Hacking in the IOB Reports

If I’m not mistaken, this — in the Q3 2008 NSA Report to the Intelligence Oversight Board — is the first mention of Computer Network Exploitation in the reports.

Screen Shot 2015-01-04 at 9.25.22 AM


As with almost every single reference to CNE — that is, hacking, or the use of malware to be able to spy on a target — this one is entirely redacted. (The sole exception is a targeted email that was detasked because the target entered the US, in the Q1 2009 report).

The number/complexity of incidents or details expand for some years, as with this in Q2 2009.

Screen Shot 2015-01-04 at 9.31.07 AM

The entries invariably cite 18 USC 798 as a FOIA exemption. They vary on whether they’re FVEY (that is, permissibly shared with members of the Five Eyes) or NF (that is, not to be shared with any foreign government), though in later years the entries have much more frequently been NF — take that, Brits! And the entries appear under “Other,” not EO 12333 (which is curious, given that hacking should be governed by EO 12333).

After that first, single-incident mention, CNE appears in each report until Q4 2011, after which it doesn’t appear again (though there is an entirely redacted section that appears in all but the most recent report in the EO 12333 section).

I make these observations not because they tell us anything about what kind of hacking the NSA is doing (you can look to Snowden’s documents for that). But to lay out several questions.

If — as claimed in Shane Harris’ @War hacking is increasingly how we collect SIGINT — how is it regulated? Did NSA, does NSA still, consider it to be something other than EO 12333 collection? What counts as a violation when you’re hacking to collect intelligence? To what degree is IOB overseeing the methods used, as opposed to just the actions that’d be violations regardless of the collection type (as detasking someone in the US would be)? And if CNE (hacking) has entirely disappeared from these reports, does that mean NSA has just cleaned up its act, or that it simply doesn’t report on this anymore?

I get why these passages are entirely redacted. In part, NSA is sustaining the same myth it sustains when it doesn’t admit StuxNet. It’s pretending it is not engaging in the same hacking it sanctions North Korea for.

Only it is. Which raises real questions about what kind of oversight it gets.


3 replies
  1. wallace says:

    quote”I get why these passages are entirely redacted.”unquote

    ROTFIGSL. Declassified=ephumism for Classified.

    Q. When is Top Secret not?
    A. When Top Secret is crossed out.

    quote:” It’s pretending it is not engaging in the same hacking it sanctions North Korea for.

    Only it is. Which raises real questions about what kind of oversight it gets.”unquote

    What kind of Oversite? Haha.

    take your pick.

    a. : a mistake made because someone forgets or fails to notice something.
    b : an inadvertent omission or error
    a : watchful and responsible care
    b : regulatory supervision

    Now..let’s try Rubes for $2k

  2. wallace says:

    I’m sorry. My tolerance level for this shit is fucking zero anymore. How many years have you pinned these lying sacks of shit to the wall, and nothing happens except expansion of the surveillance state. The only thing left is total cynicism. Unless one just gives completely up and moves to ..where? All I know is ..Jim Garrison is dead on. The whole system is a bald faced lie.

  3. earlofhuntingdon says:

    Oversight? We don’t need no stinking oversight.

    As for previous comments, mainstream economics notwithstanding, irrationality has a lot going for it. Churchill was irrational, he probably should have sued for peace in 1940, but what would that outcome have been like? Nicht gemuetlich. If lying down and never getting up were an option, John lennon would have gone home, Howard Zinn and Noam Chomsky never would have survived John Silber and Dick Nixon. Optimism, as well as fecundity, are why and how we survive. Imposing passivity is how they win.

Comments are closed.