It has increasingly become clear that the Obama Administration treats the category of “terrorist” more flexibly than the Bush Administration did. With the introduction of the term “countering violent extremism,” for example, the Administration broadened the potential application of terrorist tools to those who were simply, according to them, “extremists.” Then there’s the odd treatment of a bunch of Colombian right wing terrorists, who were extradited on drug charges (but not terrorism), and then entirely disappeared from the docket, with allegations that at least one of them had been freed. And while the Obama Administration has charged some white people with using WMD (a terrorism crime), the disparity in its use is stark.

Carol Rosenberg has been tracking another telling example of the Obama Administration’s flexible interpretations of terrorist-like activity: DOD’s citation of a legally suspect ruling about an attack on Seminoles as precedent for trying material support for terrorism in military commissions.

Pentagon prosecutors touched off a protest — and issued an apology this week — for likening the Seminole Indians in Spanish Florida to al Qaeda in documents defending Guantánamo’s military commissions.

Citing precedents, prosecutors reached back into the Indian Wars in arguments at an appeals panel in Washington D.C. Specifically, they invoked an 1818 military commission convened by Gen. Andrew Jackson after U.S. forces invaded then-Spanish Florida to stop black slaves from fleeing through a porous border — then executed two British men for helping the Seminole Indians.

Navy Capt. Edward S. White also wrote this in a prosecution brief:

“Not only was the Seminole belligerency unlawful, but, much like modern-day al Qaeda, the very way in which the Seminoles waged war against U.S. targets itself violate the customs and usages of war.”

In other words, our government is siding with slavery, genocide of Native Americans, and Andrew Jackson’s illegal belligerency–it is citing our own country’s illegal behavior–to find some support for the claim that material support is a military crime.

Not surprisingly, the Seminole tribe objected (see Rosenberg’s collection of documents in the case here).  And now Jeh Johnson (he of the claim that Martin Luther King would have empathized with the attacks on Afghans) has apologized to the tribe–but reiterated our reliance on the precedent.

The Pentagon’s top lawyer has sent the Seminole Tribe of Florida what amounts to an apology for Guantánamo war court lawyers likening al Qaida to the Native American tribe in 1818.

But Defense Department general counsel Jeh Johnson made clear in the single-page letter that the U.S. government was standing by its precedent from Gen. Andrew Jackson’s Indian Wars in its bid to uphold the life-time conviction of Osama bin Laden’s media secretary at Guantánamo’s Camp Justice.

And so it is that our government clings desperately to one of the darkest chapters of our history to legitimize its current actions. Rather than reflect on what that means–how damning it is that we can point only to Andrew Jackson’s illegal treatment of Native Americans to justify our current conduct–the government says simply, “a precedent is a precedent!”

Apparently, our country has learned nothing in the last 200 years.

Update: Jackson corrected for Johnson, thanks to JTIDAHO.

In Charlie Savage’s story from last year on the sidelining of Laurence Tribe as head of an “Access to Justice” program at DOJ, he reported that Tribe originally believed he would serve as counselor for “rule of law” issues in Obama’s Administration.

There was also concern over how his presence might play out internally, several administration officials said. Some officials feared that he might be unmanageable, intruding into all manner of policy areas and able to call on Mr. Obama as a trump card.

“He has an ego,” said Charles Fried, a former solicitor general in the Reagan administration and a fellow Harvard law professor. “He’s entitled to it. He’s earned it.”

Several friends and administration officials said Mr. Tribe had initially sought and believed he would be given a far broader title and assignment: counselor for “rule of law” issues, which would have come with a mandate to help shape matters of national security and foreign policy. That did not happen, but Mr. Tribe came to Washington anyway.

After less than a year in that position, Tribe left last December, citing medical issues.

Now, the guy Obama sidelined to make sure he didn’t impose too much rule of law on his Administration has strongly criticized Bradley Manning’s treatment, not only signing a letter condemning Manning’s treatment, but elaborating on why that treatment was unconstitutional.

[Tribe] told the Guardian he signed the letter because Manning appeared to have been treated in a way that “is not only shameful but unconstitutional” as he awaits court martial in Quantico marine base in Virginia.

The US soldier has been held in the military brig since last July, charged with multiple counts relating to the leaking of thousands of embassy cables and other secret documents to the WikiLeaks website.

Under the terms of his detention, he is kept in solitary confinement for 23 hours a day, checked every five minutes under a so-called “prevention of injury order” and stripped naked at night apart from a smock.

Tribe said the treatment was objectionable “in the way it violates his person and his liberty without due process of law and in the way it administers cruel and unusual punishment of a sort that cannot be constitutionally inflicted even upon someone convicted of terrible offences, not to mention someone merely accused of such offences”.

A pity. Back when Tribe was celebrating candidate Obama, he called him the best student he ever taught at Harvard Law and promised he would defend civil liberties and would not appoint justices who put executive power above rule of law.

Tribe said Americans’ civil liberties are hanging by a thread. “But it’s better to have a thread than to have the thread cut,” he said. “A Republican president would be in a position to cut that thread.”

[snip]

Tribe said that if Obama were to be elected, he would appoint justices “who share his view that the Constitution is a living document that has to be interpreted in light of evolving values of decency.”

“They would not be justices who fool themselves into thinking they know what the Constitution’s original meaning was, and they can apply it as if nothing has happened in the last 200 years,” Tribe said. “They would be justices who have a serious record of support for human rights and constitutional values, rather than justices who simply have shown their loyalty to executive power.”

[snip]

On a more personal note, Tribe called Obama the “best student I ever had” and the “most exciting research assistant.”

As to Justices Obama would appoint, Tribe has proven himself badly wrong about who would and would not make a good Justice.

But it appears that his belief that Obama would support the rule of law was a far greater misjudgment.

I’m going to have more to say about the Libya memo the Administration released yesterday. But I just wanted to point out something about the structure of it.

Here’s the first paragraph:

This memorandum memorializes advice this Office provided to you, prior to the commencement of recent United States military operations in Libya, regarding the President’s legal authority to conduct such operations. For the reasons explained below, we concluded that the President had the constitutional authority to direct the use of force in Libya because he could reasonably determine that such use of force was in the national interest. We also advised that prior congressional approval was not constitutionally required to use military force in the limited operations under consideration. [my emphasis]

This is not the advice authorizing the Libyan engagement. Rather, it is a document written the day after–the memo notes–the Administration turned over control to NATO, claiming to memorialize the advice given before the Libyan engagement (therefore, presumably, before March 19).

Is this all the advice OLC gave the President? Did OLC authorize further activities? Did Obama’s description of why bombing Libya was in the national interest before March 19 match what appears in this memo, written after the fact?

This fundamental structural reality is all the more striking given the role of Section I of the memo: it provides a narrative of the Libyan engagement starting in mid-February and leading right up to the March 31 turnover of control to NATO. In other words, a key function of this memo is to provide the Administration’s own mini-history of the Libyan engagement, written the day after an artificial “end date” for the engagement, which it uses to lay out the national interest of bombing Libya and the limits to our engagement in it that the memo says justify the engagement. Two key elements in this history–Obama’s address to Congress on March 21 and his address to the nation on March 28–took place after the real advice OLC offered Obama to authorize this engagement.

But the memo claims to have offered its advice before the start of the bombing. It is basically using Presidential statements made up to 9 days after the advice it gave to “memorialize” the advice it gave 9 days earlier. The memo uses limits Obama described after the advice was actually given to claim the advice itself had limits.

I’m envisioning a discussion like this:

Bob Bauer: Caroline, can you give us a verbal okay for this engagement?

Caroline Krass: Do you want a written memo?

Bauer: Not yet. Let’s wait until it’s all done so we can tailor the legal authorization of it to what we really end up doing. It’ll make it easier for us to thread the needle between authorizing what we do while still claiming to believe Executive Power is limited.

Krass: Okay, Bob.

Pretty remarkable, isn’t it, the way a memo written after the fact authorizes precisely the engagement that Obama ultimately used, all the while highlighting limits to the use of unilateral presidential power?

I’m traveling to Boston today for the National Conference on Media Reform (if you’re in Boston, come see my panel on “Independent Journalism and International Crisis” on Saturday!). So blogging will be light today.

But I wanted to point to one more aspect of the Senate Intelligence Committee’s Intelligence Authorization–one also highlighted by Steven Aftergood. Someone–someone not in the intelligence community, apparently–has decided that intelligence community leakers (but not leakers from other parts of government) should lose their pension if the executive branch unilaterally decides they’ve leaked classified information.

The committee’s explanation for needing the bill is cute, among other reasons, because its concerns about “unauthorized” leaks seem to admit their lack of concern about “authorized” leaks of classified information.

The Committee has had long-standing concerns about unauthorized disclosures of classified information.

Which by itself points to the arbitrariness of our classification system.

But it’s in Ron Wyden’s extensive opposition to the measure where the true arbitrary potential for this becomes clear.

Given these challenges, my concern is that giving intelligence agency heads the authority to take away the pensions of individuals who haven’t been formally convicted of any wrongdoing could pose serious problems for the due process rights of intelligence professionals, and particularly the rights of whistleblowers who report waste, fraud and abuse to Congress or Inspectors General.

Section 403 – as approved by the Select Committee on Intelligence – gives the intelligence agency heads the power to take pension benefits away from any employee that an agency head ―determines‖ has knowingly violated their nondisclosure agreement. But as I noted in the committee markup of this bill, neither the DNI nor any of the intelligence agency heads have asked Congress for this authority.Moreover, as of this writing none of the intelligence agencies have officially told Congress how they would interpret this language.

It is entirely unclear to me which standard agency heads would use to ―determine‖ that a particular employee was guilty of disclosing information. It seems clear that section 403 gives agency heads the power to make this determination themselves, without going to a court of law, but the language of the provision provides virtually no guidance about what standard should be used, or even whether this standard could vary from one agency to the next.

In other words, agency heads will get to decide, unilaterally and in secret, whether they think a former employee has leaked classified information and therefore should lose their pension.

Serving in the intelligence community is already prone to abuse. Since there is almost no transparency, agencies can and have fired people for being unwilling to participate in propaganda or illegal ops. And this would just give intelligence agencies one more tool to retaliate against people if they’re perceived as doing something wrong.

I can’t help but think of Jeff Sterling and this measure. He had a gripe about discrimination. But he also appears to have had a gripe about a really asinine plot to deal nukes to Iran. His case will be tried in court (though the agency already has a huge advantage over him, starting with the fact that they have already invoked state secrets in his case). But now Congress (or someone whispering on Congress’ ear?) wants one more tool to punish people like Sterling, this time with no due process. Moreover, in his case, the government has claimed that leaks to the American public are worse than leaks to our enemies.

The defendant’s unauthorized disclosures, however, may be viewed as more pernicious than the typical espionage case where a spy sells classified information for money. Unlike the typical espionage case where a single foreign country or intelligence agency may be the beneficiary of the unauthorized disclosure of classified information, this defendant elected to disclose the classified information publicly through the mass media. Thus, every foreign adversary stood to benefit from the defendant’s unauthorized disclosure of classified information, thus posing an even greater threat to society.

This measure, which would allow the government to use a two-tier justice system to secretly retaliate against those it claims leaked, seems to reinforce this growing claim to that leaks to American citizens are more dangerous than leaks to our enemies.

It seems the government believes the most dangerous spies are those who tell Americans what its government does in their name.

I did a long post yesterday describing how embarrassingly, pathetically bad DOD’s information security was and remains 3 years after a malware attack and a full year after the alleged WikiLeaks leak. Along with DOD’s gaping security problems, I noted that some entities in the intelligence community are still in the process of implementing user authentication which would have exposed someone taking entire databases off of their networks.

While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC area also still implementing the kind of authentication most medium sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

Just in case the intelligence community can’t get around to providing this fairly common security on our intelligence community networks by their planned timeframe of the first quarter of FY 2012 (which would mean the last quarter of calendar year 2011), the Senate Intelligence Committee is requiring the IC to have a fully operational ability to audit online access by October 2013.

Section 402 requires the Director of National Intelligence, not later than October 1, 2012, to establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information. Section 402 requires that the program be at full operating capability by October 1, 2013.

Not later than December 1, 2011, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the resources required to implement the program and any other issues the Director considers appropriate to include in the report.

In other words, if closing this security gap a year and a half after the leaks are alleged to have occurred is too tough, then they can go ahead and take another year or so to close the barn door.

Though to be fair, this deadline may come directly from the lackadaisical DOD, as the deadlines given here seem to match those DOD aspires to hit.

Now, maybe it’s considered unpatriotic to note that our intelligence community–and its congressional overseers–are tolerating pretty shoddy levels of security all while insisting that they takes leaks seriously.

But seriously: if our government is going to claim that leaks are as urgent as it does, if it’s going to continue to pretend that secrets are, you know, really secret, then it really ought to at least pretend to show urgency on responding to the gaping technical issues that will not only protect against leakers, but also provide better cybersecurity and protect against spies. Aspiring to fix those issues years after the fact really doesn’t cut it.

CNN is reporting that Curt Weldon, the ethically and legally challenged former Congressman with ties to Manucher Ghorbanifar, has gone to Libya to try to negotiate with Muammar Qaddafi. In a NYT op-ed, Weldon makes the case for why he’s the guy to persuade Qaddafi to step aside.

Seven years later I am back in Libya, this time on a much different mission, as the leader of a small private delegation, at the invitation of Colonel Qaddafi‘s chief of staff and with the knowledge of the Obama administration and members of Congress from both parties. Our purpose is to meet with Colonel Qaddafi today and persuade him to step aside.

[snip]

First, we must engage face-to-face with Colonel Qaddafi and persuade him to leave, as my delegation hopes to do. I’ve met him enough times to know that it will be very hard to simply bomb him into submission.

Simultaneously, we must obtain an immediate United Nations-monitored cease-fire, with the Libyan Army withdrawing from contested cities and rebel forces ending attempts to advance.

Then we must identify and engage with those leaders who, if not perfect, are pragmatic and reform-minded and thus best positioned to lead the country.

[snip]

The world agrees that Colonel Qaddafi must go, even though no one has a plan, a foundation for civil society has not been constructed and we are not even sure whom we should trust. But in the meantime, the people of Libya deserve more than bombs. [my emphasis]

Noah Shachtman elaborates on the history Weldon and Qaddafi have in common. The short version? At a time when Weldon served on Qaddafi’s “foundation,” he was pitching selling arms to him.

It wasn’t long ago — April, 2008, to be exact — that Weldon was boasting in a report that he had become the “1st non-Libyan Board Member of the Ghadaffi Foundation.” During a trip to Tripoli the month before, the self-proclaimed “friend of Libya” carried “a personal letter from Libyan Chamber [of Commerce] President to U.S. Chamber President.” Weldon also visited with with the country’s “Nuclear Ministry Leadership and agreed to reinforce U.S. nuclear cooperation/collaboration.”

Finally, Weldon agreed “to quickly return to Libya for meetings with [Gadhafi’s] son Morti regarding defense and security cooperation.”

Two weeks later, Defense Solutions — a company which, at the time, counted Weldon as a key executive and adviser — drew up a proposal to refurbish the country’s fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles and BTR-60 armored personnel carriers.

Now, granted, Weldon says he is undertaking this trip with the knowledge–not the endorsement–of the Obama Administration. Still, I can’t help but wondering whether this is an elaborate plot (with Weldon, there’s always a plot) to make Obama’s decision to send Frank Wisner–also a business associate–to negotiate with Hosni Mubarak look remarkably smart by comparison. After all, both Wisner and Weldon have troubling conflicts that make them poor choices to represent our country’s interests. But Wisner, at least, is diplomatic and sane. Weldon? I’m not so sure.

DDay reported on OCC’s attempt to preempt a foreclosure settlement on Monday. Today, Yves Smith has a long post giving the consent decrees the banks are trying to roll out in lieu of a real foreclosure settlement the disdain they deserve.

Wow, the Obama administration has openly negotiated against itself on behalf of the banks. I don’t think I’ve ever seen anything so craven heretofore.

[snip]

The part I am puzzled by is who is behind this rearguard action. It clearly guts the Federal part of the settlement negotiations. If you pull out your supposed big gun (ex having done a real exam to find real problems, and it’s weaker than your negotiating demands, you’ve just demonstrated you have no threat. Now obviously, a much more aggressive cease and desist order could have been presented; it’s blindingly obvious that the only reason for putting this one forward was not to pressure the banks, as American Banker incorrectly argued, but to undermine the AGs and whatever banking/housing regulators stood with them (HUD and the DoJ were parties to the first face to face talks).

So the only part that I’d still love to know was who exactly is behind the C&D order? Is it just the OCC?

But what I’d like to know is why, coincident with the roll-out of this Potemkin resolution to the foreclosure problem, someone told Reuters that the Administration was considering Jennifer Granholm and/or Sarah Raskin to head the Consumer Finance Protection Board.

The White House is considering Federal Reserve Governor Sarah Raskin and former Michigan Gov. Jennifer Granholm to head a new agency charged with protecting consumers of financial products, a source aware of the process said Tuesday.

You see, as Yves reminds us, one part of the whole AG settlement that this consent decree seems intended to replace was that Tom Miller, Iowa’s Attorney General, would get the CFPB position as his reward for shepherding through such a crappy settlement.

So now, with the consent decrees the apparent new plan to appear to address foreclosures without penalizing the banksters, the Administration rolls out the claim that it is considering Granholm and Raskin?

And the report is all the more weird given that Granholm was previously floated for the position in late March, at which point she declined to be considered and–the next day–accepted a position with Pew. This morning, in response to the Reuters story, Granholm tweeted,

This story says I’m under consideration for the CFPB job. I have declined to be considered for this post. I’m happy in my new roles at Pew, Berkeley and Dow. And, by the way, while I don’t know Raskin and she may be great, I think nominating Elizabeth Warren is a fight worth waging.

See, best as I can guess (and this is a guess), by pulling the plug on the AG settlement, the Administration lost its best case for appointing someone not named Elizabeth Warren to assume the CFPB position. Whereas they might have been able to claim (falsely) that Miller had achieved this great progressive settlement for homeowners, now they’ve decided to stick with the status quo rather than even a bad settlement. Which leaves them with the increasingly urgent problem of who heads the CFPB when it goes live in July.

And so they float a report that the one blond woman who is as much of a rock star as Warren is might get the position? Do they think Democrats can’t tell the difference between charismatic blonde women (or that progressives would confuse the down-to-earth but centrist Granholm for Warren)?

It’s like they’ve got a Craigslist posting up somewhere:

Wanted: blonde woman with great people skills and rock star looks to serve as figurehead for a position purported to exercise real power to protect American consumers, but which will instead be asked to serve up Timmeh Geithner coffee and complete deference. Democratic affiliation a plus but not necessary.

At first, when I read this story describing how Hamid Karzai’s government is insisting that a bunch of security contractors pay back taxes before he’ll recertify them to work in Afghanistan, I though it was just out of a desire to get rid of contractors.

The Afghan government issued its unexpected tax demand last month, at the same time it made all current security company licenses expire. The assessed taxes are in some cases higher than several years’ worth of operating profits for the companies.

“It’s not feasible for us to pay such a large bill. We wouldn’t be able to continue to operate here,” one security company official in Kabul said.

Until the companies pay the back taxes, they cannot apply for new security licenses or weapons permits, throwing their legal status in limbo and leaving them ineligible to bid on new contracts to protect diplomatic missions or government development projects.

But I think it may be even more complex than that.

Consider the reports of Karzai’s role in calling attention to Terry Jones’ Koran-burning, which in turn led to the attacks on the UN compound in Mazar-e-Sharif.

But many U.S. and other Western officials in Afghanistan say Karzai has played a more damaging role. They say that his initial statement condemning Jones four days after the March 20 Koran burning was provocative and that it informed many Afghans of an event that was not widely known and helped mobilize public anger toward the United States.

Throughout the crisis, Karzai has repeatedly pushed the issue, calling for Jones’s prosecution, even though the burning of holy books is not a crime in the United States, and for Congress to join in his condemnation.

As soon as Karzai issued his initial public condemnation, said one NATO official in Kabul, “you knew that this could really be bad.”

Consider, too, how revelations about the role Kabul Bank had in the Karzai government’s “vertically integrated criminal enterprise” has made donors pause before dumping more money into the corrupt cesspit.

The International Monetary Fund and a number of Western diplomats believe that the wrongdoers must be held to account in order to restore Afghans’ faith in the banking system, including criminal prosecutions. However, it is unclear that the government is committed to that level of public scrutiny of those close to the presidential palace. Still, the government’s official line is that those who committed the fraud will be prosecuted. “Kabul Bank is a criminal case,” said Rangin Dadfar Spanta, the Afghan National Security adviser, in an interview earlier this month.

“For the interest of the financial system we have to protect the money and property of our people; in the coming days we will have more investigations; this can not be business as usual,” he said.

The International Monetary Fund has suspended its program with Afghanistan because of its dismay at the handling of banking regulation and Kabul Bank in particular, which has delayed the ability of several western donors to funnel money to the Afghan government. One is the British government which has delayed $137 million in funds, and many others are expected to follow suit.

“The Afghans still do not have a solution to the Kabul Bank mess and they just don’t seem to realize how serious it is,” a Western diplomat said recently.

I.M.F. officials and donor countries want to see the misappropriated loans repaid out of Afghan government tax revenues — rather than through the money it gets from donors, who finance the great majority of the country’s operating budget.

And finally, consider the secondary implications for the withdrawal of security contractors: the withdrawal of humanitarian organizations (from the WSJ again).

At stake are billions of dollars in development money. Many aid organizations and U.S. Agency for International Development contractors have said they would leave Afghanistan if they can’t use private security guards—a concern that is especially acute after last week’s deadly mob attack on the United Nations compound in the city of Mazar-e-Sharif.

Development Alternatives Inc., a big subcontractor for USAID, said it would scale back its operations significantly if the security companies left Afghanistan.

“The international community is worried that if this goes through, all construction programs, consultants—everyone working on government aid and development projects—will also be taxed,” said one private security company executive.

It’s all very neat, how an attack on one of Afghanistan’s safest cities coupled with Karzai’s insistence for big payments–called taxes–on the contractors that keep humanitarian agencies safe would contribute to aide agencies withdrawing from Afghanistan.

But it also replicates the play the Taliban used to push Western entities out of Afghanistan in the past (though with the added benefit that security contracting has since become a huge business rife with corruption). It’s just a slightly more elaborate bribe than the ones the Taliban have been demanding.

It sure seems like Karzai is upping the ante on his demand for bribes to remain our “partner” in Afghanistan.

Yesterday, the Center for Public Integrity revealed the contents of a secret FBI memo treating a top ABC journalist–who turned out to be Christopher Isham (currently CBS’ DC bureau chief)–as a confidential source for a claim that Iraq’s intelligence service had helped Timothy McVeigh bomb the Murrah Federal Building.

Isham claims he alerted the FBI about the story because there were indications there might be follow-on attacks.

Christopher Isham, a vice president at CBS News and chief of its Washington bureau, later issued a statement denouncing the claims, revealing himself as the subject of the report. Mr. Isham, who worked for ABC News at the time of the bombing, said he would have passed information to the F.B.I. only to try to verify it or to alert the bureau to word of a possible terrorist attack.

“Like every investigative reporter, my job for 25 years has been to check out information and tips from sources,” Mr. Isham said in a statement released through a CBS spokeswoman. “In the heat of the Oklahoma City bombing, it would not be unusual for me or any journalist to run information by a source within the F.B.I. for confirmation or to notify authorities about a pending terrorist attack.”

Only, it turns out that Vince Cannistraro–who had told ABC the story while serving as a consultant for them and had, in turn, been told the tale by a Saudi General–had already told the FBI himself.

That source, Vincent Cannistraro, a former Central Intelligence Agency official who was a consultant for ABC News at the time, said in an interview that Mr. Isham had done something discourteous, perhaps, but not improper.

“I was working for ABC as a consultant,” he said. “I was not a confidential source.”

Mr. Cannistraro added, however, that he would have preferred it if Mr. Isham had told him that he had passed along the tip. “I was not told that Chris was also going to talk to them. And he certainly didn’t tell me.”

Now, aside from Isham ultimately revealing that his story came from Cannistraro, it seems to me the ethical questions on the part of ABC and Isham are misplaced. Isham’s call to the FBI to confirm or deny a tip really can’t be faulted.

The problem seems to lie in two issues: how ABC treated Cannistraro, and how the FBI treated Isham.

First, Cannistraro fed ABC an inflammatory tip, apparently without confirming it. Given that he was a consultant to ABC, was it his job to second source that material? As it happens, since both Cannistraro and Isham reported the tip to the FBI, it worked like a stove pipe, giving the FBI the appearance of two sources when the story derived from the same Saudi General. And how much other bullshit did Cannistraro feed ABC over the years? It’s not even necessary that Cannistraro do this deliberately–if sources knew he was an ABC consultant, particularly if they knew the information would be treated this way, it’d be easy to stovepipe further inflammatory information right to the screens of the TV. And who owns the source relationship, then, the understanding that the source can be burned for planting deliberate, inflammatory misinformation designed to stoke an illegal war?

In other words, the way ABC treated Cannistraro as a consultant muddled journalistic lines in ways that may have led to less than responsible journalism.

It wouldn’t be the first time networks’ relationships with “consultants” had compromised their reporting.

And then there’s the FBI. Anonymous sources are reassuring the NYT that Isham wasn’t really treated as a snitch, even though the report that CPI has seems to treat him as such. This seems more like FBI trying to cover its tracks–reassure other journalists the FBI isn’t typing up source reports every time a journalist calls the FBI for confirmation of a tip–than anything else. So how often does the FBI, having been asked to confirm information by a journalist, start an informant file on that tip?

And what is the relationship that evolves between the FBI and that source over the years? That is, if the FBI treats journalists who confirm information with them as sources, filing reports like this one that, if revealed, would reflect badly on the journalist, then what will the journalist do in the future when the FBI feeds him shit?

As I have posted several times, the response to WikiLeaks has ignored one entity that bears some responsibility for the leaks: DOD’s IT.

Back in 2008, someone introduced malware to DOD’s computer systems. In response, DOD announced it would no longer allow the use of removable media in DOD networks. Yet that is precisely how Bradley Manning is reported to have gotten the databases allegedly leaked. In other words, had DOD had very basic security measures in place they had already been warned they needed, it would have been a lot harder for anyone to access and leak these documents.

Often, when I have raised this issue, people are simply incredulous that DOD’s classified network would be accessible to removable media (and would have remained so two years after malware was introduced via such means). But it’s even worse than that.

A little-noticed Senate Homeland Security hearing last month (Steven Aftergood is one of the few people who noticed) provided more details about the status of DOD’s networks when the leaks took place and what DOD and the rest of government have done since. The short version is this: for over two months after DOD arrested Bradley Manning for allegedly leaking a bunch of material by downloading information onto a Lady Gaga CD, DOD and the State Department did nothing. In August, only after WikiLeaks published the Afghan War Logs, they started to assess what had gone wrong. And their description of what went wrong reveals not only how exposed DOD was, but how exposed it remains.

Two months to respond

Bradley Manning was arrested on or before May 29. Yet in spite of claims he is alleged to have made in chat logs about downloading three major databases, neither DOD or State started responding to the leak until after the Afghan War Logs were published on July 25, 2010.

The joint testimony of DOD’s Chief Information Officer Teresa Takai and Principal Deputy Under Secretary for Intelligence Thomas Ferguson explains,

On August 12, 2010, immediately following the first release of documents, the Secretary of Defense commissioned two internal DoD studies. The first study, led by the Under Secretary of Defense for Intelligence (USD(I)), directed a review of DoD information security policy. The second study, led by the Joint Staff, focused on procedures for handling classified information in forward deployed areas.

In other words, “immediately” (as in, more than two weeks) after the publication of material that chat logs (published two months earlier) had clearly explained that Manning had allegedly downloaded via Lady Gaga CD months earlier, DOD commissioned two studies.

As State Department Under Secretary of Management Patrick Kennedy explained, their response was no quicker.

When DoD material was leaked in July 2010, we worked with DoD to identify any alleged State Department material that was in WikiLeaks’ possession.

It wasn’t until November–at around the time when NYT was telling State precisely what they were going to publish–that State started responding in earnest. At that time–over four months after chat logs showed Manning claiming to have downloaded 250,000 State cables–State moved its Net Centric Diplomacy database from SIPRNet (that is, the classified network) to JWICS (the Top Secret network).

DOD’s exposed IT networks

Now, frankly, State deserves almost none of the blame here. Kennedy’s testimony made it clear that, while the WikiLeaks leak has led State to enhance their limits on the use of removable media access, they have systems in place to track precisely who is accessing data where.

DOD won’t have that across their system for another year, at least.

There are three big problems with DOD’s information security. First, as the Takai/Ferguson testimony summarized,

Forward deployed units maintained an over-reliance on removable electronic storage media.

It explains further that to make sure people in the field can share information with coalition partners, they have to keep a certain number of computers accessible to removable media.

The most expedient remedy for the vulnerability that led to the WikiLeaks disclosure was to prevent the ability to remove large amounts of data from the classified network. This recommendation, forwarded in both the USD(I) and Joint Staff assessments, considered the operational impact of severely limiting users’ ability to move data from SIPRNet to other networks (such as coalition networks) or to weapons platforms. The impact was determined to be acceptable if a small number of computers retained the ability to write to removable media for operational reasons and under strict controls.

As they did in 2008 after malware was introduced via thumb drive, DOD has promised to shut off access to removable media (note, Ferguson testified thumb drives, but not CDs, have been shut down for “some time”). But 12% of the computers on SIPRNet will still be accessed by removable media, though they are in the process of implementing real-time Host Based Security System tracking of authorized and unauthorized attempts to save information on removable media for those computers.

In response to a very frustrated question from Senator Collins, Ferguson explained that DOD started implementing a Host Based Security System in 2008 (the year DOD got infected with malware). But at the time of the leak, just 40% of the systems in the continental US had that system in place; it was not implemented outside of the US, though. They weren’t implemented overseas, he explained, because a lot of the systems in the field “are cobbled together.”

In any case, HBSS software will be in place by June. (Tech folks: Does this means those computers are still vulnerable to malware introduced by removable media? What about unauthorized software uploads?)

Then there’s data access control. DOD says it can’t (won’t) password protect access to information because managing passwords to control the access of 500,000 people is too onerous for an agency with a budget larger than Australia’s gross national product. Frankly, that may well be a fair approach given the importance of sharing information.

But what is astounding is that DOD is only now implementing public key infrastructure that will, first of all, make it possible to track what people access and–some time after DOD collects that data–to start fine tuning what they can access.

DoD has begun to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card. This is very similar to the Common Access Card (CAC) we use on our unclassified network. We will complete issuing 500,000 cards to our SIPRNet users, along with card readers and software, by the end of 2012. This will provide very strong identification of the person accessing the network and requesting data. It will both deter bad behavior and require absolute identification of who is accessing data and managing that access.

In conjunction with this, all DoD organizations will configure their SIPRNet-based systems to use the PKI credentials to strongly authenticate end-users who are accessing information in the system. This provides the link between end users and the specific data they can access – not just network access. This should, based on our experience on the unclassified networks, be straightforward.

DoD’s goal is that by 2013, following completion of credential issuance, all SIPRNet users will log into their local computers with their SIPRNet PKI/smart card credential. This will mirror what we already do on the unclassified networks with CACs.

[Takai defines what they’re doing somewhat just before 88:00]

Note what this says: DOD is only now beginning to issue the kind of user-based access keys to protect its classified network that medium-sized private companies use. And unless I’m misunderstanding this, it means DOD is only now upgrading the security on its classified system to match what already exists on its unclassified system.

Let’s hope nothing happens between now and that day in 2013 when all this is done.

And this particular problem appears to exist beyond DOD. While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC area also still implementing the kind of authentication most medium sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

So that’s the issue of removable media and individualized access tracking.

Which leaves one more big security hole. According to Takai/Ferguson, DOD didn’t–still didn’t, as of mid-March–have the resources in place to detect anomalous behavior on its networks.

Limited capability currently exists to detect and monitor anomalous behavior on classified computer networks.

This confirms something Manning said in chat logs: no one is following the activity occurring on our networks in Iraq (or anywhere else on SIPRNet, from the sounds of things), and flagging activities that might be an intrusion.

The part of the Takai/Ferguson testimony that details very hazy plans to think about maybe implementing such a system (pages 6-7) is worth a gander just for the number of acronyms of titles of people who are considering maybe what to implement some time in the future. It’s all a bunch of bureaucratic camouflage, IMO, to avoid saying clearly, “we haven’t got it and we haven’t yet figured out how we’re going to get it.” But here are the two most concrete descriptions of what the Department of Defense plans to do to make sure no one is fiddling in their classified networks. First, once they get HBSS completely installed, then they will install an NSA audit program on top of that.

One very promising capability is the Audit Extraction Module (AEM) developed by the National Security Agency (NSA). This software leverages already existing audit capabilities and reports to the network operators on selected audit events that indicate questionable behavior. A great advantage is that it can be integrated into the HBSS we have already installed on the network, and so deployment should be relatively inexpensive and timely. AEM is being integrated into HBSS now and will be operationally piloted this summer.

But in the very next paragraph, Takai/Ferguson admit there are better solutions out there. But DOD (again, with its budget larger than the GNP of most medium sized countries) can’t implement those options.

Commercial counterintelligence and law enforcement tools – mostly used by the intelligence community – are also being examined and will be a part of the overall DoD insider threat program. These tools provide much more capability than the AEM. However, while currently in use in some agencies, they are expensive to deploy and sustain even when used in small, homogeneous networks. Widespread deployment in DoD will be a challenge.

In other words, DOD wants to be the biggest part of the intelligence community. But it and its budget bigger than Brazil’s GNP won’t implement the kind of solutions the rest of the intelligence community use.

Department. Of. Defense.

Now, let me be clear: DOD’s embarrassingly bad information security does not, in any way, excuse Bradley Manning or the other “bad apples” we don’t know about from their oath to protect this information. (Note, there was also testimony that showed DOD’s policies on information sharing were not uniformly accessible, but that’s minor compared to these big vulnerabilities.)

But in a world with even minimal accountability, we’d be talking about fixing this yesterday, not in 2013 (five years, after all, after the malware intrusion). We’d have fired the people who let this vulnerability remain after the malware intrusion. We’d aspire to the best kind of security, rather than declaring helplessness because our very expensive DOD systems were kluged together. And we’d be grateful, to a degree, that this was exposed with as little reported damage as it has caused.

If this information is really classified for good reason, as all the hand-wringers claim, then we ought to be using at least the kind of information security implemented by the private sector a decade ago. But we’re not. And we don’t plan on doing so anytime in the near future.