What Obama’s Presidential Policy Directive on Cyberwar Says about NSA’s Relationship with Corporations

The Guardian has had three big scoops this week: revealing that Section 215 has, indeed, been used for dragnet collection of US person data, describing PRISM, a means of accessing provider data in real-time that was authorized by the FISA Amendments Act, and publishing Obama’s Presidential Directive on offensive cyberwar.

The latter revelation has received a lot less coverage than the first two, perhaps because it doesn’t affect most people directly (until our rivals retaliate). “Of course Obama would have a list of cybertargets to hit,” I heard from a number of people, with disinterest.

But I thought several passages from Obama’s PPD-20 are of particular interest for the discussion on the other two scoops — particularly what degree of access PRISM has to corporate networks real-time data. First, consider the way definitions of several key terms  pivot on whether or not network owners know about a particular cyber action.

Network Defense: Programs, activities, and the use of tools necessary to facilitate them (including those governed by NSPD-54/HSPD-23 and NSD-42) conducted on a computer network, or information or communications system by the owner or with the consent of the owner and, as appropriate, the users for the primary purpose of protecting (1) that computer, network, or system; (2) data stored on, processed on, or transiting that computer, network, or system; or (3) physical and virtual infrastructure controlled by that computer, network, or system. Network defense does not involve or require accessing or conducting activities on computers, networks, or information or communications systems without authorization from the owners or exceeding access authorized by the owners. (u)

[snip]

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence — including from information that can be used for future operations — from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of the computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. (C/NF)

Defensive Cyber Effects Operations (DCEO): Operations and related programs or activities — other than network defense or cyber collection — conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace. (C/NF)

Nonintrusive Defensive Countermeasures (NDCM): The subset of DCEO that does not require accessing computers, information or communications systems, or networks without authorization from the owners or operators of the targeted computers, information or communications systems, or networks exceeding authorized access and only creates the minimum cyber effects needed to mitigate the threat activity. (C/NF)

So you’ve got:

  • Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this like anti-virus software on steroids.
  • Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
  • Nonintrusive Defensive Countermeausres, which is more active defensive attacks, but ones that can or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
  • Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) they can be targeted in the US.

In other words, this schema (there are a few more categories, including strictly offensive attacks) seems to be about ensuring there is additional review for defensive attacks (but not strictly data collection) intended to use non-consensual network access.

As I suggested, these attacks based on nonconsensual access is all supposed to be primarily focused externally, unless the President approves.

The United States Government shall conduct neither DCEO nor OCEO that are intended or likely to produce cyber effects within the United States unless approved by the President. A department or agency, however, with appropriate authority may conduct a particular case of DCEO that is intended or likely to produce cyber effects within the United States if it qualifies as an Emergency Cyber Action as set forth in this directive and otherwise complies with applicable laws and policies, including Presidential orders and directives. (C/NF)

Of course, a lot of the networks or software outside of the US are still owned by US corporations (and the implication seems to be that these categories remain even if they’re not). Consider, for example, how central Microsoft exploits have been to US offensive attacks on Iran. How much notice has MS gotten that we planned to use the insecurity of their software?

Nevertheless, a big chunk of this PPD — the part that has received endless discussion publicly — pertains to that network defense, getting corporations to either defend their own networks properly or agree to let the government do it for them. (Does the USG bill for that, I wonder?)

Which partly explains the language in the PPD on partnerships with industry, treated as akin to partnerships with states or cities.

The United States Government shall seek partnerships with industry, other levels of government as appropriate, and other nations and organizations to promote cooperative defensive capabilities, including, as appropriate, through the use of DCEO as governed by the provisions in this directive; and

Partnerships with industry and other levels of government for the protection of critical infrastructure shall be coordinated with the Department of Homeland Security (DHS), working with the relevant sector-specific agencies and, as appropriate, the Department of Commerce (DOC). (S/NF)

[snip]

The United States Government shall work with private industry — through DHS, DOC, and relevant sector-specific agencies — to protect critical infrastructure in a manner that minimizes the need for DCEO against malicious cyber activity; however, the United States Government shall retain DCEO, including anticipatory action taken against imminent threats, as governed by the provisions in this directive, as an option to protect such infrastructure. (S/NF)

The United States Government shall — in coordination, as appropriate, with DHS, law enforcement, and other relevant departments and agencies, to include sector-specific agencies — obtain the consent of network or computer owners for United States Government use of DCEO to protect against malicious cyber activity on their behalf, unless the activity implicates the United States’ inherent right of self-defense as recognized in international law or the policy review processes established in this directive and appropriate legal reviews determine that such consent is not required. (S/NF)

One thing I’m most curious about this PPD is the treatment of the Department of Commerce. Why is DOC treated differently than sector-specific agencies? Do they have some kind of unseen leverage — a carrot or a stick — to entice cooperation that we don’t know about?

Aside from that, though, there are two possibilities (which probably amounts to just one) when the government will go in and defend a company’s networks without their consent.

Imminent threat, inherent right to self-defense.

Ultimately, this seems to suggest that the government will negotiate access, but if it deems your networks sufficiently important (Too Big To Hack) and you’re not doing the job, it’ll come in and do it without telling you.

And of course, nothing in this PPD explicitly limits cyber collection — that is, the non-consensual access of networks to collect information. I will wait to assume that suggests what it seems to, but it does at least seem a giant hole permitting the government to access networks so long as it only takes intelligence about the network.

Which brings us to these two categories included among the policy criteria.

Transparency: The need for consent or notification of network or computer owners or host countries, the potential for impact on U.S. persons and U.S. private sector networks, and the need for any public or private communications strategies after an operation; and

Authorities and Civil Liberties: The available authorities and procedures and the potential for cyber effects inside the United States or against U.S. persons. (S/NF)

Neither is terrifically well-developed. Indeed, it doesn’t seem to consider civil liberties, as such, at all. Which may be why the Most Transparent Administration Evah™ considers transparency to consist of:

  • Informing corporations that own networks
  • Accounting for the impact on US persons (but not informing them, apparently, though Network Defense allows users to be informed “as appropriate”)
  • Prepping propaganda for use after an operation

The entire PPD lays out potential relationships with corporations as negotiated, potentially leveraged, but coerced if need be. But at least corporations are assumed be entitled to some “transparency.”

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

20 replies
  1. cregan says:

    This entire string of disclosures brings to mind Eric Holder’s statement a few days ago regarding reporters. To the effect:

    “We will never prosecute a reporter for doing their job.”

    Whose idea of their “job?” Did he mean “for doing what the DOJ considers to be their job?” Or, what the reporter considers to be their job?

    These spying techniques could be protective or monstrous depending on whose viewpoint determines what the rules mean. One reason they shouldn’t exist to begin.

  2. newz4all says:

    Glenn & The Guardian dropped a 4th Bombshell / Revelation in 4 days today saturday 8 june 2013

    Boundless Informant: the NSA’s secret tool to track global surveillance data

    Revealed: The NSA’s powerful tool for cataloguing data – including figures on US collection

    http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining

    Boundless Informant NSA data-mining tool – four key slides

    The top-secret Boundless Informant tool details and maps by country the voluminous amount of information it collects from computer and telephone networks

    http://www.guardian.co.uk/world/interactive/2013/jun/08/nsa-boundless-informant-data-mining-slides

    Boundless Informant: NSA explainer – full document text

    View the three-page explanation document, which showed the NSA collected almost 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March

    http://www.guardian.co.uk/world/interactive/2013/jun/08/boundless-informant-nsa-full-text

  3. ess emm says:

    The first thing I noticed about the doc is it doesnt mention Congress or oversight committees once.

  4. Clark Hilldale says:

    [P]articularly what degree of access PRISM has to corporate networks real-time data. First, consider the way definitions of several key terms pivot on whether or not network owners know about a particular cyber action

    A month and a half ago, WaPo reported that legislation was being drafted to remedy a somewhat similar problem:

    A government task force is preparing legislation that would pressure companies such as Face­book and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

    Driven by FBI concerns that it is unable to tap the Internet communications of terrorists and other criminals, the task force’s proposal would penalize companies that failed to heed wiretap orders — court authorizations for the government to intercept suspects’ communications.

    [snip]

    “The importance to us is pretty clear,” Andrew Weissmann, the FBI’s general counsel, said last month at an American Bar Association discussion on legal challenges posed by new technologies. “We don’t have the ability to go to court and say, ‘We need a court order to effectuate the intercept.’ Other countries have that. Most people assume that’s what you’re getting when you go to a court.”

    There is currently no way to wiretap some of these communications methods easily, and companies effectively have been able to avoid complying with court orders. While the companies argue that they have no means to facilitate the wiretap, the government, in turn, has no desire to enter into what could be a drawn-out contempt proceeding.

    I am very aware of the difference between law enforcement and intelligence requirements vis-a-vis use of evidence versus intelligence product, but the absurdity of the situation being described here in light of what we know now is pretty striking.

  5. scribe says:

    Any wonders still remaining why Obama has pegged Penny Pritizker to be the next commerce secretary?

    There are a lot of tools, blunt and otherwise, resident in the Department of Commerce, which are obscure at best to the outsider but well known to corporate attorneys and executives.

  6. john francis lee says:

    The NSA tool seems pretty rudimentary. The payoff is the marriage of Google’s search and transformation techniques with NSA data. That’s what CISP and son of CISPA are all about.

    A few weeks ago wsws.org had an article on the FBI’s request for what can now be identified as PRISM. Don’t know if the FBI was just a day late and a dollar short or whether theirs was an after-the-fact ‘legalizing‘ move on an already standard practice.

    I’d bet the latter … and bet the same goes for CISPA.

  7. cregan says:

    Another thing, Obama said Friday, “Congressional oversight” about 6 times.

    Does he mean “that body we stall handing over documents to, and parse words in front of their committees?”

    The same one that all Presidents try as hard as hell not to tell anything?

    That sounds like some effective oversight that we can depend on to get to the bottom of things–about 3 years after the fact.

  8. Garrett says:

    At this amount of leaking, if I was the government trying to track the leaker down, I’d first suspect whichever prominent high-level wide-access NSAer it was, that had recently disappeared and taken off for a foreign country.

    We’ll see what tomorrow brings.

    The “it is too direct server access slide” suggests more could be coming. There is a reserve of material. And the reserve of material can be used as debating points.

  9. greengiant says:

    While paranoid hallucination conspiracy theory suggests Greenwald is being set up, another thought occurs.
    There is actually at least one person who works/worked for the government that has enough integrity to reveal what FUBAR FBI/NSA defense contractor subsidization programs have been doing as opposed to lack of prosecutions for the financial crisis, the ongoing destruction of the US by TBTF banks, thieving brokerages like MF Global and hedge funds, the use of White House and FBI collaboration teams with local governments to violently maim occupy demonstrators topped off by pepper mouth spray from canisters.
    All the lack of justice and active state sponsored terrorism brought to us by every administration since before Reagan and his AG Meese.
    While NSA whistleblowers Binney etc have already talked about programs prior to 2006, still no connecting the dots to evil doing in high places.
    By the way wiki says Binney estimated 20 trillion intercepts todate, which is a tad higher rate than the 3 billion in US in May per the Boundless heat map discussed in the guardian today.

  10. orionATL says:

    “Globally networked risks and how to respond” (nature 497,1-152 2 may 2013, p.51ff, dirk helbing)

    The article is abstract, but notes a number of critical human systems capable of disruption.

    Suppose we assume that telecommunications (phone/fax, internet) are one such at risk “anthropogenic” network.

    What happens to this network when the american government threatens to attack users of it who challenge american “interests”

    And

    Other powerful nations move to protect themselves from potential american depridations by attacking american “interests”.

    Is able to play tit-for-tat not virtually the functional definition of an unstable system?

    how wise is it for american and chinese leaders to play tit-for-tat?

    How wise would it be for such leaders rather to design a stable worldwide communications system not manipulatable or destabalizable by the actions of governments, non-gov organizations, or individuals?

  11. lefty665 says:

    Good post EW, this may help get our heads up out of the domestic, insular, small bore, violation of privacy we’ve been rolling in for the last several days. The presidential directive is a profound window into the world of cyber warfare. It provides context for the meetings with Xi Jinping. No Al Kaida twerps need apply.

    To belabor the obvious, this is state level cyber. The mostly anti-terrorism collection disclosures we’ve been obsessed with over the last several days are trivial in comparison. The mix of public and private, consensual and unwitting, foreign and domestic, security and intelligence in the directive are as broad as it gets.

    It’s been clear the Chinese have been tremendously successful at exploiting our, and others, naivety, arrogance, sloth or contempt for cyber security. Some of the hacks have apparently been for competitive business advantage, but much has explicitly been military.

    We have had everything from defense contractors leaving unsecured wifi available in the parking lot to public utilities leaving power plant control unprotected to contractor hacks gone undetected for years to DoD people compromising secure networks with infected thumb drives, to who the hell knows what other moronic breaches we have not heard about. That’s just domestically, wonder what has happened in the rest of the world? Unlikely as it seems, surely some folks elsewhere are as dumb, fat or lazy as we are.

    The remedies include working with organizations and nations as well as declaring some folks too fucking dumb or unwilling to learn or care. With them, just going in and fixing things to keep idiots, and the rest of us, secure is the only solution.

    The web has removed geography as a barrier to attack, and at the fiber optic speed of light, exploitation is only seconds away. This directive gives us a glimpse into the world of the future we’ve blindly stumbled into. Remember Moore’s law, every three years all electronics are obsolete. We are coming up on 4 generations since 9/11. We ain’t in Kansas anymore.

    None of this discounts the privacy issues and threats to democracy we have been embroiled in. “Trust us” does not fly. However, the directive addresses different issues, a different scope and scale.

    While material portions of what they’ve done domestically are clearly far beyond the pale, NSA ain’t all bad. The Agency has a legitimate mission. It is targeting and defending against places like China, not thee or me.

    Thanks for pushing us to pause and take a look.

  12. TarheelDem says:

    Department of Commerce houses the technical resources at National Telecommunications and Information Administration, which might be drawn upon for technical networking with commercial telecom and information processing technical personnel.

    That would be my guess.

    Making private networks responsible for their own security while taking an aggressive posture on offensive cyberwarfare seems to me to be kinda stupid. The most cyber-vulnerable nation on earth saber-rattling about cyberwarfare. What possibly could go wrong? And yes, once you announce a cyberwarfare command, you have people drawing up war plans and target lists as SOP.

  13. 335blues says:

    What do you think the chances are that personal communications of congress and the supreme court are being recorded?

Comments are closed.