I’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.
For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).
But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?
The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is generally now described as Iranian retaliation for Stuxnet, though at the time potential attribution ranged from hacktivists to a single hacker to Aramco insiders. The Sony hack used tools related to the Shamoon attack.
Not long after the Aramco hack, the NSA expanded their Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the lead) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.
So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.
But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?
In February 2011, around the time the CIA took over the hunt for Anwar al-Awlaki, NSA started collaborating with Saudi Arabia’s Ministry of Interior’s (MOI) Technical Assistance Directorate (TAD), under the umbrella of CIA’s relationship with MOI (it had previously cooperated primarily with the Kingdom’s Ministry of Defense).
On August 15, 2011, hackers erased the data on two-thirds of the computers at Saudi Aramco; American sources claim Iran was the culprit.
On September 30, 2011, CIA killed Anwar al-Awlaki, using drones operated from a base on Saudi soil.
On November 5, 2012, King Abdullah named close John Brennan ally Mohammed bin Nayef (MbN) Minister of the Interior; MbN had for some time been our top counterterrorism partner in the Kingdom.
On December 11, 2012, James Clapper expanded NSA’s Third Party SIGINT relationship with the Kingdom of Saudi Arabia, for the first time formally including the Ministry of Interior’s Technical Affairs Directorate.
Between January 14 and 16, 2013 MbN traveled to Washington and met with just about every top National Security person (many of whom, including Brennan, were just assuming new jobs). On January 16, MbN and Hillary Clinton renewed and expanded the Technical Cooperation Agreement initiated in 2008. The TCA was modeled on the JECOR program used from the late 1970s until 2000 to recycle US dollars into development programs in Saudi Arabia; in this more recent incarnation, the Saudis recycle dollars into things like a 30,000 mercenary army and other military toys for internal stability and border control. Last year’s renewal — signed just over a month after Clapper made the Saudis full Third Person partners — added cybersecurity to the portfolio. The TCA — both the existing security resources and its expansion under close ally MbN — shored up the power base of one of our closest partners (and at a time when we were already panicking about Saudi succession).
In other words, in addition to expanding Saudi capabilities at a time when it has been cracking down on peaceful dissent, which is what the Intercept story on this document discusses, by giving the Saudi MOI Third Party status, we added to the power of a key ally within the royal family, and did so at a time when the TCA was already shoring up his power base.
We did so, the Information Paper makes clear, in part because MOI has access to internal Saudi telecommunications. While the Information Paper talks about AQAP and Iran’s Republican Guard, they are also targeting Saudi targets.
And these new capabilities? They get coordinated through Chief of Station in Riyadh, the CIA. John Brennan’s agency.
It’s all very tidy, don’t you think?
Remember when it was outrageous that the Iranians had (allegedly) hacked Aramco? In addition to wiping hard drives (though in ways that left the computers recoverable), they also took and threatened to release documents.
In news that I earlier predicted, NSA and GCHQ have hacked OPEC, including Saudi Arabia’s OPEC Minister (though NSA managed to detask him when he came to the US).
Spiegel doesn’t provide much detail of what they’ve gotten — just a tantalizing overview, particularly given the likelihood that the speculation claim pertains to the skyrocketing prices in 2008, which (among other things) the Saudis used to get us into a new security cooperation agreement.
None of this is surprising. But as we try to fearmonger new wars based on one party hacking another, it’s probably safe to assume we got there first.
It stated that OPEC officials were trying to cast the blame for high oil prices on speculators. A look at files in the OPEC legal department revealed how the organization was preparing itself for an antitrust suit in the United States. And a review of the section reserved for the OPEC secretary general documented that the Saudis were using underhanded tactics, even within the organization. According to the NSA analysts, Riyadh had tried to keep an increase in oil production a secret for as long as possible.
Our TCA with Saudi Arabia (and the fact that we (Booz, in fact!) are now providing it with cybersecurity) may well be one reason it is no longer a top NSA target.
OPEC appears in the “National Intelligence Priorities Framework,” which the White House issues to the US intelligence community. Although the organization is still listed as an intelligence target in the April 2013 list, it is no longer a high-priority target.
Who needs to hack when you’re in charge of cybersecurity?
And guess which company has a lot of that business? Edward Snowden’s former employer, Booz.
Department of Energy Secretary Steven Chu just resigned.
Which got me thinking about my latest obsession: the Technical Cooperation Agreement between Saudi Arabia and the US, under which (as far as the agreement admits publicly) the US helps the Saudis protect their critical infrastructure (read, oil fields) and borders. While the TCA is managed by State, it includes significant involvement on the part of DOD — particularly CentCom, DOE (because in Saudi Arabia infrastructure is energy), and Treasury (which handles the magic bank account at its core). In addition, a new focus on cybersecurity (presumably a response to the recent Aramco hack) gives DHS and NSA an increasing role.
So check out the list of people MbN met with while he was in DC from January 14 to 16, in significant part to “renew” the TCA (four months before the old one expired).
Prince Mohammad also met with a number of senior U.S. officials throughout his visit, including Secretary of State Hillary Clinton, Attorney General Eric Holder, Secretary of Homeland Security Janet Napolitano, Director of National Intelligence James Robert Clapper, Deputy Secretary of State Bill Burns, Treasury Deputy Secretary Neal Wolin, National Security Advisor Tom Donilon, John Brennan, assistant to the president for homeland security and counterterrorism, Director of the Federal Bureau of Investigation (FBI) Robert Mueller, and Director of the National Security Agency General Keith B. Alexander.
Remarkably, MbN didn’t waste his time with any outgoing cabinet member — not TurboTax Timmeh, not Chu, not Panetta — except for Hillary, with whom he was signing this agreement. While TurboTax Timmeh and Panetta’s departures were known, Chu’s was only rumored.
John Brennan is moving, sure, but I suspect his move won’t change his interactions with MbN — who has been a key stovepipe for Brennan — one whit.
The most interesting person MbN managed to not waste his time with on the visit, apparently, was General James Mattis, who was about to be, but had not yet been, ousted several months early the week MbN was in town.
I’m not suggesting this is all that meaningful, mind you. I just find it notable that MbN seemed to have a better sense of what was going on with Obama’s top national security leadership than most of the journalists in DC.