May 3, 2024

Fear, Uncertainty, and Doubt: the Real Cyber Attack on the Truth [UPDATE]


[UPDATE – see end of article.]

One weaselly senator–with long-identified agendas and a pathetically thin understanding of technology–takes to the microphone. Suddenly, by virtue of wrapping his senatorial lips around a few scary words on topics about which he knows little, we citizens are supposed to quake in fear and plead for salvation.

Screw that noise. This is textbook “fear, uncertainty, and doubt” — more commonly referred to as FUD in the information technology industry.

Since the 1970s, FUD tactics have been used to suppress competition in the computer marketplace, targeting both hardware and software. Roger Irwin explained,

…It is a marketing technique used when a competitor launches a product that is both better than yours and costs less, i.e. your product is no longer competitive. Unable to respond with hard facts, scare-mongering is used via ‘gossip channels’ to cast a shadow of doubt over the competitor’s offerings and make people think twice before using it. In general it is used by companies with a large market share, and the overall message is ‘Hey, it could be risky going down that road, stick with us and you are with the crowd. Our next soon-to-be-released version will be better than that anyway’. …

FUD has non-technology applications as well; one need only look at product and service brands that encourage doubts about using any product other than their own, in lieu of actually promoting the advantages their product or service might have.

So what’s the FUD about? Senator Joe Lieberman spouted off about cyber attacks in September last year, claiming Iran was behind disruptive efforts targeting U.S. banks.

Right. Uh-huh. Predictable, yes?

But FUD is used in situations where there is competition, one might point out. Yes, exactly; in September 2012, the case for support of unilateral attacks against Iran was up against the news cycle crush, powered by the post-Benghazi fallout and the drive toward the November general election, followed by the terror that was the “fiscal cliff.” That’s a lot of powerful, compelling competition for attention, votes, and tax dollars, when members of a reliable but lame duck Congress could be mounting up a pre-emptive cyber war without the headwind of public awareness and resistance, or the too-inquisitive pushback from newbies in the next seated Congress.

The pressure was on; our intrepid weaselly senator speedily whipped out some FUD!

The problem, though, is that no respectable consultant in the IT security industry picked up the flaming bag of smelly FUD. Take a gander through the Kaspersky or Langner websites and look for panicked reports of DDoS assaults on banking–you won’t find them. RSA’s blog never mentions Iran last year at all; F-Secure makes an oblique comment about nation-state cyberwarfare, implicitly critical of the U.S. with regard to its deployment of cyberweapons. Kaspersky mentions Iran exactly once, in relation to the “Ma(h)di incident” last year, and not at all in a forecast of 2013. Langner mentions the difficulty of providing adequate cybersecurity, noting Secretary of Defense Leon Panetta’s October 11 speech–again, no reference to Iran.

Intentionally or otherwise, Panetta furthered the FUD with his speech in a way that the mainstream media easily distorted:

…Let me give you some examples of the kinds of attacks that we have already experienced.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco.  Shamoon included a routine called a ‘wiper’, coded to self-execute.  This routine replaced crucial systems files with an image of a burning U.S. flag.  But it also put additional garbage data that overwrote all the real data on the machine.  More than 30,000 computers that it infected were rendered useless and had to be replaced.  It virtually destroyed 30,000 computers.

Then just days after this incident, there was a similar attack on RasGas of Qatar, a major energy company in the region.  All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.

Imagine the impact an attack like that would have on your company or your business.

These attacks mark a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold. …

Notice Panetta never actually says U.S. banks suffered Iranian-based DDoS attacks? He segues over to attacks on Saudi machines that might affect oil production, never mentioning what entity was likely responsible. Panetta mentions Iran exactly once–approximately 2184 words after beginning his 3898 word speech–and 861 words after the excerpt above, quite a distance from the examples he cited.

In contrast, he mentions Russia and China in a sentence directly ahead of the mention of Iran; he notes Russia once, and China three times in the same speech.

How are we supposed to infer from this speech that cyber attacks using DDoS on banks were imminent, if not already underway? Mainstream media solved that problem for us, by repeatedly claiming Panetta said in his speech that Iran was a cyber threat to banks.

It didn’t help that Panetta was preoccupied and didn’t step up to demand corrections about reporting on his speech.

Less-than-happy journalism has been too common on this topic. The September 21 Washington Post article that spawned Lieberman’s FUD refers to “U.S. officials.”

…“I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites,” said Lieberman in an interview taped for C-SPAN’s “Newsmakers” program. “I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability.” The Quds Force is a special unit of Iran’s Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to “the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

U.S. officials suspect Iran was behind similar cyberattacks on U.S. and other Western businesses here and in the Middle East, some dating as far back as December. A conservative Web site, the Washington Free Beacon, reported that the intelligence arm of the Joint Chiefs of Staff said in an analysis Sept. 14 that the cyberattacks on financial institutions are part of a larger covert war being carried out by Tehran. …

[emphasis mine–R.]

Gee, why not name them? Is this just our favorite weaselly senator again, and a mouse in his pocket? Or perhaps these nameless officials were Senators Lieberman, Collins, Rockefeller, and Feinstein, who sponsored the Cybersecurity Act of 2012, up for a vote less than ten days after the election?

Or are these “U.S. officials” part of another government group airing these suspicions without offering any substantive support? Why is the WaPo quoting the cyber attacks claim made by a tiny, little conservative outlet like the Washington Free Beacon? The outlet stated a secret report by “intelligence arm of the Joint Chiefs of Staff” revealed Iran’s anticipated DDoS assault on U.S. banking. Why would anybody affiliated with J-2 disclose anything at all from a secret report to a puny right-wing rag?

It appears there’ve been a number of folks who are allegedly close to the issue and unauthorized to speak to media who’ve been chattering away. Um, why wasn’t Senator Feinstein puling about intelligence leaks, especially when a bill she’s co-sponsored may be directly affected?

It all smells like old fashioned FUD; there’s a lot of fear being pushed, but nothing to remove uncertainty and doubt. Others have criticized the FUD as well as its proliferation through distortion and inaccuracies. Computerworld reports experts are not all in agreement about the attacks’ origins; see also this excerpt from Digital Dao’s Sept. 28 post, pushing back at Lieberman and media alike:

Bloomberg: “The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to (Dmitri) Alperovitch and (Rodney) Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said. “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.”

CNN: “To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a “botnet.”

FALSE. This attack did not take months to plan for two reasons: 1) This was a crowd-sourced opt-in botnet commonly used in social activism (aka hacktivist) attacks, and 2) No one needs to create a botnet from scratch anymore. You can find them to rent on pretty much any hacker forum world-wide.

While all scaremongering proliferates–without any credible information documenting the claims that a nation-state is behind DDoS attacks on banks–more realistic threats to U.S. banking emerged nearly in tandem with the allegations about Iran’s cyber assault. Note the stories published by information security journalist Brian Krebs, FastCompany, and other IT news outlets about Project Blitzkrieg, a criminal program targeting 30 U.S. banks with the intent to steal money while tying up the banks’ systems with DDoS attacks. How does the public not know that trojans and viruses launched in late summer/early autumn weren’t proof-of-concept efforts in advance of real attacks? Skype in particular experienced a widespread virus spread within its community in late September–oddly enough, just before news reports about Project Blitzkrieg–and reporting to date on Project Blitzkrieg indicates that Skype will be a component of the attack.

There’s more than one issue that could underpin concerted FUD using the mythos of Iranian cyberwarfare, including the conflicts between the U.S. and the E.U. on surveillance, or tensions over the puzzlingly inadequate response by the U.S. banking system with regard to its persistent laxity on authentication standards compared to EU banks. (The U.S. has used a single factor while the EU has relied on a two-factor standard. While the EU is more secure, both are inadequate according to security expert Bruce Schneier.)

Whatever the truth, whatever drives the FUD, know this:

— The Cybersecurity Act of 2012 died in November, though it may be resurrected under the newly seated Congress, or the White House could choose to implement all desired features through an executive order;

— Don’t let the FUD distort your perceptions. “…Some in (IT) industry say DDoS attacks are pretty common. …” They are. They are not the exclusive domain of cyberwarfare, and are far more frequently generated by criminal or hacktivist activity.

— Lastly, practice safe computing and safe banking. 1) Run antivirus and anti-malware applications frequently, using more than one antivirus package; 2) Don’t assume Mac OS and iOS are immune, as criminals go where there’s money, not operating systems; 3) If you bank online, use Linux–see Brian Krebs for an overview.

UPDATE — 8:10 PM EST — Check out this interesting report from ProPublica just today, How a Government Report Spread a Questionable Claim About Iran, by Justin Elliott. Notice anything familiar in this article? Looks like a classic dispersion of FUD and at least one familiar outlet. Huh.


“Liberal” 9th Circuit Deals Death Blow To Al-Haramain Illegal Wiretapping Accountability Case

There is only one substantive case left in litigation with the ability to bring tangible accountability for the illegal and unconstitutional acts of the Bush/Cheney Administration’s warrantless wiretapping and surveillance program. That case is Al-Haramain v. Bush/Obama. Yes, there is still Clapper v. Amnesty International, but that is a prospective case of a different nature, and was never designed to attack the substantive crimes of the previous Administration.

A little over a couple of hours ago, late morning here in the 9th, the vaunted “most liberal of all Circuit Courts of Appeal”, the Ninth Circuit, drove what may be the final stake in the heart of Al-Haramain by declining to conduct an en banc review of its August 7, 2012 opinion. The notice from the court today is brief:

The opinion filed on August 7, 2012, and appearing at 690 F.3d 1089, is hereby amended. An amended opinion is filed concurrently with this order.

With these amendments, the panel has voted to deny the petition for panel rehearing and the petition for rehearing en banc.

The full court has been advised of the petition for rehearing and rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petition for panel rehearing and petition for rehearing en banc are DENIED. No further petitions for en banc or panel rehearing shall be permitted.

Before going further with analysis, a word about the “amendments” to the opinion. The “Amended Opinion” is here. You can compare for yourself to the August 7 original opinion linked above, but the difference is pretty slight.

It appears all the court did is delete a few sentences here and there about 18 USC 2712(b). The court did not address, nor change, its erroneous assertion that plaintiffs Al-Haramain could have sued under 1806(a), or restore the misleadingly-omitted (by ellipsis) language from 1806(a). Nor did the court address plaintiffs’ alternative theory of waiver of sovereign immunity.

Now, more than ever, you have to wonder just exactly what is in the secret sealed filings originally lodged by the DOJ in the 9th Circuit in Al-Haramain that the government scrambled so tellingly to “correct” in November of 2009. It would be nice if the inestimable Judges Harry Pregerson, Margaret McKeown and Michael Hawkins, “liberal lions” all, would deign to tell the American public what lies and/or fraud the Department of Justice perpetrated upon the court and the Al-Haramain plaintiffs that necessitated their blatant ass covering moves in November of 2009, and how those falsities interrelated to the decision to deny justice to the plaintiffs and the American public. How do these judges sleep at night?

With that out of the way, what does it all mean? Well, the key language in the original 9th Circuit opinion dated August 7, 2012 was:

Congress can and did waive sovereign immunity with respect to violations for which it wished to render the United States liable. It deliberately did not waive immunity with respect to § 1810, and the district court erred by imputing an implied waiver. Al Haramain’s suit for damages against the United States may not proceed under § 1810.

In short, wiretapping crimes against citizens and their organizations cannot, under any circumstance, be addressed. Because….IMMUNITY SUCKERS!

The perspective was explained by Marcy at the time of the August 7 opinion:

Because al-Haramain, at a time when Vaughn Walker was using 1810 to get by the government’s State Secrets invocation, said “it was not proceeding under other sections of FISA,” its existing claim is limited to 1810. The government used the information collected–in a secret process that ended up declaring al-Haramain a terrorist supporter–but not in a trial, and therefore not in a way al-Haramain can easily hold the government liable for.

The implication, of course, is that all the rest of the collection the government engages in–of all of us, not just al-Haramain–also escapes all accountability. So long as the government never uses the information itself–even if the entire rest of their case is based on illegally collected information (as it was in, at a minimum, al-Haramain’s terrorist designation)–a person cannot hold the government itself responsible.

The people who can be held accountable? The non-governmental or non law enforcement persons who conduct the surveillance.

But of course, they–the telecoms–have already been granted immunity.

Yes, there is now immunity every which way from Sunday, and between the AT&T cases of Hepting and Jewel, and now Al-Haramain, it has all been sanctioned by the “most liberal Circuit” in the land. Booyah.

A last word about why the title contains the words “death blow”. In short, it is because if this case, with these facts, with that judge (Vaughn Walker), and that trial court decision, cannot make it past the rank cynicism, duplicity and secrecy of the Bush/Obama continuum of regimes, then no case can. If none of that is possible in the “liberal” 9th Circuit, with a completely “liberal” panel of judges, then it is simply not possible. Yes, it is possible that plaintiffs Al-Haramain petition for certiorari to the Supreme Court, but it is almost certainly fruitless if they cannot even make it in the 9th Circuit, and they may well have a fear of further ingraining heinous law into the national books. We shall see, but it is certainly no given.

You have to feel for plaintiffs Al-Haramain, Wendell Belew and Asim Ghafoor who lost their constitutional rights and cause of action, Judge Vaughn Walker who meticulously crafted a solid opinion working around state secrets and FISA constraints, as well as plaintiffs’ attorney Jon Eisenberg, who lost, along with co-counsel, over $2.5 million worth of attorney fees and expenses, and the time those fees represented out of their lives. All down the drain to a craven Executive Branch, a duplicitous Department of Justice and a fraudulent “war on terror”. Ain’t that America.


On Toobz and Gases

Danger Room answers–sort of–one of the big questions I had after reading NYT’s report (relying in part on Israeli sources) that Syria appeared to be preparing to use its chemical weapons: what is the connection between Syria’s two and a half day Internet outage last week and today’s barrage of leaks reporting on the CW?

On Thursday, Syria abruptly became disconnected from the internet, likely after the regime disabled the four cables that provide Syria with connectivity. The rebels use the internet not only to document regime atrocities but to disseminate training tactics and to spread their propaganda. Yet the regime also relies on the internet: it’s tried to hijack rebel hardware by spreading spyware in the form of fake security software. As Danger Room predicted last week, the outage ended quickly, as online monitor Renesys confirmed a “largely complete restoration of the Syrian Internet” by Saturday.

The U.S. official doesn’t believe the internet blackout was related to the combination of the chemical weapon binaries. And at the Pentagon, Defense Department spokesman Little said the online outage didn’t make a difference for the U.S. understanding of Assad’s dangerous weapons. “The U.S. government has good visibility into the chemical weapons program and we continue to monitor it,” Little said.

These paragraphs make it clear that:

  1. The US and Israel are not relying on the Toobz to spy on the Assad regime
  2. A US source claims to believe there is no tie between alleged Syrian moves, taken on Wednesday, to mix sarin precursors and the complete shutdown on Thursday of Syria’s Internet

Danger Room’s sources aren’t even asserting that the two events–the mixing of the CW on Wednesday and the Intertoobz blackout on Thursday–are both signs of Bashar al-Assad’s panic.

Which would sort of be the default unless intelligence sources had reason to know that the Intertoobz blackout had nothing to do with the CW mixing.

We’ve long traced interesting Intertoobz blackouts caused by cut cables on this blog: the recent blackout in Djibouti, to a cable in the Bay Area, to a number of cut cables in the Middle East back in 2008.

It appears to be an increasingly common tactic, one difficult to attribute to a specific actor.

But if one of those actors comes out a few days after an outage and says they have no reason to find that outage as suspicious as the mixing of CW, maybe it’s not so hard to attribute after all.

Update: See Moon of Alabama’s description of why Assad is not mixing chemicals. Which makes it all the more interesting that US sources claim to be so certain the outage had no ties to their claimed sarin mixing.


Cyber-9/11 Warning!! … Screams Man Making Huge Profit Off Such Screams

The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.

A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.

According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.

Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitute that warning.

Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.

McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers is a hair on fire warning.

Leon Panetta made similarly unconvincing claims back in October.

Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.

Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.

Here’s the very important detail they left out.

Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.

It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnell licking his chops as he identified new purported threats to build business around.

More amusing still is this:

Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.

[snip]

Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.

The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.

Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.

But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.

Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.

In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.

It’s a very neat system our Military Intelligence Industrial Complex has created.


Are Escaped Zoo Animals Autonomous?

Back when David Sanger revealed new details of how StuxNet broke free of Natanz, he used the metaphor of an escaped zoo animal actively unlocking its cage.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. [my emphasis]

This zoo animal found the keys to its cage, broke free, spread to an engineer’s computer, failed to recognize its new environment, and then began replicating itself all around the world.

That is, Sanger used the language of a cognizant being, acting as an agent to spread itself. That’s not inapt. After all, viruses do spread themselves (though they don’t actually go seek out keys to do so).

Which is why this detail, noted in Obama’s other pre-Thanksgiving document dump, is so stunning. (h/t Trevor Timm)

The Defense Department does not require developers of computer systems that launch cyber operations to implement the same safeguards required of traditional arms makers to prevent collateral damage.

[snip]

directive, released Nov. 21, mandated that automated and semi-autonomous weaponry — such as guided munitions that independently select targets — must have human machine interfaces and “be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force.” The mandate called for “rigorous hardware and software verification and validation” to ensure that engagements could be terminated if not completed in a designated time frame. The goal is to minimize “unintended engagements,” the document states.

The Pentagon is permitting less human control over systems that deploy malware, exploits and mitigation tools, highlighting Defense’s focus on agile responses to computer threats. The document, signed by Deputy Secretary of Defense Ashton Carter, explicitly states that the directive “does not apply to autonomous or semi-autonomous cyberspace systems for cyberspace operations.”

We have already lost control of one of our semi-autonomous cyberspace operations. The potential danger from its “escape” could be tremendous.

And yet DOD specifically exempts similar operations in the future? So we can commit the same error again?


ECPA Amendments and Privacy in a Post Petraeus World

One of the issues making the rounds like wildfire today was a report from Declan McCullagh at CNET regarding certain proposed amendments to the Electronic Communications Privacy Act (ECPA). The article is entitled “Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants” and relates:

A Senate proposal touted as protecting Americans’ e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.

CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans’ e-mail, is scheduled for next week.

Leahy’s rewritten bill would allow more than 22 agencies — including the Securities and Exchange Commission and the Federal Communications Commission — to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

This sounds like the predictably craven treachery that regularly comes out of Senate, indeed Congressional, legislation on privacy issues. And exactly what many had hoped would cease coming out of Washington after the public scrutiny brought on by the Petraeus/Broadwell/Kelley scandal. And, should these amendments make it into law, they may yet prove detrimental.

But there are a couple of problems here. First, as Julian Sanchez noted, those abilities by the government already substantially exist.

Lots of people RTing CNET’s story today seem outraged Congress might allow access to e-mail w/o warrant—but that’s the law ALREADY!

Well, yes. Secondly, and even more problematic, is that Pat Leahy vehemently denies the CNET report. In fact, Senator Leahy does not support broad exemptions for warrantless searches for email content. A source within the Judiciary Committee described the situation as follows:

The CNET story reports as if the Chairman is offering an amendment to that end, which is not the case. What is pending before the committee is a substitute bill, HR 2471, that seeks to update pieces of the Electronic Privacy Communications Act and the Video Privacy Protection Act. The committee adopted that substitute in September, and will resume marking it up next week.

And that comports with the press release Senator Leahy issued later in the afternoon. Included in the press release is a section by section breakdown of what Leahy really has in mind trying to get out of committee and to the floor; it is not long and worth a look. While it does not go nearly far enough, there are some decent steps in Leahy’s proposed ECPA Amendment. The Title I changes regarding video tapes will not do a lot in the ever more digital streaming world, but the Title II proposals by Leahy do make some substantive improvements. It is, as they say, a start.

There should, however, be more, much more, added protection to citizens’ electronic privacy. Here is a comprehensive report from the Congressional Research Service just a week and a half ago entitled Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions that demonstrates what the government is going to do to protect itself. But what will the government do to protect you?

You would think the entitled royalty of the Washington DC Beltway would have had a wake up call as to just how little privacy American citizens have in their electronic communications as a result of the broad spider webbing of information the FBI sucked in on potentates such as David Petraeus, Gen. John Allen and supposed security expert Paula Broadwell. Not just collecting the information, but backtracing it to specific computers, users, and whatever location the users were at any given time. But that is not really the case. As Adam Serwer said:

If the director of the CIA can’t keep his private life secret from the FBI, you can’t either.

It is stunning what the government can get with effectively no process at all from providers; even more so what they can get with common administrative bench subpoenas. All that is without a court-supervised warrant. This report details the more than 300 different modalities of Federal administrative subpoena permitted by existing law. Couple that with an all too often rubber-stamp traditional warrant process, and there is not much restraint on the government probing the deepest facets of your electronic life.

The video above is a little longer than normal at 16 minutes, but it is a well paced look at Why Privacy Matters and has many people you will recognize in it. Privacy does matter.


General Dynamics: The Digital Tale of John & Jill and Dave & Paula

Another giant shoe has dropped in L’Affaire Petraeus. Not simply more specifics, but yet another General:

Gen. John Allen, the top American and NATO commander in Afghanistan, is under investigation for what a senior defense official said early Tuesday was “inappropriate communication’’ with Jill Kelley, the woman in Tampa who was seen as a rival for David H. Petraeus’s attentions by Paula Broadwell, the woman who had an extramarital affair with Mr. Petraeus.

In a statement released to reporters on his plane en route to Australia early Tuesday, Defense Secretary Leon E. Panetta said that the F.B.I. had informed him on Sunday of its investigation of General Allen.

Mr. Panetta turned the matter over to the Pentagon’s inspector general to conduct its own investigation into what the defense official said were 20,000 to 30,000 pages of documents, many of them e-mails between General Allen and Ms. Kelley, who is married with children.

Really, at this point, what can you even say about the secret storm soap opera that roils within the rarefied brass air of the US Military? This was just the last hit for a night that saw everything from the emergence of the Shirtless FBI Guy (now under investigation himself by the Office of Professional Responsibility at DOJ) to a nighttime search of Paula Broadwell’s home by the FBI.

There are too many tentacles, evolving too quickly, to go too deep on all the facts that have rolled out even in the last twelve hours. But the General Allen/Jill Kelley bit is fascinating. Remember, the handful of emails Paula Broadwell sent to Kelley reportedly did not mention Petraeus by name. This latest report at least raises the possibility that Broadwell was referring to an inappropriate relationship between Kelley and Allen, and not Kelley and Petraeus. I am not saying such is the case, but it is also arguably consistent with the currently known substance of Broadwell’s emails to Kelley, so the question is worth raising.

A couple of other data points to note. First, Broadwell’s father made a somewhat cryptic comment yesterday that may now be explained:

“This is about something else entirely, and the truth will come out,” he told the Daily News.

“There is a lot more that is going to come out … You wait and see. There’s a lot more here than meets the eye.”

He said that his daughter, who’s at the center of the controversy that prompted CIA director David Petraeus to resign from his post, is a victim of character assassination, and that there’s something much bigger lurking behind the curtain.

Second, as I noted early yesterday morning, Jill Kelley has hired some of the most astoundingly powerful criminal defense and PR help imaginable:

They hired Abbe Lowell, a Washington lawyer who has represented clients such as former presidential candidate John Edwards and lobbyist Jack Abramoff. And the couple are employing crisis PR person Judy Smith, who has represented big names like Monica Lewinsky, Michael Vick and Kobe Bryant.

Now, let’s be honest, an innocent recipient of a handful of crank, non-threatening emails, as Kelley was commonly portrayed when her name first came out, does NOT need that kind of heavy-hitter professional service. Seriously, Abbe Lowell is not only a great attorney, he is as preeminent a counsel as exists for spook and national security defense cases. No one in their right mind pays for that unless they need it, especially 1,000 miles away from his office.

Another oddity occurred last night: the North Carolina home of Paula Broadwell was searched for nearly four hours by a full-on execution team from the FBI. From the New York Times:

On Monday night, F.B.I. agents went to Ms. Broadwell’s home in Charlotte, N.C., and were seen carrying away what several reporters at the scene said were boxes of documents. A law enforcement official, speaking on condition of anonymity because the case remains open, said Ms. Broadwell had consented to the search.

The key word in that quote that strikes me is that Broadwell “consented”. Broadwell has lawyered up too, having hired prominent Washington DC defense attorney Robert F. Muse. If an attorney feels his client is the target of a proposed search, he does not consent; he makes the officers get a warrant and search for only what a court orders and nothing else. You have to wonder what was being searched for, and why Broadwell and her counsel were not more worried about it.

It is still early in the Allen portion of this mess, but it sure does cast the entire matter in a new light. Seriously, 30,000 pages of communications between Allen and Kelley in two years? That is 41 pages a day. When in the world did Allen find time to make war? And keep in mind, Kelley had already been reported to be regularly (up to once a day) emailing Petraeus for some of that period… she must be getting carpal tunnel syndrome.

There is also the pressing question of exactly what the methods and means were for discovering and extracting these 30,000-some-odd pages of communications between General Allen and Jill Kelley, and how that came to pass when she was supposedly an innocent victim of Paula Broadwell. There were already great questions in this regard about Broadwell and Petraeus. I will leave that for later; I suspect Marcy may have something to say on those issues.

Four-star generals. Two of them wrapped up in one salacious scandal. The Stones may need to modify their lyrics ever so slightly.


Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned. This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening its systems, great. However, the public does have a right to know if the plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

This goes for any other firms out there that are dealing with the same exposure. Perhaps you believe it’s a business intelligence risk to let your competitors know you’ve got a problem; frankly, we’re way past that. The potential risks to the public outweigh your short-term profitability, and if your plant blows up/dumps chemicals/produces unsafe or faulty products because of Stuxnet, our public problem becomes your public relations/long-term shareholder value problem anyhow.

By the way: perhaps it might be worthwhile to actively recruit American citizens who qualify for security clearance when hiring SCADA application analysts to fix your Stuxnet problems. Why compound your problem for lack of foresight with regard to national security risks? We can see you’re hiring. Ahem.

Dear Senate Intelligence Committee: You are in way over your heads when it comes to technology. You need to rethink how you handle anything involving software and the hardware on which it runs as well as any technology attached to a network. That includes phones.

You let this thing loose when you signed off on it–you signed off on a weapon payload that was inherently insecure, or designed deliberately to be insecure, because it relied on delivery applications requiring security and upgrade patches every frigging month, delivered via network in nearly all cases. It’s laughable that you think there was a leak requiring investigation when this insecure cyberweapon of mass destruction was released with your blessing.

What was it you thought you were authorizing? Did you not realize that this bug could spread because it was designed for delivery via an insecure application? Or did you permit an undisclosed quid pro quo to some unidentified entity so that all SCADA-based manufacturing could be affected at will at some point in the future?

There were at least three countries involved in this process, too. Did you rely too heavily on one of the two partners to keep a leash on the other? Have you asked how one of the partners is protecting its own manufacturing environment from exposure? Or did it never occur to you that they are our competitor for manufacturing jobs and have less exposure to this weapon because they don’t rely as much on a private corporation’s inherently buggy applications in their manufacturing? Did it ever occur to you to ask if there were secondary agendas on the part of any participant in the design, development, and distribution of this weapon?

And now that we the public know your little xenomorph has gone rogue and into the wild, when are you going to mitigate the risks of proliferation by ensuring manufacturers as well as SCADA users like utility companies, mass transportation providers, and any site requiring physical maintenance and security controlled by computers are informed of the risks and take action to limit potential failures? Recall Congress’ reaction to the risks from Y2K; Stuxnet and its precursors and variants may pose a far bigger risk than Y2K, worthy of deeper consideration.

Perhaps the Permanent Subcommittee on Investigations should review this mess to prevent future snafus like the Stuxnet debacle. Perhaps if you can’t or won’t tell us, you’ll tell that committee what other monsters you’ve unleashed that might blow back on us all.

Dear Fellow Americans: Welcome to the 21st century, where proliferation is about bits and bytes of information, and not physical fissile materials. Perhaps it’s time for voters to ask whether we have a 21st century government, capable of understanding the risks that technology poses. Or are we really comfortable with elected officials who think of the internet as a series of tubes, don’t understand The Facebook, and wouldn’t understand the concept of futureshock if it came up and bit them on the nose like it did with Stuxnet?

[Note: Video embedded here features preeminent Stuxnet expert Ralph Langner of Langner Communications, “The first deployed cyber weapon in history: Stuxnet’s architecture and implications,” presented at NATO’s International Conference on Cyber Conflict, Tallinn (Estonia), June 2011. The definitive presentation to the SCADA industry from January 2012 can be found at this link; it is not embeddable. The most important portion of the video is in the last third, though the entire video, if rather technical, is worth watching.]


Breaking: Panetta Equating Crude Iranian Cyberattacks with Pearl Harbor, Iran Infiltrated Aramco

Today, the NYT–serving its role as spokesperson for the Cold War against Iran–confirms what blabby Joe Lieberman told CSPAN last month: the government suspects Iran was behind a series of crude cyberattacks on US banks.

Or to put it differently, Leon Panetta wants us to be more afraid of crude DNS attacks on US online banking sites than he wants us to be of the orders of magnitude greater damage the banks cause all by themselves. Because … Iran!

More interesting is the widely reported speculation that Iran was behind the more serious attack on Aramco.

The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August. Saudi Arabia is Iran’s main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it “probably the most destructive attack that the private sector has seen to date.”

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”

That’s interesting not because the attack did real damage; it didn’t, because it hit the business computers, not the production ones.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

“All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

“Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus.”

It’s interesting because the malware was introduced into the Aramco network by an insider.

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

[snip]

The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Once you translate the NYT’s spin, here’s what we’re left with:

  • We’re supposed to treat cyberattacks by Iran as an existential threat, even though they expose Iran’s relative impotence in the cyber sphere.
  • We’re supposed to get panicked about computers here at home because Iran succeeded in human espionage with Aramco.

And while Panetta cries wolf over and over, the banksters and the oil companies continue to do the real damage he ignores.


Panetta Misses Underlying Problem with Cyberwhines

We can play a game we often play here at emptywheel with Leon Panetta’s address on cybersecurity last night. For each major attack he discusses or potential threat he envisions, there is an equivalent one that has or could easily happen without the cyber component.

Panetta talks about the Shamoon malware that hit Aramco infecting 30,000 computers.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

But how did that do more damage than the Richmond Refinery fire and subsequent spike in gas prices, likely caused by a corroded pipe neglected in a recent turnaround? How did that do more damage than the damage BP, Transocean, and Halliburton did when their negligence led to the Deepwater Horizon spill, which still appears to be leaking 31 months later?

Panetta talks about DDoS attacks on banks that disrupted customer websites.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

How is this worse than the damage done by repeated flash crashes and other irregularities caused by high frequency trading? To say nothing of the damage done by reckless gambling during the housing crisis, which wiped out trillions of dollars in wealth?

Panetta talks about passenger or transport trains derailing.

They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals.

Apparently Panetta is unaware that trains derail all the time, and even spill dangerous chemicals, often because of operational or maintenance issues.

To some degree we could continue this game indefinitely, always finding an equivalent threat to the imagined or real threat posed by a cyberattack.

But there is a logic to the game. It reveals that Panetta is fearmongering while ignoring the reality of equally or more dangerous non-cyber threats, and it reveals something more.

It suggests that he, and frankly the rest of the government trying to address this problem, misunderstands why corporations are not responding to the serial fearmongering about cyber. If corporations refuse to take obvious precautions against cyberthreats, but also refuse to take obvious precautions against non-cyberthreats, it suggests the problem is not the cyber component in the least.

The problem is that these corporations don’t want to–and in many cases refuse to–take obvious precautions against risk in general.

This suggests, then, that these corporations have not been given a sufficient combination of carrot and stick to mitigate obvious risks generally. And giving them immunity for cyber-negligence is not likely to mitigate the threat that reckless, negligent corporations pose to our society, whether because our enemies cause them to do things or because they do them of their own accord.

The problem is a culture that encourages corporations to skirt all accountability. No number of fancy programmers is going to change that by themselves.

Copyright © 2024 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/cybersecurity/page/82/