Operation Buckshot Yankee and WikiLeaks

Ellen Nakashima had a long article on Thursday using the 2008 thumb drive infection of DOD’s networks (including, she mentions in passing, the top-secret JWICS system) to describe the evolution of our approach to cybersecurity.

The whole thing is worth a close reading. But I’m particularly interested (as always) in reading it with WikiLeaks in mind. As Nakashima notes after describing the supposedly stringent response to the 2008 infection, which included “banning” thumb drives, Bradley Manning is suspected of downloading entire databases via the same means, removable media.

As the NSA worked to neutralize Agent.btz on its government computers, Strategic Command, which oversees deterrence strategy for nuclear weapons, space and cyberspace, raised the military’s information security threat level. A few weeks later, in November, an order went out banning the use of thumb drives across the Defense Department worldwide. It was the most controversial order of the operation.

Agent.btz had spread widely among military computers around the world, especially in Iraq and Afghanistan, creating the potential for major losses of intelligence. Yet the ban generated backlash among officers in the field, many of whom relied on the drives to download combat imagery or share after-action reports.


The ban on thumb drives has been partially lifted because other security measures have been put in place.


What is clear is that Agent.btz revealed weaknesses in crucial U.S. government computer networks — vulnerabilities based on the weakest link in the security chain: human beings. The development of new defenses did not prevent the transfer of massive amounts of information from one classified network to the anti-secrecy group WikiLeaks, an act that the government charges was carried out by an Army intelligence analyst.

Now, first of all, is it really a stunning revelation that introducing removable media into a secret or top-secret network might be a “vulnerability”? It took an attack to make that clear?

And if DOD has put so many security measures in place, then how did the Creech Air Force Base, which controls our drones, get infected?

Then there’s Nakashima’s discussion of how DOD could respond to “an attack” in the United States. She makes it clear that in the aftermath of the thumb drive attack, the military decided (to its chagrin) its rules of operations should not allow it to bring down a server in this country.

By the summer of 2009, Pentagon officials had begun work on a set of rules of engagement, part of a broader cyberdefense effort called Operation Gladiator Phoenix. They drafted an “execute order” under which the Strategic and Cyber commands could direct the operations and defense of military networks anywhere in the world. Initially, the directive applied to critical privately owned computer systems in the United States.

Several conditions had to be met, according to a military official familiar with the draft order. The provocation had to be hostile and directed at the United States, its critical infrastructure or citizens. It had to present the imminent likelihood of death, serious injury or damage that threatened national or economic security. The response had to be coordinated with affected government agencies and combatant commanders. And it had to be limited to actions necessary to stop the attack, while minimizing impacts on non-military computers.


The debate bogged down over how far the military could go to parry attacks, which can be routed from server to server, sometimes in multiple countries. “Could you go only to the first [server] you trace back to? Could you go all the way to the first point at which the attack emanated from? Those were the questions that were still being negotiated,” said a former U.S. official.

The questions were even more vexing when it came to potentially combating an attack launched from servers within the United States. The military has no authority to act in cyberspace when the networks are domestic — unless the operation is on its own systems.

Ultimately, Nakashima seems to say, the government decided DOD should not be able to disable a server in the US.

But then, the next year, someone disrupted WikiLeaks servers, including–probably using political, not cyber force–its US-based Amazon servers. Aside from the supposedly “former” special forces member who claimed credit for the first attacks, we’ve never had adequate explanation of how and under what authority the government brought down WikiLeaks.

And check out the standards–more of the Executive Branch deciding who our enemy is in secret–they used.

The provocation had to be hostile and directed at the United States, its critical infrastructure or citizens. It had to present the imminent likelihood of death, serious injury or damage that threatened national or economic security.

Did someone decide WikiLeaks met these terms? If so, is the standard for a threat to national security so low that the WikiLeaks disclosures would merit such an action? Really?

And where does the use of other authorities–pressuring Visa and MasterCard and PayPal and Amazon to stop doing business with an entity–come into this?

Nakashima’s sources seem to want to suggest that they have no authority to stop attacks in the US. But someone does–and has already used it. And used it against an entity DOJ had not yet created an exception for in its definition of media.

19 replies
  1. Clark Hilldale says:

    The Nakashima WaPo piece – filled with authorized leaks, and featuring thumb drive skullduggery – appears right in time for Manning’s Article 32 hearing next week at Fort Meade.

    Gotta be just one of them coincidences.

  2. MadDog says:

    …The provocation had to be hostile and directed at the United States, its critical infrastructure or citizens. It had to present the imminent likelihood of death, serious injury or damage that threatened national or economic security. Or the provocation had to be the embarrassment of the United States

    I’m sure the part I’ve bolded was merely left out due to an oversight.

  3. Clark Hilldale says:


    No direct impact I suppose, but my point was about the convenient timing for the influencing of public opinion.

    The prominent placement of the story in the print newspaper could help ensure that many readers are prepared to have the desired opinion as to the damage caused by Manning when the news from his hearing follows closely behind.

    You and I (and everyone here) know that these are two separate security flaps, but the average person might not. Anyway, the Agent.btz infection occurred in 2008. Somebody decided that the reveal had to come right now.

    Perhaps I am tilting at windmills here. Perhaps not.

  4. MadDog says:

    OT – Via the AP:

    “CIA spy plane loss exposes covert US-Iran conflict

    …The covert operations in play are “much bigger than people appreciate,” said Stephen Hadley, former national security adviser under President George W. Bush. “But the U.S. needs to be using everything it can.”

    Hadley said that if Iran continues to defy U.N. resolutions and doesn’t curb its nuclear ambitions, the quiet conflict “will only get nastier…”

  5. MadDog says:

    @MadDog: Is this related to Hadley’s tenure perhaps? The timing says yes:

    “…U.S. surveillance of Iran through various means has been going on for years, U.S. officials and others with direct knowledge of the situation say.

    A private U.S. defense expert, who spoke on condition of anonymity, said that when he visited the command center at a U.S. military base in the Gulf region in 2008, it was clear that the installation was receiving multiple feeds of electronic surveillance information from inside Iran.

    Some of the information appeared to be transmitted from high-altitude aircraft and some from electronic sensors which the United States had somehow installed on the ground in Iran, the expert said…”

  6. bmaz says:

    @Clark Hilldale: No, I can see it may have some of the public opinion shaping value you note, though not sure how much as it is only tangentially related to WL/Manning in that they both demonstrate weaknesses (weaknesses that STILL are not necessarily remedied). I guess my point was, since it is a UCMJ process, there is not the normal, or not same level anyway, of concern of jury pool contamination.

    I honestly do not think there will be an actual trial in Manning, I think the level of evidence against him is likely far more damning than people think, especially on all the back up charges. As to the top counts, he has at least a shot at defeating the “aiding the enemy” element; but, even on these counts, I think he is likely to have an extremely uphill fight to be acquitted, especially in front of a military jury.

    If I were defending him, I would see where the evidence stands after the Article 32, and then start talking about a deal to keep him to ten years or less incarceration with credit for time served. The key weakness is whether the govt can really tie him to the predicate acts. If everything relies on Lamo and those chat logs, they have a big problem. If they have detailed computer forensics we don’t really know about yet, which I think is likely, then Manning is in a world of hurt and you probably have to plea him.

  7. orionATL says:


    if military trials were ever truly fact-based, law-based and fair, manning’s trial would work from a base of a specific offence which is a misdemeanor carrying 6-months max.

    the other charges, along the lines of aid-and-comfort -to-the-enemy are sham charges manufactured by angry military and civilian muckty-mucks after american supporters of manning began bringing his torture to the american and world opinion.

    but important military trials are rigged to meet the presumed ” needs” of the military; they are, in fact, show trials. manning’s will be such a trial.

    the military’s trial of col. billy mitchell is an example of this kind of “trial” – the outcome is foregone; “punishment tribune” would be a better name.

    no matter what the circumstances of law or fact, you can be sure that manning will be severely punished. a death sentence would not surprise me at all.

    his trial will NOT be about fact or law. it will be a flogging designed to scare the hell out of other soldiers.

    i would argue command influence, inhumane treatment designed to elicit a confession, releasing info kept hidden from the american people by their govt officials, and the knowing neglect of military security by military officials and a foolish decision by the state dep’t,

    in addition to the simple facts of the case.

    might as well be hung for a sheep as a lamb.

  8. bmaz says:

    @pdaly: Dude. There is that which is, and that which may in a different world, may be. As a lawyer, with an actual live client to represent, that is how, from what I know, I would be thinking. The constructs of the starry eyed masses are much different from those within the actual decision frame. I would hazard a guess this is not a foreign thought to you.

  9. Jim White says:

    @MadDog: I read that comment earlier this morning, not too long before picking up my copy of Jay Feldman’s Manufacturing Hysteria that is going to be in a Book Salon at Firedoglake on January 8.

    On pages 35 and 36, Feldman is telling us about Postmaster General A.S. Burleson and how he chose to enforce the Espionage Act passed at the beginning of World War I in 1917:

    As soon as the Espionage Act became law, the postmaster general rolled up his sleeves and got down to serious business. The day after Wilson signed the new legislation, Burleson sent a secret directive to local postmasters across the country, instructing them to “keep a close watch on unsealed matters, newspapers, etc.,” looking for anything “calculated to . . . cause insubordination, disloyalty, mutiny, or refusal of duty in the military or naval service, or to obstruct the recruiting, draft or enlistment services . . . or otherwise embarrass or hamper the Government in conducting the war.” Local postmasters were instructed to forward any suspect material to Washington. By including material that might “embarrass” the government, Burleson clearly exceeded his authority, imputing to the Espionage Act stipulations that its language nowhere expressed or even implied.

    Wilson attempted to rein in Burleson a few times, but ultimately let him do as he pleased. Burleson held up delivery of several labor, Socialist and anarchist publications and then followed by cancelling their second class postage status on the basis that they were no longer periodicals since one issue had not been delivered.

    I’m only three chapters in so far, but this is a tremendous book. [The appended part of the title is “A History of Scapegoating, Surveillance, and Secrecy in Modern America”.] I can’t decide if it’s reassuring that these same abuses of civil rights have been used for over a hundred years to fan the hysteria of patriotism through suppressing minority opinions with our country still surviving or if it is depressing that the same tactics by the monied war-mongers always succeed.

  10. pdaly says:


    My comment was meant as snark, but I didn’t think it was that far off the mark.

    If Manning’s prolonged mistreatment in pretrial custody does not rise to the level of torture, well then that is depressing.

    If you agree, however, that his treatment meets the definition of torture, but you, as his lawyer (and I defer to your expertise in the court’s dynamics) would steer very clear of raising such charges in any hypothetical deal, well, then that is depressing, too.

    Torture cannot be mentioned as a reason for releasing early a guilty (for the sake of this argument) party?
    If there cannot be blind justice, then let’s hope for at least justice with really advanced cataracts… and a pretty pony, too.

  11. orionATL says:



    well said, pdaly.

    i would add, for bmaz’ sake,

    that harvard-trained lawyer barraks obama, is treating the u.s. presidency,

    in a time of great societal crisis,

    in precisely the same hyper-cautious, conservative way that bmaz advocates lawyering in manning’s unusual case.

    this kind of no-imagination-needed conservative approach to a client (lawyer) or patient (physician) is appropriate in the great majority of cases/clients;

    it is most certainly not appropriate in rare cases like manning’s.

    a conventional approach to defending manning will protect the jag officer’s career, but guarantee that manning receives severe punishment for an activity that should have accorded him a tolerant brief sentence.

    we all know that the u.s. military will not commend manning;

    we all know that the judge in manning’s trial will bat down reasonable arguments using legal sophistry,

    in the same intellectually dishonest way that military judges batted down reasonable arguments in the guantanamo cases – and do so over and over again.

    we all, or most of us, know that, in the reign of king barracks, manning is likely to be severely punished.

    thus the need for a balls-out defense of manning, rather than a “please don’t be too mean to my client defense” of the sort bmaz invokes.

    the manning case is too important to the man and the nation to applaud a recommendation supporting timid, pleading lawyering.

  12. pdaly says:


    If bmaz were to choose not to mention torture in front of a judge/plea deal in this hypothetical, I’m sure he would follow that tact in order to protect his hypothetical client’s interests.

    That the court would react negatively (and bmaz’s client’s interests would likely be harmed) if the word torture was uttered by defense counsel is what I find offensive.

  13. bmaz says:

    @pdaly: As loathsome as it is/was, Manning’s treatment during detention does not, in any way I am aware of (i.e. such as confessions etc, of which there were none) impact or impinge on his guilt or innocence. So, not only would I not raise it in defense on the merits I doubt it would be deemed admissible even if I wanted to. It would, however, be a valid factor to raise in terms of sentencing, and mitigation thereof.
