Steve Aftergood has posted a new directive from James Clapper mandating that Intelligence Community members warn individuals (be they corporate or natural persons) of a threat of death or serious bodily harm.
This Directive establishes in policy a consistent, coordinated approach for how the Intelligence Community (IC) will provide warning regarding threats to specific individuals or groups of intentional killing, serious bodily injury, and kidnapping.
The fine print on it is quite interesting. For example, if you’re a drug dealer, someone involved in violent crime, or you’re at risk solely because you’re involved in an insurgency, the IC is not obliged to give you notice. Remember, the FBI did not alert members of Occupy Wall Street someone was plotting to assassinate them. Did they (then) not do so because they considered Occupy an “insurgency”? Would they consider them as one going forward?
But I’m most interested in what this should mean for hacking.
Here’s how the directive defines “serious bodily harm.”
Serious Bodily Injury means an injury which creates a substantial risk of death or which causes serious, permanent disfigurement or impairment.
As I have noted, NSA has secretly defined “serious bodily harm” to include threat to property — that is, threats to property constitute threats of bodily harm.
If so, a serious hack would represent a threat of bodily harm (and under NSA’s minimization procedures they could share this data). While much of the rest of the Directive talks about how to accomplish this bureaucratically (and the sources and methods excuses for not giving notice), this should suggest that if a company like Sony is at risk of a major hack, NSA would have to tell it (and the Directive states that the obligation applies for US persons and non-US persons, though Sony is in this context a US person).
So shouldn’t this amount to a mandate for cybersharing, all without the legal immunity offered corporations under CISA?
I Con the Record just announced that the NSA will make the phone dragnet data it has “analytically unavailable” after the new system goes live in November, and unavailable even to techs three months later.
On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.
NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.
Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.
As I understand it, whatever data has been found to be two or three degrees of separation from a baddie will remain in NSA’s maw, but the data that has never returned off a search will not.
I’m pleasantly surprised by this, as I suspect it reflects a decision to accept the Second Circuit verdict in ACLU v. Clapper and to move to shut down other lawsuits.
As I noted, two weeks ago the ACLU moved for an injunction against the dragnet, which not only might have led to the Second Circuit ordering the government to purge ACLU’s data right away (and possibly, to stop collecting all data), but also basically teed up the Second Circuit to remind the FISC it is not an appellate court. I worried that would lead the FISC to ask FISCR to review its dragnet decisions under a provision newly provided under the USA F-ReDux.
Shortly after ACLU filed its request for an injunction, the government asked for an extension to … today, which the court granted.
So I assume we’ll shortly see that filing arguing that, since the government has voluntarily set a purge date for all the dragnet data, ACLU should not get its injunction.
That doesn’t necessarily rule out a FISCR fast track request, but I think it makes it less likely.
The other player here, however, is the EFF.
I believe both ACLU and EFF’s phone dragnet client, the Council on American Islamic Relations (CAIR), had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.
EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking about EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).
We’ll see soon enough. For the moment, though, I’m a bit surprised by the cautious approach this seems to represent.
Update: Timeline on data availability fixed.
Update: Here’s the government’s brief submitted today. I’m rather intrigued by how often the brief claims USA F-ReDux was about bulk “telephony” data when it was supposed to be about all bulk collection. But I guess I can return to that point.
Update: They depart from describing USA F-ReDux as a ban on bulk collection of telephony when they describe it as a ban on bulk collection under Section 215, also not what the bill says.
Part of the compromise on which Congress settled, which the President supported, was to add an unequivocal ban on bulk collection under Section 215 specifying that “[n]o order issued under” Section 215(b)(2) “may authorize collection of tangible things without the use of a specific selection term that meets the requirements” of that subsection.
Update: This is key language — and slightly different from what they argued before FISC. I will return to it.
Plaintiffs assert that, by not changing the language of Section 215 authorizing the collection of business records during the transition period, Congress implicitly incorporated into the USA FREEDOM Act this Court’s opinion holding that Section 215 did not authorize bulk collection. See Pls.’ Mot. 7- 8. Plaintiffs rely on language providing that the legislation does not “alter or eliminate the authority of the Government to obtain an order under” Section 215 “as in effect prior to the effective date” of the statute. USA FREEDOM Act § 109, 129 Stat. at 276. That language does not advance plaintiffs’ argument, however, because the statute says nothing expressly about what preexisting authority the government had under Section 215 to obtain telephony metadata in bulk. It is implausible that Congress employed the word “authority” to signify that the government lacked authority to conduct the Section 215 bulk telephony-metadata program during the 180-day transition period, contrary to the FISC’s repeated orders and the Executive Branch’s longstanding and continuing interpretation and application of the law, and notwithstanding the active litigation of that question in this Court. That is especially so because language in the USA FREEDOM Act providing for the 180-day transition period has long been a proposed feature of the legislation. It is thus much more plausible that the “authority” Congress was referring to was not the understanding of Section 215 reflected in this Court’s recent interpretation of Section 215, but rather the consistent interpretation of Section 215 by 19 different FISC judges: to permit bulk collection of telephony metadata.
Amid posts bewailing Rand Paul because the Senator’s substantial discussions of the problems with EO 12333 and Section 702 spying aren’t the substantial discussions he wants (I’ll return to these once more pressing matters have passed), Steve Vladeck has returned to the USA F-ReDux topic on which he doesn’t keep contradicting himself: the amicus.
As he notes (and I noted here), Mitch McConnell is (as we speak) attempting to water down the already flimsy FISC amicus via amendment. And Vladeck — as he has before — exposed the false claims that the objections to the amicus come from the judiciary, this time as represented in the letter from Director of the Administrative Office of US Courts James Duff.
Why is such a radical amendment to a provision in the House bill that was negotiated very carefully so necessary? According to the memo, “Amendment 1451 is responsive to the judiciary’s continual opposition to the amicus structure of the USA Freedom Act,” as manifested in “a letter to Congress from the director of the Administrative Office of the U.S. Courts.”
I don’t mean to belabor the point. If anything, as I suggested yesterday, section 401 of the House-passed USA FREEDOM Act is a terribly weak version of what should have been a very good (and unobjectionable) idea: allowing a security-cleared outside lawyer to participate in the tiny percentage of cases before the FISC that involve applications for anything besides individualized warrants (you know, the cases in which adversarial participation is already authorized). Part of why section 401 is so weak is because members of Congress have consistently allowed themselves to be snookered by (or have found it convenient to hide behind) the objections of the “judiciary.”
On the merits, though, these objections are patently unavailing. And they certainly aren’t the objections of the “judiciary.”
I’ve also tracked how others, like James Clapper, have been using these purported judiciary concerns to undercut the “advocate” that President Obama used to pretend to want.
What’s particularly interesting, however, is one of the recurrent problems the “judges” seem to keep having. Duff emphasizes that one problem with amici is that the Executive would lie to the FISC if telling the truth might risk revealing useful information to an amicus. And as one part of that, he focuses on USA F-ReDux’s intent to get
Designated amici are required to have access to “all relevant” legal precedent, as well as certain other materials “the court determines are relevant.”
We are concerned that a lack of parallel construction in proposed clause (6)(A)(i) (apparently differentiating between access to legal precedent as opposed to access to other materials) could lead to confusion in its application.
This is what Clapper seemed to be going after last September.
Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.
(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—
(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;
Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.
But the really interesting thing — the reason McConnell’s as-we-speak attempt to gut the amicus further — is that the House already fixed some of this. In a manager’s amendment presented as technical clarifications (but which, on this issue, were not), Bob Goodlatte rewrote this passage:
(i) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;
To read like this, to directly address one of Duff’s stated concerns:
(i) shall have access to any relevant legal precedent, and application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;
That is, Goodlatte already gave the court complete discretion over what the amicus could access, up to and including underlying legal precedents.
Of course, all that assumes the courts will get all the information they need, which they have a long history of not doing.
Here’s the real takeaway though. The President likes to claim he supports this reform. But he has already made it clear he didn’t really want an advocate at the FISC, but would instead like the FISC to remain a rubber stamp.
After the Torture Report came out, I argued we ought to take a broader lesson from it about failures of accountability in CIA’s covert programs. Specifically, I noted how the drone program — which operated under the same Memorandum of Notification as torture for years — appeared to suffer from the same problems as the torture program.
On the second day of Barack Obama’s presidency, he prohibited most forms of physical torture. On the third, a CIA drone strike he authorized killed up to 11 civilians.
Other reporting may explain why the report portrays Bush, rightly or wrongly, as so uninvolved in the torture program. Both Woodward and Mayer explain that the Sept. 17, 2001, MON was designed to outsource all the important decision-making to the CIA. “To give the President deniability, and to keep him from getting his hands dirty,” Mayer writes in The Dark Side, “the [MON] called for the President to delegate blanket authority to Tenet to decide on a case-by-case basis whom to kill, whom to kidnap, whom to detain and interrogate, and how.” Whether or not Bush had knowledge of what was going on, the very program itself was set up to insulate him from the dirty work, giving him the ability to claim ignorance of a torture program everyone else knew about. (Later, Bush claimed that he was fully briefed.)
But as we know, this insulation created the conditions for a program that was allowed to spin so horribly out of control that the CIA was able to misplace 29 detainees and not worry all that much.
The implications of this subterfuge, however, do not end with the torture program. Nor with George W. Bush. This is the same MON that authorizes the CIA’s current drone program. Presumably that means the drone program is characterized by the same unaccountable structures.
Indeed, after Obama escalated the CIA’s use of drones when he took office, the program suffered from some of the same problems as the torture program. The CIA appears to have misinformed Congress about the details, given claims by people like House Intelligence Committee ranking member Dutch Ruppersberger (D-Md.) that the program had “very minor” civilian casualties, despite the fact that evidence shows that more than 1,000 people have been killed while targeting fewer than 50 terrorists. And like the CIA’s detention and torture of the wrong suspects, a number of drone strikes have killed the wrong people — but with even greater frequency.
Top-ranking members of Congress, including Sen. Dianne Feinstein (D-Calif.), the chair of the Senate Intelligence Committee, have long insisted they have more oversight over the drone program than they did over torture. But the number of significant mistakes — take, for example, the attack on a wedding party earlier this year — suggests that oversight isn’t preventing the same kind of mistakes that happened with torture. Moreover, as with the torture program, the congressional intelligence committees aren’t able to get the information they request from the White House and the CIA. It was only after years of requests that the intelligence committees were allowed to review the administration’s justification for having the CIA kill Anwar al-Awlaki, a U.S. citizen, with a drone strike. Worse, the reports that the CIA killed Awlaki’s 16-year-old son, Abdulrahman, are also shrouded in secrecy and full of inconsistencies.
AP’s Ken Dilanian has a long article in similar vein, noting that the drone and Non Official Cover program have never been scrutinized this closely, in spite of complaints of abuse.
Yet the intelligence committees have never taken a similar look at what is now the premier counterterrorism effort, the CIA’s drone-killing program, according to congressional officials who were not authorized to be quoted discussing the matter.
Intelligence committee staff members are allowed to watch videos of CIA drone missile strikes to monitor the agency’s claims that civilian casualties are limited. But these aides do not typically get access to the operational cables, message traffic, interview transcripts and other raw material that forms the basis of a decision to kill a suspected terrorist.
Nor have they been able to examine cables, emails and raw reporting to investigate recent perceived intelligence lapses, such as why the CIA failed to predict the swift fall of Arab governments, Russia’s move into Ukraine or the rapid military advance of the Islamic State group.
And there have been no public oversight reports on the weak performance of the CIA’s multibillion-dollar “nonofficial cover” program to set up case officers posing as businessmen, which has met with some criticism.
In addition to the nice review of how Dianne Feinstein’s staffers managed to do this work (which you should click through to read), Dilanian also got a fairly scathing interview with Feinstein herself (though she insists drones get enough oversight). In it, she professes to have lost her faith that CIA is telling the truth in briefings.
The torture investigation, she said in an interview with The Associated Press, has “changed how I view management in the CIA. It’s changed how I view the brotherhood of the CIA. I believe you do not lie to your oversight committee. And I think the way the program was managed was sloppy.”
The lesson for traditional intelligence oversight, she said, was that “you can sit and listen to a report — you don’t know whether it’s all the truth, you don’t know what gets left out. And part of (CIA) tradecraft is deception.”
She said she believes the CIA continues to lie about the effectiveness of torture.
And she dishes on White House collaboration with the CIA to overclassify the report.
But while Obama publicly supported releasing the report’s findings and conclusions, the administration privately pushed to keep significant parts of the summary secret, Feinstein said.
“The president said that he agreed the report should be made public, that he doesn’t condone (the harsh interrogations), but it sort of ends there,” Feinstein said.
She said she perceived “an incredible closeness” between Obama’s chief of staff, Denis McDonough, and Brennan, “and the president and John Brennan.” In negotiations with Feinstein about what parts of the summary should be censored, McDonough spoke for the White House, but there was no daylight between him and the CIA, she said.
Feinstein said both wanted to black out large chunks of the executive summary in the name of protecting sensitive information.
It also provides more details on the attempt to fearmonger DiFi into suppressing the report at the last minute, including that Democrats did not find James Clapper’s report on the dangers of releasing it all that convincing.
This is, I think, one of the necessary conclusions to draw from the Torture Report: oversight isn’t working, because — as DiFi notes — CIA’s tradecraft is all about deception.
Let’s hope she really has learned a bit from this process, even if it’s too late to do anything about it as Chair.
As I keep explaining to gobsmacked security experts, according to the DHS, not only are motion picture studios like Sony considered Critical Infrastructure the security establishment must protect, but so are casinos (and campgrounds!) as part of the “Commercial Facilities Sector.”
The Commercial Facilities Sector consists of eight subsectors:
- Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
- Sports Leagues (e.g., professional sports leagues and federations).
- Gaming (e.g., casinos).
- Lodging (e.g., hotels, motels, conference centers).
- Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
- Entertainment and Media (e.g., motion picture studios, broadcast media).
- Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
- Retail (e.g., retail centers and districts, shopping malls).
Which is why I find it interesting that along with noting that hackers might start altering — rather than just zeroing out — the entries in software, in his Global Threats testimony James Clapper asserted that “Iranian actors have been implicated” in hacking Sheldon Adelson’s casino.
Iran very likely values its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence. Iranian actors have been implicated in the 2012-13 DDOS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company.
A number of outlets reported that Iran, rather than Iranian actors, did the hack.
Bloomberg reported that Iranians were behind the hack in December.
I can think of a number of reasons why the US didn’t make a bigger deal out of Iranians hacking our critical infrastructure, Sheldon Adelson’s casinos. Because they couldn’t prove the tie between the actors and the Iranian state, because fighting to protect Adelson’s corruption is less palatable than fighting to protect Hollywood, because it would have focused on Adelson’s threats to bomb Iran, and because they’re trying to craft a peace deal.
And that’s probably just a start.
Still, I’m surprised others — such as Bibi Netanyahu — haven’t made a bigger issue out of Iranian actors’ successful attack on one of the people funding the anti-Iranian lobby.
Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?
(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;
Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.
It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.
Integrity of Information
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
- Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.
Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).
But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.
In the Q&A portion of a James Clapper chat at Council on Foreign Relations yesterday, he was asked about the phone dragnet and Section 215 (this starts after 48:00).
He made news for the way he warned Congress that if they take away Section 215 (he didn’t specify whether he was talking about just the phone dragnet or Section 215 and the roughly 175 other orders authorized under it) and something untoward happens as a result, they better be prepared to take some of the blame.
Q: In recent days the government reauthorized the telephone metadata collection program through June 1st, when there’s the Sunset date, obviously, of Section 215 of the PATRIOT Act. What do you want to see happen after that?
Clapper: Well, what we have agreed to, Attorney General Eric Holder and I, last September, signed a letter saying that we supported the notion of moving the retention of the data to providers in a bill that was — actually came out of the Senate from Senator Leahy, so we signed up to that. I think that’s the only thing that’s realistic if we’re going to have this at all. In the end, the Congress giveth and the Congress taketh away. So if the Congress in its wisdom decides that the candle isn’t worth the flame, the juice isn’t worth the squeeze, whatever metaphor you want to use, that’s fine. And the Intelligence Community will do all we can within the law to do what we can to protect the country. But, I have to say that every time we lose another tool in our toolkit, you know? It raises the risk. And so if we have — if that tool is taken away from us, 215, and some untoward incident happens which could have been thwarted had we had it I just hope that everyone involved in that decision assumes responsibility. And it not be blamed if we have another failure exclusively on the intelligence community.
At one level, I’m absolutely sympathetic with Clapper’s worries about getting blamed if there’s another attack (or something else untoward). In some cases (particularly in the aftermath of the 2009 Nidal Hasan and Umar Farouk Abdulmutallab attacks), politicians have raised hell about the Intelligence Community missing a potential attack. But that really did not happen after the Boston Marathon; contemporaneous polls even said most people accepted that you couldn’t prevent every attack. Moreover, in that case, NSA — the entity running the phone dragnet — was excluded from more intensive Inspector General review, as NSA has repeatedly been in the past (including, to a significant extent, the 9/11 attack), even though it had collected data on one or both of the Tsarnaev brothers but not accessed it until after the attack. In other words, NSA tends not to be held responsible even when it is.
Clapper’s fear-mongering has gotten most of the attention from that Q&A, even more than Clapper’s admission elsewhere that “moderate” in Syria — he used scare quotes — means “anyone who’s not affiliated w/I-S-I-L.”
But on the phone dragnet, I found this a far more intriguing exchange.
Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?
Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.
In general, discussions about why the NSA needs 5 years of phone dragnet have used a sleeper argument: a suspect might have spoken to someone of interest 4 years ago, which would be an important connection to identify and pursue. But that’s not what Clapper says here. They need years and years of our phone records not to find calls we might have made 5 years ago, but to “discern patterns.”
Well, that changes things a bit, and may even suggest how they’re actually using the phone dragnet.
While we know they have, at times, imputed some kind of meaning to the lengths of calls — for a while they believed calls under 2 minutes were especially suspicious until they realized calls to the pizza joint also tend to be under 2 minutes — there’s another application where pattern analysis is even more important: matching burner phones. You need a certain volume of past calls to establish a pattern of a person’s calls so as to be able to identify another unrelated handset that makes the same pattern of calls as the same person.
Connection chaining, not contact chaining.
Clapper’s revelation that they need years of retention for pattern analysis, not for contact chaining, seems consistent with the language describing the chaining process under USA Freedom Act.
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
That is, they’d be getting all the calls the target had made, as well as all the calls an identifiable target’s associate or additional phone had made.
And remember, one of the NSA’s two greatest “successes” with the phone dragnet — when they found that Adis Medunjanin, whom they already knew to be associated with Najibullah Zazi, had a phone they hadn’t known about — involves burner matching. That match took place at an important moment, too, when the NSA had turned off its automatic correlation process (which uses a dedicated database to identify the other known identities of a person in a chain), and when its queries were as closely controlled as they ever have been in the wake of the massive violations in 2009. At a time when they were running a bare bones phone dragnet, they were still doing burner matching, and considered that a success.
Now, let me be clear: matching the burner phones of real suspects is a reasonable use for a phone dragnet, though the government ought to provide more clarity about whether they’re matching solely on call patterns or on patterns of handset use, including on the Internet. It’d also be nice if anyone caught in this fashion had some access to the accuracy claims the government has made and the basis used to make those accuracy claims (for one incarnation of the Hemisphere dragnet, DEA was claiming 94% accuracy, based on 10 years of data and, apparently, multiple providers). And this points to the importance of retaining FISC review of the targets, because people for whom there is no reasonable articulable suspicion of ties to terrorism ought to be able to use burner phones.
James Clapper’s office has gone to great lengths to try to hide any mention of pattern analysis in declassified discussions of the phone dragnet. Apparently, Clapper doesn’t think that detail needs to be classified anymore.
I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.
At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.
Unpredictable instability is the new normal. The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.
It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.
And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).
US-backed neoliberalism and austerity, and the underlying bank crisis that provided the excuse for them, have contributed to instability elsewhere, and probably underlie those countries that Clapper thinks might grow unstable in the next year.
We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).
There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.
There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.
Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).
Still, even though Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?
I noted the other day how centrally James Clapper foregrounded his recent trip to North Korea in his discussion of the alleged North Korean hack of Sony. Now that the transcript is up, I see the trip was even more central in his discussion than reports had indicated. After noting that Jim Comey (whom he called “the senior expert on the investigative side of cybersecurity”) and Admiral Mike Rogers (whom he called “the senior expert on how cybersecurity ops actually happen”) would say more in following speeches, Clapper launched into a description of his trip, as if it were central to the discussion of the hack.
I’m not an expert on cyber. I guess that’s a way of saying I’m going to refer technical questions to the real experts here.
So, I was trying to think through what my contribution to this conference could possibly be. Well, I recently traveled to North Korea (and back, happily). So I thought I’d talk about that. [delayed laughter]
Yes, that’s a joke. [laughter] I learned from Father McShane that this crowd needs cuing. [laughter, applause]
I’ll talk about that and how it applies to this week’s conversation about cyber, given the Sony hack.
The first question I always get about the trip is: “Why you?” As in, “Why on earth would we send the DNI, the director of national intelligence, especially this DNI, on a diplomatic mission to get two American citizens who were imprisoned in North Korea?”
Why would they send me? The truth is, the mission had been in the works for quite a while.
I find it interesting that Clapper described such a lead-up to the meeting. At the time, it was much more closely tied to the October 21 release of Jeffrey Fowle (though that, too, could have been in the works for months).
North Korea wanted an active member of the National Security Council and a cabinet level official to come and to bring a letter from President Obama.
Note Clapper describes North Korea’s goal was that he “bring a letter” from President Obama. I find that notable given the reporting at the time about that letter — and Clapper’s unwillingness to read it during his press blitz about it.
The White House knows I’ve had a long history of working Korean issues, since I served as chief of intelligence for U.S. Forces in Korea in the mid-‘80s. So the White House put my name forward to the DPRK, the Democratic People’s Republic of Korea as they call themselves, government in Pyongyang. And I think we were all surprised, to include me, when they agreed. That’s how and why I was picked to go.
Actually, I thought the New York Times had a better explanation: Clapper is “Gruff, blunt-speaking and seen by many as a throwback to the Cold War.” [laughter]
“An unlikely diplomat, but perfect for the North Koreans.” [laughter]
Clapper is adopting the NYT’s description to pitch this as a Cold War, even though reporting at the time suggested relations with North Korea might be improving.
That’s the nicest thing the New York Times has ever written about me. [laughter, applause]
After that jokey beginning, Clapper took a long diversion to talk about how to prevent hacks and to provide some characterization of our adversaries online. Which brought him back to his discussion of the alleged North Korea hack, presented in contradistinction to what Clapper claimed was China’s objective — to break into networks to steal data that would allow it to surpass the US economically (which I don’t believe fully describes their motives or their actions).
That’s China’s primary motivation: to catch up to and then surpass Western industrial and defense capabilities and to eventually pass by the U.S. economy.
From there, Clapper claims, dubiously, that the Sony hack was the most damaging hack in the US, presenting it as stemming from an “entirely different philosophy” than he ascribes to China.
The Chinese are focused on those goals; whereas the recent cyber attack from North Korea, which by the way is the most serious cyber attack ever made against U.S. interests with potentially hundreds-of-millions of dollars and counting in damages, was driven by an entirely different philosophy.
He then launches into his own representation of North Korea as the quintessential totalitarian society, where people do mundane, labor-intensive jobs (which could be said about many countries) and where people “don’t show any emotion,” where they don’t even converse or laugh.
So, back to the weekend trip I took, which was exactly two months ago today. We flew into Pyongyang, the capital city, on Friday evening, the seventh of November. And the first thing that struck me was just how dark the city and airport were, just completely dark. We damaged a tire on the plane while taxiing in the dark, because of the poor construction of the taxiways and runways at Sunan airport.
Then, when I saw the city on Saturday, I was expecting to see drab clothes and lack of modern tools, people walking to get around, people sweeping and doing similar, mundane, labor-intensive jobs. And those expectations were met, from what I saw of Pyongyang. But I was also struck by how impassive everyone was. They didn’t show any emotion. They didn’t stop to greet each other, didn’t nod hello, and we didn’t see anyone conversing or laughing. They were just going about their business, going wherever they were going. It was almost automaton like. It was eerie.
This is James Clapper the dystopian novelist, depicting what he saw in less than 24 hours of being exposed to those whom North Korea permitted to be exposed to America’s top spy. Which Clapper then contrasts with the pleasure enjoyed by North Korea’s Generals (I’m curious how recently Clapper has considered how our menial laborers’ public lives would contrast with top Generals’ festive dinners?).
And the plight of the citizens of Pyongyang stood in solemn contrast to the dinner I had the previous night, Friday the seventh, an elaborate 12-course Korean meal. Having spent time in Korea, I consider myself somewhat a connoisseur of Korean food, and that was one of the best Korean meals I’ve ever had. Unfortunately, the company was not pleasurable.
By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.
That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.
But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community are so certain North Korea, the country, did the Sony hack.
Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).
You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
That is, Comey’s new tell, which has gotten headlines along with other apparent leaking from Mandiant about a Facebook account, is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]
Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.
IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.
Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.
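Here is what the “sloppy” tell Comey describes looks like when written down as detection logic, as an added example that is not part of the post and not the FBI’s tooling. It runs over a constructed log of posting and e-mailing events, separates the ones that went through the actors’ usual proxy exits from the ones that connected directly, and reports how long a direct connection from an attributed netblock stayed exposed. The event log and the proxy exit addresses are constructed; the netblock 175.45.176.0/22 is assumed to be the DPRK allocation that the 175.45.178.xx address quoted later in the post from the Dark Seoul reporting belongs to.

```python
"""Added example: flagging OPSEC slips in a stream of posting events.

Not code from the post or from any agency. The events, the proxy exit
addresses and the netblock attribution below are constructed/assumed.
"""
from ipaddress import ip_address, ip_network

# Assumed attribution table: block name -> networks. The /22 is an
# assumption about the allocation the quoted 175.45.178.xx address sits in.
ATTRIBUTED = {"dprk-star-jv (assumed)": [ip_network("175.45.176.0/22")]}

# Constructed: exit addresses of the proxies the actors normally used.
KNOWN_PROXY_EXITS = {ip_address("198.51.100.23"), ip_address("203.0.113.77")}

# Constructed event log: (utc timestamp, source ip, action).
EVENTS = [
    ("2014-11-24T08:01:12Z", "198.51.100.23", "post"),
    ("2014-11-24T08:05:40Z", "203.0.113.77", "email"),
    ("2014-11-25T02:13:09Z", "175.45.178.19", "post"),   # direct, attributed block
    ("2014-11-25T02:13:51Z", "175.45.178.19", "email"),
    ("2014-11-25T02:20:00Z", "203.0.113.77", "post"),    # back behind the proxy
    ("2014-11-26T11:42:33Z", "192.0.2.55", "post"),      # direct, unattributed
]


def attributed_to(ip):
    """Name of the attributed block containing `ip`, or None.

    A hit says which allocation an address belongs to, not who was at the
    keyboard: a compromised host inside the block yields the same answer."""
    addr = ip_address(ip)
    for name, nets in ATTRIBUTED.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify(event):
    """Label one event: 'proxy', 'direct:<block>' or 'direct:unattributed'."""
    ts, ip, action = event
    if ip_address(ip) in KNOWN_PROXY_EXITS:
        return (ts, ip, action, "proxy")
    block = attributed_to(ip)
    return (ts, ip, action, f"direct:{block}" if block else "direct:unattributed")


def slips(events):
    """Direct connections from an attributed block (the 'got sloppy' cases),
    grouped by address: ip -> (first seen, last seen, event count)."""
    by_ip = {}
    for ts, ip, action, label in map(classify, events):
        if label.startswith("direct:") and label != "direct:unattributed":
            first, last, n = by_ip.get(ip, (ts, ts, 0))
            by_ip[ip] = (min(first, ts), max(last, ts), n + 1)
    return by_ip


if __name__ == "__main__":
    for labelled in map(classify, EVENTS):
        print(labelled)
    print("exposed:", slips(EVENTS))
```

Run it and the one address that connected directly from the attributed block is exposed for 42 seconds across two events, which is the shape of evidence Comey describes. What the code also makes plain is the limit of that evidence: `attributed_to` answers only “which allocation,” so the same two events would be produced by anyone operating a host inside that block.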
But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.
He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.
However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).
I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.
Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.
Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.
But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?