Remember that weird passage in the President’s Review Group Report warning against changing the account numbers in financial accounts as part of offensive cyberattacks?
(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;
Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.
It was the kind of warning that left the strong impression that the US had already been engaged in such books-baking.
Integrity of Information
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
- Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.
Altering data to misinform decision-makers is not new — part of the Stuxnet attack involved making the Iranians believe everything was going swimmingly even though centrifuges were spinning out of control (though it’s not clear how much of this involved data and how much visuals).
But the persistent concern that the US not engage in such behaviors and now the apparent rising concern that someone would do the same to us sure raises questions about which financial institutions have already had their books cyber-cooked.
In the Q&A portion of a James Clapper chat at Council on Foreign Relations yesterday, he was asked about the phone dragnet and Section 215 (this starts after 48:00).
He made news for the way he warned Congress that if they take away Section 215 (he didn’t specify whether he was talking about just the phone dragnet or Section 215 and the roughly 175 other orders authorized under it) and something untoward happens as a result, they better be prepared to take some of the blame.
Q: In recent days the government reauthorized the telephone metadata collection program through June 1st, when there’s the Sunset date, obviously, of Section 215 of the PATRIOT Act. What do you want to see happen after that?
Clapper: Well, what we have agreed to, Attorney General Eric Holder and I, last September, signed a letter saying that we supported the notion of moving the retention of the data to providers in a bill that was — actually came out of the Senate from Senator Leahy, so we signed up to that. I think that’s the only thing that’s realistic if we’re going to have this at all. In the end, the Congress giveth and the Congress taketh away. So if the Congress in its wisdom decides that the candle isn’t worth the flame, the juice isn’t worth the squeeze, whatever metaphor you want to use, that’s fine. And the Intelligence Community will do all we can within the law to do what we can to protect the country. But, I have to say that every time we lose another tool in our toolkit, you know? It raises the risk. And so if we have — if that tool is taken away from us, 215, and some untoward incident happens which could have been thwarted had we had it I just hope that everyone involved in that decision assumes responsibility. And it not be blamed if we have another failure exclusively on the intelligence community.
At one level, I’m absolutely sympathetic with Clapper’s worries about getting blamed if there’s another attack (or something else untoward). In some cases (particularly in the aftermath of the 2009 Nidal Hasan and Umar Farouk Abdulmutallab attacks), politicians have raised hell about the Intelligence Community missing a potential attack. But that really did not happen after the Boston Marathon; contemporaneous polls even said most people accepted that you couldn’t prevent every attack. Moreover, in that case, NSA — the entity running the phone dragnet — was excluded from more intensive Inspector General review, as NSA has repeatedly been in the past (including, to a significant extent, the 9/11 attack), even though it had collected data on one or both of the Tsarnaev brothers but not accessed it until after the attack. In other words, NSA tends not to be held responsible even when it is.
Clapper’s fear-mongering has gotten most of the attention from that Q&A, even more than Clapper’s admission elsewhere that “moderate” in Syria — he used scare quotes — means “anyone who’s not affiliated w/I-S-I-L.”
But on the phone dragnet, I found this a far more intriguing exchange.
Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?
Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.
In general, discussions about why the NSA needs 5 years of phone dragnet have used a sleeper argument: a suspect might have spoken to someone of interest 4 years ago, which would be an important connection to identify and pursue. But that’s not what Clapper says here. They need years and years of our phone records not to find calls we might have made 5 years ago, but to “discern patterns.”
Well, that changes things a bit, and may even suggest how they’re actually using the phone dragnet.
While we know they have, at times, imputed some kind of meaning to the lengths of calls — for a while they believed calls under 2 minutes were especially suspicious until they realized calls to the pizza joint also tend to be under 2 minutes — there’s another application where pattern analysis is even more important: matching burner phones. You need a certain volume of past calls to establish a pattern of a person’s calls so as to be able to identify another unrelated handset that makes the same pattern of calls as the same person.
Connection chaining, not contact chaining.
Clapper’s revelation that they need years of retention for pattern analysis, not for contact chaining, seems consistent with the language describing the chaining process under USA Freedom Act.
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
That is, they’d be getting all the calls the target had made, as well as all the calls an identifiable target’s associate or additional phone had made.
And remember, one of the NSA’s two greatest “successes” with the phone dragnet — when they found that Adis Medunjanin, whom they already knew to be associated with Najibullah Zazi, had a phone they hadn’t known about — involves burner matching. That match took place at an important moment, too, when the NSA had turned off its automatic correlation process (which uses a dedicated database to identify the other known identities of a person in a chain), and when its queries were as closely controlled as they ever have been in the wake of the massive violations in 2009. At a time when they were running a bare bones phone dragnet, they were still doing burner matching, and considered that a success.
Now, let me be clear: matching the burner phones of real suspects is a reasonable use for a phone dragnet, though the government ought to provide more clarity about whether they’re matching solely on call patterns or on patterns of handset use, including on the Internet. It’d also be nice if anyone caught in this fashion had some access to the accuracy claims the government has made and the basis used to make those accuracy claims (for one incarnation of the Hemisphere dragnet, DEA was claiming 94% accuracy, based of 10 years of data and, apparently, multiple providers). And this points to the importance of retaining FISC review of the targets, because people for whom there is not reasonable articulable suspicion of ties to terrorism ought to be able to use burner phones.
James Clapper’s office has gone to great lengths to try to hide any mention of pattern analysis in declassified discussions of the phone dragnet. Apparently, Clapper doesn’t think that detail needs to be classified anymore.
I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.
At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.
Unpredictable instability is the new normal.The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.
It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.
And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).
US-backed neoliberalism and austerity — and the underlying bank crisis that provided the excuse for it — has contributed to instability elsewhere, and probably underlies those countries that Clapper thinks might grow unstable in the next year.
We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).
There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.
There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.
Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).
Still, even in spite of the fact that Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?
I noted the other day how centrally James Clapper foregrounded his recent trip to North Korea in his discussion of the alleged North Korean hack of Sony. Now that the transcript is up, I see the trip was even more central in his discussion than reports had indicated. After noting that Jim Comey (whom he called “the senior expert on the investigative side of cybersecurity”) and Admiral Mike Rogers (whom he called “the senior expert on how cybersecurity ops actually happen”) would say more in following speeches, Clapper launched into a description of his trip, as if it were central to the discussion of the hack.
I’m not an expert on cyber. I guess that’s a way of saying I’m going to refer technical questions to the real experts here.
So, I was trying to think through what my contribution to this conference could possibly be. Well, I recently traveled to North Korea (and back, happily). So I thought I’d talk about that. [delayed laughter]
Yes, that’s a joke. [laughter] I learned from Father McShane that this crowd needs cuing. [laughter, applause]
I’ll talk about that and how it applies to this week’s conversation about cyber, given the Sony hack.
The first question I always get about the trip is: “Why you?” As in, “Why on earth would we send the DNI, the director of national intelligence, especially this DNI, on a diplomatic mission to get two American citizens who were imprisoned in North Korea?”
Why would they send me? The truth is, the mission had been in the works for quite a while.
I find it interesting that Clapper described such a lead-up to the meeting. At the time, it was much more closely tied to the October 21 release of Jeffrey Fowle (though that, too, could have been in the works for months).
North Korea wanted an active member of the National Security Council and a cabinet level official to come and to bring a letter from President Obama.
Note Clapper describes North Korea’s goal was that he “bring a letter” from President Obama. I find that notable given the reporting at the time about that letter — and Clapper’s unwillingness to read it during his press blitz about it.
The White House knows I’ve had a long history of working Korean issues, since I served as chief of intelligence for U.S. Forces in Korea in the mid-‘80s. So the White House put my name forward to the DPRK, the Democratic People’s Republic of Korea as they call themselves, government in Pyongyang. And I think we were all surprised, to include me, when they agreed. That’s how and why I was picked to go.
Actually, I thought the New York Times had a better explanation: Clapper is “Gruff, blunt-speaking and seen by many as a throwback to the Cold War.” [laughter]
“An unlikely diplomat, but perfect for the North Koreans.” [laughter]
Clapper is adopting the NYT’s description to pitch this as a Cold War, even though reporting at the time suggested relations with North Korea might be improving.
That’s the nicest thing the New York Times has ever written about me. [laughter, applause]
After that jokey beginning, Clapper took a long diversion to talk about how to prevent hacks and to provide some characterization of our adversaries online. Which brought him back to his discussion of the alleged North Korea hack, presented in contradistinction to what Clapper claimed was China’s objective — to break into networks to steal data that would allow it to surpass the US economically (which I don’t believe fully describes their motives or their actions).
That’s China’s primary motivation: to catch up to and then surpass Western industrial and defense capabilities and to eventually pass by the U.S. economy.
From there, Clapper claims, dubiously, that the Sony hack was the most damaging hack in the US, presenting it as stemming from an “entirely different philosophy” than he ascribes to China.
The Chinese are focused on those goals; whereas the recent cyber attack from North Korea, which by the way is the most serious cyber attack ever made against U.S. interests with potentially hundreds-of-millions of dollars and counting in damages, was driven by an entirely different philosophy.
He then launches into his own representation of North Korea as the quintessential totalitarian society, where people do mundane, labor-intensive jobs (which could be said about many countries) and where people “don’t show any emotion,” where they don’t even converse or laugh.
So, back to the weekend trip I took, which was exactly two months ago today. We flew into Pyongyang, the capital city, on Friday evening, the seventh of November. And the first thing that struck me was just how dark the city and airport were, just completely dark. We damaged a tire on the plane while taxiing in the dark, because of the poor construction of the taxiways and runways at Sunan airport.
Then, when I saw the city on Saturday, I was expecting to see drab clothes and lack of modern tools, people walking to get around, people sweeping and doing similar, mundane, labor-intensive jobs. And those expectations were met, from what I saw of Pyongyang. But I was also struck by how impassive everyone was. They didn’t show any emotion. They didn’t stop to greet each other, didn’t nod hello, and we didn’t see anyone conversing or laughing. They were just going about their business, going wherever they were going. It was almost automaton like. It was eerie.
This is James Clapper the dystopian novelist, depicting what he saw in less than 24 hours of being exposed to those whom North Korea permitted to be exposed to America’s top spy. Which Clapper then contrasts with the pleasure enjoyed by North Korea’s Generals (I’m curious how recently Clapper has considered how our menial labors’ public lives would contrast with top Generals’ festive dinners?).
And the plight of the citizens of Pyongyang stood in solemn contrast to the dinner I had the previous night, Friday the seventh, an elaborate 12-course Korean meal. Having spent time in Korea, I consider myself somewhat a connoisseur of Korean food, and that was one of the best Korean meals I’ve ever had. Unfortunately, the company was not pleasurable.
By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.
That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.
But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community is so certain North Korea, the country, did the Sony hack.
Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).
You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]
Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.
IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.
Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.
But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.
He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.
However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).
I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.
Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.
Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.
But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?
As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always go back to (NSA’s) sources and methods.
For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.
The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack. The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways. The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.
There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.
Not only did the movie The Interview, only become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview‘s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on the Interview obtained in the hack to best serve North Korea’s interests.
No description of the motive I’ve seen makes any sense (again, even assuming that everyone in North Korean positions of authority are crazy or at least irrational).
Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.
Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.
It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of Japanese company) in that trip than in a movie, no matter how curious the movies’ ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.
Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.
Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.
U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.
Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.
The plan to send Mr. Clapper came together suddenly.
North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.
The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.
Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.
Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”
It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.
And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned).
I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.
Alternately, Clapper’s fixation on his trip may suggest his meeting with Kin Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.
Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.
You’ve no doubt heard that, last Friday (a pre-holiday Friday, as some people are already on their way to Thanksgiving), the Benghazi scandal ended with a fizzle.
The House Intelligence Committee released its report on the Benghazi attack, which basically says all the scandal mongering has been wrong, that Susan Rice’s talking points came from the CIA, that no one held up any rescue attempts, and so on and so on. This post will attempt to lay out why that might have happened. The short version, however, is that the report reveals (but does not dwell on) a number of failures on the part of the CIA that should raise real concerns about Syria.
Note that not all Republicans were as polite as the ultimate report. Mike Rogers, Jeff Miller, Jack Conaway, and Peter King released an additional views report, making precisely the points you’d expect them to — though it takes them until the 4th summary bullet to claim that Administration officials “perpetuated an inaccurate story that matched the Administration’s misguided view that the United States was nearing victory over al-Qa’ida.” Democrats released their own report noting that “there was no AQ mastermind” and that “extremists who were already well-armed and well-trained took advantage of regional violence” to launch the attack. Among the Republicans who presumably supported the middle ground were firebrands like Michele Bachmann and Mike Pompeo, as well as rising Chair Devin Nunes (as you’ll see, Nunes was a lot more interested in what the hell CIA was doing in Benghazi than Rogers). The day after the initial release Rogers released a second statement defending — and pointing to the limits of and Additional Views on — his report.
Now consider what this report is and is not.
The report boasts about the 1000s of hours of work and 1000s of pages of intelligence review, as well as 20 committee events, interviews with “senior intelligence officials” and 8 security personnel (whom elsewhere the report calls “the eight surviving U.S. personnel”) who were among the eyewitnesses in Benghazi. But the bulk of the report is sourced to 10 interviews (the 8 security guys, plus the Benghazi and Tripoli CIA Chiefs), and a November 15, 2012 presentation by James Clapper, Mike Morell, Matt Olsen, and Patrick Kennedy. (Here are the slides from that briefing: part one, part two.) As I’ll show, this means some of the claims in this report are not sourced to the people who directly witnessed the events. And the reports sources almost nothing to David Petraeus, who was CIA Director at the time.
One of the best explanations for why this is such a tempered report may be that FBI performed better analysis of the cause of the attack than CIA did. This is somewhat clear from the summary (though buried as the 4th bullet):
There was no protest. The CIA only changed its initial assessment about a protest on September 24, 2012, when closed caption television footage became available on September 18, 2012 (two days after Ambassador Susan Rice spoke), and after the FBI began publishing its interviews with U.S. officials on the ground on September 22, 2012.
That is, one reason Susan Rice’s talking points said what they did is because CIA’s analytical reports still backed the claim there had been a protest outside State’s Temporary Mission Facility.
Moreover, in sustaining its judgment there had been a protest as long as it did, CIA was actually ignoring both a report from Tripoli dated September 14, and the assessment of the Chief of Station in Tripoli, who wrote the following to Mike Morell on September 15.
We lack any ground-truth information that protest actually occurred, specifically in the vicinity of the consulate and leading up to the attack. We therefore judge events unfolded in a much different manner than in Tunis, Cairo, Khartoum, and Sanaa, which appear to the the result of escalating mob violence.
In a statement for the record issued in April 2014, Mike Morell explained that Chiefs of Station “do not/not make analytic calls for the Agency.” But it’s not clear whether Morell explained why CIA appears to have ignored their own officer.
While the report doesn’t dwell on this fact, the implication is that the FBI was more successful at interviewing people on the ground — including CIA officers!! — to rebut a common assumption arising from public reporting. That’s a condemnation of CIA’s analytical process, not to mention a suggestion FBI is better at collecting information from humans than CIA is. But HPSCI doesn’t seem all that worried about these CIA failures in its core missions.
Or maybe CIA failed for some other reason. Continue reading
The White House has come out with an enthusiastic statement supporting USA Freedom Act.
The Administration strongly supports Senate passage of S. 2685, the USA FREEDOM Act. In January, the President called on Congress to enact important changes to the Foreign Intelligence Surveillance Act (FISA) that would keep our Nation safe, while enhancing privacy and better safeguarding our civil liberties. This past spring, a broad bipartisan majority of the House passed a bill that answered the President’s call. S. 2685 carefully builds on the good work done in the House and has won the support of privacy and civil liberties advocates and the private sector, including significant members of the technology community. As the Attorney General and the Director of National Intelligence stated in a letter dated September 2, 2014, the bill is a reasonable compromise that enhances privacy and civil liberties and increases transparency.
The bill strengthens the FISA’s privacy and civil liberties protections, while preserving essential authorities that our intelligence and law enforcement professionals need.
It says the bill ends bulk collection which might be a useful record if the President used a definition besides “without any discriminator,” but that is what he is on the record as meaning by “bulk.”
The bill would prohibit bulk collection through the use of Section 215, FISA pen registers, and National Security Letters while maintaining critical authorities to conduct more targeted collection. The Attorney General and the Director of National Intelligence have indicated that the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection, based on communications providers’ existing practices.
Perhaps the most troubling part of Obama’s statement, however, is its endorsement of John Bates’ language about the amicus as echoed by James Clapper and Eric Holder, which among other things said that the amicus could not be required to represent the interests of civil liberties and privacy.
The bill also authorizes an independent voice in significant cases before the Foreign Intelligence Surveillance Court (FISC) — the Administration is aware of the concerns with regard to this issue, as outlined in the letter from the Attorney General and the Director of National Intelligence, and the Administration anticipates that Congress will address those concerns. Finally, the bill will enhance transparency by expanding the amount of information providers can disclose and increasing public reporting requirements.
In sum, this legislation will help strengthen Americans’ confidence in the Government’s use of these important national security authorities. Without passage of this bill, critical authorities that are appropriately reformed in this legislation could expire next summer. The Administration urges Congress to take action on this legislation now, since delay may subject these important national security authorities to brinksmanship and uncertainty. The Administration urges the Senate to pass the USA FREEDOM Act and for the House to act expeditiously so that the President can sign legislation into law this year. [my emphasis]
As I said here, the designed impotence of the amicus is not a reason to oppose the bill; it’s just a reason to expect to have to wait 9 years before it becomes functional, as happened with PCLOB. Still, it is very very troubling that given all the evidence that the Executive has been abusing the process of the FISC for a decade, the Executive is moving to ensure they’ll still be able to do so.
I’m now being accused by USA Freedom Act champions of not providing constructive suggestions on how to improve USAF (even though I have, both via channels they were involved in and channels they are not party to) [oops, try this tweet, which is still active].
Now that it appears people who previously claimed I was making all this up now concede some of my critiques as a valid, here goes: my suggestions for how to fix the problems I identified in this post.
There is one application of connection chaining that I find legitimate, and two that are probably unconstitutional. The legitimate application is the burner phone one: to ask providers to use their algorithms (including new profiles of online use) to find the new phones or online accounts that people adopt after dropping previous ones, which is what AT&T offers under Hemisphere. To permit that, you might alter the connection chaining language to say providers can chain on calls and texts made, as well as ask providers to access their own records to find replacement phones. Note, however, that accuracy on this mapping is only about 94% per Hemisphere documents, so it seems there needs to be some kind of check before using those records.
The two other applications — the ones I’m pretty sure are or should be unconstitutional without a warrant — are 1) the use of cloud data, like address books, calendars, and photos, to establish connections, and 2) the use of phone records like Verizon’s supercookie to establish one-to-one correlations between identities across different platforms. I think these are both squarely unconstitutional under the DC Circuit’s Maynard decision, because both are key functions in linking all these metadata profiles together, and language in Riley would support that too. But who knows? I’m not an appellate judge.
To prevent the government from doing this without really independent judicial review — and more generally to ensure Section 215 is not abused going forward — the best fix is to require notice to defendants if any evidence from Section 215 or anything derived from it, including the use of metadata as an index to identify content, is used in a proceeding against them. Given that Section 215’s secret application is now unclassified, they should even get a fairly robust description of how it was used. After all, if this is just third party doctrine stuff, it can’t be all that secret!
I’m frankly of the opinion that ACLU’s Alex Abdo kicked DOJ’s ass so thoroughly in the 2nd Circuit, that unless that decision is mooted, it will provide a better halt to dragnets than any legislation could. But I get that that’s a risk, especially with Larry Klayman botching an even better setup in the DC Circuit.
But I do think the one way to make sure we don’t lose the opportunity for a judicial fix to this is to provide notice to defendants of any use or derivative use of Section 215. The government has insisted (most recently in the Reaz Qadir Khan case, but also did so in the Dzhokhar Tsarnaev and derivative cases, where we know they used the phone dragnet) that it doesn’t have to give such notice. If they get it — with the ability to demonstrate that their prosecution arises out of a warrantless mosaic analysis of their lives which provides the basis for the order providing access to their content — then at least there may be a limited judicial remedy in the future, even if it’s not Abdo fighting for his own organization. FISCR said PAA was legal because of precisely these linking procedures, but if they’re not (or if they require a warrant) then PRISM is not legal either. Defendants must have the ability to argue that in court.
USAF prohibits using a communications provider corporate person as a selector, but permits the use of a non-communications corporate person as a selector, meaning it could still get all of Visa’s or Western Union’s records. I understand the government claims it needs to retain the use for corporate person selectors to get things like all the guests at Caesars Palace to see if there are suspected terrorists there. The way to permit this, without at the same time permitting a programmatic dragnet (of, say, all Las Vegas hotels all the time), might be to temporally limit the order — say, limit the use of any non-communications provider order to get a month of records.
But this creates a problem, which is that it currently takes (per the NSL IG Report) 30-40 days to get a Section 215 order. The way to make it possible to get records when you need them, rather than keeping a dragnet, is to permit the use of the emergency provision more broadly. You might permit it to be used with counterintelligence uses as well as the current counterterrorism use (that is, make it available in any case where Section 215 would be available), though you should still limit use of any data collected to the purpose for which it was collected. You might even extend the deadline to submit an application beyond 7 days.
That exacerbates the existing problems with the emergency provision, however, which is that the government gets to keep records if the court finds they misused the statute. To fix this, I’d advise tying the change to the adoption of the existing language from the emergency provision currently in place on the phone dragnet order, specifically permitting FISC to require records be discarded if the government shouldn’t have obtained them. I’d also add a reporting requirement on how many emergency provisions were used (that one would be included in the public reporting) and, in classified form to the intelligence and judiciary committees, fairly precisely what it had been used for. I’d additionally require FBI track this data, so it can easily report what has become of it.
Given that the government may have already abused the emergency provisions, this requires close monitoring. So no loosening of the emergency provision should be put into place without the simultaneous controls.
I’d do two things to fix the current overly expansive immunity provisions. First, I’d put the language that exists in other immunity provisions requiring good faith compliance with orders, such that providers can’t be immunized for stuff that they recognize is illegal.
I’d also add language giving them an appeal if the government were obtaining proprietary information. While under current law the government should be able to obtain call records, they shouldn’t be able to require providers also share their algorithms about business records, which is (I suspect) where this going (indeed, the Yahoo documents suggest that’s where it has already gone under PRISM). So make it clear there’s a limit to what is included under third party doctrine, and provide providers with a way to protect their data derived from customer records.
This should be simple. Just include language letting the court review minimization procedures and review compliance, which is currently what happens and should happen as we get deeper and deeper into mosaic collection (indeed, this might be pitched as a solution to what should be a very urgent constitutional problem for the status quo practice).
Additionally, the bill should integrate the emergency provision currently applicable to the phone dragnet for all Section 215 use, along with reporting on how often and how it is used.
Both of these, importantly, simply codify the current status quo. If the government won’t accept the current status quo, after years of evidence on why it needs this minimal level of oversight from FISC, then that by itself should raise questions about the intelligence community’s intent going forward.
One minimal fix to the transparency provisions is to require reporting not just from all communications providers, but from all providers who have received orders, such that the government would have to report on financial and location dragnets, which are both currently excluded. This would ensure that financial and location dragnets that currently exist and are currently exempted from reporting are included.
As to the other transparency provisions, the biggest problem is that the bill permits both the NSA and FBI to say “omigosh we simply can’t count all this.” I think they’re doing so for different reasons. In my opinion, the NSA is doing so because it is conducting illegal domestic wiretapping, especially to pursue cybersecurity targets. It is doing so because it hasn’t gotten Congress to buy off on using domestic wiretapping to pursue cybertargets. I would impose a 2 year limit on how long ODNI can avoid reporting this number, which should provide plenty of time for Congress to legislate a legal way to pursue cybertargets (along with limits to what kind of cybertargets merit such domestic wiretapping, if any).
I think the FBI refusing to count its collection because it wants to passively collect huge databases of US persons so it can just look up whether people who come under its radar are suspicious. I believe this is unconstitutional — it’s certainly something the government lied to the FISCR in order to beat back Yahoo’s challenge, and arguably the government made a similar lie in Amnesty v. Clapper. If I had my way, I’d require FBI to count how many US persons it was collecting on and back door searching yesterday. But if accommodation must be made, FBI, too, should get just 2 years (and significant funding) to be able to 1) tag all its data (as NSA does, so most of it would come tagged) 2) count it and its back door searches 3) determine whether incoming data is of interest within a short period of time, rather than sitting on it for 30 years. Ideally, FBI would also get 2 years to do the same things with its NSL data.
Again, I think the better option is just to make NSA and FBI count their data, which will show both are violating the Constitution. Apparently, Congress doesn’t want to make them do that. So make them do that over the next 2 years, giving them time to replace unconstitutional programs.
In this post, I noted that the provision requiring the advocate have all the material she needs to do to do her job conflicts with the provision permitting the government to withhold information on classification or privilege grounds. If there is any way to limit this — perhaps by requiring the advocate be given clearance into any compartments for the surveillance under question (though not necessarily the underlying sources and methods used in an affidavit), as well as mandating that originator controlled (ORCON) documents be required to be shared. This might work like a CIPA provision, that the government must be willing to share something if it wants FISC approval (and with it, the authority to obligate providers).
But since that post, we’ve seen how, in the Yahoo challenge, the government convinced Reggie Walton to apply the ex parte provisions applying to defendants to Yahoo. That precedent would now, in my opinion, apply language on review to any adversary. To fix that, the bill should include conforming language in all the places (such as at 50 USC 1861(c)) that call for ex parte review to make it clear that ex parte review does not apply to an advocate’s review of an order.
I fully expect the IC to find this unacceptable (Clapper has already made it clear he’ll only accept an advocate that is too weak to be effective). But bill reformers should point to the clear language in the President’s speech calling for “a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.” If the IC refuses to have an advocate that can do the job laid out by statute, they should have to answer to the President, who has called for real advocates (not amici).
To recap — all this pertains only to the bill on its face, not to the important things the bill is missing, such as a prohibition on back door searches. But these are things that would make USA Freedom Act far better.
I suspect the intelligence community would object to many, if not all of them. But if they do, then it would certainly clarify what their intent really is.
Earlier today, Harry Reid filed for cloture for the USA Freedom Act. So Patrick Leahy’s reform for the phone dragnet will get a vote in the lame duck.
As you may remember, I don’t support USAF. Here’s a summary of why.
USAF rolls out a new Call Detail Record provision providing for prospective daily collection of selected phone records. While it would replace the phone dragnet — which is a really really important improvement– there are many questions about the provision that James Clapper’s office refused to answer (and refused to respond to a FOIA I filed to find out). Most importantly, no one can explain what “connection chaining” — which clearly permits the chaining on things other than phone calls and texts made — includes. I worry that language will be used to connect on things available through phone cloud storage, like address books, calendars, and photos (which we know the NSA uses overseas). I also strongly believe (though some people I’ve talked to disagree) that Verizon’s supercookie qualifies as a CDR under the bill (it can be collected under other authorities in any case) and therefore will make it easier to access communications records for “correlated” identities accessed via the same phone. Whether this is the intent or not, we know from the Yahoo precedent that there will be significant mission creep within months of passing this bill.
Right now, the main PATRIOT authorities at question here — Section 215 and PRTT — are scheduled to sunset in June. They’ll be renewed one way or another. But in April to May, reformers will have more leverage than they do now.
Bill supporters claim civil liberties groups have never gotten concessions from a sunset. That’s plainly wrong, because reformers did on FISA Amendments Act, where (among other things) protection for Americans overseas was won with the wait. Admittedly, given the new Senate, we’d be worse positioned (with the exception of Thad Cochran being potentially better than Barb Mikulski at Appropriations). That said, we would likely be better prepared not to squander our far stronger position in the House, as civil liberties groups did on USAF, so legislatively it might be a wash, though with reformers having more leverage.
More importantly, passing this now may moot court decisions in 3 circuit courts (the 2nd and DC, where phone dragnet challenges have already been heard, and the 9th, where the hearing hasn’t been held yet). While Larry Klayman clearly botched his hearing in DC with a surprisingly receptive panel and a precedent that would make this program glaringly illegal, the 2nd seems otherwise poised to rule the FISC’s redefinition of “relevant to” to mean “everything” illegal, across all programs. In other words, this legislation will probably pre-empt making real change in the courts in the near term. And no one will get standing again on these issues in the near future.
As I said, I believe USAF eliminates the existing phone dragnet by requiring the use of selectors for collection. That’s good!
However, because the bill permits non-communications companies to be used as selectors, it almost certainly won’t end known financial dragnets involving Western Union transfers and purchase records (and as I describe below, those dragnets are also excluded from transparency provisions). I also think the bill will do nothing to limit FBI’s PRTT program (if it still exists — it existed and was sharing data with the NSA at least until 2012); I suspect — this is a wildarseguess — that is a bulky, not bulk, use of Stingrays to get location, which also would be exempted from reporting. There’s absolutely no reason to believe that the bill would affect other PRTT or NSL programs, because the ones included are all currently bulky, not bulk, programs. So it will eliminate the ability for the government to get every phone record in the US, but it will leave other non-phone dragnets intact and largely hidden by deceptive “transparency” provisions.
USAF provides providers — and 2nd level contractors — expansive immunity. So long as they are ordered to do something, whether they believe it is legal or not, they cannot be held liable. In addition, the bill compensates providers, which the existing Section 215 cannot do (the government even had to stop compensating telecoms after the first 2 dragnet orders). Finally, the bill requires assistance of providers, whereas the existing law can only collect existing business records (I believe the absence of all three things explains the big gaps in the government’s cell phone coverage). These three provisions are designed, I strongly suspect, to overcome Verizon’s disinterest in being an affirmative spy wing of the government, which is probably the real point of this bill. Possibly, they’re designed to get Verizon — the most important mobile provider — to do the kind of affirmative analysis for the government that AT&T currently does.
In at least 3 areas, I worry that USAF will actually weaken existing minimization procedures. Under both the PRTT and Section 215 authority, the FISC currently imposes minimization procedures. For the former, the bill would put the authority to devise “privacy procedures” in the hands of the Attorney General (though says it doesn’t change the law; thing is, FISC minimization procedures aren’t in the law). The bill mandates minimization procedures for bulky collection, but it’s not clear whether those procedures are even as good as what the FISC currently imposes (they’re probably very similar). Most troubling of all, the bill doesn’t provide the FISC authority to require the government to destroy records collected under the emergency provision if found to have been improperly collected, a significant deterioration from the status quo, and one that it appears the FISC may have already needed to use.
I don’t mean to be an asshole on this point, but I actually think many of USAF’s “transparency” provisions are counter-productive, because they are very obviously designed to hide the programs that we know exist, but that won’t be affected by USAF’s selection term provisions, because only communications dragnets get counted, sort of; financial dragnets won’t get counted and location dragnets won’t get counted. That will make it very very difficult to organize to eliminate any of the residual bulk programs (because the bill champions will have assured people they don’t exist and they won’t show up in transparency provisions). In addition, they tacitly permit the NSA and FBI to pretend they’re not conducting fairly bulky domestic wiretapping by providing them ways to avoid counting that illegal wiretapping. In addition, the FBI will be permitted to hide how much spying they’re doing on Americans (though for some, not all, provisions, their collection will be reported misleadingly as foreign collection). And the introduction of ranges will hide still more of they spying. See this post for my estimate of how the bill hides millions of Americans affected.
My other big warning about the bill is not meant to disqualify it, but is meant to suggest supporters are vastly overestimating its impact. James Clapper has made it very clear that he intends to ensure the Advocate (or amicus, as Clapper calls it) remains powerless. And the Yahoo documents make it clear that precedent at the FISCR says the ex parte procedures in FISA will be used to prevent the Advocate from reviewing materials she needs to do her job. As I said here, though, that’s not reason to oppose the bill; if PCLOB is any indication, the bill will start us down a 9-year process at the end of which we might have a functioning advocate. But it’s reason to be honest about how leaving ex parte provisions intact in FISA will make this Advocate very weak.
All this is before the things the bill doesn’t even claim to address: back door searches, EO 12333, spying on foreigners.
The bill will get phone records out of the hands of the government. But from that point on, I’m not sure how much of an improvement it is.