Posts

Why Are FAA Boosters Satisfied with Inadequate Oversight?

/8 Comments/in /by

Julian Sanchez hosted a Cato event yesterday that examined surveillance generally and the FISA Amendments Act specifically. At it, Ron Wyden presented his concerns about the FISA Amendments Act and other surveillance, and then ACLU’s Michelle Richardson and NYT’s Eric Lichtblau added their own views.

There was one question asked during the question period claiming that the program undergoes adequate reviews. The questioner was Georgetown’s Director of National Security Studies, Carrie Cordero, who had a role on FISA implementation until 2010, who has now reprised and expanded her comments at Lawfare.

She starts by addressing Wyden’s request that DNI to tell Congress how many Americans have had their communications “collected or reviewed.”

In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. [my emphasis]

Note, first of all, that she mischaracterizes Wyden’s request. He asked about US person communication that had been “collected or reviewed,” whereas she claimed he was asking only about incidental interception. Those are different things, and what Wyden’s interested in is far more invasive than simply having your communications sitting in a data warehouse in UT unread.

That’s important because Cordero treats one aspect of the DNI IG’s response–the privacy claim–as an “interesting question,” but then she proceeds to not answer the question. She instead reverts back to what she had correctly portrayed as NSA’s claim that NSA didn’t have the capacity because it would be “unreasonable burden on the workforce,” then asks why Wyden doesn’t believe that claim.

Remember, the privacy claim was raised solely in terms of whether the NSA’s Inspector General could conduct a review, not whether NSA analysts should be pulled off reviewing intercepts to find out how many of them are Americans. So if that claim is not credible–and ultimately, she doesn’t say it is–then NSA IG’s sole remaining rationale is a manpower one.

Frankly, if it would take that much manpower to come up with an answer, it says the program isn’t being tracked adequately.

Cordero then gets to the jist of a comment she made at the hearing: that there are a bunch of reviews which provide adequate oversight.

Meanwhile, the assertion of today’s program’s title that the FAA enables “mass spying without accountability,” is debunked by the SSCI’s own report issued on June 7. The intelligence committees have been on the receiving end of a mountain of reports describing FAA activities, the FISA Court’s reviews, and the Executive Branch’s own compliance reviews. The SSCI report, and the additional written views of Senator Feinstein (D-CA), the Committee’s Chair, states that the statutorily-mandated reporting requirements “provide the Committee with extensive visibility into the application of…minimization procedures,” and have enabled the Committee to conduct “extensive” and “robust” oversight. The report goes on to detail all of the different categories of reports and briefings that have been provided to the Committee to facilitate their oversight role, in accordance with the National Security Act of 1947, as amended. [my emphasis]

Cordero claims that the SSCI report and DiFi’s additional reviews boast about reporting requirements. But only the word “extensive” appears in the report approved by SSCI as a whole, and it appears to simply repeat language from an appendix Eric Holder and James Clapper provided. The rest comes from this paragraph:

Third, the numerous reporting requirements outlined above provide the Committee with extensive visibility into the application of these minimization procedures and enable the Committee to evaluate the extent to which these procedures are effective in protecting the privacy and civil liberties of U.S. persons. Read more

Share this entry

Ron Wyden to Dianne Feinstein: Pants on Fire

/13 Comments/in /by

While the language about the FISA Amendments Act that Ron Wyden just got James Clapper to clear for release (first reported by Spencer Ackerman) doesn’t exactly call Dianne Feinstein a liar, it comes close.

Wyden got the following three statements cleared:

  • A recent unclassified report noted that the Foreign Intelligence Surveillance Court has repeatedly held that collection carried out pursuant to the FISA Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.
  • It is also true that on at least one occasion the Foreign Intelligence Surveillance Court held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.
  • I believe that the government’s implementation of Section 702 of FISA has sometimes circumvented the spirit of the law, and on at least one occasion, the FISA Court has reached this same conclusion. [my emphasis]

The unclassified report in question is the Senate Intelligence Committee’s report from the FISA Amendments Act extension mark-up.

Third, the numerous reporting requirements outlined above provide the Committee with extensive visibility into the application of these minimization procedures and enable the Committee to evaluate the extent to which these procedures are effective in protecting the privacy and civil liberties of U.S. persons. Notably, the FISA Court, which receives many of the same reports available to the Committee, has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment. [my emphasis]

The passage in question comes from DiFi’s additional views.

With this declassified language, Wyden is making clear how incomplete DiFi’s claims about the law are.

But don’t worry, James Clapper’s office says. They’ve rectified the problems. Of NSA violating minimization requirements, that is, not of the Senate Intelligence Committee Chair making grossly misleading comments to push for passage of the extension.

Share this entry

Lamar Smith’s Futile Leak Investigation

/4 Comments/in , , , , , /by

Lamar Smtih has come up with a list of 7 national security personnel he wants to question in his own leak investigation. (h/t Kevin Gosztola)

House Judiciary Committee Chairman Lamar Smith, R-Texas, told President Obama Thursday he’d like to interview seven current and former administration officials who may know something about a spate of national security leaks.

[snip]

The administration officials include National Security Advisor Thomas Donilon, Director of National Intelligence James Clapper, former White House Chief of Staff Bill Daley, Assistant to the President for Homeland Security and Counterterrorism John Brennan, Deputy National Security Advisor Denis McDonough, Director for Counterterrorism Audrey Tomason and National Security Advisor to the Vice President Antony Blinken.

Of course the effort is sure to be futile–if Smith’s goal is to figure out who leaked to the media (though it’ll serve its purpose of creating a political shitstorm just fine)–for two reasons.

First, only Clapper serves in a role that Congress has an unquestioned authority to subpoena (and even there, I can see the Intelligence Committees getting snippy about their turf–it’s their job to provide impotent oversight over intelligence, not the Judiciary Committees).

As for members of the National Security Council (Tom Donilon, John Brennan, Denis McDonough, Audrey Tomason, and Antony Blinken) and figures, like Bill Daley, who aren’t congressionally approved? That’s a bit dicier. (Which is part of the reason it’s so dangerous to have our drone targeting done in NSC where it eludes easy congressional oversight.)

A pity Republicans made such a stink over the HJC subpoenaing Karl Rove and David Addington and backed Bush’s efforts to prevent Condi Rice from testifying, huh?

The other problem is that Smith’s list, by design, won’t reveal who leaked the stories he’s investigating. He says he wants to investigate 7 leaks.

Smith said the committee intends to focus on seven national security leaks to the media. They include information about the Iran-targeted Stuxnet and Flame virus attacks, the administration’s targeted killings of terrorism suspects and the raid which killed Usama bin Laden.

Smith wants to know how details about the operations of SEAL Team Six, which executed the bin Laden raid in Pakistan, wound up in the hands of film producers making a film for the president’s re-election. Also on the docket is the identity of the doctor who performed DNA tests which helped lead the U.S. to bin Laden’s hideout.

But his list doesn’t include everyone who is a likely or even certain leaker.

Take StuxNet and Flame. Not only has Smith forgotten about the programmers (alleged to be Israeli) who let StuxNet into the wild in the first place–once that happened, everything else was confirmation of things David Sanger and security researchers were able to come up with on their own–but he doesn’t ask to speak to the Israeli spooks demanding more credit for the virus.

Read more

Share this entry

Security Clearance Tyranny

/4 Comments/in , /by

Let’s review three data points on security clearances. They’ll show that our system of security clearances are increasingly becoming an arbitrary system of control that does more to foster cowed national security employees than to foster actual national security.

We’ve already discussed one of these data points: James Clapper’s decision to add an as-yet undefined question to Intelligence Community polygraphs probing unauthorized (but not authorized) disclosure of classified information.

First, those agencies within the IC that have mandatory lie detector tests will add an unspecified question about “unauthorized disclosure of classified information.”

(1) mandating that a question related to unauthorized disclosure of classified information be added to the counterintelligence polygraph used by all intelligence agencies that administer the examination (CIA, DIA, DOE, FBI, NGA, NRO, and NSA).

Not only does this cover just some who might have access to classified information, leaving some agencies, contractors, Congressional employees, and White House employees, not to mention our international intelligence partners, in the clear. But it also brackets off the “authorized” disclosure of classified information.

It’s a bad decision because it doesn’t end the asymmetrical abuse of classified information and it’s a bad decision because polygraphs are unreliable.

But it’s also unreliable because at least one of the IC agencies involved slated for this new question–the National Reconnaissance Office–has already been conducting fishing expeditions during polygraphs to find sensitive information.

The National Reconnaissance Office is so intent on extracting confessions of personal or illicit behavior that officials have admonished polygraphers who refused to go after them and rewarded those who did, sometimes with cash bonuses, a McClatchy investigation found.

The disclosures include a wide range of behavior and private thoughts such as drug use, child abuse, suicide attempts, depression and sexual deviancy. The agency, which oversees the nation’s spy satellites, records the sessions that were required for security clearances and stores them in a database.

As McClatchy reports, the NRO pursued such confessions–which are outside the scope of what they’re supposed to ask–even after they were warned to stop.

What’s particularly troubling is that the NRO is not using this information–or not in the most obvious way, by prosecuting those who reveal past crimes. Read more

Share this entry

James Clapper’s Anti-Leak Efforts Will Increase Information Asymmetry

/8 Comments/in , /by

As Charlie Savage and others report, Director of National Security James Clapper has instituted new efforts to crack down on leaks. The plan has two aspects. First, those agencies within the IC that have mandatory lie detector tests will add an unspecified question about “unauthorized disclosure of classified information.”

(1) mandating that a question related to unauthorized disclosure of classified information be added to the counterintelligence polygraph used by all intelligence agencies that administer the examination (CIA, DIA, DOE, FBI, NGA, NRO, and NSA).

Not only does this cover just some who might have access to classified information, leaving some agencies, contractors, Congressional employees, and White House employees, not to mention our international intelligence partners, in the clear. But it also brackets off the “authorized” disclosure of classified information. Heck, it might not even cover any of the leaks currently under investigation.

Then there’s the authorization of IC Inspectors General to investigate leaks that DOJ declines to pursue.

(2) requesting the Intelligence Community Inspector General lead independent investigations of selected unauthorized disclosure cases when prosecution is declined by the Department of Justice. The IC IG will establish and lead a task force of IC inspectors general to conduct ind ependent investigations, pursuant to his statutory authority and in coordination with the Office of the National Counterintelligence Executive. This will ensure that selected unauthorized disclosure cases suitable for administrative investigations are not closed prematurely.

As Savage has noted (and this report he links makes clear) the vast majority of leaks are not prosecuted. That’s partly because information is so widely distributed that identifying a sole leaker becomes legally problematic if not impossible more generally. In addition, many leak prosecutions would risk disclosing more classified information than simply letting the alleged leaker go free (this is probably why the Bush and Obama Administrations tried to trump up a charge against Thomas Drake rather than charge known leakers who exposed the illegal wiretap program).

Clapper’s solution will instead have Inspectors General pursue suspected leakers instead. Not only would this free investigative methods from evidentiary rules (so for example, IGs might use wiretaps and other intrusive investigative techniques because they would never need to be disclosed or not in court). The secrecy of such investigations would also make the exposure of selective prosecution impossible. And given the impunity with which the government can give or withdraw clearances, it would mean those unfairly targeted would have no recourse.

All this might be less problematic if the IC IG hadn’t already proven himself to serve government cover-ups rather than the citizens of this country. But as it is, this scheme is ripe for abuse.

Which won’t end leaking. Instead, it’ll make whistleblowing even riskier, as compared with sanctioned leaks, than it already is. Which, so long as Congressional oversight committees refuse to exercise any oversight, will mean the intelligence committee will operate with further unchecked power.

Share this entry

The Only Independent Reviewer of Targeting and Minimization Refuses to Review It

/30 Comments/in , /by

On May 4, Senate Intelligence Committee members Ron Wyden and Mark Udall asked the Intelligence Community Inspector General to determine whether it was feasible to determine how many US persons have been spied on under the FISA Amendments Act.

The Temporally Perfect Fuck You

On May 22, the Committee marked up the renewal of the Act. During consideration of the bill, the Committee rejected Wyden and Udall’s efforts to require the IGs quantify such numbers based on their pending request to the IGs.

During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary. SSCI report on the bill reminds that the IC IGs are authorized–but not required too–conduct reviews of Section 702.

Note, elsewhere the bill report includes these authorized but not mandatory reviews as part of the “robust oversight” of this spying program.

In addition, the Inspectors General of the Department of Justice and certain elements of the Intelligence Community are authorized to review the implementation of Section 702 and must provide copies of any such reviews to the Attorney General, DNI, and congressional committees of jurisdiction.

Yet in rejecting the motion to actually mandate a review, Dianne Feinstein’s report emphasizes that this authority is optional.

Also while marking up the bill, Wyden and Udall attempted to direct the Committee’s Technical Advisory Group to review what was really going on with the FAA. That motion was ruled out of order (Kent Conrad joined Wyden and Udall on this one vote–otherwise the committee voted against all their efforts for greater oversight).

We also proposed directing the committee’s Technical Advisory Group to study FISA Amendments Act collection and provide recommendations for improvements. We were disappointed that our motion to request that the Technical Advisory Group study this issue was ruled by our colleagues to be out of order.

As a result, the bill was voted out of committee on May 22 without any requirement that the intelligence community report on how many US persons it is spying on with FAA.

On June 15, the IC IGs finally got back to Wyden and Udall. (h/t Wired) Note the dates cited in the response.

On 21 May 2012, I informed you that the NSA Inspector General, George Ellard, would be taking the lead on the requested feasibility assessment, as his office could provide an expedited response to this important inquiry.

The NSA IG provided a classified response on 6 June 2012. I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

As I stated in my confirmation hearing and as we have specifically discussed, I firmly believe that oversight of intelligence collection is a proper function of an Inspector General. I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight. [my emphasis]

So IC IG Charles McCullough waited 17 days to even tell Wyden what he was going to do with the request, at which point–the eve of the bill markup–he told Wyden that Ellard would prospectively conduct the inquiry. So when the Committee decided not to mandate an IG review based on the “pending” review, it had not started yet. Read more

Share this entry

Ron Wyden: “An Obvious Question I Have Not Answered”

/13 Comments/in , , /by

In the background of the larger drama of the leak witch hunts is a paragraph that, to me, summarizes where the balance between secrecy and sanity is in our country.

An obvious question that I have not answered here is whether any warrantless searches for Americans’ communications have already taken place. I am not suggesting that any warrantless searches have or have not occurred, because Senate and committee rules regarding classified information generally prohibit me from discussing what intelligence agencies are actually doing or not doing. However, I believe that we have an obligation as elected legislators to discuss what these agencies should or should not be doing, and it is my hope that a majority of my Senate colleagues will agree with that searching for Americans’ phone calls and emails without a warrant is something that these agencies should not do.

This is the language Ron Wyden used to attempt to persuade his colleagues to join his opposition to the reauthorization of the FISA Amendments Act without first including protections for Americans’ communications. A very similar paragraph appeared at the end of Wyden and Mark Udall’s dissent from the Senate Intelligence Report on the legislation.

Now, I have already shown that even leak witch hunt convert Dianne Feinstein (who supports reauthorization without telling citizens what the legislation really does) made it clear that while NSA may not target Americans under FAA, the agency does query information collected under FAA to find the communications of Americans. That is, DiFi herself made it clear that the communications collected “incidentally” are fair game for review. And both the Wyden/Udall dissent and the exchange Wyden had with Director of National Intelligence James Clapper last year–which he re-released in conjunction with his hold–make it more clear that the government is reviewing Americans’ communications it collects in the guise of “targeting” non-US persons.

Everyone–Wyden, DiFi, DNI Clapper–admit that the government is accessing Americans’ communications under FAA; it’s just the latter two are pretending they’re not doing so by hiding behind the magic word “targeting.”

With that said, let’s look at Wyden’s paragraph closely and what it says about democracy in the age of secrecy. The first sentence reads like CYA, insulation against any accusation that Wyden has revealed classified information.

An obvious question that I have not answered here is whether any warrantless searches for Americans’ communications have already taken place.

Yet at the same time, Wyden defines the question that DiFi refuses to answer clearly: whether or not the government is using FAA to conduct warrantless searches of Americans’ communications.

It’s an obvious question, Wyden continues, but he’s not legally permitted to answer it.

I am not suggesting that any warrantless searches have or have not occurred, because Senate and committee rules regarding classified information generally prohibit me from discussing what intelligence agencies are actually doing or not doing.

That said, Wyden makes it clear he knows the answer. Read more

Share this entry

Yet More White House Involvement in FOIA Responses

/6 Comments/in , , , , /by

As I’ve been writing my series on the Administration’s extensive efforts to hide all mention of what I have decided to call the Gloves Come Off Memorandum of Notification, this passage from Daniel Klaidman’s article on the Administration’s equivocations about revealing information on the Anwar al-Awlaki killing has been nagging me.

Another senior official expressing caution about the plan was Kathryn Ruemmler, the White House counsel. She cautioned that the disclosures could weaken the government’s stance in pending litigation. The New York Times has filed a lawsuit against the Obama administration under the Freedom of Information Act seeking the release of the Justice Department legal opinion in the Awlaki case. (The department has declined to provide the documents requested.)

The suggestion here is that White House Counsel Kathryn Ruemmler didn’t want to affirmatively reveal details about Awlaki’s killing because doing so would mean they’d have to reveal details in the ACLU and NYT’s FOIAs for … the same information.

That never really made sense (though I never dwelt too much on it because the Administration’s stance on secrecy rarely makes sense).

But in the last few days, I’ve been wondering if Ruemmler was thinking not about the drone FOIA–about revealing details of one element authorized by the Gloves Come Off MON–but instead thinking about the MON itself. After all, if the government reveals one (torture) after another (drones) of the programs authorized by the Gloves Come Off MON, then it gets harder and harder to claim the whole MON must remain secret. And remember, still to be litigated in the torture FOIA is the MON itself, in addition to what I believe are references to it in the title of the Tenet memo.

And while this may mean nothing, the government has been stalling on its response to the drone FOIA. Back on April 9, the government asked for 10 more days to respond to the FOIA. Judge Colleen McMahon responded by snipping, “Ok, but dont ask for any more time. If government official can give speeches about this matter without creating security problem, any involved agency can.” Yet in spite of her warning, they asked for an additional month-long extension today.

We write respectfully on behalf of the Department of Justice and the Central Intelligence Agency (collectively, the “Government”) to seek a further extension until May 21, 2012, of the Government’s deadline to file its consolidated motion for summary judgment in these related Freedom of Information Act cases seeking records pertaining to alleged targeted lethal operations directed at U.S. citizens and others affiliated with al Qaeda or other terrorist groups. Attorney General Eric H. Holder, Jr. has personally directed us to seek this additional time to allow the Government to finalize its position with regard to the sensitive national security matters presented in this case.

We are mindful of the Court’s admonition in its April 9, 2012, order that the Government not seek an further extensions of its briefing deadline, and we do not take this request lightly. Given the significance of the matters presented in this case, the Government’s position is being deliberated at the highest level of the Executive Branch. It has become clear that further consultation and discussion at that level of the Executive Branch is necessary before the Government can make its submission to the Court.

Read more

Share this entry

The “Oversight” over NCTC’s Not-Terrorist-Terrorist Database

/20 Comments/in , /by

Back when John Negroponte appointed him to be the Director of National Intelligence’s Civil Liberties Protection Officer, Alexander Joel admitted he had no problem with Cheney’s illegal domestic wiretap program.

When the NSA wiretapping program began, Mr. Joel wasn’t working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency’s surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown.

“Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else,” he says.

That should trouble you, because he’s the cornerstone of oversight over the National Counterterrorism Center’s expanded ability to obtain and do pattern analysis on US person data.

The Guidelines describe such oversight to include the following:

  • Periodic spot checks overseen by CLPO to make sure database use complies with Terms and Conditions
  • Periodic reviews to determine whether ongoing use of US person data “remains appropriate”
  • Reporting (the Guidelines don’t say by whom) of any “significant failure” to comply with guidelines; such reports go to the Director of NCTC, the ODNI General Counsel, the CLPO, DOJ (it doesn’t say whom at DOJ), and the IC Inspector General; note, the Guidelines don’t require reporting to the Intelligence Oversight Board, which should get notice of significant failures
  • Annual reports from the Director of NCTC on an (admittedly worthwhile) range of metrics on performance to the Guidelines; this report goes to the CLPO, ODNI General Counsel, the IC IG, and–if she requests it–the Assistant Attorney General for National Security

There are a few reasons to be skeptical of this. First, rather than replicate the audits recently mandated under the PATRIOT Act–in which the DOJ Inspector General develops the metrics, these Guidelines have NCTC develop the metrics themselves. And they’re designed to go to the CLPO, who officially reports to the NCTC head, rather than an IG with some independence.

That is, to a large extent, this oversight consists of NCTC reporting to itself.

Read more

Share this entry

Does NCTC Have the Minimal Data Security to Guard Its New Not-Terrorist-Terrorist Database?

/4 Comments/in , , , /by

As I noted here and here, yesterday the Director of National Intelligence and DOJ rolled out new Guidelines allowing the National Counterterrrorism Center to acquire non-terrorist datasets from federal agencies–including US person data–so they can do pattern analysis on those datasets and pass off the resulting data to other agencies.

When intelligence officials wanted to explain to Charlie Savage how this would work, they pointed to a State Department dataset–visa applications–as one dataset NCTC might now access directly.

A person from Yemen applies for a visa and lists an American as a point of contact. There is no sign that either person is a terrorist. Two years later, another person from Yemen applies for a visa and lists the same American, and this second person is a suspected terrorist.

Under the existing system, they said, to discover that the first visa applicant now had a known tie to a suspected terrorist, an analyst would have to ask the State Department to check its database to see if the American’s name had come up on anyone else’s visa application — a step that could be overlooked or cause a delay. Under the new rules, a computer could instantly alert analysts of the connection.

The State Department is, of course, still reportedly recovering from the fact that because of DOD’s lax network security, 250,000 diplomatic cables got liberated for the world to see.

Not surprisingly, then, the new Guidelines appear determined to reassure original dataset owners that their data won’t be compromised by sharing it with NCTC (which can then share it with other elements of the Intelligence Community and even foreign allies). You can tell they’re serious about this, because it’s one of the places they occasionally use “shall” (in other sensitive areas, they use the squishier “will”).

For access to or acquisition of specific datasets, the DNI, or the DNI’s designee, shall collaborate with the data provider to identify any legal constraints, operational considerations, privacy or civil rights or civil liberties concerns and protections, or other issues, and to develop appropriate Terms and Conditions that will govern NCTC’s access to or acquisition of datasets under these guidelines.

[snip]

In addition to the [general requirements laid out for sharing this data], at the time when NCTC acquires a new dataset or a new portion of a dataset, the Director of NCTC shall determine, in writing, whether enhanced safeguards, procedures, and oversight mechanisms are needed.

Though this bold approach almost immediately breaks down, as the Guidelines not only revert to “will,” but–worse–dig out the passive voice when describing the data transfer.

Measures will be put into place to ensure that the dataset is received and stored in a manner to prevent unauthorized access and use prior to the completion of replication.

And when the Guidelines get into specifics, they use that passive “will” again.

Access to these datasets will be monitored, recorded, and audited. This includes tracking of logons and logoffs, file and object manipulation, and changes, and queries executed, in according with audit and monitoring standards applicable to the Intelligence Community.

Who will (“shall”) implement these data security measures? What if he or she fails to do so adequately?

It’s a really, really important question because–as this year’s intelligence authorizations make clear, the Intelligence Community does not yet have insider threat detection–the kind of security that would permit these audits–and they’re not going to get it until 18 months from now. Hell, they’re not even going to start getting it until 6 months from now!

(a) Initial Operating Capability.–Not later than October 1, 2012, the Director of National Intelligence shall establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the intelligence community in order to detect unauthorized access to, or use or transmission of, classified intelligence.

Read more

Share this entry