
Confirmed: Listening to Whistleblower John Reidy Could Have Saved the Lives of Numerous CIA Assets

Back in 2015, I looked at the whistleblower case of John Reidy, a former CIA contractor who had warned of catastrophic failures in a communications system.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem.

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries.

When news of CIA’s loss of numerous Chinese assets came out, I again pointed back to Reidy’s warnings.

Today, Yahoo confirms that the communications system weakness first identified by Reidy 11 years ago was indeed exploited first by Iran (where, Yahoo says, Reidy was stationed), then by China, and to a lesser degree, Russia.

Iran was able to use the vulnerability to unwind the US’ network of spies by using Google to identify signatures of the system.

This hunt for CIA sources eventually bore fruit — including the identification of the covert communications system.

A 2011 Iranian television broadcast that touted the government’s destruction of the CIA network said U.S. intelligence operatives had created websites for fake companies to recruit agents in Iran by promising them jobs, visas and education abroad. Iranians who initially thought they were responding to legitimate opportunities would end up meeting with CIA officers in places like Dubai or Istanbul for recruitment, according to the broadcast.

Though the Iranians didn’t say precisely how they infiltrated the network, two former U.S. intelligence officials said that the Iranians cultivated a double agent who led them to the secret CIA communications system. This online system allowed CIA officers and their sources to communicate remotely in difficult operational environments like China and Iran, where in-person meetings are often dangerous.

A lack of proper vetting of sources may have led to the CIA inadvertently running a double agent, said one former senior official — a consequence of the CIA’s pressing need at the time to develop highly placed agents inside the Islamic Republic. After this betrayal, Israeli intelligence tipped off the CIA that Iran had likely identified some of its assets, said the same former official.

The losses could have stopped there. But U.S. officials believe Iranian intelligence was then able to compromise the covert communications system. At the CIA, there was “shock and awe” about the simplicity of the technique the Iranians used to successfully compromise the system, said one former official.

In fact, the Iranians used Google to identify the website the CIA was using to communicate with agents. Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes. And Google’s search functions allow users to employ advanced operators — like “AND,” “OR,” and other, much more sophisticated ones — that weed out and isolate websites and online data with extreme specificity.

According to the former intelligence official, once the Iranian double agent showed Iranian intelligence the website used to communicate with his or her CIA handlers, they began to scour the internet for websites with similar digital signifiers or components — eventually hitting on the right string of advanced search terms to locate other secret CIA websites. From there, Iranian intelligence tracked who was visiting these sites, and from where, and began to unravel the wider CIA network.
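The technique the Yahoo story sketches, pivoting from one known page to its siblings by the components they share, is easy to simulate offline. The block below is an added illustration; it is not code from the original post, from Yahoo, or from any real system. Every host name, HTML page, generator string and field name in it is constructed for the example. It extracts the searchable "signifiers" of a page (title, CMS generator string, script file names, form handler, input names), renders them as a search-operator query (intitle:, inurl:, quoted phrases, which are standard Google operators), and shows that the sites built from the same template answer to the query once the site-specific title is dropped. The last function is the check an owner of such infrastructure would want: which tokens appear on more than one of their own sites.

```python
# Added example, not code from the original post or the Yahoo story. It
# illustrates the general technique described above: a page's searchable
# components are turned into a search-operator query, and any other site
# built from the same template answers to it. All site names, HTML and
# tokens below are constructed for the illustration and are not claims
# about any real system.
from collections import defaultdict
from html.parser import HTMLParser

# Constructed corpus: three sites from one template, two unrelated sites.
SAMPLE_CORPUS = {
    "careers-portal-a.example": """<html><head><title>Global Careers Portal</title>
<meta name="generator" content="SitePress 2.1">
<script src="/static/js/applicant-form.js"></script></head>
<body><form action="/cgi-bin/apply.cgi"><input name="candidate_ref"></form></body></html>""",
    "overseas-study-b.example": """<html><head><title>Study Abroad Scholarships</title>
<meta name="generator" content="SitePress 2.1">
<script src="/assets/js/applicant-form.js"></script></head>
<body><form action="/cgi-bin/apply.cgi"><input name="candidate_ref"></form></body></html>""",
    "visa-help-c.example": """<html><head><title>Visa Assistance Desk</title>
<meta name="generator" content="SitePress 2.1">
<script src="/js/applicant-form.js"></script></head>
<body><form action="/cgi-bin/apply.cgi"><input name="candidate_ref"></form></body></html>""",
    "bakery.example": """<html><head><title>Corner Bakery</title>
<meta name="generator" content="WordPress 4.7">
<script src="/wp-includes/js/jquery.js"></script></head>
<body><form action="/contact"><input name="email"></form></body></html>""",
    "news.example": """<html><head><title>Daily Gazette</title>
<script src="/js/app.js"></script></head>
<body><form action="/search"><input name="q"></form></body></html>""",
}


class _SignifierExtractor(HTMLParser):
    """Collects the page features a web index makes searchable, as
    (operator, value) pairs: intitle for the title, inurl for file names of
    scripts/stylesheets/form handlers, plain text for generator and field names."""

    def __init__(self):
        super().__init__()
        self.tokens = set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name", "").lower() == "generator" and a.get("content"):
            self.tokens.add(("text", a["content"].strip()))
        elif tag in ("script", "link") and (a.get("src") or a.get("href")):
            self.tokens.add(("inurl", (a.get("src") or a.get("href")).rsplit("/", 1)[-1]))
        elif tag == "form" and a.get("action"):
            self.tokens.add(("inurl", a["action"].rsplit("/", 1)[-1]))
        elif tag == "input" and a.get("name"):
            self.tokens.add(("text", a["name"]))

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.tokens.add(("intitle", data.strip()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False


def fingerprint(html):
    """Return the set of (operator, value) signifiers for one page."""
    p = _SignifierExtractor()
    p.feed(html)
    return p.tokens


def to_query(tokens):
    """Render signifiers as a search-operator string, e.g. intitle:"..." inurl:"..." "..."."""
    return " ".join(f'"{v}"' if op == "text" else f'{op}:"{v}"' for op, v in sorted(tokens))


def search(corpus, tokens):
    """Hosts whose fingerprint contains every requested token (an offline stand-in
    for running the query against a search engine's index)."""
    return sorted(h for h, html in corpus.items() if tokens <= fingerprint(html))


def shared_tokens(corpus, min_sites=2):
    """Defensive audit: tokens that appear on at least min_sites hosts, i.e. the
    template reuse that lets one exposed site lead to the others."""
    seen = defaultdict(set)
    for host, html in corpus.items():
        for tok in fingerprint(html):
            seen[tok].add(host)
    return {tok: sorted(hosts) for tok, hosts in seen.items() if len(hosts) >= min_sites}


if __name__ == "__main__":
    seed = fingerprint(SAMPLE_CORPUS["careers-portal-a.example"])
    print("full seed query matches:", search(SAMPLE_CORPUS, seed))
    template = {t for t in seed if t[0] != "intitle"}  # drop the site-specific title
    print("broadened query:", to_query(template))
    print("broadened query matches:", search(SAMPLE_CORPUS, template))
    for tok, hosts in sorted(shared_tokens(SAMPLE_CORPUS).items()):
        print("shared", tok, "on", hosts)
```

The first search, with every token of the seed page, returns only the seed; dropping the one site-specific token (the title) is the "right string of advanced search terms" step, and the broadened query returns all three template siblings while the unrelated bakery and news sites do not match. Running `shared_tokens` over one's own sites before deployment surfaces exactly those reusable tokens, which is the point at which a distinct template, handler path and field naming per site would have broken the pivot.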

Yahoo reports that Iran and China likely traded the technique, which is how China went on to use the same method to target CIA assets.

While Yahoo doesn’t emphasize it, it seems likely that if SAIC and Raytheon hadn’t had so much power when Reidy first started warning of this compromise, it would have been addressed far more quickly. Instead, he lost clearance and was fired.

Which, on top of a lot of other lessons, seems to be a superb example of how ignoring a whistleblower can have catastrophic consequences.

Were Shitty SAIC Systems the Cause of the CIA’s China Disaster?

The NYT has a story about how China started rolling up CIA’s spy network in 2010, the cause of which (the story says) still has not been solved. One possible cause is that a Chinese-American exposed America’s spies to the Chinese. But the government was never able to establish enough proof that he was the Chinese mole to arrest him, not even when they lured him back to the US to try to bust him.

The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.

[snip]

As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.

After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.

Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.

The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.

A second possibility is that bad tradecraft allowed China to discover America’s spies.

Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.

Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.

A third possibility — which the NYT doesn’t examine at length and which it ties to the poor tradecraft — is that China hacked the CIA’s method of communicating with assets.

Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources.

[snip]

Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets.

[snip]

This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said.

I lay these three possibilities out because the timing of the moment the exposure became critical — 2010 and 2011 — and the allusions to a hacked covert communication channel sound a lot like what CIA whistleblower John Reidy complained about seeing his employer, SAIC, oversee starting in 2005. While his complaint is heavily redacted, it sounded like he accused SAIC of providing inadequate security for a system serving the intersection of human assets and electronic reporting.

[H]is heavily redacted appeal at least appears to suggest his complaint was very serious and should have been a timely way to limit the compromise of CIA assets and officers.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem. [my emphasis]

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries, a guess that is reinforced by his stated desire to bring a “qui tam lawsuit brought against CIA contractors for providing products whose maintenance and design are inherently flawed and yet they are still charging the government for the products.”

The task force described in Reidy’s complaint coincides with the “Honey Badger” investigation described in the NYT, and the scale of the losses — 70% of operations compromised — sounds the same too. Reidy complained that those working on the task force didn’t learn how long he had been calling attention to the problem. And as he was appealing his complaint, he was being spied on by the intelligence community.

Of course, Reidy’s complaints were especially easy to silence because he was a contractor that the intelligence contractor community basically blacklisted.

I’m checking with the NYT reporters to see if this sounds like their story. But either the CIA had two catastrophic intelligence failures at the same time in 2010, or this sounds like the Chinese compromise.

In which case the fourth possibility to explain the compromise is that shitty intelligence contractors created the problem and then covered it up.

Three Things: Day 6, Bombs Away, Get Carter 2

As long as my schedule permits I’ll continue to post Three Things each day at least through next Tuesday. Here we go…

Day 6: Countdown to Tax Day deadline continues
There’s a clear trend in interest about Trump’s tax returns since the election, with a spike reflecting the two pages leaked from Trump’s 2005 return on Rachel Maddow’s show last month. Stretching the Google Trends period out to five years, a seasonal bump can be seen each year. This year’s seasonal bump is completely distorted by discussion of Trump’s returns.

59 Tomahawk missiles launched at Syria and a GBU-43/B MOAB dropped on Afghanistan aren’t going to change this picture. Where are your tax returns, Trump?

Bombs away
Speaking of missiles and bombs, I sure hope somebody is watching transactions related to military industrial complex stocks. The image here includes just three companies, one of which is Raytheon, the maker of Tomahawk missiles, in which Trump may or may not own shares. How convenient for shareholders of record last Friday that the stock went ex-dividend this Monday, after a spike in price late last week when 59 missiles were aimed just off a Syrian runway.

Considering both Russia and Syria knew in advance the US was deploying missiles, one would be foolish not to wonder if anyone with a vested interest in NYSE:RTN or competitors might also have known in advance to buy before the 01:40 UTC launch with a sell order for Monday’s open. For those of you mentally checking off time zones of key cities and major stock markets:

Damascus Fri 07-APR-2017 4:40:00 am EEST UTC+3 hours
Washington DC Thu 06-APR-2017 9:40:00 pm EDT UTC-4 hours
Moscow Fri 07-APR-2017 4:40:00 am MSK UTC+3 hours
Tokyo Fri 07-APR-2017 10:40:00 am JST UTC+9 hours
Shanghai Fri 07-APR-2017 9:40:00 am CST UTC+8 hours
Corresponding UTC(GMT) Fri 07-APR-2017 01:40:00

Get Carter 2
I’d much rather talk about a second installment of the 1971 movie featuring Michael Caine but no, it’s all about Carter Page and his less-than-stellar ability to prevaricate about his dealings with Russians. While quizzed by ABC’s George Stephanopoulos about the chances sanctions were discussed by Page and Russians during the 2016 campaign season, Carter replied, “Something may have come up in a conversation…”

Uh-huh. Imagine somebody at the FBI cutting to a taped conversation or two at that point. Page insists he didn’t ask or offer anything about the sanctions, but he’s wholly unconvincing. It’s no wonder at all that the known Russian spies in the Buryakov case were skeptical about Page, a.k.a. ‘Male-1’. Whatever Page claims, there was enough there to pass the threshold requirements for a FISA warrant.

Why is Page talking to media now anyhow? Is he somebody’s canary-in-the-coal-mine? Definitely not a FISA warrant canary.

That’s Three Things. By the way: about 22 percent of taxpayers wait until the last two weeks before the deadline to file. Tick-tock — only a handful of hours until Day 5 before deadline.

(p.s. treat this like an open thread)

Did China and Russia Really Need Our Help Targeting Spook Techies?

LAT has a story describing what a slew of others — including me — have already laid out. The OPM hack will enable China to cross-reference a bunch of databases to target our spooks. Aside from laying all that out again (which is worthwhile, because a lot of people are still not publicly discussing that), LAT notes Russia is doing the same.

But other than that (and some false claims the US doesn’t do the same, including working with contractors and “criminal” hackers) and a review of the dubiously legal Junaid Hussain drone killing, LAT includes one piece of actual news.

At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.

I would be unsurprised that China was rolling up actual HUMINT spies in China as a result of the OPM breach (which would explain why we’d be doing the same in response, if that’s what we’re doing). But the LAT says China (and/or Russia) is targeting “engineers and scientists who provide technical assistance” to spooks — one step removed from the people recruiting Chinese (or Russian) nationals to share their country’s secrets.

I find that description rather curious because of the way it resembles the complaint by CIA contractor whistleblower John Reidy in an appeal of a denial of a whistleblower complaint by CIA’s Inspector General. (Marisa Taylor first reported on Reidy’s case.) As I extrapolated from redactions some weeks ago, it looks like Reidy reported CIA’s reporting system getting hacked at least as early as 2007, but the contractors whose system got (apparently) hacked got him fired and CIA suppressed his complaints, only to have the problem get worse in the following years until CIA finally started doing something about it — with incomplete information — starting in 2010.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem.

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries, a guess that is reinforced by his stated desire to bring a “qui tam lawsuit brought against CIA contractors for providing products whose maintenance and design are inherently flawed and yet they are still charging the government for the products.” In his complaint, he describes Raytheon employees being reassigned, suggesting that contracting giant may be one of the culprits, but all three named contractors (SAIC, Raytheon, and Mantech) have had their lapses; remember that SAIC was the lead contractor that Thomas Drake and friends exposed.

Reidy’s appeal makes it clear that one of the things that exacerbated this problem was overlapping jurisdiction, with a functional unit apparently taking over control from a geographic unit. While that in no way rules out China, it sounded as much like the conflict between CIA’s Middle East and Counterterrorism groups that has surfaced in other areas as anything else.

The reason I raise Reidy is because — whether or not the engineers targeted as described in the LAT story are the same as the ones Reidy seems to describe — Reidy’s appeal suggests the problem he described arose from contractor incompetence and cover-ups.

I guess you could say the same about the OPM hack (though it was also OPM’s incompetence). Except in the earlier case, you’re talking far more significant intelligence contractors — including SAIC and Raytheon, who both do a lot of cybersecurity contracting on top of their intelligence contracting — and a years-long cover up with the assistance of the agency in question.

All while assets were being exposed, apparently because of insecure computer systems.

China’s hacking is a real threat to the identities of those who recruit human sources (and therefore of the human sources themselves).

But if Reidy’s complaint is true, then it’s not clear how much work China really needs to do to compromise these identities.

Another Breach of Contractor-Protected Critical Infrastructure

In my never-ending campaign to document all the ways the private sector is a bigger risk to our critical infrastructure than terrorists, hackers, political activists, or average citizens, take a look at the job Raytheon’s $100 million security system for JFK Airport has done.

Daniel Casillo, 31, was able to swim up to and enter the airport grounds on Friday night, past an intricate system of motion sensors and closed-circuit cameras designed to safeguard against terrorists, authorities said.

[snip]

“We have called for an expedited review of the incident and a complete investigation to determine how Raytheon’s perimeter intrusion detection system-which exceeds federal requirements-could be improved. Our goal is to keep the region’s airports safe and secure at all times,” the Port Authority said in a statement.

This comes just weeks after an 82-year-old peace activist was able to breach the security provided by failed Olympic security contractor G4S. In response to that failure, POGO is calling out Energy Secretary Steven Chu for his history of outsourcing to poorly-overseen contractors.

Energy Secretary Steven Chu said in a statement provided to the Knoxville News Sentinel on Monday: “The department has no tolerance for security breaches at any of our sites, and I am committed to ensure that those responsible will be held accountable.” But there is no denying that Y-12 [the actual part of Oak Ridge breached] was a giant failure of federal oversight. Now the people being axed are lower-level employees rather than those who have allowed the security standards to fall far below acceptable levels, such as Secretary Chu, himself.

Secretary Chu should be the first on the chopping block. He has been preaching for years that government overseers should get off the back of the contractors and everything will be fine. Then, of course, he is shocked when Y-12 is successfully attacked by an 82-year-old nun.

After only one year in the position, Secretary Chu’s deputy secretary, Daniel B Poneman, sent a memorandum (PDF) to the department with a safety and security reform plan aimed at curtailing pesky government oversight. “Contractors are provided the flexibility to tailor and implement safety programs in light of their situation without excessive Federal oversight or overly prescriptive Departmental requirements,” the memo said.

It should be clear by now that the current culture at DOE and its semiautonomous National Nuclear Security Administration (NNSA) is to take their orders from contractors and provide little or no oversight.