After the Torture Report came out, I argued we ought to take a broader lesson from it about failures of accountability in CIA’s covert programs. Specifically, I noted how the drone program — which operated under the same Memorandum of Notification as torture for years — appeared to suffer from the same problems as the torture program.
On the second day of Barack Obama’s presidency, he prohibited most forms of physical torture. On the third, a CIA drone strike he authorized killed up to 11 civilians.
Other reporting may explain why the report portrays Bush, rightly or wrongly, as so uninvolved in the torture program. Both Woodward and Mayer explain that the Sept. 17, 2001, MON was designed to outsource all the important decision-making to the CIA. “To give the President deniability, and to keep him from getting his hands dirty,” Mayer writes in The Dark Side, “the [MON] called for the President to delegate blanket authority to Tenet to decide on a case-by-case basis whom to kill, whom to kidnap, whom to detain and interrogate, and how.” Whether or not Bush had knowledge of what was going on, the very program itself was set up to insulate him from the dirty work, giving him the ability to claim ignorance of a torture program everyone else knew about. (Later, Bush claimed that he was fully briefed.)
But as we know, this insulation created the conditions for a program that was allowed to spin so horribly out of control that the CIA was able to misplace 29 detainees and not worry all that much.
The implications of this subterfuge, however, do not end with the torture program. Nor with George W. Bush. This is the same MON that authorizes the CIA’s current drone program. Presumably that means the drone program is characterized by the same unaccountable structures.
Indeed, after Obama escalated the CIA’s use of drones when he took office, the program suffered from some of the same problems as the torture program. The CIA appears to have misinformed Congress about the details, given claims by people like House Intelligence Committee ranking member Dutch Ruppersberger (D-Md.) that the program had “very minor” civilian casualties, despite the fact that evidence shows that more than 1,000 people have been killed while targeting fewer than 50 terrorists. And like the CIA’s detention and torture of the wrong suspects, a number of drone strikes have killed the wrong people — but with even greater frequency.
Top-ranking members of Congress, including Sen. Dianne Feinstein (D-Calif.), the chair of the Senate Intelligence Committee, have long insisted they have more oversight over the drone program than they did over torture. But the number of significant mistakes — take, for example, the attack on a wedding party earlier this year — suggests that oversight isn’t preventing the same kind of mistakes that happened with torture. Moreover, as with the torture program, the congressional intelligence committees aren’t able to get the information they request from the White House and the CIA. It was only after years of requests that the intelligence committees were allowed to review the administration’s justification for having the CIA kill Anwar al-Awlaki, a U.S. citizen, with a drone strike. Worse, the reports that the CIA killed Awlaki’s 16-year-old son, Abdulrahman, are also shrouded in secrecy and full of inconsistencies.
AP’s Ken Dilanian has a long article in similar vein, noting that the drone and Non Official Cover program have never been scrutinized this closely, in spite of complaints of abuse.
Yet the intelligence committees have never taken a similar look at what is now the premier counterterrorism effort, the CIA’s drone-killing program, according to congressional officials who were not authorized to be quoted discussing the matter.
Intelligence committee staff members are allowed to watch videos of CIA drone missile strikes to monitor the agency’s claims that civilian casualties are limited. But these aides do not typically get access to the operational cables, message traffic, interview transcripts and other raw material that forms the basis of a decision to kill a suspected terrorist.
Nor have they been able to examine cables, emails and raw reporting to investigate recent perceived intelligence lapses, such as why the CIA failed to predict the swift fall of Arab governments, Russia’s move into Ukraine or the rapid military advance of the Islamic State group.
And there have been no public oversight reports on the weak performance of the CIA’s multibillion-dollar “nonofficial cover” program to set up case officers posing as businessmen, which has met with some criticism.
In addition to the nice review of how Dianne Feinstein’s staffers managed to do this work (which you should click through to read), Dilanian also got a fairly scathing interview with Feinstein herself (though she insists drones get enough oversight). In it, she professes to have lost her faith that the CIA is telling the truth in briefings.
The torture investigation, she said in an interview with The Associated Press, has “changed how I view management in the CIA. It’s changed how I view the brotherhood of the CIA. I believe you do not lie to your oversight committee. And I think the way the program was managed was sloppy.”
The lesson for traditional intelligence oversight, she said, was that “you can sit and listen to a report — you don’t know whether it’s all the truth, you don’t know what gets left out. And part of (CIA) tradecraft is deception.”
She said she believes the CIA continues to lie about the effectiveness of torture.
And she dishes on White House collaboration with the CIA to overclassify the report.
But while Obama publicly supported releasing the report’s findings and conclusions, the administration privately pushed to keep significant parts of the summary secret, Feinstein said.
“The president said that he agreed the report should be made public, that he doesn’t condone (the harsh interrogations), but it sort of ends there,” Feinstein said.
She said she perceived “an incredible closeness” between Obama’s chief of staff, Denis McDonough, and Brennan, “and the president and John Brennan.” In negotiations with Feinstein about what parts of the summary should be censored, McDonough spoke for the White House, but there was no daylight between him and the CIA, she said.
Feinstein said both wanted to black out large chunks of the executive summary in the name of protecting sensitive information.
It also provides more details on the attempt to fearmonger DiFi into suppressing the report at the last minute, including that Democrats didn’t find James Clapper’s report on the dangers of releasing it all that convincing.
This is, I think, one of the necessary conclusions to draw from the Torture Report: oversight isn’t working, because — as DiFi notes — CIA’s tradecraft is all about deception.
Let’s hope she really has learned a bit from this process, even if it’s too late to do anything about it as Chair.
As I keep explaining to gobsmacked security experts, according to the DHS, not only are motion picture studios like Sony considered Critical Infrastructure the security establishment must protect, but so are casinos (and campgrounds!) as part of the “Commercial Facilities Sector.”
The Commercial Facilities Sector consists of eight subsectors:
- Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
- Sports Leagues (e.g., professional sports leagues and federations).
- Gaming (e.g., casinos).
- Lodging (e.g., hotels, motels, conference centers).
- Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
- Entertainment and Media (e.g., motion picture studios, broadcast media).
- Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
- Retail (e.g., retail centers and districts, shopping malls).
Which is why I find it interesting that along with noting that hackers might start altering — rather than just zeroing out — the entries in software, in his Global Threats testimony James Clapper asserted that “Iranian actors have been implicated” in hacking Sheldon Adelson’s casino.
Iran very likely values its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence. Iranian actors have been implicated in the 2012-13 DDOS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company.
A number of outlets reported that Iran, rather than Iranian actors, did the hack.
Bloomberg reported that Iranians were behind the hack in December.
I can think of a number of reasons why the US didn’t make a bigger deal out of Iranians hacking our critical infrastructure, Sheldon Adelson’s casinos: because they couldn’t prove the tie between the actors and the Iranian state, because fighting to protect Adelson’s corruption is less palatable than fighting to protect Hollywood, because it would have focused attention on Adelson’s threats to bomb Iran, and because they’re trying to craft a peace deal.
And that’s probably just a start.
Still, I’m surprised others — such as Bibi Netanyahu — haven’t made a bigger issue out of Iranian actors’ successful attack on one of the people funding the anti-Iranian lobby.
Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?
(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;
Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.
It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.
Integrity of Information
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
- Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.
Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).
But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.
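The “institutionalized checks and balances” the Clapper excerpt says an integrity attack would have to defeat are, at bottom, reconciliation: recompute what the books should say from the underlying record and compare. Here is an added example of that check (mine, not anything from the Review Group or the ODNI testimony) over a constructed transaction journal. Account names, amounts and the hash-chain scheme are all constructed for illustration; the point it makes is that replaying the journal catches a cooked balance, while a cooked journal still balances and is only caught by the chained digest.

```python
"""Added example: reconciling stored balances against a transaction journal.
All accounts, amounts and the chaining scheme below are constructed for
illustration; none of it is taken from a real institution."""
import hashlib
import json
from collections import defaultdict

# Constructed journal: each entry moves `cents` from one account to another.
# Every balance must be derivable from this record alone.
JOURNAL = [
    {"seq": 1, "from": "bank", "to": "acct-A", "cents": 50000},
    {"seq": 2, "from": "bank", "to": "acct-B", "cents": 12000},
    {"seq": 3, "from": "acct-A", "to": "acct-B", "cents": 7500},
    {"seq": 4, "from": "acct-B", "to": "acct-C", "cents": 2000},
]

# Constructed "stored" balances, as a ledger system might report them.
STORED_OK = {"bank": -62000, "acct-A": 42500, "acct-B": 17500, "acct-C": 2000}


def replay_balances(journal):
    """Recompute every balance from the journal, ignoring what is stored."""
    balances = defaultdict(int)
    for entry in journal:
        balances[entry["from"]] -= entry["cents"]
        balances[entry["to"]] += entry["cents"]
    return dict(balances)


def reconcile(stored, journal):
    """Return {account: (stored, replayed)} for every account that disagrees.

    This is the check that catches a balance edited in place: the stored
    number no longer matches what the journal says it should be."""
    replayed = replay_balances(journal)
    accounts = set(stored) | set(replayed)
    return {
        a: (stored.get(a, 0), replayed.get(a, 0))
        for a in accounts
        if stored.get(a, 0) != replayed.get(a, 0)
    }


def double_entry_holds(balances):
    """Every transfer debits one account and credits another, so the sum is
    always zero. Note this still holds for a journal whose entries were
    altered, which is why reconciliation alone cannot detect a cooked journal."""
    return sum(balances.values()) == 0


def chain_digest(journal):
    """Hash-chain the journal so that altering, dropping or inserting any entry
    changes the final digest. Comparing this against a copy held elsewhere
    (a clearing house, an auditor) is what catches edits to the record itself."""
    prev = b"\x00" * 32
    for entry in journal:
        body = json.dumps(entry, sort_keys=True).encode()
        prev = hashlib.sha256(prev + body).digest()
    return prev.hex()


if __name__ == "__main__":
    print("mismatches against honest store:", reconcile(STORED_OK, JOURNAL))
    cooked_store = dict(STORED_OK, **{"acct-A": 142500})
    print("mismatches against cooked store:", reconcile(cooked_store, JOURNAL))
    cooked_journal = [dict(e) for e in JOURNAL]
    cooked_journal[2]["cents"] = 7600
    print("cooked journal still balances:", double_entry_holds(replay_balances(cooked_journal)))
    print("digests differ:", chain_digest(cooked_journal) != chain_digest(JOURNAL))
```

The two checks cover different attacks. Editing a stored balance without touching the journal fails `reconcile`. Editing a journal entry keeps the books in balance and passes `reconcile` against a store updated to match, so the only thing that catches it is a digest the attacker could not also rewrite, which is the role market monitoring and clearing functions play in the excerpt above.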
In the Q&A portion of a James Clapper chat at Council on Foreign Relations yesterday, he was asked about the phone dragnet and Section 215 (this starts after 48:00).
He made news for the way he warned Congress that if they take away Section 215 (he didn’t specify whether he was talking about just the phone dragnet or Section 215 and the roughly 175 other orders authorized under it) and something untoward happens as a result, they better be prepared to take some of the blame.
Q: In recent days the government reauthorized the telephone metadata collection program through June 1st, when there’s the Sunset date, obviously, of Section 215 of the PATRIOT Act. What do you want to see happen after that?
Clapper: Well, what we have agreed to, Attorney General Eric Holder and I, last September, signed a letter saying that we supported the notion of moving the retention of the data to providers in a bill that was — actually came out of the Senate from Senator Leahy, so we signed up to that. I think that’s the only thing that’s realistic if we’re going to have this at all. In the end, the Congress giveth and the Congress taketh away. So if the Congress in its wisdom decides that the candle isn’t worth the flame, the juice isn’t worth the squeeze, whatever metaphor you want to use, that’s fine. And the Intelligence Community will do all we can within the law to do what we can to protect the country. But, I have to say that every time we lose another tool in our toolkit, you know? It raises the risk. And so if we have — if that tool is taken away from us, 215, and some untoward incident happens which could have been thwarted had we had it I just hope that everyone involved in that decision assumes responsibility. And it not be blamed if we have another failure exclusively on the intelligence community.
At one level, I’m absolutely sympathetic with Clapper’s worries about getting blamed if there’s another attack (or something else untoward). In some cases (particularly in the aftermath of the 2009 Nidal Hasan and Umar Farouk Abdulmutallab attacks), politicians have raised hell about the Intelligence Community missing a potential attack. But that really did not happen after the Boston Marathon; contemporaneous polls even said most people accepted that you couldn’t prevent every attack. Moreover, in that case, NSA — the entity running the phone dragnet — was excluded from more intensive Inspector General review, as NSA has repeatedly been in the past (including, to a significant extent, the 9/11 attack), even though it had collected data on one or both of the Tsarnaev brothers but not accessed it until after the attack. In other words, NSA tends not to be held responsible even when it is.
Clapper’s fear-mongering has gotten most of the attention from that Q&A, even more than Clapper’s admission elsewhere that “moderate” in Syria — he used scare quotes — means “anyone who’s not affiliated w/I-S-I-L.”
But on the phone dragnet, I found this a far more intriguing exchange.
Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?
Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.
In general, discussions about why the NSA needs 5 years of phone dragnet have used a sleeper argument: a suspect might have spoken to someone of interest 4 years ago, which would be an important connection to identify and pursue. But that’s not what Clapper says here. They need years and years of our phone records not to find calls we might have made 5 years ago, but to “discern patterns.”
Well, that changes things a bit, and may even suggest how they’re actually using the phone dragnet.
While we know they have, at times, imputed some kind of meaning to the lengths of calls — for a while they believed calls under 2 minutes were especially suspicious until they realized calls to the pizza joint also tend to be under 2 minutes — there’s another application where pattern analysis is even more important: matching burner phones. You need a certain volume of past calls to establish a pattern of a person’s calls so as to be able to identify another unrelated handset that makes the same pattern of calls as the same person.
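To make concrete what “discern a pattern” means and why it depends on retention, here is an added example (my own, not anything disclosed about the NSA’s actual process) that matches a handset to a known one by its calling pattern over a constructed set of call detail records. Handset names, contact numbers and the day-by-day rhythm are all constructed. It also encodes the pizza-joint lesson from the paragraph above: a number everyone calls is down-weighted to nothing, so the match has to rest on rare contacts, and those only accumulate if enough history is retained.

```python
"""Added example: burner matching by call-pattern similarity over constructed
call detail records (CDRs). Nothing here is real data or a real agency tool."""
import math
from collections import Counter, defaultdict

MAX_DAY = 59  # the constructed dataset covers days 0..59


def build_cdrs():
    """Constructed CDRs as (day, caller, callee).

    K is the known handset, active days 0-29 and then silent. X appears on
    day 30 with the same rhythm of contacts (the hypothesised burner). Y shares
    one contact with K; Z shares none. Everyone calls 'pizza' daily."""
    cdrs = []
    for day in range(MAX_DAY + 1):
        for handset, active in (("K", day < 30), ("X", day >= 30), ("Y", True), ("Z", True)):
            if not active:
                continue
            cdrs.append((day, handset, "pizza"))
            if handset in ("K", "X"):
                if day % 2 == 0:
                    cdrs.append((day, handset, "c2"))
                if day % 7 == 0:
                    cdrs.append((day, handset, "c3"))
                if day % 10 == 0:
                    cdrs.append((day, handset, "c4"))
            elif handset == "Y":
                if day % 5 == 0:
                    cdrs.append((day, handset, "c2"))
                if day % 2 == 0:
                    cdrs.append((day, handset, "y1"))
            else:
                if day % 3 == 0:
                    cdrs.append((day, handset, "z1"))
    return cdrs


def fingerprints(cdrs, retention_days):
    """Per-handset weighted contact profile using only the last `retention_days`.

    Weight = call count x log(handsets / handsets that call this number), so a
    number everyone calls (the pizza joint) contributes nothing and rare
    contacts dominate."""
    cutoff = MAX_DAY - retention_days
    counts = defaultdict(Counter)
    for day, caller, callee in cdrs:
        if day > cutoff:
            counts[caller][callee] += 1
    n_handsets = len(counts)
    callers_per_callee = Counter(callee for c in counts.values() for callee in c)
    idf = {callee: math.log(n_handsets / k) for callee, k in callers_per_callee.items()}
    return {h: {callee: cnt * idf[callee] for callee, cnt in c.items()} for h, c in counts.items()}


def cosine(a, b):
    """Cosine similarity between two sparse weighted profiles."""
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_candidates(known, cdrs, retention_days):
    """All other handsets ranked by similarity to `known`, best first."""
    fps = fingerprints(cdrs, retention_days)
    target = fps.get(known, {})
    return sorted(((cosine(target, fp), h) for h, fp in fps.items() if h != known), reverse=True)


def match_burner(known, cdrs, retention_days, threshold=0.9):
    """(handset, score) for the best candidate if it clears the threshold, else None."""
    ranked = rank_candidates(known, cdrs, retention_days)
    if not ranked or ranked[0][0] < threshold:
        return None
    score, handset = ranked[0]
    return handset, round(score, 3)


if __name__ == "__main__":
    cdrs = build_cdrs()
    print("60 days retained:", match_burner("K", cdrs, retention_days=60))
    print("35 days retained:", match_burner("K", cdrs, retention_days=35))
    print("ranking at 35 days:", rank_candidates("K", cdrs, retention_days=35))
```

With the full 60 days retained, X scores about 0.99 against K and is declared a match. Cut retention to 35 days and most of K’s history is gone: X is still the top candidate but scores about 0.74, below the threshold, so no match is made. That is the retention argument Clapper is making, reduced to arithmetic; it also shows why the accuracy figure behind any such match depends entirely on how much history the matcher was given.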
Connection chaining, not contact chaining.
Clapper’s revelation that they need years of retention for pattern analysis, not for contact chaining, seems consistent with the language describing the chaining process under USA Freedom Act.
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
That is, they’d be getting all the calls the target had made, as well as all the calls an identifiable target’s associate or additional phone had made.
And remember, one of the NSA’s two greatest “successes” with the phone dragnet — when they found that Adis Medunjanin, whom they already knew to be associated with Najibullah Zazi, had a phone they hadn’t known about — involves burner matching. That match took place at an important moment, too, when the NSA had turned off its automatic correlation process (which uses a dedicated database to identify the other known identities of a person in a chain), and when its queries were as closely controlled as they ever have been in the wake of the massive violations in 2009. At a time when they were running a bare bones phone dragnet, they were still doing burner matching, and considered that a success.
Now, let me be clear: matching the burner phones of real suspects is a reasonable use for a phone dragnet, though the government ought to provide more clarity about whether they’re matching solely on call patterns or on patterns of handset use, including on the Internet. It’d also be nice if anyone caught in this fashion had some access to the accuracy claims the government has made and the basis used to make those accuracy claims (for one incarnation of the Hemisphere dragnet, DEA was claiming 94% accuracy, based on 10 years of data and, apparently, multiple providers). And this points to the importance of retaining FISC review of the targets, because people for whom there is not reasonable articulable suspicion of ties to terrorism ought to be able to use burner phones.
James Clapper’s office has gone to great lengths to try to hide any mention of pattern analysis in declassified discussions of the phone dragnet. Apparently, Clapper doesn’t think that detail needs to be classified anymore.
I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.
At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.
Unpredictable instability is the new normal. The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.
It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.
And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).
US-backed neoliberalism and austerity — and the underlying bank crisis that provided the excuse for it — has contributed to instability elsewhere, and probably underlies those countries that Clapper thinks might grow unstable in the next year.
We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).
There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.
There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.
Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).
Still, even in spite of the fact that Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?
I noted the other day how centrally James Clapper foregrounded his recent trip to North Korea in his discussion of the alleged North Korean hack of Sony. Now that the transcript is up, I see the trip was even more central in his discussion than reports had indicated. After noting that Jim Comey (whom he called “the senior expert on the investigative side of cybersecurity”) and Admiral Mike Rogers (whom he called “the senior expert on how cybersecurity ops actually happen”) would say more in following speeches, Clapper launched into a description of his trip, as if it were central to the discussion of the hack.
I’m not an expert on cyber. I guess that’s a way of saying I’m going to refer technical questions to the real experts here.
So, I was trying to think through what my contribution to this conference could possibly be. Well, I recently traveled to North Korea (and back, happily). So I thought I’d talk about that. [delayed laughter]
Yes, that’s a joke. [laughter] I learned from Father McShane that this crowd needs cuing. [laughter, applause]
I’ll talk about that and how it applies to this week’s conversation about cyber, given the Sony hack.
The first question I always get about the trip is: “Why you?” As in, “Why on earth would we send the DNI, the director of national intelligence, especially this DNI, on a diplomatic mission to get two American citizens who were imprisoned in North Korea?”
Why would they send me? The truth is, the mission had been in the works for quite a while.
I find it interesting that Clapper described such a lead-up to the meeting. At the time, it was much more closely tied to the October 21 release of Jeffrey Fowle (though that, too, could have been in the works for months).
North Korea wanted an active member of the National Security Council and a cabinet level official to come and to bring a letter from President Obama.
Note Clapper describes North Korea’s goal was that he “bring a letter” from President Obama. I find that notable given the reporting at the time about that letter — and Clapper’s unwillingness to read it during his press blitz about it.
The White House knows I’ve had a long history of working Korean issues, since I served as chief of intelligence for U.S. Forces in Korea in the mid-‘80s. So the White House put my name forward to the DPRK, the Democratic People’s Republic of Korea as they call themselves, government in Pyongyang. And I think we were all surprised, to include me, when they agreed. That’s how and why I was picked to go.
Actually, I thought the New York Times had a better explanation: Clapper is “Gruff, blunt-speaking and seen by many as a throwback to the Cold War.” [laughter]
“An unlikely diplomat, but perfect for the North Koreans.” [laughter]
Clapper is adopting the NYT’s description to pitch this as a Cold War, even though reporting at the time suggested relations with North Korea might be improving.
That’s the nicest thing the New York Times has ever written about me. [laughter, applause]
After that jokey beginning, Clapper took a long diversion to talk about how to prevent hacks and to provide some characterization of our adversaries online. Which brought him back to his discussion of the alleged North Korea hack, presented in contradistinction to what Clapper claimed was China’s objective — to break into networks to steal data that would allow it to surpass the US economically (which I don’t believe fully describes their motives or their actions).
That’s China’s primary motivation: to catch up to and then surpass Western industrial and defense capabilities and to eventually pass by the U.S. economy.
From there, Clapper claims, dubiously, that the Sony hack was the most damaging hack in the US, presenting it as stemming from an “entirely different philosophy” than he ascribes to China.
The Chinese are focused on those goals; whereas the recent cyber attack from North Korea, which by the way is the most serious cyber attack ever made against U.S. interests with potentially hundreds-of-millions of dollars and counting in damages, was driven by an entirely different philosophy.
He then launches into his own representation of North Korea as the quintessential totalitarian society, where people do mundane, labor-intensive jobs (which could be said about many countries) and where people “don’t show any emotion,” where they don’t even converse or laugh.
So, back to the weekend trip I took, which was exactly two months ago today. We flew into Pyongyang, the capital city, on Friday evening, the seventh of November. And the first thing that struck me was just how dark the city and airport were, just completely dark. We damaged a tire on the plane while taxiing in the dark, because of the poor construction of the taxiways and runways at Sunan airport.
Then, when I saw the city on Saturday, I was expecting to see drab clothes and lack of modern tools, people walking to get around, people sweeping and doing similar, mundane, labor-intensive jobs. And those expectations were met, from what I saw of Pyongyang. But I was also struck by how impassive everyone was. They didn’t show any emotion. They didn’t stop to greet each other, didn’t nod hello, and we didn’t see anyone conversing or laughing. They were just going about their business, going wherever they were going. It was almost automaton like. It was eerie.
This is James Clapper the dystopian novelist, depicting what he saw in less than 24 hours of being exposed to those whom North Korea permitted to be exposed to America’s top spy. Which Clapper then contrasts with the pleasure enjoyed by North Korea’s Generals (I’m curious how recently Clapper has considered how our menial laborers’ public lives would contrast with top Generals’ festive dinners?).
And the plight of the citizens of Pyongyang stood in solemn contrast to the dinner I had the previous night, Friday the seventh, an elaborate 12-course Korean meal. Having spent time in Korea, I consider myself somewhat a connoisseur of Korean food, and that was one of the best Korean meals I’ve ever had. Unfortunately, the company was not pleasurable.
By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.
That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.
But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community are so certain North Korea, the country, did the Sony hack.
Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).
You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]
Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based on anything but a (US based) phone number is too onerous for the Bureau.
IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.
Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.
But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.
He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.
However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).
I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA were most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.
Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.
Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.
But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?
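The IP check Comey describes above, together with the post’s caveat about what an address does and does not prove, as an added Python illustration; it is not the FBI’s method and not code from this post. The trusted relay names, the proxy address and the 175.45.176.0/22 prefix (chosen so that it contains the 175.45.178.xx address quoted above) are assumptions.

```python
"""Classify where an e-mail really came from using only Received: headers
written by relays we operate. Added illustration: not the FBI's method and
not code from the original post."""
import ipaddress
import re
from email import message_from_string

# Assumption: the attributed block is the /22 containing the 175.45.178.xx
# address quoted in the Dark Seoul report.
ATTRIBUTED_PREFIX = ipaddress.ip_network("175.45.176.0/22")
# Constructed: a proxy the senders usually relayed through.
KNOWN_PROXIES = {ipaddress.ip_address("203.0.113.7")}
# Constructed: the only relays whose Received: headers we trust.
TRUSTED_MTAS = {"mx1.example.net", "mx2.example.net"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)")
FROM_IP_RE = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def trusted_origin(raw_message):
    """Walk Received: headers newest to oldest and return the peer address
    logged by the last relay we operate. Every header below that one was
    supplied by the sender and may be forged, so it is ignored."""
    origin = None
    for header in message_from_string(raw_message).get_all("Received", []):
        by = BY_RE.search(header)
        if not by or by.group(1) not in TRUSTED_MTAS:
            break
        m = FROM_IP_RE.search(header)
        if m:
            origin = ipaddress.ip_address(m.group(1))
    return origin


def classify(raw_message):
    """'proxied', 'direct-attributed', 'other' or 'unknown'. Prefix membership
    says which network the connection left from, not who sat at the keyboard."""
    origin = trusted_origin(raw_message)
    if origin is None:
        return "unknown"
    if origin in KNOWN_PROXIES:
        return "proxied"
    if origin in ATTRIBUTED_PREFIX:
        return "direct-attributed"
    return "other"


# Constructed samples. Usual case: the sender relays through the proxy.
PROXIED = """Received: from mx2.example.net (mx2.example.net [192.0.2.2])
 by mx1.example.net with ESMTP id A1; Sat, 13 Dec 2014 10:00:00 +0000
Received: from relay.example.org (relay.example.org [203.0.113.7])
 by mx2.example.net with ESMTP id B2; Sat, 13 Dec 2014 09:59:58 +0000
"""
# The slip Comey describes: the proxy is skipped and our relay sees the
# attributed prefix directly.
DIRECT = """Received: from [175.45.178.10] (unknown [175.45.178.10])
 by mx1.example.net with ESMTP id D4; Sun, 14 Dec 2014 02:10:00 +0000
"""
# A header planted by the sender: reading the oldest Received: line would
# blame the prefix, but the hop our relay logged says otherwise.
FORGED = """Received: from vps.example.com (vps.example.com [198.51.100.50])
 by mx1.example.net with ESMTP id E5; Mon, 15 Dec 2014 08:00:00 +0000
Received: from [175.45.178.10] (unknown [175.45.178.10])
 by fake.invalid with SMTP id F6; Mon, 15 Dec 2014 07:59:00 +0000
"""
```

Even the “direct-attributed” result only places the connection inside an allocated block; a compromised host or an upstream insider on that block, as Carr’s Loxley scenario describes, would produce the same label.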
As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always goes back to (NSA’s) sources and methods.
For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.
The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack. The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways. The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.
There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.
Not only did the movie The Interview only become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview‘s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on The Interview obtained in the hack to best serve North Korea’s interests.
No description of the motive I’ve seen makes any sense (again, even assuming that everyone in North Korean positions of authority is crazy or at least irrational).
Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.
Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.
It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of a Japanese company) in that trip than in a movie, no matter how curious the movie’s ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.
Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.
Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.
U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.
Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.
The plan to send Mr. Clapper came together suddenly.
North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.
The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.
Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.
Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”
It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.
And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned).
I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.
Alternately, Clapper’s fixation on his trip may suggest his meeting with Kim Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.
Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.
You’ve no doubt heard that, last Friday (a pre-holiday Friday, as some people are already on their way to Thanksgiving), the Benghazi scandal ended with a fizzle.
The House Intelligence Committee released its report on the Benghazi attack, which basically says all the scandal mongering has been wrong, that Susan Rice’s talking points came from the CIA, that no one held up any rescue attempts, and so on and so on. This post will attempt to lay out why that might have happened. The short version, however, is that the report reveals (but does not dwell on) a number of failures on the part of the CIA that should raise real concerns about Syria.
Note that not all Republicans were as polite as the ultimate report. Mike Rogers, Jeff Miller, Jack Conaway, and Peter King released an additional views report, making precisely the points you’d expect them to — though it takes them until the 4th summary bullet to claim that Administration officials “perpetuated an inaccurate story that matched the Administration’s misguided view that the United States was nearing victory over al-Qa’ida.” Democrats released their own report noting that “there was no AQ mastermind” and that “extremists who were already well-armed and well-trained took advantage of regional violence” to launch the attack. Among the Republicans who presumably supported the middle ground were firebrands like Michele Bachmann and Mike Pompeo, as well as rising Chair Devin Nunes (as you’ll see, Nunes was a lot more interested in what the hell CIA was doing in Benghazi than Rogers). The day after the initial release Rogers released a second statement defending — and pointing to the limits of and Additional Views on — his report.
Now consider what this report is and is not.
The report boasts about the 1000s of hours of work and 1000s of pages of intelligence review, as well as 20 committee events, interviews with “senior intelligence officials” and 8 security personnel (whom elsewhere the report calls “the eight surviving U.S. personnel”) who were among the eyewitnesses in Benghazi. But the bulk of the report is sourced to 10 interviews (the 8 security guys, plus the Benghazi and Tripoli CIA Chiefs), and a November 15, 2012 presentation by James Clapper, Mike Morell, Matt Olsen, and Patrick Kennedy. (Here are the slides from that briefing: part one, part two.) As I’ll show, this means some of the claims in this report are not sourced to the people who directly witnessed the events. And the report sources almost nothing to David Petraeus, who was CIA Director at the time.
One of the best explanations for why this is such a tempered report may be that FBI performed better analysis of the cause of the attack than CIA did. This is somewhat clear from the summary (though buried as the 4th bullet):
There was no protest. The CIA only changed its initial assessment about a protest on September 24, 2012, when closed caption television footage became available on September 18, 2012 (two days after Ambassador Susan Rice spoke), and after the FBI began publishing its interviews with U.S. officials on the ground on September 22, 2012.
That is, one reason Susan Rice’s talking points said what they did is because CIA’s analytical reports still backed the claim there had been a protest outside State’s Temporary Mission Facility.
Moreover, in sustaining its judgment there had been a protest as long as it did, CIA was actually ignoring both a report from Tripoli dated September 14, and the assessment of the Chief of Station in Tripoli, who wrote the following to Mike Morell on September 15.
We lack any ground-truth information that protest actually occurred, specifically in the vicinity of the consulate and leading up to the attack. We therefore judge events unfolded in a much different manner than in Tunis, Cairo, Khartoum, and Sanaa, which appear to be the result of escalating mob violence.
In a statement for the record issued in April 2014, Mike Morell explained that Chiefs of Station “do not/not make analytic calls for the Agency.” But it’s not clear whether Morell explained why CIA appears to have ignored their own officer.
While the report doesn’t dwell on this fact, the implication is that the FBI was more successful at interviewing people on the ground — including CIA officers!! — to rebut a common assumption arising from public reporting. That’s a condemnation of CIA’s analytical process, not to mention a suggestion FBI is better at collecting information from humans than CIA is. But HPSCI doesn’t seem all that worried about these CIA failures in its core missions.
Or maybe CIA failed for some other reason.
The White House has come out with an enthusiastic statement supporting USA Freedom Act.
The Administration strongly supports Senate passage of S. 2685, the USA FREEDOM Act. In January, the President called on Congress to enact important changes to the Foreign Intelligence Surveillance Act (FISA) that would keep our Nation safe, while enhancing privacy and better safeguarding our civil liberties. This past spring, a broad bipartisan majority of the House passed a bill that answered the President’s call. S. 2685 carefully builds on the good work done in the House and has won the support of privacy and civil liberties advocates and the private sector, including significant members of the technology community. As the Attorney General and the Director of National Intelligence stated in a letter dated September 2, 2014, the bill is a reasonable compromise that enhances privacy and civil liberties and increases transparency.
The bill strengthens the FISA’s privacy and civil liberties protections, while preserving essential authorities that our intelligence and law enforcement professionals need.
It says the bill ends bulk collection, which might be a useful record if the President used a definition besides “without any discriminator,” but that is what he is on the record as meaning by “bulk.”
The bill would prohibit bulk collection through the use of Section 215, FISA pen registers, and National Security Letters while maintaining critical authorities to conduct more targeted collection. The Attorney General and the Director of National Intelligence have indicated that the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection, based on communications providers’ existing practices.
Perhaps the most troubling part of Obama’s statement, however, is its endorsement of John Bates’ language about the amicus as echoed by James Clapper and Eric Holder, which among other things said that the amicus could not be required to represent the interests of civil liberties and privacy.
The bill also authorizes an independent voice in significant cases before the Foreign Intelligence Surveillance Court (FISC) — the Administration is aware of the concerns with regard to this issue, as outlined in the letter from the Attorney General and the Director of National Intelligence, and the Administration anticipates that Congress will address those concerns. Finally, the bill will enhance transparency by expanding the amount of information providers can disclose and increasing public reporting requirements.
In sum, this legislation will help strengthen Americans’ confidence in the Government’s use of these important national security authorities. Without passage of this bill, critical authorities that are appropriately reformed in this legislation could expire next summer. The Administration urges Congress to take action on this legislation now, since delay may subject these important national security authorities to brinksmanship and uncertainty. The Administration urges the Senate to pass the USA FREEDOM Act and for the House to act expeditiously so that the President can sign legislation into law this year. [my emphasis]
As I said here, the designed impotence of the amicus is not a reason to oppose the bill; it’s just a reason to expect to have to wait 9 years before it becomes functional, as happened with PCLOB. Still, it is very very troubling that given all the evidence that the Executive has been abusing the process of the FISC for a decade, the Executive is moving to ensure they’ll still be able to do so.