Richard Clarke Also Suggests Hacking Has Made F-35 Ineffective

A number of people have pointed to this interview for Richard Clarke’s suggestion that the US, not Israel, bears most of the responsibility for the StuxNet attack.

But I’m just as interested in his assessment that hacking threatens to undercut our ability to deploy our fanciest war toys.

“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” he tells me. “Every major company in the United States has already been penetrated by China.

“What?”

“The British government actually said [something similar] about their own country.”

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don’t get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them—“logic bombs,” trapdoors and “Trojan horses,” all ready to be activated on command so we won’t know what hit us. Or what’s already hitting us.

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China….After a while you can’t compete.”

But Clarke’s concerns reach beyond the cost of lost intellectual property. He foresees the loss of military power. Say there was another confrontation, such as the one in 1996 when President Clinton rushed two carrier battle fleets to the Taiwan Strait to warn China against an invasion of Taiwan. Clarke, who says there have been war games on precisely such a revived confrontation, now believes that we might be forced to give up playing such a role for fear that our carrier group defenses could be blinded and paralyzed by Chinese cyberintervention. [my emphasis]

The other day, I suggested that our inability to protect our defense and defense contractor networks means we’re wasting billions on hacking-related rework.

That’s not the only way our vulnerability to hacking will rot our national security supremacy. As Clarke notes, it will make all the defenses we build into our weapons systems less effective. All of which won’t stop us from dumping the national treasure into already-compromised toys. It’ll just make those toys more expensive.

Does NCTC Have the Minimal Data Security to Guard Its New Not-Terrorist-Terrorist Database?

As I noted here and here, yesterday the Director of National Intelligence and DOJ rolled out new Guidelines allowing the National Counterterrorism Center to acquire non-terrorist datasets from federal agencies–including US person data–so they can do pattern analysis on those datasets and pass off the resulting data to other agencies.

When intelligence officials wanted to explain to Charlie Savage how this would work, they pointed to a State Department dataset–visa applications–as one dataset NCTC might now access directly.

A person from Yemen applies for a visa and lists an American as a point of contact. There is no sign that either person is a terrorist. Two years later, another person from Yemen applies for a visa and lists the same American, and this second person is a suspected terrorist.

Under the existing system, they said, to discover that the first visa applicant now had a known tie to a suspected terrorist, an analyst would have to ask the State Department to check its database to see if the American’s name had come up on anyone else’s visa application — a step that could be overlooked or cause a delay. Under the new rules, a computer could instantly alert analysts of the connection.

The State Department is, of course, still reportedly recovering from the fact that because of DOD’s lax network security, 250,000 diplomatic cables got liberated for the world to see.

Not surprisingly, then, the new Guidelines appear determined to reassure original dataset owners that their data won’t be compromised by sharing it with NCTC (which can then share it with other elements of the Intelligence Community and even foreign allies). You can tell they’re serious about this, because it’s one of the places they occasionally use “shall” (in other sensitive areas, they use the squishier “will”).

For access to or acquisition of specific datasets, the DNI, or the DNI’s designee, shall collaborate with the data provider to identify any legal constraints, operational considerations, privacy or civil rights or civil liberties concerns and protections, or other issues, and to develop appropriate Terms and Conditions that will govern NCTC’s access to or acquisition of datasets under these guidelines.

[snip]

In addition to the [general requirements laid out for sharing this data], at the time when NCTC acquires a new dataset or a new portion of a dataset, the Director of NCTC shall determine, in writing, whether enhanced safeguards, procedures, and oversight mechanisms are needed.

Though this bold approach almost immediately breaks down, as the Guidelines not only revert to “will,” but–worse–dig out the passive voice when describing the data transfer.

Measures will be put into place to ensure that the dataset is received and stored in a manner to prevent unauthorized access and use prior to the completion of replication.

And when the Guidelines get into specifics, they use that passive “will” again.

Access to these datasets will be monitored, recorded, and audited. This includes tracking of logons and logoffs, file and object manipulation, and changes, and queries executed, in accordance with audit and monitoring standards applicable to the Intelligence Community.

Who will (“shall”) implement these data security measures? What if he or she fails to do so adequately?

It’s a really, really important question because, as this year’s intelligence authorizations make clear, the Intelligence Community does not yet have insider threat detection–the kind of security that would permit these audits–and it’s not going to get it until 18 months from now. Hell, it’s not even going to start getting it until 6 months from now!

(a) Initial Operating Capability.–Not later than October 1, 2012, the Director of National Intelligence shall establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the intelligence community in order to detect unauthorized access to, or use or transmission of, classified intelligence.
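As an added illustration of what the “monitored, recorded, and audited” access the Guidelines promise would actually have to look like, here is a small Python dataset-access layer that performs the visa cross-reference described above and writes every logon, query and logoff into a hash-chained audit trail that an auditor can later verify. This is example code written for this page, not code from the post, from NCTC, or from the Guidelines; the sample visa records, the analyst and dataset names, and the hash-chain scheme are constructed assumptions.

```python
"""Added example (not from the post or the NCTC Guidelines): a dataset-access
layer that does the visa cross-reference and records every logon, query and
logoff in a hash-chained audit trail so an auditor can check that the record
is complete. All records below are constructed sample data; analyst names,
dataset names and the chaining scheme are assumptions for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample dataset: visa applications naming a US point of contact.
VISA_APPLICATIONS = [
    {"id": "A-1", "applicant": "Applicant One", "country": "YE",
     "us_contact": "J. Doe", "filed": "2010-03-01", "suspected": False},
    {"id": "A-2", "applicant": "Applicant Two", "country": "YE",
     "us_contact": "J. Doe", "filed": "2012-03-01", "suspected": True},
    {"id": "A-3", "applicant": "Applicant Three", "country": "FR",
     "us_contact": "K. Roe", "filed": "2011-06-15", "suspected": False},
]


class AuditedDataset:
    """Holds a replicated dataset plus an append-only, hash-chained audit log.
    Each entry's hash covers the previous entry's hash, so editing or deleting
    an entry breaks verification of that entry and everything after it."""

    def __init__(self, name, records, authorized_users):
        self.name = name
        self._records = list(records)
        self._authorized = set(authorized_users)
        self.audit_log = []  # list of dicts, each carrying a chained hash
        self._sessions = set()
        # Index: US contact -> ids of applications that name that contact.
        self._by_contact = {}
        for r in self._records:
            self._by_contact.setdefault(r["us_contact"], []).append(r["id"])

    def _append(self, user, event, detail):
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"seq": len(self.audit_log), "user": user, "event": event,
                 "detail": detail, "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat()}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.audit_log.append(entry)

    def logon(self, user):
        # Denied logons are recorded too; they are the insider-threat signal.
        if user not in self._authorized:
            self._append(user, "LOGON_DENIED", {})
            raise PermissionError(f"{user} not authorized for {self.name}")
        self._sessions.add(user)
        self._append(user, "LOGON", {})

    def logoff(self, user):
        self._sessions.discard(user)
        self._append(user, "LOGOFF", {})

    def linked_applications(self, user, suspected_id):
        """Return ids of other applications naming the same US contact as the
        suspected application. Each call is recorded with its parameters and
        the ids it returned."""
        if user not in self._sessions:
            self._append(user, "QUERY_DENIED", {"suspected_id": suspected_id})
            raise PermissionError(f"{user} has no active session")
        record = next((r for r in self._records if r["id"] == suspected_id), None)
        hits = []
        if record is not None:
            hits = [i for i in self._by_contact.get(record["us_contact"], [])
                    if i != suspected_id]
        self._append(user, "QUERY", {"suspected_id": suspected_id, "returned": hits})
        return hits

    def verify_audit_log(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for i, e in enumerate(self.audit_log):
            if e["seq"] != i or e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Walk through the post's scenario: A-2 is later flagged, and the query
    surfaces A-1, the earlier applicant who named the same US contact."""
    ds = AuditedDataset("state-visa-applications", VISA_APPLICATIONS, ["analyst1"])
    ds.logon("analyst1")
    links = ds.linked_applications("analyst1", "A-2")
    ds.logoff("analyst1")
    return links, [e["event"] for e in ds.audit_log], ds.verify_audit_log()


if __name__ == "__main__":
    print(demo())
```

The point of the chain is the author’s question: if whoever “will” implement the monitoring does it as a plain writable log, a misbehaving analyst can simply erase the query that pulled the US person record. With the hash chain, an auditor re-running verify_audit_log() over a copy of the log detects the edit; it does not prevent it, which is why the log should also be shipped off the system the analyst can reach.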


BAE F-35 Hack Confirmed

I’ve long complained that the government’s obsession with WikiLeaks is badly misplaced. After all, DOD and some of its contractors simply can’t keep their networks secure from Chinese hackers. So if our chief rival can take what it wants, why worry so much that actual American citizens have access to what China can take with abandon?

Case in point. The Australian has confirmed what was initially reported three years ago: China hacked BAE to steal performance information on the F-35.

CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the $300 billion F-35 Joint Strike Fighter, a multinational project to create a plane that will give the West air supremacy for years to come, according to the sources.

[snip]

One of those present said: “The BAE man said that for 18 months, Chinese cyber attacks had taken place against BAE and had managed to get hold of plans of one of its latest fighters.”

This plane will have taken more than $385 billion to develop and will take $1 trillion to sustain. It is the most expensive weapons system in history. And yet for 18 months, the Chinese were just living on (at least) BAE’s networks taking what they wanted. How much of the considerable cost and rework on this program comes from the data on it China has stolen along the way?

In fact, I’m wondering whether China isn’t borrowing from our own playbook: during the Cold War, we made Russia go bankrupt by engaging in an arms race it couldn’t afford. China doesn’t need to do that. By hacking our data, they can just make us go bankrupt by setting up an arms race between our contractors and its hackers. With the result that we build a trillion dollar plane that it can already exploit.

And yet the government’s priority seems to be shutting up leakers who reveal its crimes, not securing the networks that leak our biggest military secrets.

Is This What Robert Mueller Meant by Cyber Expertise?

Back on February 3, I noted what I thought was the irony that, four days after FBI Director Robert Mueller bragged about FBI’s cybersecurity expertise–including its partnerships with counterparts overseas–Anonymous released an earlier hacked call between Scotland Yard and FBI.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

We now know that at the time of both the hack and Mueller’s comment, the FBI was running Hector Xavier Monsegur–Sabu–as a confidential informant–and the Scotland Yard call is one of the hacks they busted others for with his assistance last week.

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

And meanwhile, all of the things Sabu was saying on his twitter account were closely monitored–if not written–by the FBI, including the comment about FBI’s informants, above, and the multiple “celebrations” of the Scotland Yard hack.


So It Was the FBI Threatening to Take Down the Internet, Then?

As soon as the news came out today that Sabu, the head of LulzSec, offered an FBI computer to facilitate the publication of the Stratfor emails (no doubt to set up a LulzSec-assisted indictment of Julian Assange in the future)…

Hector Xavier Monsegur, an unemployed 28-year-old Puerto Rican living in New York, was unmasked as “Sabu”, the leader of the LulzSec hacking group that has been behind a wave of cyber raids against American corporations including Rupert Murdoch’s News Corporation, the intelligence consultancy Stratfor, British and American law enforcement bodies, and the Irish political party Fine Gael.

[snip]

In a US court document, the FBI’s informant – there described as CW – “acting under the direction of the FBI” helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK’s Serious and Organised Crime Agency in February.

Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.

A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

…I thought back to the threat Anonymous made to TAKE DOWN THE ENTIRE INTERNET!!! Which of course made more sense understood as a ploy to help fear monger than an actual threat from actual terrorists.

Was it the FBI making such threats?

Which makes this conversation Sabu had just two weeks before he was indicted all the more interesting.

<SABU> You just said there was a claim that I may be a terrorist. You “researched” it and wrote the article

<SABU> There are claims I am with the CIA pushing to get tighter / stricter cyber-laws passed

<SABU> its literally the same shit, two different extremes.

[snip]

<SABU> The people are aware that our governments in the UK and the US have involved themselves in black operations in the past. it makes a lot of sense if let’s say a rogue group of hackers suddenly began attacking national interests — spawning a massive overhaul of internet security, theoretically.


Treasury Accuses Iran of Hacking

The Treasury Department just added the Iranian Ministry of Intelligence and Security (MOIS) to the other Iranian entities listed as Specially Designated Nationals (other entities already covered include the Quds Force and the National Police and their leaders). It sanctioned MOIS for a laundry list of reasons generally categorized as support for Syria’s human rights abuses, Iran’s own human rights abuses, and support for terrorism. Under the latter section, Treasury lists the following:

  • MOIS provides financial, material, or technological support for, or financial or other services to Hizballah, a terrorist organization designated under E.O. 13224. MOIS has participated in multiple joint projects with Hizballah in computer hacking.
  • MOIS provides financial, material, or technological support for, or financial or other services to HAMAS, a terrorist group also designated under E.O. 13224.
  • MOIS has facilitated the movement of al Qa’ida operatives in Iran and provided them with documents, identification cards, and passports.
  • MOIS also provided money and weapons to al Qa’ida in Iraq (AQI), a terrorist group designated under E.O. 13224, and negotiated prisoner releases of AQI operatives.

It is the official position of our government that Iran has facilitated the travel of al Qaeda operatives (this accusation may, in fact, date to pre-9/11 transiting of Iran on the same terms as others). And, not surprisingly, the government says Iran helped Hamas and Al Qaeda in Iraq.

But it’s the Hezbollah claim I’m most intrigued by. Treasury says that Iran’s intelligence service “participated in multiple joint projects with Hizballah in computer hacking.”

Hacking? We’re declaring hacking a terrorist act now? Like the StuxNet project we engaged in with Israel.

And what, precisely, is Iran alleged to have hacked? Because the most public allegations pertain to … drones. You know, the drones violating Iran and Lebanon’s airspace?

We’ve made that a terrorist act now?

Alan Gross and Jacob Appelbaum

This AP story describing the backstory of USAID contractor Alan Gross’s imprisonment in Cuba is interesting in its own right. Past reporting had made it clear that Cuba had declared Gross a spy because he was setting up secure communications technology for Cuba’s Jewish community.

Gross’ company, JBDC Inc., which specializes in setting up Internet access in remote locations like Iraq and Afghanistan, had been hired by Development Associates International Inc. of Bethesda, Maryland, which had a multimillion-dollar contract with USAID to break Cuba’s information blockade by “technological outreach through phone banks, satellite Internet and cell phones.”

The AP story describes the vast array of telecom equipment Gross and some Jewish humanitarian groups he partnered with smuggled into Cuba, where some of it is explicitly prohibited:

12 iPods, 11 BlackBerry Curve smartphones, three MacBooks, six 500-gigabyte external drives, three Internet satellite phones known as BGANs, three routers, three controllers, 18 wireless access points, 13 memory sticks, three phones to make calls over the Internet, and networking switches.

And it explains what it was that finally got Gross arrested: his importation of a “discreet” SIM card that would keep satellite phone transmissions from being pinpointed.

On his final trip, he brought in a “discreet” SIM card — or subscriber identity module card — intended to keep satellite phone transmissions from being pinpointed within 250 miles (400 kilometers), if they were detected at all.

The type of SIM card used by Gross is not available on the open market and is distributed only to governments, according to an official at a satellite telephone company familiar with the technology and a former U.S. intelligence official who has used such a chip. The officials, who spoke on condition of anonymity because of the sensitivity of the technology, said the chips are provided most frequently to the Defense Department and the CIA, but also can be obtained by the State Department, which oversees USAID.

So Gross was arrested for trying to make sure a subset of Cuba’s population could access the Internet in privacy.

Back when Alan Gross was “convicted,” the White House officially condemned the decision, as they’ve condemned his treatment repeatedly since.

Alan Gross has been unjustly detained and deprived of his liberty and freedom for the last 14 months. Instead of releasing Mr. Gross so he can come home to his wife and family, today’s decision by Cuban authorities compounds the injustice suffered by a man helping to increase the free flow of information, to, from, and among the Cuban people.

We remain deeply concerned for Mr. Gross’ well being and that of his family and reiterate our call for his immediate release.

Gross’ case would make you think the government inherently valued secure Internet communication.

But compare their treatment of Gross with the treatment they’ve given Jacob Appelbaum, the Tor researcher whom they’ve treated like a suspected terrorist.

Tor, like the communications equipment Gross was installing, makes it easier for dissidents and other members of civil society to communicate freely.

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor’s hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization.

And like Gross, Appelbaum has traveled internationally to help foster such private communications. If you follow him on Twitter, you can even see him tracking and responding to attacks on secure networks in the Middle East.

So if Administration expressions of concern about the free flow of information were sincere, you’d think they’d be celebrating Appelbaum’s efforts.

Instead, partly because of his ties to WikiLeaks, they routinely harass him. Not only have they subpoenaed his Twitter IP information and a slew of other data as part of their WikiLeaks investigation, but every time he returns to the country, they temporarily detain him.

FBI Director Mueller Boasts of FBI’s Cyber Expertise before Anonymous Hacks Cyber Call

As you may have heard, Anonymous hacked into and released a conference call between the FBI and Scotland Yard discussing their efforts to crack down on the hackers’ group.

What makes the hack all the more ironic is that its release comes just days after Robert Mueller bragged of the FBI’s cyber expertise at the Threat Assessment hearing on Tuesday (the actual call took place on January 17, which makes me wonder whether they have gotten subsequent calls as well). In response to Maryland’s (and therefore NSA’s) Senator Barbara Mikulski suggesting that the NSA was the only entity able to investigate cybercrime, Mueller insisted (after 2:01) the FBI can match the expertise of NSA. He even bragged about how important partnering with counterparts in other countries–like Scotland Yard–was to the FBI’s expertise.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

I don’t want to sell the FBI short or anything. But regardless of their expertise in investigating cybercrimes, it sure seems like they’ve got the same crappy security the rest of the Federal government has.

On the Manning Art. 32, Court Secrecy & Nat. Sec. Cases

I somehow stumbled into an article for The Nation by Rainey Reitman entitled Access Blocked to Bradley Manning’s Hearing. To make a long story short, in a Twitter exchange today with Ms. Reitman and Kevin Gosztola of Firedoglake (who has done yeoman’s work covering the Manning hearing), I questioned some of the statements and inferences made in Ms. Reitman’s report. She challenged me to write on the subject, so here I am.

First, Ms. Reitman glibly offered to let me use her work as “foundation” to work off of. Quite frankly, not only was my point not originally to particularly go further; my point, in fact, was that her foundation was deeply and materially flawed.

Reitman starts off with this statement:

The WikiLeaks saga is centered on issues of government transparency and accountability, but the public is being strategically denied access to the Manning hearing, one of the most important court cases in our lifetime.

While the “WikiLeaks saga” is indeed centered on transparency and accountability for many of us, that simply is not the case in regard to the US Military prosecution of Pvt. Bradley Manning. The second you make that statement about the UCMJ criminal prosecution of Manning, you have stepped off the tracks of reality and credibility in court reportage and analysis. The scope of Manning’s Article 32 hearing was/is whether the crimes detailed in the charging document were committed and whether there is reason to believe Manning committed them. Additionally, in an Article 32 hearing, distinct from a civilian preliminary hearing, there is limited opportunity for personal mitigating information to be adduced in order to argue for the Investigating Officer to recommend non-judicial punishment as opposed to court martial trial. That is it. There is no concern or consideration of “transparency and accountability”, within the ambit suggested by Ms. Reitman, in the least.

Calling the Manning Article 32 hearing “one of the most important court cases in our lifetime” is far beyond hyperbole. First off, it is, for all the breathless hype, a relatively straightforward probable cause determination legally and, to the particular military court jurisdiction it is proceeding under, it is nothing more than that. The burden of proof is light, and the issues narrow and confined to that which is described above. The grand hopes, dreams and principles of the Manning and WikiLeaks acolytes simply do not fit into this equation no matter how much they may want them to. Frankly, it would be a great thing to get those issues aired in this country; but this military UCMJ proceeding is not, and will not be, the forum where that happens.

Moving on, Reitman raises the specter of “the death penalty” for Manning. While the death penalty remains a technical possibility under one of the charges, the prosecution has repeatedly stated it will not be sought and, after all the statements on the record in that regard, there is simply no reason to embellish otherwise. Reitman next states:

This case will show much about the United States’s tolerance for whistleblowers who show the country in an unflattering light.

No, it most certainly will not. In fact, the Manning criminal military prosecution has nothing whatsoever to do with “whistleblowers”. Despite the loose and wild eyed use of the term “whistleblower” in popular culture, not to mention by supporters of Bradley Manning, the concept

Ahmed Warsame and StuxNet

Back in November, I suggested one intended purpose of the detainee provisions in the Defense Authorization is to require a paper trail that would make it a little harder for the Administration to disappear detainees on floating prisons. The bill:

  • Requires written procedures outlining how the Administration decides who counts as a terrorist
  • Requires regular briefings on which groups and individuals the Administration considers to be covered by the AUMF
  • Requires the Administration submit waivers whenever it deviates from presumptive military detention

These are imperfect controls, certainly. But they do seem like efforts to bureaucratize the existing, arbitrary, detention regime, in which the President just makes shit up and tells big parts of Congress–including the Armed Services Committees, who presumably have an interest in making sure the President doesn’t make the military break the law–after the fact.

I suggested this effort to impose bureaucratic controls was, in part, a reaction to the Ahmed Warsame treatment, in which it appears that the Armed Services Committees learned Obama had declared war against parts of al-Shabaab and used that declaration as justification to float Warsame around on a ship for two months. (It appears that the Intelligence Committees, but not the Armed Services Committees, got briefed in this case, though Admiral McRaven was testifying about floating prisons as it was happening). [Update: I may be mistaken about what Lindsey Graham’s language about making sure the AUMF covered this action meant, so italicized language may be incorrect.]

This is not to say the ASCs are going to limit what the President does–just make sure they know about it and make sure the military has legal cover for what they’re doing.

With that in mind, take a look at Robert Chesney’s review of the new cyberwar authorization in the Defense Authorization, which reads:

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

Chesney’s interpretation of this troubling language is that by requiring a Presidential statement in some cases, it will force interagency consultation before, say, DOD launches a cyberwar on Iran. (Oh wait, too late.)

