Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity

Two and a half years after privatized auditors largely signed off on practices that contributed to the collapse of Wall Street, and a year after coziness between government inspectors and the oil industry they regulate allowed a massive oil spill in the gulf, the Obama Administration proposes relying on private auditors to ensure that private companies guard our nation’s cybersecurity.

That’s one of two troubling aspects of the fact sheet the Administration just released, summarizing proposed legislation on cybersecurity it just sent to Congress.

At issue is who investigates the adequacy of a private company’s cybersecurity plan, both to certify that it is adequate and to ensure compliance with it. The answer? Auditors paid by the private companies.

The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Securities and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate. In the event that the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology, could modify a framework. DHS can also work with firms to help them shore up plans that are deemed insufficient by commercial auditors.

While the promise to make these plans transparent is all well and good, the problem remains that private companies and the auditors they pay get to decide what is sufficient, not someone without a financial stake in the outcome. If government inspectors are important enough for safety issues, shouldn’t they be required for the cyberinfrastructure that is so critical to our safety?

In addition, a big part of this plan may give up one of the sticks the government has to ensure compliance.

One of the reasons why private companies don’t like to reveal when they’ve been hacked is liability issues: not only might their customers respond badly, but in some fields (like finance companies) the companies may face other liability issues.

But the fact sheet offers companies immunity, at the least, for any private data they share with the government when they reveal they have been hacked.

Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

The fact sheet doesn’t describe the extent of the immunity, and the plan does, at least, make immunity contingent upon privacy protections.

  • When a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.

  • Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.

But I wonder about the breadth of this immunity. Does it also offer companies immunity for negligence in the handling of consumer data?

One thing that Al Franken, among others, is pushing is making it easier for consumers to expect a certain level of protection for their data. Thus, if Sony has two-year-old consumer data sitting around on an insecure server, it would bear some liability if a hacker came and accessed that data. Such measures would effectively expose companies to lawsuits if they totally blew off their customers’ data security.

Now at least this proposal mandates that companies tell consumers when their data has been accessed (though I always worry when federal legislation claims to simplify state legislation–it’s often code for “water down”).

National Data Breach Reporting. State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

But it’s not clear whether companies would bear any liability for such breaches if and when they alert consumers. Moreover, this says nothing about other public disclosure on breaches, which consumers may have as big an interest in (for example, investors ought to be able to know if banks and other major investors routinely get hacked, and stock holders ought to be able to know if critical proprietary information has been stolen).

Call me crazy, but my hackles start to rise when the government starts granting immunity willy-nilly, with almost nothing demanded in exchange.

Update: Kashmir Hill offers one example of why a national “simplified” law might be a problem–because it’ll eliminate elements like mandatory identity theft protection and penalties from the most stringent law, in MA.

As for telling customers about their data being breached, the White House says it will “help businesses” by simplifying and standardizing the “existing patchwork of 47 state laws” that have various requirements about how soon to notify customers. In the fact sheet, at least, there’s no mention of penalties for businesses, nor mandatory provision of identity theft monitoring after a breach — two aspects of the harshest data breach law currently in the country, in Massachusetts.

Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now

Robert Chesney notes that the HASC Mark on the Defense Authorization bill includes a section on cyberwar. Here’s the entire section:

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to the Authorization for the Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) outside of the United States or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities.

While these terrorist actions often lead to increased danger for U.S. and coalition forces in areas of ongoing hostilities, terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally.

In certain instances, the most effective way to neutralize threats and protect U.S. and coalition forces is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense’s authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

While Chesney focuses on the use of “clandestine” in this passage (which I’ll return to), I think one of the key phrases is simply the requirement that DOD brief the Armed Services Committees quarterly on what it’s doing in cyberspace. As the AP reported in January, the SASC complained during the confirmation hearings of Michael Vickers that they weren’t getting briefed on clandestine cyberwar activities. Vickers claimed in response that the law only required that DOD brief Congress on human clandestine activities.

The Senate Armed Services Committee voiced concerns that cyber activities were not included in the quarterly report on clandestine activities. But Vickers, in his answer, suggested that such emerging high-tech operations are not specifically listed in the law — a further indication that cyber oversight is still a murky work in progress for the Obama administration.

Vickers told the committee that the requirement specifically calls for clandestine human intelligence activity. But if confirmed, he said, he would review the reporting requirements and support expanding the information included in the report.

So this section appears to close Vickers’ loophole, now requiring that DOD brief Congress on its activities in its quarterly clandestine activities reports.

In addition to legally demanding briefings, the section appears to affirmatively approve–as clandestine activities–cyberattacks against an AUMF-authorized target (so, al Qaeda and people like Anwar al-Awlaki we claim to be included in AUMF), and cyberdefense against an attack on an asset of DOD.

By the way, anyone want to speculate whether a Specialist allegedly downloading several databases onto a Lady Gaga CD constitutes a cyberattack on a DOD asset? Because if this permission includes WikiLeaks, then this section might retroactively authorize attacks–say, DNS attacks on US-based servers–on WikiLeaks (note that DOD can attack outside the US, but no such geographical limits are placed on defensive actions).

In any case, as Chesney emphasizes, this section specifically authorizes attacks on AUMF-authorized targets and defense against attacks on DOD targets. Chesney notes that by calling these activities “clandestine,” it makes them a Traditional Military Activity.

That is to say, the language in § 962 refers to DOD authority to engage in cyber operations which are meant to go undiscovered but not meant to be denied. That alone would presumably keep them from being categorized as a “covert action” subject to presidential finding and SSCI/HPSCI notification requirements. Yet one can imagine that this does not quite suffice to solve the boundary dispute, insofar as it might not be clear on the front end that one would be willing to acknowledge sponsorship of an operation publicly if it becomes known…and indeed it might well be that the activity is very much meant to be both concealed and denied, making it hard at first blush to show that the activity is not a Title 50 covert action after all. But in at least some instances there is a separate reason it should not be deemed a covert action: i.e., when the action is best understood as a high-tech equivalent to a traditional military activity (the “TMA” category being an explicit exception to the T50 covert action definition). And that appears to be the case with the two categories explicitly described above, or at least arguably so.

The explanatory statement accompanying § 962 supports this reading. It opens by stating that

[t]he committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

So, to summarize, this section appears to affirmatively authorize two types of activities, defining them as clandestine operations, and mandating that Congress get quarterly briefings on them.

But note this clause: “this section is not meant to identify all or in any way limit other possible military activities in cyberspace.”

So, it appears, there may be these two types of explicitly authorized clandestine operations, and then the stuff John Rizzo warned about.

I did want to mention–cause I find this interesting–cyberwarfare, on the issue of cyberwarfare. Again, increasing discussion there clearly is an active arena, will continue to be active. For us lawyers, certainly for the lawyers in the intelligence community, I’ve always found fascinating and personally I think it’s a key to understanding many of the legal and political complexities of so-called cyberlaw and cyberwarfare is the division between Title 10, Title 10 operations and Title 50 operations. Title 10 operations of course being undertaken by the Pentagon pursuant to its war-making authority, Title 50 operations being covert action operations conducted by CIA.

Why is that important and fascinating? Because, as many of you know being practitioners, how these cyber-operations are described will dictate how they are reviewed and approved in the executive branch, and how they will be reported to Congress, and how Congress will oversee these activities. When I say, “these activities,” I’m talking about offensive operations–computer network attacks.

This issue, this discussion, has been going on inside the executive branch for many years, actually. I mean I remember serious discussions during the Clinton Administration. So, again, this is not a post-9/11 phenomenon. Now, I’m speaking here from a CIA perspective, but I’ve always been envious of my colleagues at the Department of Defense because under the rubric of Title 10, this rubric of “preparing the battlefield.” They have always been able to operate with a–to my mind [?] a much greater degree of discretion and autonomy than we lawyers at CIA have been, have had to operate under, because of the various restrictions and requirements of Title 50 operations. Covert actions require Presidential Findings, fairly explicit reports to the Intelligence Oversight Committees. We have a very, our Intelligence Committees are … rigorous, rigorous and thorough in their review. I’ve never gotten the impression that the Pentagon, the military, DOD is subject to the same degree of scrutiny for their information warfare operations as CIA. I’m actually very envious of the flexibility they’ve had, but it’s critical–I mean I guess I could say interesting but critical how–I mean if there were operations that CIA was doing, they would be called covert actions, there’s no getting around that. To the extent I’ve ever understood what DOD does in this arena, they certainly sound like covert actions to me but given that I’ve had more than my hands full over the years trying to keep track of what CIA’s doing at any given time, I’ve never ventured deeply into that area. But I think it’s fascinating. [my emphasis]

Now, maybe this section just politely puts the kibosh on all of this Title 50 masquerading as Title 10 stuff, stuff done under the auspices of DOD to avoid the oversight requirements that Title 10 intelligence operations would require. Maybe this section limits DOD’s activities to its two authorized clandestine activities.

But I doubt it. With the language about not limiting DOD to these two functions, you can pretty much assume there’s some Special Access Programs (like the kind the Air Force refuses to talk to Congress about) not safe to be mentioned in public documents like laws.

Look on the bright side, though: Congress is at least requiring that DOD brief Congress on some of the secret stuff they’re doing in cyberspace.

Update: Specialist corrected per Ralph.

CIFA 2.0 Back in the Outsourcing Business

Remember the Counterintelligence Field Activity (CIFA)? Here’s how I described it back in 2007.

CIFA is, along with the National Security Letters Congress is now cracking down on, probably the biggest abuse of civil rights and privacy BushCo has hatched up. It was designed to gather intelligence on threats to defense installments in the United States–to try to collect information (in the TALON database) on threatening people scoping out domestic bases. But it ended up focusing on peace activists and the lefty blogosphere’s own Jesus’ General.

70 percent of CIFA’s employees are contractors, a figure that makes it a prime candidate for a politicized contracting scandal.

Among the contractors spying on Americans was MZM, one of the companies that bribed Duke Cunningham. Prosecutors in that case started investigating MZM’s CIFA contracts in May 2006. Three months after that, the top two managers at CIFA, who had directed CIFA to keep sending MZM contracts, resigned suddenly. When DOD’s Inspector General tried to investigate CIFA in 2007, it discovered (it claimed) that the entire CIFA database had been destroyed in June 2006, just as prosecutors were closing in on those contracts.

Later, in 2008, just as CIFA was claiming it couldn’t publicly reveal its unclassified contracts, we learned that Stephen Cambone (who had led one of the inquiries into CIFA), had won a contract from it, sort of a payoff for not finding anything, I guess.

Later that year, DOD “disestablished” CIFA.

Or rather, they renamed it, calling it the Defense Counterintelligence and Human Intelligence Center. Then, last year, we learned that the database DOD claimed had been destroyed in 2006 really hadn’t been, and CIFA 2.0 was getting back in the business of keeping a database of information on big threats to the US like Quakers and bloggers.

The Defense Intelligence Agency wants to open a new repository for information about individuals and groups in what appears to be a successor to a controversial counterintelligence program that was disbanded in 2008.

The new Foreign Intelligence and Counterintelligence Operation Records section will be housed in DIA’s Defense Counterintelligence and Human Intelligence Center, or DCHC, formed after the demise of the Counterintelligence Field Activity, or CIFA, according to an announcement that appeared Tuesday in the Federal Register.

The “activity” was disbanded, but evidently not its records database, which seems to be headed to the new unit. One of the criticisms of CIFA was that it vacuumed up raw intelligence on legal protest groups and individuals from local police and military spies.

When the DCHC was launched in 2008, the Pentagon said “it shall NOT be designated as a law enforcement activity and shall not perform any law enforcement functions previously assigned to DoD CIFA.”

Why the new depository would want such records while its parent agency no longer has a law enforcement function could not be learned. Nor could it be learned whether the repository will include intelligence reports on protest groups gathered by its predecessor, CIFA.

The only thing left, at that point, was to figure out what defense contractor was getting rich spying on American citizens.

The answer? Lockheed Martin.

Lockheed Martin has openings for talented and motivated professionals in the counterintelligence (CI) field to be part of an evolving and highly specialized team that will provide direct support to the Defense Intelligence Agency’s (DIA) Defense Counterintelligence and Human Intelligence Center (DCHC).

Lockheed Martin is assembling a team which will function in CI areas such as: force protection; support to Joint Terrorism Task Force (JTTF); CI in Cyberspace; research, development and acquisitions; critical infrastructure protection; CI support to Offensive CI Operations; analysis & production (A&P); collections; campaigns; policy; assessments; TSCM; security; information assurance, and Enterprise governance support (administrative).

Not only is the entire concept wrong, using contractors to spy on Quakers and bloggers. Not only is it especially troublesome that Lockheed–a company with close ties to NSA–is doing this work (which would make it easy for reports from physical surveillance to migrate into the signals surveillance NSA does). But note what else is now included in CIFA 2.0: “CI in Cyberspace.” That is, Lockheed with its close ties to NSA is now in charge of spying on those claimed to present an online counterintelligence threat to the United States. And maybe doing things like hacking a media site to try to exercise illegal prior restraint.

WikiLeaks Reveals that China Already Knows What WikiLeaks Reveals

I’ve been bitching and bitching and bitching and bitching about DOD’s refusal to fix the gaping holes in its network security even while it cries that Bradley Manning allegedly downloaded a bunch of cables using those gaping holes. As I point out, if all it took Manning to get all these databases was one Lady Gaga CD, then presumably our enemies can and do get what they want pretty easily, too.

As citizens, we just don’t ever find out about those other data breaches.

Well, apparently someone leaked a set of previously unreported WikiLeaks cables to Reuters, which used them as one of many sources to report on how much data China is just hacking from our government networks, including the sieve-like DOD ones.

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches — colorfully code-named “Byzantine Hades” by U.S. investigators — to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.

Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.

U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department’s Cyber Threat Analysis Division noted that several Chinese-registered Web sites were “involved in Byzantine Hades intrusion activity in 2006.”

What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst — that any network is vulnerable. [my emphasis]

Oh, okay.

Our government has apparently conceded it can’t keep its networks secret from China.

I’m not surprised, mind you. While I assume the problems at DOD are a worst case scenario (because of its size and logistical issues stemming from all the wars we’re running), the size of the gaping holes at DOD (and the lackadaisical attitude DOD has about closing them) shows how low a priority network security is in our government generally.

Plus, Chinese hackers are that good.

But the confirmation that China can basically just take what it wants at will really raises new questions about our government’s treatment of Bradley Manning specifically and its hyper-secrecy more generally.

If we’re not keeping all these secrets from China, our biggest rival, who are we keeping them from? If our adversaries can just go and get whatever they want off our networks, then why has the government treated Bradley Manning’s allegedly doing the same a capital offense? And if our government has just conceded that China can take what it wants, then why won’t it let its own citizens know what China presumably already knows?