NSA Apologists Now Blaming Snowden for NSA’s Own Cyberdefense Failures

Read this claim about NSA spying, but don’t laugh.

“None of what the U.S. is doing is benefiting American business.”

Did you manage not to laugh at the notion that the US is spending $70 billion a year on spying and none of it — not one little bit of it! — benefits American businesses?

Didn’t think so.

That quote, from Mandiant Chief Security Officer Richard Bejtlich, is just one of the utter absurdities built into this Kurt Eichenwald piece attempting to blame Edward Snowden for our failure to stop Chinese hacking of us.

Here’s the logic.

In May, [Tom] Donilon flew to Beijing to meet senior government officials there and set the framework for a summit between Obama and Chinese President Xi Jinping; Donilon and other American officials made it clear they would demand that hacking be a prime topic of conversation. By finally taking the step of putting public – and, most likely, international – pressure on the Chinese to rein in their cyber tactics, the administration believed it was about to take a critical step in taming one of the biggest threats to America’s economic security.

But it didn’t happen. The administration’s attempt to curb China’s assault on American business and government was crippled – perhaps forever, experts say – by a then-unknown National Security Agency contractor named Edward Snowden.

Snowden’s clandestine efforts to disclose thousands of classified documents about NSA surveillance emerged as the push against Chinese hacking intensified. He reached out to reporters after the public revelations about China’s surveillance of the Times’s computers and the years of hacking by Unit 61398 into networks used by American businesses and government agencies. On May 24, in an email from Hong Kong, Snowden informed a Washington Post reporter to whom he had given documents that the paper had 72 hours to publish them or he would take them elsewhere; had the Post complied, its story about American computer spying would have run on the day Donilon landed in Beijing to push for Chinese hacking to be on the agenda for the presidential summit.

The first report based on Snowden’s documents finally appeared in The Guardian on June 5, two days before the Obama-Xi meeting, revealing the existence of a top-secret NSA program that swept up untold amounts of data on phone calls and Internet activity. When Obama raised the topic of hacking, administration officials say, Xi again denied that China engaged in such actions, then cited The Guardian report as proof that America should not be lecturing Beijing about abusive surveillance. [my emphasis]

Let’s review what Eichenwald has done here.

First, he has taken the Administration at its word that publicly shaming China, and then negotiating with them, would have slowed their cybertheft.

Next, he has insinuated — though not provided evidence — that both Snowden’s initial leaks and the timing of their release (which, after all, took place at different times) were all intentionally rather than coincidentally linked to the US effort to rein in Chinese hacking, and done at the direction of Snowden (that may be the case, but he hasn’t presented it, and if that were Snowden’s real intent, you would think he would have leaked specifics about our attacks on China weeks before he did).

He has highlighted an email (did he somehow get the content of an Edward Snowden email to Barton Gellman? Because I can’t imagine Gellman sharing this.) threatening to take his documents somewhere else, without thinking through what it means that he already had gone somewhere else or considering other reasons (he was holed up in a hotel room, for example) why Snowden might have had some urgency for publishing. [Update: Here’s where that claim came from.]

And then he has Xi’s comments on America’s own hacking, which Eichenwald suggests were a response to the Section 215 and PRISM disclosures: the “top-secret NSA program that swept up untold amounts of data on phone calls and Internet activity.”

With me so far?

Curiously, Eichenwald makes no mention of the document that might actually bolster his case and which almost certainly was the reference Xi intended: the Presidential Policy Directive on cyberwar, which was released just hours before Obama’s meetings with Xi started in CA.

But that would require painting a very different picture of what the US does in cyberspace than this one.

The activities of the two sides, however, are vastly different in scope and intent. The United States engages in widespread electronic espionage, but that classified information cannot legally be handed over to private industry. China is using its surveillance to steal trade secrets, harm international competitors and undermine American businesses.

The US has, after all, conducted the most sophisticated cyberattack publicly known, Stuxnet. Suggesting its activities consist solely of collection of intelligence (and suggesting that the US doesn’t use the intelligence it collects to advance the interests of US companies, even while abundant evidence proves that incorrect, even sharing it with its defense contractors) minimizes both what it really does and — just as importantly — minimizes what China knew at that meeting. Moreover, in an article that describes China turning to hacking in response to seeing our military might in the first Gulf War, it doesn’t consider what it would take for China to give up a weapon which offers it a more effective defense against the US than traditional military toys.

Nevertheless, some Obama types apparently believe — or at least are telling a very credulous Eichenwald they believe — that public shaming would have gotten a country that knew we had weaponized cyberspace to stop its own use of cyberattacks.

To get a sense of whether the claim that public shaming would have ended Chinese hacking holds up, read this post from Jack Goldsmith, written as the Administration was pursuing this approach and 4 months before the first Snowden leak.

[B]ecause talks with the Chinese haven’t worked, “the Obama administration is now considering a range of actions,” including “threats to cancel certain visas or put major purchases of Chinese goods through national security reviews.”  The story cites two former officials for the proposition that the USG is preparing a new National Security Estimate (NIE) that will “underscore the administration’s concerns about the threat, and will put greater weight on plans for more pointed diplomatic and trade measures against the Chinese government.”  (The AP story sometimes talks of the threat from “cyber attack” but it is pretty clear from the context that the topic of the story is cyber exploitation.)

What is puzzling is the tentativeness and slowness of the USG reaction given what the USG has been telling us – openly, and through leaks – about the enormous scale of the problem.  One reason for tentativeness is that, as I once wrote, “the United States itself engages in [cyberexploitations] extensively abroad and [] cyber exploitations do not violate international law, and thus would not justify a large-scale military response, kinetic or cyber.”  This is a large hurdle, I think, that leaves the United States with only relatively weak diplomatic tools to address the problem – and tools, by the way, that open it up to reciprocal retaliation.

[snip]

I can imagine a norm developing where certain large-scale cyber exploitations are such a threat or violation of sovereignty and national security that they warrant an attack – kinetic or not – in response.  I also believe, as I have long said, that the United States will not be able to clamp down on China’s cyber exploitations by others unless it is willing to consider clamping down on its own cyberexploitations – both directly by the USG, and through its support of hacktivism in China. [my emphasis]

Goldsmith, months before any Snowden leaks, was saying that our own hacking would prevent this approach from working.

And, of course, Eichenwald’s entire story doesn’t consider whether the US has used the correct approach to defending our own networks. That is, he doesn’t consider whether the US should have, instead of trying to shame someone for hacking when we ourselves are hacking, invested in a better defense.

Again, we can go to commentary, from Thomas Rid, from that period in February when the US was just rolling out the shaming strategy.

Indeed, the Obama administration has been so intent on responding to the cyber threat with martial aggression that it hasn’t paused to consider the true nature of the threat. And that has led to two crucial mistakes: first, failing to realize (or choosing to ignore) that offensive capabilities in cyber security don’t translate easily into defensive capabilities. And second, failing to realize (or choosing to ignore) that it is far more urgent for the United States to concentrate on developing the latter, rather than the former.

At present, the United States government is one of the most aggressive actors when it comes to offensive cyber operations, excluding commercial espionage. The administration has anonymously admitted that it designed Stuxnet (codenamed Olympic Games), a large-scale and protracted sabotage campaign against Iran’s nuclear enrichment facility in Natanz that was unprecedented in scale and sophistication.

[snip]

Developing sophisticated, code-borne sabotage tools requires skills and expertise; they also require detailed intelligence about the input and output parameters of the targeted control system. The Obama administration seems to have decided to prioritize such high-end offensive operations. Indeed, the Pentagon’s bolstered Cyber Command seems designed primarily for such purposes. But these kinds of narrowly-targeted offensive investments have no defensive value.

So amid all the activity, little has been done to address the country’s major vulnerabilities. The software that controls America’s most critical infrastructure—from pipeline valves to elevators to sluices, trains, and the electricity grid—is often highly insecure by design, as the work of groups like Digital Bond illustrates. Worse, these systems are often connected to the internet for maintenance reasons, which means they are always vulnerable to attack.

[snip]

Defending these areas ought to be the government’s top priority, not the creation of a larger Cyber Command capable of going on the offense.

Here’s the thing: the US was failing in its efforts to combat Chinese hacking all by itself, long before Snowden even got hired at Booz. It has almost certainly been pursuing ineffective approaches to dealing with it, and that’s even before you consider the way its enthusiasm for offensive cyberweapons has led it to tolerate holes and weak encryption in public software. Clearly, Snowden’s leaks have made the shaming strategy the Administration intended to pursue next harder, but to believe it would have worked in the first place would require underestimating China’s interest in defending itself.

Snowden’s disclosures may well have created a slew of difficulties, both diplomatic and tactical, for the US. But to blame our failure to stop Chinese hacking on Snowden is nothing more than scapegoating NSA’s own failures.

13 replies
  1. mspbwatch says:

    I would never say journos shouldn’t editorialize, because they all do, whether openly or not. But when they do it, sometimes they feel compelled to double down, to their detriment.

    My own interactions with Eichenwald on Twitter back in June or so showed me the bias he had against Snowden. Greenwald had just criticized him for adhering to the clubby-access model of keeping sources in the Pentagon happy, at times by being a stenographer for them.

    Daniel Ellsberg nailed it when he said that “a lot of people are being smoked out now about their understanding of democracy” in how they reacted to Snowden. (http://www.bradblog.com/?p=10067)

    Eichenwald, as a journalist, is failing Democracy.

  2. earlofhuntingdon says:

    The claim’s chutzpah stands out even by Beltway standards. One could imagine the same claim coming from 19th century American railroad companies, granted millions of free acres from sea to shining sea. Lobbyists for construction companies, architects and building materials firms might claim that billions spent on roads and bridges were of no benefit to them or to thousands of dominant county-based landowners.

    One might as well deny that NASA expenditures helped any businesses (other than the maker of the industrial liquid, Tang) or that governmental subsidies to pharmaceutical development and testing are merely incidental to business profits.

  3. JTMinIA says:

    As I drive home on crappy roads over bridges that are not safe, listening to the latest unemployment figures, after reading another post about the lack of good security on the US portion of the internet which is close to hitting its bandwidth max anyway, I can’t help asking: what would Ike do?

    (That I cross Interstate 80 on the way from my office to my house is just a coinky-dink.)

    And, yet, as I pull into my street, what do I hear blaring from the AM radio of my Tea Party neighbor? Some idiot still making fun of Obama for saying: “you didn’t build that.”

    Eichenwald is not the only failure out there. Not by a long shot.

  4. earlofhuntingdon says:

    What should China do? Spend hundreds of billions on aircraft and carriers, to “project” their power in US fashion? Or should it spend a fraction of that to employ dual-use computer employee skills to hack the secrets of their principal investors, markets and competitors, especially when their computer systems are so incredibly vulnerable even to simple attacks?

  5. orionATL says:

    this seems a clear case of the military leading its civilian “leaders” around by the rings they had placed in the leaders’ noses.

    has this not been the case for the last 5 years? our military/paramilitary propose military actions, almost always highly aggressive military actions. the actions fail or create unacceptable, how shall i put it delicately, collateral damage. the white house/dod civies then begin scrambling to limit the damage.

    defense? we don’t play no stinking defense – nothin’ but net! every shot!

  6. orionATL says:

    “..For more than a decade, a relentless campaign by China to steal valuable, confidential information from United States corporations flourished with barely a peep from Washington. And now it might never be stopped…”

    kurt eichenwald – from newsweek

    get the picture? 10 years ago the chinks started spying on us. terrible. tricky. stealing all our secrets, even the diet of the presidents’ little dogs….

    finally, one day 10 years later, the president woke up and a plan was devised to deal with the dastardly inscrutable thieves from the east.

    what was that plan?

    why publicly shame the chinese at a meeting between obama and xi in california.

    publicly shame the chinese? ahahahaha. oh my god that’s funny! i can’t breathe. ahahahahaha..

    now comes a real dolt of a reporter, kurt eichenwald, to assure very, very simple newsweek readers that, in fact this “strategy” would have worked just fine,

    if only,

    if only, edward snowden had not revealed we were spying on china – and all the rest of the world.

    and revealed it at just the wrong moment in history – when obama was about to spring the shame trap on xi this summer.

    i ask you: can a reporter who writes an evident hit piece like this, fueled entirely by intelligence agency and other wounded-washington-insider tales, have any self-respect at all?

    and let’s not forget the complicity in this stupidity of that newsweek editor.

    thanks guys. you remind me again of why, decades ago, i dropped my subscriptions to newsweek and time due to their smart-ass, cutesy, trivial reporting and commentary.

    at the same time, reminding me why weblogs have become so terribly valuable to our society.

  7. orionATL says:

    and by the way, just for the benefit of eichenwald’s readers,

    any effort by prez obama to “call out” xi in california would not have been intended to be effective in reducing chinese spying.

    it would have been another of those posturing gestures for domestic consumption that the obama whitehouse loves to engage in that make the prez look tough/competent without his having to actually do, or expend, a damn thing.

  8. Dave McLane says:

    “The activities of the two sides, however, are vastly different in scope and intent. The United States engages in widespread electronic espionage, but that classified information cannot legally be handed over to private industry. China is using its surveillance to steal trade secrets, harm international competitors and undermine American businesses.”

    Having spent some time in Taiwan and an even longer time in Japan, in my opinion Eichenwald is viewing the situation according to a Western/American viewpoint.

    To begin to understand a Chinese/Japanese viewpoint I would say you need to read the following books at least three times: “Seven Pillars of Wisdom” by T. E. Lawrence, “The Art of War” by Sun Tzu, and finally “The Book of Five Rings” by Miyamoto Musashi. And then watch movies from Netflix such as “Lawrence of Arabia,” “Samurai Trilogy: Musashi Miyamoto” three times so you are comfortable with their world view.

  9. lefty665 says:

    As we learn more about NSA’s access I have to wonder why they have not been better at cyber defense. They are bright, they have resources, they have mission. WTF?

    Why have they not been better at getting us to tighten up known vulnerabilities? The S folks can be right intimidating. I can’t imagine a utility operator or defense contractor that would not sit up and pay attention when they show up at the door.

    IP hacks are another story. Why have we not been more effective at chasing back to and whacking bad guys?

    Why does Alexander think he needs control of the web to mount effective cyber defense? What do we not know? Will Snowden tell us in the fullness of time? Will we learn as much about Sec as we have Int?

  10. Phil Perspective says:

    @mspbwatch: Yeah .. I used to follow Eichenwald on the Twitter machine .. but stopped .. because he’s just another power-worshiping “journalist” .. I don’t remember if he ever called Snowden a traitor .. but it seems he certainly wants to .. and probably has in the privacy of his own home

  11. bloodypitchfork says:

    @Phil Perspective:
    quote” I don’t remember if he ever called Snowden a traitor …but it seems he certainly wants to .. and probably has in the privacy of his own home”unquote

    PRIVACY of his own home. priceless

  12. _decius_ says:

    Emptywheel, I have found your analysis extremely valuable throughout this Edward Snowden affair. FWIW, I think you are dismissing this too easily. State sponsored network intrusions have become a significant operational challenge for many businesses. Most companies are not prepared to defend their networks against that sort of attacker effectively. There is a desire in the business community that we sanction nations that are breaking into our computer networks through trade or other forms of diplomatic pressure the same way that we sanction nations that are threatening our security in other ways.

    Obviously, the problem for the government is that espionage is considered fair game – how can you sanction someone for doing what you, yourself do? In this light, it’s important to define a difference between what we’re doing and what they’re doing. The question of what this difference is, exactly, and whether or not it’s real, is very very important.

    Your single link about Montasano doesn’t completely undermine the argument that there is a distinction. People in the IC argue that the US does not steal trade secrets from foreign companies and relay them to US businesses, and that this is an important distinction. Is there evidence that this is not the case? Is this the extent of the distinction between US and Chinese spying? Is there direct evidence that US spies have aided US companies in overseas business negotiations by covertly obtaining information about the negotiation position of foreign business entities?

    Honestly, I think there is a lot that the US government could do to aid US businesses in defending themselves against state sponsored attackers that we do not do, within the framework of existing law. However, the IC is saying they cannot provide technical indicators to US businesses about sophisticated, targeted attack activity without CISPA, which would create an exception to every privacy law. I think that CISPA was written by people who don’t give a damn about privacy laws and don’t think it’s worth their trouble to think carefully about them. The reality is that we need the sort of information sharing that CISPA envisions, and we need to do it within a framework that respects people’s privacy. Unfortunately, the IC and the privacy community are too busy calling each other names to cooperate on crafting reasonable public policy that achieves both of these ends.
