Posts

As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages into the 38-page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.

CYBERCOM versus NSA: On Fighting Isis or Spying on Them

I keep thinking back to this story, in which people in the immediate vicinity of Ash Carter and James Clapper told Ellen Nakashima that they had wanted to fire Admiral Mike Rogers, the dual-hatted head of CyberCommand and NSA, in October. The sexy reason given for firing Rogers — one apparently driven by Clapper — is that NSA continued to leak critical documents after Rogers was brought in in the wake of the Snowden leaks.

But further down in the story, a description of why Carter wanted him fired appears. Carter’s angry because Rogers’ offensive hackers had not, up until around the period he recommended to Obama Rogers be fired, succeeded in sabotaging ISIS’ networks.

Rogers has not impressed Carter with his handling of U.S. Cyber Command’s cyberoffensive against the Islamic State. Over the past year or so, the command’s operations against the terrorist group’s networks in Syria and Iraq have not borne much fruit, officials said. In the past month, military hackers have been successful at disrupting some Islamic State networks, but it was the first time they had done that, the officials said.

Nakashima presents this in the context of the decision to split CYBERCOM from NSA and — click through to read that part further down in the piece — with Rogers’ decision to merge NSA’s Information Assurance Directorate (its defensive wing) with the offensive spying unit.

The expectation had been that Rogers would be replaced before the Nov. 8 election, but as part of an announcement about the change in leadership structure at the NSA and Cyber Command, a second administration official said.

“It was going to be part of a full package,” the official said. “The idea was not for any kind of public firing.” In any case, Rogers’s term at the NSA and Cyber Command is due to end in the spring, officials said.

The president would then appoint an acting NSA director, enabling his successor to nominate their own person. But a key lawmaker, Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, threatened to block any such nominee if the White House proceeded with the plan to split the leadership at the NSA and Cyber Command.

I was always in favor of splitting these entities — CYBERCOM, NSA, and IAD — into three, because I believed that was one of the only ways we’d get a robust defense. Until then, everything will be subordinated to offensive interests. But Nakashima’s article focuses on the other split, CYBERCOM and NSA, describing them as fundamentally different missions.

The rationale for splitting what is called the “dual-hat” arrangement is that the agencies’ missions are fundamentally different, that the nation’s cyberspies and military hackers should not be competing to use the same networks, and that the job of leading both organizations is too big for one person.

They are separate missions: CYBERCOM’s job is to sabotage things, NSA’s job is to collect information. That is made clear by the example that apparently irks Carter: CYBERCOM wasn’t sabotaging ISIS like he wanted.

It is not explicit here, but the suggestion is that CYBERCOM was not sabotaging ISIS because someone decided it was more important to collect information on it. That sounds like an innocent enough trade-off until you consider CIA’s prioritization for overthrowing Assad over eliminating ISIS, and its long willingness to overlook that its trained fighters were fighting with al Qaeda and sometimes even ISIS. Add in DOD’s abject failure at training their own rebels, such that the job reverted to CIA along with all the questionable loyalties in that agency.

There was a similar debate way back in 2010, when NSA and CIA and GCHQ were fighting about what to do with Inspire magazine: sabotage it (DOD’s preference, based on the understanding it might get people killed), tamper with it (GCHQ’s cupcake recipe), or use it to gather information (almost certainly with the help of NSA, tracking the metadata associated with the magazine). At the time, that was a relatively minor turf battle (though perhaps hinting at a bigger one betrayed by DOD’s inability to kill Anwar al-Awlaki and CIA’s subsequent success as soon as it had built its own drone targeting base in Saudi Arabia).

This one, however, is bigger. Syria is a clusterfuck, and different people in different corners of the government have different priorities about whether Assad needs to go before we can get rid of ISIS. McCain is clearly on the side of ousting Assad, which may be another reason — beyond just turf battles — why he opposed the CYBERCOM/NSA split.

Add in the quickness with which Devin Nunes, Donald Trump transition team member, accused Nakashima’s sources of leaking classified information. The stuff about Rogers probably wasn’t classified (in any case, Carter and Clapper would have been the original classification authorities on that information). But the fact that we only just moved from collecting intelligence on ISIS to sabotaging them likely is.

CYBERCOM and NSA do have potentially conflicting missions. And it sounds like that was made abundantly clear as Rogers chose to prioritize intelligence gathering on ISIS over doing things that might help to kill them.

Trump Versus the [Dead-Ender] Spooks

The big news from yesterday — aside from the blizzard of Mike Pence at Hamilton stories that drowned out news of Trump’s $25 million settlement for defrauding a bunch of Trump University students — is that NSA Director Mike Rogers had a meeting.

As the WaPo reported, Rogers met with Trump on Thursday morning without telling his bosses — Secretary of Defense Ash Carter and Director of National Intelligence James Clapper.

In a move apparently unprecedented for a military officer, Rogers, without notifying superiors, traveled to New York to meet with Trump on Thursday at Trump Tower. That caused consternation at senior levels of the administration, according to the officials, who spoke on the condition of anonymity to discuss internal personnel matters.

Actually, that’s not the lead of the story. This is:

The heads of the Pentagon and the nation’s intelligence community have recommended to President Obama that the director of the National Security Agency, Adm. Michael S. Rogers, be removed.

Which suggests that, in retaliation for having a meeting without their approval, people close to Carter and Clapper decided to reveal that they had been planning on firing Rogers, but simply haven’t gotten around to it.

The reason for firing Rogers is more obscure.

Carter has concerns with Rogers’s performance, officials said. The driving force for Clapper, meanwhile, was the separation of leadership roles at the NSA and U.S. Cyber Command, and his stance that the NSA should be headed by a civilian.

[snip]

Rogers was charged with making sure another insider breach never happened again.

Instead, in the past year and a half, officials have discovered two major compromises of sensitive hacking tools by personnel working at the NSA’s premier hacking unit: the Tailored Access Operations. One involved a Booz Allen Hamilton contractor, Harold T. Martin III, who is accused of carrying out the largest theft of classified government material. Although some of his activity took place before Rogers arrived and at other agencies, some of it — including the breach of some of the most sensitive tools — continued on Rogers’s watch, the officials said.

[snip]

But there was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee, one official said. That individual also has been arrested, but his case has not been made public. The individual is not believed to have shared the material with another country, the official said.

Rogers was put on notice by his two bosses — Clapper and Carter — that he had to get control of internal security and improve his leadership style. There have been persistent complaints from NSA personnel that Rogers is aloof, frequently absent and does not listen to staff input.

The NYT version of this story makes it sound like Rogers was supposed to be relieved of duty when the CYBERCOM/NSA split was announced but that got delayed because John McCain complained.

But the WaPo’s sources piled on, blaming Rogers for the Martin theft that started even before his tenure, another still unrevealed one, and (later in the article) for another hack during his tenure as head of the Navy’s CyberCommand.

Which has Devin Nunes — ostensibly in his role as House Intelligence Chair, and not his role on Trump’s transition team — calling an immediate hearing (perhaps before Obama can fire Rogers?).

Ostensibly, this is a hearing scheduling meeting.

Accordingly, I will convene an open-session hearing at the earliest possible opportunity so the Committee may understand the veracity of the Post article and fully understand the impact of the proposed separation of NSA and USCYBERCOM on the IC. Please provide, no later than November 21, 2016, at 5:00pm, a list of dates and times you are available to appear before the Committee between now and the end of December 2016.

Of course, usually such discussions take place between aides. But by including that language in his letter, Nunes invented an opportunity to issue an implicit threat — that something in the WaPo story (perhaps the detail that another person had been arrested for stealing TAO files) remained classified.

I am also concerned that the article may contain unauthorized disclosures of classified information.

And to provide a vote of confidence for Rogers.

Since Admiral Rogers was appointed as NSA Director in April 2014, I have been consistently impressed with his leadership and accomplishments. His professionalism, expertise, and deckplate leadership have been remarkable during an extremely challenging period for NSA. I know other members of Congress hold him in similarly high esteem.

Given the Committee’s constitutional responsibility to conduct oversight of the Intelligence Community (IC), I am asking you to provide a full explanation of the allegations contained in the Post article.

Nunes went on to demand a briefing on the planned split (he is supposed to be on the opposite side from McCain, hoping for CYBERCOM to remain under DOD and the House Armed Services Committee, but NSA to become entirely a House Intelligence Committee issue, but I wonder whether Trump has something else entirely in mind).

Consider: A big part of this presidential campaign involved weekly leaks about an FBI investigation into a national security issue (Hillary’s potential mishandling of classified information). All through that, Nunes was at best silent, if not a willing participant. But here he is insinuating that the WaPo leak (presumably from two Original Classification Authorities) was improper?

And consider this detail: Trump has already picked Mike Flynn to be his National Security Adviser, whom Clapper and Mike Vickers got fired in 2014. The Thursday meeting between Rogers and Trump was reportedly a meeting about whether Rogers should become Director of National Intelligence. Yesterday, Trump interviewed General James Mattis to be Secretary of Defense; Obama fired Mattis from CENTCOM in 2013 for opposition to Obama’s Iran deal. There are also rumors that Trump is considering Stanley McChrystal for some role.

In other words, Trump seems to be going out of his way to select military officers who have a grudge against the Obama Administration (which goes along perfectly with his policy of hiring people like Jared Kushner and Jeff Sessions, white men who harbor grudges against some past perceived wrong).

But if Trump creates a NatSec team entirely of generals who’ve been fired for cause or dissent, what will that do for a Commander in Chief’s ability to assert civilian control by firing generals going forward? What kind of incentive will that give top officers to intervene in the political process?

Stay tuned.

Now Can We Ditch the Saudis?

Mohammed bin Salman, the third ranking royal Saudi, is in the US — ostensibly to visit John Kerry, Ash Carter, and Barack Obama.

But as FP reports, the latter hasn’t happened, and may not.

It was billed by Riyadh’s state media as a trip for Saudi Arabia’s powerful deputy crown prince to meet with President Barack Obama and other senior U.S. officials. But now that Prince Mohammed bin Salman has arrived in Washington, it’s still unclear if the president or any White House officials will meet with him, a spokeswoman said Tuesday.

“No confirmation at this time for any WH meetings,” White House spokesperson Dew Tiantawach told Foreign Policy.

The absence of any scheduled meetings with even National Security Adviser Susan Rice is fueling speculation among Gulf experts about a diplomatic snub. It comes amid sharp policy differences between Washington and Riyadh, and unease among U.S. officials about overplaying alliances with the 30-year-old prince, who some view as locked in a power struggle with the older Saudi Crown Prince Mohammed bin Nayef.

“Very unusual for the Saudis to come out saying he is meeting with Obama and White House not confirming it,” said David Ottaway, a Saudi expert at the Wilson Center in Washington. “They certainly knew he was coming.”

Meanwhile, Haykal Bafana, a usually reliable commentator on events in Yemen, has suggested that not just the one UAE helicopter reported more broadly, but two more, have been downed in recent days, by Saudi missiles. And the UAE tweeted out yesterday that it was withdrawing from the war in Yemen.

UAE, of course, was supporting (or headlining?) our efforts to continue targeting AQAP even as the Saudi invasion empowered the group, one the US has just added new resources to. If UAE withdraws we’ll be alone fighting AQAP.

Or, alternately, they may go back to benefitting wildly from the Saudi invasion of Yemen.

Are we getting closer to the point where we admit the Saudis are not our friends?

If Ending DOD’s Train and Assist Program Is about Returning to Covert Status, Will Congress Get Details?

When Mike Lee, Joe Manchin, Chris Murphy, and Tom Udall wrote the Administration calling for an end to the Syria Train and Equip Program last week, they addressed it to CIA Director John Brennan, along with Defense Secretary Ash Carter (its primary addressee, given the clear reference to details about DOD’s T&E mission) and Secretary of State John Kerry.

It appears the Senators got the result they desired. As a number of outlets are reporting, Carter has decided to end DOD’s T&E program, which has done little except arm al Qaeda affiliates in Syria. But it’s not that we’re going to end our involvement in Syria. The stories provide different descriptions of what we intend to continue doing. The NYT, which pretended not to know about the CIA covert program, described a shift of training to Turkey, while discussing armed Sunnis in eastern Syria.

A senior Defense Department official, who was not authorized to speak publicly and who spoke on the condition of anonymity, said that there would no longer be any more recruiting of so-called moderate Syrian rebels to go through training programs in Jordan, Qatar, Saudi Arabia or the United Arab Emirates. Instead, a much smaller training center would be set up in Turkey, where a small group of “enablers” — mostly leaders of opposition groups — would be taught operational maneuvers like how to call in airstrikes.

[snip]

The official said the training was “to be suspended, with the option to restart if conditions dictate, opportunities arise.” The official also said that support to Sunni Arab fighters in eastern Syria was an example of focusing on groups already fighting the Islamic State, also known as ISIS or ISIL, “rather than using training to try to manufacture new brigades.”

The LAT to its credit did acknowledge the parallel CIA program in a piece vaguely describing our “new” approach of working with a wide range of groups on the Turkish border.

Under the new approach, the administration will continue to work with a range of groups to capitalize on the successes that Kurdish, Arab and Turkmen groups have had over the last several months driving the Islamic State forces out of much of the Turkey-Syria border region.

[snip]

The decision to end the Pentagon training program does not appear to immediately affect a separate program run by the CIA.

While Ash Carter’s public remarks associated with this discussion make it clear Russia’s actions in the same region remain a concern, the reporting I’ve seen thus far hasn’t tied the decision to end the DOD program to the need to respond to Russia in any way.

Which raises the question: is this just an attempt to shift our existing T&E efforts entirely under a covert structure again? There are many reasons why you’d want to do that, not least because it would make it a lot easier to hide that not only aren’t your “rebels” “moderate,” but they’re al Qaeda affiliates (as David Petraeus and others were floating we should do). Given Qatari and Saudi efforts to flood more weapons into Syria in response to Russia’s involvement, you’d think the US would want to play along too.

But especially since Tom Udall is the guy who — a year ago — raised the crazy notion that Congress should know some details about the (at that point) two-year-long effort by CIA to support “moderate” forces …

Everybody’s well aware there’s been a covert operation, operating in the region to train forces, moderate forces, to go into Syria and to be out there, that we’ve been doing this the last two years. And probably the most true measure of the effectiveness of moderate forces would be, what has been the effectiveness over that last two years of this covert operation, of training 2,000 to 3,000 of these moderates? Are they a growing force? Have they gained ground? How effective are they? What can you tell us about this effort that’s gone on, and has it been a part of the success that you see that you’re presenting this new plan on?

… I wonder whether Congress has ever gotten fully briefed on that program — and whether they would going forward.

After all, none of the men who signed this letter would be privy to how a covert effort to train rebels was going under normal guidelines unless Udall or Murphy were getting details on the Appropriations Committee.

So while it may be — and I think it likely this is — just an effort to make it easier to partner with al Qaeda to defeat Bashar al-Assad and Putin (teaming with al Qaeda to fight Russia! just like old times!) — I also wonder whether this is an effort to avoid telling most of Congress just how problematic (even if effective from an anti-Assad perspective) both the DOD and CIA efforts are.