FBI Director Mueller Boasts of FBI’s Cyber Expertise before Anonymous Hacks Cyber Call

As you may have heard, Anonymous hacked into and released a conference call between the FBI and Scotland Yard discussing their efforts to crack down on the hackers’ group.

What makes the hack all the more ironic is that its release comes just days after Robert Mueller bragged of the FBI’s cyber expertise at the Threat Assessment hearing on Tuesday (the actual call took place on January 17, which makes me wonder whether they have gotten subsequent calls as well). In response to Maryland (and therefore NSA’s) Senator Barbara Mikulski’s suggestion that the NSA was the only entity able to investigate cybercrime, Mueller insisted (after 2:01) the FBI can match the expertise of NSA. He even bragged about how important partnering with counterparts in other countries–like Scotland Yard–was to the FBI’s expertise.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

I don’t want to sell the FBI short or anything. But regardless of their expertise in investigating cybercrimes, it sure seems like they’ve got the same crappy security the rest of the Federal government has.




On the Manning Art. 32, Court Secrecy & Nat. Sec. Cases

I somehow stumbled into an article for The Nation by Rainey Reitman entitled Access Blocked to Bradley Manning’s Hearing. To make a long story short, in a Twitter exchange today with Ms. Reitman and Kevin Gosztola of Firedoglake (who has done yeoman’s work covering the Manning hearing), I questioned some of the statements and inferences made in Ms. Reitman’s report. She challenged me to write on the subject, so here I am.

First, Ms. Reitman glibly offered to let me use her work as “foundation” to work off of. Quite frankly, not only was my point not originally to particularly go further; my point, in fact, was that her foundation was deeply and materially flawed.

Reitman starts off with this statement:

The WikiLeaks saga is centered on issues of government transparency and accountability, but the public is being strategically denied access to the Manning hearing, one of the most important court cases in our lifetime.

While the “WikiLeaks saga” is indeed centered on transparency and accountability for many of us, that simply is not the case in regard to the US Military prosecution of Pvt. Bradley Manning. The second you make that statement about the UCMJ criminal prosecution of Manning, you have stepped off the tracks of reality and credibility in court reportage and analysis. The scope of Manning’s Article 32 hearing was, and is, whether the crimes detailed in the charging document were committed and whether there is reason to believe Manning committed them. Additionally, in an Article 32 hearing, distinct from a civilian preliminary hearing, there is limited opportunity for personal mitigating information to be adduced in order to argue for the Investigating Officer to recommend non-judicial punishment as opposed to court martial trial. That is it. There is no concern or consideration of “transparency and accountability”, within the ambit suggested by Ms. Reitman, in the least.

Calling the Manning Article 32 hearing “one of the most important court cases in our lifetime” is far beyond hyperbole. First off, it is, for all the breathless hype, a relatively straightforward probable cause determination legally and, to the particular military court jurisdiction it is proceeding under, it is nothing more than that. The burden of proof is light, and the issues narrow and confined to that which is described above. The grand hopes, dreams and principles of the Manning and WikiLeaks acolytes simply do not fit into this equation no matter how much they may want them to. Frankly, it would be a great thing to get those issues aired in this country; but this military UCMJ proceeding is not, and will not be, the forum where that happens.

Moving on, Reitman raises the specter of “the death penalty” for Manning. While the death penalty remains a technical possibility under one of the charges, the prosecution has repeatedly stated it will not be sought and, after all the statements on the record in that regard, there is simply no reason to embellish otherwise. Reitman next states:

This case will show much about the United States’s tolerance for whistleblowers who show the country in an unflattering light.

No, it most certainly will not. In fact, the Manning criminal military prosecution has nothing whatsoever to do with “whistleblowers”. Despite the loose and wild eyed use of the term “whistleblower” in popular culture, not to mention by supporters of Bradley Manning, the concept and protection simply do not legally apply to Manning, nor to most any of the situations it is commonly invoked in regards to. Despite all the glittering generality with which the term is bandied about, a whistleblower defense does not particularly exist at common law; but, rather, is a statutory justification defense which must be affirmatively pled. In the scope of military jurisdiction, the sole availability of the defense is set out in The Military Whistleblower Protection Act, codified in 10 USC 1034, which provides, inter alia:

(a) Restricting Communications With Members of Congress and Inspector General Prohibited.—
(1) No person may restrict a member of the armed forces in communicating with a Member of Congress or an Inspector General.
(2) Paragraph (1) does not apply to a communication that is unlawful.
(b) Prohibition of Retaliatory Personnel Actions.—
(1) No person may take (or threaten to take) an unfavorable personnel action, or withhold (or threaten to withhold) a favorable personnel action, as a reprisal against a member of the armed forces for making or preparing—
(A) a communication to a Member of Congress or an Inspector General that (under subsection (a)) may not be restricted; or
(B) a communication that is described in subsection (c)(2) and that is made (or prepared to be made) to—
(i) a Member of Congress;
(ii) an Inspector General (as defined in subsection (i)) or any other Inspector General appointed under the Inspector General Act of 1978;
(iii) a member of a Department of Defense audit, inspection, investigation, or law enforcement organization;
(iv) any person or organization in the chain of command; or
(v) any other person or organization designated pursuant to regulations or other established administrative procedures for such communications.

Bradley Manning, as admirable as we may find his purported acts, did not release to and/or through a member of Congress, Inspector General, nor any other permitted/authorized person in his chain of command or otherwise. Not even close. Bandying about the term “whistleblower” in terms of Bradley Manning’s UCMJ prosecution is simply disingenuous. A whistleblower defense has neither been affirmatively pled by Manning’s defense, nor is it even remotely available.

Next, there is a complaint by Ms. Reitman that there is “No Transcript Available”. Yeah, welcome to the world of military law; this is not unusual. In fact, the answer of maybe in “three to four months” she got from some authority at Ft. Meade is actually responsive and impressive considering she was neither a party nor counsel of record. This is simply not unique to Manning, nor particularly nefarious in the least; it is the way it is in this jurisdiction. Same goes for “Computers and Recording Devices Banned”, which she also complained of.

Buck up sister, and understand whose sandbox you are playing in. You are subject to the rules, procedures and whims of the court in any given jurisdiction; and that is the way it has long been in courts martial proceedings under the UCMJ. To be honest, it is often not much, if any, better in many Article III Federal courts. Transcripts are the property of the court and court reporter unless and until filed on the docket; you can get one, but you pay a steep price for that pleasure. Further, although it has gotten much better since Marcy Wheeler and Jane Hamsher opened up the can of liveblogging worms via the Scooter Libby trial, it is still hit and miss as to whether federal court houses and rooms across the country permit computers and “recording devices” at all.

Ms. Reitman also complains that limited portions of Mr. Manning’s Article 32 proceeding were conducted in a closed court, with the public and press excluded. It is hard to discern whether she simply does not understand court process in relation to classified and protected information, or if it simply offends her rose-colored view of how things would be in a utopian world. The fact, however, is that the federal government takes classified information seriously in court proceedings, and always has. And courts do too; in fact, the one place you never hear about leaks coming from is federal and military courts. That is the single best argument for limiting the use of the “state secrets privilege” in federal civil courts and the CIPA process in federal criminal courts.

In fact, without the CIPA process, it would be nearly impossible to prosecute breaches in government security and classified information that truly are legitimate and in the interest of national security; otherwise, every defendant would escape via a graymail defense. Yes, legitimate instances of appropriate prosecutions do indeed exist. And, yes, the CIPA process is indeed embedded into UCMJ law via Military Rule of Evidence 505. Notably, the full panoply of Rule 505 CIPA-like procedures do not vest until the trial process, after the case is referred from an Article 32 hearing; however, the direct provision for the closed proceedings utilized in Pvt. Manning’s Article 32 are so promulgated in Rule 505 (C)(3):

Article 32 proceedings, like courts-martial, are open to the public. This means that Article 32 investigations may only be closed in accordance with the procedures discussed in the next chapter. Under M.R.E. 505, the assertion of the classified information privilege may not occur at the Article 32 stage of the court-martial proceeding. Instead, under M.R.E. 505(d)(5), the convening authority may choose to withhold disclosure of the information, if disclosure would cause identifiable damage to the national security. Where the information is withheld, the investigating officer does not hold a hearing under M.R.E. 505(i) to determine the classified information’s relevance and necessity to an element of an offense. Those provisions all apply post-referral, in front of the military judge. If the convening authority provided classified information to the defense in discovery, it is entirely possible that classified information will be introduced during the Article 32 proceeding, by one of the parties or through witness testimony, without substantive discussion of their contents. This is most commonly referred to as the “silent witness” rule. Alternatively, the parties may decide to introduce the evidence in a closed session. When that happens, the IO will need to conduct a closure hearing under R.C.M. 806(b)(2), as discussed in Chapter Ten.

Well, Ms. Reitman, that is exactly what was done by the Convening Authority and Investigating Officer in Pvt. Manning’s Article 32 process. Whether you approve or not is irrelevant; that is the well established and statutory procedure. It is what is mandated, Ms. Reitman, not some nefarious conspiracy by Big Brother to deny you.

The rest of Ms. Reitman’s gripes are ticky-tack, as opposed to substantive, although I would like to address briefly her beef regarding the security procedures at Ft. Meade. This simply borders on the absurd. Ft. Meade is not just a United States Army military installation, but is the headquarters of United States Cyber Command, the National Security Agency, and the Defense Courier Service. Yes, they have strict security for access and traverse of any portion of the installation. It is unclear why Ms. Reitman finds this notable, much less shocking.

One last thing that is more of a pet peeve of mine than a direct point of Ms. Reitman’s, although she prominently mentions him: Daniel Ellsberg. Both Ellsberg himself, and the legion of Bradley Manning supporters, have compared Manning to Ellsberg. Mr. Ellsberg is a mythic figure to the anti-war and progressive left, and while it is easy to see how many would have that admiration for his freeing of the Pentagon Papers, in many ways it is a false paradigm to compare him with Manning. While I think they are fairly distinguishable in detail, I will leave that for another day. What they ought to keep in mind is that Daniel Ellsberg was guilty of the criminal charges filed against him and, but for the fortuitous intervention of inexplicably egregious prosecutorial misconduct causing dismissal, Ellsberg would have been convicted in 1973 and would quite likely just recently have gotten out of federal prison. Ellsberg himself admits as much. Manning supporters would do well to keep this in mind for perspective.

There is an abundance of misinformation and hyperbole regarding Pvt. Bradley Manning and WikiLeaks coursing through the internet ether already; it does neither the public, nor Mr. Manning’s enthusiastic supporters, any favor or service for Ms. Reitman to add yet more.




Ahmed Warsame and Stuxnet

Back in November, I suggested one intended purpose of the detainee provisions in the Defense Authorization is to require a paper trail that would make it a little harder for the Administration to disappear detainees on floating prisons. The bill:

  • Requires written procedures outlining how the Administration decides who counts as a terrorist
  • Requires regular briefings on which groups and individuals the Administration considers to be covered by the AUMF
  • Requires the Administration submit waivers whenever it deviates from presumptive military detention

These are imperfect controls, certainly. But they do seem like efforts to bureaucratize the existing, arbitrary, detention regime, in which the President just makes shit up and tells big parts of Congress–including the Armed Services Committees, who presumably have an interest in making sure the President doesn’t make the military break the law–after the fact.

I suggested this effort to impose bureaucratic controls was, in part, a reaction to the Ahmed Warsame treatment, in which it appears that the Armed Services Committees learned Obama had declared war against parts of al-Shabaab and used that declaration as justification to float Warsame around on a ship for two months. (It appears that the Intelligence Committees, but not the Armed Services Committees, got briefed in this case, though Admiral McRaven was testifying about floating prisons as it was happening). [Update: I may be mistaken about what Lindsey Graham’s language about making sure the AUMF covered this action meant, so italicized language may be incorrect.]

This is not to say the ASCs are going to limit what the President does–just make sure they know about it and make sure the military has legal cover for what they’re doing.

With that in mind, take a look at Robert Chesney’s review of the new cyberwar authorization in the Defense Authorization, which reads:

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

Chesney’s interpretation of this troubling language is that by requiring a Presidential statement in some cases, it will force interagency consultation before, say, DOD launches a cyberwar on Iran. (Oh wait, too late.)

Second, the utility of insisting upon presidential authorization, as opposed to just SecDef authorization or that of a commander, is that it makes it likely if not certain that there would be interagency screening of the proposed OCO (or set thereof) under the auspices of the NSC staff process, with more than just DOD weighing in on the question. For example, the State Department – whose institutional equities dispose it to perhaps pay more attention to collateral/unintended consequences that an operation might have on other countries – might well have more of a voice as a proposal for a particular operation makes its way up the chain to the President. In this respect, I should emphasize at this point that the public record reveals that there has been a fairly long-running fight over just these sorts of issues within the executive branch over the past couple of years. Ellen Nakashima’s story last week is highly relevant here, and there also is relevant material in the Schmitt & Shanker book Counterstrike. Hard to tell from the outside if section 954 is a codification of what has been worked out, or if instead it will break some sort of logjam.

At least as Chesney reads it (and you should click through for the full post), this is about imposing the same kind of inadequate bureaucratic controls that the detainee provisions appear at least partly to impose.

Both, in other words, seem to be an effort to stop the Executive Branch from just launching wars unilaterally without a paper trail and adequate review.

Now, I suggested the detainee provisions were, in part, a response to Warsame’s treatment. If so, is Stuxnet (and Duqu) the reason behind the cyberwar provision? Is it the proposed Libyan cyberattack, which was reportedly called off? Or did the Administration launch another cyberwar, one that hasn’t broken in the press yet?

In any case, it’s not like Congress is telling the President to stop launching wars. Just to do so in some organized bureaucratic fashion.




Did Iran Hack Our Drone?

I’ve been saying for some time that America’s hubris about drones will end as soon as one of our antagonists figures out how to hack them.

Which is why it’s interesting that Iran has updated its claims to have “shot down” an American drone to suggest they had “brought it down.” (Note, I found this statement on the Mehr website, but not the Fars one.)

The wreckage of the Lockheed-Martin RQ-170 Sentinel stealth drone was largely intact after it was downed, the Fars news agency said.

“Iran’s army has downed an intruding RQ-170 American drone in eastern Iran,” Arabic-language al-Alam TV said, quoting an anonymous source.

“The spy drone, which has been downed with little damage, was seized by the armed forces,” the news network added.

The cyber warfare unit managed to take over controls of the drone and bring it down, a military official said, according to the TV.

An unnamed military official also told the Fars that Iran’s response “will not be limited to the country’s borders.” [my emphasis]

And after some initial doubts that the Iranian claims were correct, ISAF has now admitted that they lost control of a drone last week.

The UAV to which the Iranians are referring may be a US unarmed reconnaissance aircraft that had been flying a mission over western Afghanistan late last week. The operators of the UAV lost control of the aircraft and had been working to determine its status.

Though the US remains coy over whether DOD was operating the drone (suggesting an Afghan mission) or the CIA was (suggesting a non-Afghan mission).

Although the Sentinel was developed for the Air Force, the U.S. official declined to confirm whether it was the U.S. military or the U.S. intelligence community operating the drone at the time of the incident.

Mind you, lurking in the background are the two recent attacks on Iran–the assassination of Hassan Moqaddam and the explosion in Isfahan. With both those previous explosions, Iran has officially offered conflicting stories about whether or not there was an explosion or why. If the drone was conducting reconnaissance of missile runs over Iran, both sides might say Iran “brought it down” to avoid discussions of where the drone was operating.

Remember, though: less than two months ago, Wired revealed that someone had gotten keylogger software onto Creech Air Force Base’s system in Nevada. So someone already infiltrated the Air Force drone system. It’s just not clear who did so.

Update: Also remember the probable disinformation from a few weeks back saying that the Israelis deliberately let Hezbollah take down one of its drones over Lebanon, which it then detonated to blow up a weapons depot. One reason the ISAF might admit to losing a drone is if it wasn’t their drone.

Update: This appears to confirm the Iranians were right. Though I would suggest both sides still might be lying about aspects of this.




Why the Iraq AUMF Still Matters

The big headline that came out of yesterday’s American Bar Association National Security panels is that DOD General Counsel Jeh Johnson and CIA General Counsel Stephen Preston warned that US citizens could be targeted as military targets if the Executive Branch deemed them to be enemies.

U.S. citizens are legitimate military targets when they take up arms with al-Qaida, top national security lawyers in the Obama administration said Thursday.

[snip]

Johnson said only the executive branch, not the courts, is equipped to make military battlefield targeting decisions about who qualifies as an enemy.

We knew that. Still, it’s useful to have the Constitutional Lawyer President’s top aides reconfirm that’s how they function.

But I want to point to a few other data points from yesterday’s panels (thanks to Daphne Eviatar for her great live-tweeting).

First, Johnson also said (in the context of discussions on cyberspace, I think),

Jeh Johnson: interrupting the enemy’s ability to communicate is a traditionally military activity.

Sure, it is not news that the government (or its British allies) have hacked terrorist “communications,” as when they replaced the contents of AQAP’s online propaganda magazine, Inspire, with cupcake recipes (never mind whether it’s effective to delay the publication of something like this for just one week).

But note what formula Johnson is using: they’ve justified blocking speech by calling it the communication of the enemy. And then apparently using Jack Goldsmith’s formulation, they have said the AUMF gives them war powers that trump existing domestic law, interrupting enemy communications is a traditional war power, and therefore the government can block the communications of anyone under one of our active AUMFs.

Johnson also scoffed at the distinction between the battlefield and the non-battlefield.

Jeh Johnson: the limits of “battlefield v. Non battlefield is a distinction that is growing stale.” But then, it’s not a global war. ?

Again, this kind of argument gets used in OLC opinions to authorize the government targeting “enemies” in our own country. On the question of “interrupting enemy communication,” for example, it would seem to rationalize shutting down US based servers.

Then, later in the day Marty Lederman (who of course has written OLC opinions broadly interpreting AUMF authorities based on the earlier Jack Goldsmith ones) acknowledged that Americans aren’t even allowed to know everyone the US considers an enemy.

Lederman: b/c of classification, “we’re in armed conflicts with some groups the American public doesn’t know we’re in armed conflict with.”

Now, as I’ve noted, one of the innovations with the Defense Authorization passed yesterday is a requirement that the Executive Branch actually brief Congress on who we’re at war with, which I take to suggest that Congress doesn’t yet necessarily know everyone who we’re in “armed conflict” with.

Which brings us to how Jack Goldsmith defined the “terrorists” whom the government could wiretap without a warrant.

the authority to intercept the content of international communications “for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are reasonable grounds to believe … [that] a party to such communication is a group engaged in international terrorism, or activities in preparation therefor, or any agent of such a group,” as long as that group is al Qaeda, an affiliate of al Qaeda or another international terrorist group that the President has determined both (a) is in armed conflict with the United States and (b) poses a threat of hostile actions within the United States;

It’s possible the definition of our enemy has expanded still further since the time Goldsmith wrote this in 2004. Note Mark Udall’s ominous invocation of “Any other statutory or constitutional authority for use of military force” that the Administration might use to authorize detaining someone. But we know that, at a minimum, the Executive Branch used the invocations of terrorists in the Iraq AUMF–which are much more generalized than the already vague definition of terrorist in the 9/11 AUMF–to say the President could use war powers against people he calls terrorists who have nothing to do with 9/11 or al Qaeda.

So consider what this legal house of cards is built on. Largely because the Bush Administration sent Ibn Sheikh al-Libi to our Egyptian allies to torture, it got to include terrorism language in an AUMF against a country that had no tie to terrorism. It then used that language on terrorism to justify ignoring domestic laws like FISA. Given Lederman’s language, we can assume the Administration is still using the Iraq AUMF in the same way Goldsmith did. And yet, in spite of the fact that the war is ending, we refuse to repeal the AUMF used to authorize this big power grab.




Robert Mueller Once Again Claims Anna Chapman a Bigger Threat to US than Lloyd Blankfein

Robert Mueller addressed the Commonwealth Club in San Francisco today. He repeated a familiar theme: the biggest threats to the United States are terrorists (even aspirational ones), spies, and cyber attacks.

Terrorism, espionage, and cyber attacks are the FBI’s top priorities. Terrorists, spies, and hackers are always thinking of new ways to harm us.

As he tends to do when spreading this propaganda, Mueller once again focused on Anna Chapman and her band of suburban spies.

Consider the arrest last year of 10 agents of the Russian Foreign Intelligence Service. Many of you may have seen TV news stories and videos covering the techniques we used in our investigation, code-named Ghost Stories. It featured the stuff of a John Le Carré novel—dead-drops in train tunnels, brush passes at night, and clandestine meetings in cafés.

Though he did add the example of Kexue Huang, who sent information on organic pesticides and food to Germany and China, to his list of scary spies who threaten our country.

Last month, Kexue Huang, a former scientist for two of America’s largest agricultural companies, pled guilty to charges that he sent trade secrets to his native China.

While working at Dow AgriSciences and later at Cargill, Huang became a research leader in biotechnology and the development of organic pesticides. Although he had signed non-disclosure agreements, he transferred stolen trade secrets from both companies to persons in Germany and China. His criminal conduct cost Dow and Cargill millions of dollars.

Finally, Mueller added a neat new twist to his list of people who pose a big threat to this country. The hackers who hacked into the BART website after BART cops killed the unarmed Oscar Grant and later Charles Blair Hill, and after BART shut down cell service to interrupt free speech will bring anarchy!

And “hacktivist” groups are pioneering their own forms of digital anarchy. Here in the Bay Area, you witnessed their work firsthand when individuals hacked the BART website and released personal data of BART customers.

Because it’s not anarchy when cops shoot unarmed or drunk men. It’s not anarchy when transit companies unilaterally shut down your phone. It’s only anarchy when the hackers get involved.

You’ll note what’s missing, as it always is, from Mueller’s list of scary threats to the country? Not a peep about the banksters whose systematic fraud has done–and continues to do–far more financial damage than 9/11.

It’s anarchy, apparently, when a bunch of kids break into a website. But it’s not anarchy when banksters rewrite property law to steal the homes of millions of Americans.




CHINA! and RUSSIA! and [an unnamed ally that is likely Israel] Are Stealing Our Stuff!

Last week, ODNI released a report on economic cyberespionage that is raising eyebrows for the way it explicitly named China and Russia as the sponsors of that espionage.

Jack Goldsmith wonders what naming them will accomplish.

I am sure that naming the Chinese and Russians specifically and openly was a big deal inside the government. The Wall Street Journal reports that a “senior intelligence official said it was necessary to single out specific countries in order to confront the problem and attempt to contain a threat that has gotten out of control.” Perhaps so, but naming names alone will not accomplish much. For one thing, the U.S. government has presented no public evidence on Chinese and Russian cyberespionage, and those countries generally deny it. (Chinese Embassy spokesman Wang Baodang said yesterday, in response to the DNI Report, that China opposes “any form of unlawful cyberspace activities.”) For another, cyberespionage does not violate international law. For yet another, the United States itself, while it does not engage in broad-ranging industrial or economic espionage, does do so on a limited scale.

[snip]

In light of these factors, it is hard for me to understand what naming names is supposed to accomplish, especially since the Chinese and Russian hand in industrial espionage is widely known.

Whereas Shane Harris compares this moment to Churchill’s Iron Curtain speech.

The report marks the first time the United States government has unequivocally stated, in emphatic and highly publicized fashion, that China and Russia are responsible for a pervasive electronic campaign to steal American intellectual property, trade secrets, negotiating strategies, and sensitive military technology. This is not the first time sitting US officials have singled out Chinese and Russian cyber theft. But those complaints were largely off the record and carefully calibrated not to be read as a shot across the bow of America’s strategic adversaries. This report, however, is that shot.

[snip]

And one is tempted to draw parallels to pivotal moments of the last cold war, which were underappreciated at the time, or even ridiculed. The release of this report may turn out to be the Internet’s Iron Curtain moment. Though it landed with much less ceremony and eloquence than Sir Winston Churchill’s fateful 1946 address, it nevertheless does the same job: It makes clear the stakes as the United States intelligence community sees them, and it throws down a challenge against Russia and China, which are judged to be the two greatest strategic threats to American prosperity and influence.

But there’s something funny about this grand moment. Sure, the report names and shames China and Russia. But it also makes clear that our allies [cough, Israel] are also stealing our stuff. Here’s how the executive summary presents the culprits.

  • Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.
  • Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
  • Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

If this theft is such a big deal, then it’s a big deal whether China does it or Israel. Hell, since Israel often steals our defense information and then sells others the war toys we sell to them, in some ways it presents a more immediate threat.

And whatever the significance of naming China and Russia might be if they were the only culprits, shaming them while at the very same time admitting that our buddies do the same thing sort of makes us look like chumps or hypocrites.

Which is all the more hysterical given that the report cover features a thumb drive–the means by which we continue to make it child’s play to give us viruses that make stealing our stuff easier–wielded like a bright red gun to represent the danger.




Why Does Duqu Matter?

The short answer is that if your PC got infected by Stuxnet last year, you were just collateral damage unless you were operating a very specific set of uranium enrichment centrifuges. If you get Duqu this year, your network is under attack from a CIA/Mossad operation. That might seem a little outrageous, but bear with me while we get into the weeds of what Duqu is all about. I will lay out a set of assertions that lead to the conclusion that Duqu really is the “precursor to the next Stuxnet,” as Symantec says in its whitepaper.

1. Stuxnet was created by the CIA and the Mossad

Although no one has officially claimed responsibility for Stuxnet, both the U.S. and Israeli governments have done everything but take official responsibility. Neither government has ever denied responsibility, even when directly asked. In fact, officials in both governments have been reported as breaking out in big smiles when the subject comes up.

2. Duqu is from the same team that created Stuxnet.

The first clue that Duqu is from the Stuxnet team is the similarity between the rootkit components in the two pieces of malware. The folks who have studied the two most closely are sure that Duqu is based on the Stuxnet component’s source code. Despite what you may have read on the internet, the actual source code to Stuxnet is not publicly available. Some folks have reverse-engineered parts of Stuxnet from the binaries that are available; for various technical reasons, I’m sure those reconstructions don’t serve as the basis for Duqu.

Duqu even has a fix for a bug in Stuxnet. Also, the only two pieces of malware known to install themselves as Windows device drivers signed with legitimate, but stolen, digital certificates are Stuxnet and Duqu (Stuxnet’s drivers carried Realtek and later JMicron signatures; Duqu’s driver carried a C-Media certificate). Both Stuxnet and Duqu were active in the wild and managed to evade detection for many months. While that’s not unheard of for malware, it is another point of similarity.

Stuxnet targeted a specific industrial control system (ICS) installation (the Siemens PLCs that were used to control the centrifuges at Natanz). Here’s the latest on what Duqu targets:

Some of the companies affected or targeted by Duqu include the actual equipment that an ICS would control such as motors, pipes, valves and switches. To date, the vendors that make the PLC, controllers and systems/applications found in control centers are not yet affected, although this information could change as more variants are identified and these vendors look more closely at their systems.

There are no other known instances of computer malware that target these sorts of installations.

 

3. Stuxnet was a worm, Duqu is not.

Stuxnet was a very aggressive computer worm. It had to be to jump the “air gap” that protects a secure ICS such as the system that ran the Natanz installation. When Stuxnet was discovered, the A-V vendors quickly found that roughly a hundred thousand computers (Symantec’s count) had been (benignly) infected with it. Duqu, on the other hand, has been found on only a handful of computers. Interestingly, no one has yet discovered the dropper, that is, the program used to place the Duqu rootkit on the infected machines. This is almost certainly because Duqu is being placed on these machines via a spear phishing attack. In spear phishing, specific targets are chosen and the attack is customized to the target.

4. Duqu is being used to download a RAT (Remote Access Trojan)

The rootkit component was used to download a standalone program designed to steal information from the computer that it has infected (including screenshots, keystrokes, lists of files on all drives, and names of open windows). Duqu is doing computer network reconnaissance. The information gathered by Duqu is very useful for planning future attacks. Before the command and control server was taken off-line, Symantec observed Duqu downloading three additional files to an infected machine.   The first was a module that could be injected into other processes running on the machine to gather some process-specific information as well as the computer’s local and system times (including time zone and daylight savings time bias). Another downloaded module was used to extend the normal 36-day limitation on Duqu installations. The last downloaded module was a stripped down version of the standalone RAT, lacking the key logging and file exploration functionality.

5. Put it all together and it adds up to a well-executed, highly targeted covert operation

For the last ten months, Duqu has been quietly stalking a small number of industrial manufacturers. No one even noticed before early September, and it wasn’t until last week that the nature of the threat was clear to anyone. Duqu is spying on a handful of companies, gathering data that will be used for the design and development of the true Stuxnet 2.0. One thing we don’t know is who the target of Stuxnet 2.0 will be. But I have a suspicion. Nothing indicates that the ultimate target (i.e., Iran) of the Stuxnet team has changed. In August of this year, Iran announced that it had activated its first pre-production set of its newer IR-2m and IR-4 centrifuges. These are the successors to the centrifuges that Stuxnet attacked. If you wanted to do to these centrifuges what Stuxnet did to the earlier IR-1 centrifuges, you would need a lot of specific data about the safe operating specs of the various components that go into making advanced centrifuges. If you knew or suspected who was supplying Iran with these components, you might want to gather some data from the internal networks of those suppliers. That’s what I think the point of Duqu really is.




Yet Another “Lady Gaga” Exposure Forces DOD to Wipe Drone Control Computers

On Friday, Wired broke the news that the DOD suffered yet another breach because they continue to leave computers exposed to outside storage systems. (h/t WO) In this case, the Ground Control Stations they use to control drones got infected with a keylogger virus.

But time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. The Pentagon is still disinfecting machines, three years later.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

After a virus was introduced into computers in Iraq three years ago via thumb drive, DOD claimed it had prohibited the use of any removable media with their computers. But then Bradley Manning allegedly removed hundreds of thousands of classified cables from SIPRNet using a Lady Gaga CD. Rather than making all computers inaccessible to removable media at that point, DOD left 12% of their computers vulnerable, deploying a buddy system to prevent people from taking files inappropriately; but human buddy systems don’t necessarily prevent the transmission of viruses.

The good news is that the Host-Based Security System implemented in response to Wikileaks discovered the virus–two weeks ago.

But here’s the other interesting wrinkle. To get rid of these viruses, techs have resorted to wiping the hard drives of the targeting computers.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

Given what little we know about the Anwar al-Awlaki assassination (which, as Wired points out, happened after the virus was known to have infected these computers), this should not affect the computers that ten days ago killed two US citizens with no due process. The Newsweek story describing the CIA’s targeting process says that targeting is done in VA, not NV, where the virus hit.

But particularly given the questions about Samir Khan’s death, consider if that weren’t the case. That would mean a key piece of evidence about whether or not the US knowingly executed an American engaging in speech might be completely eliminated, wiped clean to fix a predictable virus.

That’s not the only risk, of course. We’ve talked before about how long it’ll take for Iran or Mexican drug cartels to hack our armed drones. If this virus were passed via deliberate hack, rather than sloppiness, then we might be one step closer to that eventuality.

All because DOD continues to refuse to take simple steps to secure their computers.
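One of those simple steps, shown here as an added example that is not from the original post, from DOD or from Wired: on a Windows ground-station host, Group Policy can refuse to mount removable disks and optical media at all, and AutoRun can be switched off so a planted autorun.inf (the agent.btz vector) never executes. The script below assumes a Windows 7-era machine and the registry locations that back the “All Removable Storage classes: Deny all access” policy and the Explorer NoDriveTypeAutoRun setting; the function names and the Before/After output are my own.

```powershell
# Added example (not DOD's, not the original post's): audit and enforce removable-media
# restrictions on a single Windows host. Run in an elevated PowerShell session.
# Assumption: the Group Policy "All Removable Storage classes: Deny all access" is backed by
# HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All (DWORD 1),
# and AutoRun is governed by Explorer\NoDriveTypeAutoRun (0xFF = off for every drive type).

$RemovablePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$ExplorerPolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RemovableMediaState {
    # Returns a small object describing the weak-or-corrected state of both settings.
    $denyAll = 0
    if (Test-Path $RemovablePolicyKey) {
        $denyAll = (Get-ItemProperty -Path $RemovablePolicyKey).Deny_All
    }
    $autorun = 0
    if (Test-Path $ExplorerPolicyKey) {
        $autorun = (Get-ItemProperty -Path $ExplorerPolicyKey).NoDriveTypeAutoRun
    }
    [pscustomobject]@{
        RemovableStorageDenied = ($denyAll -eq 1)
        AutoRunDisabled        = ($autorun -eq 0xFF)
    }
}

function Set-RemovableMediaLockdown {
    # Corrected setting: deny every removable storage class (USB disks, CD/DVD, floppy)
    # and disable AutoRun for all drive types. Takes effect after gpupdate or a reboot.
    foreach ($key in $RemovablePolicyKey, $ExplorerPolicyKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $RemovablePolicyKey -Name 'Deny_All' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ExplorerPolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
}

# Weak setting: the Windows default. Neither value exists, so USB disks and CDs mount
# read/write and autorun.inf is honored. This is the state the Creech machines were in.
Write-Host 'Before:'; Get-RemovableMediaState | Format-List

Set-RemovableMediaLockdown

Write-Host 'After:'; Get-RemovableMediaState | Format-List

# Show what is attached right now so the operator knows which drives the policy will bite.
# DriveType 2 = removable disk, 5 = CD-ROM.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
    Select-Object DeviceID, VolumeName, DriveType
```

Two caveats a practitioner would want. Disabling AutoRun alone would not have stopped Stuxnet, whose removable-drive vector was a malicious shortcut (LNK) file rendered by Explorer, which is why the Deny_All policy, not the AutoRun tweak, is the real control. And the policy only governs storage classes: a USB device that presents itself as a keyboard is untouched by it, so on a machine that must never see outside media the ports still want physical or HBSS device-control enforcement as well.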




The Omnivore Bites Back

Okay, okay, I should have used a pun on “Echelon” for my title here, not “Carnivore.” After all, it was that earlier SigInt program that the US and its Anglophone partners used to steal industrial secrets in the 1990s.

The point being that, while I am concerned by McAfee’s description of the extent of the data theft carried out in the last six years using a hack it calls Shady RAT, I am also cognizant that the US has used equivalent tactics to steal intellectual property in the past and present.

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.

 

McAfee provides all the clues to make it clear China is behind these hacks–though it never says so explicitly.

The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks. The presence of political non-profits, such as a private Western organization focused on promotion of democracy around the globe or a U.S. national security think tank, is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.

The report is perhaps most interesting because of some of the entities–along with the defense contractors and US and other government agencies–described as targets of this hack: a number of construction companies (which could include companies like KBR), real estate firms, various state and county governments, two think tanks, and the NY and Hong Kong offices of a US media company. These are where the secrets China wants to steal are kept.

The problem, of course, is that our intellectual property is one of the few advantages the US has left. Our exports are increasingly limited to things that rely on legally enforcing intellectual property to retain its value: drugs, movies and music, software, GMO ag. Which sort of makes China’s ability to sit undetected in the servers of these kinds of organizations for up to 28 months a bit of a problem.

Good thing the FBI is busy going after hacktivists and whistleblowers instead.