December 1, 2015 / by emptywheel


Interesting Tidbits from the House Intelligence Authorization

The House version of next year’s Intelligence Authorization just passed with big numbers, 364-58.

Among the interesting details included in the unclassified version of the bill are the following:

Section 303, 411: Permits the ICIG and the CIA IG to obtain information from state and local governments

The bill changes language that permits the Intelligence Community Inspector General and the CIA IG to obtain information from any federal agency, so that they can obtain it from federal, state, or local governments.

Which sort of suggests the ICIG and CIA IG are reviewing — and therefore the IC is sharing information with — state and local governments.

I have no big problem with this for ICIG. But doesn’t this suggest the CIA — a foreign intelligence agency — is doing things at the state level? That I do have a problem with.

Update: Note No One Special’s plausible explanation: that the IGs would be investigating misconduct like DWIs. That makes sense, especially given the heightened focus on Insider Threat Detection.

Section 305: Tells PCLOB to stay the fuck out of covert operations

This adds language to the Privacy and Civil Liberties Oversight Board authorization stating that, “Nothing in [it] shall be construed to authorize the Board, or any agent thereof, to gain access to information regarding an activity covered by” the covert operation section of the National Security Act.

OK then! I guess Congress has put PCLOB in its place!

Remember, PCLOB currently has a mandate that extends only to counterterrorism (though it will probably expand to cyber once the CISA-type bill is passed). It is currently investigating a couple of EO 12333 authorized activities that take place in some loopholed areas of concern. I’m guessing it bumped up against something Congress doesn’t want it to know about, and they’ve gone to the trouble of making that clear in the Intelligence Authorization.

As it happens, Ron Wyden is none too impressed with this section and has threatened to object to unanimous consent of the bill in the Senate over it. Here are his concerns.

Section 305 would limit the authority of the watchdog body known as the Privacy and Civil Liberties Oversight Board.  In my judgment, curtailing the authority of an independent oversight body like this Board would be a clearly unwise decision.  Most Americans who I talk to want intelligence agencies to work to protect them from foreign threats, and they also want those agencies to be subject to strong, independent oversight.  And this provision would undermine some of that oversight.

Section 305 states that the Privacy and Civil Liberties Board shall not have the authority to investigate any covert action program.  This is problematic for two reasons.  First, while this Board’s oversight activities to date have not focused on covert action, it is reasonably easy to envision a covert action program that could have a significant impact on Americans’ privacy and civil liberties – for example, if it included a significant surveillance component.

An even bigger concern is that the CIA in particular could attempt to take advantage of this language, and could refuse to cooperate with investigations of its surveillance activities by arguing that those activities were somehow connected to a covert action program.  I recognize that this may not be the intent of this provision, but in my fifteen years on the Intelligence Committee I have repeatedly seen senior CIA officials go to striking lengths to resist external oversight of their activities.  In my judgment Congress should be making it harder, not easier, for intelligence officials to stymie independent oversight.

Section 306: Requires ODNI to check for spooks sporting EFF stickers

The committee description of this section explains it will require DNI to do more checks on spooks (actually spooks and “sensitive” positions, which isn’t full clearance).

Section 306 directs the Director of National Intelligence (DNI) to develop and implement a plan for eliminating the backlog of overdue periodic investigations, and further requires the DNI to direct each agency to implement a program to provide enhanced security review to individuals determined eligible for access to classified information or eligible to hold a sensitive position.

These enhanced personnel security programs will integrate information relevant and appropriate for determining an individual’s suitability for access to classified information; be conducted at least 2 times every 5 years; and commence not later than 5 years after the date of enactment of the Fiscal Year 2016 Intelligence Authorization Act, or the elimination of the backlog of overdue periodic investigations, whichever occurs first.

Among the things ODNI will use to investigate its spooks are social media, commercial data sources, and credit reports. Among the things it is supposed to track is “change in ideology.” I’m guessing they’ll do special checks for EFF stickers and hoodies, which Snowden is known to have worn without much notice from NSA.

Section 307: Requires DNI to report if telecoms aren’t hoarding your call records

This adds language doing what some versions of USA Freedom tried to do, requiring DNI to report on which “electronic communications service providers” aren’t hoarding your call records for at least 18 months. He will have to do a report after 30 days listing all that don’t (bizarrely, the bill doesn’t specify what size company this covers, which given the extent of ECSPs in this country could be daunting), and also report to Congress within 15 days if any of them stop hoarding your records.

Section 313: Requires NIST to develop a measure of cyberdamage

For years, Keith Alexander has been permitted to run around claiming that cyber attacks have represented the greatest transfer of wealth ever (apparently he hasn’t heard of slavery or colonialism). This bill would require NIST to work with FBI and others to come up with a way to quantify the damage from cyberattacks.

Section 401: Requires congressional confirmation of the National Counterintelligence Executive

The National Counterintelligence Executive was pretty negligent in scoping out places like the OPM database that might be prime targets for China. I’m hoping that by requiring congressional appointment, this position becomes more accountable and potentially more independent.

Section 701: Eliminates reporting that probably shouldn’t be eliminated

James Clapper hates reporting requirements, and with this bill he’d get rid of some more of them, some of which are innocuous.

But I am concerned that the bill would eliminate this report on what outside entities spooks are also working for.

(2) The Director of National Intelligence shall annually submit to the congressional intelligence committees a report describing all outside employment for officers and employees of elements of the intelligence community that was authorized by the head of an element of the intelligence community during the preceding calendar year. Such report shall be submitted each year on the date provided in section 3106 of this title.

We’ve just seen several conflict situations at NSA, and eliminating this report would make it less likely to ID those conflicts.

The bill would also eliminate these reports.

REPORTS ON NUCLEAR ASPIRATIONS OF NON-STATE ENTITIES.—Section 1055 of the National Defense Authorization Act for Fiscal Year 2010 (50 U.S.C. 2371) is repealed.

REPORTS ON ESPIONAGE BY PEOPLE’S REPUBLIC OF CHINA.—Section 3151 of the National Defense Authorization Act for Fiscal Year 2000 (42 U.S.C. 7383e) is repealed.

Given that both of these issues are of grave concern right now, I do wonder why Clapper doesn’t want to report to Congress on them.

And, then there’s the elimination of this report.

§2659. Report on security vulnerabilities of national security laboratory computers

(a) Report required

Not later than March 1 of each year, the National Counterintelligence Policy Board shall prepare a report on the security vulnerabilities of the computers of the national security laboratories.

(b) Preparation of report

In preparing the report, the National Counterintelligence Policy Board shall establish a so-called “red team” of individuals to perform an operational evaluation of the security vulnerabilities of the computers of one or more national security laboratories, including by direct experimentation. Such individuals shall be selected by the National Counterintelligence Policy Board from among employees of the Department of Defense, the National Security Agency, the Central Intelligence Agency, the Federal Bureau of Investigation, and of other agencies, and may be detailed to the National Counterintelligence Policy Board from such agencies without reimbursement and without interruption or loss of civil service status or privilege.

Clapper’s been gunning to get rid of this one for at least 3 years, with the hysteria about hacking growing in each of those years. Department of Energy, as a whole, at least, is a weak spot in cybersecurity. Nevertheless, Congress is going to eliminate reporting on this.

Maybe the hacking threat isn’t as bad as Clapper says?
