Interesting Tidbits from the House Intelligence Authorization

The House version of next year’s Intelligence Authorization just passed with big numbers, 364-58.

Among the interesting details included in the unclassified version of the bill, are the following:

Section 303, 411: Permits the ICIG and the CIA IG to obtain information from state and local governments

The bill changes language permitting the Intelligence Community Inspector General and the CIA IG to obtain information from any federal agency to obtain it from federal, state, or local governments.

Which sort of suggests the ICIG and CIA IG is reviewing — and therefore the IC is sharing information with — state and local governments.

I have no big problem with this for ICIG. But doesn’t this suggest the CIA — a foreign intelligence agency — is doing things at the state level? That I do have a problem with.

Update: Note No One Special’s plausible explanation: that the IGs would be investigating misconduct like DWIs. That makes sense, especially given the heightened focus on Insider Threat Detection.

Section 305: Tells PCLOB to stay the fuck out of covert operations

This adds language to the Privacy and Civil Liberties Oversight Board authorization stating that, “Nothing in [it] shall be construed to authorize the Board, or any agent thereof, to gain access to information regarding an activity covered by” the covert operation section of the National Security Act.

OK then! I guess Congress has put PCLOB in its place!

Remember, PCLOB currently has a mandate that extends only to counterterrorism (though it will probably expand to cyber once the CISA-type bill is passed). It is currently investigating a couple of EO 12333 authorized activities that take place in some loopholed areas of concern. I’m guessing it bumped up against something Congress doesn’t want it to know about, and they’ve gone to the trouble of making that clear in the Intelligence Authorization.

As it happens, Ron Wyden is none too impressed with this section and has threatened to object to unanimous consent of the bill in the Senate over it. Here are his concerns.

Section 305 would limit the authority of the watchdog body known as the Privacy and Civil Liberties Oversight Board.  In my judgment, curtailing the authority of an independent oversight body like this Board would be a clearly unwise decision.  Most Americans who I talk to want intelligence agencies to work to protect them from foreign threats, and they also want those agencies to be subject to strong, independent oversight.  And this provision would undermine some of that oversight.

Section 305 states that the Privacy and Civil Liberties Board shall not have the authority to investigate any covert action program.  This is problematic for two reasons.  First, while this Board’s oversight activities to date have not focused on covert action, it is reasonably easy to envision a covert action program that could have a significant impact on Americans’ privacy and civil liberties – for example, if it included a significant surveillance component.

An even bigger concern is that the CIA in particular could attempt to take advantage of this language, and could refuse to cooperate with investigations of its surveillance activities by arguing that those activities were somehow connected to a covert action program.  I recognize that this may not be the intent of this provision, but in my fifteen years on the Intelligence Committee I have repeatedly seen senior CIA officials go to striking lengths to resist external oversight of their activities.  In my judgment Congress should be making it harder, not easier, for intelligence officials to stymie independent oversight.

Section 306: Requires ODNI to check for spooks sporting EFF stickers

The committee description of this section explains it will require DNI to do more checks on spooks (actually spooks and “sensitive” positions, which isn’t full clearance).

Section 306 directs the Director of National Intelligence (DNI) to develop and implement a plan for eliminating the backlog of overdue periodic investigations, and further requires the DNI to direct each agency to implement a program to provide enhanced security review to individuals determined eligible for access to classified information or eligible to hold a sensitive position.

These enhanced personnel security programs will integrate information relevant and appropriate for determining an individual’s suitability for access to classified information; be conducted at least 2 times every 5 years; and commence not later than 5 years after the date of enactment of the Fiscal Year 2016 Intelligence Authorization Act, or the elimination of the backlog of overdue periodic investigations, whichever occurs first.

Among the things ODNI will use to investigate its spooks are social media, commercial data sources, and credit reports. Among the things it is supposed to track is “change in ideology.” I’m guessing they’ll do special checks for EFF stickers and hoodies, which Snowden is known to have worn without much notice from NSA.

Section 307: Requires DNI to report if telecoms aren’t hoarding your call records

This adds language doing what some versions of USA Freedom tried to requiring DNI to report on which “electronic communications service providers” aren’t hoarding your call records for at least 18 months. He will have to do a report after 30 days listing all that don’t (bizarrely, the bill doesn’t specify what size company this covers, which given the extent of ECSPs in this country could be daunting), and also report to Congress within 15 days if any of them stop hoarding your records.

Section 313: Requires NIST to develop a measure of cyberdamage

For years, Keith Alexander has been permitted to run around claiming that cyber attacks have represented the greatest transfer of wealth ever (apparently he hasn’t heard of slavery or colonialism). This bill would require NIST to work with FBI and others to come up with a way to quantify the damage from cyberattacks.

Section 401: Requires congressional confirmation of the National Counterintelligence Executive

The National Counterintelligence Executive was pretty negligent in scoping out places like the OPM database that might be prime targets for China. I’m hoping that by requiring congressional appointment, this position becomes more accountable and potentially more independent.

Section 701: Eliminates reporting that probably shouldn’t be eliminated

James Clapper hates reporting requirements, and with this bill he’d get rid of some more of them, some of which are innocuous.

But I am concerned that the bill would eliminate this report on what outside entities spooks are also working for.

(2) The Director of National Intelligence shall annually submit to the congressional intelligence committees a report describing all outside employment for officers and employees of elements of the intelligence community that was authorized by the head of an element of the intelligence community during the preceding calendar year. Such report shall be submitted each year on the date provided in section 3106 of this title.

We’ve just seen several conflict situations at NSA, and eliminating this report would make it less like to ID those conflicts.

The bill would also eliminate these reports.

REPORTS ON NUCLEAR ASPIRATIONS OF NON-STATE ENTITIES.—Section 1055 of the National Defense Authorization Act for Fiscal Year 2010 (50 U.S.C. 2371) is repealed.

REPORTS ON ESPIONAGE BY PEOPLE’S REPUBLIC OF CHINA.—Section 3151 of the National Defense Authorization Act for Fiscal Year 2000 (42 U.S.C. 7383e) is repealed.

Given that both of these issues are of grave concern right now, I do wonder why Clapper doesn’t want to report to Congress on them.

And, then there’s the elimination of this report.

§2659. Report on security vulnerabilities of national security laboratory computers

(a) Report required

Not later than March 1 of each year, the National Counterintelligence Policy Board shall prepare a report on the security vulnerabilities of the computers of the national security laboratories.

(b) Preparation of report

In preparing the report, the National Counterintelligence Policy Board shall establish a so-called “red team” of individuals to perform an operational evaluation of the security vulnerabilities of the computers of one or more national security laboratories, including by direct experimentation. Such individuals shall be selected by the National Counterintelligence Policy Board from among employees of the Department of Defense, the National Security Agency, the Central Intelligence Agency, the Federal Bureau of Investigation, and of other agencies, and may be detailed to the National Counterintelligence Policy Board from such agencies without reimbursement and without interruption or loss of civil service status or privilege.

Clapper’s been gunning to get rid of this one for at least 3 years, with the hysteria about hacking growing in each of those years. Department of Energy, as a whole, at least, is a weak spot in cybersecurity. Nevertheless, Congress is going to eliminate reporting on this.

Maybe the hacking threat isn’t as bad as Clapper says?

8 replies
  1. No one special says:

    I wouldn’t read too much into the ICIG or CIA IG being able to do this. For all practical purposes they’ve probably been doing so for a long time now anyways under the IG Act. They’re much more likely receiving state & local info versus actively sharing their info with state & local agencies.—-000-.html

    IGs tend to focus on employees (and employee misconduct, albeit at the “working joe” level). That might involve getting a report about a DWI arrest from a local police department.

    There are some IGs that have more outward facing programs; SSA and Labor’s IG in particular.

    My two cents.

    • emptywheel says:

      Ah, that’s a plausible explanation, especially with the heightened focus on Insider Threat detection. Thanks.

  2. Dave Cohen says:

    Section 303, 411 are needed to facilitate classified in-house coverups of CIA’s role in domestic intelligence at the fusion centers, or whatever they’ve been renamed to hide them.

  3. P J Evans says:

    Sec. 313 – who is NIST? (I’m assuming it isn’t the National Institute of Standards and Technology.)

    • haarmeyer says:

      It is. It’s the former National Bureau of Standards, and what they would do is come up with a metric, a method of collecting the data to assess that metric, and the methods of use of that metric.

      This is more than very necessary given all the attempts to get a handle on cyber war. Assessing damage likely from an attack is needed in war to assess proportionality, one of the major principles of the laws of armed conflict. While anything can be subverted, having such a metric would improve the ability to assess and enforce compliance. Cf. Rules 14, 55 the Talinn Manual.

  4. orionATL says:

    you know that sign that hangs over the door to the Senate and house intelligence committee lairs,

    the one that says:

    abandon sniffling concern for good judgment and rule of law”,

    all ye who enter here ?

    that one?

    well, it should be taken down and replaced with this sign:

    “..) in my fifteen years on the Intelligence Committee I have repeatedly seen senior CIA officials go to striking lengths to resist external oversight of their activities.  In my judgment Congress should be making it harder, not easier, for intelligence officials to stymie independent oversight…”
    senator Ron wayden.

  5. bloopie2 says:

    “Maybe the hacking threat isn’t as bad as Clapper says?”. May be, but there are others! See, for example, this recent tidbit from EPIC:
    A Congressional Committee held a hearing on the Education Department’s information security program. Here are the takeaways, from the House Committee website:
    The Department of Education (DoEd) has at least 139 million unique social security numbers in its Central Processing System (CPS). Reminiscent of OPM’s dangerous behavior, DoEd is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats. In the IG’s latest report, there were 6 repeat findings and 10 repeat recommendations. The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication. The Department received an “F” on the FITARA scorecard. The Department maintains 184 information systems. 120 are managed by outside contractors. 29 are valued by the Office of Management and Budget (OMB) as “high asset”. The National Student Loan Database (NSLD) houses significant loan borrower information. There are 97,000 accounts/users with access to this significant data yet only 5,000, less than 20%, have undergone a background check to establish security clearance. The IG penetrated DoEd systems completely undetected by both the CIO or contractor
    Anyone want to quadruple the size of the bureaucracy that works to keep the other bureaucrats’ information safe? What could possibly go wrong with that concept?

Comments are closed.