The Cyberwar Campaign against Jihadi Literature and WikiLeaks

Ellen Nakashima has a piece following up on the WSJ story previewing DOD’s cyberwar (which I posted on here). Before you read it, though, I wanted to suggest another reason we may be seeing this policy early (in addition to the hacking of all the defense contractors, now including L-3; and note, Nakashima references this legislation at the end of her article).

Last Thursday, the Defense Authorization bill passed the House. It retains Section 962, to which the Administration objected, which reads,


(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107–40) against a target located outside of the United States; or

(2) to defend against a cyber attack against an asset of the Department of Defense.

(c) BRIEFINGS ON ACTIVITIES.—Not later than 120 days after the date of the enactment of this Act, and quarterly thereafter, the Secretary of Defense shall provide a briefing to the Committees on Armed Services of the House of Representatives and the Senate on covered military cyberspace activities that the Department of Defense carried out during the preceding quarter.

(d) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.

So as you read Nakashima, remember that the Obama Administration objected to a section that authorized cyberwar in two circumstances–in support of an AUMF against a target outside of the US and in defense against a cyber attack on a DOD asset–and required quarterly briefings.

OK, now go read Nakashima.

Within the context of the Defense Authorization, a few points stick out in DOD’s campaign to describe what they believe their cyberwar policy to be. First, it envisions preparatory actions–basically spying on a presumably non-belligerent adversary’s infrastructure to map out how DOD would launch a cyberattack if the time came.

The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later. The military does not need such approval, however, to penetrate foreign networks for a variety of other activities. These include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate. Military cyber-warriors can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses, the official said.

In other words, DOD is indicating that it will engage in cyberwar activities outside of those authorized by Congress, activities which I’m sure they’re claiming fall under their “preparing the battlefield” giant loophole they use to engage in spywork.

Then there’s this:

Last year, for instance, U.S. intelligence officials learned of plans by an al-Qaeda affiliate to publish an online jihadist magazine in English called Inspire, according to numerous current and senior U.S. officials. And to some of those skilled in the emerging new world of cyber-warfare, Inspire seemed a natural target.

The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas. But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity — and hence the prerogative of the CIA.

The CIA won out, and the proposal was rejected. But as the debate was underway within the U.S. government, British government cyber-warriors were moving forward with a plan.

As Nakashima goes on to explain, the British attack on Inspire managed to delay the publication of a bomb-making article in the magazine for two weeks. But it did eventually get published.

The Inspire story is fascinating not just because it reveals the ongoing turf war between DOD and CIA–and makes clear Mac Thornberry intends to let DOD win these battles.

But also, consider the cyberattack-which-shall-not-be-named: someone’s successful effort to ensure WikiLeaks couldn’t publish the State Department cables from a US server. The Inspire story makes it clear DOD is thinking in terms of take-downs of speech, which is precisely what the WL hack was.

And since WL was ultimately a compromise of DOD’s networks, it would solidly fall under the congressionally-defined defense “against a cyber attack against an asset of the Department of Defense.”

That is, it seems that Thornberry has authorized DOD to do things like hack WL. Congress seems to be in the business of helping the government exercise prior restraint.

That First Amendment sure was nice when we had it!

Though there’s just one weird aspect to this: DOD didn’t launch a cyberattack on WL when it compromised DOD resources: the Afghan and Iraq cables. Rather, it waited until all the DOD materials were already out, and then (we assume though don’t know) started attacking free speech to protect the State Department’s assets.

Anyway, all that prior restraint isn’t good enough, it seems, and the Administration is going to campaign for more lenient guidelines allowing DOD to wade through other countries’ infrastructure to figure out how to cyberattack them when the time comes.

I guess they can’t very well complain about the Lockheed and L-3 hacks then.

Retaliating against State-Sponsored Cyber War

On the first news day after the holiday weekend reporting on Lockheed Martin, WSJ reports that the US is moving towards making cyberattacks an act of war.

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

And they’re building into this policy an assumption that the biggest attacks must have state sponsorship.

Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.

This new policy won’t be subject to intelligence manipulation at all, nosiree!

The next time someone wants to invent a casus belli against Iran, they can just point to a particularly successful hack and (ignoring all questions about appropriate retaliation for Stuxnet…) claim the Iranians have done it and say it, like evidence of WMD, is classified.

They already presumably fabricated one Laptop of Death for Iran, why not another?

And then, declaring ourselves incompetent to retaliate via cyberspace (Stuxnet notwithstanding), they’ll have their excuse to roll out the war machine.

About the Lockheed Martin Hack

As first started leaking last week, Lockheed Martin seems to have been hacked.

Last weekend was bad for a very large U.S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

What seems to have happened is hackers used information gotten in the RSA Data Security hack to try to break Lockheed’s own security–basically, Lockheed noticed that hackers were trying to use the keys they stole in March to open a bunch of locks at Lockheed. Lockheed appears to have discovered the effort and in response, started shutting down remote access on parts of its network.

Lockheed Martin, the Pentagon’s No. 1 supplier, is experiencing a major disruption to its computer systems that could be related to a problem with network security, a defense official and two sources familiar with the issue said on Thursday.

Lockheed, the biggest provider of information technology to the U.S. government, is grappling with “major internal computer network problems,” said one of the sources who was not authorized to publicly discuss the matter.


The slowdown began on Sunday after security experts for the company detected an intrusion to the network, according to technology blogger Robert Cringely. He said it involved the use of SecurID tokens that employees use to access Lockheed’s internal network from outside its firewall,


Loren Thompson, chief operating officer of the Lexington Institute, and a consultant to Lockheed, said the company monitored every node on its vast global computer network from a large operations center in a Maryland suburb near Washington, D.C.

“If it sees signs that the network is being compromised by outsiders it will shut down whole sectors of the network to protect information,” Thompson said.

He said Lockheed had advanced networking monitoring tools that gave it a “much better understanding of their systems’ status than most other organizations, including the Department of Defense.”

In other words, Lockheed may have prevented a much bigger breach into their own systems. But the assumption of many is that other companies might not have noticed what Lockheed did. Stories on this hack all feature a list of other defense contractors–like Boeing and Raytheon and Northrop Grumman–who “decline to comment,” which might mean they’re scrambling to address the same problem Lockheed is, only trying to do so without all the bad PR.

Now, most observers of this hack have suggested that the hackers–who might work for a state actor or some other sophisticated crime group–were after Lockheed’s war toy information (which partly explains why you’d ask Lockheed’s aerospace competitors if they’d been hacked too). But remember that Lockheed does a lot for the government besides build planes. Of particular note, they’re a huge NSA contractor. Maybe the hackers were after info on jet fighters, or maybe they were after the data and data collection programs our own government hides from its own citizens.

Which is all a reminder that, amidst the sound and fury directed at WikiLeaks (which after all shared important information with citizens who deserved to know it), there’s a whole lot more hacking we don’t learn the results of, hacking that either might result in others adopting our lethal technologies, or in third parties stealing the data we’re not even allowed to know.

Now, granted, Lockheed has far far better security than DOD’s SIPRNet does. At least they’re trying to protect their data. But it’s not clear they–or their counterparts–are entirely successful.

Obama’s Secret Cyberwars

I sort of get the feeling that the entire legislative effort on cyberwar is going on in a classified annex.

Nevertheless, even from what we can see, we’ve got a dispute. As I noted a few weeks back, the House Armed Services Committee included a provision that explicitly granted DOD the power to conduct clandestine cyberwar activities in some situations, but required quarterly briefings on such activities.


(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107–40) against a target located outside of the United States; or

(2) to defend against a cyber attack against an asset of the Department of Defense.

(c) BRIEFINGS ON ACTIVITIES.—Not later than 120 days after the date of the enactment of this Act, and quarterly thereafter, the Secretary of Defense shall provide a briefing to the Committees on Armed Services of the House of Representatives and the Senate on covered military cyberspace activities that the Department of Defense carried out during the preceding quarter.

(d) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.

That seemed to be a response to earlier claims by DOD that it didn’t have to brief such things to Congress.

As it happens, that’s another of the sections of the Defense Authorization to which the Administration objects (though they did not issue a veto threat on it).

Military Activities in Cyberspace: The Administration agrees that appropriate military operations in cyberspace are a vital component of national security, but objects to Section 962. The Administration has concerns about this provision and wants to work with Congress to ensure that any such legislation adds clarity and value to our efforts in cyberspace.

The choice by administrations to conduct cyberwar under DOD’s auspices rather than CIA’s as a way to avoid oversight is something that John Rizzo (!) warned about. And the bill has already given the Administration an extra three months of secret cyberwar before it has to start briefing Congress compared to the original bill.

What kind of war is Obama waging in cyberspace it refuses to tell Congress about?

DHS’ Top Cybersecurity Officer Resigns

As Marc Ambinder reports, the top cybersecurity guy at DHS, Phil Reitinger, announced his resignation today. Which is pretty odd, given that Obama just rolled out his cybersecurity strategy a few days ago. Though that’s the excuse that Reitinger offered for the timing of his departure.

With significant progress having been made in activities across NPPD [National Protection and Programs Directorate], with growing recognition of DHS’s roles and authorities, and the cybersecurity legislative proposal now delivered to the Hill, it’s a logical point for me to leave the Department of Homeland Security and allow the team that we have developed together to carry our initiatives forward. [bracketed comment Ambinder’s]

Okaaayyyy then. You finally win the pissing contest between NSA and DHS over who will lead cybersecurity and then you … leave? Leaving no one to lead the program you’ve fought so hard to lead, not to mention leaving no one to lobby for the legislative proposal just sent to Congress?

Though Reitinger isn’t technically the CyberCzar, he makes at least the 10th top cybersecurity official to have left since 9/11.

Update: Here’s how his job was described when he was hired.

In addition to overseeing the department’s mandate to protect government networks, Reitinger also will be responsible for coordinating Uncle Sam’s outreach to private companies that own and operate the nation’s most vital information assets. These digital assets power everything from water and electricity distribution systems to telecommunications and transportation networks.

As I described here, one of the most sensitive aspects of the cybersecurity legislation the Administration proposed (and, I think, one of its weakest parts), is the means by which critical infrastructure entities prove to the government that they have adequate cybersecurity. It would seem really important to have continuity in this position to shepherd this part of the legislation through Congress.

Unless, of course, he’s planning on representing the industry as the bill wends its way through Congress. Or, set up one of the auditing companies that will get rich off the way the legislation was written.

Eric Holder Claims Rule of Law Exists in Cyberspace

Just days after asking Congress not to give the intelligence community a hard deadline to put a basic cybersecurity measure into place, the Obama Administration rolled out a cybersecurity strategy yesterday with great fanfare. The event itself seemed designed to bring as many Cabinet Secretaries into one place at one time–Hillary Clinton, Gary Locke, Janet Napolitano, and Eric Holder, along with DOD Deputy Secretary William Lynn and White House Cybersecurity Coordinator Howard Schmidt–to give the appearance of real cooperation on cyberspace issues.

The strategy itself is still mostly fluff, with paragraphs like this:

This future promises not just greater prosperity and more reliable networks, but enhanced international security and a more sustainable peace. In it, states act as responsible parties in cyberspace—whether configuring networks in ways that will spare others disruption, or inhibiting criminals from using the Internet to operate from safe havens. States know that networked infrastructure must be protected, and they take measures to secure it from disruption and sabotage. They continue to collaborate bilaterally, multilaterally, and internationally to bring more of the world into the information age and into the consensus of states that seek to preserve the Internet and its core characteristics.

And loaded paragraphs like this, in the section on military goals:

Recognize and adapt to the military’s increasing need for reliable and secure networks. We recognize that our armed forces increasingly depend on the networks that support them, and we will work to ensure that our military remains fully equipped to operate even in an environment where others might seek to disrupt its systems, or other infrastructure vital to national defense. Like all nations, the United States has a compelling interest in defending its vital national assets, as well as our core principles and values, and we are committed to defending against those who would attempt to impede our ability to do so.

Lucky for DOD, there was no discussion of deadlines anywhere in the document, so they didn’t have to admit their plan to “adapt to the military’s increasing need for reliable and secure networks” was a long term project.

And then the strategy had a lot of language about norms, which places our cybersecurity strategy in the paradigm and language of international regime development from foreign relations (interestingly, Hillary started off the parade of Secretaries, further emphasizing this diplomatic approach).

But what struck me most about this dog and pony show, delivered on the day SCOTUS endorsed the executive branch’s efforts to hide torture behind the invocation of state secrets, was Eric Holder’s discussion about rule of law in cyberspace.

In recent months, the Justice Department has announced takedowns of significant criminal groups operating from Romania, Egypt, and elsewhere that had been victimizing American businesses and citizens – including children. We’ve also brought multiple criminal conspirators to justice for their roles in coordinated cybercrimes that, according to court documents, netted nearly 1.5 million dollars from U.S. victims. And, just a few weeks ago, we announced an operation to disable an international criminal network that had infected more than two million computers worldwide with malicious software. Until we stepped in – with the help of industry and security experts, as well as key international partners – this malware was allowing criminals to capture bank account numbers, user names, and other sensitive and financial information online.

While we can all be encouraged by these and other successes, we cannot become complacent. As President Obama has repeatedly indicated – we must, and we will, take our global fight against cyber threats to the next level. The strategy that we are announcing today is an affirmation of that promise. It reinforces our nation’s support for the Budapest Convention – and for efforts to establish the rule of law in cyberspace. It also reflects our ongoing commitment to prevent terrorists and other criminals from exploiting the Internet for operational planning or financing – or for the execution of attacks. [my emphasis]

We’re going to build rule of law in cyberspace apparently. Sort of like an extraterrestrial colony to preserve a way of life that used to exist on Earth (or at least in the US), but no longer does.

So rest assured, if this cyberstrategy is successful, we can expect rule of law in cyberspace as compensation for the fact that the government has destroyed rule of law in meatspace.

Oh, on that note, there was no discussion of any investigation into how it was that a media outlet, Wikileaks, was attacked with a sophisticated DDOS attack, ultimately damaging free speech.

Obama Administration: Sorry, 2013 Is Too Soon to Fix Gaping Holes in Our Network Security

You’ve no doubt read the multiple posts in which I responded with growing incredulity at the response of DOD and the Intelligence Community to the gaping holes in their network security.

Basically, in a review of DOD networks after Bradley Manning’s alleged leaking (which came two years after they reviewed DOD networks after a bad malware infection introduced via a thumb drive), DOD admitted that they still let service members access computers on DOD’s classified network with removable media (like Lady Gaga CDs) two years after they vowed to end the practice; they didn’t have personal keys to offer better authentication and tracking of actions taken online; and they couldn’t audit for unusual activities online.

In short, they don’t have the kind of security that is considered routine in the private sector.

On our classified network.

And in response to their admission of gaping holes in the Department of Defense’s (and presumably, because they want the same deadline, other parts of the IC’s) network security, they laid out a plan to fix the problems … by 2013.

Cause I’m sure none of our enemies will come looking for our secrets between now and then.

It’s becoming an obsession for me, this disinterest in fixing gaping holes in our network security even as the Administration claims Bradley Manning’s alleged leak could be a capital offense. If this stuff is so damned secret, plug the fucking holes!

So you can imagine my shock when I read the Obama Administration’s response to the intelligence bill’s endorsement of the 2013 deadline DOD and the IC asked for: (h/t Steven Aftergood)

Section 402 requires the DNI to create an insider threat detection program for the information resources of each element of the IC to detect unauthorized access to classified information. The Administration wholeheartedly agrees with the need to be vigilant and proactive in trying to detect, mitigate, and deter insider threats, and supports a comprehensive insider threat detection capability. The Administration is currently working toward its implementation. However, the Administration is concerned with the unrealistic timelines required by this provision for the program’s operational readiness, and strongly requests that the provision be amended to grant the DNI flexibility in implementation timelines of the program.

Hey bad guys?!?!?!? No one is checking the intelligence community’s networks to see whether you’re nicking highly classified information off of them. No one is checking their networks to see what kind of abnormal activities their own spooks are engaging in.

And they’re not going to be until … well, they don’t know. A deadline, you see, would be rather restrictive. And our fucking classified networks just aren’t a priority for network security! All I can tell you is 2013–two full years from now–that’s too soon.

So China, Iran? Just take what you want. Just make sure you do it in the next two … or maybe three … or who knows? years, because sometime in the distant future the IC aspires to have the same kind of network security your average bland business has.

Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity

Two and a half years after privatized auditors largely signed off on practices that contributed to the collapse of Wall Street, and a year after coziness between government inspectors and the oil industry they regulate allowed a massive oil spill in the gulf, the Obama Administration proposes relying on private auditors to ensure that private companies guard our nation’s cybersecurity.

That’s one of two troubling aspects of the fact sheet the Administration just released, summarizing proposed legislation on cybersecurity it just sent to Congress.

At issue is who investigates the adequacy of a private company’s cybersecurity plan to both certify it is adequate and ensure compliance with it. The answer? Auditors paid by the private companies.

The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Security and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate. In the event that the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology, could modify a framework. DHS can also work with firms to help them shore up plans that are deemed insufficient by commercial auditors.

While the promise to make these plans transparent is all well and good, the problem remains that private companies and the auditors they pay get to decide what is sufficient, not someone without a financial stake in the outcome. If government inspectors are important enough for safety issues, shouldn’t they be required for the cyberinfrastructure that is so critical to our safety?

In addition, a big part of this plan may give up one of the sticks the government has to ensure compliance.

One of the reasons why private companies don’t like to reveal when they’ve been hacked is liability issues: not only might their customers respond badly, but in some fields (like finance companies) the companies may face other liability issues.

But the fact sheet offers companies immunity, at the least, for any private data it shares with the government when it reveals it has been hacked.

Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

The fact sheet doesn’t describe the extent of the immunity, and the plan does, at least, make immunity contingent upon privacy protections.

  • When a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.


  • Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.

But I wonder about the breadth of this immunity. Does it also offer companies immunity for negligence in the handling of consumer data?

One thing that Al Franken, among others, is pushing, is making it easier for consumers to expect a certain level of protection for their data. Thus, if Sony has two-year-old consumer data sitting around on an unsecured server, it would bear some liability if a hacker came and accessed that data. Such measures would effectively expose companies to lawsuits if they totally blew off their customers’ data security.

Now at least this proposal mandates that companies tell consumers when their data has been accessed (though I always worry when federal legislation claims to simplify state legislation–it’s often code for “water down”).

National Data Breach Reporting. State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

But it’s not clear whether companies would bear any liability for such breaches if and when they alert consumers. Moreover, this says nothing about other public disclosure on breaches, which consumers may have as big an interest in (for example, investors ought to be able to know if banks and other major investors routinely get hacked, and stock holders ought to be able to know if critical proprietary information has been stolen).

Call me crazy, but my hackles start to rise when the government starts granting immunity willy nilly, with almost nothing demanded in exchange.

Update: Kashmir Hill offers one example why a national “simplified” law might be a problem–because it’ll eliminate elements like mandatory identity theft protection and penalties from the most stringent law, in MA.

As for telling customers about their data being breached, the White House says it will “help businesses” by simplifying and standardizing the “existing patchwork of 47 state laws” that have various requirements about how soon to notify customers. In the fact sheet, at least, there’s no mention of penalties for businesses, nor mandatory provision of identity theft monitoring after a breach — two aspects of the harshest data breach law currently in the country, in Massachusetts.

Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now

Robert Chesney notes that the HASC Mark on the Defense Authorization bill includes a section on cyberwar. Here’s the entire section:

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to the Authorization for the Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) outside of the United States or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities.

While these terrorist actions often lead to increased danger for U.S. and coalition forces in areas of ongoing hostilities, terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally.

In certain instances, the most effective way to neutralize threats and protect U.S. and coalition forces is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense’s authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

While Chesney focuses on the use of “clandestine” in this passage (which I’ll return to), I think one of the key phrases is simply the requirement that DOD brief the Armed Services Committees quarterly on what it’s doing in cyberspace. As the AP reported in January, the SASC complained during the confirmation hearings of Michael Vickers that they weren’t getting briefed on clandestine cyberwar activities. Vickers claimed in response that the law only required that DOD brief Congress on human clandestine activities.

The Senate Armed Services Committee voiced concerns that cyber activities were not included in the quarterly report on clandestine activities. But Vickers, in his answer, suggested that such emerging high-tech operations are not specifically listed in the law — a further indication that cyber oversight is still a murky work in progress for the Obama administration.

Vickers told the committee that the requirement specifically calls for clandestine human intelligence activity. But if confirmed, he said, he would review the reporting requirements and support expanding the information included in the report.

So this section appears to close Vickers’ loophole, now requiring that DOD brief Congress on its activities in its quarterly clandestine activities reports.

In addition to legally demanding briefings, the section appears to affirmatively approve–as clandestine activities–cyberattacks against an AUMF-authorized target (so, al Qaeda and people like Anwar al-Awlaki we claim to be included in AUMF), and cyberdefense against an attack on an asset of DOD.

By the way, anyone want to speculate whether a Specialist allegedly downloading several databases onto a Lady Gaga CD constitutes a cyberattack on a DOD asset? Because if this permission includes WikiLeaks, then this section might retroactively authorize attacks–say, DNS attacks on US-based servers–on WikiLeaks (note that DOD can attack outside the US, but such geographical limits are not placed on defensive actions).

In any case, as Chesney emphasizes, this section specifically authorizes attacks on AUMF-authorized targets and defense against attacks on DOD targets. Chesney notes that by calling these activities “clandestine,” it makes them a Traditional Military Activity.

That is to say, the language in § 962 refers to DOD authority to engage in cyber operations which are meant to go undiscovered but not meant to be denied.  That alone would presumably keep them from being categorized as a “covert action” subject to presidential finding and SSCI/HPSCI notification requirements.  Yet one can imagine that this does not quite suffice to solve the boundary dispute, insofar as it might not be clear on the front end that one would be willing to acknowledge sponsorship of an operation publicly if it becomes known…and indeed it might well be that the activity is very much meant to be both concealed and denied, making it hard at first blush to show that the activity is not a Title 50 covert action after all.  But in at least some instances there is a separate reason it should not be deemed a covert action: i.e., when the action is best understood as a high-tech equivalent to a traditional military activity (the “TMA” category being an explicit exception to the T50 covert action definition).  And that appears to be the case with the two categories explicitly described above, or at least arguably so.

The explanatory statement accompanying § 962 supports this reading.  It opens by stating that

[t]he committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

So, to summarize, this section appears to affirmatively authorize two types of activities, defining them as clandestine operations, and mandating that Congress get quarterly briefings on them.

But note this clause: “this section is not meant to identify all or in any way limit other possible military activities in cyberspace.”

So, it appears, there may be these two types of explicitly authorized clandestine operations, and then the stuff John Rizzo warned about.

I did want to mention–cause I find this interesting–cyberwarfare, on the issue of cyberwarfare. Again, increasing discussion there clearly is an active arena, will continue to be active. For us lawyers, certainly for the lawyers in the intelligence community, I’ve always found fascinating and personally I think it’s a key to understanding many of the legal and political complexities of so-called cyberlaw and cyberwarfare is the division between Title 10, Title 10 operations and Title 50 operations. Title 10 operations of course being undertaken by the Pentagon pursuant to its war-making authority, Title 50 operations being covert action operations conducted by CIA.

Why is that important and fascinating? Because, as many of you know being practitioners, how these cyber-operations are described will dictate how they are reviewed and approved in the executive branch, and how they will be reported to Congress, and how Congress will oversee these activities. When I say, “these activities,” I’m talking about offensive operations–computer network attacks.

This issue, this discussion, has been going on inside the executive branch for many years, actually. I mean I remember serious discussions during the Clinton Administration. So, again, this is not a post-9/11 phenomenon. Now, I’m speaking here from a CIA perspective, but I’ve always been envious of my colleagues at the Department of Defense because under the rubric of Title 10, this rubric of “preparing the battlefield.” They have always been able to operate with a–to my mind [?] a much greater degree of discretion and autonomy than we lawyers at CIA have been, have had to operate under, because of the various restrictions and requirements of Title 50 operations. Covert actions require Presidential Findings, fairly explicit reports to the Intelligence Oversight Committees. We have a very, our Intelligence Committees are … rigorous, rigorous and thorough in their review. I’ve never gotten the impression that the Pentagon, the military, DOD is subject to the same degree of scrutiny for their information warfare operations as CIA. I’m actually very envious of the flexibility they’ve had, but it’s critical–I mean I guess I could say interesting but critical how–I mean if there were operations that CIA was doing, they would be called covert actions, there’s no getting around that. To the extent I’ve ever understood what DOD does in this arena, they certainly sound like covert actions to me but given that I’ve had more than my hands full over the years trying to keep track of what CIA’s doing at any given time, I’ve never ventured deeply into that area. But I think it’s fascinating. [my emphasis]

Now, maybe this section just politely puts the kibosh on all of this Title 50 masquerading as Title 10 stuff, stuff done under the auspices of DOD to avoid the oversight requirements that Title 10 intelligence operations would require. Maybe this section limits DOD’s activities to its two authorized clandestine activities.

But I doubt it. With the language about not limiting DOD to these two functions, you can pretty much assume there’s some Special Access Programs (like the kind the Air Force refuses to talk to Congress about) not safe to be mentioned in public documents like laws.

Look on the bright side, though: Congress is at least requiring that DOD brief Congress on some of the secret stuff they’re doing in cyberspace.

Update: Specialist corrected per Ralph.

CIFA 2.0 Back in the Outsourcing Business

Remember the Counterintelligence Field Activity (CIFA)? Here’s how I described it back in 2007.

CIFA is, along with the National Security Letters Congress is now cracking down on, probably the biggest abuse of civil rights and privacy BushCo has hatched up. It was designed to gather intelligence on threats to defense installments in the United States–to try to collect information (in the TALON database) on threatening people scoping out domestic bases. But it ended up focusing on peace activists and the lefty blogosphere’s own Jesus’ General. 70 percent of CIFA’s employees are contractors, a figure that makes it a prime candidate for politicized contracting scandal.

Among the contractors spying on Americans was MZM, one of the companies that bribed Duke Cunningham. Prosecutors in that case started investigating MZM’s CIFA contracts in May 2006. Three months after that, the top two managers at CIFA, who had directed CIFA to keep sending MZM contracts, resigned suddenly. When DOD’s Inspector General tried to investigate CIFA in 2007, it discovered (it claimed) that the entire CIFA database had been destroyed in June 2006, just as prosecutors were closing in on those contracts.

Later, in 2008, just as CIFA was claiming it couldn’t publicly reveal its unclassified contracts, we learned that Stephen Cambone (who had led one of the inquiries into CIFA), had won a contract from it, sort of a payoff for not finding anything, I guess.

Later that year, DOD “disestablished” CIFA.

Or rather, they renamed it, calling it the Defense Counterintelligence and Human Intelligence Center. Then, last year, we learned that the database DOD claimed had been destroyed in 2006 really hadn’t been, and CIFA 2.0 was getting back in the business of keeping a database of information on big threats to the US like Quakers and bloggers.

The Defense Intelligence Agency wants to open a new repository for information about individuals and groups in what appears to be a successor to a controversial counterintelligence program that was disbanded in 2008.

The new Foreign Intelligence and Counterintelligence Operation Records section will be housed in DIA’s Defense Counterintelligence and Human Intelligence Center, or DCHC, formed after the demise of the Counterintelligence Field Activity, or CIFA, according to an announcement that appeared Tuesday in the Federal Register.

The “activity” was disbanded, but evidently not its records database, which seems to be headed to the new unit. One of the criticisms of CIFA was that it vacuumed up raw intelligence on legal protest groups and individuals from local police and military spies.

When the DCHC was launched in 2008, the Pentagon said “it shall NOT be designated as a law enforcement activity and shall not perform any law enforcement functions previously assigned to DoD CIFA.”

Why the new depository would want such records while its parent agency no longer has a law enforcement function could not be learned. Nor could it be learned whether the repository will include intelligence reports on protest groups gathered by its predecessor, CIFA.

The only thing left, at that point, was to figure out what defense contractor was getting rich spying on American citizens.

The answer? Lockheed Martin.

Lockheed Martin has openings for talented and motivated professionals in the counterintelligence (CI) field to be part of an evolving and highly specialized team that will provide direct support to the Defense Intelligence Agency’s (DIA) Defense Counterintelligence and Human Intelligence Center (DCHC).

Lockheed Martin is assembling a team which will function in CI areas such as: force protection; support to Joint Terrorism Task Force (JTTF); CI in Cyberspace; research, development and acquisitions; critical infrastructure protection; CI support to Offensive CI Operations; analysis & production (A&P); collections; campaigns; policy; assessments; TSCM; security; information assurance, and Enterprise governance support (administrative).

Not only is the entire concept wrong, using contractors to spy on Quakers and bloggers. Not only is it especially troublesome that Lockheed–a company with close ties to NSA–is doing this work (which would make it easy for reports from physical surveillance to migrate into the signals surveillance NSA does). But note what else is now included in CIFA 2.0: “CI in Cyberspace.” That is, Lockheed with its close ties to NSA is now in charge of spying on those claimed to present an online counterintelligence threat to the United States. And maybe doing things like hacking a media site to try to exercise illegal prior restraint.