Cybersecurity

1 2 3 40

Friday Morning: Nasty Habits

I got nasty habits; I take tea at three.
— Mick Jagger

Hah. Just be careful what water you use to make that tea, Mick. Could be an entirely different realm of nasty.

Late start here, too much to read this morning. I’ll keep updating this as I write. Start your day off, though, by reading Marcy’s post from last night. The claws are coming out, the life boats are getting punctured.

Many WordPress-powered sites infected with ransomware
Your next assignment this morning: check and update applications as out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are most prone to this new wave of ransomware affecting WordPress sites. Back up all your data files to offline media in case you are hit with ransomware, and make it a habit to back up data files more frequently.

Planes inbound to the UK from regions with Zika virus may be sprayed
Take one tightly-closed oversized can, spray interior with insecticide, then insert humans before sealing for several hours. This sounds like a spectacularly bad idea to me. What about you? Yet this is what the UK is poised to do with planes flying in from areas with frequent Zika infections.

Comcast a possible smartphone service provider
NO. I don’t even have Comcast, yet I think this company is one of the worst suited to offering smartphones and service to their users. The company has expressed interest in bidding on spectrum for wireless, however. Comcast has struggled for years with one of — if not THE — worst reps for customer service. How do they think they will manage to expand their service offering without pissing off more customers?

AT&T obstructing muni broadband
No surprise here that AT&T is lobbying hard against more broadband, especially that offered by communities. The public knows there’s a problem with marketplace competition when they don’t have multiple choices for broadband, and they want solutions even if they have to build it themselves. When AT&T annoys a Republican lawmaker while squelching competition, they’ve gone too far. Keep an eye on this one as it may shape muni broadband everywhere.

Volkswagen roundup
VW delayed both its earnings report scheduled March 10th and its annual meeting scheduled April 21. The car maker says it needs more time to assess impact of the emissions control scandal on its books. New dates for the report and meeting have not been announced.

Volkswagen Financial Services, the banking arm of VW’s holding company structure which finances auto sales and leases, suffers from the ongoing scandal. Ratings firms have downgraded both the bank and parent firm. Not mentioned in the article: potential negative impact of emissions control scandal on VW’s captive reinsurer, Volkswagen Insurance Company Ltd (VICO).

Both the Justice Department and the Environmental Protection Agency filed a civil suit against VW in Detroit this week. Separate criminal charges are still possible.

That’s a wrap, I’m all caught up on my usual read-feed. Get nasty as you want come 5:00 p.m. because it’s Friday!

Data Mining Research Problem Book, Working Thread

Yesterday, Boing Boing liberated a fascinating 2011 GCHQ document from the Snowden collection on GCHQ’s partnership with Heilbronn Institute for Mathematical Research on datamining. It’s a fascinating overview of collection and usage. This will be a working thread with rolling updates.

In addition to BoingBoing’s article, I’ll update with links to other interesting analysis.

[1] The distribution list is interesting for the prioritization, with 4 NSA research divisions preceding GCHQ’s Information and Communications Technology Research unit. Note, too, the presence of Livermore Labs on the distribution list, along with an entirely redacted entry that could either be Sandia (mentioned in the body), a US university, or some corporation. Also note that originally only 18 copies of this were circulated, which raises real questions about how Snowden got to it.

[9] At this point, GCHQ was collecting primarily from three locations: Cheltenham, Bude, and Leckwith.

[9-10] Because of intake restrictions (which I believe other Snowden documents show were greatly expanded in the years after 2011), GCHQ can only have 200 “bearers” (intake points) on “sustained cover” (being tapped) at one time. Each collected at 10G a second. GCHQ cyclically turns on all bearers for 15 minutes at a time to see what traffic is passing that point (which is how they hack someone, among other things). Footnote 2 notes that analysts aren’t allowed to write up reports on this feed, which suggests research, like the US side, is a place where more dangerous access to raw data happens.

[10] Here’s the discussion of metadata and content; keep in mind that this was written within weeks of NSA shutting down its Internet dragnet, probably in part because it was getting some content.

Roughly, metadata comes from the part of the signal needed to set up the communication, and content is everything else. For telephony, this is simple: the originating and destination phone numbers are the metadata, and the voice cut is the content. Internet communications are more complicated, and we lean on legal and policy interpretations that are not always intuitive. For example, in an HTTP request, the destination server name is metadata (because it, or rather its IP address, is needed to transmit the packet), whereas the path-name part of the destination URI is considered content, as it is included inside the packet payload (usually after the string GET or POST). For an email, the to, from, cc and bcc headers are metadata (all used to address the communication), but other headers (in particular, the subject line) are content; of course, the body of the email is also content.

[10] This makes it clear how closely coming up as a selector ties to content collection. Remember, NSA was already relying on SPCMA at this point to collect US person Internet comms, which means their incidental communications would come up easily.

GCHQ’s targeting database is called BROAD OAK, and it provides selectors that the front-end processing systems can look for to decide when to process content. Examples of selectors might be telephone numbers, email addresses or IP ranges.

[11] At the Query-Focused Dataset level (a reference we’ve talked about in the past), they’re dealing with: “the 5-tuple (timestamp, source IP, source port, destination IP, destination port) plus some information on session length and size.”

[11] It’s clear when they say “federated” query they’re talking global collection (note that by this point, NSA would have a second party (5 Eyes) screen for metadata analysis, which would include the data discussed here.

[11] Note the reference to increased analysis on serious crime. In the UK there’s not the split between intel and crime that we have (which is anyway dissolving at FBI). But this was also a time when the Obama Admin’s focus on Transnational Crime Orgs increased our own intel focus on “crime.”

[12] This is why Marco Rubio and others were whining about losing bulk w/USAF: the claim that we are really finding that many unknown targets.

The main driver in target discovery has been to look for known modus operandi (MOs): if we have seen a group of targets behave in a deliberate and unusual way, we might want to look for other people doing the same thing.

Continue reading

Thursday Morning: Better than a Week

You know the joke: 4:30 p.m. is better than an hour away from 5:00 p.m., right? Thursday is better than a week away from the weekend. For folks traveling home for the Lunar New Year holiday in China, there are four days left to get home, and the train stations are crazy-full. But today is better than five days away from family and friends.

Goldman Sachs questions capitalism
YEAH. I KNOW. I did a double-take when I read the hed on this piece. In a GS analysts’ note they wrote, “There are broader questions to be asked about the efficacy of capitalism.” They’re freaking out because the market isn’t acting the way it’s supposed to, where new entrants respond to fat margins generated by first-to-market or mature producers.

I wonder how much longer it will take them to realize they killed the golden goose with their plutocratic rewards for oligopolies? How long before they realize this isn’t capitalism at all?

Whistleblower tells Swiss (and banks) to get over themselves on whistleblowing
Interviewed last week, former UBS banker Bradley Birkenfeld said, “We have to make some changes in Switzerland — it’s long overdue … The environment there is hostile toward people exposing corruption.” Birkenfeld’s remarks prod Swiss lawmakers currently at work on whistleblowing legislation. When passed, the law is not expected to offer protections employees have in the U.S. and the UK (and we know those are thin and constantly under attack). But perhaps the law will prevent cases like Nestle SA’s suit against a former executive who disclosed food safety risks. That suit and another alleging a former UBS employee libeled the bank may be affected assuming the EU adopts the same approach toward whistleblowing and corruption reduction.

“Computer failure” at IRS halts acceptance of tax return e-filings
No details about the nature of the “computer failure” apart from a “hardware problem” or “hardware failure” appeared in any reports yesterday afternoon and overnight. The IRS expects to have repairs completed today to allow e-filings once again; filings already submitted are not affected.

FBI agent on new car purchases: entering ‘wild, wild west’
Four cybersecurity experts spoke at a meeting of the Automotive Press Association in Detroit yesterday, one of whom was an FBI cyber squad agent. The feedback from the speakers wasn’t reassuring, apart from the observation by a specialist from a start-up automotive cyber security firm that they did not know of a “real world incident where someone’s vehicle was attacked and taken over remotely by someone hacking into the vehicle.” A lawyer whose firm handles automotive industry cyber threats undercut any feeling of relief with an observation that judges aren’t savvy about cyber crime on vehicles. I think I’ll stick with my old school car for a while longer.

The Repair Coalition formed to protect the ‘Right to Repair’
Speaking of old school car, I hope I can continue to get it repaired in the future without worrying about lawsuits for copyright violations. We’ve already seen tractor owners in conflict with John Deere over repairs, and exemptions to copyright for repair have been granted only after tedious and costly effort, and then to the farmer only, not to their mechanic. Hence the emergence of The Repair Coalition, which takes aim at repealing the DMCA’s Section 1201 — terms in it make it illegal to “circumvent a technological measure that effectively controls access to a work protected under [the DMCA].”

It’s long been an American ethic to “Use it up, wear it out, make do, or do without,” an ethic we need to restore to primacy if we are to reduce our CO2 footprint. Repairing rather than tossing goods is essential to our environmental health, let alone a necessity when wages for lower income workers remain stagnant.

That’s a wrap — I could go on but now we’re better than a day away from Friday. Whew.

Wednesday Morning: Full of Whoa

CapagnoloFrontBrakes_BillGracey-FlickrWhoa. Halt. Stop. The brakes need firm application, even mid-week.

Zika virus infects media with crappy reporting
I can’t tell you how many times in the last 24 hours I yelled at my computer, “Are you f****** kidding me with this crap?” With so many news outlets focused on hot takes rather than getting the story right, stupidity reached pandemic levels faster than mosquito-borne viruses. And all because Dallas County health officials and the Center for Disease Control used the words “sexually transmitted” in reference to a new Zika case in the U.S.

The following sampling of heds, tweets, and reports? WRONG.

  • US reports first case of sexually transmitted Zika in Texas (Gizmodo, io9)
    [Not the first sexually transmitted case in the U.S., just the first in Texas]
  • First US case of the Zika virus infection was sexually transmitted, officials say (Verge)
    [Not the first U.S. case of Zika virus]
  • The first known case of the #ZikaVirus contracted within the US confirmed in Dallas (Newsweek)
    [Not the first known case of Zika contracted within the U.S.]
  • The first case of the #ZikaVirus contacted within the US was through sexual transmission (Newsweek)
    [Neither the first sexually transmitted case in the U.S. or the first contracted within the U.S.]
  • The First Sexually Transmitted Case of the Zika Virus Is Confirmed in Texas (Slate)
    [Not the first sexually transmitted case in the U.S.]

The first case in which Zika virus was contracted inside the continental U.S. occurred in 2008. This was the first sexual transmission of the virus in the continental U.S. as well. Scientist Brian Foy had been studying Zika in Senegal during an outbreak; he had been infected by the virus, became ill, and was still carrying the virus when he came home to Colorado. His wife became infected though she had not traveled abroad, had not been bitten by a mosquito, and children residing in their home did not contract the virus. More details on the case can be found here.

The first cases of Zika virus in the U.S. in this outbreak were not locally transmitted inside the U.S., but contracted outside the continental 48 states and diagnosed on return here. States in which cases have been reported include Hawaii, New York, Virginia, Arkansas, Florida, and now Texas — in the case of the traveler who brought the disease home and infected their partner through sex.

It’s incredible how very little effort many news outlets put into researching the virus’ history or the case in Texas. Bonus points to Newsweek for trying to get it wrong in multiple tweets for the same story.

Best reporting I’ve read so far has been WaPo’s piece on the new Dallas cases, and WIRED’s collection of Zika reports. The CDC’s site on the Zika virus can be found here.

Gonna’ be a massive Patch Day for F-35 sometime soon
Whether or not Monday’s earthshaking sonic booms over New Jersey were generated by F-35 test flights, there’s still a long and scary list of bugs to be fixed on the fighter jet before it is ready for primetime. Just read this; any pilot testing these now is either a stone-cold hero, or a crazed numbnuts, and they’d better weigh between 136 and 165 pounds to improve their odds of survival.

Oral Roberts University mandates students wear FitBits for tracking
Guess the old “Mark of the Beast” is interpreted loosely at ORU in Oklahoma. Fitness is measured on campus by more than theological benchmarks. Begs the question: who would Jesus monitor?

The last straw: Fisher Price Wi-Fi-enabled toys leave kids’ info out in the open
Fisher Price is the fourth known manufacturer of products aimed at children and their families in which the privacy and safety of children were compromised by poor information security. In this case, Smart Toy Bears are leaking information about their young owners. Maybe it’s about time that either the FCC or FTC or Congress looks into this trend and the possibility toy makers are not at all concerned with keeping their youngest customers safe.

EDIT: #FlintWaterCrisis
Forgot to note the House Oversight and Government Reform Committee will hold a hearing on lead contaminated drinking water in Flint, Michigan at 9:00 a.m. EST. C-SPAN3 will carry the hearing live.

Tap the brakes a few more times before you take off, eh? It’s all downhill from here.

NSA Reorganizing in Manner that Directly Conflicts with President’s Review Group Recommendation

Back in 2013, the President’s Review Group recommended that NSA’s defensive function — the Information Assurance Directorate — be removed from NSA. I’ve put the entirety of that recommendation below, but PRG recommended the change to:

  • Eliminate the conflict of interest between NSA’s offensive and defense functions
  • Eliminate the asymmetry between the two functions, which can lead the defensive function to be less visible
  • Rebuild trust with outside cybersecurity stakeholders

Not only didn’t President Obama accept that recommendation, but he pre-empted it in several ways, before the PRG could publicly release their findings.

[O]n Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panelPresident Obama set up in August to review the NSA’s activities in response to theEdward Snowden leaks.

The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were “still being finalized”). The biggest news item were reports about a recommendation that the director of the NSA(Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.

Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.

By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split.

Today, Ellen Nakashima reports that NSA will go further still, and completely merge its offensive and defensive missions.

In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.

[snip]

Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.

“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”

But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature.

Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger “sigint” collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.

While Nakashima presents some conflicting views on whether IAD will be able to cooperate with industry, none of the comments she includes addresses the larger bureaucratic issue: that defense is already being shortchanged in favor of the glitzier offensive function.

But Edward Snowden did weigh in, in response to a comment I made on this onTwitter.

When defense is an afterthought, it’s not a National Security Agency. It’s a National Spying Agency.

It strikes me this NSA reorganization commits the country to a particular approach to cybersecurity that will have significant ramifications for some time. It probably shouldn’t be made with the exclusive review of the Intelligence Committees mostly in secret.


We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.

In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.

We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.

A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.

Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.

There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to  block penetration. Such collaboration could and must occur even if IAD is organizationally separate.

In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress. Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.

Tuesday Morning: Don’t Drive Angry

Okay, campers, rise and shine! It’s Groundhog Day! Like that genius film Groundhog Day we are stuck in an unending, repeating hell — like the dark circus that is our general election cycle in the U.S.

The lesson: it’s hell by choice. Let’s choose better. What’ll we choose today?

BPS, replacement for plastic additive BPA, not so safe after all
Here’s a questionable choice we could examine: using BPS in “BPA-free” plastics. A study by Geffen School of Medicine at UCLA found that BPS negatively affects reproductive organs and increased the likelihood of “premature birth” in zebrafish, accelerating development of the embryos. Relatively small amounts and short exposures produced effects.

As disturbing as this finding may be, the FDA’s approach to BPA is worrisome. Unchanged since 2014 in spite of the many studies on BPA, the FDA’s website says BPA is safe. Wonder how long it will be before the FDA’s site says BPS is likewise safe?

Exoskeleton assists paraplegic for only $40,000
Adjustable to its wearer’s body, SuitX’s exoskeleton helps paraplegic users to walk, though crutches are still needed. It’s not a perfect answer to mobility given the amount of time it takes to put on the gear, but it could help paraplegics avoid injuries due to sitting for too long in wheelchairs. It’s much less expensive than a competing exoskeleton at $70K; the price is expected to fall over time.

SuitX received an NSF grant of $750,000 last April for its exoskeleton work. Seems like a ridiculous bargain considering how much we’ve already invested in DARPA and other MIC-development of exoskeletons with nothing commercial to show for it. Perhaps we should choose to fund more NSF grants instead of DOD research?

Patches and more patches — Cisco, Android, Microsoft

Dudes behaving badly

  • Former Secret Service agent involved in the Silk Road investigation and later charged with theft of $800K in Bitcoins has been arrested just one day before he was to begin serving his sentence for theft. This Silk Road stuff is a movie or cable series waiting to happen.
  • Massachusett’s Rep. Katherine Clark, who proposed the Interstate Swatting Hoax Act last November, was swatted this weekend. Fortunately, the local police used a low-key approach to the hoax call. Way to make the case for the bill‘s passage, swatters, let alone increased law enforcement surveillance.

I know I’ve missed something I meant to post, but I’ll choose to post it tomorrow and crawl back into my nest this morning to avoid my shadow. In the meantime, don’t drive angry!

A Whole Lot of Inspector General Scrutiny on Intelligence Community Networks

Between this report, released today, on DOD Inspector General’s ongoing work and the Intelligence Community’s Inspector General Semiannual report, released in mid-January, the Intelligence Community is doing a whole bunch of audits and inspections of its own network security, some of them mandated by Congress. And there are at least hints that all is not well in the networks that enable the Intelligence Community to share profusely.

The most interesting description of a report from ICIG’s Semiannual review, for example, suggests that, given the IC’s recent move to share everything on an Amazon-run cloud, the bad security habits of some elements of the IC are exposing other elements within the IC.

AUD-2015-006: Transition to the Intelligence Community Cloud Audit

The DNI, along with Intelligence Community leadership, determined that establishing a common IT architecture across the IC could advance intelligence integration, information sharing, and enhance security while creating efficiencies. This led to the Intelligence Community Information Technology Enterprise, an IC-wide initiative coordinated through the Office of the Intelligence Community Chief Information Officer. IC ITE’s sharing capability is enabled by a cloudbased architecture known as the IC Cloud – a secure resource delivering IT and information services and capabilities to the entire community. The cloud will allow personnel to share data, systems, and applications across the IC. The IC elements’ effective transition to the IC ITE cloud environment is key to achieving the initiative’s overarching goals and as such, systems working together in a cloud environment creates potential security concerns.

In particular, information system security risks or vulnerabilities to one IC element operating within IC ITE may put all IC elements at risk. Information from a joint IG survey of 10 IC elements suggested that the elements may have the differing interpretations of policies and requirements, or are not fully aware of their responsibilities for transitioning to the IC Cloud. As a result of these preliminary observations, IC IG initiated an audit that will: 1. Assess how the IC elements are planning to transition to the IC ITE Cloud environment; 2. Determine IC elements’ progress in implementing cloud transition plans; and, 3. Compare how IC elements are applying the risk management framework to obtain authorizations to operate on the IC Cloud. We plan to issue a report by the end of the first quarter of FY 2017. [my emphasis]

The IC is banking quite a bit on being able to share safely within the cloud. I would imagine that fosters a culture of turf war and recriminations for any vulnerabilities. It certainly seems that this report arises out of problems — or at least the identification of potential problems — arising from the move to the cloud. Note that this report won’t be completed until the end of this calendar year.

Then there’s this report, which was mandated in a classified annex of the Intelligence Authorization passed in December and, from the looks of things, started immediately.

Audit of Controls Over Securing the National Security Agency Network and Infrastructure (Project No. D2016-DOOORC-0072.000)

We plan to begin the subject audit in January 2016. Our objective is to determine whether initiatives implemented by the National Security Agency are effective to improve security over its systems, data, and personnel activities. Specifically, we will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. The classified annex to accompany H.R. 2596, the Intelligence Authorization Act for Fiscal Year 2016, contained a Department of Defense Inspector General classified reporting requirement. This audit is the first in a series. We will consider suggestions from management on additional or revised objectives.

It seems to be an assessment — the first in a series — of whether limits on privileged access to NSA systems are working. This may well be a test of whether the changes implemented after the Snowden leak (such as requiring two parties to be present when performing functions in raw data, such as required on dragnet intake) have mitigated what were some obviously huge risks.

I’m mostly curious about the timing of this report. You would have thought the implementation of such controls would come automatically with some kind of audit, but they’re just now, 2.5 years later, getting around to that.

Here are some other reports from the ICIG report, the latter three of which indicate a real focus on information sharing.

AUD-2015-007: FY 2015 Consolidated Federal Information Security Modernization Act of 2014 Capstone Reports for Intelligence Community Elements’ Inspectors General

This project will focus on FY 2015 FISMA report submissions from the OIGs for the IC elements operating or exercising control of national security systems. We will summarize 11 IC elements’ information security program strengths and weaknesses; identify the cause of the weaknesses in these programs, if noted by the respective OIGs; and provide a brief summary of the recommendations made for IC information security programs. To perform this evaluation, we will apply the Department of Homeland Security FY 2015 IG FISMA metrics for ten information security program areas.

1. Continuous Monitoring Management 2. Security Configuration Management 3. Identity and Access Management 4. Incident Response and Reporting 5. Risk Management 6. Security Training 7. Plan of Action and Milestones 8. Remote Access Management 9. Contingency Planning 10. Contractor Systems We will issue our report by the end of the first quarter of FY 2016

INS-2015-004: Inspection: Office of the Intelligence Community Chief Information Officer

The IC CIO is accountable for overall formulation, development, and management of the Intelligence Community Information Technology Enterprise. The scope of our review was limited and informed by a concurrent IC IG Audit survey of IC ITE, as well as an ongoing evaluation of IC ITE progress by the ODNI Systems and Resources Analyses office. Additional details of this report are in the classified annex.

INS-2015-005: Joint Evaluation of Field Based Information Sharing Entities

Along with our OIG partners at the Departments of Justice and Homeland Security, we are evaluating federally supported entities engaged in field-based domestic counterterrorism, homeland security, and information sharing activities in conjunction with state, tribal, and local law enforcement agencies. This review is in response to a request from Senate committees on Intelligence, Judiciary, Homeland Security and Governmental Affairs. We will issue our report during FY 2016.

INS-2015-006: Inspection: ODNI Office of the Program Manager–Information Sharing Environment

We last inspected the ODNI PM-ISE office in 2013 and are conducting a follow-up review with a focus on resource management.

How the Purpose of the Data Sharing Portal Changed Over the OmniCISA Debate

Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.

Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.

I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.

With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.

With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.

While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.

[snip]

Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.

It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though the move of the clearances function, along with the budget OPM had been asking for to do it right but not getting, to DOD earlier in January, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.

Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.

  1. CISA in Context: Privacy Protections and the Portal

  2. CISA in Context: The Voluntary Sharing Model and that “Other” Portal
  3. CISA in Context: Government Use and What Really Matters for Civil Liberties

Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.

So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?

Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?

At long last DHS has publically unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.

Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.

Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.

Its concerns included:

  • Because companies could share with other agencies, the bill permitted sharing content with law enforcement. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
  • The bill permitted companies to share more information than that permitted under the existing portal. “Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator.”
  • Because the bill required sharing in real time rather than in near-real time, it would mean DHS could not do all the privacy scrubs it was currently doing. “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”
  • Sharing in real rather than near-real time also means participants might get overloaded with extraneous information (something that has made existing info-sharing regimes ineffective). “If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.”
  • The bill put the Attorney General, not DHS, in charge of setting the rules for the portal. “Since sharing cyber threat information with the private sector is primarily within DHS’s mission space, DHS should author the section 3 procedures, in coordination with other entities.”
  • The 90-day implementation timeline was too ambitious; according to DHS, the bill should provide for an 180-day implementation. “The 90-day timeline for DHS’s deployment of a process and capability to receive cyber threat indicators is too ambitious, in light of the need to fully evaluate the requirements pertaining to that capability once legislation passes and build and deploy the technology.”

As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.

Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.

All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.

Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.

Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.

In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.

Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.

At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXXI fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies, if other agencies are not reasonable DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.

This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.

Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.

Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90 day turnaround. But in addition, OmniCISA required DHS and the Attorney General develop their interim set of guidelines within 60 days (which as it happened included the Christmas holiday). That 60 deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90 day deadline (so March 18). But he can give a 30 day notice that’s going to happen beforehand. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that that’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.

Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.

Hennssey’s seeming admission that’s the eventual likelihood appears over the course of her posts as well. In her first post, she claims,

From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.

But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.

[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

[snip]

AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.

That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.

In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.

But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.

[snip]

That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.

To some degree, Hennessey’s ultimate conclusion is one area where privacy (and security) advocates might weigh in. When the government provides Congress the interim guidelines sometime this month, privacy (and security) advocates might have an opportunity to weigh in, if they get a copy of the guidelines. But only the final guidelines are required to be made public.

And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.

Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.

Monday Morning: Java Junky Jonesing

This morning will not launch without coffee. I don’t care how you deliver it, just bring it or nothing will start and finish today without it.

Need more of it than usual given the wacky stuff I’ve been reading into the wee hours over the weekend — like this stuff:

Former DHS Secretary now University of California prez surveils staff emails
Holy cats. This is ugly. After an alleged network security breach in June last year at UCLA’s medical center, an outside party was contracted by University of California president Janet Napolitano to monitor networks at all of University of California’s campuses. Collection of content both inbound and outbound, in violation of UoC-Berkeley’s IT policy, is alleged. UCOP has been opaque about the reason for the monitoring or data collection. Keep an eye on this case.

DDoS attack on HSBC crimps UK freelancers’ tax filing
The end of January in the United Kingdom is the filing deadline for the self-employed. Unfortunately, those who banked with HSBC lost access to their records for roughly four hours on Friday due to a distributed denial of service (DDoS) attack. It’s the second service outage inside a month for HSBC. The last outage lasted roughly two days but was not attributed to a DDoS.  If UK lawmakers were testy after the first outage in January, they’re going to be ugly today.

Oil crash: massive wealth transfer, or increased dependency on oil?
Francisco Blanch, Commodities and Derivatives Strategist at BofA Merrill Lynch, claims plummeting oil prices have transferred roughly $3 trillion to consumers away from oil producers, and the resulting uptick in consumption will spur the economy. This assumption neatly ignores the likelihood consumers will have to pay one way or another for increasing losses due to unchecked climate change. Buying more insurance against weather damage and paying more taxes to replace infrastructure, as well as paying more for food due to crop losses won’t stimulate anything but consumer frustration.

War of words inside military about F-35’s readiness
In a December memo, the Defense Department’s director of operational test and evaluation Michael Gilmore wrote that the Joint Program Office’s July 2017 deadline for the F-35 jet’s full warfighting capability is “not realistic.” Software completion, testing and debugging is the risk. Folks in JPO are pushing back, with at least one official grousing online. So not cool, JPO. Address the concerns and then get to work on that software. Americans are paying for a working jet, not trash talk on Facebook.

Speaking of military…Sonic boom(s) caused minor earthquake in New Jersey
Just for fun, browse through a Twitter search for tweets from last Friday. Something caused more than one sonic boom — perhaps as many as nine — loud enough to register as an earthquake on USGS’ meters. At first, the military said it knew nothing about it, claiming there are no training exercises or other missions in the area. NASA’s Wallops Flight Facility-Virginia, Federal Aviation Administration, and the North American Aerospace Defense Command had no knowledge of flights in the area capable of generating sonic booms. But then the Navy piped up later, saying the Naval Test Wing Atlantic had been conducting test flights. Though not named, the F-35 fighter is believed to be the source of the booms. Were JPO and Lockheed Martin trying to make a rather loud and indiscreet point?

Or were the sonic booms due to some other unknown/unspecified cause, given Joint Base McGuire-Dix-Lakehurst’s inability to explain the booms when asked? USGS’ website is still taking feedback from folks in New Jersey — did you feel the earth move, too?

Time to taper off from espresso and move to an Americano. Hope your Monday is as caffeinated as you need it to be.

Friday Morning: Know When to Fight

Sun Tzu said,

“There are five occasions when victory can be foretold: When the general knows the time to fight and when not to fight…”

Fridays are lousy times for fights, eh? Unless it’s just for fun.

Speaking of fun…

Oil crash wreaking havoc with MIC
Huh. Who could have guessed when buyers of defense goods suffer deep cuts in income, their suppliers feel the same pinch?

Kolkata-based call center workers arrested for telecom fraud
Some cyberthreats aren’t malware or hackers, but human beings with ready access to customers’ personal information and banking. In this case, three call center employees at Wipro-India working on UK accounts committed fraud of undisclosed nature, costing thousands of pounds. Seems to me these folks couldn’t have been too bright, traceability should have been easy. And being located in India offered no protection for either the criminals or the victims.

Zika virus may be transmitted sexually?
At least two cases so far suggest the virus may be transferred between partners during sex. One case involved a Colorado State University researcher who came down with Zika in 2008 after infection in Senegal. His wife came down with it after he came home from abroad; both tested positive for Zika antibodies. His children in the same household did not get sick, however.

Ukrainian power plant attackers now using BlackEnergy-infected Word documents
Though earlier attempts to launch BlackEnergy relied on Powerpoint and Excel documents, the attackers now use Word documents — but all document types contained macros that were enabled. Kaspersky’s SecureList says the entities most at risk for BlackEnergy infection are:

  • ICS, Energy, government and media in Ukraine
  • ICS/SCADA companies worldwide
  • Energy companies worldwide

At some point, this will move beyond energy and government targets. Keep your software patched and updated, run antivirus frequently, don’t open emails or documents you weren’t expecting, and only enable macros after validating the document’s source. This is pretty much standard operating practice for the last decade if you’ve been smart.

If you’re looking for something to read this weekend, you might try comparing two different translations of Sun Tzu’s The Art of War. The quote I used above is from the E. F. Calthrop version; the same bit in the Lionel Giles version renders,

“Thus we may know that there are five essentials for victory: … He will win who knows when to fight and when not to fight. …”

The Giles version is both more simplistic — at some points too much so — but filled with supplemental commentators’ content fleshing out interpretation. Relevant to political and business warfare, as much as traditional and asymmetric warfare today.

Save me a seat at the bar at the end of the day!

1 2 3 40
Emptywheel Twitterverse
bmaz @billmon1 @jaolson28 ...for Sanders. Few more like that, and with Sanders econ message, it is possible there's some movement. Dunno.
4mreplyretweetfavorite
bmaz @billmon1 @jaolson28 Well I live where Hispanics are a healthy demo, and they are still pretty much Clinton. But Raul Grijalva is big catch
5mreplyretweetfavorite
bmaz @billmon1 @jaolson28 Agree. And if Sanders keeps making inroads with non-whites, which is entirely possible, she might be in real trouble.
9mreplyretweetfavorite
bmaz @Pachacutec_ @billmon1 @jaolson28 That Clinton way. But that will really piss off Sanders youth+movement people who'll be needed for general
18mreplyretweetfavorite
bmaz @billmon1 @jaolson28 Though I do suspect there is still some truth that the POC vote gives her a firewall in south and southwest.
21mreplyretweetfavorite
bmaz @AlGiordano I'll work on that.
23mreplyretweetfavorite
bmaz @billmon1 @jaolson28 But that is so Clinton isn't it? She lashed out when she could have moved toward Sanders stronger.
24mreplyretweetfavorite
bmaz @AlGiordano My apologies then; most every other Clinton supporter said differently.
27mreplyretweetfavorite
bmaz @billmon1 @jaolson28 Whatever the reason or reasons, and even if it is off slightly, the movement is pretty darn stunning.
31mreplyretweetfavorite
bmaz RT @billmon1: .@jaolson28 Get this: Looks like almost entirely white female voters who've shifted. Sanders goes from tied among them to abo…
33mreplyretweetfavorite
bmaz RT @billmon1: Have some confirmation on Quinnipiac poll from this morning. Reuters/Ipsos: Clinton: 48 Sanders: 45 Seems to be real https://…
34mreplyretweetfavorite
February 2016
S M T W T F S
« Jan    
 123456
78910111213
14151617181920
21222324252627
2829