Cybersecurity

How Much Does Keith Alexander’s Patented Solution for Creating Fear Depend on CISA?

Keith Alexander has attempted to explain his million dollar salary demands for cyber consulting to Shane Harris. This story doesn’t necessary hang together any better than his claims about NSA’s spying.

Alexander is worth a million a month, he says (though he already dropped his price to $600K) because he has a unique approach to detecting persistent threats that he plans to patent.

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and “unique” approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March.

Alexander developed the technologies behind these patents — which Alexander says would address precisely the kind of attacks he facetiously argues have carried out the greatest transfer of wealth in history, the ones attacking the US — in his spare time.

A source familiarly [sic] with Alexander’s situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

To which Harris asked the obvious question: if this solution is so great, then why not implement it while he was still in government? Why not save America from that greatest transfer of wealth in history?

Alexander then added that his solution relies on behavioral analysis one of his partners contributed.

Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do.

[snip]

Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

Perhaps the best (anonymous) quote Harris includes in his story is a “former national security official with decades of experience in security technology” who says such behavioral models are highly speculative and have never before worked. 

So it’s possible that Keith Alexander is simply going to sell his new approach to a bunch of chumps who have gotten rich trading off of algorithms — proof behavioral models “work” even if they don’t work! — and therefore believe they will work to find persistent threats.

The guy who couldn’t find Edward Snowden absconding with thousands of files and his friends the big banks are going to start policing their networks by using algos to find suspicious behavior.

Harris sort of alludes to one problem with this scheme. Alexander used his perch at DIRNSA to create this market. As Harris points out, that’s in part because Wiper — a variant of the StuxNet attack developed under Alexander’s tenure — is what the banks are so afraid of.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence.

That is, Alexander will get rich helping banks defeat the weapons he released in the first place.

More generally, too, this fear exists because Alexander sowed it. The banks are responding to the intelligence claims Alexander has been making for years, whether or not a real threat exists behind it (and whether not resilience would be a better defense than Alexander’s algos).

One more thing: as far as we know, in addition to inventing this purportedly new technology in his free time, Alexander was consulting with his partners — which as far as we know include Promontory Financial Group and Chertoff — while he was DIRNSA. So it’s not just the underlying technology, but the discussions of partnership, that likely derive from Alexander’s time at DIRNSA.

And that seems to be the fourth part of Alexander’s magic sauce (in addition to the tech developed on the government dime, his ability to sow fear, and partnerships laid out while still in the private sector). After all, with Alexander out of his NSA, where will he and his profitable partners get the data they need to model threats? How much of this model will depend on the Cyber Information sharing plan that Alexander has demanded for years? How much will Alexander’s privatized solutions to the problem he couldn’t solve at NSA depend on access to all the information the government has, along with immunity?

To what degree is CISA about making Keith Alexander rich?

 

Fact-Checking 9/11 Anniversary Report on Info and Dragnets with 9/11 Report

In Salon, I point out something funny about the report released on Tuesday to mark the 10 year anniversary of the release of the 9/11 Commission report. The report says we must fight the “creeping tide of complacency.” But then it says the government has done almost everything the 9/11 Commission said it should do.

There is a “creeping tide of complacency,” the members of the 9/11 Commission warned in a report released on Tuesday, the 10-year anniversary of the release of their original report. That complacency extends not just to terrorism. “On issue after issue — the resurgence and transformation of al Qaeda, Syria, the cyber threat — public awareness lags behind official Washington’s.” To combat that “creeping tide of complacency,” the report argues, the government must explain “the evil that [is] stalking us.”

Meanwhile, the commissioners appear unconcerned about complacency with climate change or economic decline.

All that fear-mongering is odd, given the report’s general assessment of counterterrorism efforts made in the last decade. “The government’s record in counterterrorism is good,” the report judged, and “our capabilities are much improved.”

If the government has done a good job of implementing the 9/11 Commission recommendations but the terror threat is an order of magnitude worse now, as the report claims, then those recommendations were not sufficient to addressing the problem. Or perhaps the 13 top security officials whom the Commission interviewed did a slew of other things — like destabilizing Syria and Libya — that have undermined the apparatus of counterterrorism recommended by the original 9/11 Commission?

Which is a polite way of saying the 10-year report is unsatisfying on many fronts, opting for fear-mongering than another measured assessment about what we need to do to protect against terrorism.

Perhaps that’s because, rather than conduct the public hearings with middle-level experts, as it boasted it had done in the original report, it instead privately interviewed just the people who’ve been in charge for the last 10 years, all of whom have a stake in fear and budgets and several of whom now have a stake in profiting off fear-mongering?

Suffice it to say I’m unimpressed with the report.

Which brings me to this really odd detail about it.

The report takes a squishy approach to Edward Snowden’s leaks. It condemns his and Chelsea Manning’s leaks and suggests they may hinder information sharing. It also suggests Snowden’s leaks may be impeding recruiting for cybersecurity positions.

But it also acknowledges that Snowden’s leaks have been important to raising concerns about civil liberties — resulting in President Obama’s decision to impose limits on the Section 215 phone dragnet.

Since 2004, when we issued the report, the public has become markedly more engaged in the debate over the balance between civil liberties and national security. In the mid-2000s, news reports about the National Security Agency’s surveillance programs caused only a slight public stir. That changed with last year’s leaks by Edward Snowden, an NSA contractor who stole 1.7 million pages of classified material. Documents taken by Snowden and given to the media revealed NSA data collection far more widespread than had been popularly understood. Some reports exaggerated the scale of the programs. While the government explained that the NSA’s programs were overseen by Congress and the courts, the scale of the data collection has alarmed the public.

[snip]

[I]n March, the President announced plans to replace the NSA telephone metadata program with a more limited program of specific court-approved searches of call records held by private carriers. This remains a matter of contention with some intelligence professionals, who expressed to us a fear that these restrictions might hinder U.S. counterterrorism efforts in urgent situations where speedy investigation is critical.

Having just raised the phone dragnet changes, the report goes on to argue “these programs” — which in context would include the phone dragnet — should be preserved.

We believe these programs are worth preserving, albeit with additional oversight. Every current or former senior official with whom we spoke told us that the terrorist and cyber threats to the United States are more dangerous today than they were a few years ago. And senior officials explained to us, in clear terms, what authorities they would need to address those threats. Their case is persuasive, and we encountered general agreement about what needs to be done.

Senior leaders must now make this case to the public. The President must lead the government in an ongoing effort to explain to the American people—in specific terms, not generalities—why these programs are critical to the nation’s security. If the American people hear what we have heard in recent months, about the urgent threat and the ways in which data collection is used to counter it, we believe that they will be supportive. If these programs are as important as we believe they are, it is worth making the effort to build a more solid foundation in public opinion to ensure their preservation.

This discussion directly introduces a bizarre rewriting of the original 9/11 Report.

Given how often the government has falsely claimed that we need the phone dragnet because it closes a gap that let Khalid al-Midhar escape you’d think the 9/11 Commission might use this moment to reiterate the record, which shows that the government had the information it needed to discover the hijacker was in the US.

Nope.

It does, however, raise a very closely related issue: the FBI’s failure to discover Nawaf al Hazmi’s identity. Continue reading

CISA: The Banks Want Immunity and a Public-Private War Council

A group of privacy and security organizations have just sent President Obama a letter asking him to issue a veto threat over the Cybersecurity Information Sharing Act passed out of the Senate Intelligence Committee last week. It’s a great explanation of why this bill sucks and doesn’t do what it needs to to make us safer from cyberattacks. It argues that CISA’s exclusive focus on information sharing — and not on communications security more generally — isn’t going to keep us safe.

Which is why it really pays to look at the role of SIFMA — the Securities Industry and Financial Markets Association – in all this.

As I’ve noted, they’re the banksters whom Keith Alexander is charging big bucks to keep safe. As Bloomberg recently reported, Alexander has convinced SIFMA to demand a public-private cyber war council, involving all the stars of revolving door fearmongering for profit.

Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.

The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.

The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to “facilitate” the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former U.S. Secretary of Homeland Security, and his firm, Chertoff Group.

Public reporting positions SIFMA as the opposition to the larger community of people who know better, embracing this public-private war council approach.

Kenneth Bentsen, chief executive at the Securities Industry and Financial Markets Association, said in a statement that leaders of the Senate Intelligence panel who wrote the bill have “taken a balanced and considered approach which will help the financial services industry to better protect our customers from cyber terrorists and criminals, as well as their privacy.”

According to the same banksters who crashed our economy 6 years ago, this bill is about protecting them at the expense of our privacy and rule of law.

And in their reply to Alan Grayson’s questions about WTF they’re paying Keith Alexander so handsomely for, SIFMA repeats this line (definitely click through to read about Quantum Dawn 2).

Cyber attacks are increasingly a major threat to our financial system. As such, enhancing cyber security is a top priority for the financial services industry. SIFMA believes we have an obligation to do everything possible to protect the integrity of our markets and the millions of Americans who use financial services every day.

[snip]

However, the threat increases every day. SIFMA and its members have undertaken additional efforts to develop cyber defense standards for the securities industry sector as a follow on to the recently published NIST standards. And we are developing enhanced recovery protocols for market participants and regulators in the event of an attack that results in closure of the equity and fixed income markets. We are undertaking this work in close collaboration with our regulators and recently held a meeting to brief them on our progress. And, we plan to increase our efforts even further as the risks are too great for current efforts alone.

We know that a strong partnership between the private sector and the government is the most efficient way to address this growing threat. Industry and investors benefit when the private sector and government agencies can work together to share relevant threat information. We would like to see more done in Congress to eliminate the barriers to legitimate information sharing, which will enable this partnership to grow stronger, while protecting the privacy of our customers.

This is not — contrary to what people like Dianne Feinstein are pretending — protecting the millions who had their credit card data stolen because Target was not using the cyberdefenses it put into place.

Rather, this is about doing the banksters’ bidding, setting up a public-private war council, without first requiring them to do basic things — like limiting High Frequency Trading — to make their industry more resilient to all kinds of attacks, from even themselves.

Meanwhile, if that’s not enough indication this is about the bankstsers, check out what Treasury Secretary Jack Lew is doing this afternoon.

In the afternoon, the Secretary will visit Verizon’s facilities in Ashburn, Virginia to discuss cybersecurity and highlight the important role of telecommunications companies in supporting the financial system. 

Just what we need: our phone provider serving the interests of the financial system first.

DiFi wants to make it easier to spy on Americans domestically to help private companies that have already done untold damage to Main Street America. We ought to be protecting ourselves from them, not degrading privacy to subsidize their insecure practices.

Keith Alexander Has Finance Worried about Being Zeroed Out, Just Like President’s Review Group

Keith Alexander’s clients in the finance industry are proposing what he proposed to them: a government-finance industry council to protect against cyberthreats.

Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.

He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults.

How tidy.

I’ll have more to say about their plot in a follow-up. But for the moment, look at what the consider one of the threats to the industry.

The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.

“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.

This seems like tacit admission that the finance industry doesn’t create enough backups, but instead of doing that, they apparently prefer setting up this government-finance council.

It’s great to see Keith Alexander creating such a profitable panic among the richest industry.

But I can’t help but note that this fear mimics one the President’s Review Group raised in an oblique recommendation.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

So are these seeming parallel worries based on classified information? If so, has Keith Alexander already started leaking classified information, as Alan Grayson raised concerns about?

In Advance of USA Freedom and CISA Fights, PCLOB Pretends Section 702 Doesn’t Have a Cyber Function

In a piece for Salon, I note some of the weird silences in yesterday’s PCLOB report, from things like the failure to give defendants notice (which I discussed yesterday) to the false claim that Targeting Procedures haven’t been released (they have been — by Edward Snowden). One of the most troubling silences, however, pertains to cybersecurity.

That’s especially true in one area where PCLOB inexplicably remained entirely silent. PCLOB noted in its report that, because Congress limited its mandate to counterterrorism programs, it focused primarily on those uses of Section 702. That meant a number of PCLOB’s discussions — particularly regarding “incidental collections” of Americans sucked up under Section 702 — minimized the degree to which Americans who corresponded with completely innocent foreigners could be in a government database. That said, PCLOB did admit there were other uses, and it discussed the government’s use of Section 702 to pursue weapons proliferators.

Yet PCLOB remained silent about a use of Section 702 that both Director of National Intelligence James Clapper’s office, in its very first information sheet on Section 702 released in June 2013, and multiple government witnesses at PCLOB’s own hearing on this topic in March, discussed: cybersecurity. Not only should that have been discussed because Congress is preparing to debate cybersecurity legislation that would be modeled on Section 702. But the use of Section 702 for cybersecurity presents a number of unique, and potentially more significant, privacy concerns.

And PCLOB just dodged that issue entirely, even though Section 702′s use for cybersecurity is unclassified.

In the transcript of the March PCLOB hearing on Section 702 uses, the word “cyber” shows up 12 times. Four of those references come from DOJ’s Deputy Assistant Attorney General Brad Wiegmann’s description of the kinds of foreign intelligence uses targeted under Section 702. (The other references came from Information Technology Industry Council President Dean Garfield.)

MR. WIEGMANN: You task a selector. So you’re identifying, that’s when you take that selector to the company and say this one’s been approved. You’ve concluded that it is, does belong to a non-U.S. person overseas, a terrorist, or a proliferator, or a cyber person, right, whoever it is, and then we go to the company and get the information.

[snip]

It’s aimed at only those people who are foreign intelligence targets and you have reason to believe that going up on that account that I mentioned, bad guy at Google.com is going to give you back information, information that is foreign intelligence, like on cyber threats, on terrorists, on proliferation, whatever it might be.

[snip]

So in other words, if I need to, if it’s Joe Smith and his name is necessary if I’m passing it to that foreign government and it’s key that they understand that it’s Joe Smith because that’s relevant to understanding what the threat is, or what the information is, let’s say he’s a cyber, malicious cyber hacker or whatever, and it was key to know the information, then you might pass Joe Smith’s name.

Yesterday’s report, however, doesn’t mention “cyber” a single time. Indeed, it seems to go out of its way to avoid mentioning it.

As discussed elsewhere in this Report, the Board believes that the Section 702 program significantly aids the government’s efforts to prevent terrorism, as well as to combat weapons proliferation and gather foreign intelligence for other purposes.

[snip]

The Section 702 program, for instance, is also used for surveillance aimed at countering the efforts of proliferators of weapons of mass destruction.473 Given that these other foreign intelligence purposes of the program are not strictly within the Board’s mandate, we have not scrutinized the effectiveness of Section 702 in contributing to those other purposes with the same rigor that we have applied in assessing the program’s contribution to counterterrorism. Nevertheless, we have come to learn how the program is used for these other purposes, including, for example, specific ways in which it has been used to combat weapons proliferation and the degree to which the program supports the government’s efforts to gather foreign intelligence for the benefit of policymakers.

It’s footnote to that last section cites DOJ’s 2012 report to SSCI on the uses of Section 702 (which doesn’t mention cyber) rather than the information sheet released in June 2013, which does.

I find PCLOB’s silence about the use of Section 702 to pursue cyber targets particularly interesting for several reasons.

First, because cyber targets pose unique privacy threats — in part because cyberattackers are more likely to hide their location and exploit the communications of entirely innocent people, meaning Section 702′s claimed targeting limits offer no protection to Americans. Additionally, targeting (as Wiegmann describes it) a “malicious cyber hacker” goes beyond any traditional definition of foreign agent; it is telling he didn’t use a Chinese military hacker as his example instead! Indeed, while proliferation (along with foreign governments, the other presumed certification) is solidly within FISA Amendment Act’s definition of foreign intelligence, cybersecurity is not. In its discussion of back door searches, PCLOB admits there are concerns raised by back door searches that are heightened (or perhaps more sensitive, because they involve affluent white people) outside the counterterrorism context, that’s especially true for cybersecurity targeting.

Consider, too, the likelihood that cyber collection is among the categories of about collection that PCLOB obliquely mentions but doesn’t describe due to classification.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

At the beginning of the report, PCLOB repeated the government’s claim this is primarily about emails; here in the guts of it, it obliquely references other categories of collection, without really considering whether these categories present different privacy concerns.

Remember, too, that the original, good version of USA Freedom Act remains before the Senate Judiciary Committee. That bill would disallow the use of upstream 702 for any use but counterterrorism and counterproliferation. Did PCLOB ignore this use of Section 702 just to avoid alerting Senators who haven’t been briefed on it that it exists?

Finally, I also find PCLOB’s silence about NSA’s admitted use of Section 702 to pursue cyberattackers curious given that, after Congress largely ditched ideas to involve PCLOB in various NSA oversight — such as providing it a role in the FISA Advocate position — Dianne Feinstein’s Cyber Information Sharing Act all of a sudden has found a use for PCLOB again (serving a function, I should add, that arguably replaces FISC review).

(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 1 year after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—

(A) an assessment of the privacy and civil liberties impact of the type of activities carried out under this Act; and

(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing privacy and civil liberties concerns.

Feinstein introduced this bill on June 17, several weeks after PCLOB briefed her staffers on their report (they briefed Congressional committee aides on June 2, and the White House on June 17 — see just after 9:00).

A renewed openness to expanding PCLOB’s role may be entirely unmotivated, or it may stem from PCLOB’s chastened analysis of the legal issues surrounding Section 702.

But I do find it interesting that PCLOB uttered, literally, not one word about the topic that, if DiFi’s bill passes, would expand their mandate.

Former Deputy DIRNSA Chris Inglis Goes to Private Equity Firm, Paladin

I’ve been tracking how former DIRNSA Keith Alexander has shacked up with shadow bank regulator Promontory Financial Group to scare banks into making him rich.

Today, we learned where his Deputy, Chris Inglis, will spend his sinecure: at Paladin private equity firm. In their release announcing the hire, Paladin’s Managing Director and former DIRNSA from the Clinton years, Kenneth Minihan, hailed Inglis’ role in cybersecurity.

“Having worked at the highest levels of the NSA, Chris has incredible insight and a great sense of the current and ever evolving cyber threat,” said Lt. General (Ret.) Kenneth Minihan, Managing Director at Paladin Capital Group.  “We are delighted to have Chris join as a Venture Partner, Chris will play a key role in further developing our cyber knowledge base.”

[snip]

“Chris brings almost 40 years of experience in the government to the Paladin team” said Mike Steed, Founder and Managing Partner at Paladin. “His broad experience in government and with cyber products and services will be a valuable asset to the company.”

Many of the companies in Paladin’s cyber portfolio are key partners with the government or big contractors like SAIC. So Inglis’ background will be very useful to Paladin indeed.

In Advance of PCLOB, WaPo Busts ODNI’s Limited Hang Out on Certifications

Earlier today, I got to tell the journalists who have long ignored that the FBI does back door searches — or even suggested I was guessing that they do, when it appeared in multiple public documents — that I had been telling them so for a long time.

But today I also have to admit I got suckered by a year-long Director of National Intelligence effort at a limited hangout. That effort was, I’m convinced, designed to hide that the Section 702 program is far broader than government witnesses wanted to publicly admit it was. Nevertheless, I was wrong about a supposition I had believed until about 2 months ago.

Since the first days after the Snowden leaks, the government has suggested it had 3 certificates under Section 702, covering counterterrorism, counterproliferation, and cybersecurity.  But — as the WaPo reports (as with the ODNI back door search numbers, in convenient timing that conveniently preempts the PCLOB report) — that’ s not the case. The NSA has a certificate that covers every foreign government except the other 4 members of the 5 Eyes (UK, Canada, New Zealand, and Australia), as well as various foreign organizations like OPEC, the European Central Bank, and various Bolivarist groups.

For an entire year, the government has been suggesting that is not the case. I even believed them, the one thing I know of where I got utterly suckered. I was wrong.

Frankly, this certification should not be a surprise. It is solidly within the letter of the law, which permits collection on any agent of a foreign power. From the very first PRISM revelations, which showed collection on Venezuela, it was clear NSA collected broadly, including on Bolivarist governments and energy organizations.

But consistently over the last year, the NSA has suggested it only had certifications for CT, CP, and cyber.

On June 8 of last year, for example, ODNI listed 3 Section 702 successes.

  • Communications collected under Section 702 have provided the Intelligence Community insight into terrorist networks and plans. For example, the Intelligence Community acquired information on a terrorist organization’s strategic planning efforts.
  • Communications collected under Section 702 have yielded intelligence regarding proliferation networks and have directly and significantly contributed to successful operations to impede the proliferation of weapons of mass destruction and related technologies.
  • Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States including specific potential computer network attacks. This insight has led to successful efforts to mitigate these threats

The October 3, 2011 John Bates opinion, released in October, made it clear there were just 3 certificates at that point.

3 certificates

 

 

(Though note the Semiannual Compliance Review released last year looked to be consistent with at least one more certificate.)

The President’s Review Group emphasized the categorical nature of certificates, and in its second discussion thereof named those same three categories.

[S]ection 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

[snip]

Section 702 requires that NSA’s certifications attest that a “significant purpose” of any acquisition is to obtain foreign intelligence information (i.e. directed at international terrorism, nuclear proliferation, or hostile cyber activities), that it does not intentionally target a United States person, that it does not intentionally target any person known at the time of acquisition to be in the United States, that it does not target any person outside the United States for the purpose of targeting a person inside the United States, and that it meets the requirements of the Fourth Amendment.

And in March testimony before PCLOB, NSA General Counsel Raj De suggested those same three topics.

But beyond that there has to be a valid foreign intelligence reason within the ambit of one of those certifications that the FISC approves annually. Those are certifications on things like counterterrorism, encountering WMDs, for example, weapons of mass destruction.

Most recently, former DOJ official Carrie Cordero – who has been involved in this whole certification process – claimed in the CATO debate we’ve been engaged in “they are not so broad that they cover any and everything that might be foreign intelligence information.”

And yet, there’s a foreign intelligence certificate that covers any and everything that might be foreign intelligence information, a certificate that destroys the whole point of having certificates (though if there’s a cyber one, I suspect it has its own problems, in that it permits domestic collection).

Lots of people are claiming WaPo’s latest is no big deal, because of course the NSA spies on foreign government’s. They’re right, to a point. Except that the government has been strongly implying, since day one, that Section 702 was narrowly deployed, not available to use against all but our 4 closest spying allies.

PCLOB is surely about to make it clear that’s not the case. And voila! All of a sudden it becomes clear the government has been misleading when it claimed this was narrowly deployed.

Defund All “Bad Guy” National Security Thinking

Ellen Nakashima has a report on the development of CyberCommand’s national mission teams. Here’s how her anonymous “senior defense official” source described their job.

Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.

“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”

Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”

It’s defense appropriations season, though admittedly too late into the process to do this. But can I suggest an amendment defunding any program or person who discusses targeting in terms of “good guys” and “bad guys”?

Even when discussing physical attacks — say those about to be unleashed on ISIS — it encourages a kind of simplistic thinking. But when discussing online targeting, in which sorting legitimate targets from Big Data chaff should involve a lot of nuanced analysis, and which does happen with little oversight, thinking in such Manichean terms betrays a sloppiness that is unacceptable.

And for both kinds of targeting, physical and digital, presuming we are always the “good guys” fosters a sense of impunity for whatever we do, no matter how rash and — at times — disproportionate our actions are.

Our national security establishment seems to be run by men (mostly men, anyway) with the cognitive sophistication of children. Perhaps we’d be well-served to change that.

Remotely Yours: Internet of Things Meets Father’s Day

[Graphic: Google Glass by Wilbert Baan via Flickr]

[Graphic: Google Glass by Wilbert Baan via Flickr]

After all you father-types have finished opening your gift-wrapped nifty new cellphones and car stereo systems, wireless remote thermostats, fitness tracking watches, and Google Glasses received from your adoring spawn, you might want set aside a little downtime for reading — perhaps on that tablet or e-reader you received for Father’s Day.

Predicting the future on the Web’s 25th anniversary*, a Pew Internet study published in March this year, reveals the depth of naivete bordering on gross ignorance on the part of so-called experts surveyed for this report.

The subhead alone should concern you:

Experts say the Internet will become ‘like electricity’ over the next decade–less visible, yet more deeply embedded in people’s lives, with many good and potentially bad results

Emphasis mine — because really, how much more deeply embedded does the internet need to become in our lives before we begin to rethink its widening application?

At the risk of sounding Ted Kaczynski-ish, we have allowed the development, implementation and integration of technology to run amok. We’ve only paid attention to the narrowest benefits we might receive from explicit application of any new technology, failing to look at the systemic repercussions of all our technology on all our society and on the planet we share.

It’s not your remote controlled light switch in itself that is a problem. Go ahead, turn on your lights at home while you’re on your summer vacation across country.

It’s the lack of thought about the entirety of the internet itself and its embedment that is a major problem. We’ve already become utterly dependent upon it. The additional little tools and toys we inanely call the “internet of things” will only make the situation more complex.

Ask yourself this: If the internet suddenly crashed this week, completely collapsed for an unspecified length of time, what would happen to the global economy?

What would happen to the health of patients in hospitals and care facilities — are there monitoring and medication-dispensing applications that are both life saving and internet mediated?

How would we conduct and record any kind of transaction, between individuals, between businesses, between governments?

Would our power grid continue to run smoothly without the use of the internet?

At a minimum we should be asking ourselves at what point our government will limit its tracking and compilation of meta data, let alone whether it can use data from one’s wireless slowcooker as a criteria to dispatch a deadly drone. Imagine the mind-boggling size of the data farm required to house all the meta data alone from the internet of things.

We should be asking what happens if foreign governments conduct cyber war through this internet of things what our response should be — conduct cyber-retaliation with equal and measured response, taking out wireless ricecookers and teapots on the other side of the globe?

What happens if our cyberweapons are deployed against us, like a customized Stuxnet invisibly tweaking all the settings on all our internet of things? Would we know we’d been targeted until far too late?

Anyhow, just some food for thought, something to mull over as you flip your remotely monitored ribs on the smoker while sipping on your icy cold brew produced from your wirelessly controlled refrigerator — which may tell you soon you’re low on beer.

Happy Father’s Day!

* h/t @sarahkendzior

Mike Rogers Says Google Must Lose Its Quarter to Save a Rickety Bank

Screen shot 2014-06-12 at 10.03.25 PMJosh Gerstein already wrote about some of this Mike Rogers blather. But I wanted to transcribe the whole thing to display how utterly full of shit he is.

At a conference at Georgetown the other day, (see video 3), Rogers laid into the tech companies for opposing USA Freedumber, which he badly misrepresented just before this. The context of European opportunism beings at 1:06, the quote begins after 1:08.

We should be very mad at Google, and Microsoft, and Facebook, because they’re doing a very interesting, and I think, very dangerous thing. They’ve come out and said, “well, we oppose this new FISA bill because it doesn’t go far enough.” When you peel that onion back a little bit, and why are you doing this, this is a good bill, it’s safe, bipartisan, it’s rational, it meets all the requirements for Fourth Amendment protection, privacy protection, and allowing the system to work,

Rogers claims they’re doing so solely because they’re afraid to lose European business. And Rogers — a Republican! — is furious that corporations prioritize their profits (note, Rogers has never complained that some of these same companies use European tax shelters to cheat the tax man).

And they say, “well, we have to do this because we have to make sure we don’t lose our European business.” I don’t know about the rest of you, that offends me from the word, “European business.” Think about what they’re doing. They’re willing, in their minds, to justify the importance of their next quarter’s earnings in Europe, versus the National Security of the United States. Everybody on those boards should be embarrassed, and their CEOs should be embarrassed, and their stockholders should be embarrassed.That one quarter cannot be worth the National Security of the United States for the next 10 generations. And if we don’t get this part turned around very quickly, it will likely get a little ugly, and that emotional piece that we got by is going to be right back in the center of the room to no good advantage to our ability to protect the United States.

Mostly, he seems pissed because he knows the collective weight of the tech companies may give those of us trying to defeat USA Freedumber a fighting chance, which is what Rogers considers an emotional place because Democracy.

But Rogers’ rant gets truly bizarre later in the same video (after 1:23) where he explains what the security interest is:

We have one particular financial institution that clears, somewhere about $7 trillion dollars in global financial transactions every single day. Imagine if tomorrow that place gets in there and through an attack of which we know does exist, the potential does exist where the information is destroyed and manipulated, now you don’t know who owes what money, some of that may have lost transactions completely forever, imagine what that does to the economy, $7 trillion. Gone — right? Gone. It’s that serious.

Mind you, Rogers appears unaware that a banks shuffling of money — while an incredibly ripe target for hackers — does not really contribute to the American economy. This kind of daily volume is churn that only the very very rich benefit from. And one big reason it’s a target is because it is an inherently fragile thing.

To make all this even more hysterical, Rogers talks about risk driving insurance driving proper defensive measures from the target companies … yet he seems not to apply those rules to banks.

Mike Rogers, it seems, would rather kill Google’s business than permit this rickety vitality killing bank to feel the full brunt of the risk of its own business model.

Emptywheel Twitterverse
bmaz @OKnox @emptywheel Quit guessing and man up you wimp!
1hreplyretweetfavorite
emptywheel @TorEkelandPC To me, battle should be abt 2nd Amendment right to bear drones and bear hacks.
2hreplyretweetfavorite
JimWhiteGNV RT @DougWilliams85: I'm just happy that my father never accepted that his only son would have to work twice as hard to deserve simple equal…
2hreplyretweetfavorite
emptywheel RT @pwnallthethings: @csoghoian "On devices running IOS 8, your personal data is stored in our cloud, so law enforcement no longer needs to…
2hreplyretweetfavorite
emptywheel @csoghoian That only applies if THEY have the phone, the cops?
2hreplyretweetfavorite
emptywheel Just in time for USAF, I might add. http://t.co/n0578eXsTt
2hreplyretweetfavorite
emptywheel In addition to being great marketing this is a nice list of the things Apples has already been asked for. http://t.co/n0578eXsTt
2hreplyretweetfavorite
JimWhiteGNV RT @ArifCRafiq: Reports are wrong. They got an al-Zawahiri. But it was one of his brothers. Tito or Jermaine.
2hreplyretweetfavorite
emptywheel @McCully11 Agree. Too bad that doesn't work for most defendants.
2hreplyretweetfavorite
emptywheel @jilliancyork LOL. Yup. Just being an asshole.
2hreplyretweetfavorite
emptywheel @jilliancyork Shush now. I'm supposed to be the nihilist who won't compromise, you know.
2hreplyretweetfavorite
September 2014
S M T W T F S
« Aug    
 123456
78910111213
14151617181920
21222324252627
282930