Mr. Moral Rectitude’s Sleazy Payment

According to Defense News, John Brennan was paid roughly $2,090 a day while working for The Analysis Corporation in 2008. He was paid roughly $8,496 for each of the 20 days he worked in 2009 before he became Obama’s counterterrorism czar.

A review of Brennan’s financial disclosure reports indicates that in 2009, TAC paid him a total of $169,923 in salary and bonus, which has not been previously reported. The financial disclosure reports, submitted as required of all White House employees, don’t say why he’d receive a bonus if he was leaving the company to join the government, or why he’d received such a large salary if he worked for the company for only 20 days that year.

In November 2008, two months before Brennan joined the Obama administration, TAC announced that the CEO was taking a “leave of absence” from the firm. That is, it is not clear that he was actually on the clock for the transition period before he received that $169,000.

Mind you, this isn’t anything that such illustrious people as Dick Cheney haven’t already done (and in larger figures, too).

Tim Shorrock provided some background on the company in his book.

There were questions about Brennan’s ties to his former company when it was part of the investigation into the failure to connect the dots before the UndieBomber attempted to strike the US, though as part of an ethics waiver he agreed to recuse himself from anything specifically pertaining to TAC.

The White House has granted a special ethics waiver to allow President Obama’s top counterterrorism adviser to conduct a review of the intelligence and screening breakdown that preceded the failed Christmas Day bombing attempt on an American passenger plane over Detroit.

[snip]

Mr. Brennan, who was a longtime C.I.A. officer, needed the waiver because for more than three years before his current post he was chief executive of the Analysis Corporation, an intelligence firm that provides services to the government. Norm Eisen, the White House ethics counsel, wrote on the White House Web site on Wednesday that Mr. Brennan’s past ties to the company were outweighed by his knowledge of the nation’s intelligence system.

And, of course, Brennan’s the guy who has sacrificed US privacy to get more data in databases.

The umbrella company that has absorbed TAC continues to get lots of contracts doing intelligence analysis.




When All You Have Is a CyberHammer, You Have to Expect to Go to War against Nails

There are two things about this NYT article describing Obama’s new cyberwar policy that deserve note.

A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.

[snip]

The rules will be highly classified, just as those governing drone strikes have been closely held.

First, according to the WaPo, the government has conducted a search of any and all government officials who have had contact with the lead author of the story, David Sanger.

Investigators, they said, have conducted extensive analysis of the e-mail accounts and phone records of current and former government officials in a search for links to journalists.

Frankly, I think the WaPo is naively ignoring the real possibility, given the updates to DOJ’s Domestic Investigations and Operations Guide, that DOJ has accessed Sanger’s email records directly.

Nevertheless, however they’ve gotten that information, the government now has a pretty good idea who speaks to David Sanger. Presumably, folks who talk to Sanger — particularly those privy to secret workings of the White House — are cognizant of this fact.

From that I assume it’s likely — though by no means certain — that the Administration is not that unhappy about having an article boasting about its aggressive cyberwar stance, even while noting that the details of it will remain legally classified.

Meanwhile, I’m struck by this claim.

Mr. Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran’s nuclear enrichment facilities.

Sure, there’s only been the one attack (or rather the serial set of attacks) on Iran.

But I’m struck — particularly in the wake of DOJ’s filing making it clear they’re investigating WikiLeaks as a spy, while refusing to tell us what laws it is using to conduct that investigation — that there has been a rather notable cyberattack whose author we don’t know: the DDoS attacks on WikiLeaks as it first started to release the WikiLeaks cables, and then again last summer (a group called AntiLeaks claimed credit for the second one).

As Jack Goldsmith and Thomas Rid both point out, the Administration appears to be badly fumbling cyber defense (largely because the private sector doesn’t want to play along and the Administration isn’t prepared to make them), but they are very aggressively pursuing cyberoffense. Perhaps, as Goldsmith suggests, this leak to the journalist whose contacts are being monitored is intended to deter attacks on the US (though I’m not sure how a story in a newspaper that the Chinese have hacked is going to scare the Chinese from doing what they have been doing for years).

But if the US is so intent on bragging about its offensive capability, isn’t it time we learned the scope of that offensive capability? Shouldn’t we finally know whether the government took down a publisher’s website?




The 2011 DIOG Permits Using NSLs to Get Journalist Contacts

In what may be one of those stories telegraphing investigative details between people being investigated, the WaPo updates the StuxNet investigation.

Prosecutors are pursuing “everybody — at pretty high levels, too,” said one person familiar with the investigation. “There are many people who’ve been contacted from different agencies.”

The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures, sometimes confronting them with evidence of contact with journalists, according to people familiar with the probe.

Here’s the detail everyone is focusing on (and I’ve seen similar claims on reporting of other leak investigations).

Investigators, they said, have conducted extensive analysis of the e-mail accounts and phone records of current and former government officials in a search for links to journalists.

[snip]

Former prosecutors said these investigations typically begin by compiling a list of people with access to the classified information. When government officials attend classified briefings or examine classified documents in secure facilities, they must sign a log, and these records can provide an initial road map for investigators.

Former prosecutors said investigators run sophisticated software to identify names, key words and phrases embedded in e-mails and other communications, including text messages, which could lead them to suspects.

The FBI also looks at officials’ phone records — who called whom, when, for how long. Once they have evidence of contact between officials and a particular journalist, investigators can seek a warrant to examine private e-mail accounts and phone records, including text messages, former prosecutors said.

Prosecutors and the FBI can examine government e-mail accounts and government-issued devices, including cellphones, without a warrant. They can also look at private e-mail accounts without a warrant if those accounts were accessed on government computers. [my emphasis]

This description may well be how the government is conducting the StuxNet investigation (and the UndieBomb 2.0 investigation, which the article also describes).

But if WaPo is relying solely on former prosecutors, this description may be totally outdated.

After all–as I’ve reported repeatedly in the past–the 2011 update of FBI’s Domestic Investigations and Operations Guide permits using National Security Letters to get journalists’ contacts in National Security investigations (as all of these would be).

A heavily-redacted section (PDF 166) suggests that in investigations with a national security nexus (so international terrorism or espionage, as many leak cases have been treated) DOJ need not comply with existing restrictions requiring Attorney General approval before getting the phone records of a journalist. The reason? Because NSLs aren’t subpoenas, and that restriction only applies to subpoenas.

Department of Justice policy with regard to the issuances of subpoenas for telephone toll records of members of the news media is found at 28 C.F.R. § 50.10. The regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas. (The regulation requires Attorney General approval prior to the issuance of a grand jury subpoena for telephone toll records of a member of the news media, and when such a subpoena is issued, notice must be given to the news media either before or soon after such records are obtained.) The following approval requirements and specific procedures apply for the issuance of an NSL for telephone toll records of members of the news media or news organizations. [my emphasis]

So DOJ can use NSLs–with no court oversight–to get journalists’ call (and email) records rather than actually getting a subpoena.

The section includes four different approval requirement scenarios for issuing such NSLs, almost all of which are redacted. One only partly redacted passage, though, makes it clear there are some circumstances where the approval process is the same as for anyone else DOJ wants to get an NSL on:

If the NSL is seeking telephone toll records of an individual who is a member of the news media or news organization [2 lines redacted] there are no additional approval requirements other than those set out in DIOG Section 18.6.6.1.3 [half line redacted]

And the section on NSL use (see PDF 100) makes it clear that a long list of people can approve such NSLs:

  • Deputy Director
  • Executive Assistant Director
  • Associate EAD for the National Security Branch
  • Assistant Directors and all DADs for CT/CD/Cyber
  • General Counsel
  • Deputy General Counsel for the National Security Law Branch
  • Assistant Directors in Charge in NY, Washington Field Office, and LA
  • All Special Agents in Charge

In other words, while DOJ does seem to offer members of the news media–which is itself a somewhat limited group–some protection from subpoena, it also seems to include loopholes for precisely the kinds of cases, like leaks, where source protection is so important.

In other words, this story about starting with the sign-in logs of people who’ve been briefed on a particular topic, then gathering call records of those officials?

That may be what happened.

Or it may work the other way, with the government identifying a story it doesn’t like and then using call records to trace back from there to the potential sources of the story.

This curious phrasing would support the latter scenario.

[DC US Attorney Ronald] Machen is examining a leak to the Associated Press that a double agent inside al-Qaeda’s affiliate in Yemen allowed the United States and Saudi Arabia to disrupt the plot to bomb an airliner using explosives and a detonation system that could evade airport security checks.

The AP, after all, didn’t report that UndieBomb 2.0 was actually a sting set up by a Saudi-run infiltrator (and their reporting, at least, suggested they didn’t know UndieBomber 2.0 was an informant). John Brennan and Richard Clarke told that story. And yet WaPo describes the investigation as focusing on the AP part of the story, not the more damning part about an infiltrator.

If and when John Brennan goes unpunished for revealing the most damning part of this story, it’ll become increasingly clear: not only is the government starting with the journalists’ phone and email contacts, but it is doing so with journalists it might otherwise want to silence.




Yet Another Edition of “You Were Warned”

Dear unnamed power company/ies: Thank you for providing me an opportunity to post one of my favorite videos.

AGAIN.

You were warned about the possibility of security threats to your systems. Repeatedly–the video above is just one such warning. What’s it take to get through to you–a clue-by-four alongside the head? A massive, lengthy power outage you can’t resolve for days or weeks, with consumers calling for managements’ heads on pikes? A complete tank of your company’s stock value? The Department of Energy on your doorstep, taking possession of your site as it investigates you?

I love this part at 32:28 into the video where Ralph Langner says,

“…many things we thought about cyberwarfare earlier just were proven wrong. …”

Everything you thought you knew about infosec/cybersecurity needs to be revisited. The assumptions you’ve been using are clearly wrong.

Now get a frigging clue and revisit your security policies. STAT. You can start with checking these:

— No USB or other external media which have not been deeply screened for infection.

— External network connections to production equipment are to be avoided at all costs. Connections between corporate business and the power grid should be over a closed, dedicated network. Revisiting the appropriateness of traditional isolation of production networks might be worthwhile.

— No third-party contractors permitted on site that do not comply completely with power company security policies, including spot inspections. (You do spot inspections, right? Contractors are screened coming in and out of facilities, right?)

What are you doing here, reading this? Get to work. RUN.

Dear U.S. Department of Energy: Um, hello? Did your brains’ functions suffer irreparable damage from exposure to BP’s dispersants?

It’s the only excuse I can think of as to why security measures and subsequent audits of the nation’s power grid for infections and intrusions from network and external devices haven’t removed these threats.

By the way, this 2009 document making suggestions to power companies about security measures is now out of date and needs to be revisited, in light of the Senate Intelligence Committee’s authorization of cyber weapon deployment and subsequent blowback risk, let alone the case of USB devices laden with crimeware.

Dear Fellow Americans: I really hate feeling like Cassandra. I’d love to see the power industry and our government prove me wrong by preventing outages related to security breaches about which they’ve been warned. At the rate they’re going, you’re going to end up on the short end of the stick, without electricity to read my anticipated future post which I expect to entitle, “I told you so.”

You might want to contact your government representatives and ask them what they know about power grid security and if they’ve actually done anything to investigate the safety of power in their district. If their understanding is shaped by the Department of Energy’s latency, they need to be brought up to speed and pronto. Don’t wait until you don’t have the juice to read my next post on this topic.




Fear, Uncertainty, and Doubt: the Real Cyber Attack on the Truth [UPDATE]

[photo: cdrummbks via Flickr]

[UPDATE – see end of article.]

One weaselly senator–with long-identified agendas and a pathetically thin understanding of technology–takes to the microphone. Suddenly, by virtue of wrapping his senatorial lips around a few scary words on topics about which he knows little, we citizens are supposed to quake in fear and plead for salvation.

Screw that noise. This is textbook “fear, uncertainty, and doubt” — more commonly referred to as FUD in the information technology industry.

Since the 1970s, FUD tactics have been used to suppress competition in the computer marketplace, targeting both hardware and software. Roger Irwin explained,

…It is a marketing technique used when a competitor launches a product that is both better than yours and costs less, i.e. your product is no longer competitive. Unable to respond with hard facts, scare-mongering is used via ‘gossip channels’ to cast a shadow of doubt over the competitor’s offerings and make people think twice before using it. In general it is used by companies with a large market share, and the overall message is ‘Hey, it could be risky going down that road, stick with us and you are with the crowd. Our next soon-to-be-released version will be better than that anyway’. …

FUD has non-technology applications as well; one need only look at product and service brands that encourage doubts about using any product other than their own, in lieu of actually promoting the advantages their product or service might have.

So what’s the FUD about? Senator Joe Lieberman spouted off about cyber attacks in September last year, claiming Iran was behind disruptive efforts targeting U.S. banks.

Right. Uh-huh. Predictable, yes?

But FUD is used in situations where there is competition, one might point out. Yes, exactly; in September 2012, the case for support of unilateral attacks against Iran was up against the news cycle crush, powered by the post-Benghazi fallout and the drive toward the November general election, followed by the terror that was the “fiscal cliff.” That’s a lot of powerful, compelling competition for attention, votes, and tax dollars, when members of a reliable but lame duck Congress could be mounting up a pre-emptive cyber war without the headwind of public awareness and resistance, or the too-inquisitive pushback from newbies in the next seated Congress.

The pressure was on; our intrepid weaselly senator speedily whipped out some FUD!

The problem, though, is that no respectable consultant in the IT security industry picked up the flaming bag of smelly FUD. Take a gander through the Kaspersky or Langner websites and look for panicked reports of DDoS assaults on banking–you won’t find them. RSA’s blog never mentions Iran last year at all; F-Secure makes an oblique comment about nation-state cyberwarfare, implicitly critical of the U.S. with regard to its deployment of cyberweapons. Kaspersky mentions Iran exactly once, in relation to the “Ma(h)di incident” last year, and not at all in a forecast of 2013. Langner mentions the difficulty of providing adequate cybersecurity, noting Secretary of Defense Leon Panetta’s October 11 speech–again, no reference to Iran.

Intentionally or otherwise, Panetta furthered the FUD with his speech in a way that the mainstream media easily distorted:

…Let me give you some examples of the kinds of attacks that we have already experienced.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco.  Shamoon included a routine called a ‘wiper’, coded to self-execute.  This routine replaced crucial systems files with an image of a burning U.S. flag.  But it also put additional garbage data that overwrote all the real data on the machine.  More than 30,000 computers that it infected were rendered useless and had to be replaced.  It virtually destroyed 30,000 computers.

Then just days after this incident, there was a similar attack on RasGas of Qatar, a major energy company in the region.  All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.

Imagine the impact an attack like that would have on your company or your business.

These attacks mark a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold. …

Notice Panetta never actually says U.S. banks suffered Iranian-based DDoS attacks? He segues over to attacks on Saudi machines that might affect oil production, never mentioning what entity was likely responsible. Panetta mentions Iran exactly once–approximately 2184 words after beginning his 3898 word speech–and 861 words after the excerpt above, quite a distance from the examples he cited.

In contrast, he mentions Russia and China in a sentence directly ahead of the mention of Iran; he notes Russia once, and China three times in the same speech.

How are we supposed to infer from this speech that cyber attacks using DDoS on banks were imminent, if not already underway? Mainstream media solved that problem for us, by repeatedly claiming Panetta said in his speech that Iran was a cyber threat to banks.

It didn’t help that Panetta was preoccupied and didn’t step up to demand corrections about reporting on his speech.

Less-than-happy journalism has been too common on this topic. The September 21 Washington Post article that spawned Lieberman’s FUD refers to “U.S. officials.”

…“I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites,” said Lieberman in an interview taped for C-SPAN’s “Newsmakers” program. “I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability.” The Quds Force is a special unit of Iran’s Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to “the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

U.S. officials suspect Iran was behind similar cyberattacks on U.S. and other Western businesses here and in the Middle East, some dating as far back as December. A conservative Web site, the Washington Free Beacon, reported that the intelligence arm of the Joint Chiefs of Staff said in an analysis Sept. 14 that the cyberattacks on financial institutions are part of a larger covert war being carried out by Tehran. …

[emphasis mine–R.]

Gee, why not name them? Is this just our favorite weaselly senator again, and a mouse in his pocket? Or perhaps these nameless officials were Senators Lieberman, Collins, Rockefeller, and Feinstein, who sponsored the Cybersecurity Act of 2012, up for a vote less than ten days after the election?

Or are these “U.S. officials” part of another government group airing these suspicions without offering any substantive support? Why is the WaPo quoting the cyber attacks claim made by a tiny, little conservative outlet like the Washington Free Beacon? The outlet stated a secret report by the “intelligence arm of the Joint Chiefs of Staff” revealed Iran’s anticipated DDoS assault on U.S. banking. Why would anybody affiliated with J-2 disclose anything at all from a secret report to a puny right-wing rag?

It appears there’ve been a number of folks who are allegedly close to the issue and unauthorized to speak to media who’ve been chattering away. Um, why wasn’t Senator Feinstein puling about intelligence leaks, especially when a bill she’s co-sponsored may be directly affected?

It all smells like old fashioned FUD; there’s a lot of fear being pushed, but nothing to remove uncertainty and doubt. Others have criticized the FUD as well as its proliferation through distortion and inaccuracies. Computerworld reports experts are not all in agreement about the attacks’ origins; see also this excerpt from Digital Dao’s Sept. 28 post, pushing back at Lieberman and media alike:

Bloomberg: “The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to (Dmitri) Alperovitch and (Rodney) Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said. “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.”

CNN: “To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a “botnet.”

FALSE. This attack did not take months to plan for two reasons: 1) This was a crowd-sourced opt-in botnet commonly used in social activism (aka hacktivist) attacks, and 2) No one needs to create a botnet from scratch anymore. You can find them to rent on pretty much any hacker forum world-wide.

While all this scaremongering proliferates–without any credible information documenting the claims that a nation-state is behind DDoS attacks on banks–more realistic threats to U.S. banking emerged nearly in tandem with the allegations about Iran’s cyber assault. Note the stories published by information security journalist Brian Krebs, FastCompany, and other IT news outlets about Project Blitzkrieg, a criminal program targeting 30 U.S. banks with the intent to steal money while tying up the banks’ systems with DDoS attacks. How is the public to know that the trojans and viruses launched in late summer/early autumn weren’t proof-of-concept efforts in advance of real attacks? Skype in particular experienced a widespread virus spread within its community in late September–oddly enough, just before news reports about Project Blitzkrieg–and reporting to date on Project Blitzkrieg indicates that Skype will be a component of the attack.

There’s more than one issue that could underpin concerted FUD using the mythos of Iranian cyberwarfare, including the conflicts between the U.S. and the E.U. on surveillance, or tensions over the puzzlingly inadequate response by the U.S. banking system with regard to its persistent laxity on authentication standards compared to EU banks. (The U.S. has used a single factor while the EU has relied on a two-factor standard. While the EU is more secure, both are inadequate according to security expert Bruce Schneier.)

Whatever the truth, whatever drives the FUD, know this:

— The Cybersecurity Act of 2012 died in November, though it may be resurrected under the newly seated Congress, or the White House could choose to implement all desired features through an executive order;

— Don’t let the FUD distort your perceptions. “…Some in (IT) industry say DDoS attacks are pretty common. …” They are. They are not the exclusive domain of cyberwarfare, and are far more frequently generated by criminal or hacktivist activity.

— Lastly, practice safe computing and safe banking. 1) Run antivirus and anti-malware applications frequently, using more than one antivirus package; 2) Don’t assume Mac OS and iOS are immune, as criminals go where there’s money, not operating systems; 3) If you bank online, use Linux–see Brian Krebs for an overview.

UPDATE — 8:10 PM EST — Check out this interesting report from ProPublica just today, How a Government Report Spread a Questionable Claim About Iran, by Justin Elliott. Notice anything familiar in this article? Looks like a classic dispersion of FUD and at least one familiar outlet. Huh.




“Liberal” 9th Circuit Deals Death Blow To Al-Haramain Illegal Wiretapping Accountability Case

There is only one substantive case left in litigation with the ability to bring tangible accountability for the illegal and unconstitutional acts of the Bush/Cheney Administration’s warrantless wiretapping and surveillance program. That case is Al-Haramain v. Bush/Obama. Yes, there is still Clapper v. Amnesty International, but that is a prospective case of a different nature, and was never designed to attack the substantive crimes of the previous Administration.

A little over a couple of hours ago, late morning here in the 9th, the vaunted “most liberal of all Circuit Courts of Appeal”, the Ninth Circuit, drove what may be the final stake in the heart of Al-Haramain by declining to conduct an en banc review of its August 7, 2012 opinion. The notice from the court today is brief:

The opinion filed on August 7, 2012, and appearing at 690 F.3d 1089, is hereby amended. An amended opinion is filed concurrently with this order.

With these amendments, the panel has voted to deny the petition for panel rehearing and the petition for rehearing en banc.

The full court has been advised of the petition for rehearing and rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petition for panel rehearing and petition for rehearing en banc are DENIED. No further petitions for en banc or panel rehearing shall be permitted.

Before going further with analysis, a word about the “amendments” to the opinion. The “Amended Opinion” is here. You can compare for yourself to the August 7 original opinion linked above, but the difference is pretty slight.

It appears all the court did is delete a few sentences here and there about 18 USC 2712(b). The court did not address, nor change, their erroneous assertion that plaintiffs Al-Haramain could have sued under 1806(a), or restore the misleadingly-omitted (by ellipsis) language from 1806(a). Nor did the court address plaintiffs’ alternative theory of waiver of sovereign immunity.

Now, more than ever, you have to wonder just exactly what is in the secret sealed filings originally lodged by the DOJ in the 9th Circuit in Al-Haramain that the government scrambled so tellingly to “correct” in November of 2009. It would be nice if the inestimable Judges Harry Pregerson, Margaret McKeown and Michael Hawkins, “liberal lions” all, would deign to tell the American public what lies and/or fraud the Department of Justice perpetrated upon the court and the Al-Haramain plaintiffs that necessitated their blatant ass covering moves in November of 2009, and how those falsities interrelated to the decision to deny justice to the plaintiffs and the American public. How do these judges sleep at night?

With that out of the way, what does it all mean? Well, the key language in the original 9th Circuit opinion dated August 7, 2012 was:

Congress can and did waive sovereign immunity with respect to violations for which it wished to render the United States liable. It deliberately did not waive immunity with respect to § 1810, and the district court erred by imputing an implied waiver. Al Haramain’s suit for damages against the United States may not proceed under § 1810.

In short, wiretapping crimes against citizens and their organizations cannot, under any circumstance, be addressed. Because….IMMUNITY SUCKERS!

The perspective was explained by Marcy at the time of the August 7 opinion:

Because al-Haramain, at a time when Vaughn Walker was using 1810 to get by the government’s State Secrets invocation, said “it was not proceeding under other sections of FISA,” its existing claim is limited to 1810. The government used the information collected–in a secret process that ended up declaring al-Haramain a terrorist supporter–but not in a trial, and therefore not in a way al-Haramain can easily hold the government liable for.

The implication, of course, is that all the rest of the collection the government engages in–of all of us, not just al-Haramain–also escapes all accountability. So long as the government never uses the information itself–even if the entire rest of their case is based on illegally collected information (as it was in, at a minimum, al-Haramain’s terrorist designation)–a person cannot hold the government itself responsible.

The people who can be held accountable? The non-governmental or non law enforcement persons who conduct the surveillance.

But of course, they–the telecoms–have already been granted immunity.

Yes, there is now immunity every which way from Sunday, and between the AT&T cases of Hepting and Jewel, and now Al-Haramain, it has all been sanctioned by the “most liberal Circuit” in the land. Booyah.

A last word about why the title contains the words “death blow”. In short, it is because if this case, with these facts, with that judge (Vaughn Walker), and that trial court decision, cannot make it past the rank cynicism, duplicity and secrecy of the Bush/Obama continuum of regimes, then no case can. If none of that is possible in the “liberal” 9th Circuit, with a completely “liberal” panel of judges, then it is simply not possible. Yes, it is possible that plaintiffs Al-Haramain will petition for certiorari to the Supreme Court, but it is almost certainly fruitless if they cannot even make it in the 9th Circuit, and they may well have a fear of further ingraining heinous law into the national books. We shall see, but it is certainly no given.

You have to feel for plaintiffs Al-Haramain, Wendell Belew and Asim Ghafoor, who lost their constitutional rights and cause of action; Judge Vaughn Walker, who meticulously crafted a solid opinion working around state secrets and FISA constraints; as well as plaintiffs’ attorney Jon Eisenberg, who lost, along with co-counsel, over $2.5 million worth of attorney fees and expenses, and the time those fees represented out of their lives. All down the drain to a craven Executive Branch, a duplicitous Department of Justice and a fraudulent “war on terror”. Ain’t that America.




On Toobz and Gases

Danger Room answers–sort of–one of the big questions I had after reading NYT’s report (relying in part on Israeli sources) that Syria appeared to be preparing to use its chemical weapons: what is the connection between Syria’s two-and-a-half-day Internet outage last week and today’s barrage of leaks reporting on the CW?

On Thursday, Syria abruptly became disconnected from the internet, likely after the regime disabled the four cables that provide Syria with connectivity. The rebels use the internet not only to document regime atrocities but to disseminate training tactics and to spread their propaganda. Yet the regime also relies on the internet: it’s tried to hijack rebel hardware by spreading spyware in the form of fake security software. As Danger Room predicted last week, the outage ended quickly, as online monitor Renesys confirmed a “largely complete restoration of the Syrian Internet” by Saturday.

The U.S. official doesn’t believe the internet blackout was related to the combination of the chemical weapon binaries. And at the Pentagon, Defense Department spokesman Little said the online outage didn’t make a difference for the U.S. understanding of Assad’s dangerous weapons. “The U.S. government has good visibility into the chemical weapons program and we continue to monitor it,” Little said.

These paragraphs make it clear that:

  1. The US and Israel are not relying on the Toobz to spy on the Assad regime
  2. A US source claims to believe there is no tie between alleged Syrian moves, taken on Wednesday, to mix sarin precursors and the complete shutdown on Thursday of Syria’s Internet

Danger Room’s sources aren’t even asserting that the two events–the mixing of the CW on Wednesday and the Intertoobz blackout on Thursday–are both signs of Bashar al-Assad’s panic.

Which would sort of be the default unless intelligence sources had reason to know that the Intertoobz blackout had nothing to do with the CW mixing.

We’ve long traced interesting Intertoobz blackouts caused by cut cables on this blog: from the recent blackout in Djibouti, to a cable in the Bay Area, to a number of cut cables in the Middle East back in 2008.

It appears to be an increasingly common tactic, one difficult to attribute to a specific actor.

But if one of those actors comes out a few days after an outage and says they have no reason to find that outage as suspicious as the mixing of CW, maybe it’s not so hard to attribute after all.

Update: See Moon of Alabama’s description of why Assad is not mixing chemicals. Which makes it all the more interesting that US sources claim to be so certain the outage had no ties to their claimed sarin mixing.




Cyber-9/11 Warning!! … Screams Man Making Huge Profit Off Such Screams

The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.

A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.

According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.

Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitute that warning.

Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.

McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers are a hair-on-fire warning.

Leon Panetta made similarly unconvincing claims back in October.

Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.

Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.

Here’s the very important detail they left out.

Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.

It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnell licking his chops as he identified new purported threats to build business around.

More amusing still is this:

Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.

[snip]

Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.

The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.

Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.

But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.

Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.

In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.

It’s a very neat system our Military Intelligence Industrial Complex has created.




Are Escaped Zoo Animals Autonomous?

Back when David Sanger revealed new details of how StuxNet broke free of Natanz, he used the metaphor of an escaped zoo animal actively unlocking its cage.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. [my emphasis]

This zoo animal found the keys to its cage, broke free, spread to an engineer’s computer, failed to recognize its new environment, and then began replicating itself all around the world.

That is, Sanger used the language of a cognizant being, acting as an agent to spread itself. That’s not inapt. After all, viruses do spread themselves (though they don’t actually go seek out keys to do so).

Which is why this detail, noted in Obama’s other pre-Thanksgiving document dump, is so stunning. (h/t Trevor Timm)

The Defense Department does not require developers of computer systems that launch cyber operations to implement the same safeguards required of traditional arms makers to prevent collateral damage.

[snip]

directive, released Nov. 21, mandated that automated and semi-autonomous weaponry — such as guided munitions that independently select targets — must have human machine interfaces and “be designed to allow commanders and operators to exercise appropriate levels of human judgment over the use of force.” The mandate called for “rigorous hardware and software verification and validation” to ensure that engagements could be terminated if not completed in a designated time frame. The goal is to minimize “unintended engagements,” the document states.

The Pentagon is permitting less human control over systems that deploy malware, exploits and mitigation tools, highlighting Defense’s focus on agile responses to computer threats. The document, signed by Deputy Secretary of Defense Ashton Carter, explicitly states that the directive “does not apply to autonomous or semi-autonomous cyberspace systems for cyberspace operations.”

We have already lost control of one of our semi-autonomous cyberspace operations. The potential danger from its “escape” could be tremendous.

And yet DOD specifically exempts similar operations in the future? So we can commit the same error again?




ECPA Amendments and Privacy in a Post Petraeus World

One of the issues making the rounds like wildfire today was a report from Declan McCullagh at CNET regarding certain proposed amendments to the Electronic Communications Privacy Act (ECPA). The article is entitled “Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants” and relates:

A Senate proposal touted as protecting Americans’ e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.

CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans’ e-mail, is scheduled for next week.

Leahy’s rewritten bill would allow more than 22 agencies — including the Securities and Exchange Commission and the Federal Communications Commission — to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

This sounds like the predictably craven treachery that regularly comes out of Senate, indeed Congressional, legislation on privacy issues. And exactly what many had hoped would cease coming out of Washington after the public scrutiny brought on by the Petraeus/Broadwell/Kelley scandal. And, should these amendments make it into law, they may yet prove detrimental.

But there are a couple of problems here. First, as Julian Sanchez noted, those abilities by the government already substantially exist.

Lots of people RTing CNET’s story today seem outraged Congress might allow access to e-mail w/o warrant—but that’s the law ALREADY!

Well, yes. Secondly, and even more problematic, is that Pat Leahy vehemently denies the CNET report. In fact, Senator Leahy does not support broad exemptions for warrantless searches for email content. A source within the Judiciary Committee described the situation as follows:

The CNET story reports as if the Chairman is offering an amendment to that end, which is not the case. What is pending before the committee is a substitute bill, HR 2471, that seeks to update pieces of the Electronic Privacy Communications Act and the Video Privacy Protection Act. The committee adopted that substitute in September, and will resume marking it up next week.

And that comports with the press release Senator Leahy issued later in the afternoon. Included in the press release is a section by section breakdown of what Leahy really has in mind trying to get out of committee and to the floor; it is not long and worth a look. While it does not go nearly far enough, there are some decent steps in Leahy’s proposed ECPA Amendment. The Title I changes regarding video tapes will not do a lot in the ever more digital streaming world, but the Title II proposals by Leahy do make some substantive improvements. It is, as they say, a start.

There should, however, be more, much more, added protection for citizens’ electronic privacy. Here is a comprehensive report from the Congressional Research Service, issued just a week and a half ago, entitled Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, that demonstrates what the government is going to do to protect itself. But what will the government do to protect you?

You would think the entitled royalty of the Washington DC Beltway would have had a wake-up call as to just how little privacy American citizens have in their electronic communications as a result of the broad spider webbing of information the FBI sucked in on potentates such as David Petraeus, Gen. John Allen and supposed security expert Paula Broadwell. Not just collecting the information, but backtracing it to specific computers, users, and whatever location the users were at at any given time. But that is not really the case. As Adam Serwer said:

If the director of the CIA can’t keep his private life secret from the FBI, you can’t either.

It is stunning what the government can get with effectively no process at all from providers; even more what they can get with common administrative bench subpoenas. All that is without a court supervised warrant. This report details the more than 300 different modalities of Federal administrative subpoena permitted by existing law. Couple that with an all too often rubber stamp traditional warrant process, and there is not much restraint on the government probing your deepest facets of electronic life.

The video above is a little longer than normal at 16 minutes, but it is a well paced look at Why Privacy Matters and has many people you will recognize in it. Privacy does matter.