Shaping Traffic and Spying on Americans

At the Intercept earlier this week, Peter Maass described an interview he had with a former NSA hacker he calls Lamb of God — this is the guy who did the presentation boasting “I hunt SysAdmins.” On the interview, I agree with Bruce Schneier that it would have been nice to hear more from Lamb of God’s side of things.

But the Intercept posted a number of documents that should have been posted long, long ago, covering how the NSA “shapes” Internet traffic and how it identifies those using Tor and other anonymizers.

I’m particularly interested in the presentations on shaping traffic — which is summarized in the hand-written document to the right and laid out in more detail in this presentation.

Both describe how the NSA will force Internet traffic to cross switches where it has collection capabilities. We’ve known they do this. Beyond just the logic of it, some descriptions of NSA’s hacking include descriptions of tracking traffic to places where a particular account can be hacked.

But the acknowledgement that they do this and discussions of how they do so are worth closer attention.

That’s true, first of all, because of wider discussions of cable maps. In discussing the various ways to make Internet traffic cross switches to which the NSA has access, Lamb of God facetiously (as is his style) suggests you could bomb or cut all the cable lines that feed links to which the NSA doesn’t have access.

Lamb of God dismisses this possibility as “fun to think about, but not very reasonable.”

But we know that cable lines do get cut. Back in 2008, for example, there were a slew of cables coming into the Middle East that got cut at one time (though that may have been designed to cut Internet communication more generally). Then there’s the time in 2012 when NSA tried to insert an exploit into a Syrian router, only to knock out almost all of the country’s Internet traffic.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Again, we’ve known this happened, which is why it would have been nice to have this presentation three years ago, if only to explain the concept to those who don’t factor it into considerations of how the NSA works.

The other reason this is important is because of the possibility the NSA could deliberately shape traffic to take it out of FISA-controlled domestic space and into EO 12333-governed international space, a possibility envisioned in a 2015 paper. The slides from the paper present the same techniques laid out in the NSA presentation as hypothetical. And, as their more accessible write up explains, the NSA’s denials about this practice don’t actually address their underlying argument, which is that 1) the technology would make this easy, 2) the legal regime is outdated and thereby tolerates such loopholes, and 3) the parts of declassified versions of USSID-18 that might address it are all redacted.

In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.

As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.

“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.

As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected.

Once you’re collecting in bulk overseas, you have access to US person communications with a far lower bar than you do under the FISA regime (which is what John Napier Tye strongly suggested he had seen).

This is one of the reasons I find the NSA’s decision not to answer obvious questions about where FISA ends and EO 12333 begins, in the context of concerns Snowden raised at precisely the time he was learning about this traffic shaping, to be very newsworthy. Using traffic shaping to access US person content even if it’s only in bulk (in the same way that hacking Google cables overseas does) clearly bypasses the FISA regime. We don’t know that they do this intentionally for US traffic. But we do know it would be technically trivial for the NSA to pull off, and we do know that multiple NSA documents make it clear they were playing in that gray area at least until 2013 (and probably 2014, when Tye came forward).

The traffic shaping paper ultimately tries to point out how our legal regime fails to account for obvious technical possibilities, technical possibilities we know NSA exploits, at least overseas. Particularly as ODNI threatens to permit the sharing of EO 12333 data more broadly — along with access to back door searches — this possibility needs to be more broadly discussed.

How Did Booz Employee Analyst-Trainee Edward Snowden Get the Verizon 215 Order?

One thing I’ve been pondering as I’ve been going through the Snowden emails liberated by Jason Leopold is the transition Snowden made just before he left. They show that in August 2012, Snowden was (as we’ve heard) a Dell contractor serving as a SysAdmin in Hawaii.

The training he was taking (and complaining about) around April 5 – 12, 2013 was in preparation to move into an analyst role with the National Threat Operations Center.

That would mean Snowden would have been analyzing US vulnerabilities to cyberattack in what is a hybrid “best defense is a good offense” mode; given that he was in HI, these attacks would probably have been launched predominantly from, and countermeasures would be focused on, China. (Before Stewart Baker accuses me of showing no curiosity about this move, as Baker did about the Chinese invitation to Snowden’s girlfriend to a pole dancing competition, I did, but got remarkably little response from anyone on it.)

It’s not clear why Snowden made the switch, but we have certainly seen a number of cybersecurity related documents — see the packet published by Charlie Savage in conjunction with his upstream cyber article. Even the PRISM PowerPoint — the second thing released — actually has a cybersecurity focus (though I think there’s one detail that remains redacted). It’s about using upstream to track known cyberthreat actors.

I suspect, given the inaccuracies and boosterism in this slide deck, that it was something Snowden picked up while at Booz training, when he was back in Maryland in April 2013. Which raises certain questions about what might have been available at Booz that wasn’t available at NSA itself, especially given the fact that all the PRISM providers’ names appear in uncoded fashion.

Incidentally, Snowden’s job changes at NSA also reveal that there are Booz analysts, not NSA direct employees, doing Section 702 analysis (though that is technically public). In case that makes you feel any better about the way the NSA runs its warrantless surveillance programs.

Anyway, thus far, all that makes sense: Snowden got into a cybersecurity role, and one of the latest documents he took was a document that included a cybersecurity function (though presumably he could have gotten most of the ones that had already been completed as a SysAdmin before that).

But one of the most sensitive documents he got — the Verizon Section 215 primary order — has nothing to do with cybersecurity. The Section 215 dragnet was supposed to be used exclusively for counterterrorism. (And as I understand it, there are almost no documents, of any type, listing provider names in the Snowden stash, and not all that many listing encoded provider names). But the Verizon dragnet order is dated April 23, 2013, several weeks into the time Snowden had moved into a cybersecurity analytical role.

There’s probably an easy explanation: That even though NSA is supposed to shift people’s credentials as they move from job to job, it hadn’t happened for Snowden yet. If that’s right, it would say whoever was responsible for downgrading Snowden’s access from SysAdmin to analyst was slow to make the change, resulting in one of the most significant disclosures Snowden made (there have been at least some cases of credentials not being adjusted since Snowden’s leaks, too, so they haven’t entirely addressed what would have to be regarded as a major fuck-up if that’s how this happened).

Interestingly, however, the declassification stamp on the document suggests it was classified on April 12, not April 23, which may mean they had wrapped up the authorization process, only to backdate it on the date it needed to be reauthorized. April 12, 2013 was, I believe, the last day Snowden was at Fort Meade.

Whatever the underlying explanation, it should be noted that the most sensitive document Snowden leaked — the one that revealed that the government aspired to collect phone records from every single Verizon customer (and, significantly, the one that made court challenges possible) — had to have been obtained after Snowden formally left his SysAdmin, privileged user, position.

NSA’s Curious Goal-Post Moving on Snowden’s Complaints

In our piece on NSA’s response to requests for records of Edward Snowden’s complaints, Jason Leopold and I reported that a senior NSA official apologized to Admiral Mike Rogers for providing insufficient context about Snowden’s contacts with oversight entities before Snowden’s email to OGC got released on May 29, 2014. (See PDF 6 for the email and response as they got publicly released.) More importantly, we reported that the apology — written after several days of fact-checking — included at least one clear error. After we pointed that out to the intelligence community and asked questions for clarification, the NSA significantly moved the goalposts on its claims about whether Snowden had raised concerns, denying that Snowden had talked to the top three NSA officials rather than lower level ones. Here’s why I think that’s significant.

Conflicting claims about what happened between compliance and Snowden

On April 8, 2014, NSA learned that an upcoming Vanity Fair piece would include a claim from Edward Snowden that “I contacted N.S.A. oversight and compliance bodies.” (PDF 13)

Apparently in response to that claim, on the following day a woman involved in training in Signals Intelligence Compliance and Oversight (what the NSA calls SV) wrote up an exchange she had with Snowden a year earlier. (PDF 147) Here’s how that email appeared on April 10, after at least one draft.

The individual appeared at the side of my desk in the SV training area during the timeframe between 5 – 12 April 2013, shortly after lunch time. He did not introduce himself and instead asked if he could talk to someone about the OVSC1203 [Section 702] course. I indicated that he could talk to me. He seemed upset and proceeded to say that he had tried to take OVSC1203 and that he had failed. He then commented that he felt we had trick questions throughout the course content that made him fail. SV Training has standard (canned) responses we use to respond to questions like this. I introduced myself and provided the information to him. My comments were standard and part of our “canned” responses, and informed him that the OVSC courses did not contain any trick questions and that all of the answers to the test questions could be located within the course content (our standard response when someone states they have failed any of our courses). Also, as part of our standard response with this type of question, we remind the student that the course is open book and not timed, also part of our routine canned response. I also reminded him that students receive multiple attempts to successfully pass the course and if they are not successful after multiple attempts he would need to contact us for further assistance. He seemed to have calmed down by then and said he still thought the questions tricked the students but he would try again.

Several pieces of evidence in the email collection suggest this email was the first time she wrote up the exchange (though I imagine there’s an FBI 302 of an interview with her). Not only did no other written version of it get turned over in Leopold’s FOIA, but when the Chief of SV explained the exchange to superiors, no claim of contemporaneous report was made. (PDF 255) Similarly, there’s no definitive written evidence of this report getting reported to the various investigators (though there is one piece of evidence it may have been orally described). In addition, the woman had to revise at least the dates during which she described the exchange taking place on April 10, suggesting she wasn’t working from an existing written document. (PDF 300)

On May 29, 2014, first Dianne Feinstein (there’s evidence she was prodded by someone at NSA or ODNI) released Snowden’s email exchange with OGC, then NSA formally released it.

Later the evening of May 29, Edward Snowden told WaPo the release did not include “correspondence” with SV in which he said they “believed that a classified executive order could take precedence over an act of Congress.”

Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.

About an hour and a half after Feinstein had released Snowden’s email on May 29 but before WaPo published Snowden’s claim, the Media Leaks Task Force discovered the write-up of the SV exchange from April, but did not release it publicly (meaning when Snowden made his claim, he did not know they had written up the exchange). Around, or even before that, OGC realized that some of the discussions they were having would have to be turned over in response to this FOIA, and then-General Counsel Raj De “ask[ed] that no one else comment on the low-side [less secure] (or add additional folks to the e-mail exchange),” (PDF 148), so it’s not clear subsequent discussions about this exchange got released in the FOIA.

In response to conflicting claims, NSA does a fact check … and then an internal apology

In the days thereafter, NSA Chief of Staff Elizabeth Brooks got asked to fact check the claims that had been made so far, with the SV Chief and Deputy Chief providing more details on the exchange. It appears there was a senior meeting, probably including Admiral Rogers, at 10AM on June 3, at which someone (probably Brooks) wrote down (PDF 261) “conversation between Snowden & compliance officer where he complained / wants in writing exactly what Snowden has done in writing and verbally.”

Later that day, “the accountable NSA official for Media Disclosures issues” wrote Admiral Rogers a pretty remarkable apology for not providing sufficient context about Snowden’s interactions. (PDF 96) It’s remarkable that it happened — kudos to Admiral Rogers for trying to get clarity on this issue. But it’s remarkable, too, because even after the two day fact-checking process, the apology endeavoring to keep NSA leadership fully informed did not do so.

The error in the apology email

For example, the apology does not tell Rogers that the face-to-face exchange could have happened on one of the same days as the OGC email (and definitely happened within the same week), making it more likely the OGC email and the SV face-to-face exchange were actually two parts of the same exchange (Snowden would have known SV had been involved in his OGC response from both the final response he got, as well as the email forwarding the question from OGC to SV, which got forwarded to him). The apology also, like NSA’s response to this FOIA, doesn’t disclose what got discussed between 7 people as they decided who and how to respond to Snowden’s email (the apology itself, because it gave Rogers the redacted version of Snowden’s email released to the public, would have obscured that 6 people were involved in this response, but he could have gotten that information in previous email threads had he read them closely). It also makes what — given the evidence in the emails, at least — appears to be a clear error by claiming that the SV woman wrote up her exchanges with Snowden in response to NSA’s request for information on contacts with him: “In response to the June 2013 Agency All (See Attachment B) [the SV training woman] provided in writing her account of these engagements.”

That claim appears to be erroneous on two counts.

Lawyer Who Filed Crime Report against SSCI Staffer, Robert Eatinger, Complains about Lack of Trust

Robert Eatinger, whose name was redacted 1,600 times in the Senate Torture report, and who went on to file a crime report against Senate staffers for using materials provided to them by CIA, is complaining about lack of trust in this summary of Edward Snowden’s role in surveillance debates.

“The loss in trust with the U.S. public and businesses has a real operational effect. Despite Hollywood portrayals, U.S. intelligence has limited authorities, personnel, and resources,” Robert Eatinger, former senior deputy general counsel at the CIA, said. “Our intelligence agencies depend on the willingness of U.S. persons and companies to provide information and assistance, either voluntarily or through a contract mechanism. A loss in trust reduces the number of Americans willing to assist our intelligence agencies. It reduces not only voluntary assistance but also the number of companies willing to enter into contracts.”

“We have seen recent examples of major U.S. companies not only declining to help U.S. intelligence, but actively seeking to frustrate it. Perhaps the most obvious is Twitter, Inc.’s recent directive to the data analytics company Dataminr to cease selling data, not precisely defined in the press reporting, to U.S. intelligence agencies,” Eatinger added.

At least according to Twitter, this is a false representation of what has happened. Twitter says that its policy on Dataminr selling data to the intelligence community is longstanding, not a recent change.

Constitution Project’s Katherine Hawkins actually tried to have Eatinger’s name unredacted in the released summary via the formal process to do so, with no luck.

I can think of few things that have eroded trust more in recent years than the serial coverups of CIA’s torture, in which Eatinger has had a central role.

So I guess they went to the expert in eroding trust.

Carrie Cordero’s Counterintelligence Complaints

I wasn’t going to respond to Carrie Cordero’s Lawfare piece on my and Jason Leopold’s story on NSA’s response to Edward Snowden’s claims he raised concerns at the agency, largely because I think her stance is fairly reasonable, particularly as compared to other Snowden critics who assume his leaks were, from start to finish, an FSB plot. But a number of people have asked me to do so, so here goes.

Let’s start with this:

As far as we know – even after this new reporting – Snowden didn’t lodge a complaint with the NSA Inspector General. Or the Department of Defense Inspector General. Or the Intelligence Community Inspector General. He didn’t follow up with the NSA Office of General Counsel. He didn’t make phone calls.  He didn’t write letters. He didn’t complain to Members of Congress who would have been willing to listen to his concerns.

Now here’s the rub: do I think that had he done all these things, the programs he questioned would have been shut down and there would have been the same effect as his unauthorized disclosures? No. He probably would have been told that more knowledgeable lawyers, leadership officials, congressmen and dozens of federal judges all assessed that the activities he questioned were legal.

Without noting the parts of the article that show that, nine months into the Snowden leaks and multiple hearings on the subject, Keith Alexander still didn’t know how contractors might raise complaints, and that the NSA editing of its Q&A on Snowden shows real questions about the publicity and viability of reporting even to the IG, especially for legal violations, Cordero complains that he did not do so. Then she asserts that had Snowden gone to NSA’s IG (ignoring the record of what happened to Thomas Drake when he did the same), the programs would not have changed.

And yet, having taken a different approach, some of them have changed. Some of the programs — notably Section 215, but also tech companies’ relationship with the government, when exposed to democratic and non-FISA court review, and FISA court process itself — did get changed. I think all but the tech company changes have largely been cosmetic; Cordero has tended to think reforms would go too far. But the record shows that Snowden’s leaks, along with whatever other damage critics want to claim they caused, also led to a democratic decision to shift the US approach on surveillance somewhat. Cordero accuses Snowden of doing what he did because of ego — again, that’s her prerogative; I’m not going to persuade people who’ve already decided to think differently of Snowden — but she also argues that had Snowden followed the already problematic methods to officially report concerns, he would have had less effect raising concerns than he had in fact. Some of what he exposed may have been legally (when argued in secret) sustainable before Snowden, but they turned out not to be democratically sustainable.

Now let’s go back to how Cordero characterizes what the story showed:

Instead, the report reveals:

  • An NSA workforce conducting a huge after-action search for documents seeking to affirm or refute Snowden’s claim that he had raised red flags internally before resorting to leaking classified documents;
  • Numerous officials terrified that they would miss something in the search, knowing full-well how easily that could happen in NSA’s giant and complex enterprise; and
  • The NSA and ODNI General Counsels, and others in the interagency process –doing their job.

The emails in the report do reveal that government officials debated whether to release the one document that was evidence that Snowden did, in fact, communicate with the NSA Office of General Counsel. It’s hard to be surprised by this. On one hand, the one email in and of itself does not support Snowden’s public claim that he lodged numerous complaints; on the other hand, experienced senior government officials have been around the block enough times to know that as soon as you make a public statement that “there’s only one,” there is a very high likelihood that your door will soon be darkened by a staff member telling you, “wait, there’s more.” So it is no wonder that there was some interagency disagreement about what to do.

For what it’s worth, I think the emails show a mixed story about how well various participants did their job. They make Admiral Rogers look great (which probably would have been more prominently noted had the NSA not decided to screw us Friday night, leading to a very rushed edit job). They make Raj De, who appears to have started the push to release the email either during or just as Snowden’s interview with Brian Williams finished airing (it aired at 10:00 PM on May 28; though note the time stamps on this string of De emails are particularly suspect), look pretty crummy, and not only for that reactive response. (I emailed De for comment but got no response.)

Later on, Cordero admits that, in addition to the OGC email, the story reported for the first time that there had also been a face-to-face conversation with one of the people involved in responding to that email.

The Vice report reveals that Snowden did do at least these things related to his interest in legal authorities and surveillance activities: (i) he clicked on a link to send a question to NSA OGC regarding USSID 18 training, which resulted in an emailed response from an NSA attorney; and (ii) he had a personal interaction (perhaps a short conversation) with a compliance official regarding questions in a training module. But according to the report, in his public statements, “Snowden insisted that he repeatedly raised concerns while at the NSA, and that his concerns were repeatedly ignored.”

(Note Cordero entirely ignores that interviews with Snowden’s colleagues — the same people whom she characterized as terrified they’d miss something in the media response but doesn’t consider whether they would be even more terrified that conversations about privacy with Snowden might be deemed evidence of support for him — found a number of them having had conversations about privacy and the Constitution.)

She doesn’t get into the chronology of the NSA’s treatment of the face-to-face conversation, though. What the story lays out is this:

  • Released emails show NSA now asserts that Snowden complained about two training programs within the span of a week, possibly even on the same day, with Compliance being involved in both complaints (Snowden would have known they were involved in the OGC response from forwarded emails)
  • Given the record thus far, it appears that there is no contemporaneous written record of the face-to-face complaint (we asked the NSA for any and that’s when they decided to just release the emails in the middle of the night instead of responding, though I assume there is an FBI 302 from an interview with the training woman)
  • Given the record thus far, NSA only wrote up that face-to-face complaint the day after and because NSA first saw teasers from the April 2014 Vanity Fair article revealing Snowden’s claim to have talked to “oversight and compliance”
  • In spite of what I agree was a very extensive (albeit frantic and limited in terms of the definition of “concern”) search, NSA did not reveal (and had not revealed, until our story) that second contact, even though it was written up specifically in response to claims made in the press and well before the May 29 release of Snowden’s email
  • In the wake of NSA not having acknowledged that second contact, a senior NSA official wrote Admiral Rogers a fairly remarkable apology and (as I’ll show in a follow-up post) the NSA is now moving the goal posts on whom they claim Snowden may have talked to

Now, I actually don’t know what happened in that face-to-face contact. We asked both sides of the exchange very specific questions about it, and both sides then declined to do anything but release a canned statement (the NSA had said they would cooperate before they saw the questions). Some would say, so what? Snowden was complaining about training programs! Training programs, admittedly, that related to other documents Snowden leaked. And at least one training program, as it turns out, that the NSA IG had been pushing Compliance to fix for months, which might explain why they don’t want to answer any questions. But nevertheless “just” training programs.

I happen to care about the fact that NSA seems to have a pattern of providing, at best, very vague information about how seriously NSA has to take FISA (or, in the one program we have in its entirety, perfectly legal tips about how to bypass FISA rules), but I get that people see this as just a training issue.

I also happen to care about the fact that when Snowden asked what NSA would like to portray as a very simple question — does what would be FISA take precedence over what would be EO 12333 — it took 7 people who had been developing that training program to decide who and how to answer him. That question should be easier to answer than that (and the emailed discussion(s) about who and how to answer were among the things conspicuously withheld from this FOIA).

But yes, this is just two questions about training raised at a time (we noted in the story) when he was already on his way out the door with NSA’s secrets.

Which is, I guess, why the balance of Cordero’s post takes what I find a really curious turn.

If this is all there is – a conversation and a question  – then to believe that somehow NSA attorneys and compliance officials were supposed to divine that he was so distraught by his NSA training modules that he was going to steal the largest collection of classified documents in NSA history and facilitate their worldwide public release, is to live in a fantasy land.

No, what this new report reveals is that NSA lawyers and compliance personnel take questions, and answer them. Did they provide a simple bureaucratic response when they could or should have dug deeper? Maybe. Maybe not.

Because what they apparently do not do is go on a witch hunt of every employee who asks a couple legal questions. How effective do we think compliance and training would be, if every person who asks a question or two is then subject to intense follow-up and scrutiny? Would an atmosphere like that support a training environment, or chill it?

[snip]

NSA is an organization, and a workforce, doggedly devoted to mission, and to process. In the case of Snowden, there is an argument (one I’ve made before) that its technical security and counterintelligence function failed. But to allude – as today’s report does – that a couple questions from a low level staffer should have rung all sorts of warning bells in the compliance and legal offices, is to suggest that an organization like NSA can no longer place trust in its workforce. I’d wager that the reason the NSA lawyers and compliance officials didn’t respond more vigorously to his whispered inquiries, is because they never, in their wildest dreams, believed that a coworker would violate that trust.

Cordero turns a question about whether Snowden ever complained into a question about why the NSA didn’t notice he was about to walk off with the family jewels because he complained about two training programs.

There are two reasons I find this utterly bizarre. First, NSA’s training programs suck. It’s not just me, based on review of the few released training documents, saying it (though I did work for a number of years in training), it’s also NSA’s IG saying the 702 courses, and related materials, are factually wrong or don’t address critical concepts. Even the person who was most negative towards Snowden in all the emails, the Chief of SID Strategic Communications Team, revealed that lots of people complain about the 702 test (as is also evident from the training woman’s assertion they have canned answers for such complaints).

Complaints about fairness/trick questions are something that I saw junior analysts in NTOC … would pose — these were all his age and positional peers: young enlisted Troops, interns, and new hires. Nobody that has taken this test several times, or worked on things [redacted] for more than a couple of years would make such complaints. It is not a gentleman’s course. *I* failed it once, the first time I had to renew.

I’m all for rigorous testing, but all the anecdotes about complaints about this test may suggest the problem is in the test, not the test-takers. It’s not just that — as Cordero suggested — going on a witch hunt every time someone complains about training courses would chill the training environment (of a whole bunch of people, from the sounds of things). It’s that at precisely the moment Snowden took this training it was clear someone needed to fix NSA’s training, and Cordero’s response to learning that is to wonder why someone didn’t launch a CI investigation.

Which leads me to the other point. As Cordero notes, this is not the first time she has treated the Snowden story as one primarily about bad security. I happen to agree with her about NSA’s embarrassing security: the fact that Snowden could walk away with so much utterly damns NSA’s security practices (and with this article we learn that, contrary to repeated assertions by the government, he was in an analytical role, though we’ve already learned that techs are actually the ones with unaudited access to raw data).

But here’s the thing: you cannot, as Cordero does, say that the “foreign intelligence collection activities [are] done with detailed oversight and lots of accountability” if it is, at the same time, possible for a SysAdmin to walk away with the family jewels, including raw data on targets. If Snowden could take all this data, then so can someone maliciously spying on Americans — it’s just that that person wouldn’t go to the press to report on it and so it can continue unabated. In fact, in addition to rolling out more whistleblower protections in the wake of Snowden, NSA has made some necessary changes (such as not permitting individual techs to have unaudited access to raw data anymore, which appears to have been used, at times, as a workaround for data access limits under FISA), even while ratcheting up the insider threat program that will, as Cordero suggested, chill certain useful activities. One might ask why the IC moved so quickly to insider threat programs rather than just implementing sound technical controls.

Carrie Cordero’s lesson, aside from grading the participants in this email scrum with across-the-board As, is that Snowden complaining about the same training programs the IG was also complaining about should have been a counterintelligence issue but wasn’t because of the great trust at NSA. That argument, taken in tandem with Cordero’s vouching for NSA’s employees, should not, itself, inspire trust.

James Clapper’s Latest Effort To Fearmonger about Snowden’s Damage

In addition to getting him to admit the US can’t fix the Middle East but we have to stay because our “leadership” is needed there, in this column David Ignatius asked James Clapper, again, about how much damage Edward Snowden has caused.

Clapper said the United States still can’t be certain how much harm was done to intelligence collection by the revelations of disaffected National Security Agency contractor Edward Snowden. “We’ve been very conservative in the damage assessment. Overall, there’s a lot,” Clapper said, noting that the Snowden disclosures made terrorist groups “very security-conscious” and speeded the move to unbreakable encryption of data. And he said the Snowden revelations may not have ended: “The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Let’s unpack this.

Clapper provides two pieces of evidence for damage:

  1. Snowden disclosures have made terrorist groups “very security-conscious”
  2. Snowden disclosures have “speeded the move” [by whom, it’s not entirely clear] to unbreakable encryption

That’s a bit funny, because what we saw from the terrorist cell that ravaged Paris and Belgium was — as The Grugq describes it — “drug dealer tradecraft writ large.” Stuff that they could have learned from watching the Wire a decade ago, with a good deal of sloppiness added in. With almost no hints of the use of encryption.

If the most dangerous terrorists today are using operational security that they could have learned years before Snowden, then his damage is not all that great.

Unless Clapper means, when he discusses the use of unbreakable encryption, us? Terrorists were already using encryption, but journalists and lawyers and US-based activists might not have been (activists in more dangerous places might have been using encryption that the State Department made available).

Neither of those developments should be that horrible. Which may be why Clapper says, “We’ve been very conservative in the damage assessment” even while insisting there’s a lot. Because this is not all that impressive, unless as Chief Spook you think you should have access to the communications of journalists and lawyers and activists.

I’m most interested, however, in this escrow idea.

“The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Snowden and Glenn Greenwald and Laura Poitras and Bart Gellman have said about a zillion times that Snowden handed everything off before he went to Russia. And everyone who knows anything about Russia would assume if he brought documents there, Putin has had them for almost 3 years.

Sure, there are surely documents that reporters have that, reviewed in the future by other people, may result in new disclosures. But the suggestion that Snowden himself is asking the journalists to hold back some of the documents “in escrow” is rather curious. Why would Snowden withhold documents until such time that the technology behind disclosures would be out of date?

I mean, it’s useful as a basis to claim that Snowden will continue to damage the IC when there’s actually not that much evidence he already has. But it doesn’t make much sense to me.

Ah well. In the article Clapper says he’ll be around for 265 days, which means around February 9 of next year, someone else will take up fearmongering about Edward Snowden.

The IC Can’t Even Decide What Is Classified in Hillary’s Emails But They’re Attempting To Do Same on the Internet

Yesterday, Steven Aftergood noted that, rather than prosecute leakers, the Intelligence Community is instead taking administrative measures against people who leak information. We’ve known they were moving in that direction for some time (largely through Aftergood’s efforts). But he posts now de-classified testimony obtained via FOIA that Bob Litt gave in 2012 explaining the change.

“This Administration has been historically active in pursuing prosecution of leakers, and the Intelligence Community fully supports this effort,” said ODNI General Counsel Robert S. Litt in testimony from a closed hearing of the Senate Intelligence Committee in 2012 that was released last week in response to a Freedom of Information Act request.

But, he said, “prosecution of unauthorized disclosure cases is often beset with complications, including difficult problems of identifying the leaker, the potential for confirming or revealing even more classified information in a public trial, and graymail by the defense.”

Therefore, Mr. Litt said, in 2011 Director of National Intelligence James Clapper ordered intelligence agencies “to pursue administrative investigations and sanctions against identified leakers wherever appropriate. Pursuant to this DNI directive, individual agencies are instructed to identify those leak incidents that are ripe for an administrative disposition….”

As Aftergood notes, such measures sure didn’t dissuade Edward Snowden.

There are two more interesting details of note in the testimony Aftergood liberated. First, Litt provides a somewhat redacted assessment of whether IC elements have the ability to audit employee activities on their networks. Most members of the IC have some audit and monitoring in place. Whereas some are what Litt describes as “robust,” he admitted that “other agencies have less mature programs, but some ability to track employee online activity.”

I do hope for Litt’s sake he didn’t tell SSCI, a year before Snowden’s leaks, that the NSA was among the agencies with robust systems, because they ended up having no ability to track what he took, much less see him taking huge amounts of data in real time.

Perhaps most interesting, though, is Litt’s reference to the development of “automated systems … that will assist in identifying classified information published on the Internet.” By Litt’s testimony on February 9, 2012, an IC study had “concluded that it would be beneficial and feasible for ONCIX/S to implement a centralized and automated capability to identify potential unauthorized disclosures of classified information published electronically on the Internet.” The IC was looking for funding to develop a pilot program to do just that in 2012.

The example of Hillary’s email is testament to one of many problems with such a plan. Various intelligence agencies accused her aides of sharing classified information. But in at least some cases, the same information was available via open source (not to mention that it’s easy to suss out what the IC thinks its biggest secrets are).

So the IC will be scanning the Internet for stuff they think is theirs. But short of tracking classification markings, this will necessarily involve scanning for either known leaked information (so imagine them currently tracking everyone discussing a document Snowden leaked, anywhere in the world), or scanning for information that looks to have the particular syntax (heh) of an intelligence report.

There are a range of problems I can imagine that would result.

But that likely won’t stop the IC from trying to hold their glut of classified information inside their fences, or to hunt down people who seem to understand the same things the IC knows, in case that person can be caught talking to some person the IC would also like to enclose behind that fence.

Why Do They Call It Panama Papers, Anyway?

Over the weekend, a bunch of media outlets let loose shock and awe in bulk leak documents, PanamaPapers, with project leaders ICIJ and Sueddeutsche Zeitung — as well as enthusiastic partner, Guardian — rolling out big spreads on a massive trove of data from the shell company law firm Mossack Fonseca.

If all goes well, the leak showing what MF has been doing for the last four decades will lead us to have a better understanding of how money gets stripped from average people and then hidden in places where it will be safe from prying eyes.

Before I raise some questions about the project, I wanted to point to one of the best pieces of journalism I’ve seen from the project so far: this Miami Herald piece showing how its high end real estate boom has been facilitated by the money laundering facilitated by MF.

At the end of 2011, a company called Isaias 21 Property paid nearly $3 million — in cash — for an oceanfront Bal Harbour condo.

But it wasn’t clear who really owned the three-bedroom unit at the newly built St. Regis, an ultra-luxury high-rise that pampers residents with 24-hour room service and a private butler.

In public records, Isaias 21 listed its headquarters as a Miami Beach law office and its manager as Mateus 5 International Holding, an offshore company registered in the British Virgin Islands, where company owners don’t have to reveal their names.

[snip]

Buried in the 11.5 million documents? A registry revealing Mateus 5’s true owner: Paulo Octávio Alves Pereira, a Brazilian developer and politician now under indictment for corruption in his home country.

A Miami Herald analysis of the never-before-seen records found 19 foreign nationals creating offshore companies and buying Miami real estate. Of them, eight have been linked to bribery, corruption, embezzlement, tax evasion or other misdeeds in their home countries.

That’s a drop in the ocean of Miami’s luxury market. But Mossack Fonseca is one of many firms that set up offshore companies. And experts say a lack of controls on cash real-estate deals has made Miami a magnet for questionable currency.

The story is deeply contextualized with localized reporting that goes beyond the leaked documents. And it can lead to policy changes — restrictions on cash real estate transactions — that can help to stem (or at least redirect) the flow of this corrupt money. You could tell similar stories from big cities around North America (this has been a particular focus in NYC and Vancouver). And with effort, cities could crack down on such cash transactions, with all the negative effects they bring to localities.

But much of the other reporting so far remains at the level of shock and awe. Biggest leak ever! Putin Putin Putin! And much of the reporting reflects not just editorial bias, but some apparent innumeracy (though no one has yet released the real numbers) to claim that people from evil countries are proportionally more corrupt than people from good countries like the UK.

Where did these documents come from?

Here’s how SZ describes how they got these documents.

Over a year ago, an anonymous source contacted the Süddeutsche Zeitung (SZ) and submitted encrypted internal documents from Mossack Fonseca, a Panamanian law firm that sells anonymous offshore companies around the world. These shell companies enable their owners to cover up their business dealings, no matter how shady.

In the months that followed, the number of documents continued to grow far beyond the original leak. Ultimately, SZ acquired about 2.6 terabytes of data, making the leak the biggest that journalists had ever worked with. The source wanted neither financial compensation nor anything else in return, apart from a few security measures.

Nowhere I’ve seen explains where this source got the documents.

For almost three years, we have openly debated what I consider a fair question: what was Edward Snowden’s motivation for stealing the NSA’s crown jewels and was any foreign country involved? People have also asked questions about how he accessed so much: Did he steal colleagues’ passwords? Did he join Booz Allen solely to be able to steal documents? I think the evidence supports an understanding that his motives were good and his current domicile an unfortunate outcome. And we know some details about how he managed to get what he did — but the key detail is that he was a Sysadmin in a location where insider detection systems were not yet implemented and had credentials giving him unaudited access to many of the documents he obtained. Those details are a key part of understanding some of the story behind his leaks (and how NSA and GCHQ are organized).

Somehow, journalists aren’t asking such questions when it comes to this leak, the Unaoil leak that broke last week, or the leak of files on British Virgin Isles haven activity a few years back (which, like this project, ICIJ also had a central role in). I’m sympathetic to the argument that IDing who stole these documents would put her or him in terrible danger (depending on who it is). But I also think the level of description the Intercept gave — in the first paragraph of a story about stolen recordings of jailhouse phone calls that revealed improper retention of attorney client conversations — would be useful.

The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. [my emphasis]

The Intercept’s source, knowing of the problem, hacked recordings from an inadequately protected server.

As the Guardian’s own graphic makes clear, this leak dwarfs the leaks by Chelsea Manning and Hervé Falciani (the security engineer behind the HSBC leak). It probably dwarfs the Snowden leak (though oddly the Guardian, which had fingers in both, doesn’t include Snowden in its graphic). That ought to raise real questions about how someone could access so much more information than tech experts with key credentials working at the core of security in the targeted organizations could. And those questions are worth asking because if these files come from an external hacker — a definite possibility — then it ought to raise questions about how they were able to get so much undetected and even — as everyone felt appropriate to ask with Snowden — whether an intelligence agency was involved.

Where are the corrupt Americans?

As with the BVI leak before it, thus far this leak has included no details on any Americans. Some have suggested that’s because the Panama trade deal already brought transparency on US persons’ activities through the haven of Panama, except these files go back four decades, and Americans not only used Panama as a haven before that, but the CIA used it as a key laundering vehicle for decades, as Manuel Noriega would be all too happy to explain if western countries would let him out of prison long enough to do so. Moreover, the files are in no way restricted to Panama (indeed, some of the stories already released describe the establishment of shell companies within the US).

Not only haven’t we heard about any Americans, but even for the close American friends identified so far — starting with Saudi Crown Prince and close CIA buddy Mohammed bin Nayef — the details provided to date are scanty, simply the name of the shell he was using.

Craig Murray has already been asking similar questions.

Russian wealth is only a tiny minority of the money hidden away with the aid of Mossack Fonseca. In fact, it soon becomes obvious that the selective reporting is going to stink.

The Suddeutsche Zeitung, which received the leak, gives a detailed explanation of the methodology the corporate media used to search the files. The main search they have done is for names associated with breaking UN sanctions regimes. The Guardian reports this too and helpfully lists those countries as Zimbabwe, North Korea, Russia and Syria. The filtering of this Mossack Fonseca information by the corporate media follows a direct western governmental agenda. There is no mention at all of use of Mossack Fonseca by massive western corporations or western billionaires – the main customers. And the Guardian is quick to reassure that “much of the leaked material will remain private.”

What do you expect? The leak is being managed by the grandly but laughably named “International Consortium of Investigative Journalists”, which is funded and organised entirely by the USA’s Center for Public Integrity. Their funders include

Ford Foundation
Carnegie Endowment
Rockefeller Family Fund
W K Kellogg Foundation
Open Society Foundation (Soros)

among many others. Do not expect a genuine expose of western capitalism. The dirty secrets of western corporations will remain unpublished.

Expect hits at Russia, Iran and Syria and some tiny “balancing” western country like Iceland. A superannuated UK peer or two will be sacrificed – someone already with dementia.

Now, in response to people like me and Murray and Moon of Alabama asking those questions, the SZ editor in charge of their side of the project promises dirt on Americans will be coming. Let’s hope so, because this is a worthwhile leak of data, and it would be unfortunate for Americans and Brits to be deprived of learning more about the corruption among their elite.

Does this project follow up on Ken Silverstein’s earlier reporting?

Back in December 2014, Ken Silverstein did a fairly thorough review of MF at Vice (though he worked at the Intercept at the time).

[A] yearlong investigation reveals that Mossack Fonseca—which the Economist has described as a remarkably “tight-lipped” industry leader in offshore finance—has served as the registered agent for front companies tied to an array of notorious gangsters and thieves that, in addition to Makhlouf, includes associates of Muammar Gaddafi and Robert Mugabe, as well as an Israeli billionaire who has plundered one of Africa’s poorest countries, and a business oligarch named Lázaro Báez, who, according to US court records and reports by a federal prosecutor in Argentina, allegedly laundered tens of millions of dollars through a network of shell firms, some which Mossack Fonseca had helped register in Las Vegas.

Documents and interviews I’ve conducted also show that Mossack Fonseca is happy to help clients set up so-called shelf companies—which are the vintage wines of the money-laundering business, hated by law enforcement and beloved by crooks because they are “aged” for years before being sold, so that they appear to be established corporations with solid track records—including in Las Vegas. One international asset manager who talked to Mossack Fonseca about doing business with them told me that the firm offered to sell a 50-year-old shelf company for $100,000.

If shell companies are getaway cars for bank robbers, then Mossack Fonseca may be the world’s shadiest car dealership.

Silverstein clearly had some documents, though there’s no indication he had the trove that started getting leaked to SZ and ICIJ in early 2015, just weeks after Silverstein’s story.

On Twitter, Silverstein suggested his story never got published because this was the period when the Intercept wasn’t publishing (I had something similar happen to me while there).

But given the close continuity between Silverstein’s story and SZ receipt of the first documents, are they part of the same effort?

Why do they call it the Panama Papers?

These aren’t papers showing the corruption that flows through Panama (for that matter, neither did the BVI leaks show all the corruption that flows through BVI, and there’s a significant BVI aspect to this leak). Rather, they show the corruption flowing through a Panamanian-based but global firm, Mossack Fonseca. Reporting on this tells us MF is only the fourth largest of these laundering specialists.

So, aside from the fact that few people have heard of MF, why are we calling this the Panama Papers and not “Here’s what the fourth largest of these companies is involved with”?

All of which is to say as huge as this leak is — which is good! — it’s still just a tiny fraction of what’s out there.

Let the resignations begin

None of this is meant to undermine the importance of this leak or the reporting of the team of journalists covering it. Indeed, the story already threatens to take down the Prime Minister of Iceland whose conflict of interest the files revealed. We should have more of these leaks, covering all the havens and shell-creators.

Just remember, as you’re watching the coverage, that we’re getting selective coverage of one particular corner of that industry (ICIJ has said something about releasing files in several months). By all means let’s go after the crooks this story exposes, but let’s remember the crooks who, for whatever reason, aren’t included in this one.

Update: Fusion, which is part of the data sharing, admits there are only 211 Americans identified in the stash, though thus far this is just from recent years (that is, the years that might be affected by the trade agreement).

International Consortium of Investigative Journalists (ICIJ) has only been able to identify 211 people with U.S. addresses who own companies in the data (not all of whom we’ve been able to investigate yet). We don’t know if those 211 people are necessarily U.S. citizens.

All that said, the very good experts (including Jack Blum, who’s as good on these issues as anyone) don’t have very compelling explanations why there aren’t Americans in the stash.

Update: McClatchy describes some of the 200-some Americans whose passports show up in the files. All the ones it describes have been prosecuted (though several got light punishments).

NSA Reorganizing in Manner that Directly Conflicts with President’s Review Group Recommendation

Back in 2013, the President’s Review Group recommended that NSA’s defensive function — the Information Assurance Directorate — be removed from NSA. I’ve put the entirety of that recommendation below, but PRG recommended the change to:

  • Eliminate the conflict of interest between NSA’s offensive and defense functions
  • Eliminate the asymmetry between the two functions, which can lead the defensive function to be less visible
  • Rebuild trust with outside cybersecurity stakeholders

Not only didn’t President Obama accept that recommendation, but he pre-empted it in several ways, before the PRG could publicly release their findings.

[O]n Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panel President Obama set up in August to review the NSA’s activities in response to the Edward Snowden leaks.

The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were “still being finalized”). The biggest news item were reports about a recommendation that the director of the NSA (Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.

Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.

By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split.

Today, Ellen Nakashima reports that NSA will go further still, and completely merge its offensive and defensive missions.

In place of the Signals Intelligence and Information Assurance directorates, the organizations that historically have spied on foreign targets and defended classified networks against spying, the NSA is creating a Directorate of Operations that combines the operational elements of each.

[snip]

Some lawmakers who have been briefed on the broad parameters consider restructuring a smart thing to do because an increasing amount of intelligence and threat activity is coursing through global computer networks.

“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”

But there have been rumblings of discontent within the NSA, which is based at Fort Meade, Md., as some fear a loss of influence or stature.

Some advocates for the comparatively small Information Assurance Directorate, which has about 3,000 people, fear that its ability to work with industry on cybersecurity issues will be undermined if it is viewed as part of the much larger “sigint” collection arm, which has about eight times as many personnel. The latter spies on overseas targets by hacking into computer networks, collecting satellite signals and capturing radio waves.

While Nakashima presents some conflicting views on whether IAD will be able to cooperate with industry, none of the comments she includes addresses the larger bureaucratic issue: that defense is already being shortchanged in favor of the glitzier offensive function.

But Edward Snowden did weigh in, in response to a comment I made on this on Twitter.

When defense is an afterthought, it’s not a National Security Agency. It’s a National Spying Agency.

It strikes me this NSA reorganization commits the country to a particular approach to cybersecurity that will have significant ramifications for some time. It probably shouldn’t be made with the exclusive review of the Intelligence Committees mostly in secret.


We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.

In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.

We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.

A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.

Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.

There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to block penetration. Such collaboration could and must occur even if IAD is organizationally separate.

In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress. Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.

A Whole Lot of Inspector General Scrutiny on Intelligence Community Networks

Between this report, released today, on DOD Inspector General’s ongoing work and the Intelligence Community’s Inspector General Semiannual report, released in mid-January, the Intelligence Community is doing a whole bunch of audits and inspections of its own network security, some of them mandated by Congress. And there are at least hints that all is not well in the networks that enable the Intelligence Community to share profusely.

The most interesting description of a report from ICIG’s Semiannual review, for example, suggests that, given the IC’s recent move to share everything on an Amazon-run cloud, the bad security habits of some elements of the IC are exposing other elements within the IC.

AUD-2015-006: Transition to the Intelligence Community Cloud Audit

The DNI, along with Intelligence Community leadership, determined that establishing a common IT architecture across the IC could advance intelligence integration, information sharing, and enhance security while creating efficiencies. This led to the Intelligence Community Information Technology Enterprise, an IC-wide initiative coordinated through the Office of the Intelligence Community Chief Information Officer. IC ITE’s sharing capability is enabled by a cloud-based architecture known as the IC Cloud – a secure resource delivering IT and information services and capabilities to the entire community. The cloud will allow personnel to share data, systems, and applications across the IC. The IC elements’ effective transition to the IC ITE cloud environment is key to achieving the initiative’s overarching goals and as such, systems working together in a cloud environment creates potential security concerns.

In particular, information system security risks or vulnerabilities to one IC element operating within IC ITE may put all IC elements at risk. Information from a joint IG survey of 10 IC elements suggested that the elements may have the differing interpretations of policies and requirements, or are not fully aware of their responsibilities for transitioning to the IC Cloud. As a result of these preliminary observations, IC IG initiated an audit that will:

1. Assess how the IC elements are planning to transition to the IC ITE Cloud environment;
2. Determine IC elements’ progress in implementing cloud transition plans; and,
3. Compare how IC elements are applying the risk management framework to obtain authorizations to operate on the IC Cloud.

We plan to issue a report by the end of the first quarter of FY 2017. [my emphasis]

The IC is banking quite a bit on being able to share safely within the cloud. I would imagine that fosters a culture of turf war and recriminations for any vulnerabilities. It certainly seems that this report arises out of problems — or at least the identification of potential problems — arising from the move to the cloud. Note that this report won’t be completed until the end of this calendar year.

Then there’s this report, which was mandated in a classified annex of the Intelligence Authorization passed in December and, from the looks of things, started immediately.

Audit of Controls Over Securing the National Security Agency Network and Infrastructure (Project No. D2016-DOOORC-0072.000)

We plan to begin the subject audit in January 2016. Our objective is to determine whether initiatives implemented by the National Security Agency are effective to improve security over its systems, data, and personnel activities. Specifically, we will determine whether National Security Agency processes and technical controls are effective to limit privileged access to National Security Agency systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. The classified annex to accompany H.R. 2596, the Intelligence Authorization Act for Fiscal Year 2016, contained a Department of Defense Inspector General classified reporting requirement. This audit is the first in a series. We will consider suggestions from management on additional or revised objectives.

It seems to be an assessment — the first in a series — of whether limits on privileged access to NSA systems are working. This may well be a test of whether the changes implemented after the Snowden leak (such as requiring two parties to be present when performing functions in raw data, such as required on dragnet intake) have mitigated what were some obviously huge risks.

I’m mostly curious about the timing of this report. You would have thought the implementation of such controls would come automatically with some kind of audit, but they’re just now, 2.5 years later, getting around to that.

Here are some other reports from the ICIG report, the latter three of which indicate a real focus on information sharing.

AUD-2015-007: FY 2015 Consolidated Federal Information Security Modernization Act of 2014 Capstone Reports for Intelligence Community Elements’ Inspectors General

This project will focus on FY 2015 FISMA report submissions from the OIGs for the IC elements operating or exercising control of national security systems. We will summarize 11 IC elements’ information security program strengths and weaknesses; identify the cause of the weaknesses in these programs, if noted by the respective OIGs; and provide a brief summary of the recommendations made for IC information security programs. To perform this evaluation, we will apply the Department of Homeland Security FY 2015 IG FISMA metrics for ten information security program areas.

1. Continuous Monitoring Management
2. Security Configuration Management
3. Identity and Access Management
4. Incident Response and Reporting
5. Risk Management
6. Security Training
7. Plan of Action and Milestones
8. Remote Access Management
9. Contingency Planning
10. Contractor Systems

We will issue our report by the end of the first quarter of FY 2016.

INS-2015-004: Inspection: Office of the Intelligence Community Chief Information Officer

The IC CIO is accountable for overall formulation, development, and management of the Intelligence Community Information Technology Enterprise. The scope of our review was limited and informed by a concurrent IC IG Audit survey of IC ITE, as well as an ongoing evaluation of IC ITE progress by the ODNI Systems and Resources Analyses office. Additional details of this report are in the classified annex.

INS-2015-005: Joint Evaluation of Field Based Information Sharing Entities

Along with our OIG partners at the Departments of Justice and Homeland Security, we are evaluating federally supported entities engaged in field-based domestic counterterrorism, homeland security, and information sharing activities in conjunction with state, tribal, and local law enforcement agencies. This review is in response to a request from Senate committees on Intelligence, Judiciary, Homeland Security and Governmental Affairs. We will issue our report during FY 2016.

INS-2015-006: Inspection: ODNI Office of the Program Manager–Information Sharing Environment

We last inspected the ODNI PM-ISE office in 2013 and are conducting a follow-up review with a focus on resource management.