I Told You So, It’s about Cybersecurity Edition

When James “Least Untruthful” Clapper released the first version of PRISM success stories and the most impressive one involved thwarting specific cyberattacks, I noted that the NSA spying was about hackers as much as terrorists.

When “Lying Keith” Alexander answered a question about hacking China from George Stephanopoulos by talking about terror, I warned that these programs were as much about cybersecurity as terror. “Packets in flight!”

When the Guardian noted that minimization procedures allowed the circulation of US person communications collected incidentally off foreign targets if they were “necessary to understand or assess a communications security vulnerability,” I suggested those procedures fit cybersecurity targets better than terror ones.

When Ron Wyden and Mark Udall caught Lying Keith (again) in a lie about minimization, I speculated that the big thing he was hiding was that encrypted communications are kept until they are decrypted.

When I compared minimization procedures with the letter of the law and discovered the NSA had secretly created for itself the ability to keep US person communications that pose a serious threat to property (rather than life or body), I suggested this better targeted cyber criminals than terrorists.

When Joel Brenner suggested Ron Wyden was being dishonorable for asking James Clapper a yes or no question in March 2013, I noted that Wyden’s question actually referred to lies Lying Alexander had told the previous year at DefCon that hid, in part, how hackers’ communications are treated.

When the Guardian happened to publish evidence the NSA considers encryption evidence of terrorism the same day that Keith Alexander spoke to a bunch of encrypters exclusively about terrorism, I suggested he might not want to talk to those people about how these programs are really used.

And when I showed how Lying Keith neglected his boss’ earlier emphasis on cyber in his speech to BlackHat in favor of terror times 27, I observed Lying Keith’s June exhortation that “we’ve got to have this debate with our country,” somehow didn’t extend to debating with hackers.

I told you it would come to this:

U.S. officials say NSA leaks may hamper cyber policy debate

Over two months after Edward Snowden’s first disclosures, the cyberwarriors are now admitting that disclosures about how vast NSA’s existing power is — however hidden behind the impetus of terror terror terror — might lead Congress to question further empowering NSA to fight cyberwar.

I told you so.

Despite the emerging consensus that U.S. cyber defenses must be improved, the conversation has sputtered amid disagreements about liability and privacy protections, the creation of new industry standards and other critical elements.

Now, cybersecurity leaders say the leaked details of the vast scope of NSA’s online data gathering may hamper efforts to draft cyber policies, such as greater information-sharing between government and industry.

“It’s opened up a big can of worms about what the government’s role is, which is already a big open question in cyberspace,” said Bruce McConnell, the Department of Homeland Security’s Acting Deputy Undersecretary for Cybersecurity. “I don’t think this is going to be helpful in making Congress, who tends to be risk-averse, forge new policy agreements.”

As Reuters notes, Congress wasn’t even willing to give the government the authorities it wanted before the Snowden revelations. And yet, even though no one besides me is talking about how these tools are used against cyber targets, Congress is likely to be far more skeptical about giving Lying Keith more power or private corporations more immunity.

And yet for all their silence about how central cyber has been to these disclosures, the cyberwarriors claim remorse that we haven’t been having this debate all along.

14 replies
  1. C says:

    Judging from the content of Hayden’s recent speech it is not clear to me that the cyberwarriors can, or will, distinguish between threats to companies and threats to lives. Indeed if we are to judge from public prosecutions of those who steal from banks (as opposed to the banks themselves) and public prosecutions of polluters who poison the water, it is clear that the former are a higher priority than the latter.

    If you add to that the recent disclosures about the “training materials” used in the Insider Threat program (short version: hate Indian woman who doesn’t think we should support dictators or bomb civilians) you begin to think that they simply mistrust everyone until proven otherwise. That is, after all, consistent with the belief that they must catalogue everything and conceal it from us “for our own good”.

  2. Desider says:

    The summer before 9/11, DoD sites suffered a cyberattack and their response was just to pull them all off-line. That part worried me more than anything – that they just didn’t have a clue to how to defend and respond.
    It seems they’re still clueless (or clueful in the wrong direction) – smash every gnat with a hammer, shut down everything you can’t control, peer into every byte/packet you can.
    Soon they’ll be quantum physicists with tweezers wanting to know the direction of spin on each quark – it’s all controllable at some smaller resolution, no?
    It’s nuts. Two people might have a conversation somewhere and they wouldn’t know, but that the internet exists and they don’t control it all is driving them crazy.

  3. Desider says:

    Jesus, that Reuters article is seriously fucked up. It’s got 3 Homeland Security guys and one ex-Secret Service guy who’s pushing his own cybersecurity conference/networking business. No conflicting opinions allowed.

    Here’s who Robert Rodrigues of SINET is –
    “When I came out to Silicon Valley 12 years ago, I was tasked by the Director of the Secret Service to run the operations for Northern California and also create and build the first Electronic Crimes Task Force. This is really a public/private partnership that was mandated by congressional law” – http://www.innovationexcellence.com/blog/2012/08/05/robert-rodriguez-sinets-security-innovation

    So what do these 4 government security cheerleaders conclude: “But he agreed that public concerns over the scope of government surveillance online convolute policy progress.”

    Indeed – our concerns just convolute – we’re not actually part of the process. You’d never guess the public is supposed to be the actual customer of this government, from which its powers are obtained.

    The laziness of the Reuters reporting is also astounding – send a reporter to a Homeland Security-sponsored SINET conference, jot down a few comments, go to press. Wonder if she’d give a survivalist conference such leeway. Imagine how she’d investigate fracking – go to an oil energy convention and jot down exec opinions.

  4. Nigel says:

    I don’t know whether you noticed, but this NSA document:
    http://www.nsa.gov/public_info/_files/press_releases/section_702_protections.pdf
    “…The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm…”

    – which you referenced in your post on ‘minimization’ here:
    http://www.emptywheel.net/2013/06/19/minimization-in-the-age-of-cyberwar/

    – is now a broken link.

    Is that significant ?

  5. greengiant says:

    Channeling the great Carnac, I predict that the out sourced, the contractors, the private third party sub contractors have been selling zero day exploits, hacking software and hacked information to all comers.

  6. TarheelDem says:

    Yes, let’s talk about cybersecurity policy.

    Let’s talk about how requirements for law enforcement and offensive cyberwarfare compromise defensive cybersecurity.

    Let’s talk about how the NSA databases might enable the MPAA and RIAA to beat up on more 13-year-old file sharers.

    Let’s talk about how SAIC on behalf of one of the Alphabets compromised the anonymity and security of Tor with an offensive cyberattack. And how “child porn” has become the “drug bust” law enforcement excuse in the cyber world.

    Let’s talk about the wasted hours of US government cybersecurity training pursued annually because of Congressional or White House or OMB decree.

    Let’s talk about the Endgames, HBGary’s, and other government contractors who are selling off-the-shelf exploits to governments, corporations, and other contractors.

    And let’s talk about how hoovering up everyone’s data and mirroring and archiving the entire internet does little to improve cybersecurity but makes bunches of contractors rich.

    And let’s talk about repeal of the Computer Fraud and Abuse Act that uses criminal law to enforce terms of service.

    Somehow I don’t think that’s the sort of discussion that NSA or the cybersecurity contractors want to see.

  7. jawbone says:

    Is it now up to this Roberts Supreme Court to defend our Constitutional rights?

    And how do you think that will come down? On the side of the surveillance state or…weaseled in some way…or on the side of the Bill of Rights?

    For some on this court, the only right worth protecting is Second Amendment gun rights…. Oh, and the rights of the powerful and wealthy.

    But, if push comes to shove, IF a case that can define how the surveillance state will work and is treated under the Constitution makes it all the way to the Supremos, they will be the final word, right?

    Until either amendments to the Constitution either enshrining the surveillance state, controlling it, or killing it OR the next actual revolution. It seems to me that the power of this US Corporatist State is much greater versus the people’s power than the original colonialists faced in taking on the British.

  8. What Constitution? says:

    @TarheelDem: We could also ask whether these programs as “remedies” for “cybersecurity threats” are “also” “authorized” by the AUMF or the “President’s implied Article II powers” as “commander in chief” regarding “international policy”. And, while we’re at it, whether the existence of the internet constitutes grounds for a governmental exemption from the Fourth Amendment to the United States Constitution. And, of course, whether we’re at “war” on “cyber”. Inquiring minds will want to know.

  9. orionATL says:

    about private company SAIC:

    “…Campaign contributions

    SAIC is among the 8 top contributors to federal candidates, parties, and outside groups with $1,209,611 during the 2011-2012 election cycle according to information from the Federal Election Commission. The top candidate recipient was Barack Obama.[13]

    https://en.wikipedia.org/wiki/SAIC_(U.S._company)

    as our leader reminds us whenever he reneges on a promise, “when you’re sitting in the oval office, things appear more complicated.”

    continuing from miss wiki:

    “…Subsidiaries

    bd Systems
    Bechtel SAIC Company, LLC, a joint venture between SAIC and Bechtel
    Beck Disaster Recovery BDR
    Benham, a subsidiary of SAIC and its subsidiaries
    Calnais
    CloudShield
    Danet
    Eagan, McAllister Associates, Inc a wholly owned subsidiary of SAIC under the C4I business unit.
    Hicks & Associates
    MEDPROTECT, LLC
    Reveal Imaging
    R. W. Beck, Inc.[14]
    SAIC-Frederick, Inc.
    SAIC International Subsidiaries
    SAIC Venture Capital Corporation
    Varec (Red)
    Applied Marine Technology Corporation, A SAIC Operation
    EAI Corporation, a wholly owned subsidiary
    Vitalize
    maxIT Healthcare…”

  10. orionATL says:

    more on what we citizens get for our tax money when contractors and government security bureaucracies hook up:

    “..FBI allegations

    In June 2001 the Federal Bureau of Investigation (FBI) paid SAIC $122 million to create a Virtual Case File (VCF) software system to speed up the sharing of information among agents. But the FBI abandoned VCF when it failed to function adequately. Robert Mueller, FBI Director, testified to a congressional committee, “When SAIC delivered the first product in December 2003 we immediately identified a number of deficiencies – 17 at the outset. That soon cascaded to 50 or more and ultimately to 400 problems with that software … We were indeed disappointed.”

    SAIC executive vice president Arnold L. Punaro claimed that the company had “fully conformed to the contract we have and gave the taxpayers real value for their money.” He blamed the FBI for the initial problems, saying the agency had a parade of program managers and demanded too many design changes. He stated that during 15 months that SAIC worked on the program, 19 different government managers were involved and 36 contract modifications were ordered.

    “There were an average of 1.3 changes every day from the FBI, for a total of 399 changes during the period,” Punaro said.[18]

    note: in my memory, the fbi and its contractors have an extraordinary and decades-old history of failed “big-change-a-coming” software projects.

  11. Nigel says:

    More secure email services shutting down:
    http://www.telegraph.co.uk/news/worldnews/northamerica/usa/10232473/Encrypted-email-service-linked-to-Edward-Snowden-shuts-down.html
    “I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit,” Lavabit LLC owner Ladar Levison wrote in a letter that was posted on the Texas-based company’s website on Thursday.
    Mr Levison said he has decided to “suspend operations” but was barred from discussing the events over the past six weeks that led to his decision.
    That matches the period since Mr Snowden went public as the source of media reports detailing secret electronic spying operations by the US National Security Agency.
    “This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” Mr Levison wrote…

    …Later on Thursday, an executive with a better-known provider of secure email said his company had also shut down that service. Jon Callas, co-founder of Silent Circle Inc, said on Twitter and in a blog post that Silent Circle had ended Silent Mail.
    “We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now,” Mr Callas wrote on a blog addressed to customers.
    Silent Circle, co-founded by the PGP cryptography inventor Phil Zimmermann, will continue to offer secure texting and secure phone calls, but email is harder to keep truly private, Mr Callas wrote.
