PJ Crowley’s Acting Replacement Can’t Differentiate Us from China on Human Rights and Transparency

Josh Gerstein provides the entirety of an exchange between former State Department spokesperson PJ Crowley’s acting replacement, Mark Toner, AP reporter Matthew Lee, and Reuters reporter Arshad Mohammed. At issue is how State can still claim to be transparent when it won’t explain why it refuses to allow the UN Special Rapporteur on Torture to have an unmonitored visit with Bradley Manning. It’s not quite Baghdad Bob … quite. But it would be pure comedy gold if it weren’t about our hypocrisy on human rights.

At first, Toner responds to criticism on Manning’s treatment by blaming DOD (as if State can’t be held responsible, in the international community, for anything DOD does).

LEE: Can you explain why, if the United States is proud of its human rights record, that the UN special rapporteur has complained that you’re not allowing him independent access to Bradley Manning?

TONER: We’ve been in contact with the UN special rapporteur. We’ve had conversations with you in terms of access to –

LEE: With me?

TONER: I’m sorry. We’ve had conversations with the special rapporteur. We’ve discussed Bradley Manning’s case with him. But in terms of visits to PFC Manning, that’s something for the Department of Defense.

LEE: And the ICRC with the same problem? You are – the State Department is the direct contact with the ICRC. At least it was for the Guantanamo inmates. Have you had any contact with them?

TONER: I’m not aware. I don’t know. I’d have to look into that. But in terms of the UN special rapporteur, we’ve had conversations with him. We have ongoing conversations with him. But in terms of access to Manning, that’s something for the Department of Defense.

Then the discussion moves into Toner’s difficulties with the meaning of the word “scrutiny.”

MOHAMMED: If you welcome scrutiny, where’s the harm?

TONER: I said we’re having conversations with him. We’re trying to work with him to meet his needs. But I don’t understand the question.

MOHAMMED: Well, you said you welcome scrutiny from outsiders of the United States human rights record –

TONER: Right. We do.

QUESTION: — that you feel that it speaks to the strength of the U.S. system. So why does it take very lengthy conversations to agree to let a UN special rapporteur have access to an inmate?


US Willing to Bomb Libya to Maintain UN Credibility, But Not Allow an “Official” Visit to Bradley Manning

By my count, the OLC memo retroactively authorizing the bombing of Libya mentions the importance of UN or UN Security Council credibility nine times, including these two extended discussions.

In prior opinions, this Office has identified a variety of national interests that, alone or in combination, may justify use of military force by the President. In 2004, for example, we found adequate legal authority for the deployment of U.S. forces to Haiti based on national interests in protecting the lives and property of Americans in the country, preserving “regional stability,” and maintaining the credibility of United Nations Security Council mandates. Memorandum for Alberto R. Gonzales, Counsel to the President, from Jack L. Goldsmith III, Assistant Attorney General, Office of Legal Counsel, Re: Deployment of United States Armed Forces to Haiti at 3-4 (Mar. 17, 2004) (“2004 Haiti Opinion”), available at http://www.justice.gov/olc/opinions.htm. In 1995, we similarly concluded that the President’s authority to deploy approximately 20,000 ground troops to Bosnia, for purposes of enforcing a peace agreement ending the civil war there, rested on national interests in completing a “pattern of inter-allied cooperation and assistance” established by prior U.S. participation in NATO air and naval support for peacekeeping efforts, “preserving peace in the region and forestalling the threat of a wider conflict,” and maintaining the credibility of the UNSC. Proposed Bosnia Deployment, 19 Op. O.L.C. at 332-33. And in 1992, we explained the President’s authority to deploy troops in Somalia in terms of national interests in providing security for American civilians and military personnel involved in UNSC-supported humanitarian relief efforts and (once again) enforcing UNSC mandates. Military Forces in Somalia, 16 Op. O.L.C. at 10-12.

[snip]

The second important national interest implicated here, which reinforces the first, is the longstanding U.S. commitment to maintaining the credibility of the United Nations Security Council and the effectiveness of its actions to promote international peace and security. Since at least the Korean War, the United States government has recognized that “‘[t]he continued existence of the United Nations as an effective international organization is a paramount United States interest.’” Military Forces in Somalia, 16 Op. O.L.C. at 11 (quoting Authority of the President to Repel the Attack in Korea, 23 Dep’t St. Bull. 173, 177 (1950)). Accordingly, although of course the President is not required to direct the use of military force simply because the UNSC has authorized it, this Office has recognized that “‘maintaining the credibility of United Nations Security Council decisions, protecting the security of United Nations and related relief efforts, and ensuring the effectiveness of United Nations peacekeeping operations can be considered a vital national interest’” on which the President may rely in determining that U.S. interests justify the use of military force. Proposed Bosnia Deployment, 19 Op. O.L.C. at 333 (quoting Military Forces in Somalia, 16 Op. O.L.C. at 11). Here, the UNSC’s credibility and effectiveness as an instrument of global peace and stability were at stake in Libya once the UNSC took action to impose a no-fly zone and ensure the safety of civilians—particularly after Qadhafi’s forces ignored the UNSC’s call for a cease fire and for the cessation of attacks on civilians. 
As President Obama noted, without military action to stop Qadhafi’s repression, “[t]he writ of the United Nations Security Council would have been shown to be little more than empty words, crippling that institution’s future credibility to uphold global peace and security.” Obama March 28, 2011 Address; see also Obama March 21, 2011 Report to Congress (“Qadhafi’s defiance of the Arab League, as well as the broader international community . . . represents a lawless challenge to the authority of the Security Council and its efforts to preserve stability in the region.”). We think the President could legitimately find that military action by the United States to assist the international coalition in giving effect to UNSC Resolution 1973 was needed to secure “a substantial national foreign policy objective.” Military Forces in Somalia, 16 Op. O.L.C. at 12. [my emphasis]

Never mind that the Administration felt no need to bomb Cote d’Ivoire to maintain the credibility of the resolutions regarding that country; the Obama Administration just bombed another country in the name of “credibility” of the UN. While the Administration’s stated concerns about credibility focus on the UNSC, they extend (according to this memo) to the UN’s effectiveness generally, the UN’s security, and its relief efforts.

That’s interesting, because the UNHCR explains that in order for its Special Rapporteur on Torture to retain credibility, he must have unmonitored access to detainees. (See the Guardian for more on this.)

“Since December 2010, I have been engaging the US Government on visiting Mr. Manning, at the invitation of his Counsel, to determine his current condition,” the human rights expert said. “Unfortunately, the US Government has not been receptive to a confidential meeting with Mr. Manning.”

The UN Special Rapporteur on Torture, as part of the methods of work for his mandate, requires unimpeded access to all places of detention, where he can hold private, confidential and unsupervised interviews with detainees. The requirement of a private, confidential and unsupervised interview is a standard practice of the Rapporteur’s mandate and ensures the credibility of any interviews that an independent expert holds with detainees or persons who allege that they have been subjected to torture and ill-treatment.

“I have since last year on several occasions raised serious concern about the conditions of detention of Mr. Manning, who since his arrest in May 2010, has been confined to his cell for twenty-three hours a day at the Marine Corps Brig, Quantico, Virginia. I have also urged the authorities to ensure his physical and mental integrity,” said Mr. Méndez.

[snip]

“Even though I have not received an official answer from the Brig Commander, Mr. Manning’s counsel has learned that the request for an official visit has been denied,” Mr. Méndez said. “Presumably, the alternative is a ‘private visit’, the difference between the two is that the latter takes place in the presence of a guard, while an official visit may be unmonitored.”

On Friday, April 8, the Special Rapporteur held a conversation with high authorities in the Departments of Defense and State. Those officials confirmed that Manning could ask to see the Special Rapporteur if he so wished and in that case the US Government would have no objection to a ‘private visit,’ meaning a visit that is monitored by prison officials.

“I am deeply disappointed and frustrated by the prevarication of the US Government with regard to my attempts to visit Mr. Manning. I understand that Pfc Manning does not wish to waive his right to an unmonitored conversation with me,” the human rights expert said. “My request for a private, confidential and unsupervised interview with Manning is not onerous: for my part, a monitored conversation would not comply with the practices that my mandate applies in every country and detention center visited. In fact, such forms of interview have been used by the Special Rapporteur in, at least, 18 countries over the last 6 years.” [my emphasis]

But the Obama Administration has given Special Rapporteur Juan Mendez the same kind of run-around they gave Dennis Kucinich, and then ultimately refused to comply with the standard practice.

Apparently, our “national interest” in the credibility of the UN extends only so far as it allows us to bomb other countries, but not so far as it might expose our own treatment of detainees to independent evaluation.

Update: Title changed to get the type of visit correct.

Democracy and Now Capitalism Are Failing Ideologically; But What Comes Next?

As I was prepping for my panel on Saturday, I was thinking a lot about PJ Crowley. Crowley is, as you’ll recall, the State Department spokesperson who was ousted after he called the treatment of Bradley Manning “ridiculous and counterproductive and stupid.” In my panel, I quoted Crowley’s comments on American support for unrestricted media. And as I was reviewing all this, I was thinking about Crowley’s almost unremarked criticism last week of the Administration’s decision to move Khalid Sheikh Mohammed’s trial to Gitmo.

The prosecution of #KhalidSheikhMohammed and others under untested military tribunals undercuts our global promotion of the rule of law.

For all my disagreements with Crowley about Manning’s incarceration (though note that Crowley is also one of the few in government who has criticized the embarrassing lack of security that made the alleged leak possible), I find his adherence to a now-outmoded approach to diplomacy charming. Almost quaint.

You see, Crowley still appears to believe that America’s claim to exceptionalism–the conceit that it serves as a model of democracy and rule of law and liberty to others around the world–not only still exists but still forms a part of our international policy. He believes that this country would choose to follow the law out of consideration that doing so will allow us to exercise power through persuasion rather than force.

Crowley’s ouster–the firing of a guy because he dared remind his bosses that America used to choose to do things the right way rather than the way of maximal power–seems symbolic that that approach is now dead.

Indeed, whether or not we’ve conceded it’s dead, others now recognize it, as Glenn Greenwald points out today. (h/t harpie)

Aside from what conduct like [his endorsement of Manning’s treatment and his persecution of whistleblowers] reveals about Obama, it also severely undermines the ability of the U.S. to exercise any shred of moral leadership in the world. Consider this series of events:

Washington Post, March 13, 2011:

Associated Press, April 4, 2011:

Reuters, yesterday:

The United States is beset by violence, racism and torture and has no authority to condemn other governments’ human rights problems, China said on Sunday, countering U.S. criticism of Beijing’s crackdown. . . . “The United States ignores its own severe human rights problems, ardently promoting its so-called ‘human rights diplomacy’, treating human rights as a political tool to vilify other countries and to advance its own strategic interests,” said a passage from the Chinese report.

China also “accused the U.S. . . . of pushing for Internet freedom around the world as a way to undermine other nations, while noting that Washington’s campaign against secret-spilling website WikiLeaks showed its own sensitivity to the free flow of information,” and further “lambasted the U.S. over issues ranging from homelessness and violent crime to the influence of money on politics and the negative effects of its foreign policy on civilians.” China’s human rights record is atrocious, but can anyone contest the validity of its objections to the U.S. and the Obama administration’s purporting to act as human rights arbiters for the world?

Now, all that simply shows that our ideological claim to serve as a model of law and liberty is dead.

But this–this is an ideological collapse America may have a much more difficult time dealing with, because it’s an ideological failure internally.

FAITH in the free market is at a low in the world’s biggest free-market economy. In 2010, 59% of Americans asked by GlobeScan, a polling firm, agreed “strongly” or “somewhat” that the free market was the best system for the world’s future. This has fallen sharply from 80% when the question was first asked in 2002. And among poorer Americans under $20,000, faith in capitalism fell from 76% to 44% in just one year. [my emphasis]

Now, granted, capitalism still commands majority support in this country; it’s just among the people paying the price of capitalism’s failure where support has really tanked. (Update: In this Gallup poll from a few weeks ago, 67% of those polled said corporations and banksters have too much power.)

But consider this: by a count of 67% to 59%, more people in China believe in the power of free markets right now than in the US. The communists like capitalism better than the capitalists themselves! (Maybe that’s because they’ve taken the jobs of the poorer Americans who lost theirs to globalization).

I wrote a fair bit about the collapse of capitalism as an ideology, internationally, back in January.

A corollary to the question, “after such a catastrophic failure in 2008, why aren’t we reining in capitalism and expanding the safety net?” is “why isn’t anyone declaring victory over capitalism in the same way capitalism once declared victory over communism?”

But who would declare victory? (Some humor: “Hu would declare victory.”)

[snip]

But I also think something else is going on with ideology as it existed during the Cold War. With the failure of both communism and (thus far, in more limited fashion) capitalism, it becomes increasingly clear that ideology doesn’t make for successful countries, governance does. Whether or not capitalism will experience a resurgence, our country has become corrupt and ineffective enough that it’s not clear we’d go with it. Moreover, the bogeyman that has replaced the Evil Empire–terrorism–is as much about an increasingly viable challenge to the nation-state, at a time when a rising number of failed states offer a geographic beachhead for such challenges. One of the most important ways to combat “terrorism” is to prevent militarization and climate issues to create more failed states. And that means there will be less emphasis on ideology as it worked in the Cold War and a greater premium on governance.

Which is important because failing capitalism is having real repercussions on things like food supply. Which, as we saw in Tunisia and may well see across the globe, cuts through any debate about ideology quickly. When it comes to the point where governments can’t feed their people, then they begin to fear the popular classes again, even if they’ve managed to insulate themselves from that for decades.

Which brings us full circle, I think. DeBoer suggests we need greater ideological diversity in the blogosphere, and he’s right. But what we need just as badly is some way to articulate and mobilize the needs of the working class before our failure to govern (which the narrowness of our discourse fosters) ends up in food riots.

With the end of the Cold War, the US has had the luxury, for now, of completely ignoring the ideological left because the threats to the country–as the governing class sees them–have everything to do with the market and nothing to do with workers. But ultimately, the combination of failed governance and the market will lead right back to the workers.

But capitalism as an ideology internationally works differently than it does domestically. Internationally, it provides ideological cover for policies that concentrate wealth and create instability. As uprisings in North Africa and the Middle East show, ultimately reality will intrude and make such policies harder to sustain.

But free market ideology in the US has allowed far more than just anti-worker policies. In the same way our exploitation of democracy as an ideology internationally allowed us to rule through persuasion, working class belief in capitalism paved the way for corporations to take over our government without a fight.

That said, it’s unclear where this goes. Where ideology fails, force usually takes its place.

But it does seem like an opportunity. Now if only the left were prepared with a viable “something else” to offer.

Obama’s Would-Be “Rule of Law” Counselor Calls Bradley Manning’s Treatment Unconstitutional

In Charlie Savage’s story from last year on the sidelining of Laurence Tribe as head of an “Access to Justice” program at DOJ, he reported that Tribe originally believed he would serve as counselor for “rule of law” issues in Obama’s Administration.

There was also concern over how his presence might play out internally, several administration officials said. Some officials feared that he might be unmanageable, intruding into all manner of policy areas and able to call on Mr. Obama as a trump card.

“He has an ego,” said Charles Fried, a former solicitor general in the Reagan administration and a fellow Harvard law professor. “He’s entitled to it. He’s earned it.”

Several friends and administration officials said Mr. Tribe had initially sought and believed he would be given a far broader title and assignment: counselor for “rule of law” issues, which would have come with a mandate to help shape matters of national security and foreign policy. That did not happen, but Mr. Tribe came to Washington anyway.

After less than a year in that position, Tribe left last December, citing medical issues.

Now, the guy Obama sidelined to make sure he didn’t impose too much rule of law on his Administration has strongly criticized Bradley Manning’s treatment, not only signing a letter condemning Manning’s treatment, but elaborating on why that treatment was unconstitutional.

[Tribe] told the Guardian he signed the letter because Manning appeared to have been treated in a way that “is not only shameful but unconstitutional” as he awaits court martial in Quantico marine base in Virginia.

The US soldier has been held in the military brig since last July, charged with multiple counts relating to the leaking of thousands of embassy cables and other secret documents to the WikiLeaks website.

Under the terms of his detention, he is kept in solitary confinement for 23 hours a day, checked every five minutes under a so-called “prevention of injury order” and stripped naked at night apart from a smock.

Tribe said the treatment was objectionable “in the way it violates his person and his liberty without due process of law and in the way it administers cruel and unusual punishment of a sort that cannot be constitutionally inflicted even upon someone convicted of terrible offences, not to mention someone merely accused of such offences”.

A pity. Back when Tribe was celebrating candidate Obama, he called him the best student he ever taught at Harvard Law and promised he would defend civil liberties and would not appoint justices who put executive power above rule of law.

Tribe said Americans’ civil liberties are hanging by a thread. “But it’s better to have a thread than to have the thread cut,” he said. “A Republican president would be in a position to cut that thread.”

[snip]

Tribe said that if Obama were to be elected, he would appoint justices “who share his view that the Constitution is a living document that has to be interpreted in light of evolving values of decency.”

“They would not be justices who fool themselves into thinking they know what the Constitution’s original meaning was, and they can apply it as if nothing has happened in the last 200 years,” Tribe said. “They would be justices who have a serious record of support for human rights and constitutional values, rather than justices who simply have shown their loyalty to executive power.”

[snip]

On a more personal note, Tribe called Obama the “best student I ever had” and the “most exciting research assistant.”

As to Justices Obama would appoint, Tribe has proven himself badly wrong about who would and would not make a good Justice.

But it appears that his belief that Obama would support the rule of law was a far greater misjudgment.

Intelligence Community Will Close Gaping Hole that Allegedly Led to WikiLeaks Disclosure … in 2013

I did a long post yesterday describing how embarrassingly, pathetically bad DOD’s information security was and remains 3 years after a malware attack and a full year after the alleged WikiLeaks leak. Along with DOD’s gaping security problems, I noted that some entities in the intelligence community are still in the process of implementing user authentication which would have exposed someone taking entire databases off of their networks.

While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC are also still implementing the kind of authentication most medium-sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

Just in case the intelligence community can’t get around to providing this fairly common security on our intelligence community networks by their planned timeframe of the first quarter of FY 2012 (which would mean the last quarter of calendar year 2011), the Senate Intelligence Committee is requiring the IC to have a fully operational ability to audit online access by October 2013.

Section 402 requires the Director of National Intelligence, not later than October 1, 2012, to establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information. Section 402 requires that the program be at full operating capability by October 1, 2013.

Not later than December 1, 2011, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the resources required to implement the program and any other issues the Director considers appropriate to include in the report.

In other words, if closing this security gap a year and a half after the leaks are alleged to have occurred is too tough, then they can go ahead and take another year or so to close the barn door.

Though to be fair, this deadline may come directly from the lackadaisical DOD, as the deadlines given here seem to match those DOD aspires to hit.

Now, maybe it’s considered unpatriotic to note that our intelligence community–and its congressional overseers–are tolerating pretty shoddy levels of security all while insisting that they take leaks seriously.

But seriously: if our government is going to claim that leaks are as urgent as it does, if it’s going to continue to pretend that secrets are, you know, really secret, then it really ought to at least pretend to show urgency on responding to the gaping technical issues that will not only protect against leakers, but also provide better cybersecurity and protect against spies. Aspiring to fix those issues years after the fact really doesn’t cut it.

One Year After Collateral Murder Release, DOD’s Networks Are Still Glaring Security Problem

As I have posted several times, the response to WikiLeaks has ignored one entity that bears some responsibility for the leaks: DOD’s IT.

Back in 2008, someone introduced malware to DOD’s computer systems. In response, DOD announced it would no longer allow the use of removable media in DOD networks. Yet that is precisely how Bradley Manning is reported to have gotten the databases allegedly leaked. In other words, had DOD had very basic security measures in place they had already been warned they needed, it would have been a lot harder for anyone to access and leak these documents.

Often, when I have raised this issue, people are simply incredulous that DOD’s classified network would be accessible to removable media (and would have remained so two years after malware was introduced via such means). But it’s even worse than that.

A little-noticed Senate Homeland Security hearing last month (Steven Aftergood is one of the few people who noticed) provided more details about the status of DOD’s networks when the leaks took place and what DOD and the rest of government have done since. The short version is this: for over two months after DOD arrested Bradley Manning for allegedly leaking a bunch of material by downloading information onto a Lady Gaga CD, DOD and the State Department did nothing. In August, only after WikiLeaks published the Afghan War Logs, they started to assess what had gone wrong. And their description of what went wrong reveals not only how exposed DOD was, but how exposed it remains.

Two months to respond

Bradley Manning was arrested on or before May 29. Yet in spite of claims he is alleged to have made in chat logs about downloading three major databases, neither DOD nor State started responding to the leak until after the Afghan War Logs were published on July 25, 2010.

The joint testimony of DOD’s Chief Information Officer Teresa Takai and Principal Deputy Under Secretary for Intelligence Thomas Ferguson explains,

On August 12, 2010, immediately following the first release of documents, the Secretary of Defense commissioned two internal DoD studies. The first study, led by the Under Secretary of Defense for Intelligence (USD(I)), directed a review of DoD information security policy. The second study, led by the Joint Staff, focused on procedures for handling classified information in forward deployed areas.

In other words, “immediately” (as in, more than two weeks) after the publication of material that, as chat logs published two months earlier had clearly explained, Manning had allegedly downloaded via Lady Gaga CD months before, DOD commissioned two studies.

As State Department Under Secretary of Management Patrick Kennedy explained, their response was no quicker.

When DoD material was leaked in July 2010, we worked with DoD to identify any alleged State Department material that was in WikiLeaks’ possession.

It wasn’t until November–at around the time when NYT was telling State precisely what they were going to publish–that State started responding in earnest. At that time–over four months after chat logs showed Manning claiming to have downloaded 250,000 State cables–State moved its Net Centric Diplomacy database from SIPRNet (that is, the classified network) to JWICS (the Top Secret network).

DOD’s exposed IT networks

Now, frankly, State deserves almost none of the blame here. Kennedy’s testimony made it clear that, while the WikiLeaks leak has led State to enhance their limits on the use of removable media access, they have systems in place to track precisely who is accessing data where.

DOD won’t have that across their system for another year, at least.

There are three big problems with DOD’s information security. First, as the Takai/Ferguson testimony summarized,

Forward deployed units maintained an over-reliance on removable electronic storage media.

It explains further that to make sure people in the field can share information with coalition partners, they have to keep a certain number of computers accessible to removable media.

The most expedient remedy for the vulnerability that led to the WikiLeaks disclosure was to prevent the ability to remove large amounts of data from the classified network. This recommendation, forwarded in both the USD(I) and Joint Staff assessments, considered the operational impact of severely limiting users’ ability to move data from SIPRNet to other networks (such as coalition networks) or to weapons platforms. The impact was determined to be acceptable if a small number of computers retained the ability to write to removable media for operational reasons and under strict controls.

As they did in 2008 after malware was introduced via thumb drive, DOD has promised to shut off access to removable media (note, Ferguson testified thumb drives, but not CDs, have been shut down for “some time”). But 12% of the computers on SIPRNet will still be accessible to removable media, though DOD is in the process of implementing real-time Host Based Security System tracking of authorized and unauthorized attempts to save information on removable media for those computers.

In response to a very frustrated question from Senator Collins, Ferguson explained that DOD started implementing a Host Based Security System in 2008 (the year DOD got infected with malware). But at the time of the leak, just 40% of the systems in the continental US had that system in place, and it had not been implemented outside of the US at all. It wasn’t implemented overseas, he explained, because a lot of the systems in the field “are cobbled together.”

In any case, HBSS software will be in place by June. (Tech folks: Does this mean those computers are still vulnerable to malware introduced by removable media? What about unauthorized software uploads?)

Then there’s data access control. DOD says it can’t (won’t) password protect access to information because managing passwords to control the access of 500,000 people is too onerous for an agency with a budget larger than Australia’s gross national product. Frankly, that may well be a fair approach given the importance of sharing information.

But what is astounding is that DOD is only now implementing public key infrastructure that will, first of all, make it possible to track what people access and–some time after DOD collects that data–to start fine tuning what they can access.

DoD has begun to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card. This is very similar to the Common Access Card (CAC) we use on our unclassified network. We will complete issuing 500,000 cards to our SIPRNet users, along with card readers and software, by the end of 2012. This will provide very strong identification of the person accessing the network and requesting data. It will both deter bad behavior and require absolute identification of who is accessing data and managing that access.

In conjunction with this, all DoD organizations will configure their SIPRNet-based systems to use the PKI credentials to strongly authenticate end-users who are accessing information in the system. This provides the link between end users and the specific data they can access – not just network access. This should, based on our experience on the unclassified networks, be straightforward.

DoD’s goal is that by 2013, following completion of credential issuance, all SIPRNet users will log into their local computers with their SIPRNet PKI/smart card credential. This will mirror what we already do on the unclassified networks with CACs.

[Takai defines what they’re doing somewhat just before 88:00]

Note what this says: DOD is only now beginning to issue the kind of user-based access keys to protect its classified network that medium-sized private companies use. And unless I’m misunderstanding this, it means DOD is only now upgrading the security on its classified system to match what already exists on its unclassified system.

Let’s hope nothing happens between now and that day in 2013 when all this is done.

And this particular problem appears to exist beyond DOD. While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC are also still implementing the kind of authentication most medium-sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

So that’s the issue of removable media and individualized access tracking.

Which leaves one more big security hole. According to Takai/Ferguson, DOD didn’t–still didn’t, as of mid-March–have the resources in place to detect anomalous behavior on its networks.

Limited capability currently exists to detect and monitor anomalous behavior on classified computer networks.

This confirms something Manning said in chat logs: no one is following the activity occurring on our networks in Iraq (or anywhere else on SIPRNet, from the sounds of things), and flagging activities that might be an intrusion.

The part of the Takai/Ferguson testimony that details very hazy plans to think about maybe implementing such a system (pages 6-7) is worth a gander just for the number of acronyms of titles of people who are considering maybe what to implement some time in the future. It’s all a bunch of bureaucratic camouflage, IMO, to avoid saying clearly, “we haven’t got it and we haven’t yet figured out how we’re going to get it.” But here are the two most concrete descriptions of what the Department of Defense plans to do to make sure no one is fiddling in their classified networks. First, once they get HBSS completely installed, then they will install an NSA audit program on top of that.

One very promising capability is the Audit Extraction Module (AEM) developed by the National Security Agency (NSA). This software leverages already existing audit capabilities and reports to the network operators on selected audit events that indicate questionable behavior. A great advantage is that it can be integrated into the HBSS we have already installed on the network, and so deployment should be relatively inexpensive and timely. AEM is being integrated into HBSS now and will be operationally piloted this summer.

But in the very next paragraph, Takai/Ferguson admit there are better solutions out there. But DOD (again, with its budget larger than the GNP of most medium sized countries) can’t implement those options.

Commercial counterintelligence and law enforcement tools – mostly used by the intelligence community – are also being examined and will be a part of the overall DoD insider threat program. These tools provide much more capability than the AEM. However, while currently in use in some agencies, they are expensive to deploy and sustain even when used in small, homogeneous networks. Widespread deployment in DoD will be a challenge.

In other words, DOD wants to be the biggest part of the intelligence community. But it and its budget bigger than Brazil’s GNP won’t implement the kind of solutions the rest of the intelligence community uses.

Department. Of. Defense.

Now, let me be clear: DOD’s embarrassingly bad information security does not, in any way, excuse Bradley Manning or the other “bad apples” we don’t know about from their oath to protect this information. (Note, there was also testimony that showed DOD’s policies on information sharing were not uniformly accessible, but that’s minor compared to these big vulnerabilities.)

But in a world with even minimal accountability, we’d be talking about fixing this yesterday, not in 2013 (five years, after all, after the malware intrusion). We’d have fired the people who let this vulnerability remain after the malware intrusion. We’d aspire to the best kind of security, rather than declaring helplessness because our very expensive DOD systems were kluged together. And we’d be grateful, to a degree, that this was exposed with as little reported damage as it has caused.

If this information is really classified for good reason, as all the hand-wringers claim, then we ought to be using at least the kind of information security implemented by the private sector a decade ago. But we’re not. And we don’t plan on doing so anytime in the near future.

DOD Considers Illegal Data Mining Part of Capital Crime

I’ve written two posts on the software that Bradley Manning is alleged to have loaded onto SIPRNet (here, here). Wired has now gotten a little more detail about what the software was: DOD says it was some kind of data mining software, though they won’t say of what kind. Wired goes on to suggest that presence of the software may make it easier for DOD to prove intent with Manning (though I rather suspect the idea is to prove collaboration with WikiLeaks personnel; furthermore, Wired’s tie of the data mining software to Manning’s alleged illegal access of the State cables has one problem–that he probably couldn’t access such things after he got demoted).

But the entire time I read the following passages, I couldn’t help but think of the illegal data mining DOD’s component, NSA, conducted on American citizens in 2004 even after Congress had specifically defunded such activities.

Accused WikiLeaks source Pfc. Bradley Manning installed and used unauthorized “data-mining software” on his SIPRnet workstation during the time he allegedly siphoned hundreds of thousands of documents off that classified network, the Army said Friday in response to inquiries from Threat Level.

Manning’s use of unauthorized software was the basis of two allegations filed against him this year in his pending court martial, but the charge sheet listing those allegations was silent on the nature of that software.

On Friday, an Army spokeswoman clarified the charges. “The allegations … refer to data-mining software,” spokeswoman Shaunteh Kelly wrote in an e-mail. “Identifying at this point the specific software program used may potentially compromise the ongoing criminal investigation.”

[snip]

If Manning installed data-mining software on his SIPRnet workstation, that could potentially strengthen the government’s case against the alleged leaker.

After all, Wired at least suggests data mining is proof of guilt. Yet the agency that may be crafting such arguments not only violated privacy laws for years, but continued to data mine Americans for months after Congress had specifically prohibited funding from being used for such things. And DOD now wants to prosecute the person it alleges engaged in such illegal data mining with a capital crime.

Maybe the whole thing would be more credible if our government hadn’t become such a criminal itself?

PJ Crowley Explains Why Manning’s Treatment Is Ridiculous, Counterproductive, and Stupid

PJ Crowley has a very important Guardian piece on why he said the treatment of Bradley Manning was ridiculous, counterproductive, and stupid. After explaining that Manning, if convicted, “should spend a long, long time in prison,” and then claiming that the overall narrative of the State Department cables shows a story of “rightdoing,” he describes how Manning’s treatment undermines our own strategic narrative.

But I understood why the question was asked. Private Manning’s family, joined by a number of human rights organisations, has questioned the extremely restrictive conditions he has experienced at the brig at Marine Corps base Quantico, Virginia. I focused on the fact that he was forced to sleep naked, which led to a circumstance where he stood naked for morning call.

Based on 30 years of government experience, if you have to explain why a guy is standing naked in the middle of a jail cell, you have a policy in need of urgent review. The Pentagon was quick to point out that no women were present when he did so, which is completely beside the point.

Our strategic narrative connects our policies to our interests, values and aspirations. While what we do, day in and day out, is broadly consistent with the universal principles we espouse, individual actions can become disconnected. Every once in a while, even a top-notch symphony strikes a discordant note. So it is in this instance.

The Pentagon has said that it is playing the Manning case by the book. The book tells us what actions we can take, but not always what we should do. Actions can be legal and still not smart. With the Manning case unfolding in a fishbowl-like environment, going strictly by the book is not good enough. Private Manning’s overly restrictive and even petty treatment undermines what is otherwise a strong legal and ethical position.

When the United States leads by example, we are not trying to win a popularity contest. Rather, we are pursuing our long-term strategic interest. The United States cannot expect others to meet international standards if we are seen as falling short.

Frontline Ignores Most Embarrassing “Cause” of WikiLeaks Leak

Greg Mitchell has a preview of the Frontline piece on Bradley Manning today. He points out the big “scoop” of the story: that Manning’s stepmother called the cops in 2006 after Bradley pulled out a knife during a family fight (but then immediately asked if his dad was okay).

The entire story seems to look to Manning’s psychology to explain his alleged leak of classified information.

Frontline says it will continue its report in May in a one-hour program which will, again, focus on Manning’s personal life and how this “led” to his alleged leak; and his new outbursts, this time in the Army (all reported elsewhere)–and how the Army still gave him access to top-secret documents.

[snip]

The overall tone of tonight’s report is sure to spark debate. Consider that MilitaryTimes opens its report today with this: “Could the global turmoil sparked by Wikileaks have started with a son’s anger for his father?” NPR’s report is headlined: “Home Life Included a 911 Call.”

Such spin, in the absence of a larger examination of what “led to” the alleged leak, is irresponsible.

If Manning is found to have leaked the cables, he deserves the bulk of responsibility for the leak (though, as Mitchell points out, to explain it, it’d be well to look at his political views and, I’d add, the disclosure requirements for crimes like support for torture exposed in WikiLeaks as well).

But one entity that has thus far avoided all responsibility for the leak is the folks in charge of DOD’s IT. As I have pointed out, DOD’s network security was embarrassingly bad–worse than your average mid-sized corporation. But to make their negligent security even worse, they had already suffered a damaging compromise of their systems when, in 2008, malware was introduced into their system via removable media, the same means by which Manning is alleged to have downloaded the WikiLeaks cables.


Richard Clarke: The Chamber Broke the Law

I’m really deep in the weeds on the Jack Goldsmith memo right now (I should have a weedy post up later).

But in case you’re bored w/bmaz’s rant about the assault on Miranda rights, I thought I’d point to this TP post describing Richard Clarke suggesting that the Chamber of Commerce (funded by foreign sources, he notes) may have broken the law in targeting Chamber opponents.

Clarke denounced the scandal in no uncertain terms. Noting accurately that the Chamber “took foreign money in the last election,” a story also uncovered by ThinkProgress, Clarke said the Chamber had conspired to commit a “felony”:

FANG: Hi. You talked a lot about classifying and recognizing cyber security threats, but you mostly focused on foreign threats. I’m curious about a story that broke last month, that the US Chamber of Commerce, the world’s largest trade association, based here in DC, had contracted or attempted to contract military defense firms like HB Gary Federal, Palantir, and Berico, to develop proposals to use the same type of cyber warfare tactics normally reserved for Jihadi websites against left-wing activists, trade — labor unions, and left of center think tanks here in America. What do you think about that type of threat from a lobbyist or a corporation targeting political enemies, or perceived enemies here in the US?

CLARKE: I think it’s a violation of 10USC. I think it’s a felony, and I think they should go to jail. You call them a large trade association, I call them a large political action group that took foreign money in the last election. But be that as it may, if you in the United States, if any American citizen anywhere in the world, because this is an extraterritorial law, so don’t think you can go to Bermuda and do it, if any American citizen anywhere in the world engages in unauthorized penetration, or identity theft, accessing a number through identity theft purposes, that’s a felony and if the Chamber of Commerce wants to try that, that’s fine with me because the FBI will be on their doorstep in a matter of hours.

Now if only we had Feds anymore that would consider busting big business…