You know the joke: 4:30 p.m. is better than an hour away from 5:00 p.m., right? Thursday is better than a week away from the weekend. For folks traveling home for the Lunar New Year holiday in China, there are four days left to get home, and the train stations are crazy-full. But today is better than five days away from family and friends.
Goldman Sachs questions capitalism
YEAH. I KNOW. I did a double-take when I read the hed on this piece. In a GS analysts’ note they wrote, “There are broader questions to be asked about the efficacy of capitalism.” They’re freaking out because the market isn’t acting the way it’s supposed to, where new entrants respond to fat margins generated by first-to-market or mature producers.
I wonder how much longer it will take them to realize they killed the golden goose with their plutocratic rewards for oligopolies? How long before they realize this isn’t capitalism at all?
Whistleblower tells Swiss (and banks) to get over themselves on whistleblowing
Interviewed last week, former UBS banker Bradley Birkenfeld said, “We have to make some changes in Switzerland — it’s long overdue … The environment there is hostile toward people exposing corruption.” Birkenfeld’s remarks prod Swiss lawmakers currently at work on whistleblowing legislation. When passed, the law is not expected to offer protections employees have in the U.S. and the UK (and we know those are thin and constantly under attack). But perhaps the law will prevent cases like Nestle SA’s suit against a former executive who disclosed food safety risks. That suit and another alleging a former UBS employee libeled the bank may be affected assuming the EU adopts the same approach toward whistleblowing and corruption reduction.
“Computer failure” at IRS halts acceptance of tax return e-filings
No details about the nature of the “computer failure” apart from a “hardware problem” or “hardware failure” appeared in any reports yesterday afternoon and overnight. The IRS expects to have repairs completed today to allow e-filings once again; filings already submitted are not affected.
FBI agent on new car purchases: entering ‘wild, wild west’
Four cybersecurity experts spoke at a meeting of the Automotive Press Association in Detroit yesterday, one of whom was an FBI cyber squad agent. The feedback from the speakers wasn’t reassuring, apart from the observation by a specialist from a start-up automotive cyber security firm that they did not know of a “real world incident where someone’s vehicle was attacked and taken over remotely by someone hacking into the vehicle.” A lawyer whose firm handles automotive industry cyber threats undercut any feeling of relief with an observation that judges aren’t savvy about cyber crime on vehicles. I think I’ll stick with my old school car for a while longer.
The Repair Coalition formed to protect the ‘Right to Repair’
Speaking of old school car, I hope I can continue to get it repaired in the future without worrying about lawsuits for copyright violations. We’ve already seen tractor owners in conflict with John Deere over repairs, and exemptions to copyright for repair have been granted only after tedious and costly effort, and then to the farmer only, not to their mechanic. Hence the emergence of The Repair Coalition, which takes aim at repealing the DMCA’s Section 1201 — terms in it make it illegal to “circumvent a technological measure that effectively controls access to a work protected under [the DMCA].”
It’s long been an American ethic to “Use it up, wear it out, make do, or do without,” an ethic we need to restore to primacy if we are to reduce our CO2 footprint. Repairing rather than tossing goods is essential to our environmental health, let alone a necessity when wages for lower income workers remain stagnant.
That’s a wrap — I could go on but now we’re better than a day away from Friday. Whew.
Zika virus infects media with crappy reporting
I can’t tell you how many times in the last 24 hours I yelled at my computer, “Are you f****** kidding me with this crap?” With so many news outlets focused on hot takes rather than getting the story right, stupidity reached pandemic levels faster than mosquito-borne viruses. And all because Dallas County health officials and the Center for Disease Control used the words “sexually transmitted” in reference to a new Zika case in the U.S.
The following sampling of heds, tweets, and reports? WRONG.
The first case in which Zika virus was contracted inside the continental U.S. occurred in 2008. This was the first sexual transmission of the virus in the continental U.S. as well. Scientist Brian Foy had been studying Zika in Senegal during an outbreak; he had been infected by the virus, became ill, and was still carrying the virus when he came home to Colorado. His wife became infected though she had not traveled abroad, had not been bitten by a mosquito, and children residing in their home did not contract the virus. More details on the case can be found here.
The first cases of Zika virus in the U.S. in this outbreak were not locally transmitted inside the U.S., but contracted outside the continental 48 states and diagnosed on return here. States in which cases have been reported include Hawaii, New York, Virginia, Arkansas, Florida, and now Texas — in the case of the traveler who brought the disease home and infected their partner through sex.
It’s incredible how very little effort many news outlets put into researching the virus’ history or the case in Texas. Bonus points to Newsweek for trying to get it wrong in multiple tweets for the same story.
Gonna’ be a massive Patch Day for F-35 sometime soon
Whether or not Monday’s earthshaking sonic booms over New Jersey were generated by F-35 test flights, there’s still a long and scary list of bugs to be fixed on the fighter jet before it is ready for primetime. Just read this; any pilot testing these now is either a stone-cold hero, or a crazed numbnuts, and they’d better weigh between 136 and 165 pounds to improve their odds of survival.
Oral Roberts University mandates students wear FitBits for tracking
Guess the old “Mark of the Beast” is interpreted loosely at ORU in Oklahoma. Fitness is measured on campus by more than theological benchmarks. Begs the question: who would Jesus monitor?
The last straw: Fisher Price Wi-Fi-enabled toys leave kids’ info out in the open
Fisher Price is the fourth known manufacturer of products aimed at children and their families in which the privacy and safety of children were compromised by poor information security. In this case, Smart Toy Bears are leaking information about their young owners. Maybe it’s about time that either the FCC or FTC or Congress looks into this trend and the possibility toy makers are not at all concerned with keeping their youngest customers safe.
Forgot to note the House Oversight and Government Reform Committee will hold a hearing on lead contaminated drinking water in Flint, Michigan at 9:00 a.m. EST. C-SPAN3 will carry the hearing live.
Tap the brakes a few more times before you take off, eh? It’s all downhill from here.
Back in 2013, the President’s Review Group recommended that NSA’s defensive function — the Information Assurance Directorate — be removed from NSA. I’ve put the entirety of that recommendation below, but PRG recommended the change to:
Not only didn’t President Obama accept that recommendation, but he pre-empted it in several ways, before the PRG could publicly release their findings.
[O]n Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panel President Obama set up in August to review the NSA’s activities in response to the Edward Snowden leaks.
The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were “still being finalized”). The biggest news item was reports about a recommendation that the director of the NSA (Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.
Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.
By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split.
Today, Ellen Nakashima reports that NSA will go further still, and completely merge its offensive and defensive missions.
In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.
Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.
“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”
But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature.
Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger “sigint” collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.
While Nakashima presents some conflicting views on whether IAD will be able to cooperate with industry, none of the comments she includes addresses the larger bureaucratic issue: that defense is already being shortchanged in favor of the glitzier offensive function.
But Edward Snowden did weigh in, in response to a comment I made on this on Twitter.
When defense is an afterthought, it’s not a National Security Agency. It’s a National Spying Agency.
It strikes me this NSA reorganization commits the country to a particular approach to cybersecurity that will have significant ramifications for some time. It probably shouldn’t be made with the exclusive review of the Intelligence Committees mostly in secret.
We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.
In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.
We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.
A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.
Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.
There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to block penetration. Such collaboration could and must occur even if IAD is organizationally separate.
In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress. Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.
The lesson: it’s hell by choice. Let’s choose better. What’ll we choose today?
BPS, replacement for plastic additive BPA, not so safe after all
Here’s a questionable choice we could examine: using BPS in “BPA-free” plastics. A study by Geffen School of Medicine at UCLA found that BPS negatively affects reproductive organs and increases the likelihood of “premature birth” in zebrafish, accelerating development of the embryos. Relatively small amounts and short exposures produced effects.
As disturbing as this finding may be, the FDA’s approach to BPA is worrisome. Unchanged since 2014 in spite of the many studies on BPA, the FDA’s website says BPA is safe. Wonder how long it will be before the FDA’s site says BPS is likewise safe?
Exoskeleton assists paraplegic for only $40,000
Adjustable to its wearer’s body, SuitX’s exoskeleton helps paraplegic users to walk, though crutches are still needed. It’s not a perfect answer to mobility given the amount of time it takes to put on the gear, but it could help paraplegics avoid injuries due to sitting for too long in wheelchairs. It’s much less expensive than a competing exoskeleton at $70K; the price is expected to fall over time.
SuitX received an NSF grant of $750,000 last April for its exoskeleton work. Seems like a ridiculous bargain considering how much we’ve already invested in DARPA and other MIC-development of exoskeletons with nothing commercial to show for it. Perhaps we should choose to fund more NSF grants instead of DOD research?
Patches and more patches — Cisco, Android, Microsoft
Dudes behaving badly
I know I’ve missed something I meant to post, but I’ll choose to post it tomorrow and crawl back into my nest this morning to avoid my shadow. In the meantime, don’t drive angry!
Between this report, released today, on DOD Inspector General’s ongoing work and the Intelligence Community’s Inspector General Semiannual report, released in mid-January, the Intelligence Community is doing a whole bunch of audits and inspections of its own network security, some of them mandated by Congress. And there are at least hints that all is not well in the networks that enable the Intelligence Community to share profusely.
The most interesting description of a report from ICIG’s Semiannual review, for example, suggests that, given the IC’s recent move to share everything on an Amazon-run cloud, the bad security habits of some elements of the IC are exposing other elements within the IC.
AUD-2015-006: Transition to the Intelligence Community Cloud Audit
The DNI, along with Intelligence Community leadership, determined that establishing a common IT architecture across the IC could advance intelligence integration, information sharing, and enhance security while creating efficiencies. This led to the Intelligence Community Information Technology Enterprise, an IC-wide initiative coordinated through the Office of the Intelligence Community Chief Information Officer. IC ITE’s sharing capability is enabled by a cloud-based architecture known as the IC Cloud – a secure resource delivering IT and information services and capabilities to the entire community. The cloud will allow personnel to share data, systems, and applications across the IC. The IC elements’ effective transition to the IC ITE cloud environment is key to achieving the initiative’s overarching goals and as such, systems working together in a cloud environment creates potential security concerns.
In particular, information system security risks or vulnerabilities to one IC element operating within IC ITE may put all IC elements at risk. Information from a joint IG survey of 10 IC elements suggested that the elements may have the differing interpretations of policies and requirements, or are not fully aware of their responsibilities for transitioning to the IC Cloud. As a result of these preliminary observations, IC IG initiated an audit that will:
1. Assess how the IC elements are planning to transition to the IC ITE Cloud environment;
2. Determine IC elements’ progress in implementing cloud transition plans; and,
3. Compare how IC elements are applying the risk management framework to obtain authorizations to operate on the IC Cloud.
We plan to issue a report by the end of the first quarter of FY 2017. [my emphasis]
The IC is banking quite a bit on being able to share safely within the cloud. I would imagine that fosters a culture of turf war and recriminations for any vulnerabilities. It certainly seems that this report arises out of problems — or at least the identification of potential problems — arising from the move to the cloud. Note that this report won’t be completed until the end of this calendar year.
Then there’s this report, which was mandated in a classified annex of the Intelligence Authorization passed in December and, from the looks of things, started immediately.
Audit of Controls Over Securing the National Security Agency Network and Infrastructure (Project No. D2016-DOOORC-0072.000)
We plan to begin the subject audit in January 2016. Our objective is to determine whether initiatives implemented by the National Security Agency are effective to improve security over its systems, data, and personnel activities. Specifically, we will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. The classified annex to accompany H.R. 2596, the Intelligence Authorization Act for Fiscal Year 2016, contained a Department of Defense Inspector General classified reporting requirement. This audit is the first in a series. We will consider suggestions from management on additional or revised objectives.
It seems to be an assessment — the first in a series — of whether limits on privileged access to NSA systems are working. This may well be a test of whether the changes implemented after the Snowden leak (such as requiring two parties to be present when performing functions in raw data, such as required on dragnet intake) have mitigated what were some obviously huge risks.
I’m mostly curious about the timing of this report. You would have thought the implementation of such controls would come automatically with some kind of audit, but they’re just now, 2.5 years later, getting around to that.
Here are some other reports from the ICIG report, the latter three of which indicate a real focus on information sharing.
AUD-2015-007: FY 2015 Consolidated Federal Information Security Modernization Act of 2014 Capstone Reports for Intelligence Community Elements’ Inspectors General
This project will focus on FY 2015 FISMA report submissions from the OIGs for the IC elements operating or exercising control of national security systems. We will summarize 11 IC elements’ information security program strengths and weaknesses; identify the cause of the weaknesses in these programs, if noted by the respective OIGs; and provide a brief summary of the recommendations made for IC information security programs. To perform this evaluation, we will apply the Department of Homeland Security FY 2015 IG FISMA metrics for ten information security program areas.
1. Continuous Monitoring Management
2. Security Configuration Management
3. Identity and Access Management
4. Incident Response and Reporting
5. Risk Management
6. Security Training
7. Plan of Action and Milestones
8. Remote Access Management
9. Contingency Planning
10. Contractor Systems
We will issue our report by the end of the first quarter of FY 2016.
INS-2015-004: Inspection: Office of the Intelligence Community Chief Information Officer
The IC CIO is accountable for overall formulation, development, and management of the Intelligence Community Information Technology Enterprise. The scope of our review was limited and informed by a concurrent IC IG Audit survey of IC ITE, as well as an ongoing evaluation of IC ITE progress by the ODNI Systems and Resources Analyses office. Additional details of this report are in the classified annex.
INS-2015-005: Joint Evaluation of Field Based Information Sharing Entities
Along with our OIG partners at the Departments of Justice and Homeland Security, we are evaluating federally supported entities engaged in field-based domestic counterterrorism, homeland security, and information sharing activities in conjunction with state, tribal, and local law enforcement agencies. This review is in response to a request from Senate committees on Intelligence, Judiciary, Homeland Security and Governmental Affairs. We will issue our report during FY 2016.
INS-2015-006: Inspection: ODNI Office of the Program Manager–Information Sharing Environment
We last inspected the ODNI PM-ISE office in 2013 and are conducting a follow-up review with a focus on resource management.
Last year, House Homeland Security Chair Michael McCaul offered up his rear-end to be handed back to him in negotiations leading to the passage of OmniCISA on last year’s omnibus. McCaul was probably the only person who could have objected to such a legislative approach because it deprived him of weighing in as a conferee. While he made noise about doing so, ultimately he capitulated and let the bill go through — and be made less privacy protective — as part of the must-pass budget bill.
Which is why I was so amused by McCaul’s op-ed last week, including passage of OmniCISA among the things he has done to make the country more safe from hacks. Here was a guy, holding his rear-end in his hands, plaintively denying that, by claiming that OmniCISA reinforced his turf.
I was adamant that the recently-enacted Cybersecurity Act include key provisions of my legislation H.R. 1731, the National Cybersecurity Protection Advancement Act. With this law, we now have the ability to be more efficient while protecting both our nation’s public and private networks.
With these new cybersecurity authorities signed into law, the Department of Homeland Security (DHS) will become the sole portal for companies to voluntarily share information with the federal government, while preventing the military and NSA from taking on this role in the future.
With this strengthened information-sharing portal, it is critical that we provide incentives to private companies who voluntarily share known cyber threat indicators with DHS. This is why we included liability protections in the new law to ensure all participants are shielded from the reality of unfounded litigation.
While security is vital, privacy must always be a guiding principle. Before companies can share information with the government, the law requires them to review the information and remove any personally identifiable information (PII) unrelated to cyber threats. Furthermore, the law tasks DHS and the Department of Justice (DOJ) to jointly develop the privacy procedures, which will be informed by the robust existing DHS privacy protocols for information sharing.
Given DHS’ clearly defined lead role for cyber information sharing in the Cybersecurity Act of 2015, my Committee and others will hold regular oversight hearings to make certain there is effective implementation of these authorities and to ensure American’s privacy and civil liberties are properly protected.
It is true that under OmniCISA, DHS is currently (that is, on February 1) the sole portal for cyber-sharing. It’s also true that OmniCISA added DHS, along with DOJ, to those in charge of developing privacy protocols. There are also other network defense measures OmniCISA tasked DHS with — though with the move of the clearances function to DOD earlier in January, along with the budget OPM had been asking for to do it right but not getting, the government has apparently adopted a preference for moving its sensitive functions to networks DOD (that is, NSA) will guard rather than DHS. But McCaul’s bold claims really make me wonder about the bureaucratic battles that may well be going on as we speak.
Here’s how I view what actually happened with the passage of OmniCISA. It is heavily influenced by these three Susan Hennessey posts, in which she tried to convince readers that DHS’ previously existing portal ensured privacy would be protected, but by the end seemed to concede that’s not how it might work out.
Underlying the entire OmniCISA passage is a question: Why was it necessary? Boosters explained that corporations wouldn’t share willingly without all kinds of immunities, which is surely true, but the same boosters never explained why an info-sharing system was so important when experts were saying it was way down the list of things that could make us safer and similar info-sharing has proven not to be a silver bullet. Similarly, boosters did not explain the value of a system that not only did nothing to require cyber information shared with corporations would be used to protect their networks, but by giving them immunity (in final passage) if they did nothing with information and then got pawned, made it less likely they will use the data. Finally, boosters ignored the ways in which OmniCISA not only creates privacy risks, but also expands new potential vectors of attack or counterintelligence collection for our adversaries.
So why was it necessary, especially given the many obvious ways in which it was not optimally designed to encourage monitoring, sharing, and implementation from network owners? Why was it necessary, aside from the fact that our Congress has become completely unable to demand corporations do anything in the national interest and there was urgency to pass something, anything, no matter how stinky?
Indeed, why was legislation doing anything except creating some but not all these immunities necessary if, as former NSA lawyer Hennessey claimed, the portal laid out in OmniCISA in fact got up and running on October 31, between the time CISA passed the Senate and the time it got weakened significantly and rammed through Congress on December 18?
At long last DHS has publicly unveiled its new CISA-sanctioned, civil-liberties-intruding, all-your-personal-data-grabbing, information-sharing uber vacuum. Well, actually, it did so three months ago, right around the time these commentators were speculating about what the system would look like. Yet even as the cleverly-labeled OmniCISA passed into law last month, virtually none of the subsequent commentary took account of the small but important fact that the DHS information sharing portal has been up and running for months.
Hennessey appeared to think this argument was very clever, to suggest that “virtually no” privacy advocates (throughout her series she ignored that opposition came from privacy and security advocates) had talked about DHS’ existing portal. She must not have Googled that claim, because if she had, it would have become clear that privacy (and security) people had discussed DHS’ portal back in August, before the Senate finalized CISA.
Back in July, Al Franken took the comedic step of sending a letter to DHS basically asking, “Say, you’re already running the portal that is being legislated in CISA. What do you think of the legislation in its current form?” And DHS wrote back and noted that the portal being laid out in CISA (and the other sharing permitted under the bill) was different in several key ways from what it was already implementing.
Its concerns included:
As noted, that exchange took place in July (most responses to it appeared in August). While a number of amendments addressing DHS’ concerns were proposed in the Senate, I’m aware of only two that got integrated into the bill that passed: an Einstein (that is, federal network monitoring) related request, and DHS got added — along with the Attorney General — in the rules-making function. McCaul mentioned both of those things, along with hailing the “more efficient” sharing that may refer to the real-time versus almost real-time sharing, in his op-ed.
Not only didn’t the Senate respond to most of the concerns DHS raised, as I noted in another post on the portal, the Senate also gave other agencies veto power over DHS’ scrub (this was sort of the quid pro quo of including DHS in the rule-making process, and it was how Ranking Member on the Senate Homeland Security Committee, Tom Carper, got co-opted on the bill), which exacerbated the real versus almost real-time sharing problem.
All that happened by October 27, days before the portal based on Obama’s executive order got fully rolled out. The Senate literally passed changes to the portal as DHS was running it days before it went into full operation.
Meanwhile, one more thing happened: as mandated by the Executive Order underlying the DHS portal, the Privacy and Civil Liberties Oversight Board helped DHS set up its privacy measures. This is, as I understand it, the report Hennessey points to in pointing to all the privacy protections that will make OmniCISA’s elimination of warrant requirements safe.
Helpfully, DHS has released its Privacy Impact Assessment of the AIS portal which provides important technical and structural context. To summarize, the AIS portal ingests and disseminates indicators using—acronym alert!—the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). Generally speaking, STIX is a standardized language for reporting threat information and TAXII is a standardized method of communicating that information. The technology has many interesting elements worth exploring, but the critical point for legal and privacy analysis is that by setting the STIX TAXII fields in the portal, DHS controls exactly which information can be submitted to the government. If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS.
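The passage above describes the mechanism in the abstract: the portal accepts only a fixed set of designated fields, and anything a submitter puts outside those fields is discarded before it reaches the government, which is also the technical side of the PII-scrub requirement in McCaul’s op-ed. The following is an added illustration written for this post, not DHS code and not the real STIX/TAXII schema or AIS configuration; the field names, the allowlist and the sample submissions are all constructed. It shows a schema-allowlist intake filter of that kind, including the edge case where a submission has nothing left after filtering and is rejected rather than partially ingested:

```python
"""Constructed illustration of a schema-allowlist intake filter.

A submitted indicator record is reduced to a fixed set of designated
fields; anything else (including free-text fields that could carry PII)
is dropped before the record is accepted. Field names are invented for
illustration and are NOT the real STIX/TAXII schema or DHS configuration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

# Constructed allowlist of "designated fields" the intake portal accepts.
DESIGNATED_FIELDS: frozenset = frozenset({
    "indicator_type",   # e.g. "ipv4-addr", "domain", "file-hash"
    "indicator_value",
    "observed_at",
    "confidence",
    "tlp",              # traffic-light-protocol sharing marking
})

# Fields that must survive filtering for the record to be a usable indicator.
REQUIRED_FIELDS = ("indicator_type", "indicator_value")


@dataclass
class IntakeResult:
    accepted: dict            # the record as it would be ingested
    dropped: list = field(default_factory=list)   # names of discarded fields
    rejected_reason: Optional[str] = None          # set when nothing is ingested


def filter_submission(record: dict) -> IntakeResult:
    """Keep only designated fields and record what was discarded.

    If a required field is missing after filtering, the whole record is
    rejected so that no partial or unusable indicator enters the store.
    """
    accepted = {k: v for k, v in record.items() if k in DESIGNATED_FIELDS}
    dropped = sorted(k for k in record if k not in DESIGNATED_FIELDS)
    result = IntakeResult(accepted=accepted, dropped=dropped)
    for required in REQUIRED_FIELDS:
        if required not in accepted:
            result.rejected_reason = f"missing required field {required!r}"
            result.accepted = {}
            break
    return result


def process_batch(records: list) -> tuple:
    """Filter a batch of submissions; return (ingested_records, audit_lines)."""
    ingested, audit = [], []
    for i, rec in enumerate(records):
        r = filter_submission(rec)
        if r.rejected_reason:
            audit.append(f"record {i}: rejected ({r.rejected_reason}); dropped {r.dropped}")
        else:
            ingested.append(r.accepted)
            audit.append(f"record {i}: accepted; dropped {r.dropped}")
    return ingested, audit


# Constructed sample submissions (not real indicators or real people).
SAMPLE_SUBMISSIONS = [
    {   # clean indicator: every field is designated
        "indicator_type": "ipv4-addr",
        "indicator_value": "203.0.113.7",       # TEST-NET-3 documentation address
        "observed_at": "2016-01-28T14:02:00Z",
        "confidence": "medium",
        "tlp": "amber",
    },
    {   # over-shares: the analyst note and victim e-mail are not designated fields
        "indicator_type": "domain",
        "indicator_value": "malicious.example",
        "analyst_note": "seen in mail to jane.doe@example.org",
        "victim_email": "jane.doe@example.org",
        "tlp": "green",
    },
    {   # nothing indicator-like at all: rejected, not ingested as an empty record
        "victim_email": "john.roe@example.org",
        "comment": "please investigate",
    },
]

if __name__ == "__main__":
    ingested, audit = process_batch(SAMPLE_SUBMISSIONS)
    for line in audit:
        print(line)
    print(f"{len(ingested)} of {len(SAMPLE_SUBMISSIONS)} records ingested")
```

The point the filter makes concrete is that privacy protection here lives in the allowlist, not in the submitter’s good behaviour: the second record’s PII never reaches the store, and the audit line shows exactly which fields were discarded so the scrub itself is reviewable.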
In other words, the scenario is precisely the reverse of what Hennessey describes: DHS set up a portal, and then the Senate tried to change it in many ways that DHS said, before passage, would weaken the privacy protections in place.
Now, Hennessey does acknowledge some of the ways OmniCISA weakened privacy provisions that were in DHS’ portal. She notes, for example, that the Senate added a veto on DHS’ privacy scrubs, but suggests that, because DHS controls the technical parameters, it will be able to overcome this veto.
At first read, this language would appear to give other federal agencies, including DOD and ODNI, veto power over any privacy protections DHS is unable to automate in real-time. That may be true, but under the statute and in practice DHS controls AIS; specifically, it sets the STIX TAXII fields. Therefore, DHS holds the ultimate trump card because if that agency believes additional privacy protections that delay real-time receipt are required and is unable to convince fellow federal entities, then DHS is empowered to simply refuse to take in the information in the first place. This operates as a rather elegant check and balance system. DHS cannot arbitrarily impose delays, because it must obtain the consent of other agencies; if other agencies are not reasonable, DHS can cut off the information, but DHS must be judicious in exercising that option because it also loses the value of the data in question.
This seems to flip Youngstown on its head, suggesting the characteristics of the portal laid out in an executive order and changed in legislation take precedence over the legislation.
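An added illustration (not code from this post, from Lawfare, or from DHS’ AIS) of the intake control the quoted passages describe: a field allowlist drops anything outside the configured fields before ingestion, while free-text fields that cannot be scrubbed automatically are held for analyst review, which is exactly what costs real-time delivery. The field names and the sample submission are constructed, not the real STIX/TAXII schema.

```python
import re

# Constructed allowlist standing in for the portal's configured fields.
# These are illustrative names, NOT the real STIX/TAXII schema.
AUTO_ACCEPT = {"indicator_type", "indicator_value", "first_seen", "tlp"}
# Constructed: fields that can describe a threat but carry free text an
# automated scrub cannot clear; accepting them means delayed delivery.
REVIEW_REQUIRED = {"description"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_free_text(text: str) -> str:
    """Review-stage scrub applied to held fields: mask e-mail addresses."""
    return EMAIL_RE.sub("[redacted-email]", text)


def filter_submission(submission: dict) -> dict:
    """Apply the allowlist to one incoming indicator submission.

    Fields in AUTO_ACCEPT pass through untouched (real-time path).
    Fields in REVIEW_REQUIRED are scrubbed and parked for review.
    Every other field is discarded before it is stored anywhere, which
    is the "deleted before reaching DHS" behaviour described above.
    """
    accepted, held, dropped = {}, {}, []
    for field, value in submission.items():
        if field in AUTO_ACCEPT:
            accepted[field] = value
        elif field in REVIEW_REQUIRED:
            held[field] = redact_free_text(str(value))
        else:
            dropped.append(field)
    return {
        "accepted": accepted,
        "held_for_review": held,
        "dropped_fields": sorted(dropped),
        # The submission can be forwarded in real time only if nothing
        # is waiting on a human reviewer.
        "real_time": not held,
    }


# Constructed submission: a legitimate indicator padded with PII that a
# careless submitter might attach.
SAMPLE_SUBMISSION = {
    "indicator_type": "domain",
    "indicator_value": "malicious.example",
    "first_seen": "2016-01-15T10:00:00Z",
    "tlp": "amber",
    "description": "Phish reported by jane.doe@example.com on shared mailbox",
    "victim_name": "Jane Doe",
    "employee_ssn": "000-00-0000",
}

if __name__ == "__main__":
    result = filter_submission(SAMPLE_SUBMISSION)
    print("accepted:", result["accepted"])
    print("held:", result["held_for_review"])
    print("dropped:", result["dropped_fields"])
    print("real-time delivery:", result["real_time"])
```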
Moreover, while Hennessey does discuss the threat of the other portal — one of the features added in the OmniCISA round with no debate — she puts it in a different post from her discussion of DHS’ purported control over technical intake data (and somehow portrays it as having “emerged from conference with the new possibility of an alternative portal” even though no actual conference took place, which is why McCaul is stuck writing plaintive op-eds while holding his rear-end). This means that, after writing a post talking about how DHS would have the final say on protecting privacy by controlling intake, Hennessey wrote another post that suggested DHS would have to “get it right” or the President would order up a second portal without all the privacy protections that DHS’ portal had in the first place (and which it had already said would be weakened by CISA).
Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.
Elsewhere, Hennessey admits that many in government think DHS is a basket-case agency (an opinion I’m not necessarily in disagreement with). So it’s unclear how DHS would retain any leverage over the veto given that exercising such leverage would result in DHS losing this portfolio altogether. There was a portal designed with privacy protections, CISA undermined those protections, and then OmniCISA created yet more bureaucratic leverage that would force DHS to eliminate its privacy protections to keep the overall portfolio.
Plus, OmniCISA did two more things. First, as noted, back in July DHS said it would need 180 days to fully tweak its existing portal to match the one ordered up in CISA. CISA and OmniCISA didn’t care: the bill and the law retained the 90-day turnaround. But in addition, OmniCISA required DHS and the Attorney General to develop their interim set of guidelines within 60 days (which, as it happened, included the Christmas holiday). That 60-day deadline is around February 16. The President can’t declare the need for a second portal until after the DHS one gets certified, which has a 90-day deadline (so March 18). But he can give 30 days’ notice beforehand that that’s going to happen. In other words, the President can determine, after seeing what DHS and AG Lynch come up with in a few weeks, that it’s going to be too privacy restrictive and tell Congress FBI needs to have its own portal, something that did not and would not have passed under regular legislative order.
Finally, as I noted, PCLOB had been involved in setting up the privacy parameters for DHS’ portal, including the report that Hennessey points to as the basis for comfort about OmniCISA’s privacy risk. In final passage of OmniCISA, a PCLOB review of the privacy impact of OmniCISA, which had been included in every single version of the bill, got eliminated.
Hennessey’s seeming admission that this is the eventual likelihood appears over the course of her posts as well. In her first post, she claims,
From a practical standpoint, the government does not want any information—PII or otherwise—that is not necessary to describe or identify a threat. Such information is operationally useless and costly to store and properly handle.
But in explaining the reason for a second portal, she notes that there is (at least) one agency included in OmniCISA sharing that does want more information: FBI.
[T]here are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.
AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime.
That is, having decided that the existing portal wasn’t good enough because it didn’t offer enough immunities (and because it was too privacy protective), the handful of mostly Republican leaders negotiating OmniCISA outside of normal debate then created the possibility of extending those protections to a completely different kind of information sharing, that of content shared for law enforcement.
In her final post, Hennessey suggests some commentators (hi!!) who might be concerned about FBI’s ability to offer immunity for those who share domestically collected content willingly are “conspiracy-minded” even while she reverts to offering solace in the DHS portal protections that, her series demonstrates, are at great risk of bureaucratic bypass.
But these laws encompass a broad range of computer crimes, fraud, and economic espionage – most controversially the Computer Fraud and Abuse Act (CFAA). Here the technical constraints of the AIS system cut both ways. On one hand, the scope of cyber threat indicators shared through the portal significantly undercuts claims CISA is a mass surveillance bill. Bluntly stated, the information at issue is not of all that much use for the purposes certain privacy-minded – and conspiracy-minded, for that matter – critics allege. Still, the government presumably anticipates using this information in at least some investigations and prosecutions. And not only does CISA seek to move more information to the government – a specific and limited type of information, but more nonetheless – but it also authorizes at least some amount of new sharing.
That question ultimately resolves to which STIX TAXII fields DHS decides to open or shut in the portal. So as CISA moves towards implementation, the portal fields – and the privacy interests at stake in the actual information being shared – are where civil liberties talk should start.
To some degree, Hennessey’s ultimate conclusion does point to one area where privacy (and security) advocates might weigh in: when the government provides Congress the interim guidelines sometime this month, advocates might have an opportunity to respond, if they get a copy of the guidelines. But only the final guidelines are required to be made public.
And by then, it would be too late. Through a series of legislative tactics, some involving actual debate but some of the most important simply slapped onto a must-pass legislation, Congress has authorized the President to let the FBI, effectively, obtain US person content pertaining to Internet-based crimes without a warrant. Even if President Obama chooses not to use that authorization (or obtains enough concessions from DHS not to have to directly), President Trump may not exercise that discretion.
Maybe I am being conspiratorial in watching the legislative changes made to a bill (and to an existing portal) and, absent any other logical explanation for them, concluding those changes are designed to do what they look like they’re designed to do. But it turns out privacy (and security) advocates weren’t conspiratorial enough to prevent this from happening before it was too late.
Need more of it than usual given the wacky stuff I’ve been reading into the wee hours over the weekend — like this stuff:
Former DHS Secretary now University of California prez surveils staff emails
Holy cats. This is ugly. After an alleged network security breach in June last year at UCLA’s medical center, an outside party was contracted by University of California president Janet Napolitano to monitor networks at all of the University of California’s campuses. Collection of content both inbound and outbound, in violation of UC Berkeley’s IT policy, is alleged. UCOP has been opaque about the reason for the monitoring or data collection. Keep an eye on this case.
DDoS attack on HSBC crimps UK freelancers’ tax filing
The end of January in the United Kingdom is the filing deadline for the self-employed. Unfortunately, those who banked with HSBC lost access to their records for roughly four hours on Friday due to a distributed denial of service (DDoS) attack. It’s the second service outage inside a month for HSBC. The last outage lasted roughly two days but was not attributed to a DDoS. If UK lawmakers were testy after the first outage in January, they’re going to be ugly today.
Oil crash: massive wealth transfer, or increased dependency on oil?
Francisco Blanch, Commodities and Derivatives Strategist at BofA Merrill Lynch, claims plummeting oil prices have transferred roughly $3 trillion to consumers away from oil producers, and the resulting uptick in consumption will spur the economy. This assumption neatly ignores the likelihood consumers will have to pay one way or another for increasing losses due to unchecked climate change. Buying more insurance against weather damage and paying more taxes to replace infrastructure, as well as paying more for food due to crop losses won’t stimulate anything but consumer frustration.
War of words inside military about F-35’s readiness
In a December memo, the Defense Department’s director of operational test and evaluation Michael Gilmore wrote that the Joint Program Office’s July 2017 deadline for the F-35 jet’s full warfighting capability is “not realistic.” Software completion, testing and debugging is the risk. Folks in JPO are pushing back, with at least one official grousing online. So not cool, JPO. Address the concerns and then get to work on that software. Americans are paying for a working jet, not trash talk on Facebook.
Speaking of military…Sonic boom(s) caused minor earthquake in New Jersey
Just for fun, browse through a Twitter search for tweets from last Friday. Something caused more than one sonic boom — perhaps as many as nine — loud enough to register as an earthquake on USGS’ meters. At first, the military said it knew nothing about it, claiming there are no training exercises or other missions in the area. NASA’s Wallops Flight Facility-Virginia, Federal Aviation Administration, and the North American Aerospace Defense Command had no knowledge of flights in the area capable of generating sonic booms. But then the Navy piped up later, saying the Naval Test Wing Atlantic had been conducting test flights. Though not named, the F-35 fighter is believed to be the source of the booms. Were JPO and Lockheed Martin trying to make a rather loud and indiscreet point?
Or were the sonic booms due to some other unknown/unspecified cause, given Joint Base McGuire-Dix-Lakehurst’s inability to explain the booms when asked? USGS’ website is still taking feedback from folks in New Jersey — did you feel the earth move, too?
Time to taper off from espresso and move to an Americano. Hope your Monday is as caffeinated as you need it to be.
Sun Tzu said,
“There are five occasions when victory can be foretold: When the general knows the time to fight and when not to fight…”
Fridays are lousy times for fights, eh? Unless it’s just for fun.
Speaking of fun…
Oil crash wreaking havoc with MIC
Huh. Who could have guessed when buyers of defense goods suffer deep cuts in income, their suppliers feel the same pinch?
Kolkata-based call center workers arrested for telecom fraud
Some cyberthreats aren’t malware or hackers, but human beings with ready access to customers’ personal information and banking. In this case, three call center employees at Wipro-India working on UK accounts committed fraud of undisclosed nature, costing thousands of pounds. Seems to me these folks couldn’t have been too bright; traceability should have been easy. And being located in India offered no protection for either the criminals or the victims.
Zika virus may be transmitted sexually?
At least two cases so far suggest the virus may be transferred between partners during sex. One case involved a Colorado State University researcher who came down with Zika in 2008 after infection in Senegal. His wife came down with it after he came home from abroad; both tested positive for Zika antibodies. His children in the same household did not get sick, however.
Ukrainian power plant attackers now using BlackEnergy-infected Word documents
Though earlier attempts to launch BlackEnergy relied on PowerPoint and Excel documents, the attackers now use Word documents, but in every case the documents carried macros that had to be enabled. Kaspersky’s SecureList says the entities most at risk for BlackEnergy infection are:
At some point, this will move beyond energy and government targets. Keep your software patched and updated, run antivirus frequently, don’t open emails or documents you weren’t expecting, and only enable macros after validating the document’s source. This is pretty much standard operating practice for the last decade if you’ve been smart.
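A defender-side check for the macro-carrying documents described above, added here and not part of the original post or of Kaspersky’s analysis: it inspects an Office Open XML container (.docm, .xlsm, .pptm and friends) for an embedded VBA project before anyone is asked whether to enable macros. The sample containers are constructed in memory; legacy binary .doc/.xls files are OLE2 compound files, need a different parser, and are not covered here.

```python
import io
import zipfile

# Content type Office assigns to the VBA project part inside OOXML packages.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(data: bytes) -> list:
    """Return the names of VBA-related parts found in an OOXML document.

    Two independent signals are checked: a part literally named
    vbaProject.bin (under word/, xl/ or ppt/) and a [Content_Types].xml
    override declaring the VBA content type. A non-zip input is reported
    as carrying no OOXML macro parts; it may still be an OLE2 binary.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits.extend(n for n in names if n.lower().endswith("vbaproject.bin"))
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes and not hits:
                    hits.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    except zipfile.BadZipFile:
        return []
    return hits


def has_vba_macros(data: bytes) -> bool:
    """True if the document should be treated as macro-enabled."""
    return bool(find_macro_parts(data))


def build_fake_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stub: real vbaProject.bin is an OLE2 stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="%s"/>' % VBA_CONTENT_TYPE
            )
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_fake_doc(False)),
                          ("macro", build_fake_doc(True))):
        print(label, "->", find_macro_parts(sample) or "no VBA parts")
```

A mail gateway or file-drop scanner would run has_vba_macros() on attachments and quarantine or flag hits for source validation instead of letting the user see the “Enable Content” button.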
If you’re looking for something to read this weekend, you might try comparing two different translations of Sun Tzu’s The Art of War. The quote I used above is from the E. F. Calthrop version; the same bit in the Lionel Giles version renders,
“Thus we may know that there are five essentials for victory: … He will win who knows when to fight and when not to fight. …”
The Giles version is both more simplistic — at some points too much so — but filled with supplemental commentators’ content fleshing out interpretation. Relevant to political and business warfare, as much as traditional and asymmetric warfare today.
Save me a seat at the bar at the end of the day!
War All The Time — seems appropriate now, and it’s been more than a dozen years since this song was released. Also rather pathetic that MTV censored a reference to suicide in this tune, like a drop of merthiolate on a gaping wound.
Say it isn’t so, girl! Wendy’s investigating possible breaches
On the face of it, this doesn’t sound like a corporate-wide cybersecurity event. It may be confined to specific stores. But fast food chain Wendy’s contracted a security firm to look into unauthorized credit card charges made to cards used at their stores. Wendy’s joins Jimmy John’s and Chick-Fil-A in the growing list of compromised fast food chains.
Ransomware infects Israel’s Electric Authority
No outage has been reported as a result of ransomware infection of Israel’s electrical power system via phishing. Computers may have been isolated from the system’s network, though. The full extent of the malware’s impact is difficult to determine from reports available online; some likened this to the cyberattack on a Ukrainian power plant, and others called this a hacking, though neither description appears to fit well.
California struggles with self-driving car regulations
Oh dear Cthulhu…this bit:
Google has concluded that human error is the biggest risk in driving, and the company wants to remove the steering wheel and pedals from cars, giving people minimal ability to take over.
But computers never, ever make mistakes, right? No wonder California is struggling with this…but no. Even though Google’s DeepMind AI mastered Go a decade early, it can’t master California’s highways.
New high-speed wireless internet service launched by former Aereo CEO
Using microwave technology, new gigabit internet service provider Starry will begin in Boston this year once the FCC approves a limited test run in 15 cities. For now, this looks like a solution for urban areas, but it could be an alternative in rural areas where existing telecoms/ISPs fail to provide high-speed internet in spite of federal funds allocated to expand coverage. Imagine using wind turbine towers for Starry microcells to carry gigabit service to rural America.
All right, everybody back to the front, back to the foreverwar.
While looking for Wednesday, I discovered there’s a video short series based on a grownup version of the Wednesday Addams character. Cute, though from Wednesday’s POV becoming an adult isn’t all the fun one might expect.
So much for those carefree days when one could leave all the bad news and difficult choices to parental figures. It was all an illusion there were ever any grownups in charge.
Playstation moves to U.S. as Sony melds and migrates interactive entertainment divisions
What’s this really all about? Does this consolidation of Sony Computer Entertainment with Sony Network Entertainment and their move to California as Sony Interactive Entertainment allow better collaboration with Sony Pictures? Or does this allow for easy access by U.S. government entities suspicious of Playstation Network as a potential terrorist communications platform? Or is this a means to secure a leaky business by pulling more of Sony Group inside a single network? Sony explained SIE will “retain and expand PlayStation user engagement, increase Average Revenue Per Paying Users and drive ancillary revenue” — but that sounds like fuzzy vapor to me.
“Bent spear? Oh, THAT bent spear…” Air Force review omits report of damage to nuke
I hope like hell President Obama has already called someone on the carpet and asked for heads to roll. Not reporting a “bent spear” event in a review of U.S. nuclear force isn’t exactly a little boo-boo. A “bent spear” in 2007 spawned a rigorous investigation resulting in a large number of disciplinary actions including resignations and removals from duty.
Zika virus: risk to U.S. mounting
There have been more non-locally transmitted cases of Zika virus here in the U.S. as another Latin American country warns women against pregnancy. Not to worry, it’s not like Ebola, relax, we’ve been told…except that we’ve seen this playbook before, where there were casualties as a pandemic began before either federal or state agencies took effective action. In the case of Zika, we may not see mortalities; casualties may be serious birth defects following a rapid spread with mosquito season. Fortunately, President Obama has now asked for more accelerated research into Zika, though we may not see results before Aedes mosquito season hits its stride this year. For more information about this virus, see the CDC’s Zika website.
EU seeks hefty fines in draft law to overhaul auto industry regulations
At fines of €30,000 (£22,600) per vehicle found in violation, the EU might get some results out of proposed regulations governing automotive emissions standards. But the problem hasn’t been the lack of EU standards — it’s the inability to validate and extract compliance when so many member states are willing to turn a blind eye to their constituent manufacturers’ failings in order to preserve employment. Can the EU make these fines stick once new regulations are passed?
By the way, Consumer Reports published a really snappy overview of the VW emissions scandal. Worth a read.
Con Edison’s creaky website leaves online customers exposed
You’d think by now, after all of the successful hacks on business and government websites, that companies would catch a clue. But no, not in the case of Con Edison. Read the article here so you know what to watch for at other websites: not all of ConEd’s site links open fully encrypted connections. This is a really easy thing to fix; it should be the very first thing every single business allowing customers to log in or pay online checks.
Heading out to act like an adult for the next eight hours. Maybe less.