Hal Martin Manages to Obtain a Better Legal Outcome than Reality Winner, But It Likely Doesn’t Matter

I’d like to comment on what I understand happened in a Hal Martin order issued earlier this month. In it, Judge Richard Bennett denied two requests from Martin to throw out the warrants for the search of his house and cell site tracking on his location, but granted an effort to throw out his FBI interrogation conducted the day they raided his house.

Hal Martin did not tweet to Shadow Brokers

The filing has received a bit of attention because of a redaction that reveals how the government focused on Martin so quickly: a Tweet (apparently a DM) he had sent hours before the Shadow Brokers files were first dropped on August 13, 2016.

The passage has been taken to suggest that Martin DMed with Shadow Brokers before he published any files.

That’s impossible, for two reasons.

First, it is inconsistent with Shadow Brokers’ known timeline. Shadow Brokers didn’t set up a Twitter account until after the first batch of files was initially posted. And both the Martin warrant — dated August 25 — and the search — which took place the afternoon of August 27 — preceded the next dump from Shadow Brokers on August 28.

But it’s also impossible given how Bennett ruled.

While the underlying motion remains sealed (like virtually everything else in this case), Martin was arguing the warrant used to obtain his Twitter content and later search his house was totally unreasonable under the Fourth Amendment. It’s clear from a letter Martin sent the judge asking for his social media accounts as they actually appeared that he believes the FBI read the content of his Tweet out of context. And the judge actually considered the argument that the search was unreasonable to have merit, and in ruling that the FBI did have substantial basis for the search warrant, conceded that in another context the Tweet would not appear to be so damning.

Significantly, the Fourth Amendment exclusionary rule does not bar the admission of evidence obtained by officers acting in reasonable reliance on a search warrant issued by a magistrate later found to be invalid. United States v. Leon, 468 U.S. 897, 913-14 (1984). The evidence will be suppressed only if (1) the issuing judge was misled by information that the affiant knew or should have known was false, (2) the judge “wholly abandoned” her neutral role, (3) the affidavit was “so lacking in indicia of probable cause as to render official belief in its existence entirely unreasonable,” or (4) the warrant is so facially deficient that no reasonable officer could presume it to be valid. Id. at 923 (citations omitted).

[snip]

In this case, there was a substantial basis for the Magistrate’s finding of probable cause to issue the search warrant for information associated with the Defendant’s Twitter account. See Upton, 466 U.S. at 728. The affidavit provides that the Defendant’s Twitter messages [redacted] in which he requested a meeting [redacted] and stated “shelf life, three weeks” – were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online content-sharing sites, including Twitter. (ECF No. 140-1 ¶¶ 14-23.) Further, and significantly, the affiant averred that the Defendant was a former government contractor who had access to the information that appeared to be what was purported to be stolen government property that was publicly posted on the Internet. (Id. ¶¶ 25-27.) Thus, although the Defendant’s Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant’s messages provide a substantial basis for the Magistrate’s conclusion that there was a “fair probability” that evidence of the crime of Theft of Government Property, in violation of 18 U.S.C. § 641, would be found in information associated with the Defendant’s Twitter account. See Gates, 462 U.S. at 238.

You would never see language like this if Martin really were tweeting with Shadow Brokers, particularly not given the timeline (as it would suggest that he knew of Shadow Brokers before he ever posted). The warrant would, in that case, not be a close call at all. Indeed, the language is inconsistent with Martin’s interlocutor having anything to do with Shadow Brokers.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Hal Martin got a similar FBI interrogation to Reality Winner’s thrown out

The sheer extent of FBI’s panic is probably what made Martin’s effort to get his FBI interrogation thrown out more successful than Reality Winner’s effort.

Their interrogations were similar. Ten FBI Agents came to Winner’s house, whereas nine SWAT team members, plus eight other FBI Agents, and a few Maryland State Troopers came to Martin’s. In both cases, the FBI segregated the NSA contractors in their home while Agents conducted a search. In Winner’s case, they also segregated her from her pets. In Martin’s case, they segregated him from his partner, Deborah Shaw, and when they did finally let him talk to her, they told Martin “you can’t touch her or any of that stuff.” When the NSA contractors wanted to get something from another part of their home, the FBI accompanied them.

Aside from the even greater number of FBI Agents and that Martin had a partner to be separated from, the biggest difference in Martin’s case is that they set off a flash-bang device to disorient Martin, and the FBI originally put him face down on the ground and handcuffed him. Those factors, Bennett judged, meant it was reasonable for Martin to believe he was under arrest, and therefore the FBI should have given him a Miranda warning.

That is, on the afternoon of the interrogation, approximately 17-20 law enforcement officers swarmed the Defendant’s property. The Defendant was initially approached by nine armed SWAT agents, handcuffed, and forced to lay on the ground. During the four-hour interrogation, the Defendant was isolated from his partner, his freedom of movement was significantly restricted, and he was confronted with incriminating evidence discovered on his property. In this police dominated environment, a reasonable person in the Defendant’s position would have believed he was not free to leave, notwithstanding the agents’ statements to the contrary.

So unlike Winner, Martin will have his interrogation (in which he admitted to taking files home from his job as a contractor and explained how he did so) thrown out.

But it probably won’t matter.

As a reminder, the FBI charged Martin with taking home 20 highly classified files in February 2017, but they included no allegation that he (willfully) served as a source for Shadow Brokers. It’s possible they know he was an inadvertent source for Shadow Brokers (unlike Nghia Pho, who was likely also a source for Shadow Brokers, they charged Martin for 20 files, larding on the legal exposure; they charged Pho with taking home just one file, while getting him to admit that he could have been charged for each individually). But an earlier opinion in this case ruled that the government only has to prove that by taking hordes of files from his employers that included National Defense Information, he knowingly possessed the ones he got charged for.

In any case, Martin has already been in jail for 28 months, almost half the amount of time that Pho will serve for doing the same thing, and his trial is not due to start until June 17, a full 34 months after he was arrested. As with Winner, the delay stems from the Classified Information Protection Act process, which ensures that — once the government successfully argues that the secrets in your head make it impossible to release you on bail for fear a foreign intelligence agency will steal those secrets — you serve the equivalent of a sentence before the government even has to prove your guilt.

Again, it may be that Martin unwittingly served as a source for Shadow Brokers. But if he didn’t, then the heavy hand they’re taking with him appears to stem from sheer embarrassment at fucking up with the initial panicked pursuit of him.

Update: Corrected the post to reflect that the search actually preceded the August 28 dump.

The Two Legitimacy Problems with the Nghia Pho Sentence

Nghia Pho was sentenced to 5 years and 6 months yesterday. He is presumed to have been one of the sources for the files released by Shadow Brokers (though I have been told he couldn’t be the sole source).

The government had asked for 8 years, just a month short of the top of the guidelines for the crime to which he pled guilty (though the government could have charged him much more aggressively and gotten far more time). In sentencing Pho, however, Judge George Russell seemed persuaded by Pho attorney Robert Bonsib’s point that David Petraeus did no jail time for what actually would have been a worse offense had he also been charged with sharing with his mistress the code word intelligence he mishandled and then lying about both to the FBI, as well as if the government admitted that the information Petraeus shared actually did show up in Paula Broadwell’s hagiography of the general.

Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators.

“Did he do one day in prison?” the clearly frustrated judge asked. “Not one day. … What happened there? I don’t know. The powerful win over the powerless? … The people at the top can, like, do whatever they want to do and walk away.”

Admittedly, the unstated presumption that Pho’s mishandling of NSA’s hacking tools led first to their leak and then to the downstream malware attacks tied to them seems to justify the government’s call for a harsh sentence and is reflected in statements from both Russell and the prosecutor.

Russell called Pho’s actions “extraordinarily serious.” He also rejected claims that it was an isolated mistake, noting that Pho took the top-secret material to his home for years.

[snip]

Little was said at Tuesday’s hearing about what information may have escaped Pho’s control or where it wound up, although Windom used very strong language about the impact of Pho’s actions, calling it “devastating.”

And it also explains the language of Pho’s remorse — denying the things that might have been suspected of the release.

“I admit it but I do not betray the U.S.A.,” the white-haired, glasses-wearing engineer said in broken English. “I do not betray this country. … I do not send anything to anybody or on the internet. I do not make profit on this information. … I cannot damage this country.”

It also might explain the terms of the plea agreement, one part of which remains sealed.

There’s something that remains unexplained, however — at least not credibly. Pho continues to claim that he brought the NSA’s hacking tools home because he needed them to write his Employee Performance Assessments. (h/t Josh Gerstein for obtaining the documents)

I need extra times and information about what I worked on, cut and paste, to create a good EPA at home and hope that I will have a chance to be promoted this time hence I received a good high-three average salaries before I go to the retirement in next four years (2019) when my clearance will be expired.

I was devoted to EPA promotion, encircle by EPA/promotion and the last high-three salaries that made me blind to violate the security policy of the Agency.

But as the government noted in their sentencing memo, this was not a one-off in advance of writing a yearly EPA. Rather, Pho continued doing this over the course of five years, and did so with materials unrelated to his work.

For a period of at least five years, the defendant removed Top Secret and Sensitive Compartmented Information (“SCI”) from secure space at the National Security Agency (“NSA”) and retained it in his home–an unsecure residence.

[snip]

This assertion [that he did this solely for EPAs] is belied by the facts. The defendant did not take home and retain classified information consistently for five years to work on an annual performance review. This argument especially does not apply to the classified material found in his home that was unrelated to his work or any personnel evaluation. [citations removed]

The government also notes that Pho knew better than to load these materials onto his computer (as a guy who coded malware, that should be all the more true).

The defendant claims that he stored massive troves of classified information at his home without the intention of placing national security at risk. The defendant goes so far as to say, directly, that he “did handle the information with care.” His actions speak to his intentions, and the facts do not support his contentions. For years, the defendant received training on how and where to store classified information and on why such precautions were critical to protecting national security. The defendant well knew that the mere removal of classified information from secure spaces, in itself, could endanger national security, and that retaining classified information in an unsecure location compounded this danger. Indeed, in his plea agreement, the defendant admitted that his extensive training informed him that “unauthorized removal of classified materials and transportation and storage of those materials in unauthorized locations risked disclosure and transmission of those materials, and therefore could endanger the national security of the United States and the safety of its citizens.”

This is a point that Admiral Rogers repeated in his (March 5) letter on the sentencing.

Mind you, even a year after Pho was discovered, it was still possible for even a translator to stick thumb drives into Top Secret computers at Fort Meade, as evidenced by Reality Winner’s actions (actions that were not charged). In the same way that Pho knew well that putting hacking tools on a computer attached to the Internet would be colossally stupid, the government itself has known the risks of leaving computers accessible to removable media since before Chelsea Manning’s leaks. They’re not exactly in a position to lecture.

That said, there’s something that still doesn’t add up about this and Pho’s claimed motive for it, which may be why when this story first broke, three different theories for why he brought the files home got leaked to the press. Maybe it was just ego fed by resentment that he (as reported in his letter) wasn’t getting promotions at the same rate as his colleagues, which doesn’t make for a very good excuse for having exposed the NSA’s crown jewels.

The Frothy Right Is Furious that Peter Strzok Pursued the Guy Leaking about Carter Page

Close to midnight on June 3, 2017, Lisa Page texted Peter Strzok to let him know that Reality Winner was in custody. Page used the same shorthand she and Strzok (and presumably, those around them) consistently use to describe leak investigations, ML, media leaks.

They used the term elsewhere, as when Strzok said “media leaks and what I do for a living” when responding to the first reports that Mueller was investigating Trump (and hypothesizing about who the WaPo’s likely sources were).

Significantly, they used the term on April 10, 2017, when trying to figure out how to respond to DOJ’s effort to increasingly politicize leak investigations.

Indeed, Strzok’s lawyer has issued a statement confirming this is how Strzok and Page used the term.

The term ‘media leak strategy’ in Mr. Strzok’s text refers to a Department-wide initiative to detect and stop leaks to the media. The President and his enablers are once again peddling unfounded conspiracy theories to mislead the American People.

In spite of all that context, Mark Meadows has the entire frothy right, from Sara Carter to Fox News to Don Jr to his dad, worked up about two newly produced texts, based on this letter to Rod Rosenstein, which gets just about everything wrong.

Before I explain how wrong Mark Meadows’ letter is, let me point out two things.

Michael Horowitz has already investigated a media leak text and found no misconduct

First, Michael Horowitz is (with the possible exception of DOD’s Glenn Fine) the best Inspector General in government. His office spent over a year investigating the work of Peter Strzok and Lisa Page; he wrote a 500-page report on it. And when he found evidence that even looked like impropriety, he acted on it immediately and then formally, leading to Strzok’s firing. He has also spent a year investigating whatever calls went between FBI lines and reporters covering Hillary or Trump. He even drew pretty pictures showing each one of concern.

As part of both investigations, he examined a text in the series Meadows is concerned about (the April 10 one, above). And in spite of examining Page and Strzok, including a relevant text, at such length, Horowitz found no impropriety with the discussions about how to investigate leaks to the media.

We know the likely culprit for the leak the frothy right is blaming on Page and Strzok

The punchline of Meadows’ letter — as fed via the always-wrong Sara Carter — is a claim that Strzok and Page were the source for the WaPo story revealing that FBI obtained a FISA order on Carter Page.

The review of the documents suggests that the FBI and DOJ coordinated efforts to get information to the press that would potentially be “harmful to President Trump’s administration.” Those leaks pertained to information regarding the Foreign Intelligence Surveillance Court warrant used to spy on short-term campaign volunteer Carter Page.

Aside from how fucking stupid you’d have to be to believe that Strzok would go to great lengths to get a FISA order on Page and then tell the entire world about it, there’s another reason that the frothy right should know this is wrong: because we know the likely culprit for it.

As I noted in my first post on the James Wolfe indictment, that investigation appears to have started with (and focused on) finding the source for the WaPo story the frothy right now blames on Strzok and Page.

The government lays out clear proof Wolfe lied about conversations with three reporters. With Watkins and another, they point to stories about Carter Page to do so. The Watkins story is this one, confirming he is the person identified in the Evgeny Buryakov indictment. Another must be one of two stories revealing Page was subpoenaed for testimony by the Senate Intelligence Committee — either this one or this one.

I’m most interested, however, in this reference to a story the FBI raised with Wolfe in its interview, a story for which (unlike the others) the indictment never confirms whether Wolfe is the source.

During the interview, FBI agents showed WOLFE a copy of a news article authored by three reporters, including REPORTER #1, about an individual (referred to herein as “MALE-1”), that contained classified information that had been provided to the SSCI by the Executive Branch for official purposes

The story suggests they don’t have content for the communications between Wolfe and Reporter #1, and the call records they’re interested in ended last June (meaning the story must precede it).

For example, between in or around December 2015 and in or around June 2017, WOLFE and REPORTER #1 communicated at least five times using his SSCI email account.

For that reason, I suspect this is the story they asked about — whether Wolfe is a source for the original credible story on Carter Page’s FISA order. The focus on Page generally in the indictment suggests this investigation started as an investigation into who leaked the fact that Page had been targeted under FISA, and continued to look at the stories that revealed classified details about the investigative focus on him (stories which he rightly complained to SSCI about).

The government didn’t charge Wolfe for that story — they just (appear to have) included his lies about whether he knew the reporters behind it among the lies they charged him for. But that’s a common strategy for FBI when dealing with a leak investigation the direct prosecution of which would require declassifying information, particularly with someone like Wolfe who could easily graymail the government. Moreover, the docket in his case has the look of one where the defense is considering a plea to avoid more serious charges.

Now consider how they got Wolfe. Not only did the government go after a trusted employee, not only did they very publicly access his Signal and WhatsApp texts, not only did they get Congress to waive speech and debate (which very rarely happens), but they also obtained years of Ali Watkins’ call records, both directly and via Temple University.

In other words, the prosecution of James Wolfe pushed prior protocols on leak investigations on a number of fronts: going after favored insiders, going after encrypted comms, going after employees of Congress, and going far more aggressively after a journalist and a college student than would seem necessary. That’s precisely the kind of thing that FBI and DOJ would debate as part of revising their strategy to more aggressively pursue media leaks.

So the James Wolfe case not only provides a likely culprit for the leak, but probably even evidence that shifts in the media leak strategy did happen, shifts resulting in far more aggressive pursuit of leaks than happened at the end of the Obama Administration.

Mark Meadows dangerously wrong

Which brings us, finally, to the many errors of Mark Meadows’ letter to Rosenstein. Once again, the premise of the letter is that two new texts (one of which obviously relates to the one I posted above) create grave new concerns.

As you may know, we recently received a new production of documents from the Department providing greater insight into FBI and DOJ activity during the 2016 election and the early stages of the Trump administration. Our review of these new documents raises grave concerns regarding an apparent systemic culture of media leaking by high-ranking officials at the FBI and DOJ related to ongoing investigations.

Review of these new documents suggests a coordinated effort on the part of the FBI and DOJ to release information in the public domain potentially harmful to President Donald Trump’s administration. For example, the following text exchange should lead a reasonable person to question whether there was a since desire to investigate wrongdoing or to place derogatory information in the media to justify a continued probe.

April 10, 2017: Peter Strozk [sic] contacts Lisa Page to discuss a “media leak strategy.” Specifically, the text says: “I had literally just gone to find this phone to tell you I want to talk to you about media leak strategy with DOJ before you go.”

April 12, 2017: Peter Strozk [sic] congratulates Lisa Page on a job well done while referring to two derogatory articles about Carter Page. In the text, Strzok warns Page two articles are coming out, one which his “worse” than the other about Lisa’s “namesake.” [see update below] Strzok added: “Well done, Page.”

Meadows goes on to cite the WaPo story revealing Page’s FISA order and Andrew Weissman’s meeting with the AP (in which, per court testimony from the Manafort trial, the AP provided information useful to the investigation into Manafort, but which — significantly — led to the warrant on Manafort’s condo which may have led to the discovery of information that implicates Trump).

Meadows is just wrong. Both texts he already has and the Wolfe case “should lead a reasonable person” to understand that the same people who had long pursued leak investigations still were doing so, doing so in an increasingly politicized environment, but doing so with results that would employ more aggressive techniques and would find the likely culprit behind the WaPo story in question (not to mention send Reality Winner to prison for five years).

But all that’s just a premise to claim that because he imagines, fancifully, that Page and Strzok were leaking about ongoing investigations to the press (when in fact they were investigating such leaks), he should be able to get the FBI to talk about ongoing investigations.

During our interviews with Peter Strozk [sic] and Lisa Page, FBI attorneys consistently suggested witnesses could not answer questions due to the US Attorneys’ Manual’s policy for ongoing investigations. However, documents strongly suggest that these same witnesses discussed the ongoing investigations multiple times with individuals outside of the investigative team on a regular basis.

Not only is Meadows almost certainly wrong in his accusations against Strzok and Page, but he’s also ignoring that there are two ongoing investigations being protected here — both the general Russian investigation, but also the prosecution of Wolfe for behavior that likely includes the story he’s bitching about.

Meadows then uses what he even seems to admit are authorized media contacts as a transition paragraph.

Our task force continues to receive troubling evidence that the practice of coordinated media interactions continues to exist within the DOJ and FBI. While this activity may be authorized and not part of the inappropriate behavior highlighted above, it fails to advance the private march to justice, and as such, warrants your attention to end this practice.

The transition paragraph — which I’ll return to — leads to the whole point of the letter, Meadows’ demand that, because he has trumped up a false accusation against Strzok and Page, he should be able to interview FBI agents he believes will undermine the investigation into Donald Trump.

In light of the new information, our task force is requesting to review text messages, emails, and written communication from FBI and DOJ officials Stu Evans, Mike Kortan, and Joe Pientka between June 2016 to June 2017. To be clear, we are not suggesting wrongdoing on the part of Evans, Kortan, and Pientka–and, in fact, previously reviewed documents suggest that some of these individuals may share the committees’ same concerns. However, these additional documents, with an emphasis on communications between the aforementioned individuals and Peter Strozk [sic], Andrew McCabe, Lisa Page, Bruce Ohr and Andrew Weissman, would provide critical insight into the backdrop of the Russian investigation.

Meadows is looking for, among other things, testimony that says Pientka didn’t believe Mike Flynn lied when he interviewed Trump’s National Security Advisor with Strzok. But he’s doing so specifically for a time period that ends before the evidence showing that Flynn did lie came into the FBI (in part, when Mueller obtained Transition emails showing Trump closely directed Flynn’s conversations with Sergei Kislyak).

Now back to authorized media interactions. I happen to know something about how they work. I had a conversation with the FBI that pertained, in part, to whether there was a tie between Russian criminals and the President, one that also pertained to my perception of possible threats. Apparently Meadows thinks that such a conversation “fails to advance the private march to justice,” though it’s not clear what he means by that. I mean, thus far, I have been very circumspect about the content of such conversations; is Meadows really asking me to air details before the midterms? I have thus far hesitated to share suspicions I had, believing it would be inappropriate for anyone besides Mueller and the FBI to air such things publicly, until they had corroborated my suspicions. But Meadows apparently believes it important to air investigative details before the election.

The better option — one that would put the rule of law and the security of the nation ahead of partisan obstruction — would be for Meadows to stop inciting hoaxes among the frothy right. Or maybe, at least, the frothy right can recognize that Meadows has serially embarrassed them as they credulously repeat whatever hoax he floats?

Update: After Jerrold Nadler and Elijah Cummings released a response noting some of Meadows’ errors, he fixed just one of the errors in his letter, admitting that the “well done, Page” language was actually from an April 22, 2017 text that reads, “article is out! Well done, Page,” and which obviously refers to this story on Jim Comey.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

Reality Gets A Harsh Sentence

With Update Below!

As many of you may already know, this morning was the sentencing for Reality Winner. She was sentenced to 63 months of incarceration and three years of supervised release upon completion of her term. The supervised release term is rather standard. She will be housed at the Federal Medical Center, Carswell in Fort Worth, Texas. The stated reason was because she is bulimic, but it seems more like a nod to her, and her family, who requested a Texas posting so they would be near. There is no pecuniary fine. I have not seen the official sentencing order yet, but have little to no doubt she will be credited with the time served in pre-trial detention since her arrest on June 3, 2017; i.e. nearly 15 months. So, assuming that, she should be released in about 4 years.

Okay, that is the hard nuts and bolts of Ms. Winner’s sentencing. If you want some more background, please see our old friend Kevin Gosztola at Shadowproof, who has been covering all the Reality Winner court appearances.

All that said, let me address a couple of things. First, the sentence was not unexpected, indeed it was stipulated to in the plea agreement Ms. Winner both signed and allocuted to in open court. While the court technically “could” have deviated downward, there was little to no chance it would given the plea language. Anybody shocked by today’s sentencing has not been paying attention.

Secondly, the government did not “block” Winner’s defenses. I had a discussion on this point with a good friend, Will Bunch, who has admirably written extensively on, and in favor of, Reality. Sadly, the law here is what it is, and not what Will and I would like it to be. Winner’s attorneys filed every motion they could, both to try to win and to protect the record. But those motions were never going to work, they never do, and they did not here.

Jeffrey Sterling also tried all of that. It did not work then, for him, either. Sterling got 42 months in prison. It is hard to compare disparate cases, but in the long run, I personally have a hard time seeing why Reality Winner was worse or more damaging than Jeff Sterling, and yet she got 1.5 times as much incarceration as Sterling. Different DOJ’s, different times and the Trump Administration was already on the record as head hunting for leakers when Winner fell into their lap. So, I guess it is not shocking. They were looking to make an example and there she was.

Now to the after show doings. The United States Attorney for the Southern District of Florida, Bobby L. Christine (never trust a man with two first names), cravenly issued a pompous press release on the sentencing. This is just a taste of the Christine hyperbolic:

The document Winner compromised did, in fact, contain TOP SECRET information about the sources and methods used to acquire the intelligence described in the report. That means it revealed how U.S. Intelligence Agencies obtained information. U.S. Government subject matter experts have determined that Winner’s willful, purposeful disclosure caused exceptionally grave damage to U.S. national security. That harm included, but was not limited to, impairing the ability of the United States to acquire foreign intelligence information similar to the information the defendant disclosed. This was, by no means, a victimless crime.

What’s more, Winner’s exceptionally damaging disclosure was not a spontaneous, unplanned event, but was the calculated culmination of a series of acts. She researched whether it was possible to insert a thumb drive into a Top Secret computer without being detected, and then inserted a thumb drive, WHICH THE GOVERNMENT NEVER RECOVERED, into a Top Secret computer. She researched job opportunities that would provide her access to classified information. At the same time, she searched for information about anti-secrecy organizations, and she celebrated claimed compromises in U.S. classified information.

Note the Trump like raging capital letters? Ooof. It was an unnecessary and prickish public release by somebody that had won and driven the vanquished into the ground. And while Bobby L. Christine took all the glory, he did not do diddly squat himself, the matter was handled by a team of career AUSA’s that he did not even have the common courtesy to mention. Very Trump like.

Okay, so why did Ms. Winner end up here? There are a lot of reasons. First off, while Winner would have pretty clearly been discovered anyway, she disclosed her material to The Intercept, which was far from the only cause of her discovery, but did her no favors either. And the Government, especially the NSA, hates, with a capital H, The Intercept. But again, Reality’s discovery was inevitable even despite that, but it is a factor.

Secondly, the Government has thought all along that she had more material than what The Intercept and Matt Cole received and published. In its sentencing memorandum, the government addressed other areas of concern as to Winner including: her insertion of a flash drive into a TS/SCI NSA computer at Fort Meade; her Internet history (which other filings make clear included details on Anonymous, Vault 7, Hal Martin, Assange, and Snowden); her download of Tor; her seeking out employment at Pluribus; and her screenshots of secure drop information.

These bases were generally also why she was detained without bail. That does not make it right, and it is, and remains true, that there is far too much secrecy and cheap classification in the face of the American public’s interest. This is a textbook example of just that. But Reality Winner tried to be a whistleblower and fell into the lurch where there are no such protections for the acts she did. She paid an overly, and draconian, price for what she did because the Trump Administration needed a head on a pike. They got hers. And this morning’s sentencing was the ugly culmination of that.

UPDATE: Alright, Trevor Timm at The Intercept has posted an interesting coda to the Reality Winner goings on today.

WHEN THE INTERCEPT first published the top-secret document, reporters and editors went to the government — as they do every time The Intercept publishes classified documents — to hear the NSA’s views about any information that might truly harm national security. After listening to the agency’s arguments, and out of an abundance of caution, The Intercept redacted a few pieces of information from the document before publishing it.

A key phrase that the government wanted withheld was the specific name of the Russian unit identified in the document. The government was particularly insistent on that point. Since it wasn’t vital to the story that the unit’s name be revealed, nor was it clear — at least at the time — that revealing the unit’s name was in the public interest, The Intercept agreed to withhold it.

But in the indictment of alleged Russian military intelligence operatives that Mueller’s office released last month, the Justice Department revealed the same name: GRU unit 74455. (The unit is also known as the Main Center for Special Technology or GTsST.) The indictment went on to reveal information almost identical to that contained in the document Winner admits to disclosing:

In or around June 2016, KOVALEV and his co-conspirators researched domains used by U.S. state boards of elections, secretaries of state, and other election-related entities for website vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email addresses, including filtered queries for email addresses listed on state Republican Party websites.

In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers.

In or around August 2016, KOVALEV and his co-conspirators hacked into the computers of a U.S. vendor (“Vendor 1”) that supplied software used to verify voter registration information for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.

The Justice Department is trying to have it both ways: It’s OK for Mueller to publicly release this information in an attempt to prosecute alleged Russian hackers because it’s in the public interest. But at the exact same time, the government is also claiming that a document including very similar information causes grave harm to national security when disclosed to the public by someone else.

There is a lot more there at Trevor’s post. Without doubling the size of this post, I would like to second the expert opinions submitted by Bill Leonard that Trevor Timm describes and that have long been a staple here. There literally is no greater expert on classification than Bill Leonard. That said, it is like the discussion in the main original post. The fight is against archaic, authoritarian and totalitarian laws and legal precedent. Until those are changed, there is reality, and then there is the regrettable case of Reality Winner.

The Gaping Holes in the SSCI Voting Security Report: Vendors and Mitch McConnell

The Senate Intelligence Committee released a 6-page report, titled “Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations,” on how to secure elections last night.

While it is carefully hedged (noting that states may have missed forensic evidence and new evidence may become available), it confirms that “cyber actors affiliated with the Russian Government” conducted the operation and that no “vote tallies were manipulated or [] voter registration information was deleted or modified.” It says the intrusions were “part of a larger campaign to prepare to undermine confidence in the voting process,” but in its admission that, “the Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action,” doesn’t explain that the reason Russia would have decided against action was because Trump won.

The report is laudable for the care with which it describes the various levels of intrusion: scan, malicious access attempts, and successful access attempts. As it concludes, in a small number of states (which must be six or fewer), hackers could have changed registration data, but could not have changed vote totals.

In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.

Among its recommendations, the report suggests that,

Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.

This would avoid shitty NBC reporting that falsely leads voters to believe over 20 states were successfully hacked.

Ultimately, though, this report offers weak suggestions, using the word “should” 18 times, never once calling on Congress to fulfill some of its recommendations (such as providing resources to states), and simply suggesting that the Executive warn of consequences for further attacks.

U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.

Predictably (especially coming from a Chair whose own reelection in 2016 is due, in part, to his party’s abuse of North Carolina’s administration of elections), the report affirms the importance of states remaining in charge.

States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

I guess Richard Burr would like the Federal government to give his colleagues more money to disenfranchise brown people.

But it’s not just in its weak suggestions that the report falls short. There are two significant silences that discredit the report as a whole: Mitch McConnell, and vendors.

For example, in a long section laying out why DHS’ warnings in 2016 were insufficient, the report complains that the October 7, 2016 statement was not adequate warning.

DHS’s notifications in the summer of 2016 and the public statement by DHS and the ODNI in October 2016 were not sufficient warning.

The report remains utterly silent about Mitch McConnell’s refusal to back a more forceful statement (and, as I’ve noted, Burr and fellow Trump advisor Devin Nunes himself never joined any statement about the attacks).

In other words, while this report talks about gaps and is happy to blame DHS, it doesn’t consider the past and proposed role of top members of Congress.

The other big gap in this report has to do with the vendors on which our election system relies. To be sure, the report does, twice, acknowledge the importance of private sector companies in counting our vote, first when it describes that the vendors are enticing targets that might need to be bound by more than voluntary guidelines.

Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target for malicious cyber actors. State, local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for security, abiding by those guidelines is currently voluntary.

As a solution, it said that state and local officials should perform risk assessments for election infrastructure vendors, not that the vendors should do so themselves (or be held to any mandated standards).

Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems.

Not all states and almost no local officials are going to have the ability to do this risk assessment, and there’s no reason why it should be done over and over again across the country.

That’s particularly true given the fact that the election vendor market has gotten increasingly concentrated (a vulnerability the report addresses, but for which it provides no remedy).

Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.

The report also suggests that DHS educate vendors.

DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.

But in a report that acknowledges the key role played by vendors in administering our elections, the report remains silent about Russian efforts to compromise them in 2016. Indeed, in its accounting of how many states were affected, the report admits its numbers don’t include vendors.

In addition, the numbers do not include any potential attacks on third-party vendors.

And yet — thanks in large part to Reality Winner — we know Russia did target vendors. Not only did they target them, but they appear to have succeeded, and succeeded in a way that may have affected the vote in North Carolina, Burr’s state.

In short, the report leaves a key aspect of known Russian efforts to target the vote completely unexamined, and it doesn’t consider the many ways that compromising vendors, in ways beyond cyberattacks, might affect the vote.

Perhaps the report is silent about vendors precisely because of Winner’s pending case, to avoid publicly mentioning in unclassified form the attacks that the document she is accused of leaking describes. Or perhaps the committee just did an inadequate job of reviewing what happened in 2016.

Whichever it is, it’s unacceptable.

Reality Winner: The Cost of Mounting a Defense Arguing the Government Overclassifies

In this Democracy Now appearance, Reality Winner’s mom, Billie Winner-Davis, suggested that, whereas her case had originally been due to go to trial next month, it now looks like it will stretch into 2019.

We do not have a trial date at this point. The trial was originally scheduled for October, and then it was pushed to March. But as of right now, we do not have a new trial date. So we don’t know when she will be—face the jury. What I’m being told is that it will be late 2018, if not early February 2019.

Earlier this week the two sides submitted a proposed schedule that shows even that may be optimistic. Because Winner’s defense wants to use classified information to argue the document she is accused of releasing is not national defense information, it has to go through the onerous Classified Information Procedures Act process (see this for a description of the CIPA process) to get that information approved for use in a trial. If I’m doing the math correctly, most optimistically the proposed schedule looks like this:

  • March 30, 2018: Defense submits all proposed subpoenas
  • April 30: Deadline for discovery, including remainder of government’s CIPA Section 4
  • June 14: Government’s Rule 16 expert disclosures
  • July 14: Defendant’s Rule 16 expert disclosures, if they already have clearance (former ISOO head Bill Leonard, who is already serving as an expert witness, has clearance)
  • July 29: Defendant’s amended CIPA 5 notice
  • August 13: Government’s supplemental Rule 16 expert disclosures due, government’s objections to adequacy of defendant’s CIPA 5 notice
  • September 10: Government’s CIPA 6(a) motion
  • October 1: Defendant’s response to government’s CIPA 6(a) motion
  • October 15: Government’s reply to CIPA 6(a) motion
  • October 21: CIPA hearing (this is where the two sides argue about what classified information the defense needs to make her case)

At this point, there might be 42 days to argue about a CIPA 6(c) motion (where the government proposes unclassified substitutes). If that happens, it will be 90 days until trial, meaning it would start March 1. If it doesn’t, then the trial would skip that 42-day process and presumably drop into very early 2019.

  • Early January 2019 or March 1: Trial start

Again, this is a joint proposal, meaning the defense is on board with the long delay. Either they think they can win a graymail attempt (meaning the judge agrees they should get the classified information but the government refuses to provide adequate substitutes and so is forced to dismiss the case) or they believe they can make a case (with the help of Leonard) on the NDI claims generally. They may also anticipate that other events — the Mueller investigation, the congressional investigations into the Russian hack, state investigations, or more journalism — may make it clear how absurd it is to try Winner for information that has become publicly available as we have a public discussion about what the Russians did in 2016.

But if not, she (unlike most other people recently charged under the Espionage Act, save Hal Martin) will have been in jail for 19 months assuming an early January 2019 trial, or 21 months assuming a March 2019 trial. Winner is charged with one count of willful retention and dissemination of National Defense Information.

By comparison, Jeffrey Sterling, who was found guilty on nine counts, including five unauthorized disclosure counts, was sentenced to 42 months (the government had been asking for nine years, but Leonie Brinkema seemed to have reservations about the evidence behind a number of the guilty verdicts, and the sentencing came in the wake of the David Petraeus sweetheart two years of probation plea deal). Admittedly, the government piled on the charges in that case, whereas here they charged as one count things they might have charged as several (by charging both the leaks to The Intercept and WaPo, for example, or by charging her for not telling the full truth to the FBI). Nevertheless, Sterling was accused of exposing a critically sensitive program and an intelligence asset, whereas Winner is charged with leaking one document in an environment where very similar information is being leaked or released by multiple government sources.

Stephen Jin-Woo Kim, who pled guilty to one count of disseminating NDI pertaining to CIA resources in North Korea, was sentenced to 13 months.

This is the no-win situation Winner is in, trying to challenge her conviction after having been denied bail. Because of the way we deal with classified information, she’ll have served a likely full sentence by the time she gets to trial.

It still may be worth it. After all, if she wins at trial, she’ll avoid a record as a felon.

But the larger battle seems to be one about the ridiculousness of our classification system. As Leonard said (see PDF 99-100) in his declaration to explain why he was providing his services pro bono in this case, he believes the kind of overclassification of information that may be at issue here amounts to degrading the entire classification system.

My motivation for becoming involved in this case was my concern for the integrity of the classification system. I strongly believe that classification is a critical national security tool and that the responsibilities of cleared individuals to properly protect classified information are profound. At the same time, government agencies have equally profound responsibilities and in this regard, I have long witnessed the over-classification of information within the Executive Branch due to the failure of agencies to fulfill these responsibilities. In this way, the actions of agencies can actually undermine the integrity of the classification system in that to be effective, it must be used with precision. As Justice Potter Stewart said in the Pentagon Papers case, “when everything is classified, then nothing is classified … ”

[snip]

My involvement in [two prior prosecutions, that of Steven Rosen and Thomas Drake] confirmed for me the importance, especially in criminal prosecutions, of not allowing representatives of the Executive Branch to simply assert that certain information is classified or closely held or potentially damaging if disclosed.

That is, Winner might prove a point: that this kind of information should be more accessible to the public.

But along the way she will have paid a very costly price.

Update, March 15: After two hearings, Magistrate Brian Epps cut two months off this schedule, setting Winner’s trial date for October 15. That will mean she will have been in jail over 16 months by the time of her trial.

Reality Winner Seeks to Use Trump’s Denials of Russian Hacking in Her Defense

Last week, Reality Winner had a hearing on her bid to get her interview with the FBI thrown out because they didn’t issue her a Miranda warning (Kevin Gosztola covered and discussed it on Democracy Now). Given the precedents on Miranda, I think that bid is unlikely to succeed.

But there is a tack her defense is taking that, as far as I’ve seen, has gotten no notice, one that is far more interesting. Winner is seeking to use Trump’s comments denying that the Russians hacked the election to argue the document she is accused of leaking to The Intercept isn’t actually National Defense Information, the standard the government has to prove to secure an Espionage conviction.

In her discovery requests, Winner asked for three (entirely redacted) categories of documents “reflecting statements made by high-ranking governmental officials regarding information contained in the document,” all of which were denied (see PDF 87).

A discovery appeal submitted in January (but only released on February 13) makes clear that Winner’s defense attorneys are going to argue that the intelligence in the report she is accused of leaking cannot be National Defense Information because the President’s statements would be taken to suggest the intelligence is not true.

However, high-ranking government officials, including the President of the United States, have made statements undermining and/or contradicting that contention. [44] That is of great import because, if the information in the Document is inaccurate (as the President and other high-ranking officials have said), it cannot be NDI. While the defense may seek to capture some of this information in the public domain, [45] it cannot capture statements made privately by these high-ranking officials.

Bill Leonard, the former head of the federal classification authority, ISOO, who has served as expert witness on two other cases involving Espionage charges, laid out the logic of the argument this way (PDF 102-3):

[T]here are governmental actors, including high-level governmental actors (such as the President of the United States), that have made conflicting and/or contradicting statements in comparison to the Government’s position here. In other words, these high-level governmental officials have made statements undermining the veracity of the information contained in the Document, which would impact whether the Document actually contains “national defense information” because, if inaccurate, the Government’s contention that its disclosure could harm the national security of the United States would be severely undermined. Indeed, the President is the highest level of authority in our classification system and has virtually unrestricted access to information in our intelligence system. He is, therefore, in the best position to know the particulars of any piece of intelligence, including its sensitivity and its veracity. Consequently, records reflecting statements made by high-ranking governmental officials, including and in particular, the President of the United States, relating to the information contained in the Document (including statements contradicting the truth or veracity of the information at issue) are highly relevant and are critical to the determination of whether or not it is closely held and/or whether or not its disclosure would potentially damage the national security.

There are a number of other challenges the government is facing with this case (not least that — as I’ve pointed out — similar information has been leaked to the press without any apparent prosecution arising from it).

But Trump’s self-interested denials are the most interesting. After all, he cannot admit that Russia affected the election, because he has staked so much on the claim that that will lessen his legitimacy (not to mention any risk such an admission exposes him to in the Mueller investigation). As Leonard notes, the entire classification system is built on presidential authority, and if he says something isn’t true, it will seriously undermine any claim a prosecutor can make at trial that Winner leaked true National Defense Information.

Effectively, some prosecutor will be in a position of having to point out what we all know, that the President is a liar. Given Trump’s propensity towards rage-induced firings, I imagine the government would like to avoid this pickle.

The Russian Metadata in the Shadow Brokers Dump

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the “two unnamed NSA employees and the contractor referenced in The Times’ reporting.”

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few reports that analyzed the people identified in the metadata had discussed: a Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sidelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sidelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky related breach is unrelated to the Shadow Brokers leak, something that I also pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese-born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more part of the Krebs story which is weird — that he takes the same non-response he got from the known NSA guys doxed by Shadow Brokers from Sidelnikov as somehow indicative of anything, even while if he had been “arrested” as Krebs’ headline mistakenly suggests, then you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

In Discussion of Unmasking Admiral Rogers Gets Closer to Admitting Types of Section 702 Cybersecurity Use

Last Friday, Director of National Intelligence Dan Coats, Director of NSA Mike Rogers, and FBI Director Christopher Wray did an event at Heritage Foundation explaining why we need Section 702 and pretending that we need it without reasonable reforms. I attended Wray’s talk — and even got my question on cybersecurity asked, which he largely dodged (I’ll have more about two troubling things Wray said later). But I missed Rogers’ talk and am just now catching up on it.

In it, he describes a use of Section 702 that goes further than NSA usually does to describe how the authority is used in cybersecurity.

So what are some examples where we’ll unmask? Companies. Cybersecurity. So we’ll report that US company 1 was hacked by the following country, here’s how they got in, here’s where they are, here’s what they’re doing. Part of our responsibility on the US government side is the duty to warn. So how do you warn US company 1 if you don’t even know who US company 1 is? So one of the reasons we do unmasking is, so for example we can take protective to ensure this information is provided to the appropriate individuals.

What Rogers describes is an active hack, by a nation-state (which suggests that rule may not have changed since the 2015 report based off 2012 Snowden documents that said NSA could only use 702 against nation-state hackers). The description is not necessarily limited to emails, the type of data NSA likes to pretend it collects in upstream (though it could involve phishing). And the description even includes what is going on at the victim company.

Rogers explains that the NSA would unmask that information so as to be able to warn the victim — something that (via the FBI) happened with the DNC, but something which didn’t happen with a number of other election related hacks.

Of course, Reality Winner is facing prison for having made this clear. The FISA-derived report she is accused of leaking shows how the masking works in practice.

In the case of VR Systems, the targeted company described, it’s not entirely clear whether NSA (through FBI) warned them directly or simply warned the states that used it. But warnings, complete with their name, were issued. And then leaked to the press, presumably by people who aren’t facing prison time.

In any case, this is a thin description of NSA’s use of 702 on cybersecurity investigations. But it is more detail in unclassified public form than has previously been released.

 

702 Reauthorization: The Anti-Leak Package

As part of the draft Section 702 Reauthorization released this week, the House Judiciary Committee included what I’ll call the anti-leak package. They’re not actually presented in the same Title, but I want to consider them as a group as a way to consider whether they’ll do anything to make leaking less useful than internal whistleblowing.

The package consists of three things:

  • Increased penalties for improperly handling classified information
  • New protections for FBI whistleblowers and contractor whistleblowers
  • A GAO report on whether classification works

Increased penalties for improperly handling classified information

The first part of the package changes 18 USC 1924, which criminalizes unauthorized retention of classified documents, to make knowingly retaining classified information a felony, while creating a new misdemeanor for negligently retaining classified information.

SEC. 302. PENALTIES FOR UNAUTHORIZED REMOVAL AND RETENTION OF CLASSIFIED DOCUMENTS OR MATERIAL.

Section 1924 of title 18, United States Code, is amended—

(1) in subsection (a), by striking ‘‘one year’’ and inserting ‘‘five years’’;

(2) by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; and

(3) by inserting after subsection (a) the following new subsection (b):

(b) Whoever, being an officer, employee, contractor, or consultant of the United States, and, by virtue of his office, employment, position, or contract, becomes possessed of documents or materials containing classified information of the United States, negligently removes such documents or materials without authority and knowingly retains such documents or materials at an unauthorized location shall be fined under this title or imprisoned for not more than one year, or both.

I think this was done to make what Hillary Clinton did a clear felony, so Republicans can squawk about it, rather than solving any real problem.

Which is a pity. Because for those who want to write new laws criminalizing the retention and leaking of classified information (something I’m not advocating, but I understand the sentiment), it might be useful to write laws that address the problems we’re actually seeing.

For example, the Espionage Act should be rewritten to make it clear it only applies to real Espionage — the secret sharing of “national defense information” (which should be better defined) with an adversary for some kind of personal benefit. By all means, create something else that applies to the Edward Snowdens and Chelsea Mannings of the world, if you feel the need to. But in that law, do something to ensure that the David Petraeuses of the world — who leaked information to get laid and tell nice stories about himself — don’t get a wrist slap, while people who at least believe their acts to be benefitting the country face life imprisonment.

The degree to which the Espionage statute specifically, and leak prosecutions generally, have become the means to pursue arbitrary retaliation against people who don’t hew a party line undermines the legitimacy of the classification system, which (in my opinion, as someone who has covered most recent leak prosecutions) just leads to more leaking.

In related news, one of the reasons why magistrate Brian Epps Cobb denied Reality Winner bail yesterday is because she admires Snowden and Assange.

In addition, this week’s news that an NSA TAO hacker brought files home and used them on his machine running Kaspersky, thereby alerting Russia to them, suggests the need to consider the impact of even negligent improper handling, because it can have an impact akin to that of Snowden if it is compromised.

Finally, there should be some controls over abuse of Original Classification Authority, both in Prepublication Reviews, to prevent the selective censorship of important stories. And there should be some recognition that OCAs are often not the only source of information (which is one of the problems with the Hillary emails — her staffers were reporting widely known facts that the CIA later claimed a monopoly on, thereby making the information “classified”).

Perhaps the GAO review, below, can go some distance to making this happen.

New protections for contractor whistleblowers

There’s a section that extends the (still inadequate) whistleblower protections of the National Security Act to contractors, while adding protection (just for contractors!) for the reporting of “evidence of another employee or contractor employee accessing or sharing classified information without authorization.” It also adds additional reporting vehicles for FBI contractors (to DOJ or FBI’s Office of Professional Responsibility, to FBI’s Inspection Division, or to the Office of Special Counsel).

The bill also adds contractors to those you can’t retaliate against by stripping of security clearance if they’ve made a protected disclosure.

Contractor is defined as “an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element.”

As I said, this is just the protection extended to intelligence community employees, with enforcement by the President, the same guy who orders up the illegal activities (such as torture or domestic spying) of the IC.

Plus, I’m not sure the language protects against two other problems that have happened with contractors. First, the loss of a contract, which doesn’t seem to be included in the definition of personnel decisions. So an agency could retaliate not by denying a promotion, but simply denying a contract. And, for similar reasons, I’m not sure the language prevents a contractor from retaliating against one of their employees directly, particularly if they’re threatened with losing work.

As I said, I’m not sure on this. I await analysis from the people who work whistleblower issues all the time.

That said, while this is an important improvement that will extend the same inadequate protection that IC employees get to IC contractors, I think it doesn’t necessarily protect against some known kinds of retaliation.

A GAO report on whether classification works

Perhaps most interestingly, the bill asks GAO to conduct a study on why we’re having so much leakage.

SEC. 303. COMPTROLLER GENERAL STUDY ON UNAUTHORIZED DISCLOSURES AND THE CLASSIFICATION SYSTEM.

(a) STUDY.—The Comptroller General of the United States shall conduct a study of the unauthorized disclosure of classified information and the classification system of the United States.

(b) MATTERS INCLUDED.—The study under subsection (a) shall address the following:

(1) Insider threat risks to the unauthorized disclosure of classified information.

(2) The effect of modern technology on the unauthorized disclosure of classified information, including with respect to—

(A) using cloud storage for classified information; and

(B) any technological means to prevent or detect such unauthorized disclosure.

(3) The effect of overclassification on the unauthorized disclosure of classified information.

(4) Any ways to improve the classification system of the United States, including with respect to changing the levels of classification used in such system.

(5) How to improve the authorized sharing of classified information, including with respect to sensitive compartmented information.

(6) The value of polygraph tests in determining who is authorized to access classified information.

(7) Whether each element of the intelligence community (as defined in section (4) of the National Security Act of 1947 (50 U.S.C. 3003(4))—

(A) applies uniform standards in determining who is authorized to access classified information; and

(B) provides proper training with respect to the handling of classified information.

(c) COOPERATION.—The heads of the intelligence community shall provide to the Comptroller General information the Comptroller General determines necessary to carry out the study under subsection (a).

(d) REPORT.—Not later than 180 days after the date of the enactment of this Act, the Comptroller General shall submit to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a report containing the study under subsection (a).

(e) FORM.—The report under subsection (d) shall be submitted in unclassified form, but may include a classified annex.

I really like the idea of doing such a report (though am not sure GAO can get it done in just 6 months, especially since I’m sure some agencies will filibuster any cooperation). And what a novelty, to finally consider whether polygraphs actually do what they’re claimed to do (rather than get people to confess to dirt that can later be used against them or leaked to China in an OPM hack).

As mentioned above, a really thorough such study should also look specifically at the Prepublication Review process, which is one of the most notorious forms of arbitrary use of classification.

It should also try to quantify how much classification does (abusively) hide mismanagement or law-breaking, especially in the FOIA process.

A truly thorough study would have to include leaks by members of Congress, up to and including the Gang of Four — but that’s never going to happen and so that means of leakage will remain untouched.

A study should also not only review recent leak prosecutions, with a particular focus on the selectivity with which they’ve been taken, but compare leak prosecutions with the efficacy of internal measures (like stripping someone of clearance), which ODNI has been using more in recent years, at least before Reality Winner.

And a study should do a macro review of the initiatives put in place since Chelsea Manning’s leaks, to review overall compliance (we know NSA and CIA had not fully complied as of last year), and to measure whether those initiatives have done any good.

Finally, for the classified version, the report should include a full measure of how much internal spying is being targeted at government employees and contractors in various CI programs, and whether those are overseen adequately (they’re absolutely not).

Will this all do any good?

As I said, I’m the one lumping these together into a package, not the bill’s authors. I did so, though, to better weigh whether this will do any good — whether we’ll move the balance on necessary discussions for democracy being weighed against genuine need to protect secrets. I think an actual assessment is worthwhile.

But ultimately, I suspect our leak problem stems, in large part, from the degree to which classification (and clearances and leak prosecutions) have all been designed to give the Executive Branch unfettered ability to run an arbitrary system of secrets that does as much to serve nexuses of power as it does to keep the country safe. Secrets, in DC, have become the coin of power, not the necessary tool to ensure a vibrant and secure democracy.

And I’m not sure this effort will do much to change that.