
Wednesday Morning: Ashes to Ashes

It’s your second morning-after this week, this one launching the countdown on Christian calendars to Easter. I’m a lapsed Catholic, but we do observe Lent in my household. My agnostic son resists, but I’ve explained this is an opportunity to be mindful about others’ experience of going without. We are privileged to choose to give up, and we consciously recognize it by Lenten observation. Some choices we make, like giving up meat and sugar, are beneficial for us, but it’s still the luxury of choice when others are forced to simply suffer without recourse.

This year we will be mindful of water. We take it for granted every time we turn on the faucet. Yet our brethren go without in nearby Flint, in spite of water’s essential nature to life. I’ll donate the money I would have spent on 46 days of meat-based meals to Flint’s United Way Water Fund and the Food Bank of Eastern Michigan, as both organizations are helping distribute water and filters to Flint residents. Last night’s Boil Water order issued because of a water main break only underlines the difficulties Flint’s residents will face until the entire water system is replaced.

Dept of Duh: Director of National Intelligence says Internet of Things can be used to spy
NO! Say it isn’t so! Like it never occurred to us that any device attached to the internet, including the growing number of WiFi-enabled household appliances, might be used to spy on us.

Volkswagen recalls cars — and not because of emissions
VW didn’t need more trouble; this time, it’s not the German car maker’s fault. 680,000 VW-branded vehicles are being recalled because of Takata-made airbags which may be defective. TAKE NOTE: Mercedes-Benz models were also recalled yesterday.

Toyota, Honda, Acura, BMW, Nissan, Subaru, GM, Ford, Chrysler, and Daimler also issued recalls over the last two years for the very same reason — defective Takata-made airbags. See this article for a running timeline of events related to the recalls as well as a list of affected vehicles (to date).

Attacking the grid? Try a squirrel first – hacking is much harder
A honeypot mimicking an energy management system demonstrated the challenge to hackers trying to crash a power grid. Dewan Chowdhury, MalCrawler’s founder, spoke at Kaspersky Lab’s Security Analyst Summit about the knowledge set needed to attack energy systems:

“It’s extremely difficult. You can’t just be a NSA or FSB hacker; you need an electrical engineer on board to weaponize attacks and figure out what’s going on … When it comes to weaponization, you need a power substation engineer who knows what needs to be done and tested.”

After reading about Chowdhury’s presentation, I have two caveats. The first is the notion that an “electrical engineer” or a “power substation engineer” is required. Many non-degreed workers like electricians and technicians are familiar with computers, networks, and SCADA equipment. The second is this bit:

The groups had access to the HMI, which would allow them to manipulate the grid, but Chinese, U.S., and Russian groups, he said, stick to a gentlemen’s agreement and leave the grid alone. Middle Eastern actors, however, will try to perform control actions to sabotage the grid.

A “gentlemen’s agreement”? When do the gloves come off? When one of these actors aligns with a Middle Eastern actor?

Global disaster — how would you respond?
In case a mess of squirrels are deployed to take down the world’s power grids, one might need to know how to deal with the inevitable meltdown of services. Johns Hopkins Center for Civilian Biodefense Strategies modeled a global disaster in 2013 by way of a simulation game. The results were predictable:

What they discovered was that the country was ill prepared to cope. Within two weeks there would be enormous civilian casualties, a catastrophic breakdown in essential institutions, and mass civil unrest. Food supplies, electricity and transport infrastructures would all collapse.

International security scholar Dr. Nafeez Ahmed was asked how people should respond; he offered a nifty guide, outlined in six points.

But disaster isn’t always global, and current cases show our gross inability to respond to limited disasters. Flint, for example, already struggles with running water, item number three on Dr. Ahmed’s list. Conveniently, Flint doesn’t necessarily rely on government or law enforcement (item number four) because neither responded appropriately to the ongoing water crisis. What remains to be seen is whether Flint will muster long-term self-sufficiency (item number six) as government and law enforcement continue to let them down.

Speaking of Flint, I wonder how today’s Democratic Steering and Policy Committee hearing on Flint’s water crisis will go, as Michigan’s Governor Rick Snyder declined to appear.

“Don’t necessarily trust the government or law enforcement” in global disaster, indeed.

In First Act as DNI, James Clapper Adds to Redundancy Competitive Analysis

When James Clapper testified before the Senate Intelligence Committee, he rejected one of the central criticisms in the WaPo’s Top Secret America series–that the redundancy in the Intelligence Community contributed to waste and intelligence failures.

Clapper disputed criticism of redundancy in intelligence programs, saying that duplication is sometimes a conscious decision. “One man’s duplication is another man’s competitive analysis,” he said.

Perhaps it should come as no surprise, then, that his first act as DNI is to add to the redundancy.

After my second week on the job, I wanted to let you know what an honor it is to be leading this Community of such skilled and dedicated professionals.

When President Obama asked me to lead the Intelligence Community he said he wanted someone who would continue to build our enterprise into an integrated team.  I have begun to embark on that process and wanted to share with you a few of my initial thoughts and plans.

I have asked DIA Deputy Director Robert Cardillo to join ODNI in the newly-created role of Deputy Director for Intelligence Integration.  While the specifics of this position are still being developed, it unites the roles of Analysis and Collection to elevate information sharing and collaboration between these two essential functions.

Admittedly, Clapper doesn’t explain what he just hired a top DOD intell guy to do, but it sure seems like it overlaps with the mandate of the National Counterterrorism Center.

NCTC serves as the primary organization in the United States Government for integrating and analyzing all intelligence pertaining to terrorism possessed or acquired by the United States Government (except purely domestic terrorism); serves as the central and shared knowledge bank on terrorism information; provides all-source intelligence support to government-wide counterterrorism activities; establishes the information technology (IT) systems and architectures within the NCTC and between the NCTC and other agencies that enable access to, as well as integration, dissemination, and use of, terrorism information.

NCTC serves as the principal advisor to the DNI on intelligence operations and analysis relating to counterterrorism, advising the DNI on how well US intelligence activities, programs, and budget proposals for counterterrorism conform to priorities established by the President.

And the move is all the more bizarre given that Clapper only has this job because the Administration chose to fire Dennis Blair rather than hold Michael Leiter, the Director of the NCTC, responsible for failing to connect the dots on the UndieBomber attack, even though it appears that Leiter deserves more of the blame. So if I’m right that this new position is duplicative of the NCTC position, then the Administration has chosen not to fire the guy most responsible for missing the UndieBomber clues, and instead fire the DNI and replace him with a guy that–rather than firing the guy most responsible for missing the UndieBomber clues–will instead just create a second version of that guy’s position.

Now in an ideal world, the next time someone misses an attack, we’ll be justified in firing Clapper, since he’s the guy who opted for redundancy rather than holding one person responsible. But I’m guessing by then Clapper will be capitalizing on his inevitably short tenure as DNI, getting rich heading six or eight intelligence contractors.

The Intelligence Industrial Complex Prepares for War

In my review of Tim Shorrock’s important Spies for Hire, I summarized one of the most important parts of the narrative he tells in the book.

Shorrock describes, for example, [Mike] McConnell’s key role in the formation of the Intelligence and National Security Alliance (INSA), a trade organization that serves as a bridge between large intelligence contractors (like Booz Allen, SAIC, Computer Sciences Corporation, and ManTech) and the officers from CIA, NSA, and DHS who join them on the board of the organization. “INSA,” Shorrock explains, “is one of the only business associations in Washington that include current government officials on their board of directors.” Shorrock describes how INSA worked with the DNI (back when John Negroponte was DNI and McConnell was head of INSA and a VP at Booz Allen) to foster information sharing in the intelligence community–including with contractors. He reports that, for the first time in 2006, INSA’s contractors were consulted on the DNI’s strategic plans for the next decade. And Shorrock describes one intelligence veteran wondering “if INSA has become a way for contractors and intelligence officials to create policy in secret, without oversight from Congress.”

McConnell, after nurturing this enhanced relationship between contractors and government intelligence services, ascended to serve as DNI. He was, Shorrock points out, “the first contractor ever to be named to lead the Intelligence Community.” Once confirmed, McConnell immediately buried a report assessing the practice of outsourcing intelligence. And he worked to further expand the ties between government spying and its contractors.

[snip]

[The warrantless wiretap program is] not just about Bush and Cheney ignoring laws and spying on citizens (though it is that). It’s that, in the name of fighting terrorism, the Bush Administration is creating a monstrous new Intelligence-Industrial Complex in which intelligence contractors and the government collaborate–with little oversight–to snoop at home and abroad.

Now, Shorrock’s book got far too little attention, IMO. But he did lay out in great detail the many problems with the degree to which we have outsourced our national security infrastructure to contractors (and Jeremy Scahill has, of course, tirelessly chronicled that as well).

Which is why I’m amused by the panic revealed in a memo the Office of the Director of National Intelligence released a few weeks ago preparing all members of the intelligence community for an upcoming Dana Priest series covering the same terrain. The memo reveals:

  • The Director of Communications for ODNI, Art House, briefed Intelligence Community public affairs officers on the article back in January
  • House briefed the Deputies Committee for the intelligence community on the Priest series the week the memo was released
  • House has laid out a response plan to Priest’s article including his agency and the NSC, to be coordinated with all the IC agencies
  • House is already planning “a meeting or conference call to review procedural action before, during and after publication, and to compare substantive points that might be offered in rebuttal to the article”

Perhaps that’s just good messaging strategy–the kind that (as it happens) becomes a lot less effective when it is laid out ahead of time.

But what I’m perhaps most amused by is this paragraph:

This series has been a long time in preparation and looks designed to cast the IC and the DoD in an unfavorable light.  We need to anticipate and prepare so that the good work of our respective organizations is effectively reflected in communications with employees, secondary coverage in the media and in response to questions. [my emphasis]

Nowhere in this memo–at least as republished by Marc Ambinder–does House even hint that Priest has her details wrong (and given that she’s been working on it for two years, I’d be surprised if she did). The only real risk that House raises is the “unauthorized disclosure of sensitive and classified information.”

Yet the conclusion he draws from months of preparation for an article by Priest that is presumably factually correct is that it is “designed to cast the IC and the DoD in an unfavorable light.”

I’ve got a ton of respect for Priest’s reporting and therefore would guess that the article is designed to reveal the truth about the IC and DoD. And yet the intelligence community, inside its bunker, perceives a search for the truth as a design to portray it unfavorably.

What an apt explanation, then, for the problem with excessive contracting: when a reporter avails herself of Constitutionally protected rights to act as a watchdog on our government and its contractors, the government itself assumes that must be an attack. Hell, the IC has had time to preemptively respond to some of the problems Priest is about to reveal (and, as I said, Shorrock gave them a head start two years ago).

But instead, it has decided to go to war.

What the Scope of the IG Report on Warrantless Wiretapping Tells Us

Remember how when Congress passed the FISA Amendment Act last year, they required that the Inspectors General of the various agencies involved in the warrantless wiretapping produce a report on the program? They did an interim report–basically describing the scope of the report–last September (and produced in unclassified form last November). It took Secrecy News pulling teeth to get this released (six months after the fact), but here is the interim report.

General Scope

I’m going to show you the whole scope-related section, then unpack it line by line.

The DoJ IG is completing work on a broadly-scoped review of the Program, which the DoJ IG has been conducting over the past 18 months. In accord with its normal procedures and consistent with classification requirements, the DoJ IG will release its report when completed. The DoJ IG’s review examines the involvement of the DoJ and the Federal Bureau of Investigation (FBI) in the Program, including the use of and control over Program information; compliance with relevant authorities governing the Program as these authorities changed over time; and the impact and effectiveness of Program information on DoJ’s and FBI’s counterterrorism efforts. The review also describes various legal assessments of the Program, legal and operational changes to the Program, any use of Program information in the FISA process, and the transition to Foreign Intelligence Surveillance Court orders related to the Program.

The NSA IG’s review will examine the evolution of the Presidential authorization as it affected NSA, the technical operation of the Program, the preparation and dissemination of the product of the Program, and communications with and representations made to private sector entities. The review will address access by NSA to legal reviews and information concerning the Program and will also examine NSA’s interaction with the Foreign Intelligence Surveillance Court and the transition of Program activities to operations under court orders. The review will also include a description of NSA’s oversight of the Program. To conduct the review of the Program, the NSA IG will both initiate new work and draw upon a substantial body of completed evaluations.

The DoD IG will examine the involvement of the Office of the Secretary of Defense in the establishment and implementation of the Program.

The ODNI IG will examine the involvement of DNI senior leadership in the Program and DNI communication with private-sector entities concerning the Program.