Several Supporters of CISA Admit Its Inadequacy

In recent days, there have been reports that the same (presumed Chinese) hackers who stole vast amounts of data from the Office of Personnel Management have also hacked at least United Airlines and American. (Presuming the Chinese attribution is correct — and I believe it — I would be surprised if Chinese hackers hadn’t also tried to hack Delta, given that it has a huge footprint in Asia, including China; if that’s right and Delta managed to withstand the attack, we should find out how and why.)

Those hacks — and the presumption that the Chinese are stealing the data to flesh out their already detailed map of the activities of US intelligence personnel — have led a bunch of Cyber Information Sharing Act supporters (Susan Collins and Barb Mikulski have already voted for it, and Bill Nelson almost surely will, because he loves surveillance) to admit its inadequacy.

In recent months, hackers have infiltrated the U.S. air traffic control system, forced airlines to ground planes and potentially stolen detailed travel records on millions of people.

Yet the industry lacks strict requirements to report these cyber incidents, or even adhere to specific cybersecurity standards.

“There should be a requirement for immediate reporting to the federal government,” Sen. Susan Collins (R-Maine), who chairs the Appropriations subcommittee that oversees the Federal Aviation Administration (FAA), told The Hill.

“We need to address that,” agreed Sen. Bill Nelson (D-Fla.), the top Democrat on the Senate Commerce Committee.

[snip]

“We need a two-way exchange of information so that when a threat is identified by the private sector, it’s shared with the government, and vice versa,” Collins added. “That’s the only way that we have any hope of stopping further breaches.”

[snip]

That’s why, Nelson said, the airline industry needs mandatory, immediate reporting requirements.

“All the more reason for a cybersecurity bill,” he said.

But for years, Congress has been unsuccessful in its efforts.

Sen. Barbara Mikulski (D-Md.), the Senate Appropriations Committee’s top Democrat, tried three years ago to move a cyber bill that would have included rigid breach reporting requirements for critical infrastructure sectors, including aviation.

“We were blocked,” she told The Hill recently. “So it’s time for not looking at an individual bill, but one that’s overall for critical infrastructure.”

So now we have some Senators calling for heightened cybersecurity standards for cars, and different, hawkish Senators calling for heightened cybersecurity sharing (though they don’t mention security standards) for airlines. Bank regulators are already demanding higher standards from them.

And someday soon someone will start talking about mandating response time for operating system fixes, given the problems with Android updates.

Maybe the recognition that one after another industry requires not immunity, but an approach to cybersecurity that actually requires some minimal actions from the companies in question, ought to lead Congress to halt before passing CISA and giving corporations immunity and think more seriously about what a serious approach to our cyber problems might look like.

That said, note that the hawks in this story are still adopting what is probably an approach of limited use here. Indeed, the story is notable in that it cites a cyber contractor, JAS Global Advisors’ Jeff Schmidt, actually raising questions about whether mandated info-sharing (with the government, not the public) would be all that effective.

If OPM has finally demonstrated the real impact of cyberattacks, then maybe it’s time to have a real discussion of what might help to keep this country safe — because simply immunizing corporations is not going to do it.

Barb Mikulski Still Thinks You’re Stupid about “Target” and “Content”

In the CRomnibus legislation — the appropriations bill that will pass Congress in the next few days — the powers that be (largely Barb Mikulski and Kentucky’s Harold Rogers) stripped out the Massie-Lofgren Amendment that would have prohibited both back door searches of Section 702 information and required back doors on software, and replaced it with this language.

SEC. 8128. None of the funds made available by this Act may be used by the National Security Agency to—

(1) conduct an acquisition pursuant to section 702 of the Foreign Intelligence Surveillance Act of 1978 for the purpose of targeting a United States person; or

(2) acquire, monitor, or store the contents (as such term is defined in section 2510(8) of title 18, United States Code) of any electronic communication of a United States person from a provider of electronic communication services to the public pursuant to section 501 of the Foreign Intelligence Surveillance Act of 1978.

The language is ridiculous on three counts.

First, it defunds only the NSA. The original might have defunded anything that involved DOD, including FBI and CIA.

Clause 1 does nothing but say that NSA has to follow the law, by prohibiting Section 702 from being used to target Americans (but not including penalties or legal recourse).

Clause 2 does nothing but say that NSA has to follow the law, by prohibiting the government from using Section 215 to get content (this clause might be more interesting if it applied to FBI, too, because I’m fairly certain some of what they get is arguably content).

That is, this replaces real legislation, supported by a huge majority in the House, with the same word games NSA has been hiding behind for over 18 months.

One Potential Civil Liberties Bright Spot from Yesterday’s Shellacking: Thad Cochran

There has been a lot of belated attention to the impact that Mark Udall’s loss yesterday will have on the Senate Intelligence Committee. I’ve been pointing to the possibility of a Udall loss and a Richard Burr Chairmanship since March. I warned you all of this when there was still time to do something about it!

Yesterday’s election will have a huge impact on intelligence matters. It’s crystal clear, for example, that Burr has zero intention of exercising any oversight into the intelligence community, as we know he has been uninterested in their law-breaking in the past. I actually think Burr may be more interested in their competence than Feinstein has been, but that may be just a pipe-dream.

Burr might even be the very very rare Gang of Four member who doesn’t use the position to leak what the intelligence community wants to make public to the press. I say that because Burr was a key player in requiring the White House to provide the committees a list of sanctioned leaks, which I actually think was a badly needed reform (though I have no idea whether the White House has complied).

There’s also the matter of the 3 or 4 new Republicans that will gain seats on the Intelligence Committee (adding at least one for the majority, along with replacing Saxby Chambliss and Tom Coburn, both of whom retired). It’d be nice to see a libertarian among these — perhaps someone like Mike Lee, given that Utah has a lot of intelligence equities. But I highly doubt Mitch McConnell would put anyone with an interest in civil liberties on the Committee.

But there is one area where yesterday’s shellacking might harbor good news for civil liberties: Thad Cochran.

With Republicans in the majority, Barb Mikulski (D-NSA) will lose her Chairmanship of the Appropriations Committee; Cochran is expected to get that Chair. Mikulski has always been — even more than Dianne Feinstein — the impediment to any real civil liberties change in the Senate, because she is far more powerful. Importantly, she served as a guarantee that smart policies put through on appropriations bills — like Alan Grayson’s elimination of a requirement that NIST consult with the NSA on encryption standards, and the Massie-Lofgren amendment to defund back door searches — would not make it into any final bill.

Losing the majority, even losing Mikulski on Appropriations on all other matters, is a huge loss, don’t get me wrong.

But it does mean that Thad Cochran might, just maybe, allow good things to move through the Senate on appropriations. With Barb Mikulski there was no chance in hell of doing something on an appropriations bill. Without her, there’s at least a possibility. (Remember that Ted Stevens permitted a Ron Wyden amendment defunding TIA to go through appropriations in 2003, so such things are not unheard of.)

There’s no reason to believe that Cochran, in general, is any friendlier to civil liberties than Mikulski. But he’s not the NSA’s own personal senator. And that may be a tiny bright spot.

Where the Bodies Are Buried: A Constitutional Crisis Feinstein Better Be Ready To Win

In a piece at MoJo, David Corn argues the Senate Intelligence Committee – CIA fight has grown into a Constitutional crisis.

What Feinstein didn’t say—but it’s surely implied—is that without effective monitoring, secret government cannot be justified in a democracy. This is indeed a defining moment. It’s a big deal for President Barack Obama, who, as is often noted in these situations, once upon a time taught constitutional law. Feinstein has ripped open a scab to reveal a deep wound that has been festering for decades. The president needs to respond in a way that demonstrates he is serious about making the system work and restoring faith in the oversight of the intelligence establishment. This is more than a spies-versus-pols DC turf battle. It is a constitutional crisis.

I absolutely agree those are the stakes. But I’m not sure the crisis stems from Feinstein “going nuclear” on the floor of the Senate today. Rather, I think whether Feinstein recognized it or not, we had already reached that crisis point, and John Brennan simply figured he had prepared adequately to face and win that crisis.

Which is why I disagree with the assessment of Feinstein’s available options as laid out by Shane Harris and John Hudson in FP.

If she chooses to play hardball, Feinstein can make the tenure of CIA Director John Brennan a living nightmare. From her perch on the intelligence committee, she could drag top spies before the panel for months on end. She could place holds on White House nominees to key agency positions. She could launch a broader investigation into the CIA’s relations with Congress and she could hit the agency where it really hurts: its pocketbook. One of the senator’s other committee assignments is the Senate Appropriations Committee, which allocates funds to Langley.

Take these suggestions one by one: Feinstein can only “drag top spies” before Congress if she is able to wield subpoena power. Not only won’t her counterpart, Saxby Chambliss (who generally sides with the CIA in this dispute) go along with that, but recent legal battles have largely gutted Congress’ subpoena power.

Feinstein can place a hold on CIA-related nominees. There’s even one before the Senate right now, CIA General Counsel nominee Caroline Krass, though Feinstein’s own committee just voted Krass out of Committee, where Feinstein could have wielded her power as Chair to bottle Krass up. In the Senate, given the new filibuster rules, Feinstein would have to get a lot of cooperation from her Democratic colleagues to impose any hold if ever she lost Senate Majority Leader Harry Reid’s support (though she seems to have that so far).

But with Krass, what’s the point? So long as Krass remains unconfirmed, Robert Eatinger — the guy who ratcheted up this fight in the first place by referring Feinstein’s staffers for criminal investigation — will remain Acting General Counsel. So in fact, Feinstein has real reason to rush the one active CIA nomination through, if only to diminish Eatinger’s relative power.

Feinstein could launch a broader investigation into the CIA’s relations with Congress. But that would again require either subpoenas (and the willingness of DOJ to enforce them, which is not at all clear she’d have) or cooperation.

Or Feinstein could cut CIA’s funding. But on Appropriations, she’ll need Barb Mikulski’s cooperation, and Mikulski has been one of the more lukewarm Democrats on this issue. (And all that’s assuming you’re only targeting CIA; as soon as you target Mikulski’s constituent agency, NSA, Maryland’s Senator would likely ditch Feinstein in a second.)

Then FP turns to DOJ’s potential role in this dispute.

The Justice Department is reportedly looking into whether the CIA inappropriately monitored congressional staff, as well as whether those staff inappropriately accessed documents that lay behind a firewall that segregated classified information that the CIA hadn’t yet cleared for release. And according to reports, the FBI has opened an investigation into committee staff who removed classified documents from the CIA facility and brought them back to the committee’s offices on Capitol Hill.

Even ignoring all the petty cover-ups DOJ engages in for intelligence agencies on a routine basis (DEA at least as much as CIA), DOJ has twice done CIA’s bidding on a major scale on the torture issue in recent years. First when John Durham declined to prosecute both the torturers and Jose Rodriguez for destroying evidence of torture. And then when Pat Fitzgerald delivered John Kiriakou’s head on a platter for CIA because Kiriakou and the Gitmo detainee lawyers attempted to learn the identities of those who tortured.

There’s no reason to believe this DOJ will depart from its recent solicitous ways in covering up torture. Jim Comey admittedly might conduct an honest investigation, but he’s no longer a US Attorney and he needs someone at DOJ to actually prosecute anyone, especially if that person is a public official.

Implicitly, Feinstein and her colleagues could channel Mike Gravel and read the 6,000 page report into the Senate record. But one of CIA’s goals is to ensure that if the Report ever does come out, it has no claim to objectivity. Especially if the Democrats release the Report without the consent of Susan Collins, it will be child’s play for Brennan to spin the Report as one more version of what happened, no more valid than Jose Rodriguez’ version.

And all this assumes Democrats retain control of the Senate. That’s an uphill battle in any case. But CIA has many ways to influence events. Even assuming CIA would never encourage false flag attacks or leak compromising information about Democrats, the Agency can ratchet up the fear mongering and call Democrats weak on security. That always works and it ought to be worth a Senate seat or three.

If Democrats lose the Senate, you can be sure that newly ascendant Senate Intelligence Chair Richard Burr would be all too happy to bury the Torture Report, just for starters. Earlier today, after all, he scolded Feinstein for airing this fight.

“I personally don’t believe that anything that goes on in the intelligence committee should ever be discussed publicly,”

Burr’s a guy who has joked about waterboarding in the past. Burying the Torture Report would be just the start of things, I fear.

And then, finally, there’s the President, whose spokesperson affirmed the President’s support for his CIA Director and who doesn’t need any Democrats’ help to win another election. As Brennan said earlier today, Obama “is the one who can ask me to stay or to go.” And I suspect Brennan has confidence that Obama won’t do that.

Which brings me to my comment above, on AJE, that Brennan knows where the literal bodies are buried.

I meant that very, very literally.

Not only does Brennan know firsthand that JSOC attempted to kill Anwar al-Awlaki on December 24, 2009, solely on the President’s authority, before the FBI considered him to be operational. But he also knows that the evidence against Awlaki was far dodgier than it should have been before the President authorized the unilateral execution of an American citizen.

Worse still, Feinstein not only okayed that killing, either before or just as it happened. But even the SSCI dissidents Ron Wyden, Mark Udall, and Martin Heinrich declared the Awlaki killing “a legitimate use of the authority granted the President” in November.

I do think there are ways the (Legislative) Democrats might win this fight. But they’re not well situated in the least, even assuming they’re willing and able to match Brennan’s bureaucratic maneuvering.

Again, I don’t blame Feinstein for precipitating this fight. We were all already in it, and she has only now come around to it.

I just hope she and her colleagues realize how well prepared Brennan is to fight it in time to wage an adequate battle.

Dragnet at Bernie’s: On Spying on Congress

It turns out that Mark Kirk — not Bernie Sanders — was the first member of Congress to raise concerns about the NSA spying on Senators after Edward Snowden’s leaks started being published. Kirk did so less than a day after the Guardian published the Verizon order from the phone dragnet, in an Appropriations Committee hearing on the Department of Justice’s budget (see at 2:00). After Susan Collins raised the report in the context of drone killing, Kirk asked for assurances that members of Congress weren’t included in the dragnet.

Kirk: I want to just ask, could you assure to us that no phones inside the Capitol were monitored, of members of Congress, that would give a future Executive Branch if they started pulling this kind of thing up, would give them unique leverage over the legislature?

Holder: With all due respect, Senator, I don’t think this is an appropriate setting for me to discuss that issue–I’d be more than glad to come back in an appropriate setting to discuss the issues that you’ve raised but in this open forum–

Kirk: I’m going to interrupt you and say, the correct answer would say, no, we stayed within our lane and I’m assuring you we did not spy on members of Congress.

The first substantive question Congress asked about the dragnet was whether they were included in it.

After that, a few moments of chaos broke out, as other Senators — including NSA’s representative on the Senate Intelligence Committee, Barb Mikulski — joined in Kirk’s concerns, while suggesting the need for a full classified Senate briefing with the AG and NSA. Richard Shelby jumped in to say Mikulski should create the appropriate hearing, but repeated that what Senator Kirk asked was a very important question. Mikulski agreed that it’s the kind of question she’d like to ask herself. Kirk jumped in to raise further separation of powers concerns, given the possibility that SCOTUS had their data collected.

The very first concern members of Congress raised about the dragnet was how it would affect their power.

And then there was a classified briefing and …

… All that noble concern about separation of power melted away. And some of the same people who professed to have real concern became quite comfortable with the dragnet after all.

It’s that sequence of events (along with Snowden’s claim that Members of Congress are exempt, and details about how data integrity analysts strip certain numbers out of the phone dragnet before anyone contact-chains on it) that led me to believe that NSA gave some assurances to Congress that they need not worry that their power was threatened by the phone dragnet.

The best explanation from external appearances was that Congress got told their numbers got protection the average citizen’s did not, perhaps stripped out with all the pizza joints and telemarketers (that shouldn’t have alleviated their concerns, as some of that data has been found sitting on wayward servers with no explanation, but members of Congress can be dumb when they want to be).

And they were happy with the dragnet.

Then, 7 months later, Bernie Sanders started asking similar — but not the same — questions. In a letter to Keith Alexander, he raised several issues:

  • Phone calls made
  • Emails sent
  • Websites visited
  • Foreign leaders wiretapped

He even defined what he meant by spying.

“Spying” would include gathering metadata on calls made from official or personal phones, content from websites visited or emails sent, or collecting any other data from a third party not made available to the general public in the regular course of business.

In response, Alexander rejected Sanders’ definition of spying (implicitly suggesting it wasn’t fair), while using a dodge he repeatedly has: the Americans in question are not being targeted, even while they might be collected “incidentally.”

Nothing NSA does can fairly be characterized as “spying on Members of Congress or other American elected officials.”

[snip]

NSA may not target any American for foreign intelligence collection without a finding of probable cause that the proposed target of collection is a foreign power or an agent of a foreign power. Moreover, as you are aware, whenever an NSA activity results in the incidental collection of information about Americans, that information is handled pursuant to the very robust procedures designed to protect privacy interests — procedures that must be approved by the Attorney General or the Foreign Intelligence Surveillance Court, as appropriate. All those protections apply to members of Congress, as they do to all Americans.

Alexander then addressed just one of the three kinds of spying Sanders raised: phone data (which, if I’m right that NSA strips Congressional numbers at the data integrity stage, is the one place Alexander can be fairly sure Sanders’ contacts won’t be found).

Your letter focuses on NSA’s acquisition of telephone metadata…

And used the controls imposed on the raw data of the phone dragnet as an excuse for not answering Sanders’ question.

Among those protections is the condition that NSA can query the metadata only based on phone numbers reasonably suspected to be associated with specific foreign terrorist groups. For that reason, NSA cannot lawfully search to determine if any records NSA has received under the program have included metadata of the phone calls of any member of Congress, other American elected officials, or any other American without that predicate.

Alexander totally ignored Sanders’ two other specified concerns: emails sent and websites visited.

Which is mighty convenient, because for a very large segment of that collection (the internet metadata collected under EO 12333 and via PRISM, though not the data collected domestically before 2011 or domestic upstream collection), NSA believes it doesn’t even need Reasonable Articulable Suspicion to search on US person identifiers.

Barb Mikulski and Stephen Preston Seem to Disagree Over Whether David Petraeus “Jerked Around” Congress

A big part of Stephen Preston’s response to Mark Udall’s questions about whether he supports adequate disclosure to Congress consists of insisting the CIA Directors he worked with — Leon Panetta, David Petraeus, presumably Mike Morell as Acting Director, and John Brennan — have supported full disclosure to Congress.

Doing a better job of congressional notification and ensuring the proper provision of information concerning covert action and other intelligence activities to the Intelligence Committees has been a top priority of the Directors under which I have served, starting with Director Panetta, and one that I have fully supported.

[snip]

What we regard as proper practice today is driven by faithful application of the National Security Act of 1947. It is also informed by the very high priority the Directors under which I have served have placed on doing a better job of congressional notification and ensuring the proper provision of information concerning covert action and other intelligence activities to the Intelligence Committees. To repeat, I have fully supported these efforts and, if confirmed, will be fully committed to such efforts with respect to the Armed Services Committees.

While it may or may not be true that the Directors under whom Preston has served have not engaged in the kind of manipulative briefings that characterized the torture program, every time I read these assurances from Preston I remembered what Barb Mikulski said at John Brennan’s confirmation hearing.

Now, I want to get to the job of the CIA director. I’m going to be blunt — and this would be no surprise to you, sir.

But I’ve been on this committee for more than 10 years. And with the exception of Mr. Panetta, I feel I’ve been jerked around by every CIA director.

I’ve either been misled, misrepresented, had to pull information out, often at the most minimal kind of way, from Tenet, with his little aluminum rods to tell us that we had weapons of mass destruction in Iraq to Porter Goss, not worth coming.

You know the problems we’ve had with torture. The chair has spoken eloquently about it all the way.

And, quite frankly, during those questions, they were evaded, they were distorted, et cetera.

While she didn’t name him as she did Tenet and Goss, neither did she except David Petraeus, like she did Leon Panetta.

This would seem to suggest that Mikulski has a very different understanding of Petraeus’ commitment to briefing Congress than Preston claims to have.