Posts

Intelligence Community Will Close Gaping Hole that Allegedly Led to WikiLeaks Disclosure … in 2013

I did a long post yesterday describing how embarrassingly, pathetically bad DOD’s information security was and remains 3 years after a malware attack and a full year after the alleged WikiLeaks leak. Along with DOD’s gaping security problems, I noted that some entities in the intelligence community are still in the process of implementing user authentication which would have exposed someone taking entire databases off of their networks.

While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC area also still implementing the kind of authentication most medium sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

Just in case the intelligence community can’t get around to providing this fairly common security on our intelligence community networks by their planned timeframe of the first quarter of FY 2012 (which would mean the last quarter of calendar year 2011), the Senate Intelligence Committee is requiring the IC to have a fully operational ability to audit online access by October 2013.

Section 402 requires the Director of National Intelligence, not later than October 1, 2012, to establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information. Section 402 requires that the program be at full operating capability by October 1, 2013.

Not later than December 1, 2011, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the resources required to implement the program and any other issues the Director considers appropriate to include in the report.

In other words, if closing this security gap a year and a half after the leaks are alleged to have occurred is too tough, then they can go ahead and take another year or so to close the barn door.

Though to be fair, this deadline may come directly from the lackadaisical DOD, as the deadlines given here seem to match those DOD aspires to hit.

Now, maybe it’s considered unpatriotic to note that our intelligence community–and its congressional overseers–are tolerating pretty shoddy levels of security all while insisting that they takes leaks seriously.

But seriously: if our government is going to claim that leaks are as urgent as it does, if it’s going to continue to pretend that secrets are, you know, really secret, then it really ought to at least pretend to show urgency on responding to the gaping technical issues that will not only protect against leakers, but also provide better cybersecurity and protect against spies. Aspiring to fix those issues years after the fact really doesn’t cut it.

The Incredible Disappearing PFIAB

Smintheus provides a good background on Bush’s Executive Order to gut PFIAB (h/t scribe).

On Friday afternoon the White House posted without fanfare a new Executive Order that revamps an important though little known intelligence board. There are a few minor changes, but the most radical revision appears to be that the board has now been stripped of nearly all its powers to investigate and check illegal intelligence activities. It’s difficult to see what legitimate reasons there could have been for gutting the oversight activities of the board in this way, and the WH has not explained the changes.

[snip]

The newly revised IOB is much more passive. Gone is the duty to review agency guidelines regarding illegal intelligence activities. Gone is the duty to hold accountable the intelligence watchdog offices, such as inspectors general, who are supposed to serve as a bulwark against illegal activities.

Gone is the duty ("shall…forward") to take illegal activities directly to the Attorney General.

I wanted to add just a few details of context.

First, recall that the referrals by IOB–and the absence of any response to such referrals–got Alberto Gonzales in trouble.

In 2005, Gonzales had assured Congress there were no violations of privacy associated with the PATRIOT Act. But last year it became clear that Gonzales received reports of at least six violations.

As he sought to renew the USA Patriot Act two years ago, Attorney General Alberto R. Gonzales assured lawmakers that the FBI had not abused its potent new terrorism-fighting powers. "There has not been one verified case of civil liberties abuse," Gonzales told senators on April 27, 2005.

Six days earlier, the FBI sent Gonzales a copy of a report that said its agents had obtained personal information that they were not entitled to have. It was one of at least half a dozen reports of legal or procedural violations that Gonzales received in the three months before he made his statement to the Senate intelligence committee, according to internal FBI documents released under the Freedom of Information Act.

When cornered on his lie, Gonzales invented some mumbo jumbo about how violations that get reported to the IOB aren’t really violations.

Read more

Phone Slip

MadDog points out that the documents released through FOIA to EFF are available. These are documents, remember, relating to communications about the FISA amendment between DNI McConnell and Congress or representatives of telecom companies.

Declaration of what’s included

Document dump one

Document dump two

I’m reading through things now. But one thing is immediately apparent. There is almost no trace of any conversations between telecom companies and ODNI employees–there’s just one phone slip.

ODNI located one document that is potentially responsive to request number one. This document is a telephone message slip that contains the handwritten personal notes and mental impressions of an ODNI employee. This document is being withheld because it is not an agency record under FOIA. In addition, the documents qualifies to be withheld pursuant to FOIA exemptions 1,3,5 and 6.

Boy, those phone companies, they’re pretty careful, huh? Read more