When Politico reported that Keith Alexander was shacking up with shadow regulator Promontory Financial Group to profit off his cyber fear-mongering, I knew he’d be raking in the bucks.
Bloomberg provides more details on how much: his asking price starts at $1M a month, from which he negotiates down to a mere $600,000.
Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.
At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. “I told them I did think they could defend against that,” Alexander said.
Still, despite the banks’ growing investments in computer security, Alexander said, “many of them aren’t really confident they’re getting their money’s worth.”
[snip]
Sifma Meeting
Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.
Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”
The article talks in terms of the DDoS attacks launched against US bank websites last year, as well as Wiper, which is allegedly tied to the Stuxnet family (and therefore is something with which Alexander ought to be intimately familiar).
What he doesn’t seem to be promising he can fix are things like the recent hack of a hedge fund’s High Frequency Trading algorithms (about which I am simply failing not to laugh hysterically at … sorry, hedgies).
No wonder the banks doubt they’re getting their money’s worth.
It’s hard to read this as anything but a scam. Not only has Alexander spent the last year talking up the risk of cyberattacks, and not only has he had access, for the last 8 years, to whatever bank secrets weren’t encrypted (plus the double dipping in SWIFT databases); he also knows which holes NSA hasn’t fixed.
Ultimately, though, this all serves to obscure the fact that these banks are rickety all by themselves, with or without a hacker’s help (which is one reason I’m laughing at that HFT hack). There’s only so much you can do to harden that target, and the banks won’t do it.
Posted by emptywheel, 2014-06-20: Keith Alexander to Earn $600,000 a Month for Preventing DDoS Attacks
Jason Leopold has a new article at the Guardian based off a FOIA of NSA’s FOIA process. Perhaps the funniest part of the documents he received, however, is the number of times the NSA claimed its own discussion of FOIA process — including praise for the FOIA responders! — was Top Secret, suggesting revealing details would cause exceptionally grave harm to national security.
That said, I think there’s a missing piece to this puzzle (and hope Leopold pursues it when he makes his inevitable appeal of some of these redaction decisions).
On June 11, NSA’s Chief of FOIA Office Pamela Phillips raised the possibility of having “a paper or sheet of unclassified facts that could be provided to the public.” (See PDF 1) She repeated that request on June 17. (See PDF 3) I believe that is separate from the efforts to come up with a standard Glomar letter (that discussion, incidentally, is redacted in some enormously interesting ways).
But I’m particularly interested in a redaction in an email from Deputy Chief of Staff Trumbull Soule to Associate Director for Policy and Records David Sherman and then Media Leaks Task Force head and now Deputy Director of NSA Richard Ledgett, and cc’ed to Phillips and (among at least 12 others) NSA General Counsel Raj De on June 26.
That’s because that email was sent the day after the NSA had to pull what I believe was that unclassified fact sheet. NSA first posted the sheet on June 18; on June 24, Ron Wyden and Mark Udall wrote a letter to Keith Alexander noting two problems with it, in that it misleadingly suggested that:
NSA had the ability to determine how many Americans had been collected under Section 702
NSA may not search on the records of Americans (back door searches)
In addition, the letter had a classified attachment that, I suspect, noted that John Bates’ response to the upstream problems did not require the destruction of entirely domestic communications.
Now, it may just be a coinkydink that the highest level of discussion among these emails comes on that particular day (though I assume NSA withheld a bunch of emails). But I do find the timing rather interesting.
Posted by emptywheel, 2014-05-29: Causing Exceptionally Grave Harm to National Security by FOIAing FOIA Process
The New Yorker has a weird interview with Keith Alexander. The weirdness stems from Alexander’s wandering answers, which may, in turn, stem from the fact that the interview was not done by an NSA beat reporter. Such interviews seem to flummox NSA insiders.
But beyond all the rambling about Jeopardy and “free vowels” and disingenuous claims (and silences) about past terrorist events, ultimately Keith Alexander wants us to know that we are at greater risk as he steps down after more than 8 years of protecting us.
His logic for that is not that terrorists struck the Boston Marathon last year, in spite of NSA apparently collecting on them but not reviewing the collection — he doesn’t even mention that.
Rather, it’s that the number of terrorist attacks is going up globally. The US has thus far avoided such attacks (ignoring hate crimes and the Marathon attack), which he points to as proof our spying is working. But he also points to it as proof that we’re due.
There are people on one side saying that these N.S.A. programs could have stopped these plots. And then there are people who dispute that.
We know we didn’t stop 9/11. People were trying, but they didn’t have the tools. This tool, we believed, would help them. Let’s look at what’s happening right now. You ought to get this from the START Program at the University of Maryland. They have the statistics on terrorist attacks. 2012 and 2013. The number of terrorist attacks in 2012—do you know how many there were globally?
How many?
Six thousand seven hundred and seventy-one. Over ten thousand people killed. In 2013, it would grow to over ten thousand terrorist attacks and over twenty thousand people killed. Now, how did we do in the United States and Europe? How do you feel here? Safe, right? I feel pretty safe.
[snip]
So think about how secure our nation has been since 9/11. We take great pride in it. It’s not because of me. It’s because of those people who are working, not just at N.S.A. but in the rest of the intelligence community, the military, and law enforcement, all to keep this country safe. But they have to have tools. With the number of attacks that are coming, the probability, it’s growing—
I’m sorry, could you say that once more?
The probability of an attack getting through to the United States, just based on the sheer numbers, from 2012 to 2013, that I gave you—look at the statistics. If you go from just eleven thousand to twenty thousand, what does that tell you? That’s more. That’s fair, right?
I don’t know. I think it depends what the twenty thousand—
—deaths. People killed. From terrorist attacks. These aren’t my stats. The University of Maryland does it for the State Department.
I’ll look at them. I will. So you’re saying that the probability of an attack is growing.
The probability is growing. What I saw at N.S.A. is that there is a lot more coming our way. Just as someone is revealing all the tools and the capabilities we have. What that tells me is we’re at greater risk. I can’t measure it. You can’t say, Well, is that enough to get through? I don’t know. It means that the intel community, the military community, and law enforcement are going to work harder.
Since Alexander invited us, let’s see what the START data say, shall we? Here’s what they tell us:
According to the annex, the 10 countries that experienced the most terrorist attacks in 2013 are the same as those that experienced the most terrorist attacks in 2012.
Although terrorist attacks occurred in 93 different countries, they were heavily concentrated geographically. More than half of all attacks (57%), fatalities (66%), and injuries (73%) occurred in Iraq, Pakistan and Afghanistan. By a wide margin, the highest number of fatalities (6,378), attacks (2,495) and injuries (14,956) took place in Iraq. The average lethality of attacks in Iraq was 40 percent higher than the global average and 33 percent higher than the 2012 average in Iraq.
The US hasn’t been attacked. But attacks are mushrooming in Iraq, Pakistan, and Afghanistan. These happen to be the places where we’ve been fighting the war on terror the longest and most directly, places where Alexander has been at the forefront of the fight, even before he took over at NSA. They also happen to be the places overseas that the NSA uses to legitimize its global reach.
Yet 13 or 11 years of concentrated spying — of collect it all — in those places has not eliminated terrorism. On the contrary, terrorism is now getting worse.
And now they serve as both the proof that spying is working and that spying is more necessary than ever.
Rather than evidence that the War on Terror is failing.
We shouldn’t be surprised that we’re losing a war in which Alexander was one of the longest-tenured generals (though I don’t think he bears primary responsibility for the policy decisions that have led to this state). After all, last year, Alexander said that, also under his watch, we had been plundered like a colony via cyberattacks. He seems to think he lost both the war on terror and the war on cyberattacks.
Which, if you’re invested in Wall Street, ought to alarm you. Because that’s where Keith Alexander is headed to wage war next.
Posted by emptywheel, 2014-05-16: Keith Alexander Declares Failure in War on Terror, as He Earlier Declared Failure in Cyberdefense
Man, I knew Keith Alexander was going to cash in after he retired. And I probably would have placed all my chips on him profiting off his cyber fearmongering.
Former National Security Agency chief Gen. Keith Alexander is launching a consulting firm for financial institutions looking to address cybersecurity threats, POLITICO has learned.
Less than two months since his retirement from the embattled agency at the center of the Edward Snowden leak storm, the retired four-star general is setting up a Washington-based operation that will try to attract clients based on his four decades of experience in the military and intelligence — and the continued levels of access to senior decision-makers that affords.
But the part of this story that even I couldn’t have predicted (though it makes so much sense it brings tears to my eyes) is that he’s shacking up with Promontory Financial Group, the revolving-door regulator-for-hire that has been caught underestimating its clients’ crimes for big money.
Alexander will lease office space from the global consulting firm Promontory Financial Group, which confirmed in a statement on Thursday that it plans to partner with him on cybersecurity matters.
“He and a firm he’s forming will work on the technical aspects of these issues, and we on the risk-management compliance and governance elements,” said Promontory spokesman Chris Winans.
I’m impressed, Lying Keith: You’ve done my very low expectations even one better!
Posted by emptywheel, 2014-05-08: Lying Keith Alexander to Shack up with Promontory and Profit Off His Fearmongering
In a training program developed in 2009, the NSA itself identified abuses it likened to Projects Shamrock and Minaret.
Today, LAT has an extremely friendly exit interview with Keith Alexander that nevertheless depicts the now-retired General as hopelessly lost inside a bubble far removed from those who paid his salary. It depicts Alexander confusing objections to what NSA’s leaders have ordered with attacks on the presumably honorable people who implement those decisions.
But something else seems likely to shape the legacy of the NSA’s longest-serving director, who retired Friday: something that Alexander failed to anticipate, did not prepare for and even now has trouble understanding.
Thanks to Edward Snowden, a former NSA contractor, the world came to know many of the agency’s most carefully guarded secrets. Ten months after the disclosures began, Alexander remains disturbed, and somewhat baffled, by the intensity of the public reaction.
“I think our nation has drifted into the wrong place,” he said in an interview last week. “We need to recognize that those who are working to protect our nation are not the bad people.“
I find it particularly troubling that Alexander sees in skepticism about authority the nation “drifting into the wrong place.”
The profile goes on to convey Alexander’s laughable belief that what has been depicted since June is the model of oversight.
When Snowden’s disclosures began, Alexander and his deputies knew they were in for a storm. But they felt sure the American public would be comforted when they learned of the agency’s internal controls and the layers of oversight by Congress, the White House and a federal court.
“For the first week or so, we all had this idea that we had nothing to be ashamed of, and that everyone who looked at this in context would quickly agree with us,” Inglis said.
Instead, polls show, many Americans believe that the NSA is reading their emails and listening to their phone calls. A libertarian group put an advertisement in the Washington transit system calling Alexander, a 62-year-old career military officer, a liar. U.S. technology companies are crying betrayal.
Side note: it would be useful if LAT noted that in fact the disclosures do show that the NSA is conducting warrantless back door searches on US person emails, rather than using the conjunction “instead” suggesting this impression is false. And that’s all before you get into the vast collection overseas and upstream for which NSA refuses to count US person data.
I’m particularly interested in Alexander’s attempt to distinguish this scandal from the scandals of the 1970s.
He sees a fundamental difference between the intelligence abuses uncovered by Congress in the 1970s — including revelations that the NSA spied without warrants on domestic dissidents — and the programs exposed by Snowden.
“What the Church and Pike committees found” nearly 40 years ago was “that people were doing things that were wrong. That’s not happening here,” Alexander said, referring to the panels headed by Sen. Frank Church (D-Idaho) and Rep. Otis Pike (D-N.Y.) that examined intelligence-agency activities in that era.
As I have noted repeatedly, 4 years into Alexander’s tenure, the NSA itself likened some of its abuses to Projects Shamrock and Minaret. So perhaps Alexander should at least cede that under his leadership, the NSA was also doing things that it itself considered to be analogues to those earlier scandals (and yes, they violated the law and limits of the programs in question).
Even the LAT conducts a soft fact check of Alexander’s claim that the President’s Review Group and PCLOB found a model of oversight.
Outside reviews, including one released in December by a presidential task force, he said, found that “lo and behold, NSA is doing everything we asked them to do, and if they screw up, they self-report.”
The task force reported it found “no evidence of illegality or other abuse of authority for the purpose of targeting domestic political activity.” But it also noted “serious and persistent instances of noncompliance” with privacy and other rules. Even if unintentional, those violations “raise serious concerns” about the NSA’s “capacity to manage its authorities in an effective and lawful manner,” the report said.
I’d go further, too, and point out that this self-reporting only came with the greater involvement of DOJ’s National Security Division, after years of NSA not reporting these violations. Even months into one of those incidents, the NSA was failing to report its violations to the FISC without NSD involvement.
But perhaps the most egregious example of Alexander’s bubble comes in his assessment of the Snowden leaks themselves.
The ease with which Snowden removed top-secret documents also embarrassed an agency that is supposed to be the first line of defense against cyberattacks.
In July, Alexander offered to resign, but the White House turned him down, he said. He didn’t think holding other senior officials accountable would be right because a massive theft of documents by a systems administrator could not have been foreseen, he added.
Are you kidding me? First, how is it that the NSA couldn’t anticipate the large scale exfiltration of documents via removable media in the 3 years after Chelsea Manning did so? And why didn’t NSA comply with requirements to implement software to prevent just that, the kind of software Alexander insists his agency should have on our private communications? But note what else doesn’t get mentioned, as Alexander rides off into the sunset of generous defense contractor sinecures? Not only didn’t Alexander hold his subordinates responsible, but he didn’t hold Booz responsible, the company under whose lucrative eyeballs Snowden did this work.
As of Friday, the Bubble General is gone into retirement. While I fully expect soon-to-be Admiral Mike Rogers to be just as aggressive in hiding the scope of his programs and doing what he can because he can, I do hope he is not this detached from the reality in which he works.
Posted by emptywheel, 2014-03-31: Keith Alexander’s Bubble Floats into the Sunset of Defense Contractor Sinecures
I’m going to level with you all. Today is my birthday.
And in honor of my birthday, apparently, two of my nemeses will shift their careers. At 3PM, Keith Alexander retires as Director of the NSA.
And in an entirely unexpected announcement, Congressman Mike Rogers announced he will not run for reelection this year.
Happy Birthday to me — and by extension, to all of you!
Now, Mike Rogers’ excuse for retiring — that he’s been offered a national radio show on Cumulus Radio — doesn’t make sense. Less than a year ago, when he decided not to run for Carl Levin’s seat, he said he felt he could still do a lot of good in the House. A key part of that, though, was that unlike other House Committees, the Republicans don’t term limit the Intelligence Committee Chair position (the Democrats don’t term limit anything). So a key reason Rogers gave was that he’d remain HPSCI Chair.
So I can’t help but wonder whether his departure has something to do with his Chairmanship of the Intelligence Committee (the original announcement last night from The Hill was that he was resigning the Chairmanship, with the even more horrible Mike Pompeo to take his place, with no mention of him retiring from Congress).
And I honestly wonder whether Rogers got caught revealing information so sensitive that he was told, by the Intelligence Community, to take a hike. Remember that after Richard Shelby leaked news that the NSA had overheard warnings of the 9/11 attack before it happened, he not only stepped down as Ranking Member (he had been Chair) of the Senate Intelligence Committee, he left the Committee entirely. No one ever said that was the reason, but I’ve long assumed that’s what happens when you step over the line of acceptable leaking as a Gang of Four member — you quietly walk away at the end of the term.
Pete Hoekstra leaked very damaging information in his last term as House Intel Chair — that we had a real-time intercept on Anwar al-Awlaki — though he had already announced he was leaving the House to run for Governor.
Mind you, most of the high volume of classified information Mike Rogers leaks, he does so with the blessing of the Intelligence Committee, as Gang of Four members are increasingly expected to serve as cut-outs for the Intelligence Community. Plus, much of what he “leaks” is in fact disinformation. Still, there are a number of stories that reveal NSA intercepts, many placed with conservative journalists, that could very easily have come from him. Some of them have been deemed more immediately damaging than all of Snowden’s leaks. Rogers would be legally protected under the Speech and Debate Clause, but there’d be good reason to remove him from his sensitive position, if he had been discovered to be the source for those stories.
If that happened, I can imagine that facing the prospect of staying in the House without his powerful Intelligence gavel might persuade Rogers he’d rather froth up wingnuts for war on AM radio than while away his time with much less power in the House. Also, if he compromised intelligence, it’d explain why he’s not moving on to a sinecure with an Intelligence Contractor, as had been floated at different times in the last year or so.
Meanwhile, Rogers’ departure opens up a pretty decent opportunity for Democrats in a district they were otherwise (inexplicably) not going to seriously contest. The Clerk who married the first same sex couple last weekend, Barb Byrum, is among the potential Democratic candidates.
Anyway, at 3PM I shall raise a toast to the departure of Keith Alexander. And hope for better things in MI’s 8th CD.
Posted by emptywheel, 2014-03-28: Happy Birthday to Me, Mike Rogers Edition
This post is going to be a general review on the contents of the actual records collection part of the RuppRoge Fake Dragnet Fix, which starts on page 15, though I confess I’m particularly interested in what other uses — besides the phone dragnet — it will be put to.
First, note that this bill applies to “electronic communication service providers,” not telecoms. In addition, it uses neither the language of Toll Records from National Security Letters nor Dialing, Addressing, Routing, or Signalling from Pen Registers. Instead, it uses “records created as a result of communications of an individual or facility.” Also remember that FISC has, in the past, interpreted “facility” to mean “entire telecom switch.” This language might permit a lot of things, but I suspect that one of them is another attempt to end run content collection restrictions on Internet metadata — the same problem behind the hospital confrontation and the Internet dragnet shutdown in 2009. I look forward to legal analysis on whether this successfully provides an out.
The facility language is also troubling in association with the foreign power language of the bill (which already is a vast expansion beyond the terrorism-only targeting of the phone dragnet). Because you could have a telecom switch in contact with a suspected agent of a foreign power and still get a great deal of data, much of it on innocent people. The limitation (at b1B) to querying with “specific identifiers or selection terms” then becomes far less meaningful.
Then add two details from section h, covering the directives the government gives the providers. The government requires the data in the format they want. Section 215 required existing business records, which may have provided providers a way to be obstinate about how they delivered the data (and this may have led to the government’s problems with the cell phone data). But it also says this (in the paragraph providing for compensation I wrote about here):
The Government may provide any information, facilities, or assistance necessary to aid an electronic communications service provider in complying with a directive
Remember, one month ago, Keith Alexander said he’d be willing to trade a phone dragnet fix for what amounts to the ability to partner with industry on cybersecurity. The limits on this bill to electronic communication service providers means it’s not precisely what Alexander wanted (I understand him to want that kind of broad partnership across industries). Still, the endorsement of the government basically going to camp out at a provider makes me wonder if there isn’t some of that. Note, that also may answer my question about when and where NSA would conduct the pizza joint analysis, which would mean there’d still be NSA techs (or contractors) rifling through raw data, but they’d be doing it at the telecoms’ location.
The First Amendment restriction appears more limited than it is in the Section 215 context, though I suspect RuppRoge simply reflects the reality of what NSA is doing now. Both say you can’t investigate an American solely for First Amendment views, but RuppRoge says you can’t get the information for an investigation of an American. Given that RuppRoge eliminates any requirement that this collection be tied to an investigation, it would make it very easy to query a US person selector based on First Amendment issues in the guise of collecting information for another reason. But again, I suspect that’s what the NSA is doing in practice in any case.
Note, too, that RuppRoge borrows the “significant purpose” language from FISA, meaning the government can have a domestic law enforcement goal to getting these records.
RuppRoge then lays out an elaborate certification/directive system that is (as I guessed) modeled on the FISA Amendments Act, but written to be even more Byzantine in the bill. It works the same, though: the Attorney General and the Director of National Intelligence submit broad certifications to the FISC, which reviews whether they comply with the general requirements in the bill. It can also get emergency orders (though for some reason here, as elsewhere, RuppRoge have decided to invent new words for the standard ones), though the language is less about emergency and more about timely acquisition of data. Ultimately, there is judicial review, after the fact, except that like FAA, the review is programmatic, not identifier specific.
Significantly, the records the government has to keep only need to comply with selection procedures (which are the new name for targeting procedures) “at the time the directive was issued,” which would seem to eliminate any need to detask over a year if you discover the target isn’t actually in contact with an agent of a foreign power. Also, in the clause permitting the FISC to order data be destroyed if the directives were improper, the description talks about halting production of “records,” but destruction of “information.” That might be more protective (including the destruction of reports based on data) or it might not (requiring only the finished reports be destroyed). Interestingly, this section includes no language affirmatively permitting alert systems, though RuppRoge have made it clear that’s what they intend with the year long certifications. In addition, those year long certifications might be used in conjunction with a year long PRISM order to first search a provider for metadata, then immediately task on content (which would be useful in a cybersecurity context).
The bill also changed the language of minimization procedures, which they call “civil liberties and privacy protection procedures.” Interestingly, the procedures differ from the standard in Section 215, including both a generalized privacy protection and one limiting receipt and dissemination of “records associated with a specific person.” These might actually be more protective than those in Section 215, or they might not, given that the identifying information (at b1D) excludes things like phone number or email which clearly identify a specific person, but get no protection (this identifying information hearkens back, at least in part, to debates about whether the dragnet minimization procedures complied with the requirement for them in law on this point). In other words, it may provide people more protection, but given the NSA’s claim that they can’t get identity from a phone number, they likely don’t consider that data to be protected at all.
I can’t help believing much of this bill was written with cases like Lavabit and the presumed Credo NSL challenges in mind, as it uses language disdainful of legal challenges.
If the judge determines that such petition consists of claims, defenses, or other legal contentions that are not warranted by existing law or consists of a frivolous argument for extending, modifying, or reversing existing law or for establishing new law, the judge shall immediately deny such petition and affirm the directive or any part of the directive that is the subject of the such petition and order the recipient to comply with the directive or any part of it.
This seems to completely rule out any constitutional challenge to this law from providers. Though the bill even allows for emergency acquisition while FISC is reviewing a certification, suggesting RuppRoge don’t want the FISC to make any through either. So if this bill were to pass, you can be sure it will remain in place indefinitely.
Posted by emptywheel, 2014-03-26: The RuppRoge Fake Dragnet Fix, As Introduced: Does It Include Keith Alexander’s Quid Pro Quo?
I’m sure I’ll spend all day discussing the various proposals to “fix” the dragnet.
I’ve already shown why the House Intelligence bill is not an improvement and should not be discussed by credible people as one.
And on Twitter and briefly in that piece, I described two problems that aren’t addressed at all in either of these proposals, including President Obama’s plan laid out by Charlie Savage.
The Reasonable Articulable Suspicion standard is still far too lenient, allowing the government to engage in a broad digital stop-and-frisk system
Once supplied to NSA, it will presumably subject tens or hundreds of thousands of innocent people to the full array of NSA’s tradecraft
Finally, though, there’s one other problem, which directly affects how many people get subjected to such analytical tradecraft, a problem identified by no other person than … Barack Obama.
Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns.
I suspect one of those privacy concerns, as I laid out in this post, is the necessity to make analytical judgments about what high volume numbers distort the chaining system.
Someone needs to go in and take out such high volume numbers — which include voice mail access numbers, telemarketers, and pizza joints — otherwise almost everyone is two degrees of separation from everyone else.
For two of these functions, I assume the telecoms can do the task as easily as the NSA. (The dirty secret is they conduct the same kind of 3-degrees analysis as the government does!) They know what their own (and their resellers’) voice mail access numbers are, after all, and surely they track the telemarketer spam that weighs down their system.
It’s the pizza joints that have me — that always have me — worried.
Pizza joints absolutely distort the contact chaining system. Keith Alexander learned this when the contact chaining he was doing — and he used to claim he had mapped out all the evil people tied to Iraq — showed everyone to be guilty because they frequented the same pizza joints.
When he ran INSCOM and was horning in on the NSA’s turf, Alexander was fond of building charts that showed how a suspected terrorist was connected to a much broader network of people via his communications or the contacts in his phone or email account.
“He had all these diagrams showing how this guy was connected to that guy and to that guy,” says a former NSA official who heard Alexander give briefings on the floor of the Information Dominance Center. “Some of my colleagues and I were skeptical. Later, we had a chance to review the information. It turns out that all [that] those guys were connected to were pizza shops.”
Nevertheless, sometimes a cigar is just a cigar, and sometimes a tie through a pizza joint can be a very important tie through a pizza joint, as I believe Gerry’s Italian Kitchen was in the case of the Tsarnaev brothers. If NSA purged the pizza joint in that case, they may have eliminated some of the most important evidence tying the brothers (or at least Tamerlan) to the Waltham murder in 2011.
So who, under this new system, will do the pizza joint analysis?
If the phone companies do it (which I doubt, because of cases like the Tsarnaevs), it will mean even more intensive data mining of customer data while it remains in their hands.
If the NSA does it, it means a lot more totally innocent people will have their data turned over to NSA to do as they wish.
Don’t get me wrong. The Obama proposal is an improvement on the status quo. But for these reasons, including the pizza joint problem, it still doesn’t comply with the Fourth or First Amendments.
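To make the chaining and high-volume-number problem concrete, here is an added example in Python. It is not from the original post and is not any NSA or telecom code; it builds an undirected contact graph from a handful of constructed call records with hypothetical numbers, runs a hop-limited contact chain from a seed, and shows how one high-volume number (the “pizza joint”) pulls otherwise unconnected numbers into the two-hop result, and how excluding it shrinks that result. The contact-count threshold, the sample numbers and the helper names are assumptions for illustration; the hop limit follows the 2- and 3-degree analysis described above.

```python
from collections import defaultdict, deque

# Constructed sample call records (caller, callee); the numbers are hypothetical labels.
# "pizza" is a high-volume number that many otherwise unconnected people call.
CALL_RECORDS = [
    ("seed", "a1"), ("a1", "a2"), ("a2", "a3"), ("a3", "a4"),   # seed's real chain
    ("x1", "x2"), ("x2", "x3"),                                   # an unrelated group
    ("seed", "pizza"), ("a1", "pizza"),
    ("x1", "pizza"), ("x2", "pizza"), ("x3", "pizza"),
    ("y1", "pizza"), ("y2", "pizza"), ("y3", "pizza"),
]


def build_graph(records):
    """Undirected contact graph: a call links both ends, whoever dialed."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def high_volume_numbers(graph, threshold):
    """Numbers with at least `threshold` distinct contacts (voice mail, telemarketers, pizza joints)."""
    return {n for n, contacts in graph.items() if len(contacts) >= threshold}


def contact_chain(graph, seed, hops, exclude=frozenset()):
    """Breadth-first chain out to `hops` hops from `seed`.

    Returns {number: hop distance}. Numbers in `exclude` are neither
    reported nor traversed, which is the "take out the pizza joint" step.
    """
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if distance[current] == hops:
            continue
        for contact in graph.get(current, ()):
            if contact in exclude or contact in distance:
                continue
            distance[contact] = distance[current] + 1
            queue.append(contact)
    return distance


def corporate_store(graph, seeds, hops, exclude=frozenset()):
    """Union of the chains from every approved seed, keeping the shortest hop count."""
    store = {}
    for seed in seeds:
        for number, hop in contact_chain(graph, seed, hops, exclude).items():
            if number not in store or hop < store[number]:
                store[number] = hop
    return store


GRAPH = build_graph(CALL_RECORDS)
HUBS = high_volume_numbers(GRAPH, threshold=5)   # threshold is an assumption for this sample

if __name__ == "__main__":
    raw = contact_chain(GRAPH, "seed", hops=2)
    pruned = contact_chain(GRAPH, "seed", hops=2, exclude=HUBS)
    print("high-volume numbers:", HUBS)
    print(f"2 hops from seed, unpruned: {len(raw)} of {len(GRAPH)} numbers")
    print(f"2 hops from seed, hubs excluded: {len(pruned)} numbers -> {sorted(pruned)}")
```

On this sample, two hops from the seed reach 10 of the 12 numbers when the pizza joint is left in, and 3 when it is excluded; the unrelated x and y groups only appear because of the hub. The same exclusion is what would drop a genuinely important shared contact, which is the Tsarnaev-style risk the post raises.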
emptywheel, 2014-03-25: The Other Problem with the Obama Proposal: Who Does the Pizza Joint Review?
Dutch Ruppersberger has provided Siobhan Gorman with details of his plan to “fix” the dragnet — including repeating the laughable claim that the “dragnet” (which she again doesn’t distinguish as solely the Section 215 data that makes up a small part of the larger dragnet) doesn’t include cell data.
Only, predictably, it’s not a “fix” of the phone dragnet at all. It appears instead to be an attempt to outsource to telecoms some of the things the NSA hasn’t been able to do legally since 2009, with NSA bidding to use the “fix” to do all the things it wants to do with domestic dragnets but hasn’t been able to do legally.
For example, there’s the alert system that Reggie Walton shut down in 2009.
As I reported back in February, the NSA reportedly has never succeeded in replacing that alert system, either for technical or legal reasons or both.
NSA reportedly can’t get its automated chaining program to work. In the motion to amend, footnote 12 — which modifies part of some entirely redacted paragraphs describing its new automated alert approved back in 2012 — reads:
The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.
In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records. [68] The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”
It has been 15 months since FISC approved this alert, but NSA still can’t get it working.
I suspect this is the root of the stories claiming NSA can only access 30% of US phone records.
As described by WSJ, this automated system will be built into the orders NSA provides telecoms; once a selector has been provided to the telecoms, they will keep automatically alerting on it.
Under the new bill, a phone company would search its databases for a phone number under an individual “directive” it would receive from the government. It would send the NSA a list of numbers called from that phone number, and possibly lists of phone numbers those numbers had called. A directive also could order a phone company to search its database for such calls as future records come in. [my emphasis]
This would, presumably, mean NSA still ends up with a corporate store, a collection of people against whom the NSA has absolutely not a shred of non-contact evidence, against whom they can use all their analytical toys, including searching of content.
Note, too, that this program uses the word “directive,” not query. Directive comes from the PRISM program, where the NSA gives providers generalized descriptions and from there has broad leeway to add new selectors. Until I hear differently, I’ll assume the same is true here: that this actually involves less individualized review before engaging in 2 degrees of Osama bin Laden.
The legislation seems ripe for inclusion of Internet data querying (another area where the NSA could never legally do what it wanted after 2009), given that it ties this program to “banning” Internet bulk data collection. That ban covers US collection only, though Gorman doesn’t say that either, maintaining her consistency in totally ignoring that EO 12333 collection makes up the greater part of the bulk programs.
The bill from Intelligence Committee Chairman Mike Rogers (R., Mich.) and his Democratic counterpart, Rep. C.A. “Dutch” Ruppersberger (D., Md.), would ban so-called bulk collection of phone, email and Internet records by the government, according to congressional aides familiar with the negotiations. [my emphasis]
Call me crazy, but I’m betting there’s a way they’ll spin this to add in Internet chaining with this “fix.”
Note, too, Gorman makes no mention of location data, in spite of having tied that to her claims that NSA only collects 20% of data. Particularly given that AT&T’s Hemisphere program provides location data, we should assume this program could too, which would present a very broad expansion on the status quo.
And finally, note that neither the passage I quoted above on directives to providers, nor this passage specifies what kind of investigations this would be tied to (though they are honest that they want to do away with the fig leaf of this being tied to investigations at all).
The House intelligence committee bill doesn’t require a request be part of an ongoing investigation, Mr. Ruppersberger said, because intelligence probes aim to uncover what should be investigated, not what already is under investigation.
Again, the word “directive” in the PRISM context also provides the government the ability to secretly pass new areas of queries — having expanded at least from counterterrorism to counterproliferation and cybersecurity uses. So absent some very restrictive language, I would assume that’s what would happen here: NSA would pass it in the name of terrorism, but then use it primarily for cybersecurity and counterintelligence, which the NSA considers bigger threats these days.
And that last suspicion? That’s precisely what Keith Alexander said he planned to do with this “fix,” presumably during the period when he was crafting it with NSA’s local Congressman: throw civil libertarians a sop while getting in return an expansion of his cybersecurity authorities.
Update: Here’s Spencer on HPSCI, confirming it’s as shitty as I expected.
Keep Section 215 in place, though perhaps with limits on whether it can be used in this narrow application
Enact the same alert-based system and feed into the corporate store, just as the HPSCI proposal would
Include judicial review like they have now (presumably including automatic approval for FISA targets)
Obama’s is far better than HPSCI (though this seems to be part of a bad cop-good cop plan, and the devil remains in the details). But there are still some very serious concerns.
emptywheel, 2014-03-24: NSA Bids to Expand Spying in Guise of “Fixing” Phone Dragnet
Yesterday, the Senate Armed Services Committee held a hearing for Vice Admiral Mike Rogers to serve as head of Cyber Command (see this story from Spencer about how Rogers’ confirmation as Cyber Command chief serves as a proxy for his role as Director of the National Security Agency, because the latter does not require Senate approval).
Many of the questions were about Cyber Command (which was, after all, the topic of the hearing), but a few Senators asked questions about the dragnet that affects us all.
In one of those exchanges, with Mark Udall, Rogers made it clear that he intends to continue to hide the answers to very basic questions about how NSA conducts warrantless surveillance of Americans, such as whether the NSA conducts back door searches for Americans’ communications.
Udall: If I might, in looking ahead, I want to turn to the 702 program and ask a policy question about the authorities under Section 702 that’s written into the FISA Amendments Act. The Committee asked your understanding of the legal rationale for NASA [sic] to search through data acquired under Section 702 using US person identifiers without probable cause. You replied the NASA–the NSA’s court approved procedures only permit searches of this lawfully acquired data using US person identifiers for valid foreign intelligence purposes and under the oversight of the Justice Department and the DNI. The statute’s written to anticipate the incidental collection of Americans’ communications in the course of collecting the communications of foreigners reasonably believed to be located overseas. But the focus of that collection is clearly intended to be foreigners’ communications, not Americans. But declassified court documents show that in 2011 the NSA sought and obtained the authority to go through communications collected under Section 702 and conduct warrantless searches for the communications of specific Americans. Now, my question is simple. Have any of those searches been conducted?
Rogers: I apologize Sir, I’m not in a position to answer that as the nominee.
Udall: You–yes.
Rogers: But if you would like me to come back to you in the future if confirmed to be able to specifically address that question I will be glad to do so, Sir.
Udall: Let me follow up on that. You may recall that Director Clapper was asked this question in a hearing earlier this year and he didn’t believe that an open forum was the appropriate setting in which to discuss these issues. The problem that I have, Senator Wyden’s had, and others is that we’ve tried in various ways to get an unclassified answer — simple answer, yes or no — to the question. We want to have an answer because it relates — the answer does — to Americans’ privacy. Can you commit to answering the question before the Committee votes on your nomination?
Rogers: Sir, I believe that one of my challenges as the Director, if confirmed, is how do we engage the American people — and by extension their representatives — in a dialogue in which they have a level of comfort as to what we are doing and why. That is no insignificant challenge for those of us with an intelligence background, to be honest. But I believe that one of the takeaways from the situation over the last few months has been as an intelligence professional, as a senior intelligence leader, I have to be capable of communicating in a way that we are doing and why to the greatest extent possible. That perhaps the compromise is, if it comes to the how we do things, and the specifics, those are perhaps best addressed in classified sessions, but that one of my challenges is I have to be able to speak in broad terms in a way that most people can understand. And I look forward to that challenge.
Udall: I’m going to continue asking that question and I look forward to working with you to rebuild the confidence. [my emphasis]
The answer to the question Rogers refused to answer is clearly yes. We know that’s true because the answer is always yes when Wyden, and now Udall, ask such questions.
But we also know the answer is yes because declassified parts of last August’s Semiannual Section 702 Compliance Report state clearly that oversight teams have reviewed the use of this provision, which means there’s something to review.
As reported in the last semiannual assessment, NSA minimization procedures now permit NSA to query its databases containing telephony and non-upstream electronic communications using United States person identifiers in a manner designed to find foreign intelligence information. Similarly, CIA’s minimization procedures have been modified to make explicit that CIA may also query its databases using United States person identifiers to yield foreign intelligence information. As discussed above in the descriptions of the joint oversight team’s efforts at each agency, the joint oversight team conducts reviews of each agency’s use of its ability to query using United States person identifiers. To date, this review has not identified any incidents of noncompliance with respect to the use of United States person identifiers; as discussed in Section 4, the agencies’ internal oversight programs have, however, identified isolated instances in which Section 702 queries were inadvertently conducted using United States person identifiers. [my emphasis]
It even obliquely suggests there have been “inadvertent” violations, though this seems to entail back door searches on US person identifiers without realizing they were US person identifiers, not violations of the procedures for using back door searches on identifiers known to be US person identifiers.
Still, it is an unclassified fact that NSA uses these back door searches.
Yet the nominee to head the NSA refuses to answer a question on whether or not NSA uses these back door searches.
And it’s not just in response to this very basic question that Rogers channeled the dishonest approach of James Clapper and Keith Alexander.
As Udall alluded, at the end of a long series of questions about Cyber Command, the committee asked a series of questions about back door searches and other dragnet issues. They asked (see pages 42-43):
Whether NSA can conduct back door searches on data acquired under EO 12333 and if so under what legal rationale
Whether NSA can conduct back door searches on data acquired pursuant to traditional FISA and if so under what legal rationale
What the legal rationale is for back door searches on data acquired under FISA Amendments Act
What the legal rationale is for searches on the Section 215 query results in the “corporate store”
I believe every single one of Rogers’ answers — save perhaps the question on traditional FISA — involves some level of obfuscation. (See this post for further background on what NSA’s Raj De and ODNI’s Robert Litt have admitted about back door searches.)
Consider his answer on searches of the “corporate store” as one example.
What is your understanding of the legal rationale for searching through the “Corporate Store” of metadata acquired under section 215 using U.S. Persons identifiers for foreign intelligence purposes?
The section 215 program is specifically authorized by orders issued by the Foreign Intelligence Surveillance Court pursuant to relevant statutory requirements. (Note: the legality of the program has been reviewed and approved by more than a dozen FISC judges on over 35 occasions since 2006.) As further required by statute, the program is also governed by minimization procedures adopted by the Attorney General and approved by the FISC. Those orders, and the accompanying minimization procedures, require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization specified in the Court’s order.
Remember, not only do declassified Primary Orders make it clear NSA doesn’t need Reasonable Articulable Suspicion to search the corporate store, but PCLOB has explained the possible breadth of “corporate store” searches plainly.
According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.” [71] Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results. [72] For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store. [73]
There is no debate over whether NSA can conduct back door searches in the “corporate store” because both FISC and PCLOB say they can.
Which is probably why SASC did not ask whether this was possible — it is an unclassified fact that it is — but rather what the legal rationale for doing so is.
And Rogers chose to answer this way:
By asserting that the phone dragnet must comply with statutory requirements
By repeating tired boilerplate about how many judges have approved this program (ignoring that almost all of these approvals came before FISC wrote its first legal opinion on the program)
By pointing to AG-approved minimization procedures (note–it’s not actually clear that NSA’s — as distinct from FBI’s — dragnet specific procedures are AG-approved, though the more general USSID 18 ones are)
By claiming FISA orders and minimization procedures “require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization”
The last part of this answer is either downright ignorant (though I find that unlikely given how closely nominee responses get vetted) or plainly non-responsive. The question was not about queries of the dragnet itself — the “collection store” of all the data. The question was about the “corporate store” — the database of query results based off those RAS approved identifiers. And, as I said, there is no dispute that searches of the corporate store do not require RAS approval. In fact, the FISC orders Rogers points to say as much explicitly.
And yet the man Obama has picked to replace Keith Alexander, who has so badly discredited the Agency with his parade of lies, refused to answer that question directly. Much less explain the legal rationale used to conduct RAS-free searches on phone query results showing 3rd degree connections to someone who might have ties to terrorist groups, which is what the question was.
Which, I suppose, tells us all we need to know about whether anyone plans to improve the credibility or transparency of the NSA.
emptywheel, 2014-03-12: In Nomination Hearing, DIRNSA Nominee Mike Rogers Continues James Clapper and Keith Alexander’s Obfuscation about Back Door Searches