Still No Answer on How Minh Quang Pham Materially Supported Terror While in Custody

The WaPo has an interesting story about US intelligence efforts to disrupt the most recent release of Inspire magazine. While the confirmation that the US was responsible for the recent disrupted release is not surprising, I find this rather interesting.

“You can make it hard for them to distribute it, or you can mess with the content. And you can mess with the content in a way that is obvious or in ways that are not obvious,” said one intelligence official, who, like others, spoke on condition of anonymity to discuss sensitive internal debates.

WaPo’s sources are now bragging that they’ve altered the content of Inspire, in addition to delaying its release.

While the article focuses on this most recent sabotage, it rather bizarrely makes no mention that the first installment of Inspire was hacked in a very similar way (purportedly by the Brits).

In the case of Inspire, the debate stretches back three years. The first issue contained a recipe for making a bomb using common materials, such as nails and a pressure cooker like the ones used in Boston. The title of the article was “Make a Bomb in the Kitchen of Your Mom.”

There was also a threat to Molly Norris, a Seattle cartoonist who published a satirical cartoon about the prophet Muhammad. “She should be taken as a prime target of assassination,” wrote Anwar al-Awlaki, the American-born cleric who was killed in a U.S. drone strike.

Though it does quote Keith Alexander making the case for sabotage.

“It’s obvious if people are calling for crazies to murder a U.S. citizen, why wouldn’t you stop it?” said one former official, recalling the debate in which National Security Agency Director Gen. Keith B. Alexander argued on behalf of disruption.

In that case, the administration decided against action, in part because the CIA preferred to use the site to gather intelligence. In subsequent debates, the danger of an imminent threat “really made the difference” in terms of whether to disrupt issues of the magazine, according to a former administration official.

DOD and CIA have, according to public reports without details, had significant deconfliction issues in the past on cyber operations. Are we so convinced DOD didn’t help the Brits insert cupcake recipes in that first installment?

And this article doesn’t mention something I’ve been tracking for a while: the case of Vietnamese-English graphic artist Minh Quang Pham, whom the US charged with materially supporting Al Qaeda in the Arabian Peninsula last year. Of note, when they charged him, they called for him to forfeit any means he had to influence AQAP.

As a result of planning and perpetuating Federal crimes of terrorism against the United States … defendant [] shall forfeit … all right, title, and interest in all assets, foreign and domestic, affording a source of influence over al Shabaab and AQAP.

Which is all the more interesting still considering the period for which the US charged Pham for material support includes five months — from July to December 2011 — during which a great deal of evidence suggests he was in British custody.

I suppose it might make it easier to hack Inspire if you had their graphic artist in secret custody.

Section 215 Order Reveals Secrecy Only Serves to Prevent Court Challenge

Last March, when Hank Johnson asked him a poorly worded question about what NSA was doing with its data center in Utah, NSA head Keith Alexander kept saying the NSA had no power to collect in the US.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

As I noted at the time, Alexander didn’t actually deny it happens. He just said the FBI would have that authority in the US.

Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

I even pointed to the great deal of circumstantial evidence that the FBI uses Section 215 to do bulk collection.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.

The Guardian’s publication of a 215 Order collecting metadata from all of Verizon Network Business Services customers proves that I was correct. It proves that Alexander’s obviously false non-denial was just that: a dodge of the truth.

Indeed, the order also shows that FBI’s role is simply to provide legal cover by submitting the 215 request, but NSA gets the data.

The (anonymous, of course) Administration response to last night’s disclosure is to claim it is no big deal.

An administration official called the phone data a “critical tool in protecting the nation from terrorist threats to the United States.”

“It allows counter terrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States,” the official added.

[snip]

“The order reprinted in the article does not allow the Government to listen in on anyone’s telephone calls,” said the administration official Thursday defending the decision. “The information acquired does not include the content of any communications or the name of any subscriber. It relates exclusively to metadata, such as a telephone number or the length of a call.”

Note: congratulations to The Hill’s Meghashyam Mali, who actually repeated this anonymous person’s claim that 1) the program allows the government to ID terrorists but 2) the 215 Order does not return the ID of any subscriber, as if doing so constituted journalism. (Note: Marc Ambinder just posts the talking points, without noting how internally contradictory they are–I’ll return to them shortly.)

Here’s the question, though: if this program is no big deal, as the Administration and some members of Congress are already claiming in damage control, then why has the Administration been making thin non-denial denials about it for years? If it is so uncontroversial, why is it secret?

Is there anything about the order that tips people off to whom, precisely, is being targeted? Does it explain how good (or bad) NSA’s data analysis tools are?

No. The collection is so broad, it could never provide hints of who is being investigated.

The WaPo suggests this order is just regular, routine collection, that quarterly 215 order sent to Verizon NBS. But even if, as I wondered last night, it’s triggered to a specific investigation, is there anything in there that tells people what or who is being investigated?

No.

There is nothing operational about this Section 215 order that needs to be secret. Nothing. A TS/SCI classification for zero operational reason.

The secrecy has been entirely about preventing American citizens from knowing how their privacy had been violated. It serves the same purpose as Alexander’s obviously dishonest answer.

And the most important reason to keep this secret comes from this claim, from the Administration’s LOL talking points.

As we have publicly stated before, all three branches of government are involved in reviewing and authorizing intelligence collection under the Foreign Intelligence Surveillance Act. Congress passed that act and is regularly and fully briefed on how it is used, and the Foreign Intelligence Surveillance Court authorizes such collection.

The Administration wants you to believe that “all three branches” of government have signed off on this program (never mind that last year FISC did find part of this 215 collection illegal — that’s secret too).

But our court system is set up to be an antagonistic one, with both sides represented before a judge. The government has managed to avoid such antagonistic scrutiny of its data collection and mining programs — even in the al-Haramain case, where the charity had proof they had been the target of illegal, unwarranted surveillance — by ensuring no one could ever get standing to challenge the program in court. Most recently in Clapper v. Amnesty, SCOTUS held that the plaintiffs were just speculating when they argued they had changed their habits out of the assumption that they had been wiretapped.

This order might just provide someone standing. Any of Verizon’s business customers can now prove that their call data is, as we speak, being collected and turned over to the NSA. (Though I expect lots of bogus language about the difference between “collection” and “analysis.”)

That is what all the secrecy has been about. Undercutting separation of powers to ensure that the constitutionality of this program can never be challenged by American citizens.

It’s no big deal, says the Administration. But it’s sufficiently big of a deal that they have to short-circuit the most basic principle of our Constitution.

Compare DOD’s Autonomy to Engage in Cyber-War with Obama’s Close Control over DOD Drone Targeting

It will likely be some time, if ever, before one of our enemies succeeds at doing more than launching limited, opportunistic drone strikes at the US. By contrast, every day brings new revelations of how our enemies and rivals are finding new vulnerabilities in American cyber-defense.

Which is why it is so curious to compare this account of the multi-year process that has led to an expansion of DOD’s authority to approve defensive cyber-attacks with this account of Obama’s close hold on DOD’s drone targeting.

In both cases, you had several agencies — at least DOD and CIA — in line to execute attacks, along with equities from other agencies like State.

An interagency process had been started because cyber concerns confront a variety of agencies, the intelligence community and DoD as well as State, Homeland Security and other departments, with each expressing views on how the domain would be treated.

For much of Obama’s term, it seems, both DOD drone attacks outside of the hot battlefield and cyberattacks had to be approved by the White House. With drones, Obama wanted to retain that control (over DOD, but not CIA) to prevent us from getting into new wars.

But from the outset of his presidency, Obama personally insisted that he make the final decision on the military’s kill or capture orders, so-called direct action operations. Obama wanted to assume the moral responsibility for what were in effect premeditated government executions. But sources familiar with Obama’s thinking say he also wanted to personally exercise supervision over lethal strikes away from conventional battlefields to avoid getting embroiled in new wars. As responsibility for targeted strikes in places like Yemen, Somalia, and, over time, Pakistan shifts to the military’s Joint Special Operations Command, Obama will be the final decider for the entire program.

With cyber, White House control was designed partly to limit blowback — almost the same purpose as his micromanagement of drone targeting — but also to mediate disputes between agencies.

In every instance where cyber was involved, the NSC had to be involved. That helped settle some of the disputes between agencies by limiting any independent application of cyber capabilities, but was useful neither for expediting any cyber action nor for integrating cyber into larger military capabilities. Several sources said that this has slowed the integration of cyber into broader military tactics, possibly giving rivals without the same hesitation, like China, a chance to become more adept at military cyber.

[snip]

Because every decision had to be run through the West Wing, potential political blowback limited the use of cyber tools, the former senior intelligence official said. “If they can’t be used without a discussion in the West Wing, the president’s got no place to run if something goes wrong when he uses them,” he said. Those decisions included what to do if the US confronted a cyberattack.

But over the course of the Obama Administration, DOD lobbied to increase its autonomy in both areas, in drones via the year-long process of crafting a drone rulebook, and with cyber, via the three year process of drafting new standing rules of engagement.

It had far more success in its efforts to expand autonomy with cyber.

Ron Wyden: Liar, Liar, Alexander Pants on Fire

Ron Wyden, Dianne Feinstein, and a few other Senators are conducting what constitutes “a debate” on the FISA Amendments Act extension.

The highlight of the debate, thus far, came when DiFi promised to wave a classified letter answering some of Ron Wyden’s questions around in front of the TV. Mind you, she has not yet fulfilled that promise. But she made the promise, so I am glued to the screen waiting for her to embody the ridiculous nature of this so-called debate by waving her letter in lieu of telling us what it actually says.

Aside from that excitement, however, the high point of the debate has come from Ron Wyden, repeatedly suggesting NSA head General Keith Alexander is a liar.

At issue was a speech Alexander made in July at the DefCon hackers conference. He made two claims that Wyden and Mark Udall questioned in an October letter.

Specifically, you said:

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrayed privacy protections for Americans’ communications as being stronger than they actually are. We urge you to correct this statement, so that Congress and the public can have a debate over the renewal of this law that is informed by at least some accurate information about the impact it has had on Americans’ privacy.

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false.” We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark. Specifically we ask that you please answer the following questions:

  • The intelligence community has stated repeatedly that it is not possible to provide even a rough estimate of how many American communications have been collected under the FISA Amendments Act, and has even declined to estimate the scale of this collection. Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, or at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?
  • Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

Alexander replied to Wyden and Udall on November 13. In it, he responded to the first Wyden/Udall question by claiming he was speaking about a foreign intelligence context.

I noted at the outset that NSA has a foreign intelligence mission, and my subsequent reference focused on the type of circumstance in which U.S. person information may be disseminated when this foreign intelligence requirement is not met (e.g., when there is evidence of a crime).

He went on to rehearse the legal requirements for minimization, which only applies to information not deemed “foreign intelligence information.” That is, he basically admitted that information deemed to be foreign intelligence information can be shared.

Alexander answered the second Wyden/Udall question by dodging.

Second, my response did not refer to or address whether it is possible to identify the number of U.S. person communications that may be lawfully but incidentally intercepted pursuant to foreign intelligence collection directed against non-U.S. persons located outside the United States as authorized under FAA 702.

In your letter, you asked for unclassified answers to several questions that you feel are important to allow the public to better understand my remarks delivered at the conference. While I appreciate your desire to have responses to these questions on the public record, they directly relate to operational activities and complete answers would necessarily include classified information essential to our ability to collect foreign intelligence.

Wyden referred to these letters at least twice in his various speeches in this “debate.” And while he has been careful to suggest that Alexander may have just misspoken, he has repeatedly made it clear that Alexander lied when he said US person data could not be shared.

I don’t know why General Alexander described minimization as he did. But why did it take Udall and I to make big push to correct?

The implication, it seems, is that the government has simply deemed all the US person information they collect to be foreign intelligence (indeed, elsewhere Jeff Merkley talked about how the “relevant to an investigation” standard makes all conceivable information context for foreign intelligence), meaning minimization requirements are largely meaningless.

In response to Alexander’s claims on hundreds of millions of dossiers, Wyden noted, over and over again, that in spite of NSA’s refusal to answer the question of how many Americans’ data has been collected, Alexander did not in his response–and has not since–denied that NSA keeps hundreds of millions of dossiers on people.

Director of NSA would not provide public answer on whether NSA keeps hundreds of millions of dossiers on people.

Clearly, Alexander’s denial that NSA keeps dossiers (which itself stems from claims former NSA coder William Binney made) is simply a word game about the meaning of dossier. NSA doesn’t have dossiers, you see. It has information on hundreds of millions of Americans.

Information–that Wyden makes clear–is not subject to the plain meaning of minimization requirements.

If Everything NSA Does is “Auditable,” Why Can’t NSA Tell Us How Many Americans They’ve Spied On?

NSA Director Keith Alexander just said this to the hackers at DefCon (while wearing an absolutely ridiculous hacker costume):

“We get oversight by Congress, both intel committees and their congressional members and their staffs,” he continued, “so everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody. And I will tell you that those who would want to weave the story that we have millions or hundreds of millions of dossiers on people is absolutely false.”

But a month ago, Alexander’s Inspector General told Ron Wyden that an estimate of the number of people inside the United States who have had their communications collected or reviewed under the FISA Amendments Act “was beyond the capacity of his office.” Of note, the IG and NSA leadership–that is, presumably Alexander himself–claimed such a review would “violate the privacy of U.S. persons.”

I look forward to Ron Wyden’s response to Alexander’s seeming reversal on that earlier letter with claims of this unlimited auditability.

5 Years of Data Not Collected by NSA

Just days after General Keith Alexander successfully dodged questions about the NSA’s massive new data storage facility by disclaiming any responsibility for collecting US person data, the National Counterterrorism Center is preparing to extend how long they can retain US person data to 5 years.

The Justice Department is close to approving guidelines that would allow the intelligence community to lengthen the period of time it retains information about U.S. residents, even if they have no known connection to terrorism.

Senior U.S. officials familiar with the guidelines said the changes would allow the National Counterterrorism Center, the intelligence community’s clearinghouse for counterterrorism data, to keep such information for up to five years.

Currently, the center must promptly destroy any information about U.S. citizens or residents unless a connection to terrorism is evident.

I guess if you’ve got all that data storage space in UT, you’re going to need something to fill it with.

To justify this power grab, the WaPo’s sources point to two attacks that had nothing to do with the length of data retention: the Nidal Hasan attack, in which information on his conversations with Anwar al-Awlaki hadn’t been shared throughout the government, and Umar Farouk Abdulmutallab, in which his suspect status hadn’t been loaded into the no-fly list.

They don’t, however, point to a concrete example where 5 year old data of US persons might have helped solve an actual terror attack.

But thanks to this measure pushed through in almost complete secrecy, when they declare–say–your Church a terrorist organization in three years’ time, they’ll have records of your association with it in a database in UT.

Update: Here’s Charlie Savage on this. Here’s the new guidelines. And here’s the guidelines they replaced. I’ll come back to these later.

NSA Director Keith Alexander: The FBI Does the Domestic Collection

Congressman Hank Johnson asked NSA Director Keith Alexander about James Bamford’s Wired article describing the data storage and analysis center in UT. Unfortunately, rather than ask Alexander about these activities–storage and analysis–Johnson asked Alexander about data collection. Here are excerpts of the exchange:

Johnson: Does NSA have the ability to identify Cheney bashers based on the content of their emails?

Alexander: No. Can I explain? NSA does not have the ability to do that in the United States. In the United States we would have to go through an FBI process–a warrant–to serve it to somebody to actually get it.

Johnson: But you do have the capability to do it?

Alexander: Not in the United States. We’re not authorized to collect nor do we have the equipment in the United States.

Johnson: “NSA’s signals intercepts include eavesdropping on domestic phone calls and inspection of domestic emails.” Is that true?

Alexander: No, not in that context. I think what he’s trying to raise is are we gathering all the information on the United States? No, that is not correct.

Johnson: What judicial consent is required for NSA to intercept communications and information involving American citizens?

Alexander: Within the United States, that would be the FBI lead.  If it was foreign actor in the United States the FBI would still have the lead and could work that with the NSA or other intelligence agencies as authorized. But to conduct that kind of collection in the United States it would have to go through a court order and a court would have to authorize it. We’re not authorized to do it nor do we do it.

Note that Alexander never denies that such capabilities exist. Rather, he says that FBI would intercept communications–with a court order–and FBI would search for certain content–with a warrant.

Also note, all of Alexander’s responses were in the present tense: he doesn’t say the NSA hasn’t done these things. Only that the NSA is not now authorized to do them and does not do them.

We know several things about the government’s collection in the US. First, the telecoms own the equipment–they’re the ones that do the intercepts, not FBI or NSA. Second, the FBI can and does get bulk data information from telecoms and other businesses using Section 215 of the PATRIOT Act.

I will have more to say about this later–until then, read this post and this post as background.

There is a great deal of circumstantial information to suggest that after the 2004 hospital confrontation–which was in part a response to Congress prohibiting any DOD use of data mining on Americans–chunks of the illegal wiretap program came to be authorized under Section 215 of the PATRIOT Act, which authorizes FBI data collection.

There’s nothing General Alexander said in this non-denial denial that would conflict with the notion that FBI collects data the telecoms intercept using Section 215 of the PATRIOT Act.

Operation Buckshot Yankee and WikiLeaks

Ellen Nakashima had a long article on Thursday using the 2008 thumb drive infection of DOD’s networks (including, she mentions in passing, the top-secret JWICS system) to describe the evolution of our approach to cybersecurity.

The whole thing is worth a close reading. But I’m particularly interested (as always) in reading it with WikiLeaks in mind. As Nakashima notes after describing the supposedly stringent response to the 2008 infection, which included “banning” thumb drives, Bradley Manning is suspected of downloading entire databases via the same means, removable media.

As the NSA worked to neutralize Agent.btz on its government computers, Strategic Command, which oversees deterrence strategy for nuclear weapons, space and cyberspace, raised the military’s information security threat level. A few weeks later, in November, an order went out banning the use of thumb drives across the Defense Department worldwide. It was the most controversial order of the operation.

Agent.btz had spread widely among military computers around the world, especially in Iraq and Afghanistan, creating the potential for major losses of intelligence. Yet the ban generated backlash among officers in the field, many of whom relied on the drives to download combat imagery or share after-action reports.

[snip]

The ban on thumb drives has been partially lifted because other security measures have been put in place.

Anglo-Americans at Cyberwar: Two Weeks of Cupcakes

I’ve been meaning to return to this Ellen Nakashima story on our cyberwar efforts. As you recall, it lays out the turf war between the CIA and DOD over clandestine cyberops, partly by telling the story of a fight over whether or not to disrupt the jihadist online magazine “Inspire.”

Last year, for instance, U.S. intelligence officials learned of plans by an al-Qaeda affiliate to publish an online jihadist magazine in English called Inspire, according to numerous current and senior U.S. officials. And to some of those skilled in the emerging new world of cyber-warfare, Inspire seemed a natural target.

The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas. But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity — and hence the prerogative of the CIA.

The CIA won out, and the proposal was rejected. But as the debate was underway within the U.S. government, British government cyber-warriors were moving forward with a plan.

When Inspire launched on June 30, the magazine’s cover may have promised an “exclusive interview” with Sheik Abu Basir al-Wahishi, a former aide to Osama bin Laden, and instructions on how to “Make a Bomb in the Kitchen of Your Mom.” But pages 4 through 67 of the otherwise slick magazine, including the bomb-making instructions, were garbled as a result of the British cyber-attack.

It took almost two weeks for al-Qaeda in the Arabian Peninsula to post a corrected version, said Evan Kohlmann, senior partner at Flashpoint Global Partners, which tracks jihadi Web sites.

The Telegraph elaborated on that story by telling of the swell cupcake recipes MI6 replaced the bomb recipe with.

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsular to recruit “lone-wolf” terrorists with a new English-language magazine, the Daily Telegraph understands.

When followers tried to download the 67-page colour magazine, instead of instructions about how to “Make a bomb in the Kitchen of your Mom” by “The AQ Chef” they were greeted with garbled computer code.

The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for “The Best Cupcakes in America” published by the Ellen DeGeneres chat show.

Written by Dulcy Israel and produced by Main Street Cupcakes in Hudson, Ohio, it said “the little cupcake is big again” adding: “Self-contained and satisfying, it summons memories of childhood even as it’s updated for today’s sweet-toothed hipsters.”

It included a recipe for the Mojito Cupcake – “made of white rum cake and draped in vanilla buttercream”- and the Rocky Road Cupcake – “warning: sugar rush ahead!”

By contrast, the original magazine featured a recipe showing how to make a lethal pipe bomb using sugar, match heads and a miniature lightbulb, attached to a timer.

So apparently this operation against Inspire, which had government hackers and their bosses on two continents scheming and in-fighting, succeeded in delaying for two weeks the publication of a bomb recipe that probably existed elsewhere on the Internet already.

With cupcakes.

And these spooks are apparently impressed enough with themselves that they’re boasting about it openly to journalists.

Dudes. Two weeks of cupcakes do not equate to Stuxnet.

I’ve been pondering the apparent self-congratulation over this op ever since I read this story, particularly in light of the seeming similarity between this op and the WikiLeaks hack last year. Do our cyberwarriors consider it a legitimate “win” to simply delay the publication of a transnational internet operation for a week or so? At what cost? And by “cost,” I mean both the tens of millions we’re investing to develop, apparently, the capability to engage in juvenile pranks. And also the cost in credibility as a purported defender of free speech wastes its time harassing, but not preventing, the free speech of groups it doesn’t like.

I mean, there must be more to our cyberwarfare than two weeks of cupcakes, isn’t there?

Of course, there must be, if the CIA was concerned about sources and methods. Presumably, CIA was already monitoring who was reading Inspire. Which–whatever it says about the First Amendment in this country–is probably still a better use of cyberwar time and dollars than two weeks of cupcakes.

Or are we to believe that the Generals think we’re going to win the GWOT by playing cyber-whack-a-mole with a group whose competitive advantage over us is in its nimbleness?

Putting “Really Mushy” Functions in a Department that Refuses to Be Audited

Noah Shachtman points to NextGov’s unsuccessful attempt to define how much DOD plans to spend on cybersecurity next year. DOD or its components have offered three different versions:

  • DOD’s mid-February report that it would spend $2.3 billion
  • Air Force’s mid-February report that it, by itself, would spend $4.6 billion
  • DOD’s March 23 revised report that it would spend $3.2 billion

Part of the problem, as Shachtman explains in the NextGov piece, is that the definition of what counts as cybersecurity is not yet well defined.

“All of this stuff is still really mushy,” Shachtman said. Further obscuring visibility into the budget is the fact that some cybersecurity funding is classified at Defense components such as the NSA. Meanwhile, Cyber Command presents a new spending variable, he noted.

“Exactly where the NSA ends and the Cyber Command ends is a very open question,” Shachtman said. “How the Cyber Command is supposed to interact with the services is still being worked out.” He predicted it will take years to untangle the process of budgeting for federal computer security.

While you’re trying to get your head around how the Air Force has a bigger budget than the whole DOD for cybersecurity, remember a couple of things.

First, both the Air Force and DOD generally have stated policies of not telling Congress about Special Access Programs (in the case of Air Force) or clandestine cyberops. So to the extent that this mushy budget is mixed in with cyberops (as distinct from cybersecurity), there’s a decent chance Congress isn’t seeing all of it.

But even if Congress decided to look, to the extent that NSA (or CyberCommand, which General Keith Alexander also commands) has a hand in it, Congress is almost guaranteed to be unable to track it closely. That’s because NSA books can’t be audited and apparently NSA doesn’t intend to fix those problems.

Now all of this would be pretty funny except that, insofar as the government can’t distinguish between legitimate cybersecurity (you know, preventing hackers and leakers from using thumb drives to upload malware and download entire databases) and cyberwar financially, there’s a decent chance they can’t do so organizationally either.

Or to put it in more tangible terms, HB Gary’s past governmental work has been about cybersecurity–assessing malware and finding intrusions. But they’ve been proposing collecting information about citizens’ First Amendment activity to use to target those citizens. And the Air Force–that entity with a cybersecurity budget bigger than all of DOD’s cybersecurity budget–is the service that was engaging cybersecurity firms to develop persona management software.

But aside from that, why should we be worried that such dangerous entities are organizationally such a clusterfuck?