As I keep explaining to gobsmacked security experts, according to the DHS, not only are motion picture studios like Sony considered Critical Infrastructure the security establishment must protect, but so are casinos (and campgrounds!) as part of the “Commercial Facilities Sector.”
The Commercial Facilities Sector consists of eight subsectors:
- Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
- Sports Leagues (e.g., professional sports leagues and federations).
- Gaming (e.g., casinos).
- Lodging (e.g., hotels, motels, conference centers).
- Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
- Entertainment and Media (e.g., motion picture studios, broadcast media).
- Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
- Retail (e.g., retail centers and districts, shopping malls).
Which is why I find it interesting that along with noting that hackers might start altering — rather than just zeroing out — the entries in software, in his Global Threats testimony James Clapper asserted that “Iranian actors have been implicated” in hacking Sheldon Adelson’s casino.
Iran very likely values its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence. Iranian actors have been implicated in the 2012-13 DDOS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company.
A number of outlets reported that Iran, rather than Iranian actors, did the hack.
Bloomberg reported that Iranians were behind the hack in December.
I can think of a number of reasons why the US didn’t make a bigger deal out of Iranians hacking our critical infrastructure Sheldon Adelson’s casinos. Because they couldn’t prove the tie between the actors and the Iranian state, because fighting to protect Adelson’s corruption is less palatable than fighting to protect Hollywood, because it would have focused on Adelson’s threats to bomb Iran, and because they’re trying to craft a peace deal.
And that’s probably just a start.
Still, I’m surprised others — such as Bibi Netanyahu — haven’t made a bigger issue out of Iranian actors’ successful attack on one of the people funding the anti-Iranian lobby.
Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?
(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;
Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.
It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.
Integrity of Information
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
- Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.
Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).
But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.
I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.
At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.
Unpredictable instability is the new normal. The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.
It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.
And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).
US-backed neoliberalism and austerity — and the underlying bank crisis that provided the excuse for it — has contributed to instability elsewhere, and probably underlies those countries that Clapper thinks might grow unstable in the next year.
We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).
There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.
There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.
Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).
Still, even in spite of the fact that Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?
Admittedly, after its alarmism on encryption, one should always treat FBI claims about necessary tools skeptically. But I’m interested in the claim, made by FBI’s Assistant Director of its Cyber Division, that the Bureau relies on 215 for computer intrusion investigations.
The FBI’s cyber crime investigations would “obviously” suffer if Congress doesn’t reauthorize Section 215 of the Patriot Act, which allows the FBI to request business records from major companies.
“If that expires, obviously it’s going to impact what we do as an organization and certainly on cyber,” said Joseph Demarest, assistant director of the FBI’s Cyber Division, during a roundtable discussion with reporters Tuesday.
Congress must reauthorize the controversial portion of the law by June 1. Civil liberties advocates argue the 215 program is an invasion of privacy, granting the National Security Agency (NSA) blanket authority to spy on Americans.
But two leaders of the FBI’s digital crime unit said losing the program would reduce the bureau’s effectiveness.
The business records request program based on Section 215 allows the FBI to obtain customer records from places like major telecom companies without going through the public court system.
“We use that in working with, I’ll say major providers,” Demarest said. “And we’re looking at historical records.”
“Not having the ability to use that as a vehicle to obtain that information,” Demarest added, “that’s the problem we face.”
The FBI argues that the 215 program approach allows investigators to go after cyber crooks without tipping their hand to possible accomplices.
Let me interject and note that the reporting on this — and therefore presumably the questions asked at this little eat-the-journalists-for-lunch-event — was atrocious.
The guy in charge of hacking told a group of reporters they rely on Section 215 to investigate hacking. And several of those reporters then reported that he said they needed the phone dragnet.
If true, that would be huge news, because the phone dragnet has pretty tight controls limiting its use to terrorists and Iran. So if the NSA is now also using the phone dragnet to catch hackers, it means the government has blown up the definition of hackers even further than they obviously have.
But it’s unlikely that’s what Demarest meant, though that doesn’t mean his comment, if true, isn’t newsworthy for other reasons.
The reporters claiming the FBI uses the phone dragnet to catch hackers are — as far too many activist organizations do — probably conflating the phone dragnet, a program authorized by Section 215, with Section 215, which authorizes the collection of a lot more things — things like money transfers, explosives precursors, hotel records, probably credit card data, and Internet records — including in what you and I would call bulk, even if Bob Litt would not.
There were roughly 180 Section 215 orders last year. Only 5 of those orders supported the phone dragnet.
I’m guessing, but probably what Demarest was talking about is FBI’s (note, not NSA’s) reliance, since 2009, on Section 215 orders to collect records from Internet companies. At least during 2011 and 2012, the majority of the Section 215 orders were for Internet records.
We can say a few things about this collection. First, FBI conducted the collection using NSLs until 2009, when publication of an OLC opinion limiting the interpretation of phone records covered by NSLs led the Internet companies to successfully challenge the continued use of NSLs to collect that data. This collection obtains “electronic communication transaction records,” but for something other than the Internet equivalent of call time and participants (because that’s what the OLC opinion excluded). These orders are probably fairly programmatic, because it can take 30 to 40 days to obtain a Section 215 order (meaning the FBI would run whatever collection on a set of standing orders, just like they do the phone dragnet). And these collections are probably substantive enough that FISC imposed minimization procedures on the collection.
And, we can now guess (assuming, of course, the FBI isn’t talking out of its arse again) that these collections support cyberinvestigations.
One reason this is important, however, is that it changes the stakes for reauthorization of Section 215. If the FBI considers this mission critical, it means activists should account for this collection when they consider the leverage they have in debates moving forward.
Back during John Brennan’s confirmation process, I noted he got zero questions about cybersecurity, in spite of the fact that that is a big part of the portfolio of the White House Homeland Security Czar (as has been made evident by Lisa Monaco’s central role in the Sony hack response).
Since then, John Brennan permitted his subordinates to hack the email accounts supposedly set aside for the Senate Intelligence Committee’s use.
Those are both reasons you should be concerned by the news that, as part of a larger “subject matter” reorganization of CIA, Brennan wants to hack.
U.S. officials said Brennan’s plans call for increased use of cyber capabilities in almost every category of operations — whether identifying foreign officials to recruit as CIA informants, confirming the identities of targets of drone strikes or penetrating Internet-savvy adversaries such as the Islamic State.
Several officials said that Brennan’s team has even considered creating a new cyber directorate — a step that would put the agency’s technology experts on equal footing with the operations and analysis branches that have been pillars of the CIA’s organizational structure for decades.
All the more so given that neither the full Intelligence Committees nor NSA’s leadership knows what Brennan is up to.
Brennan provided only broad outlines of his plan in recent congressional meetings that excluded all but the four highest-ranking members of the House and Senate intelligence panels. A senior U.S. intelligence official said that some senior NSA executives remain in the dark on Brennan’s cyber ambitions.
But then, if all of SSCI knew what Brennan was up to, I guess it’d be harder for him to hack them in the future.
Judge Jeffrey White, who has been presiding over the EFF’s challenges to warrantless wiretapping since Vaughn Walker retired, just threw out part of Carolyn Jewel’s challenge to the dragnet on standing and state secrets grounds (h/t Mike Scarcella).
Based on the public record, the Court finds that the Plaintiffs have failed to establish a sufficient factual basis to find they have standing to sue under the Fourth Amendment regarding the possible interception of their Internet communications. Further, having reviewed the Government Defendants’ classified submissions, the Court finds that the Claim must be dismissed because even if Plaintiffs could establish standing, a potential Fourth Amendment Claim would have to be dismissed on the basis that any possible defenses would require impermissible disclosure of state secret information.
White also does what no self-respecting judge should ever do: cite Sammy Alito on Amnesty’s “speculative” claims about Section 702 collection in Amnesty v. Clapper, which have since been proven to be based on false government claims.
In Clapper, the Court found that allegations that plaintiffs’ communications were intercepted were too speculative, attenuated, and indirect to establish injury in fact that was fairly traceable to the governmental surveillance activities. Id. at 1147-50. The Clapper Court held that plaintiffs lacked standing to challenge NSA surveillance under FISA because their “highly speculative fear” that they would be targeted by surveillance relied on a “speculative chain of possibilities” insufficient to establish a “certainly impending” injury.
Also along the way, White claims the plaintiffs had made errors in their depiction of the upstream dragnet.
But I’m fairly certain he has done the same when he claims that only specific communications accounts can be targeted under both PRISM and upstream Section 702 collection.
Once designated by the NSA as a target, the NSA tries to identify a specific means by which the target communicates, such as an e-mail address or telephone number. That identifier is referred to as a “selector.” Selectors are only specific communications accounts, addresses, or identifiers. (See id; see also Privacy and Civil Liberties Oversight Board Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“PCLOB Report”) at 32-33, 36.)
Indeed, his citation to PCLOB doesn’t support his point at all. Here are what I guess he means to be the relevant sections.
The Section 702 certifications permit non-U.S. persons to be targeted only through the “tasking” of what are called “selectors.” A selector must be a specific communications facility that is assessed to be used by the target, such as the target’s email address or telephone number. Thus, in the terminology of Section 702, people (non-U.S. persons reasonably believed to be located outside the United States) are targeted; selectors (e.g., email addresses, telephone numbers) are tasked.
Because such terms would not identify specific communications facilities, selectors may not be key words (such as “bomb” or “attack”), or the names of targeted individuals (“Osama Bin Laden”). Under the NSA targeting procedures, if a U.S. person or a person located in the United States is determined to be a user of a selector, that selector may not be tasked to Section 702 acquisition or must be promptly detasked if the selector has already been tasked.
The process of tasking selectors to acquire Internet transactions is similar to tasking selectors to PRISM and upstream telephony acquisition, but the actual acquisition is substantially different. Like PRISM and upstream telephony acquisition, the NSA may only target non-U.S. persons by tasking specific selectors to upstream Internet transaction collection. And, like other forms of Section 702 collection, selectors tasked for upstream Internet transaction collection must be specific selectors (such as an email address), and may not be key words or the names of targeted individuals.
First of all, unless they’ve changed the meaning of “such as” and “for example,” PCLOB’s use of email and telephone numbers is not exhaustive (though it does mirror the party line witnesses before PCLOB used, and accurately reflects PCLOB’s irresponsible silence on the use of 702 — upstream and downstream — for cybersecurity, even after ODNI has written publicly on the topic). Indeed, the NSA uses other selectors, including cyberattack signatures, in addition to things more traditionally considered a selector.
And given the government’s past, documented, expansion of the term “facility” beyond all meaning, there’s no reason to believe the government’s use of “use” distinguishes appropriately between participants in communications.
Ah well, all that discussion probably counts as a state secret. A concept which is getting more and more farcical every year.
Update: Clarified to note this is only partial summary judgment.
A fresh spin on insider trading also made news this week, when the SEC filed a lawsuit against two Capital One fraud investigators who made 1800 percent on their investment over three years, based on their use of a Capital One credit card user database.
The two investigators, Bonan Huang and Nan Huang, grew an investment of $147,300 to $2.8 million based on thousands of searches across a database comprised of credit card customer transactions. Noting the volume of use of credit cards at a particular fast food company, they bought and traded the company’s stock based on this data.
Over time they made similar stock trades based on transactional volume and other publicly available news about three different companies.
Had the database been one for sale by a company rather than their employer’s proprietary database, the Huangs would have been lauded as investment rock stars. But because the method they used “misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information,” the two men are being sued for insider trading.
The Huangs’ trading experience gives pause when one considers the value of metadata, and of the data breach at JP Morgan Chase this past year.
Metadata can offer a volume of transactional activity, though it will not disclose the value of a transaction. Imagine smartphones indicating they are being used at particular devices – point-of-sale devices – at any retailer, from fast food to hard lines. An uptick in overall activity at a specific retailer indicates greater volume of business, the data fresher than that reported in a 10-Q report filed publicly with the SEC. What could an investor do with this kind of data? One could imagine success not much different than the Huangs experienced, provided they also understood other publicly available information about the retailers under observation.
Bob Litt is giving a speech. In it he described what “serious crimes” FBI can use 702-derived information to investigate and prosecute. They include:
Can use for 702: Crimes involving death, kidnapping, bodily harm, v minor, infrastructure, cybersecurity, transnational crimes.
Both cybersecurity and infrastructure are big, and potentially egregiously interpreted. They surely can include a whole slew of innocent protestors who are deemed a threat to things like fracking or city infrastructure.
But also, if FBI can use 702 to investigate “transnational crime” then why isn’t Jamie Dimon in prison?
As noted, Ron Wyden used Eric Holder’s imminent departure as an opportunity to point to some secrets that he believes should be told. One of those pertains to what the 2003 OLC opinion on common commercial service agreements refers to.
Second, I have written to you on multiple occasions about a particular legal opinion from the Justice Department’s Office of Legal Counsel (OLC) interpreting common commercial service agreements. As I have said, I believe that opinion is inconsistent with the public’s understanding of the law, and should be withdrawn. I also believe that this opinion should be declassified and released to the public, so that anyone who is party to one of these agreements can consider whether their agreement should be revised or modified.
In her December 2013 confirmation hearing to be General Counsel of the CIA, the deputy head of the OLC stated that she would not rely on this opinion today. While I appreciate her restraint, I believe the wisest course of action would be for you to withdraw and declassify this opinion, so that other government officials are not tempted to rely on it in the future. I urge you to take these actions as soon as practicable, since I believe it will be difficult for Congress to have a fully informed debate on cybersecurity legislation if it does not understand how these agreements have been interpreted by the Executive Branch.
As I laid out in October 2013, Wyden has been trying to liberate this memo since before summer 2012, and he has (as he now is doing) renewed his request every time cybersecurity bills come up (and then some).
Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”
That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.
Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.
Since then, we’ve learned that the memo dates to 2003, and was a matter of first impression when it was written.
I’ve been writing about this memo since 2013, but I don’t have the legal support to FOIA something DOJ is obviously pretty embarrassed about.
But why hasn’t big tech? Why haven’t other companies that sign common commercial service agreements? Why hasn’t some lawyered up company — or lawyered up trade group — sued for this thing, as it clearly may affect their businesses?
Or would they just rather prefer not to know?
The NYT has a story describing the rise of the North Korean 6,000-strong hacking unit, which (the story explains) the NSA has been watching closely since 2010.
Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.
A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.
It goes on to explain why the NSA, in spite of having beacons throughout North Korea’s network, didn’t warn Sony.
The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials.
But those attacks did not look unusual. Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.
It even suggests that Clapper knew about North Korea’s “capabilities” even as he was having dinner with the guy in charge of it (though it does not say whether he knew about this hack).
“Because of the sensitivities surrounding the effort” to win the Americans’ release, Mr. Hale said, “the D.N.I. was focused on the task and did not want to derail any progress by discussing other matters.” But he said General Clapper was acutely aware of the North’s growing capabilities.
For the moment, I’ll set aside whether this is convincing (parts of the story, such as the claim that North Korea’s hackers trained in China and now target China, don’t add up).
But I did want to point out two things. First, NYT relies on a document liberated by Snowden to bolster its case. It’s not clear how well it actually does bolster the case: it shows the NSA piggybacking on South Korean efforts in 2007, and then setting its own beacons. It provides a different timeline and doesn’t say how extensively the US has infiltrated North Korea. In any case, though, it is a Snowden document the secret cyber sources finally love, one that backs their immediate claims.
Finally, note what else this says: this is another example where we have intelligence but aren’t using it not because of information sharing rules, but because we’re too inattentive to make use of it. This will be useful when Congress tries to pass CISPA because of Sony.