Yet Another “Lady Gaga” Exposure Forces DOD to Wipe Drone Control Computers

On Friday, Wired broke the news that the DOD suffered yet another breach because they continue to leave computers exposed to outside storage systems. (h/t WO) In this case, the Ground Control Stations they use to control drones got infected with a keylogger virus.

But time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. The Pentagon is still disinfecting machines, three years later.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

After a virus was introduced into computers in Iraq three years ago via thumb drive, DOD claimed it had prohibited the use of any removable media with their computers. But then Bradley Manning allegedly removed hundreds of thousands of classified cables from SIPRNet using a Lady Gaga CD. Rather than making all computers inaccessible to removable media at that point, DOD left 12% of their computers vulnerable, deploying a buddy-system to prevent people from taking files inappropriately; but human buddy systems don’t necessarily prevent the transmission of viruses.

The good news is that the Host-Based Security System implemented in response to Wikileaks discovered the virus–two weeks ago.

But here’s the other interesting wrinkle. To get rid of these viruses, techs have resorted to wiping the hard drives of the targeting computers.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

Given what little we know about the Anwar al-Awlaki assassination (which, as Wired points out, happened after these computers were already known to be infected), this should not have affected the computers that ten days ago killed two US citizens with no due process. The Newsweek story describing the CIA’s targeting process says that targeting is done in VA, not NV, where the virus hit.

But particularly given the questions about Samir Khan’s death, consider if that weren’t the case. That would mean a key piece of evidence about whether or not the US knowingly executed an American engaging in speech might be completely eliminated, wiped clean to fix a predictable virus.

That’s not the only risk, of course. We’ve talked before about how long it’ll take for Iran or Mexican drug cartels to hack our armed drones. If this virus were passed via deliberate hack, rather than sloppiness, then we might be one step closer to that eventuality.

All because DOD continues to refuse to take simple steps to secure their computers.

The Omnivore Bites Back

Okay, okay, I should have used a pun on “Echelon” for my title here, not “Carnivore.” After all, it was that earlier SigInt program that the US and its Anglophone partners used to steal industrial secrets in the 1990s.

The point being that, while I am concerned by McAfee’s description of the extent of the data theft carried out in the last six years using a hack it calls Shady RAT, I am also cognizant that the US has used equivalent tactics to steal intellectual property in the past and present.

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.


McAfee provides all the clues to make it clear China is behind these hacks–though it never says so explicitly.

The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks. The presence of political non-profits, such as the a private western organization focused on promotion of democracy around the globe or U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.

The report is perhaps most interesting because of some of the entities–along with the defense contractors and US and other government agencies–described as targets of this hack: a number of construction companies (which could include companies like KBR), real estate firms, various state and county governments, two think tanks, and the NY and Hong Kong offices of a US media company. These are where the secrets China wants to steal are kept.

The problem, of course, is that our intellectual property is one of the few advantages the US has left. Our exports are increasingly limited to things that rely on legally enforcing intellectual property to retain its value: drugs, movies and music, software, GMO ag. Which sort of makes China’s ability to sit undetected in the servers of these kinds of organizations for up to 28 months a bit of a problem.

Good thing the FBI is busy going after hacktivists and whistleblowers instead.

Thomas Drake Proved To Be Bloody Well Right

Well hello there Wheelhouse members! Marcy is still on the road, but I am back and ready to roll, so there will be actual content here again! I want to start with a bit of interesting post-mortem news on Thomas Drake.

As you will recall, Tom Drake was belligerently prosecuted by the DOJ on trumped up espionage charges (See: here, here, here and here) and their case fell out from underneath them because they cravenly wanted to hide the facts. As a result, Drake pled guilty to about the piddliest little misdemeanor imaginable, and will be sentenced, undoubtedly, to no incarceration whatsoever, no fine and one year or less of unsupervised probation on July 15, 2011. But the entire Tom Drake matter emanated out of Drake’s attempt to internally, and properly, cooperate with a whistleblowing to the Department of Defense Inspector General.

The report from the DOD IG in this regard has now, conveniently after Drake entered his plea, been publicly released through a long-sought FOIA request by the Project On Government Oversight (POGO), albeit in heavily redacted form:

The U.S. Department of Justice (DOJ) prosecuted Drake under the Espionage Act for unauthorized possession of “national defense information.” The prosecution was believed to be an outgrowth of the DOJ’s investigation into disclosures of the NSA warrantless wiretapping to The New York Times and came after Drake blew the whistle on widespread problems with a NSA program called TRAILBLAZER. Most of the Espionage Act charges against Drake dealt with documents associated with his cooperation with this DoD IG audit. However, this month the government’s case against Drake fell apart and prosecutors dropped the felony charges. Instead, Drake pleaded to a misdemeanor charge of exceeding the authorized use of a computer.

The report, which was heavily redacted, found that “the National Security Agency is inefficiently using resources to develop a digital network exploitation system that is not capable of fully exploiting the digital network intelligence available to analysts from the Global Information Network.” The DoD IG also found, in reference to TRAILBLAZER, that “the NSA transformation effort may be developing a less capable long-term digital network exploitation solution that will take longer and cost significantly more to develop.”

Here is a full PDF of the entire redacted public version of the report in two parts because of file size: Part One and Part Two.

The report speaks for itself and I will not go in to deep quotes from it; suffice it to say, the DOD IG report proves that Tom Drake was precisely correct in his initial complaints that the TRAILBLAZER program was a nightmarish fraud on the taxpayers and inherently inefficient compared to the THIN THREAD program originally devised in house. The money quotes, as noted by POGO, are:

…the National Security Agency is inefficiently using resources to develop a digital network exploitation system that is not capable of fully exploiting the digital network intelligence available to analysts from the Global Information Network.


…the NSA transformation effort may be developing a less capable long-term digital network exploitation solution that will take longer and cost significantly more to develop.

So, in sum, thanks to POGO’s FOIA release here, we now know that not only was the persecution of Tom Drake by the DOJ completely bogus and vindictive, Tom Drake was bloody well right about TRAILBLAZER versus THIN THREAD to start with. Who couldda predicted?

Another NSA-Private Sector Partnership

Ellen Nakashima reports on a partnership between the NSA, defense contractors, and their Internet service providers to find hackers before they hack.

The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, senior defense and industry officials say.


Officials say the pilot program does not involve direct monitoring of the contractors’ networks by the government. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats.

The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is moving its headquarters to Falls Church. The contractors have the option, but not the obligation, to report the success rate to the NSA’s Threat Operations Center.
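The mechanism described in the excerpt above, signatures plus suspicious behaviour sequences applied to traffic before it reaches the contractor, can be made concrete with a toy filter. This is an added example, not code from the article, the NSA or the carriers: the "signature" is assumed to be a SHA-256 hash of a known-malicious attachment, the "behaviour pattern" is assumed to be an inbound attachment followed within ten minutes by an outbound connection from the same host to a never-before-seen domain, and every hash, host name, domain and timestamp below is constructed.

```python
"""Toy model of ISP-side signature + behaviour filtering (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class Event:
    ts: datetime
    kind: str   # "mail" (inbound message with attachment) or "conn" (outbound connection)
    host: str   # contractor workstation the traffic belongs to
    data: str   # attachment contents for "mail", destination domain for "conn"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature set: hash of a fake dropper -> signature name.
BAD_ATTACHMENT_HASHES = {sha256(b"MZ...constructed dropper..."): "sig-dropper-A"}

# Constructed list of domains this contractor's hosts have talked to before.
KNOWN_DOMAINS = {"update.example.com", "mail.example.com"}

BEHAVIOUR_WINDOW = timedelta(minutes=10)


def match_signatures(events):
    """Return (mail_event, signature_name) for every attachment whose hash is known-bad."""
    hits = []
    for e in events:
        if e.kind == "mail":
            name = BAD_ATTACHMENT_HASHES.get(sha256(e.data.encode()))
            if name:
                hits.append((e, name))
    return hits


def match_behaviour(events):
    """Return (mail_event, conn_event) when a host receives an attachment and, within
    BEHAVIOUR_WINDOW, connects out to a domain that was never seen before."""
    hits = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, mail in enumerate(ordered):
        if mail.kind != "mail":
            continue
        for later in ordered[i + 1:]:
            if later.ts - mail.ts > BEHAVIOUR_WINDOW:
                break  # sorted by time, so nothing further can be inside the window
            if later.kind == "conn" and later.host == mail.host and later.data not in KNOWN_DOMAINS:
                hits.append((mail, later))
    return hits


def filter_traffic(events):
    """Combine both detectors; return {host: [reasons]} for hosts whose traffic would be held."""
    blocked = {}
    for mail, sig in match_signatures(events):
        blocked.setdefault(mail.host, []).append(f"signature:{sig}")
    for mail, conn in match_behaviour(events):
        blocked.setdefault(mail.host, []).append(f"behaviour:attachment-then-{conn.data}")
    return blocked


def sample_events():
    """Constructed traffic log: ws1 gets the fake dropper and beacons out; ws2 is benign."""
    t0 = datetime(2011, 6, 1, 9, 0, 0)
    return [
        Event(t0, "mail", "ws1", "MZ...constructed dropper..."),
        Event(t0 + timedelta(minutes=1), "mail", "ws2", "quarterly report text"),
        Event(t0 + timedelta(minutes=2), "conn", "ws1", "c2.constructed-bad.example"),
        Event(t0 + timedelta(minutes=3), "conn", "ws2", "update.example.com"),
        Event(t0 + timedelta(minutes=30), "conn", "ws1", "other.new.example"),  # outside window
    ]


if __name__ == "__main__":
    for host, reasons in filter_traffic(sample_events()).items():
        print(host, reasons)
```

Two things the toy makes visible that the article does not: the signature matcher must read the message body to hash the attachment, which is why a carrier-side filter of this kind carries the privacy cost discussed below, and the behaviour rule fires on any first-time domain, so in practice it would be tuned against a much richer baseline than a two-entry allow-list.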

From a technical stand-point, this is probably a better way to find hackers than waiting until they steal your data. But of course, it raises all sorts of privacy issues.

But for all the generalized concerns I have about it, I kept thinking of HB Gary when I read this story. After all, the NSA is surely working with contractors on their own side of this. And threat detection like this is precisely the kind of thing HB Gary did, before they started pitching the Chamber of Commerce to spy on activists.

So who are the other contractors involved in this, and what else are they doing with the technology?

China Is Hiding Its Counterfeit Electronics Parts

The Senate Armed Services Committee is trying to investigate how allegedly counterfeit parts get into the military supply chain. But China won’t give visas–or promise freedom of movement without minders–to the committee’s investigators.

Two key US senators on Tuesday accused China of hampering a congressional probe into how counterfeit electronics end up in the US military supply chain by denying entry visas to investigators.


And the senators said China had required that government minders attend any interviews conducted in China as part of the investigation, which was announced in March, but agreed that request was a “non-starter.”

Levin and McCain said that they had worked for weeks to get entry visas for staff to visit the city of Shenzhen in Guangdong province, which they described as the epicenter of the fake parts trade based on US government reports.

The development is interesting for several reasons. First, while the article cites F-15 and USMDA parts as the problem, most cybersecurity initiatives these days suggest we’ve got parts that are helping people hack our network. Thus, while Levin suggests China isn’t really our adversary, these “counterfeit” parts may well be designed for more than failure. It seems someone has gotten a backdoor into some of our networks because of hardware vulnerabilities.

Then there’s the more obvious issue raised by this. If military contractors can’t source parts from China without being “infiltrated” with counterfeit parts, and if China won’t let us investigate how these counterfeit parts keep getting into our supply chain, then why are we still allowing contractors to use Chinese parts? It seems to me this shows precisely why our outsourcing–and the consequent loss of manufacturing capacity–is really a defense issue.

IMF Blames State Actor for Hack

Over the weekend, I expressed some curiosity over who hacked the IMF. They at least say it was a state actor.

Security experts said the source seemed to be a “nation state” aiming to gain a “digital insider presence” on the network of the IMF, the inter-governmental group that oversees the global financial system and brings together 187 member countries.

Tom Kellermann, a cybersecurity expert who has worked for the IMF and was in charge of cyberintelligence in the World Bank’s treasury team, said the intrusion could have yielded a treasure trove of non-public economic data used by the IMF to promote exchange rate stability, support balanced international trade, and provide resources to remedy members’ balance-of-payments crises. “It was a targeted attack,” said Kellermann, who serves on the International Cyber Security Protection Alliance.


An internal memo issued on 8 June from the IMF’s chief information officer, Jonathan Palmer, told staff that suspicious file transfers had been detected and that an investigation had shown a desktop computer “had been compromised and used to access some Fund systems”. Significantly, he said that he had “no reason to believe that any personal information was sought for fraud purposes”.

The article mentions alleged Chinese hacks in three other places, suggesting they may be trying to cast blame.

But now this has gotten me thinking. If you were to talk about a country establishing a “digital insider presence” on computer networks looking to collect sensitive financial data, you could be describing this alleged hacker or … the United States’ wiretappers. And that’s even before we threaten to wiretap the SWIFT database so we can take what SWIFT won’t just give us.

I’m not suggesting, mind you, that we’re the ones who hacked IMF. Presumably we can just go and get what we want. But given that we are taking financial information on foreign powers that flows across the telecommunications backbones that transit our country, what’s to distinguish our spying from other countries’ hacking?

The Chambermaid’s Revenge: IMF Hacked

Usually, the apparent purpose of hacks is fairly banal. To steal defense secrets. To profit organized crime. To embarrass a political opponent.

But a reported sophisticated hack on the IMF is far more intriguing.

Because the fund has been at the center of economic bailout programs for Portugal, Greece and Ireland — and possesses sensitive data on other countries that may be on the brink of crisis — its database contains potentially market-moving information. It also includes communications with national leaders as they negotiate, often behind the scenes, on the terms of international bailouts. Those agreements are, in the words of one fund official, “political dynamite in many countries.” It was unclear what information the attackers were able to access.

The concern about the attack was so significant that the World Bank, an international agency focused on economic development, whose headquarters is across the street from the I.M.F. in downtown Washington, cut the computer link that allows the two institutions to share information.

The story mentions market-moving information, so I assume it could just be someone trying to play the bond markets.

But what is the scenario under which hackers compromise IMF’s top secret files to get information on the deals signed between the banksters and debtor nations? While I’d like to see that information–and I’m sure the Greeks rioting in the streets and the Irish stoically bearing down accepting their fate would like to see that information–I don’t understand what entity would sponsor the hackers? Organized crime? China? Hacktivists? If it were the latter–which seems most plausible to me–wouldn’t we already be looking at the demands German banksters made of Greek leaders?

I’m sure we’ll learn more about this in the future. But for now, I’m really curious about who had the means and motive to hack the IMF.

Aside from a bunch of chambermaids, of course.

Anglo-Americans at Cyberwar: Two Weeks of Cupcakes

I’ve been meaning to return to this Ellen Nakashima story on our cyberwar efforts. As you recall, it lays out the turf war between the CIA and DOD over clandestine cyberops, partly by telling the story of a fight over whether or not to disrupt the jihadist online magazine “Inspire.”

Last year, for instance, U.S. intelligence officials learned of plans by an al-Qaeda affiliate to publish an online jihadist magazine in English called Inspire, according to numerous current and senior U.S. officials. And to some of those skilled in the emerging new world of cyber-warfare, Inspire seemed a natural target.

The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas. But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity — and hence the prerogative of the CIA.

The CIA won out, and the proposal was rejected. But as the debate was underway within the U.S. government, British government cyber-warriors were moving forward with a plan.

When Inspire launched on June 30, the magazine’s cover may have promised an “exclusive interview” with Sheik Abu Basir al-Wahishi, a former aide to Osama bin Laden, and instructions on how to “Make a Bomb in the Kitchen of Your Mom.” But pages 4 through 67 of the otherwise slick magazine, including the bomb-making instructions, were garbled as a result of the British cyber-attack.

It took almost two weeks for al-Qaeda in the Arabian Peninsula to post a corrected version, said Evan Kohlmann, senior partner at Flashpoint Global Partners, which tracks jihadi Web sites.

The Telegraph elaborated on that story by telling of the swell cupcake recipes MI6 replaced the bomb recipe with.

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit “lone-wolf” terrorists with a new English-language magazine, the Daily Telegraph understands.

When followers tried to download the 67-page colour magazine, instead of instructions about how to “Make a bomb in the Kitchen of your Mom” by “The AQ Chef” they were greeted with garbled computer code.

The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for “The Best Cupcakes in America” published by the Ellen DeGeneres chat show.

Written by Dulcy Israel and produced by Main Street Cupcakes in Hudson, Ohio, it said “the little cupcake is big again” adding: “Self-contained and satisfying, it summons memories of childhood even as it’s updated for today’s sweet-toothed hipsters.”

It included a recipe for the Mojito Cupcake – “made of white rum cake and draped in vanilla buttercream”- and the Rocky Road Cupcake – “warning: sugar rush ahead!”

By contrast, the original magazine featured a recipe showing how to make a lethal pipe bomb using sugar, match heads and a miniature lightbulb, attached to a timer.

So apparently this operation against Inspire, which had government hackers and their bosses on two continents scheming and in-fighting, succeeded in delaying for two weeks the publication of a bomb recipe that probably existed elsewhere on the Internet already.

With cupcakes.

And these spooks are apparently impressed enough with themselves that they’re boasting about it openly to journalists.

Dudes. Two weeks of cupcakes do not equate to Stuxnet.

I’ve been pondering the apparent self-congratulation over this op ever since I read this story, particularly in light of the seeming similarity between this op and the WikiLeaks hack last year. Do our cyberwarriors consider it a legitimate “win” to simply delay the publication of a transnational internet operation for a week or so? At what cost? And by “cost,” I mean both the tens of millions we’re investing to develop, apparently, the capability to engage in juvenile pranks. And also the cost in credibility as a purported defender of free speech wastes its time harassing, but not preventing, the free speech of groups it doesn’t like.

I mean, there must be more to our cyberwarfare than two weeks of cupcakes, isn’t there?

Of course, there must be, if the CIA was concerned about sources and methods. Presumably, CIA was already monitoring who was reading Inspire. Which–whatever it says about the First Amendment in this country–is probably still a better use of cyberwar time and dollars than two weeks of cupcakes.

Or are we to believe that the Generals think we’re going to win the GWOT by playing cyber-whack-a-mole with a group whose competitive advantage over us is in its nimbleness?

The Crux of the Cisco-US Government Collaboration

As I said in this comment, we’re going to have to wait until the Canadian court releases more details on the failed extradition of Peter Alfred Adekeye to get a better sense of what the government did to piss off the court so badly. But this is my attempt to lay out the crux of the matter.

The Adekeye deposition in Canada was set up in April 2010 for a several day time period in May. On May 19 at the deposition, Adekeye admitted to accessing Cisco’s website perhaps five times, though he said a Cisco employee had offered him that access. That part of his deposition was streamed back to Northern California. That same day–May 19–the arrest warrant was signed in the US (making it possible that Adekeye’s deposition served to establish the probable cause to arrest him). And the Magistrate who signed the US arrest warrant was the same Magistrate overseeing discovery in this case. By the time Adekeye was arrested on May 20, his lawyers had not yet had an opportunity to question Adekeye. In effect, Cisco had gotten 14 hours of unrebutted deposition from Adekeye, after which he became unavailable to his lawyers.

In response, his lawyers requested that the civil procedure be stayed and that the judge order an accelerated discovery from Cisco with regards to its involvement in getting Adekeye extradited. As they described in their motion for a stay,

Mr. Adekeye’s deposition commenced in Vancouver, Canada on May 18, 2010. After Cisco spent nearly fourteen (14) full hours deposing Mr. Adekeye, the proceedings were interrupted by the Royal Canadian Mounted Police, who were accompanied by additional uniformed Vancouver Police Officers. The Mounted Police informed counsel and the Special Master appointed by the Court to oversee Mr. Adekeye’s deposition, that they were there in order to effectuate the arrest of Mr. Adekeye. The Mounted Police presented to counsel and the Special Master a “Warrant For Provisional Arrest” issued pursuant to Section 13 of the Extradition Act, wherein the Honourable Mr. Justice Leask had executed a provisional arrest warrant for Mr. Adekeye. Attached to this provisional arrest warrant was a bench warrant issued by the Honorable Howard R. Lloyd—the assigned Magistrate Judge to this matter–for the arrest of Mr. Adekeye.


At no point during these entire proceedings was there any mention to Mr. Adekeye or to his attorneys of a criminal investigation relating to the exact same facts underlying the instant civil lawsuit. Instead, Cisco insisted that the Court order Mr. Adekeye to be deposed, and proceeded to depose Mr. Adekeye for fourteen (14) hours. Despite having over three (3) days to do so, Cisco did not finish its questioning of Mr. Adekeye prior to his arrest. Mr. Adekeye’s attorneys, moreover, were entirely unable to question their client in order to clarify or develop Mr. Adekeye’s responses further. Because Mr. Adekeye is currently detained in Canada, without bail, he has not been able to review his testimony pursuant to Fed. R. Civ. P. 30, nor has he been able to otherwise summarize his testimony or prepare an affidavit to the Court requesting an extension of time to further brief the Underlying Motions.

In addition to the very real Fifth Amendment issues now a part of this case, Multiven fears that in the event the Court does not vacate or continue the supplemental briefing deadline and the June 7 hearing, Cisco will present, as evidence in support of its Underlying Motion, incomplete deposition testimony of a party witness. Such incomplete, one-sided and out of context evidence is entirely prejudicial to Multiven, and the Court should not consider it.

The judge denied both motions, largely because in the interim both parties had submitted briefs based on Adekeye’s deposition.

So in effect, the timing of the arrest accomplished two things. It gave Cisco an advantage in the civil case (insofar as Adekeye’s lawyers didn’t have a chance to depose him). But it also likely elicited evidence that supported Adekeye’s arrest warrant.

Within 2 months of the arrest, the judge ruled on the summary judgments, basically ruling against Adekeye. Here’s the logic he used to justify the claim that Adekeye got unauthorized access to Cisco’s computers.

Multiven admit that on one occasion Adekeye accessed secure areas of the Cisco network. They contend however, that a Cisco employee, Wes Olson, supplied Adekeye with his login and password, thus authorizing Adekeye to access the restricted website. (Multiven’s Opposition at 7-12.) It is undisputed that Wes Olson provided Adekeye with his login and “external” password. Olsen declares that the password was given to Adekeye “to give him access to Cisco’s network on one occasion, for a specific purpose.”10 However, it is also undisputed that an employee’s giving his login and password to Adekeye was a violation of Cisco’s policies, and thus Olson’s providing access to Adekeye in this manner did not constitute a valid authorization.

And here’s how he dismissed the Fifth Amendment concerns about the deposition.

On June 8, 2010, Multiven filed a Motion to Stay Counterclaims. (hereafter, “Motion to Stay,” Docket Item No. 234.) Multiven contend that further litigation of the counterclaims will jeopardize Adekeye’s Fifth Amendment privileges in parallel criminal proceedings arising out of the same factual circumstances. (Motion to Stay at 5-7.)


Here, Adekeye has already voluntarily submitted declarations in support of Multiven’s briefs regarding the parties’ cross-motions for summary judgment and has been deposed extensively, including fourteen hours of deposition testimony that he voluntarily provided in Vancouver, Canada prior to his arrest. Without deciding whether Adekeye was sufficiently aware of the likelihood of criminal prosecution for his declarations and deposition testimony to effect a waiver of his Fifth Amendment rights,21 the Court finds that continuing the litigation will only minimally implicate Adekeye’s Fifth Amendment rights, given the extensive testimony he has already provided in this


So that’s the real background to the settlement: Cisco had largely already won on their substantive claim, using evidence from Adekeye’s partial deposition. Which left Adekeye with the risk that continuing his anti-trust claim would expose him to ongoing risk on the criminal claims.

Now it does seem like Adekeye is vulnerable in the computer fraud charges (though presumably 5 of them, not 97). But at the same time, it does seem clear that the government used the deposition to set up–and probably collect evidence for–the arrest and with it the criminal case.

Why Didn’t We Ask China to Find Scooter Libby’s Missing Plame Leak E-Mails?

WSJ has an article reporting on the purportedly Chinese-launched GMail hacks that targeted top White House officials.

The article is interesting not because it claims the Chinese want to hack top officials. Who do you think they’d be most interested in hacking?

Rather, the article is interesting for some of the implications bandied about in the article. For example, Darrell Issa and CREW’s Melanie Sloan suggest the only reason the Chinese would hack the GMail accounts of White House officials is if those people were improperly conducting official business on GMail.

“If all White House officials were following rules prohibiting the use of personal email for official business, there would simply be no sensitive information to find,” said Rep. Darrell Issa, Republican chairman of the House Oversight and Government Reform Committee, and a frequent thorn in the Obama administration’s side. “Unfortunately, we know that not everyone at the White House follows those rules and that creates an unnecessary risk.”

Melanie Sloan, executive director of Citizens for Responsibility and Ethics in Washington, a watchdog group, said the hacking “suggests China believes government officials are using their personal accounts for official business, because I doubt they were looking for their weekend plans or a babysitter’s schedule. Presumably, the Chinese wouldn’t have done this if they weren’t getting something.”

More plausible is the suggestion that the Chinese were phishing for information they could then use to compromise other accounts.

Stewart Baker, a former homeland security official in the Bush administration, said he suspects the ultimate goal of the hacking may have been to use the email accounts as a stepping stone to penetrate the officials’ home computers.

“If you can compromise that machine, you may well be able to access the communications they are having with the office,” said Mr. Baker.

I’m most interested in all the assumptions here, that a bunch of Chinese hackers know precisely how the White House email system works. If that’s true, why haven’t we asked the Chinese to turn over the emails OVP deleted from the first days of the Plame leak investigation? And why haven’t we asked the Chinese to turn over all those emails hidden on the RNC’s server? Maybe they can also help us find all of John Yoo’s torture emails?

Given how common it is, these days, for top officials to just delete their most inconvenient emails, I’m thinking American citizens ought to invite Chinese hackers to help us reclaim all the official records our overlords try to destroy.