DHS’ Top Cybersecurity Officer Resigns

As Marc Ambinder reports, the top cybersecurity guy at DHS, Phil Reitinger, announced his resignation today. Which is pretty odd, given that Obama just rolled out his cybersecurity strategy a few days ago. Though that’s the excuse that Reitinger offered for the timing of his departure.

With significant progress having been made in activities across NPPD [National Protection and Programs Directorate], with growing recognition of DHS’s roles and authorities, and the cybersecurity legislative proposal now delivered to the Hill, it’s a logical point for me to leave the Department of Homeland Security and allow the team that we have developed together to carry our initiatives forward. [bracketed comment Ambinder’s]

Okaaayyyy then. You finally win the pissing contest between NSA and DHS over who will lead cybersecurity and then you … leave? Leaving no one to lead the program you’ve fought so hard to lead, not to mention leaving no one to lobby for the legislative proposal just sent to Congress?

Though Reitinger isn’t technically the CyberCzar, he makes at least the 10th top cybersecurity official to have left since 9/11.

Update: Here’s how his job was described when he was hired.

In addition to overseeing the department’s mandate to protect government networks, Reitinger also will be responsible for coordinating Uncle Sam’s outreach to private companies that own and operate the nation’s most vital information assets. These digital assets power everything from water and electricity distribution systems to telecommunications and transportation networks.

As I described here, one of the most sensitive aspects of the cybersecurity legislation the Administration proposed (and, I think, one of its weakest parts), is the means by which critical infrastructure entities prove to the government that they have adequate cybersecurity. It would seem really important to have continuity in this position to shepherd this part of the legislation through Congress.

Unless, of course, he’s planning on representing the industry as the bill wends its way through Congress. Or, set up one of the auditing companies that will get rich off the way the legislation was written.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Eric Holder Claims Rule of Law Exists in Cyberspace

Just days after asking Congress not to give the intelligence community a hard deadline to put a basic cybersecurity measure into place, the Obama Administration rolled out a cybersecurity strategy yesterday with great fanfare. The event itself seemed designed to bring as many Cabinet Secretaries into one place at one time–Hillary Clinton, Gary Locke, Janet Napolitano, and Eric Holder, along with DOD Deputy Secretary William Lynn and White House Cybersecurity Coordinator Howard Schmidt–to give the appearance of real cooperation on cyberspace issues.

The strategy itself is still mostly fluff, with paragraphs like this:

This future promises not just greater prosperity and more reliable networks, but enhanced international security and a more sustainable peace. In it, states act as responsible parties in cyberspace—whether configuring networks in ways that will spare others disruption, or inhibiting criminals from using the Internet to operate from safe havens. States know that networked infrastructure must be protected, and they take measures to secure it from disruption and sabotage. They continue to collaborate bilaterally, multilaterally, and internationally to bring more of the world into the information age and into the consensus of states that seek to preserve the Internet and its core characteristics.

And loaded paragraphs like this, in the section on military goals:

Recognize and adapt to the military’s increasing need for reliable and secure networks. We recognize that our armed forces increasingly depend on the networks that support them, and we will work to ensure that our military remains fully equipped to operate even in an environment where others might seek to disrupt its systems, or other infrastructure vital to national defense. Like all nations, the United States has a compelling interest in defending its vital national assets, as well as our core principles and values, and we are committed to defending against those who would attempt to impede our ability to do so.

Lucky for DOD, there was no discussion of deadlines anywhere in the document, so they didn’t have to admit their plan to “adapt to the military’s increasing need for reliable and secure networks” was a long term project.

And then the strategy had a lot of language about norms, which places our cybersecurity strategy in the paradigm and language of international regime development from foreign relations (interestingly, Hillary started off the parade of Secretaries, further emphasizing this diplomatic approach).

But what struck me most about this dog and pony show, delivered on the day SCOTUS endorsed the executive branch’s efforts to hide torture behind the invocation of state secrets, was Eric Holder’s discussion about rule of law in cyberspace.

In recent months, the Justice Department has announced takedowns of significant criminal groups operating from Romania, Egypt, and elsewhere that had been victimizing American businesses and citizens – including children.  We’ve also brought multiple criminal conspirators to justice for their roles in coordinated cybercrimes that, according to court documents, netted nearly 1.5 million dollars from U.S. victims.  And, just a few weeks ago, we announced an operation to disable an international criminal network that had infected more than two million computers worldwide with malicious software.  Until we stepped in – with the help of industry and security experts, as well as key international partners – this malware was allowing criminals to capture bank account numbers, user names, and other sensitive and financial information online.

While we can all be encouraged by these and other successes, we cannot become complacent.  As President Obama has repeatedly indicated – we must, and we will, take our global fight against cyber threats to the next level.  The strategy that we are announcing today is an affirmation of that promise.  It reinforces our nation’s support for the Budapest Convention –and for efforts to establish the rule of law in cyberspace.   It also reflects our ongoing commitment to prevent terrorists and other criminals from exploiting the Internet for operational planning or financing – or for the execution of attacks. [my emphasis]

We’re going to build rule of law in cyberspace apparently. Sort of like an extraterrestrial colony to preserve a way of life that used to exist on Earth (or at least in the US), but no longer does.

So rest assured, if this cyberstrategy is successful, we can expect rule of law in cyberspace as compensation for the fact that the government has destroyed rule of law in meatspace.

Oh, on that note, there was no discussion of any investigation into how it was that a media outlet, Wikileaks, was attacked with a sophisticated DDOS attack, ultimately damaging free speech.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Obama Administration: Sorry, 2013 Is Too Soon to Fix Gaping Holes in Our Network Security

You’ve no doubt read the multiple posts in which I responded with growing incredulity at the response of DOD and the Intelligence Community to the gaping holes in their network security.

Basically, a review of DOD networks after Bradley Manning’s alleged leaking (which came two years after they reviewed DOD networks after a bad malware infection introduced via a thumb drive), DOD admitted that they still let service members access computers on DOD’s classified network with removable media (like Lady Gaga CDs) two years after they vowed to end the practice; they didn’t have personal keys to offer better authentication and tracking of actions taken online; and they couldn’t audit for unusual activities online.

In short, they don’t have the kind of security that is considered routine in the private sector.

On our classified network.

And in response to their admission of gaping holes in Department of Defense’s (and presumably, because they want the same deadline, other parts of the IC’s) network security, they laid out a plan to fix the problems … by 2013.

Cause I’m sure none of our enemies will come looking for our secrets between now and then.

It’s becoming an obsession for me, this disinterest in fixing gaping holes in our network security even as the Administration claims Bradley Manning’s alleged leak could be a capital offense. If this stuff is so damned secret, plug the fucking holes!

So you can imagine my shock when I read the Obama Administration’s response to the intelligence bill’s endorsement of the 2013 deadline DOD and the IC asked for: (h/t Steven Aftergood)

Section 402 requires the DNI to create an insider threat detection program for the information resources of each element of the IC to detect unauthorized access to classified information. The Administration wholeheartedly agrees with the need to be vigilant and proactive in trying to detect, mitigate, and deter insider threats, and supports a comprehensive insider threat detection capability. The Administration is currently working toward its implementation. However, the Administration is concerned with the unrealistic timelines required by this provision for the program’s operational readiness, and strongly requests that the provision be amended to grant the DNI flexibility in implementation timelines of the program.

Hey bad guys?!?!?!? No one is checking the intelligence community’s networks to see whether you’re nicking highly classified information off of them. No one is checking their networks to see what kind of abnormal activities their own spooks are engaging in.

And they’re not going to be until … well, they don’t know. A deadline, you see, would be rather restrictive. And our fucking classified networks just aren’t a priority for network security! All I can tell you is 2013–two full years from now–that’s too soon.

So China, Iran? Just take what you want. Just make sure you do it in the next two … or maybe three … or who knows? years, because sometime in the distant future the IC aspires to have the same kind of network security your average bland business has.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity

Two and a half years after privatized auditors largely signed off on practices that contributed to the collapse of Wall Street, and a year after coziness between government inspectors and the oil industry they regulate allowed a massive oil spill in the gulf, the Obama Administration proposes relying on private auditors to ensure that private companies guard our nation’s cybersecurity.

That’s one of two troubling aspects of the fact sheet the Administration just released, summarizing proposed legislation on cybersecurity it just sent to Congress.

At issue is who investigates the adequacy of a private companies’ cybersecurity plan to both certify it is adequate and ensure compliance with it. The answer? Auditors paid by the private companies.

The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Security and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate. In the event that the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology, could modify a framework. DHS can also work with firms to help them shore up plans that are deemed insufficient by commercial auditors.

While the promise to make these plans transparent is all well and good, the problem remains that private companies and the auditors they pay get to decide what is sufficient, not someone without a financial stake in the outcome. If government inspectors are important enough for safety issues, shouldn’t they be required for the cyberinfrastructure that is so critical to our safety?

In addition, a big part of this plan may give up one of the sticks the government has to ensure compliance.

One of the reasons why private companies don’t like to reveal when they’ve been hacked is liability issues: not only might their customers respond badly, but in some fields (like finance companies) the companies may face other liability issues.

But the fact sheet offers companies immunity, at the least, for any private data it shares with the government when it reveals it has been hacked.

Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

The fact sheet doesn’t describe the extent of the immunity, and the plan does, at least, make immunity contingent upon privacy protections.

  • When a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.

[snip]

  • Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.

But I wonder about the breadth of this immunity. Does it also offer companies immunity for negligence in the handling of consumer data?

One thing that Al Franken, among others, is pushing, is making it easier for consumers to expect a certain level of protection for their data. Thus, if Sony has two-year-old consumer data sitting around in an unsecure server, it would bear some liability if a hacker came and access that data. Such measures would effectively expose companies to lawsuit if they totally blew off their customers’ data security.

Now at least this proposal mandates that companies tell consumers when their data has been accessed (though I always worry when federal legislation claims to simplify state legislation–it’s often code for “water down”).

National Data Breach Reporting. State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

But it’s not clear whether companies would bear any liability for such breaches if and when they alert consumers. Moreover, this says nothing about other public disclosure on breaches, which consumers may have as big an interest in (for example, investors ought to be able to know if banks and other major investors routinely get hacked, and stock holders ought to be able to know if critical proprietary information has been stolen).

Call me crazy, but my hackles start to rise when the government starts granting immunity willy nilly, with almost nothing demanded in exchange.

Update: Kashmir Hill offers one example why a national “simplified” law might be a problem–because it’ll eliminate elements like mandatory identity theft protection and penalties from the most stringent law, in MA.

As for telling customers about their data being breached, the White House says it will “help businesses” by simplifying and standardizing the “existing patchwork of 47 state laws” that have various requirements about how soon to notify customers. In the fact sheet, at least, there’s no mention of penalties for businesses, nor mandatory provision of identity theft monitoring after a breach — two aspects of the harshest data breach law currently in the country, in Massachusetts.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now

Robert Chesney notes that the HASC Mark on the Defense Authorization bill includes a section on cyberwar. Here’s the entire section:

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to the Authorization for the Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) outside of the United States or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities.

While these terrorist actions often lead to increased danger for U.S. and coalition forces in areas of ongoing hostilities, terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally.

In certain instances, the most effective way to neutralize threats and protect U.S. and coalition forces is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense’s authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

While Chesney focuses on the use of “clandestine” in this passage (which I’ll return to), I think one of the key phrases is simply the requirement that DOD brief the Armed Services Committees quarterly on what it’s doing in cyberspace. As the AP reported in January, the SASC complained during the confirmation hearings of Michael Vickers that they weren’t getting briefed on clandestine cyberwar activities. Vickers claimed in response that the law only required that DOD brief Congress on human clandestine activities.

The Senate Armed Services Committee voiced concerns that cyber activities were not included in the quarterly report on clandestine activities. But Vickers, in his answer, suggested that such emerging high-tech operations are not specifically listed in the law — a further indication that cyber oversight is still a murky work in progress for the Obama administration.

Vickers told the committee that the requirement specifically calls for clandestine human intelligence activity. But if confirmed, he said, he would review the reporting requirements and support expanding the information included in the report.

So this section appears to close Vickers’ loophole, now requiring that DOD brief Congress on its activities in its quarterly clandestine activities reports.

In addition to legally demanding briefings, the section appears to affirmatively approve–as clandestine activities–cyberattacks against an AUMF-authorized target (so, al Qaeda and people like Anwar al-Awlaki we claim to be included in AUMF), and cyberdefense against an attack on an asset of DOD.

By the way, anyone want to speculate whether a Specialist allegedly downloading several databases onto a Lady Gaga CD constitutes a cyberattack on a DOD asset? Because if this permission includes WikiLeaks, then this section might be retroactively authorize attacks–say, DNS attacks on US-based servers–on WikiLeaks (note that DOD can attack outside the US, but such geographical limits are not placed on defensive actions).

In any case, as Chesney emphasizes, this section specifically authorizes attacks on AUMF-authorized targets and defense against attacks on DOD targets. Chesney notes that by calling these activities “clandestine,” it makes them a Traditional Military Activity.

That is to say, the language in § 962 refers to DOD authority to engage in cyber operations which are mean to go undiscovered but not meant to be denied.  That alone would presumably keep them from being categorized as a “covert action” subject to presidential finding and SSCI/HPSCI notification requirements.  Yet one can imagine that this does not quite suffice to solve the boundary dispute, insofar as it might not be clear on the front end that one would be willing to acknowledge sponsorship of an operation publicly if it becomes known…and indeed it might well be that the activity is very much meant to be both concealed and denied, making it hard at first blush to show that the activity is not a Title 50 covert action after all.  But in at least some instances there is a separate reason it should not be deemed a covert action: i.e., when the action is best understood as a high-tech equivalent to a traditional military activity (the “TMA” category being an explicit exception to the T50 covert action definition).  And that appears to be the case with the two categories explicitly described above, or at least arguably so.

The explanatory statement accompanying § 962 supports this reading.  It opens by stating that

[t]he committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

So, to summarize, this section appears to affirmatively authorize two types of activities, defining them as clandestine operations, and mandating that Congress get quarterly briefings on them.

But note this clause: “this section is not meant to identify all or in any way limit other possible military activities in cyberspace.”

So, it appears, there may be these two types of explicitly authorized clandestine operations, and then the stuff John Rizzo warned about.

I did want to mention–cause I find this interesting–cyberwarfare, on the issue of cyberwarfare. Again, increasing discussion there clearly is an active arena, will continue to be active. For us lawyers, certainly for the lawyers in the intelligence community, I’ve always found fascinating and personally I think it’s a key to understanding many of the legal and political complexities of so-called cyberlaw and cyberwarfare is the division between Title 10, Title 10 operations and Title 50 operations. Title 10 operations of course being undertaken by the Pentagon pursuant to its war-making authority, Title 50 operations being covert action operations conducted by CIA.

Why is that important and fascinating? Because, as many of you know being practitioners, how these cyber-operations are described will dictate how they are reviewed and approved in the executive branch, and how they will be reported to Congress, and how Congress will oversee these activities. When I say, “these activities,” I’m talking about offensive operations–computer network attacks.

This issue, this discussion, has been going on inside the executive branch for many years, actually. I mean I remember serious discussions during the Clinton Administration. So, again, this is not a post-9/11 phenomenon. Now, I’m speaking her from a CIA perspective, but I’ve always been envious of my colleagues at the Department of Defense because under the rubrik of Title 10, this rubrik of “preparing the battlefield.” They have always been able to operate with a–to my mind [?] a much greater degree of discretion and autonomy than we lawyers at CIA have been, have had to operate under, because of the various restrictions and requirements of Title 50 operations. Covert actions require Presidential Findings, fairly explicit reports to the Intelligence Oversight Committees. We have a very, our Intelligence Committees are … rigorous, rigorous and thorough in their review. I’ve never gotten the impression that the Pentagon, the military, DOD is subject to the same degree of scrutiny for their information warfare operations as CIA. I’m actually very envious of the flexibility they’ve had, but it’s critical–I mean I guess I could say interesting but critical how–I mean if there were operations that CIA was doing, they would be called covert actions, there’s no getting around that. To the extent I’ve ever understood what DOD does in this arena, they certainly sound like covert actions to me but given that I’ve had more than my hands full over the years trying to keep track of what CIA’s doing at any given time, I’ve never ventured deeply into that area. But I think it’s fascinating. [my emphasis]

Now, maybe this section just politely puts the kibosh on all of this Title 50 masquerading as Title 10 stuff, stuff done under the auspices of DOD to avoid the oversight requirements that Title 10 intelligence operations would require. Maybe this section limits DOD’s activities to its two authorized clandestine activities.

But I doubt it. With the language about not limiting DOD to these two functions, you can pretty much assume there’s some Special Access Programs (like the kind the Air Force refuses to talk to Congress about) not safe to be mentioned in public documents like laws.

Look on the bright side, though: Congress is at least requiring that DOD brief Congress on some of the secret stuff they’re doing in cyberspace.

Update: Specialist corrected per Ralph.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

CIFA 2.0 Back in the Outsourcing Business

Remember the Counterintelligence Field Activity (CIFA)? Here’s how I described it back in 2007.

CIFA is, along with the National Security Letters Congress is now cracking down on, probably the biggest abuse of civil rights and privacy BushCo has hatched up. It was designed to gather intelligence on threats to defense installments in the United States–to try to collect information (in the TALON database) on threatening people scoping out domestic bases. But it ended up focusing on peace activists and the lefty blogosphere’s own Jesus’ General70 percent of CIFA’s employees are contractors, a figure that makes it a prime candidate for politicized contracting scandal.

Among the contractors spying on Americans was MZM, one of the companies that bribed Duke Cunningham. Prosecutors in that case started investigating MZM’s CIFA contracts in May 2006. Three months after that, the top two managers at CIFA, who had directed CIFA keep sending MZM contracts, resigned suddenly. When DOD’s Inspector General tried to investigate CIFA in 2007, it discovered (it claimed) that the entire CIFA database had been destroyed in June 2006, just as prosecutors were closing in on those contracts.

Later, in 2008, just as CIFA was claiming it couldn’t publicly reveal its unclassified contracts, we learned that Stephen Cambone (who had led one of the inquiries into CIFA), had won a contract from it, sort of a payoff for not finding anything, I guess.

Later that year, DOD “disestablished” CIFA.

Or rather, they renamed it, calling it the Defense Counterintelligence and Human Intelligence Center. Then, last year, we learned that database DOD claimed had been destroyed in 2006 really hadn’t been, and CIFA 2.0 was getting back in the business of keeping a database of information on big threats to the US like Quakers and bloggers.

The Defense Intelligence Agency wants to open a new repository for information about individuals and groups in what appears to be a successor to a controversial counterintelligence program that was disbanded in 2008.

The new Foreign Intelligence and Counterintelligence Operation Records section will be housed in DIA’s Defense Counterintelligence and Human Intelligence Center, or DCHC, formed after the demise of the Counterintelligence Field Activity, or CIFA, according to an announcement that appeared Tuesday in the Federal Register.

The “activity” was disbanded, but evidently not its records database, which seems to be headed to the new unit. One of the criticisms of CIFA was that it vacuumed up raw intelligence on legal protest groups and individuals from local police and military spies.

When the DCHC was launched in 2008, the Pentagon said “it shall NOT be designated as a law enforcement activity and shall not perform any law enforcement functions previously assigned to DoD CIFA.”

Why the new depository would want such records while its parent agency no longer has a law enforcement function could not be learned. Not could it be learned whether the repository will include intelligence reports on protest groups gathered by its predecessor, CIFA.

The only thing left, at that point, was to figure out what defense contractor was getting rich spying on American citizens.

The answer? Lockheed Martin.

Lockheed Martin has openings for talented and motivated professionals in the counterintelligence (CI) field to be part of an evolving and highly specialized team that will provide direct support to the Defense Intelligence Agency’s (DIA) Defense Counterintelligence and Human Intelligence Center (DCHC).

The team Lockheed Martin is assembling a team which will function in CI areas such as: force protection; support to Joint Terrorism Task Force (JTTF); CI in Cyberspace; research, development and acquisitions; critical infrastructure protection; CI support to Offensive CI Operations; analysis & production (A&P); collections; campaigns; policy; assessments; TSCM; security; information assurance, and Enterprise governance support (administrative).

Not only is the entire concept wrong, using contractors to spy on Quakers and bloggers. Not only is it especially troublesome that Lockheed–a company with close ties to NSA–is doing this work (which would make it easy for reports from physical surveillance to migrate into the signals surveillance NSA does). But note what else is now included in CIFA 2.0: “CI in Cyberspace.” That is, Lockheed with its close ties to NSA is now in charge of spying on those claimed to present an online counterintelligence threat to the United States. And maybe doing things like hacking a media site to try to exercise illegal prior restraint.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

WikiLeaks Reveals that China Already Knows What WikiLeaks Reveals

I’ve been bitching and bitching and bitching and bitching about DOD’s refusal to fix the gaping holes in its network security even while it cries that Bradley Manning allegedly downloaded a bunch of cables using those gaping holes. As I point out, if all it took Manning to get all these databases was one Lady Gaga CD, then presumably our enemies can and do get what they want pretty easily, too.

As citizens, we just don’t ever find out about those other data breaches.

Well, apparently someone leaked a set of previously unreported WikiLeaks cables to Reuters, which used them as one of many sources to report on how much data China is just hacking from our government networks, including the sieve-like DOD ones.

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches — colorfully code-named “Byzantine Hades” by U.S. investigators — to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.

Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.

U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department’s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were “involved in Byzantine Hades intrusion activity in 2006.”

[snip]

What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst — that any network is vulnerable. [my emphasis]

Oh, okay.

Our government has apparently conceded it can’t keep its networks secret from China.

I’m not surprised, mind you. While I assume the problems at DOD are a worst case scenario (because of its size and logistical issues stemming from all the wars we’re running), the size of the gaping holes at DOD (and the lackadaisical attitude DOD has about closing them) shows how low a priority network security is in our government generally.

Plus, Chinese hackers are that good.

But the confirmation that China can basically just take what it wants at will really raises new questions about our government’s treatment of Bradley Manning specifically and its hyper-secrecy more generally.

If we’re not keeping all these secrets from China, our biggest rival, who are we keeping them from? If our adversaries can just go and get whatever they want off our networks, then why has the government treated Bradley Manning’s allegedly doing the same a capital offense? And if our government has just conceded that China can take what it wants, then why won’t it let its own citizens know what China presumably already knows?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.