answer does make it clear that FBI considers questions about improperly handling classified information, avoiding FOIA and other oversight, lying about avoiding FOIA, and deals made with the Clinton Foundation to be different things.

I think that doesn’t change that Hillary won’t be indicted. But I do think she will continue to be investigated in conjunction with questions about what she did and said to avoid FOIA and other oversight.

Update: This post has been tweaked.

Some Legislative Responses to Clinton’s Email Scandal

The Republicans have reverted to their natural “Benghazi witchhunt” form in the wake of Jim Comey’s announcement Tuesday that Hillary Clinton and her aides should not be charged, with Comey scheduled to testify before the House Oversight Committee at 10 AM.

Paul Ryan wrote a letter asking James Clapper to withhold classified briefings from Hillary. And the House Intelligence Committee is even considering a bill to prevent people who have mishandled classified information from getting clearances.

In light of the FBI’s findings, a congressional staffer told The Daily Beast that the House Intelligence Committee is considering legislation that could block security clearances for people who have been found to have mishandled classified information in the past.

It’s not clear how many of Clinton’s aides still have their government security clearances, but such a measure could make it more difficult for them to be renewed, should they come back to serve in a Clinton administration.

“The idea would be to make sure that these rules apply to a very wide range of people in the executive branch,” the staffer said. (Clinton herself would not need a clearance were she to become president.)

It’s nice to see the same Republicans who didn’t make a peep when David Petraeus kept — and still has — his clearance for doing worse than Hillary has finally getting religion on security clearances.

But this circus isn’t really going to make us better governed or safer.

So here are some fixes Congress should consider:

Add some teeth to the Federal/Presidential Records Acts

As I noted on Pacifica, Hillary’s real crime was trying to retain maximal control over her records as Secretary of State — probably best understood as an understandable effort to withhold anything potentially personal combined with a disinterest in full transparency. That effort backfired spectacularly, though, because as a result all of her emails have been released.

Still, every single Administration has had at least a minor email scandal going back to Poppy Bush destroying PROFS notes pertaining to Iran-Contra.

And yet none of those email scandals has ever amounted to anything, and many of them have led to the loss of records that would otherwise be subject to archiving and (for agency employees) FOIA.

So let’s add some teeth to these laws — and lets mandate and fund more rational archiving of covered records. And while we’re at it, let’s ensure that encrypted smart phone apps, like Signal, which diplomats in the field should be using to solve some of the communication problems identified in this Clinton scandal, will actually get archived.

Fix the Espionage Act (and the Computer Fraud and Abuse Act)

Steve Vladeck makes the case for this:

Congress has only amended the Espionage Act in detail on a handful of occasions and not significantly since 1950. All the while, critics have emerged from all corners—the academy, the courts, and within the government—urging Congress to clarify the myriad questions raised by the statute’s vague and overlapping terms, or to simply scrap it and start over. As the CIA’s general counsel told Congress in 1979, the uncertainty surrounding the Espionage Act presented “the worst of both worlds”:

On the one hand the laws stand idle and are not enforced at least in part because their meaning is so obscure, and on the other hand it is likely that the very obscurity of these laws serves to deter perfectly legitimate expression and debate by persons who must be as unsure of their liabilities as I am unsure of their obligations.

In other words, the Espionage Act is at once too broad and not broad enough—and gives the government too much and too little discretion in cases in which individuals mishandle national security secrets, maliciously or otherwise.

To underscore this point, the provision that the government has used to go after those who shared classified information with individuals not entitled to receive it (including Petraeus, Drake, and Manning), codified at 18 U.S.C. § 793(d), makes it a crime if:

Whoever, lawfully having possession of, access to, control over, or being entrusted with any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted … to any person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to the officer or employee of the United States entitled to receive it …

This provision is stunningly broad, and it’s easy to see how, at least as a matter of statutory interpretation, it covers leaking—when government employees (“lawfully having possession” of classified information) share that information with “any person not entitled to receive it.” But note how this doesn’t easily apply to Clinton’s case, as her communications, however unsecured, were generally with staffers who were“entitled to receive” classified information.

Instead, the provision folks have pointed to in her case is the even more strangely worded § 793(f), which makes it a crime for:

Whoever, being entrusted with or having lawful possession or control of [any of the items mentioned in § 793(d)], (1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or (2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed … fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer …

Obviously, it’s easy to equate Clinton’s “extreme carelessness” with the statute’s “gross negligence.” But look closer: Did Clinton’s carelessness, however extreme, “[permit] … [classified information] to be removed from its proper place of custody or delivered to anyone in violation of [her] trust”? What does that even mean in the context of intangible information discussed over email? The short answer is nobody knows: This provision has virtually never been used at least partly because no one is really sure what it prohibits. It certainly appears to be focused on government employees who dispossess the government of classified material (like a courier who leaves a satchel full of secret documents in a public place). But how much further does it go?

There’s an easy answer here, and it’s to not use Clinton as a test case for an unprecedented prosecution pursuant to an underutilized criminal provision, even if some of us think what she did was a greater sin than the conduct of some who have been charged under the statute. The better way forward is for Congress to do something it’s refused to do for more than 60 years: carefully and comprehensively modernize the Espionage Act, and clarify exactly when it is, and is not, a crime to mishandle classified national security secrets.

Sadly, if Congress were to legislate the Espionage Act now, they might codify the attacks on whistleblowers. But they should not. They should distinguish between selling information to our adversaries and making information public. They should also make it clear that intent matters — because in the key circuit, covering the CIA, the Pentagon, and many contractors, intent hasn’t mattered since the John Kiriakou case.

Eliminate the arbitrariness of the clearance system

But part of that should also involve eliminating the arbitrary nature of the classification system.

I’ve often pointed to how, in the Jeffrey Sterling case, the only evidence he would mishandle classified information was his retention of 30-year old instructions on how to dial a rotary phone, something far less dangerous than what Hillary did.

Equally outrageous, though, is that four of the witnesses who may have testified against Sterling, probably including Bob S who was the key witness, have also mishandled classified information in the past. Those people not only didn’t get prosecuted, but they were permitted to serve as witnesses against Sterling without their own indiscretions being submitted as evidence. As far as we know, none lost their security clearance. Similarly, David Petraeus hasn’t lost his security clearance. But Ashkan Soltani was denied one and therefore can’t work at the White House countering cyberattacks.

Look, the classification system is broken, both because information is over-classified and because maintaining the boundaries between classified and unclassified is too unwieldy. That broken system is then magnified as people’s access to high-paying jobs are subjected to arbitrary review of security clearances. That’s only getting worse as the Intelligence Community ratchets up the Insider Threat program (rather than, say, technical means) to forestall another Manning or Snowden.

The IC has made some progress in recent years in shrinking the universe of people who have security clearances, and the IC is even making moves toward fixing classification. But the clearance system needs to be more transparent to those within it and more just.

Limit the President’s arbitrary authority over classification

Finally, Congress should try to put bounds to the currently arbitrary and unlimited authority Presidents claim over classified information.

As a reminder, the Executive Branch routinely cites the Navy v. Egan precedent to claim unlimited authority over the classified system. They did so when someone (it’s still unclear whether it was Bush or Cheney) authorized Scooter Libby to leak classified information — probably including Valerie Plame’s identity — to Judy Miller. And they did so when telling Vaughn Walker could not require the government to give al Haramain’s lawyers clearance to review the illegal wiretap log they had already seen before handing it over to the court.

And these claims affect Congress’ ability to do their job. The White House used CIA as cover to withhold a great deal of documents implicating the Bush White House in authorizing torture. Then, the White House backed CIA’s efforts to hide unclassified information, like the already-published identities of its torture-approving lawyers, with the release of the Torture Report summary. In his very last congressional speech, Carl Levin complained that he was never able to declassify a document on the Iraq War claims that Mohammed Atta met with a top Iraqi intelligence official in Prague.

This issue will resurface when Hillary, who I presume will still win this election, nominates some of the people involved in this scandal to serve in her White House. While she can nominate implicated aides — Jake Sullivan, Huma Abedin, and Cheryl Mills — for White House positions that require no confirmation (which is what Obama did with John Brennan, who was at that point still tainted by his role in torture), as soon as she names Sullivan to be National Security Advisor, as expected, Congress will complain that he should not have clearance.

She can do so — George Bush did the equivalent (remember he appointed John Poindexter, whose prosecution in relation to the Iran-Contra scandal was overturned on a technicality, to run the Total Information Awareness program).

There’s a very good question whether she should be permitted to do so. Even ignoring the question of whether Sullivan would appropriately treat classified information, it sets a horrible example for clearance holders who would lose their clearances.

But as far as things stand, she could. And that’s a problem.

To be fair, legislating on this issue is dicey, precisely because it will set off a constitutional challenge. But it should happen, if only because the Executive’s claims about Navy v. Egan go beyond what SCOTUS actually said.

Mandate and fund improved communication system

Update, after I posted MK reminded me I meant to include this.

If Congress is serious about this, then they will mandate and fund State to fix their decades-long communications problems.

But they won’t do that. Even 4 years after the Benghazi attack they’ve done little to improve security at State facilities.

Update: One thing that came up in today’s Comey hearing is that the FBI does not routinely tape non-custodial interviews (and fudges even with custodial interviews, even though DOJ passed a policy requiring it). That’s one more thing Congress could legislate! They could pass a simple law requiring FBI to start taping interviews.

Happy Flag-Waving Drone Document Dump

ODNI (update–and now I Con the Record) has released its report on the number of drone deaths. The overview is that the US intelligence community is reporting (more on that in a second) far, far fewer drone deaths than credible outside researchers do. (TBIJ, New American, Long War Journal)

Screen Shot 2016-07-01 at 2.06.46 PM

The IC numbers are for strikes occurring outside areas of active hostilities, which currently includes Afghanistan, Iraq, and Syria, but might have — the report doesn’t say one way or another — included other places, like Pakistani tribal lands, when these drone strikes happened.

The report acknowledges that this number differs dramatically from these of outside researchers, though it doesn’t include a footnote to permit those who don’t already know the players to compare, which betrays a real lack of confidence in its own analysis. A footnote would also permit readers to see the degree to which NGOs have done granular analysis, as compared to ODNI’s 3 line table.

Plus, it doesn’t acknowledge this discrepancy until after it suggests these other numbers — which I believe are actually more consistent with each other than the IC’s numbers are with them — come from terrorist propaganda, a claim it repeats a second time before the end of the 3-page report.

The large volume of pre- and post-strike data available to the U.S. Government can enable analysts to distinguish combatants from non-combatants, conduct detailed battle damage assessments, and separate reliable reporting from terrorist propaganda or from media reports that may be based on inaccurate information.

In releasing these figures, the U.S. Government acknowledges that there are differences between U.S. Government assessments and reporting from non-governmental organizations. Reports from non-governmental organizations can include both aggregate data regarding non-combatant deaths as well as case studies addressing particular strikes, and generally rely on a combination of media reporting and, in some instances, field research conducted in areas of reported strikes. Although these organizations’ reports of non-combatant deaths resulting from U.S strikes against terrorist targets outside areas of active hostilities vary widely, such reporting generally estimates significantly higher figures for non-combatant deaths than is indicated by U.S. Government information. For instance, for the period between January 20, 2009 and December 31, 2015, non-governmental organizations’ estimates range from more than 200 to slightly more than 900 possible non-combatant deaths outside areas of active hostilities.

[snip]

Finally, non-governmental organizations’ reports of counterterrorism strikes attributed to the U.S. Government—particularly their identification of non-combatant deaths—may be further complicated by the deliberate spread of misinformation by some actors, including terrorist organizations, in local media reports on which some non-governmental estimates rely.

The IC report also suggests that it derives such a low civilian casualty figure by defining belligerent broadly, to include people like drivers and cooks — but don’t you worry, that doesn’t mean that every single military aged male counts as a belligerent (I will check but I suspect the IC’s numbers likely could not be so low without counting some women as belligerents, which might happen if they do things like cook).

Non-combatants are individuals who may not be made the object of attack under applicable international law. The term “non-combatant” does not include an individual who is part of a belligerent party to an armed conflict, an individual who is taking a direct part in hostilities, or an individual who is targetable in the exercise of U.S. national self-defense. Males of military age may be non-combatants; it is not the case that all military-aged males in the vicinity of a target are deemed to be combatants.

[snip]

The U.S. Government draws on all available information (including sensitive intelligence) to determine whether an individual is part of a belligerent party fighting against the United States in an armed conflict; taking a direct part in hostilities against the United States; or otherwise targetable in the exercise of national self-defense. Thus, the U.S. Government may have reliable information that certain individuals are combatants, but are being counted as non-combatants by nongovernmental organizations. For example, further analysis of an individual’s possible membership in an organized armed group may include, among other things: the extent to which an individual performs functions for the benefit of the group that are analogous to those traditionally performed by members of a country’s armed forces; whether that person is carrying out or giving orders to others within the group; or whether that person has undertaken certain acts that reliably connote meaningful integration into the group.

The ACLU is due to get more documents from the precipitating FOIA that may explain better how broadly the government has defined belligerent (remember–these strikes are all in areas outside of active hostilities).

Perhaps the most interesting part of the report is this repeated language:

a summary of information provided to the DNI

The assessed range of non-combatant deaths provided to the DNI

The information that was provided to the DNI

based on the information provided to the DNI

according to information provided to the DNI

That is, the ODNI may be releasing this information. But they’re sure as hell not vouching for it. I find that particularly interesting given that, in May, I had to explain to ODNI that the National Security Letter numbers they were getting (and publishing in transparency reports) from FBI were probably unreliable.

These numbers don’t even, apparently, reflect the kind of rigor that would involve an outside agency reviewing the CIA’s numbers. Instead, the CIA (and presumably, in more limited cases, DOD) provided numbers to ODNI, and ODNI is — as ordered by the President — passing those numbers on.

At least you can be sure this isn’t terrorist propaganda.

Update: Micah Zenko gets at what I find to be the most striking aspect of this: the disparity between the number of strikes. Averaging the 3 main trackers, Zenko figures there were 578 strikes, as compared to the claimed ODNI number of 473. This is a huge discrepancy (the government only counts 82% of what the NGOs collectively count as strikes).

Such a big discrepancy may come from various places, two obvious ones being strikes considered to be in areas of active hostilities (say, the Pakistani border) not being counted in the ODNI tally, or strikes conducted by the home country (chiefly, Pakistan or Yemen, but I’d include Saudi Arabia in there). Given how low the civilian casualties are, then, it’s possible ODNI is counting as domestic the most lethal strikes.

SEC Says Hackers Like NSA Are Biggest Threat to Global Financial System

Reuters reports that, in the wake of criminals hacking the global financial messaging system SWIFT both via the Bangladesh central and an as-yet unnamed second central bank, SEC Commissioner Mary Jo White identified vulnerability to hackers as the top threat to the global financial system.

Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.

Banks around the world have been rattled by a $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.

The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.

“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she said.

“As we go out there now, we are pointing that out.”

Of course, the criminals in Bangladesh were not the first known hackers of SWIFT. The documents leaked by Snowden revealed NSA’s elite hacking group, TAO, had targeted SWIFT as well. Given the timing, it appears they did so to prove to the Europeans and SWIFT that the fairly moderate limitations being demanded by the Europeans should not limit their “front door” access.

Targeting SWIFT (and credit card companies) is probably not the only financial hacking NSA has done. One of the most curious recommendations in the President’s Review Group, after all, was that “governments” (including the one its report addressed, the US?) might hack financial institutions to change the balances in financial accounts.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

After which point, James Clapper started pointing to similar attacks as a major global threat.

I don’t mean to diminish the seriousness of the threat (though I still believe banksters’ own recklessness is a bigger threat to the world financial system). But the NSA should have thought about the norms they were setting and the impact similar attacks done by other actors would have, before they pioneered such hacks in the first place.

James Clapper’s Latest Effort To Fearmonger about Snowden’s Damage

In addition to getting him to admit the US can’t fix the Middle East but we have to stay because our “leadership” is needed there, in this column David Ignatius asked James Clapper, again, about how much damage Edward Snowden has caused.

Clapper said the United States still can’t be certain how much harm was done to intelligence collection by the revelations of disaffected National Security Agency contractor Edward Snowden. “We’ve been very conservative in the damage assessment. Overall, there’s a lot,” Clapper said, noting that the Snowden disclosures made terrorist groups “very security-conscious” and speeded the move to unbreakable encryption of data. And he said the Snowden revelations may not have ended: “The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Let’s unpack this.

Clapper provides two pieces of evidence for damage:

  1. Snowden disclosures have made terrorist groups “very security-conscious”
  2. Snowden disclosures have “speeded the move” [by whom, it’s not entirely clear] to unbreakable encryption

That’s a bit funny, because what we saw from the terrorist cell that ravaged Paris and Belgium was — as The Grugq describes it — “drug dealer tradecraft writ large.” Stuff that they could have learned from watching the Wire a decade ago, with a good deal of sloppiness added in. With almost no hints of the use of encryption.

If the most dangerous terrorists today are using operational security that they could have learned years before Snowden, then his damage is not all that great.

Unless Clapper means, when he discusses the use of unbreakable encryption, us? Terrorists were already using encryption, but journalists and lawyers and US-based activists might not have been (activists in more dangerous places might have been using encryption that the State Department made available).

Neither of those developments should be that horrible. Which may be why Clapper says, “We’ve been very conservative in the damage assessment” even while insisting there’s a lot. Because this is not all that impressive, unless as Chief Spook you think you should have access to the communications of journalists and lawyers and activists.

I’m most interested, however, in this escrow idea.

“The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Snowden and Glenn Greenwald and Laura Poitras and Bart Gellman have said about a zillion times that Snowden handed everything off before he went to Russia. And everyone who knows anything about Russia would assume if he brought documents there, Putin has had them for almost 3 years.

Sure, there are surely documents that reporters have that, reviewed in the future by other people, may result in new disclosures. But the suggestion that Snowden himself is asking the journalists to hold back some of the documents “in escrow” is rather curious. Why would Snowden withhold documents until such time that the technology behind disclosures would be out of date.

I mean, it’s useful as a basis to claim that Snowden will continue to damage the IC when there’s actually not that much evidence he already has. But it doesn’t make much sense to me.

Ah well. In the article Clapper says he’ll be around for 265 days, which means around February 9 of next year, someone else will take up fearmongering about Edward Snowden.

The Easy Section 702 Surveillance Number James Clapper Can Share

Last week, a bunch of House Judiciary Committee members set James Clapper a letter stating that before the Committee deals with Section 702 reauthorization next year, they’d like:

  • The number of telephone communications in which one caller is located in the United States
  • The number of Internet communications acquired through upstream collection that originate or terminate in the United States
  • The number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work

They asked for those numbers by May 6.

In response, Clapper is humming and hawing about “several options” for disclosing how many Americans get spied on under Section 702.

Clapper said that “any methodology we come up with will not be completely satisfactory to all parties.”

“If we could have made such an estimate and if such an estimate were easy to do — explainable without compromise — we would’ve done it a long time ago,” he said.

We just learned there is, however, one number that should be easy-peasy to make public (and one I’m frankly alarmed the HJC members didn’t mention, as they should have known about it for some time): the number of back door searches FBI conducts on Section 702 data for reasons other than national security.

As I noted the other day, in response to FISC amicus (and former Eric Holder counsel) Amy Jeffress’ argument that FBI’s back door searches of Section 702 are unconstitutional, Thomas Hogan required FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” As I noted, that’s an easily gamed number — I’m sure FBI treats a lot of criminal matters as national security ones, and FBI has the ability to see if there is 702 data without looking at it, permitting it to see if the same data is available under another authority.

Nevertheless, DOJ must have an exact number of reports they’ve submitted in response to this reporting requirement, which has been in place for over four months.

That’s not to say HJC shouldn’t insist on getting estimates for all the other numbers they’re seeking. But they should also demand that this number — the number of times FBI is using a foreign intelligence exception for criminal prosecutions that should be subject to a probable cause standard — be made public.

FBI’s Back Door Searches: Explicit Permission … and Before That

I have written numerous times about the timing of authorization for FBI to do back door searches. There’s a passage of the November 6, 2015 FISC opinion finding those searches to be constitutional that some have taken to clearly date the authority. But I believe the (unredacted sections of the) passage are being misread.

As Judge Thomas Hogan describes, “Queries by FBI personnel of Section 702-acquired data…

Screen Shot 2016-04-20 at 8.53.44 PM

As the unredacted parts of the section make clear, queries for both foreign intelligence information or evidence of a crime “have been explicitly permitted by the FBI Minimization Procedures since 2009.” [my emphasis] The footnote goes onto describe how Minimization Procedures approved by Attorney General Mukasey on October 22, 2008 and submitted on some redacted date were approved by an opinion issued on April 7, 2009.

Already, that’s a curious set of details. If the minimization procedures were approved in October 2008, normally they’d be submitted close to right away, though it’s not clear that that happened. But why bother, given that FISC had just approved FAA certifications on September 4 (this timing resembles what had happened earlier that year, when the government significantly changed the program within days of getting certificates approved)?  In any case, James Clapper’s censors want to hide what those dates were. One likely reason they might have done so would be to hide the dates from defendants, including a few of the ones challenging 702. Another would be to obscure how the approval process went after passage of FISA Amendments Act, specifically given that the FISA Court of Review finalized its Yahoo opinion in August of that year, in which it relied on DOJ’s promise that “there is no database” of incidentally collected US person information.

There Is No Database

But two other things suggest that’s not the end of the story. First, the use of “explicitly” suggests there may have been a period before FISC approved the minimization procedures when such a practice was approved but perhaps not explicitly. Perhaps that simply refers to that lag period, between the time Mukasey approved those minimization procedures and the time FISC approved them.

But then there’s that redacted paragraph (the next footnote, 25, starts after it). Hogan adds something to his discussion beyond his description of the explicit approval of those minimization procedures.

As I have pointed out, Mukasey (writing with then Director of National Intelligence Mike McConnell, who would also have to approve any PRISM minimization procedures) made it clear in response to a Russ Feingold amendment of FISA Amendments Act in February of 2008 that they intended to spy in Americans under PRISM.

So it sure seems likely the Administration at the very least had FBI back door searches planned, if not already in the works, well before FISC approved the minimization procedures in 2009. That’s probably what Hogan explained in that paragraph, but James Clapper apparently believes it would be legally inconvenient to mention that.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.