Cybersecurity


The AP’s Recycled “We Don’t Need a Phone Dragnet” Story Lays the Groundwork for Swapping Section 215 for CISA

The AP has a story, which it calls an “Exclusive” and says “has not been reported before,” reporting that the NSA considered killing the phone dragnet back before Edward Snowden disclosed it.

The National Security Agency considered abandoning its secret program to collect and store American calling records in the months before leaker Edward Snowden revealed the practice, current and former intelligence officials say, because some officials believed the costs outweighed the meager counterterrorism benefits.

After the leak and the collective surprise around the world, NSA leaders strongly defended the phone records program to Congress and the public, but without disclosing the internal debate.

The proposal to kill the program was circulating among top managers but had not yet reached the desk of Gen. Keith Alexander, then the NSA director, according to current and former intelligence officials who would not be quoted because the details are sensitive. Two former senior NSA officials say they doubt Alexander would have approved it.

Still, the behind-the-scenes NSA concerns, which have not been reported previously, could be relevant as Congress decides whether to renew or modify the phone records collection when the law authorizing it expires in June.

The story looks a lot like (though with mostly different dates) this AP story, published just after USA Freedom Act failed in the Senate in November.

Years before Edward Snowden sparked a public outcry with the disclosure that the National Security Agency had been secretly collecting American telephone records, some NSA executives voiced strong objections to the program, current and former intelligence officials say. The program exceeded the agency’s mandate to focus on foreign spying and would do little to stop terror plots, the executives argued.

The 2009 dissent, led by a senior NSA official and embraced by others at the agency, prompted the Obama administration to consider, but ultimately abandon, a plan to stop gathering the records.

The secret internal debate has not been previously reported. The Senate on Tuesday rejected an administration proposal that would have curbed the program and left the records in the hands of telephone companies rather than the government. That would be an arrangement similar to the one the administration quietly rejected in 2009.

The unquestioned claim that the program doesn’t get cell data — presented even as the Dzhokhar Tsarnaev case makes clear it does — appears in both (indeed, this most recent version inaccurately references T-Mobile cell phone user Basaaly Moalin’s case — getting the monetary amounts wrong — without realizing that that case, too, disproves the cell claim).

Most importantly, however, both stories report these previous questions about the efficacy of the phone dragnet in the context of questions about whether the program will be reauthorized after June.

Perhaps the most telling detail, however, is that this new story inaccurately describes what happened to the Internet dragnet in 2011.

There was a precedent for ending collection cold turkey. Two years earlier, the NSA cited similar cost-benefit calculations when it stopped another secret program under which it was collecting Americans’ email metadata — information showing who was communicating with whom, but not the content of the messages. That decision was made public via the Snowden leaks.

The NSA in no way went “cold turkey” in 2011. Starting in 2009, just before it finally confessed to DOJ it had been violating collection rules for the life of the program, it rolled out the SPCMA program that allowed the government to do precisely the same thing, from precisely the same user interface, with any Internet data accessible through EO 12333. SPCMA was made available to all units within NSA in early 2011, well before NSA “went cold turkey.” And, at the same time, NSA moved some of its Internet dragnet to PRISM production, with the added benefit that it had few of the data sharing limits that the PRTT dragnet did.

That is, rather than going “cold turkey” the NSA moved the production under different authorities, which came with the added benefits of weaker FISC oversight, application for uses beyond counterterrorism, and far, far more permissive dissemination rules.

That AP’s sources claimed — and AP credulously reported — that this is about “cold turkey” is a pretty glaring hint that the NSA and FBI are preparing to do something very similar with the phone dragnet. As with the Internet dragnet, SPCMA permits phone chaining for any EO 12333 phone collection, under far looser rules. And under CISA, anyone who “voluntarily” wants to share this data (which always includes AT&T and likely includes other backbone providers) can share promiscuously and with greater secrecy (because it is protected by both Trade Secret and FOIA exemption). Some of this production, done under PRISM, would permit the government to get “connection” chaining information more easily than under a phone dragnet. And as with the Internet dragnet, any move of Section 215 production to CISA production evades existing FISC oversight.

A year ago, Keith Alexander testified that if they just had a classified data sharing program — like CISA — they could live without the dragnet. A year ago, basically, Alexander said he’d be willing to swap CISA for the phone dragnet.

Remarkably, these inaccurate AP stories always seem to serve that story, all while fostering a laughable myth that “ending the phone dragnet” would in any way end the practice of a phone dragnet.

Did Authorizing Torture Make the National Security Council an Agency Subject to FOIA?


Almost 3 years ago, I discovered that the judge in the ACLU torture FOIA, Alvin Hellerstein (who recently ordered the Administration to release images from torture), was trying to force the Administration to declassify a phrase making it clear torture had been authorized by the September 17, 2001 “Gloves Come Off” Memorandum of Notification. The phrase appeared on a January 28, 2003 Guidelines on Interrogation document signed by George Tenet (this post describes what great CYA including the phrase was).

In my reporting on it, I noted that National Security Advisor James Jones had secretly written a declaration in the suit arguing the phrase couldn’t be released. And I also noted that CIA’s own declarations conflicted about who had made torture a Special Access Program, CIA or the National Security Council.

Ultimately, however, the 2nd Circuit — in an opinion written by Judge Richard Wesley — reversed Hellerstein and permitted the Administration to keep that short phrase secret (though the Administration permitted that detail to be declassified for the Torture Report).

These issues have resurfaced in a related FOIA suit being reviewed by the 2nd Circuit (including Wesley and Judges Reena Raggi and Gerard Lynch).

Back in late 2012, Main Street Legal Services FOIAed the NSC for records on drone killing (including minutes of NSC meetings in 2011). The government refused to respond, arguing NSC is not an Agency subject to FOIA. So Main Street asked for discovery that might help it show that NSC is an Agency. It lost that argument with District Judge Eric Vitaliano, and this Appeal focuses on the issue of whether NSC is an Agency for purposes of FOIA or not.

In addition to pointing to statutory and historical reasons why NSC is an Agency, the appeal also points to things — including torture, but also including things like cybersecurity, crafting Benghazi talking points, and drone-killing — that were run out of NSC. The government, in response, argued that the President was very closely involved in NSC and presided over the Principals Committee, meaning NSC was too proximate to the President to be subject to FOIA. The response also keeps insisting that NSC is an advisory body, not anything that can make decisions without the President.

That back and forth took place in the first half of 2014.

Then, the Torture Report Summary got released, showing that CIA records indicate President Bush was not briefed on torture until 2006 but that NSC figures — Alberto Gonzales and Condi Rice, among others — told CIA torture was authorized. Main Street wrote a letter in February pointing to the evidence that the President was not in the loop and that NSC authorized torture.

The SSCI Report found that NSC committees, on which the President does not sit, debated, authorized, and directed CIA to apply specific interrogation techniques to specific detainees. In 2004, for example, CIA “sought special approval from the National Security Council Principals Committee” to use “enhanced interrogation techniques” on detainee Janat Gul. Thereafter, NSC principals met and “agreed that ‘[g]iven the current threat and risk of delay, CIA was authorized and directed to utilize” the techniques on Mr. Gul.

The question of who authorized torture thus became a central issue at the oral argument in this suit on March 2 (this discussion starts after 34:00). After Raggi raised this issue, Wesley went on with some urgency about the possibility that someone started torturing without the input of the President.

Judge Wesley: Are you saying then that anything the CIA did in terms of enhanced interrogation techniques clearly, was clearly a Presidential directive?

NSC Counsel Jaynie Lilley:  No, your honor —

Wesley: Well then, well if that’s not the case, it’s a very curious position for you to take because some of these bear heavy burdens. Some of these assertions that you’re making that the President is at the end of all these decision chains bear heavy burdens and I don’t quite understand it. Congress said sole duty is to advise and assist the President. If someone else decides to use enhanced interrogation techniques and we decide that this is done by the group, solely by the advisor, assistant to the President, then it’s the President’s decision is it not? Did the decision flow through the NSC?

Lilley: Your Honor, many decisions–

Wesley: Would it, structurally, I’ll make it easier, would it structurally have flowed through the NSC as it’s currently structured pursuant to presidential order and an act of Congress, would a decision to conduct enhanced interrogation techniques have flowed through the NSC up to the President. Pursuant to the way it’s structured now.

Lilley: Your Honor, let me be sure I’m answering the question that you’re asking. There are decisions that are made on matters of national security policy that come through the various–

Wesley: Pursuant to law and the structure of the NSC who had the authority? Did only one person have the authority to order enhanced interrogation techniques?

Lilley: Your Honor, –

Wesley [voice is rising]: Yes or no?!

Lilley: I cannot speak to individual decisions –

Wesley: Well, if you can’t tell me, then you’re telling me that then the President perhaps didn’t make that decision. And then you’re telling me that someone else did. And if someone else did, then I begin to have a problem. Because I have a hard time understanding how their sole function is to advise or assist the President if suddenly they decide, independent of any Presidential approval, that they can torture someone!

Lilley: Your Honor–

Wesley: It’s very simple Counselor, and I’ve been troubled by the government’s position on this throughout. I’ve been troubled — for twenty years the Office of Legal Counsel said that this was an Agency. And then suddenly in a letter, in 1994, for some reason the Agency flips. We have in the legislative record, we have the committee notes from the two committees, and what is one of the entities that’s listed when they decided to include the Executive office, what is one of the Agencies that Congress lists, one of the groups that Congress lists as an Agency? The NSC. Who created the NSC? The President didn’t. An act of Congress did. An Act of Congress creates two of the Subcommittees. A very curious advisor forced on the President — it sounds like a Separation of Powers issue to me. But, tell me. And then I won’t ask again. And if you don’t want to answer my question don’t answer.

Pursuant to the way it is currently structured if in your view the NSC is solely an advisory authority, who had the authority to order enhanced interrogation techniques? Who?

Lilley: In any matter of national security policy, there are two places where decisions can be made. One by the President and one by that Agency with the statutory authority to take the act.

Wesley: So you’re telling me that the CIA had the authority to do that?

[snip]

Wesley: The Director of the CIA could have done this independent of the President’s directive?

Lilley: Your Honor, I cannot speak to that.

Wesley: But for purposes of this discussion you’re saying ‘not someone in the NSC’?

Lilley: The NSC could not — does not direct any individual Agency to take individual actions.

Wesley went on to describe the plight of the CIA that might not want to do something (torture) it has been ordered to do by the NSC, “it’s on him, legally, not on the NSC.” “Yes, your Honor,” Lilley agreed.

While Wesley didn’t say so, that is, precisely, what Tenet argued when he noted Torture was done pursuant to Presidential order on his 2003 Interrogation document, dodging responsibility for torture. But if Lilley’s claim is correct, then CIA bears all the legal responsibility for torture.

At the end of the hearing, Wesley asked Lilley whether they intend to respond to Main Street’s letter. When Lilley said no, Wesley and Raggi specifically instructed Lilley to respond, noting actual page numbers.

In its response on March 16, the government — some members of which have been arguing for months that the NSC approved torture at every step of the process — newly asserted (ignoring the references that show Bush was never briefed until 2006) that George Tenet was only getting NSC’s advice; he was not being ordered or authorized by them.

Another cites a CIA official’s notes indicating that the Principals Committee “agreed” that CIA was “authorized and directed” to engage in certain activity, confirming the CIA had such authority, and that the then-Attorney General approved the resulting action. See id. at 345. These references confirm that the NSC functions in accordance with the advice and assistance role assigned to it by statute and by the President (currently in Presidential Policy Directive-1) as an interagency forum for coordination and exercises no independent decisional authority. The authority for the underlying decisions rested with the relevant heads of departments and agencies or the President himself.

Remember, DOJ has been claiming it never opened this document. Has it now done so?

But the SSCI evidence that Bush was never briefed is a point Main Street made in a letter last night.

Defendant still fails to explain who authorized the torture if not NSC, as CIA’s own records describe, especially given that CIA did not brief the President until years later.

A great deal of documentation shows that “NSC” (or rather, Dick Cheney and David Addington) authorized torture. But the NSC is trying to sustain the unsustainable position that a Memorandum of Notification not listing torture authorized torture, that Bush never got briefed on torture, and that all those meetings at which NSC members (and Dick Cheney) authorized torture didn’t amount to authorizing torture.

Because if it admitted the truth — that NSC or the Vice President authorized torture without any review by the President — then it would make all these documents, the 9000 documents President Obama got CIA to successfully hide, subject to FOIA.

And then we’d really start having some fun.

Update: I’ve added some to my transcription from the hearing and some additional analysis.

FBI’s Preventative Role: Hygiene for Corporations, Spies for Muslims

I’m still deep in this 9/11 Follow-up Report on the FBI, which Jim Comey and now-retired Congressman Frank Wolf had done last year and which, released earlier this week, came to the unsurprising topline conclusion that Jim Comey needs to have more power.

About the only conclusion in the report that Comey disagreed with — per this Josh Gerstein report — is that the FBI should get out of the business of Countering Violent Extremism.

Comey said he agreed with many of the report’s recommendations, but he challenged the proposal that the FBI leave counter-extremism work to other agencies.

“I respectfully disagree with the review commission,” the director said. “It should not be focused on messages about faith it should not be socially focused, but we have an expertise … I have these people who spend all day long thinking dark thoughts and doing research at Quantico, my Behavioral Analysis Unit. They have an incredibly important role to play in countering violent extremism.”

Here’s what the report had to say about FBI and CVE (note, this is a profoundly ahistorical take on the serial efforts to CVE, but that’s just one of many analytical problems with this report).

The FBI, like DHS, NCTC, and other agencies, has made an admirable effort to counter violent extremism (CVE) as mandated in the White House’s December 2011 strategy, Empowering Local Partners to Prevent Violent Extremism in the United States. In January 2012, the FBI established the Countering Violent Extremism Office (CVEO) under the National Security Branch.322 The CVEO was re-aligned in January 2013 to CTD’s Domestic Terrorism Operations Section, under the National JTTF, to better leverage the collaborative participation of the dozens of participating agencies in FBI’s CVE efforts.323 Yet, even within FBI, there is a misperception by some that CVE efforts are the same as FBI’s community outreach efforts. Many field offices remain unaware of the CVE resources available through the CVEO.324 Because the field offices have to own and integrate the CVE portfolio without the benefit of additional resources from FBI Headquarters, there is understandably inconsistent implementation. The Review Commission, through interviews and meetings, heard doubts expressed by FBI personnel and its partners regarding the FBI’s central role in the CVE program. The implementation had been inconsistent and confusing within the FBI, to outside partners, and to local communities.325 The CVEO’s current limited budget and fundamental law enforcement and intelligence responsibilities do not make it an appropriate vehicle for the social and prevention role in the CVE mission. Such initiatives are best undertaken by other government agencies. The Review Commission recommends that the primary social and prevention responsibilities for the CVE mission should be transferred from the FBI to DHS or distributed among other agencies more directly involved with community interaction.

[snip]

(U) Recommendation 6: The Review Commission recommends that the primary social and prevention responsibilities for the CVE mission should be transferred from the FBI to DHS or distributed among other agencies more directly involved with community interaction.

For what it’s worth, Muslim communities increasingly agree that the FBI — and the federal government generally — should not be in the business of CVE. But that’s largely because the government approaches it with the same view Comey does: by thinking immediately of his analysts thinking dark thoughts at Quantico. So if some agency that had credibility — if some agency had credibility — at diverting youth (of all faiths) who might otherwise get caught in an FBI sting, I could support it moving someplace else, but I’m skeptical DHS or any other existing federal agency is that agency right now.

While the Review doesn’t say explicitly in this section what it wants the FBI to be doing instead of CVE, elsewhere it emphasizes that it wants the FBI to do more racial profiling (AKA “domain awareness”) and run more informants. Thus, I think it fair to argue that the Ed Meese-led panel thinks the FBI should spy on Muslims, not reach out to them. Occupation-style federal intelligence gathering, not community based.

Which is why I think this approach to Muslim communities should be compared directly with the Review’s approach with corporations. The same report that says FBI should not be in the business of CVE — which done properly is outreach to at-risk communities — says that it should accelerate and increase its funding for its outreach to the private sector.

(U) Recommendation 5: The Review Commission recommends that the FBI enhance and accelerate its outreach to the private sector.

  • (U) The FBI should work with Congress to develop legislation that facilitates private companies’ communication and collaboration and work with the US Government in countering cyber threats.
  • (U) The FBI should play a prominent role in coordinating with the private sector, which the Review Commission believes will require a full-time position for a qualified special agent in the relevant field offices, as well as existing oversight at Headquarters.

Indeed, in a paragraph explaining why the FBI should add more private sector liaisons (and give them the same credit they’d get if they recruited corporations as narcs, only corporations shouldn’t be called “sources” because it would carry the stigma of being a narc), the Review approvingly describes the FBI liaison officers working with corporations to promote better Internet hygiene.

The Review Commission learned that the FBI liaison positions have traditionally been undervalued but that has begun to change as more experienced special agents take on the role, although this has not yet resulted in adequate numbers of assigned special agents or adequate training for those in the position. One field office noted that it had 400 cleared defense contractors (CDCs) in its AOR—ranging from large well known names to far smaller enterprises—with only one liaison officer handling hundreds of CDCs. This field office emphasized the critical need for more liaison officers to conduct outreach to these companies to promote better internet hygiene, reduce the number of breaches, and promote long-term cooperation with the FBI.319 Another field office noted, however, some sensitivity in these liaison relationships because labeling private sector contacts as sources could create a stigma. The field office argued that liaison contacts should be considered valuable and special agents should receive credit for the quality of liaison relationships the same way they do for CHSs.320

Ed Meese’s panel wants the FBI to do the digital equivalent of teaching corporations to blow their nose and wash their hands after peeing, but it doesn’t think the FBI should spend time reaching out to Muslim communities but should instead spy on them via paid informants.

Maybe there are good reasons for the panel’s disparate recommended treatment of corporations and Muslim communities. If so, the Review doesn’t explain it anywhere (though the approach is solidly in line with the Intelligence Committees’ rush to give corporations immunity to cyber share information with the federal government).

But it does seem worth noting that this panel has advocated the nanny state for one stakeholder and STASI state for another.

CISA’s Terrorists Are Not Just Foreign Terrorists

In addition to hunting hackers, the Cybersecurity Information Security Act — the bill that just passed the Senate Intelligence Committee — collects information domestically to target terrorists if those so-called terrorists can be said to be hacking or otherwise doing damage to property.

Significantly, as written, the bill doesn’t limit itself to targeting terrorists with an international tie. That’s important, because it essentially authorizes intelligence collection domestically with no court review. Thus, the bill seems to be — at least in part — a way around Keith, the 1971 ruling that prohibited domestic security spying without a warrant.

It takes reading the bill closely to understand that, though.

The surveillance or counterhacking of a “terrorist” is permitted in three places in the bill. In the first of those, one might interpret the bill to associate the word “foreign” used earlier in the clause with the word terrorist. That clause authorizes the disclosure of cyber threat indicators for “(iii) the purpose of identifying a cybersecurity threat involving the use of an information system by a foreign adversary or terrorist.”

But the very next clause authorizes information sharing to mitigate “a terrorist act,” with no modifier “foreign” in sight. It authorizes information sharing for “(iv) the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;”

And the last mention of terrorists — reserving the authority of the Secretary of Defense to conduct cyberattacks in response to malicious cyber activity — includes the article “a” that makes it clear the earlier use of “foreign” doesn’t apply to “terrorist organization” in this usage.

(m) AUTHORITY OF SECRETARY OF DEFENSE TO RESPOND TO CYBER ATTACKS.—Nothing in this Act shall be construed to limit the authority of the Secretary of Defense to develop, prepare, coordinate, or, when authorized by the President to do so, conduct a military cyber operation in response to a malicious cyber activity carried out against the United States or a United States person by a foreign government or an organization sponsored by a foreign government or a terrorist organization.

Frankly, I’m of the belief that the distinction that has by and large applied for the last 14 years of spying betrays the problem with our dragnet targeted on Muslims. America in general seems perfectly willing to treat some deaths — even 168 deaths — perpetrated by terrorists as criminal attacks so long as they are white Christian terrorists. If white Christian terrorists can be managed as the significant law enforcement problem they are without a dragnet, then so, probably, can FBI handle the losers it entraps in dragnets and then stings.

But here, that distinction has either apparently been scrapped or Richard Burr’s staffers are just bad at drafting surveillance bills. It appears that whatever anyone wants to call a terrorist — whether it be Animal Rights activists, Occupy Wall Street members, Sovereign Citizen members, or losers who started following ISIL on Twitter — appears to be fair game. Which is particularly troubling given that CISA makes explicit what NSA used to accomplish only in secret — the expansion of “imminent threat of death or serious bodily harm” to incorporate harm to property. How much harm to a movie studio or some other IP owner does it take before someone is branded a “terrorist” engaged in the “act” of doing “serious economic harm,” I wonder?

Note, too, that according to OTI’s redlined version of this bill, most of the application of this surveillance to foreign and domestic terrorists is new, added even as SSCI dawdles in the face of imminent Section 215 sunset.

As I’ll show in a later post, one function of this bill may be to move production that currently undergoes or might undergo FISC or other court scrutiny out from under a second branch of government, making a mockery out of what used to be called minimization procedures. If that’s right, it would also have the effect of avoiding court scrutiny on just whether this surveillance — renamed “information sharing” — complies with Supreme Court prohibition on warrantless spying on those considered domestic security threats.

Have the Banks Escaped Criminal Prosecution because They’re Spying Surrogates?

I’m preparing to do a series of posts on CISA, the bill passed out of SSCI this week that, unlike most of the previous attempts to use cybersecurity to justify domestic spying, may well succeed (I’ve been using OTI’s redline version which shows how SSCI simply renamed things to be able to claim they’re addressing privacy concerns).

But — particularly given Richard Burr’s office’s assurances this bill is great because “business groups like the Financial Services Roundtable and the National Cable & Telecommunications Association have already expressed their support for the bill” — I wanted to raise a question I’ve been pondering.

To what extent have banks won themselves immunity by serving as intelligence partners for the federal government?

I ask for two reasons.

First, when asked why she, along with Main Justice’s Lanny Breuer, authorized the sweetheart deal for recidivist transnational crime organization HSBC, Attorney General nominee Loretta Lynch implied that there was insufficient admissible evidence to try any individuals associated with this recidivism.

I and the dedicated career prosecutors handling the investigation carefully considered whether there was sufficient admissible evidence to prosecute an individual and whether such a prosecution otherwise would have been consistent with the principles of federal prosecution contained in the United States Attorney’s Manual.

That’s surprising given that Carl Levin managed to come up with 300-some pages of evidence. Obviously, there are several explanations for this response: she’s lying, the evidence is inadmissible because HSBC provided it willingly thereby making it unusable for prosecution, or the evidence was collected in ways that makes it inadmissible.

It’s the last one I’ve been thinking about: is it remotely conceivable that all the abundant evidence against banksters their regulators have used to obtain serial handslaps is for some reason inadmissible in a criminal proceeding?

I started thinking about that as a real possibility when PCLOB revealed that Treasury’s Office of Intelligence and Analysis has never once — not in the 30-plus years since Ronnie Reagan told them they had to — come up with minimization procedures to protect US person privacy with data collected under EO 12333. Maybe that didn’t matter so much in 1981, but since 2004, Treasury has had an ever-increasing role in using intelligence (collected from where?) to impose judgments against people with almost no due process. And those judgments are, in turn, used to impose other judgments on Americans with almost no due process.

The thing is, you’d think banks might care that Treasury wasn’t complying with Executive Branch requirements on privacy protection. Not only because they care (ha!) about their customers, whether American or not, but because many of them are, themselves, US persons. US bank US person status should limit how much Treasury diddles with bank-related intelligence, but Treasury doesn’t appear bound by that.

Which leads me to suspect, at least, that there’s something in it for the banks, something that more than makes up for the serial handslaps for sanctions violations.

And one possibility is that because of the way this data is collected and shared, it can’t be used in a trial. Voila! Bank immunity.

All that’s just a wildarsed guess.

But one made all the more pressing given that Treasury is among the Appropriate Federal Entities that will be default intelligence recipients for cyber information under CISA.

(3) APPROPRIATE FEDERAL ENTITIES.—

The term ‘‘appropriate Federal entities’’ means the following:

(A) The Department of Commerce.

(B) The Department of Defense.

(C) The Department of Energy.

(D) The Department of Homeland Security.

(E) The Department of Justice.

(F) The Department of the Treasury.

(G) The Office of the Director of National Intelligence.

To some degree, this is not in the least bit surprising. After all, financial regulators have increasingly made cybersecurity a key regulatory concern of late, so it makes sense for Treasury to be in the loop.

But banksters rarely — never! — add regulatory exposure for themselves without a fight and, as Burr’s office has made clear, the banks love this bill.

One more datapoint, back to HSBC. As I noted when Lanny Breuer and Loretta Lynch announced that handslap, Breuer neglected to mention that HSBC was getting a handslap not just for helping cartels profit off drugs, but also helping terrorists fund their activities (at the time Pete Seda was being held without bail on charges the government insisted amounted to material support for terrorists for handing a check to Chechens using cash that had come indirectly from HSBC). The actual settlement, however, made mention of it by explaining that HSBC had “assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.” By dint of that cooperation, in other words, HSBC went from being a material supporter of terrorism to being a deputy financial cop. And Breuer expanded that notion of banks serving as deputized financial cops thereafter.

Are the methods and terms by which we’re collecting all this financial intelligence to use against some bad guys precisely what prevents us from holding the even bigger bad guys — the ones affecting far more of us directly, in the form of the houses we own, the towns we live in, the opportunity costs paid to financial crime — accountable?

And will this system now be replicated under CISA (or has it, already) as banks turn into cyber crime deputized cops?

If Section 215 Lapsed, Would the Government Finally Accede to ECPA Reform?

Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.

That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware of or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).

But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.

We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).

The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely this is programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.

The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk in which it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.

But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.

Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.

But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).

And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:

[Image: Screen Shot 2015-03-19 at 5.15.23 PM]

FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fit under ECPA.

Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.

Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).

But ultimately what’s going on, in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2302-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary), is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).

It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn over whatever they’re turning over without a Section 215 order.

And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.

But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.

Choking the Security State with Its Own Bottleneck

One former and one current high-ranking intelligence official (is that you Keith?) have gone to CNBC to complain that tech firms are showing reluctance to get more of their people security clearances.

U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.

The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.

[snip]

The former intelligence official said dealing with Silicon Valley firms is much different than his experience in other industries—or with all American companies a generation ago. “It used to be, during World War II or the Cold War, that getting cooperation from boards of directors was pretty straightforward. That’s not true today, particularly at these huge start-ups that went from nothing to billions.”

It’s interesting that this complainer went to CNBC’s Eamon Javers, who covers the overlap between corporations and intelligence, rather than someone like Kim Zetter or Shane Harris, who just finished interesting books on cybersecurity. Because the only challenge to those DC insiders’ claims about the importance of information sharing comes from this anonymous executive’s suggestion that the intelligence they’d get from the government isn’t all that useful.

In Silicon Valley, however, cybersecurity executives have a different perspective on the tension. “I believe that this is more about the overclassification of information and the relatively low value that government cyberintel has for tech firms,” said one Silicon Valley executive. “Clearances are a pain to get, despite what government people think. Filling out the paper work … is a nightmare, and the investigation takes a ridiculous amount of time.”

More generally (including in each of their books), I think people are raising more questions about the value of information sharing. At a recent panel on cybersecurity (starting at 12:20) for example, a bunch of security experts seemed to agree that information sharing shouldn’t be the priority it is. Yahoo CISO Alex Stamos (who at the same conference had this awesome exchange with NSA Director Mike Rogers) argued that the government emphasizes information sharing because it’s easy — he’d rather see the government cancel just one F-35 and put the money into bug bounties for open source software.

Nevertheless, these sources have been granted anonymity to suggest tech companies are un-American because they’re not rushing to share more data with the federal government.

Not to mention, not rushing to sign up to have their lives regulated by the McCarthyite system of security clearances.

Because it’s not just that the security clearance application is unwieldy. It’s that clearance comes with a gag order about certain issues, backed by the threat of prison (I forget whether it was Harris’ or Zetter’s book, but one describes a tech expert talking about that aspect of clearance).

Why would anyone sign up for that if the tech companies have more that the government wants than the government has that the tech companies need?

So it will be interesting to see how the security establishment responds to this. It would be a wonderful way to force the government to fix some of the problems with overclassification to be able to obtain the cooperation of what are supposed to be private corporations.

In 2015, CIA Will Proactively Respond to the “Digital Revolution”

I noted some weeks ago how John Brennan — who had failed spectacularly on cybersecurity while at the White House but then learned the joys of hacking targets when he spied on the Senate Intelligence Committee — was rolling out a cyber directorate.

On Wednesday and yesterday, Brennan rolled out that change amid a larger restructuring.

In a troubling sign, the plan twice refers to the “digital revolution” as if it were in progress right now, not something that has already happened and is now our status quo. “Second, we must be positioned to embrace and leverage the digital revolution to the benefit of all mission areas.” But don’t worry, because Brennan says this reorganization will prevent the CIA from suffering the fate of Kodak, which didn’t anticipate digital cameras. CIA is embracing the “digital revolution” so it doesn’t miss the next one, I guess, as it did with the Arab Spring.

With all the focus on the digital directorate, however, I think there are aspects of this reorganization plan that are far more worthy of note.

First, the whole thing reads like a mid-1990s business reorganization plan, organized into “themes” and speaking of “investing in our people” and a new Talent Development Center of Excellence and embracing and modernizing and blah blah blah. That’s troubling, because those jargon-driven reorganizations usually failed after some Mitt Romney type had stripped the entity in question for cash. At least in the unclassified description of the reorganization, the plan seems better served to attract credulous investors than to effect change.

Just as telling, the unclassified plan says nothing about how CIA will retain what linguistic and cultural skills it has after it shifts to a more topical and less geographic structure. Digital analysis is nice, but there will come a time when someone is going to have to read the content that metadata has identified, and we can’t simply rely on foreign partners to do this or we’ll be susceptible to their disinformation.

Finally, there’s this section:

Theme Three: Modernize the way we do business. The pace of world events and technological change demands that Agency leaders be able to make decisions with agility, at the appropriate level, with the right information, and in the interests of the broader enterprise.  We must have the capacity to make the sound strategic decisions needed to build a better Agency and run it efficiently, even as we respond to urgent external requirements. We must empower our officers to address the operational, analytical, technological, support, and other issues that are at the heart of what we do every day. Accordingly, we will:

  • Enhance and empower the Executive Director’s role and responsibilities to manage day-to-day organizational functions, including overseeing a revamped corporate governance model.
  • Create a restructured Executive Secretary office to streamline core executive support functions, thereby increasing effectiveness and efficiency.
  • Even as we improve our ability to govern and make decisions and streamline our processes at the enterprise level, there will be a corresponding effort to delegate decisionmaking and accountability for achieving mission to the lowest appropriate level and to streamline our processes and practices throughout the Agency.

Perhaps I should just trust Brennan here, because he has served as both Chief of Staff to the Director and Deputy Executive Director, so he knows how these critical management roles function. But it also sounds like a bid to have the Director’s immediate staff more involved in the nitty gritty of operations, perhaps akin to the way the White House National Security Council (where Brennan has served more recently) has done the same with operations, in part to bypass oversight. If Brennan wants to make it easier to hold officers accountable for fuck-ups, great. But if Brennan wants to make it easier to conduct ill-considered operations without a grown-up objecting, it’ll lead to more problems from the CIA.

Alfreda Bikowsky has been the model of the analyst-who-sticks-her-nose into the operations function that seems to be the goal here. The CIA thinks she’s great, but she’s also the poster child for hackishness, abuse, and in some cases obstinate stupidity. I wish Brennan the best of luck in making CIA a more effective agency. I just hope he doesn’t end up making it still more problematic.

Why Didn’t the Government Make a Bigger Deal about Iranians Hacking Sheldon Adelson?

As I keep explaining to gobsmacked security experts, according to the DHS, not only are motion picture studios like Sony considered Critical Infrastructure the security establishment must protect, but so are casinos (and campgrounds!) as part of the “Commercial Facilities Sector.”

The Commercial Facilities Sector consists of eight subsectors:

  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Sports Leagues (e.g., professional sports leagues and federations).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).

Which is why I find it interesting that along with noting that hackers might start altering — rather than just zeroing out — the entries in software, in his Global Threats testimony James Clapper asserted that “Iranian actors have been implicated” in hacking Sheldon Adelson’s casino.

Iran very likely values its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence. Iranian actors have been implicated in the 2012-13 DDOS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company.

A number of outlets reported that Iran, rather than Iranian actors, did the hack.

Bloomberg reported that Iranians were behind the hack in December.

I can think of a number of reasons why the US didn’t make a bigger deal out of Iranians hacking our critical infrastructure, Sheldon Adelson’s casinos. Because they couldn’t prove the tie between the actors and the Iranian state, because fighting to protect Adelson’s corruption is less palatable than fighting to protect Hollywood, because it would have focused on Adelson’s threats to bomb Iran, and because they’re trying to craft a peace deal.

And that’s probably just a start.

Still, I’m surprised others — such as Bibi Netanyahu — haven’t made a bigger issue out of Iranian actors’ successful attack on one of the people funding the anti-Iranian lobby.

The Persistent Concerns about Altered Financial Data

Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.

It’s back again, in James Clapper’s Global Threats Report (curiously, it was not in last year’s Global Threats Report).

Integrity of Information

Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.

  • Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.

Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).

But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.
