
Sheldon Whitehouse and the Russia Investigation Deconfliction

Laura Rozen has me worried.

She pointed to this CNN article — posted sometime this afternoon — describing Sheldon Whitehouse’s worries that the scope of the DOJ inquiry into Trump and Russia might conflict with the Congressional inquiries.

Sen. Sheldon Whitehouse, the top Democrat on a Judiciary subcommittee, told CNN Thursday that it’s possible Flynn is cooperating with the Justice Department — and that Capitol Hill has not been kept in the loop. He warned that congressional probes that have subpoenaed Flynn for records could undercut Mueller’s investigation if the former national security adviser is secretly working with the Justice Department as part of its broader investigation into possible collusion between Russian officials and Trump associates during the campaign season.

“There is at least a reasonable hypothesis that Mike Flynn is already cooperating with the DOJ investigation and perhaps even has been for some time,” said Whitehouse, a Rhode Island Democrat.

Whitehouse added he had no direct evidence to suggest that Flynn is cooperating with the Justice Department. But he said there is circumstantial evidence to suggest that it could be the case, saying Mueller must immediately detail the situation to “deconflict” with probes on the Hill to “make sure that congressional investigations aren’t inadvertently competing with DOJ criminal investigations.”

[snip]

The Rhode Island Democrat said there are a number of factors that suggest Flynn is working with the Justice Department in its probe. He pointed out that “all reporting indicates they’ve got him dead to rights on a false statement felony” in his private interview with the FBI over his conversations last year with Russian Ambassador Sergey Kislyak. He also noted that Flynn has gone silent and retroactively signed on as a foreign agent to Turkey. And he noted that a federal grand jury has been summoned and has issued subpoenas to Flynn associates.

“So none of that proves anything but it’s all consistent with the hypothesis that he’s already cooperating,” Whitehouse told CNN.

“But that’s certainly a hypothetical case of a time when we do need this de-confliction apparatus in place to make sure that congressional investigations aren’t inadvertently competing with DOJ criminal investigations.”

Now, in point of fact, that deconfliction has already happened — or at least started. That’s what a May 11 meeting between Rod Rosenstein, Richard Burr, and Mark Warner was described as at the time.

Rosenstein was tight-lipped as he entered and emerged from a secure facility Thursday on Capitol Hill, where he huddled with Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Mark R. Warner (D-Va.). The senators said the meeting had been scheduled before Comey’s ouster to discuss “deconfliction” — keeping the FBI’s and committee’s investigations of alleged ties between the Trump campaign and the Russian government from stepping on each other’s toes.

According to reports, the meeting was scheduled before the Jim Comey ouster, so it should reflect the scope of what he was investigating, and therefore presumably resembles the scope of what Robert Mueller will investigate.

But there are three reasons why Whitehouse might be justified in worrying that Congress might fuck up what DOJ is investigating.

Obviously, the first is Mueller: the Comey firing might have reflected some new investigative approach (including Flynn immunity), or Mueller, because of the firing, might be scoping the investigation differently.

A second is jurisdiction. Whitehouse and Lindsey Graham have assumed jurisdiction over the Russia investigation for their subcommittee — and the Senate Judiciary Committee obviously should oversee the FBI. So it may be that former US Attorney Sheldon Whitehouse wants to have a deconflicting conversation for himself, because he knows how investigations work (and for all we know is getting tips from DOJ).

The other is another announcement from this afternoon: that the Senate Intelligence Committee had voted to give Chair Richard Burr and Vice Chair Mark Warner the ability to issue subpoenas themselves going forward, without consulting the committee.

The leaders of the Senate Intelligence Committee now have broad authority to issue subpoenas in the Russia investigation without a full committee vote, Chairman Richard Burr (R-N.C.) said Thursday.

The panel voted unanimously to give Burr and Vice Chairman Mark Warner (D-Va.) the blanket authority for the duration of the investigation into Russia’s election meddling and possible collusion with President Trump’s campaign.

The two Senate leaders must be in agreement in order to issue an order.

Now, as the article notes, thus far, the committee has asked for documents, not testimony. My suspicion is this might have more to do with ensuring Comey’s testimony — promised after Memorial Day — is “compelled” in such a way that DOJ can’t object.

Nevertheless, the power to subpoena does grant someone (like former Trump National Security Advisor Richard Burr) the ability to fuck with the DOJ investigation by potentially working at cross-purposes. To grant immunity (and therefore to fuck up the investigation as happened in Iran-Contra), I think Burr would still need the support of the committee.

Still, this gives Burr far more power to thwart the investigation, with only Mark Warner (who unlike Whitehouse has never been a prosecutor) to prevent it.

In theory, I think Whitehouse is just pushing for jurisdiction (and for the ability to demand the same kind of deconfliction conversation Burr and Warner have gotten).

But upon reflection, I don’t think his concerns are entirely unjustified.

In any case, I trust Whitehouse (with whatever leftover ties he has to DOJ) to do this review more than Mark Warner.

Update: Burr told Bloomberg he has had a deconfliction conversation with Mueller.

Senate Intelligence Chairman Richard Burr, a Republican from North Carolina, said he has contacted Mueller to discuss their parallel probes of Russian meddling.

One Takeaway from the Five Takeaways from the Comey Hearing: Election 2016 Continues to Suffocate Oversight

The Senate Judiciary Committee had an oversight hearing with Jim Comey yesterday, which I live-tweeted in great depth. As you can imagine, most of the questions pertained either to Comey’s handling of the Hillary investigation and/or to the investigation into Russian interference in the election. So much so that The Hill, in its “Five Takeaways from Comey’s testimony,” described only things that had to do with the election:

  • Comey isn’t sorry (but he was “mildly nauseous” that his conduct may have affected the outcome)
  • Emotions over the election are still raw
  • Comey explains DOJ dynamic: “I hope someday you’ll understand”
  • The FBI may be investigating internal leaks
  • Trump, Clinton investigations are dominating FBI oversight

The Hill’s description of that third bullet doesn’t even include the “news” from Comey’s statement: that there is some still-classified detail, in addition to Loretta Lynch’s tarmac meeting with Bill Clinton and the intercepted Hillary aide email saying Lynch would make sure nothing happened with the investigation, that led Comey to believe he had to take the lead on the non-indictment in July.

I struggled as we got closer to the end of it with the — a number things had gone on, some of which I can’t talk about yet, that made me worry that the department leadership could not credibly complete the investigation and declined prosecution without grievous damage to the American people’s confidence in the — in the justice system.

As I said, it is true that most questions pertained to Hillary’s emails or Russia. Still, reports like this, read primarily by people on the Hill, have the effect of a self-fulfilling prophecy by obscuring what little real oversight happened. So here’s my list of five pieces of actual oversight that happened.

Neither Grassley nor Feinstein understands how FISA back door searches work

While they primarily focused on the import of reauthorizing Section 702 (and pretended that there were no interim options between clean reauthorization and a lapse), SJC Chair Chuck Grassley and SJC Ranking Member Dianne Feinstein both said things that made it clear they didn’t understand how FISA back door searches work.

At one point, in a discussion of the leaks about Mike Flynn’s conversation with Sergey Kislyak, Grassley tried to suggest that only a few people at FBI would have access to the unmasked identity in those intercepts.

There are several senior FBI officials who would’ve had access to the classified information that was leaked, including yourself and the deputy director.

He appeared unaware that as soon as the FBI started focusing on either Kislyak or Flynn, a back door search on the FISA content would return those conversations in unmasked form, which would mean a significant number of FBI Agents (and anyone else on that task force) would have access to the information that was leaked.

Likewise, at one point, while Feinstein was leading Comey through a discussion of why they needed to have easy back door access to communication content collected without a warrant (so we don’t stovepipe anything, Comey said), she said, “so you are not unmasking the data,” as if data obtained through a back door search would be masked, which genuinely (and rightly) confused Comey.

FEINSTEIN: So you are not masking the data — unmasking the data?

COMEY: I’m not sure what that means in this context.

It’s raw data. It would not be masked. That Feinstein, who has been a chief overseer of this program for the entire time back door searches were permitted, doesn’t know this, that she repeatedly led the effort to defeat efforts to close the back door loophole, and that she doesn’t know what it means that this is raw data, is unbelievably damning.

Incidentally, as part of the exchange with Feinstein, Comey said the FISA data sits in a cloud-type environment.

Comey claims the government doesn’t need the foreign government certificate except to target spies

Several hours into the hearing, Mike Lee asked some questions about surveillance. In particular, he asked if the targeting certificates for 702 ever targeted someone abroad for purposes unrelated to national security. Comey seemingly listed off the certificates we do have — foreign government, counterterrorism, and counterproliferation, noting that cyber gets worked into other ones.

LEE: Yes. Let’s talk about Section 702, for a minute. Section 702 of the Foreign Intelligence Surveillance Amendments Act authorizes the surveillance, the use of U.S. signals surveillance equipment to obtain foreign intelligence information.

The definition includes information that is directly related to national security, but it also includes quote, “information that is relevant to the foreign affairs of the United States,” close quote, regardless of whether that foreign affairs related information is relevant to a national security threat. To your knowledge, has the attorney general or has the DNI ever used Section 702 to target individuals abroad in a situation unrelated to a national security threat?

COMEY: Not that I’m aware of. I think — I could be wrong, but I don’t think so, I think it’s confined to counterterrorism to espionage, to counter proliferation. And — those — those are the buckets. I was going to say cyber but cyber is fits within…

He said they don’t need any FG information except that which targets diplomats and spies.

LEE: Right. So if Section 702 were narrowed to exclude such information, to exclude information that is relevant to foreign affairs, but not relevant to a national security threat, would that mean that the government would be able to obtain the information it needs in order to protect national security?

COMEY: Would seem so logically. I mean to me, the value of 702 is — is exactly that, where the rubber hits the road in the national security context, especially counterterrorism, counter proliferation.

I assume that Comey said this because the FBI doesn’t get all the other FG-collected stuff in raw form and so isn’t as aware that it exists. I assume that CIA and NSA, which presumably use this raw data far more than FBI, will find a way to push back on this claim.

But for now, we have the FBI Director stating that we could limit 702 collection to national security functions, a limitation that was defeated in 2008.

Comey says FBI only needs top level URLs for ECTR searches

In another exchange, Lee asked Comey about the FBI’s continued push to be able to get Electronic Communication Transaction Records. Specifically, he noted that being able to get URLs means being able to find out what someone was reading.

In response, Comey said he thought they could only get the top-level URL.

After some confusion that revealed Comey’s lie about the exclusion of ECTRs from NSLs being just a typo, Comey said FBI did not need any more than the top domain, and Lee answered that the current bill would permit more than that.

LEE: Yes. Based on the legislation that I’ve reviewed, it’s not my recollection that that is the case. Now, what — what I’ve been told is that — it would not necessarily be the policy of the government to use it, to go to that level of granularity. But that the language itself would allow it, is that inconsistent with your understanding?

COMEY: It is and my understanding is we — we’re not looking for that authority.

LEE: You don’t want that authority…

(CROSSTALK)

COMEY: That’s my understanding. What — what we’d like is, the functional equivalent of the dialing information, where you — the address you e-mailed to or the — or the webpage you went to, not where you went within it.

This exchange should be useful for limiting any ECTR provision that gets rushed through to what FBI claims it needs.

The publication of (US) intelligence information counts as intelligence porn and therefore not journalism

Ben Sasse asked Comey about the discussion of indicting Wikileaks. Comey’s first refusal to answer whether DOJ would indict Wikileaks led me to believe they already had.

I don’t want to confirm whether or not there are charges pending. He hasn’t been apprehended because he’s inside the Ecuadorian embassy in London.

But as part of that discussion, Comey explained that Wikileaks’ publication of loads of classified materials amounted to intelligence porn, which therefore (particularly since Wikileaks didn’t call the IC for comment first, even though they have in the past) meant they weren’t journalism.

COMEY: Yes and again, I want to be careful that I don’t prejudice any future proceeding. It’s an important question, because all of us care deeply about the First Amendment and the ability of a free press, to get information about our work and — and publish it.

To my mind, it crosses a line when it moves from being about trying to educate a public and instead just becomes about intelligence porn, frankly. Just pushing out information about sources and methods without regard to interest, without regard to the First Amendment values that normally underlie press reporting.

[snip]

[I]n my view, a huge portion of WikiLeaks’s activities has nothing to do with legitimate newsgathering, informing the public, commenting on important public controversies, but is simply about releasing classified information to damage the United States of America. And — and — and people sometimes get cynical about journalists.

American journalists do not do that. They will almost always call us before they publish classified information and say, is there anything about this that’s going to put lives in danger, that’s going to jeopardize government people, military people or — or innocent civilians anywhere in the world.

I’ll write about this more at length.

Relatedly (though technically a Russian investigation detail), Comey revealed that the investigation into Trump ties to Russia is being done at Main Justice and EDVA.

COMEY: Yes, well — two sets of prosecutors, the Main Justice the National Security Division and the Eastern District of Virginia U.S. Attorney’s Office.

That makes Dana Boente’s role, first as Acting Attorney General for the Russian investigation and now the Acting Assistant Attorney General for National Security, all the more interesting, as it means he is the person who can make key approvals related to the investigation.

I don’t have any problem with him being chosen for these acting roles. But I think it supremely unwise to effectively eliminate levels of oversight on these sensitive cases (Russia and Wikileaks) by making the US Attorney already overseeing them also the guy who oversees his own oversight of them.

The US is on its way to becoming the last haven of shell corporations

Okay, technically these were Sheldon Whitehouse and Amy Klobuchar comments about Russia. But as part of a (typically prosecutorial) line of questioning about things related to the Russian investigation, Whitehouse got Comey to acknowledge that as the EU tries to crack down on shell companies, that increasingly leaves the US as the remaining haven for shell companies that can hide who is paying for things like election hacks.

WHITEHOUSE: And lastly, the European Union is moving towards requiring transparency of incorporations so that shell corporations are harder to create. That risks leaving the United States as the last big haven for shell corporations. Is it true that shell corporations are often used as a device for criminal money laundering?

COMEY: Yes.

[snip]

WHITEHOUSE: What do you think the hazards are for the United States with respect to election interference of continuing to maintain a system in which shell corporations — that you never know who’s really behind them are common place?

COMEY: I suppose one risk is it makes it easier for illicit money to make its way into a political environment.

WHITEHOUSE: And that’s not a good thing.

COMEY: I don’t think it is.

And Klobuchar addressed the point specifically as it relates to high end real estate (not mentioning that both Trump and Paul Manafort have been alleged to be involved in such transactions).

There have been recent concerns that organized criminals, including Russians, are using the luxury real estate market to launder money. The Treasury Department has noted a significant rise in the use of shell companies in real estate transactions, because foreign buyers use them as a way to hide their identity and find a safe haven for their money in the U.S. In fact, nearly half of all homes in the U.S. worth at least $5 million are purchased using shell companies.

Does the anonymity associated with the use of shell companies to buy real estate hurt the FBI’s ability to trace the flow of illicit money and fight organized crime? And do you support efforts by the Treasury Department to use its existing authority to require more transparency in these transactions?

COMEY: Yes and yes.

It’s a real problem, and not just because of the way it facilitates election hacks, and it’d be nice if Congress would fix it.

Why We Should Remain Skeptical of the Five (!!) Congressional Investigations into the Russian Hack

I was interviewed (on Thursday) about the Flynn resignation and larger investigation into the Russia hack for Saturday’s On the Media. In what made the edit, I made one error (which I’ll explain later), but a key point I made holds. The leaks about Flynn and other Russian events are hypocritical and out of control. But they may create pressure to fix two problems with the current investigations into the Russian hack: the role of Jeff Sessions overseeing the DOJ-led investigations, and the role of Trump advisory officials Devin Nunes and Richard Burr overseeing the most appropriate congressional investigations.

In this post I’ll look at the latter conflicts. In a follow-up I’ll look at what the FBI seems to be doing.

As I noted in the interview, contrary to what you might think from squawking Democrats, there are five congressional investigations pertaining to Russian hacks, though some will likely end up focusing on prospective review of Russian hacking (for comparison, there were seven congressional Benghazi investigations). They are:

  • Senate Intelligence Committee: After months of Richard Burr — who served on Trump’s campaign national security advisory council — saying an inquiry was not necessary and going so far as insisting any inquiry wouldn’t review the dossier leaked on Trump, SSCI finally agreed to do an inquiry on January 13. Jim Comey briefed that inquiry last Friday, February 17.
  • House Intelligence Committee: In December, James Clapper refused to brief the House Intelligence Committee on the latest intelligence concluding Russia hacked the DNC with the goal of electing Trump, noting that HPSCI had been briefed all along (as was clear from some of the leaks, which clearly came from HPSCI insiders). In January, they started their own investigation of the hack, having already started fighting about documents by late January. While Ranking Democratic Member Adam Schiff has long been among the most vocal people complaining about the treatment of the hack, Devin Nunes was not only a Trump transition official, but made some absolutely ridiculous complaints after Mike Flynn’s side of some conversations got legally collected in a counterintelligence wiretap. Nunes has since promised to investigate the leaks that led to Flynn’s forced resignation.
  • Senate Armed Services Committee: In early January, John McCain announced he’d form a new subcommittee on cybersecurity, with the understanding it would include the Russian hack in its focus. Although he originally said Lindsey Graham would lead that committee, within weeks (and after Richard Burr finally capitulated and agreed to do a SSCI inquiry), McCain instead announced Mike Rounds would lead it.
  • Senate Foreign Relations Committee: In December, Bob Corker announced the SFRC would conduct an inquiry, scheduled to start in January. At a hearing in February, the topic came up multiple times, and both Corker and Ben Cardin reiterated their plans to conduct such an inquiry.
  • Senate Judiciary Subcommittee on Crime and Terrorism: After Graham was denied control of the SASC panel, he and Sheldon Whitehouse announced they’d conduct their own inquiry, including a prospective review of “the American intelligence community’s assessment that Russia did take an active interest and play a role in the recent American elections.”

All the while, some Senators — McCain, Graham, Chuck Schumer, and Jack Reed — have called for a Select Committee to conduct the investigation, though in true McCainesque fashion, the maverick has at times flip-flopped on his support of such an inquiry.

Also, while not an investigation, on February 9, Jerry Nadler issued what I consider (strictly as it relates to the Russian hack, not the other conflicts) an ill-advised resolution of inquiry calling for the Administration to release materials relating to the hack, among other materials. Democrats in both the House and Senate have introduced legislation calling for an independent commission, but have gotten no support even from the mavericky Republicans.

As you can see from these descriptions, it took pressure from other committees, especially Lindsey Graham getting control of one of the inquiries, before Richard Burr let himself be convinced by SSCI Vice Chair Mark Warner to conduct an inquiry. Thus far, Mitch McConnell has staved off any Select Committee. As soon as SSCI did claim to be launching an investigation, a bunch of Republicans tried to shut down the others, claiming it was all simply too confusing.

Let me be clear: as I noted in the OTM interview, the intelligence committees are the appropriate place to conduct this investigation, as it concerns really sensitive counterintelligence matters — people who could be witnesses to it are getting killed! — and an ongoing investigation. The only way to conduct a responsible inquiry is to do so in secret, and unless a select committee with clearance is formed, that means doing so in the dysfunctional intelligence committees.

That’s made worse by Nunes and Burr’s obvious conflicts, having served on Trump’s pre-inauguration advisory teams (at a time when Mike Flynn was chatting about ongoing sanctions with Russia), and their equally obvious disinterest in conducting the investigation. Remember that the intelligence committees successfully bolloxed up the independent investigation into Iran-Contra. While neither Nunes nor Burr is as smart as Dick Cheney, who had a key role in that intentional bolloxing, Democrats should be cognizant of the ways that such bolloxing has happened in the past.

And now that SSCI has finally started its inquiry, Ali Watkins published an uncharacteristically credulous report on Burr’s role in the investigation, slathering on the colorful vocabulary — “brutally yanked;” “underground cohort;” “dark shadow of Langley;” “Wearily, they’re trudging forward on a probe littered with potential political landmines;” — before portraying the allegedly difficult position Burr is in:

That he’s now in charge of the sweeping Russia inquiry puts the North Carolina Republican in between a rock and a hard place. Since taking over the helm of the intelligence committee, Burr has pressed for more active and aggressive oversight, and has kept a rigorous travel schedule to match. But his decisive reelection victory in November came at a cost — throughout the contentious race, Burr toed Trump’s line, and hasn’t yet directly criticized the White House publicly.

But Burr has shown no indication that he’s ever angled for a Trump administration job, and says he’s not running for re-election. How seriously he takes his obligation to carry his president’s water remains to be seen.

Burr has been slammed by colleagues in recent days, who fear he’s slow-rolling an investigation into a fast-moving story. But much of the inquiry’s slow start was due to bureaucratic wrangling — some intelligence agencies insisted products be viewed on site rather than sent to the Hill, and some of the intelligence was so tightly controlled that it was unclear if staffers could even view it.

This is just spin. There is abundant public record that Burr has thwarted oversight generally (he has said things supporting that stance throughout his history on both the Senate and House Intelligence Committee, even ignoring his role in covering up torture, and Watkins’ earlier incorrect claims about Burr’s open hearings remain only partly corrected). There is no mention in this article that Burr was on Trump’s national security advisory committee. Nor that SSCI had reason to do hearings about this hack well before January 2017, back when it might have made a difference — at precisely the time when Burr apparently had time to advise Trump about national security issues as a candidate. Plus, it ignores all the things laid out here, Burr’s continued equivocation about whether there should even be a hearing.

There is no reason to believe Burr or Nunes intend to have a truly rigorous investigation (bizarrely, Warner seems to have had more success pushing the issue than Schiff — or Dianne Feinstein when she was Vice Chair — though that may be because the Ranking position is stronger in the Senate than in the House). And history tells us we should be wary that their investigations will be counterproductive.

As I noted, on Friday — the Friday before a recess — Jim Comey briefed the SSCI on the Russian hack. That briefing was unusual for the date (regular SSCI meetings happen on Tuesday and Thursday, and little business of any kind happens right before a recess). Reporters have interpreted that, along with the presumed silence about the content of the briefing, as a sign that things are serious. That may be true — or it may be that that was the only time a 3-hour briefing could be scheduled. In the wake of the briefing, it was reported that the SSCI sent broad preservation requests tied to the inquiry (that is, they sent the request long after the inquiry was started). And while the press has assumed no one is talking, the day after the briefing, Reuters reported outlines of at least three parts of the FBI investigation into the Russian hack, attributed to former and current government officials.

Stephen Miller’s and Trump’s Gross Re-Politicization of DOJ

There was some legitimate concern about inappropriate machination of the Department of Justice when Trump named and confirmed Jeff Sessions as his Attorney General. Typical discussion followed, such as this by Isaac Arnsdorf at Politico:

Donald Trump suggested on the campaign trail that he could use the Justice Department to fulfill his political agenda, taunting Hillary Clinton by threatening to throw her in jail over her email scandal.

Now, Sen. Jeff Sessions, Trump’s pick for attorney general, will have to decide whether to follow his predecessors by vowing to not let politics drive the DOJ’s decision-making.

That was one, and a serious, level of concern. Today we find said concern not close to being deep enough as to how the Trump White House would try to run Justice as merely a lever of their extreme politics.

But, via the New York Daily News, comes a little noticed, and truly frightening report of just how renegade and ridiculous the “fine tuned machine” the Trump White House is determined to be in politicizing the DOJ. In an article captioned “Stephen Miller called Brooklyn U.S. Attorney at home and told him how to defend travel ban in court”, comes the stunning news that:

In the chaotic hours after President Trump signed on a Friday afternoon the sloppily written executive order meant to fulfill his Muslim ban campaign promise, Stephen Miller called the home of Robert Capers to dictate to the U.S. Attorney for the Eastern District how he should defend that order at a Saturday emergency federal court hearing.

That’s according to a federal law enforcement official with knowledge of the call, which happened as Department of Justice attorneys cancelled plans, found babysitters and rushed back to their Brooklyn office to try and find out what exactly it was they were defending and who was being affected by it — how many people were already being held in America, how many were being barred from arriving here and the exact status of each person.

The full article at the NYDN is mandatory reading, but let that sink in for a second. 31-year-old Stephen Miller, a wet-behind-the-ears extreme right-wing ideologue with white nationalist leanings and NO, repeat NO legal training, much less law degree, called up a United States Attorney – at home! – to “dictate” how the DOJ would operate in an emergency litigation situation in a United States District Court.

Stunning is too weak of a response. Shocking is insufficient. It is actually hard to know what the proper words for this are.

I asked Matthew A. Miller, former OPA head under the Obama DOJ for a thought on the implications of Stephen Miller’s hubris in this instance. His reply was:

The last time a White House started dictating demands to U.S. attorneys, the sitting Attorney General had to resign in disgrace. This raises yet another in a series of questions about whether the Sessions Justice Department will be independent from the Trump White House.

Exactly. I would have said “unprecedented” above along with “stunning” and “shocking”, but for what occurred during a period of the Bush/Cheney regime when the interaction and control of the DOJ from the White House was extreme. And, ultimately, blown up as beyond unacceptable and appropriate by more reasoned minds and authorities. And, I might add, substantially due to the Fourth Estate of the press, that Trump blithely and ignorantly describes as “enemies of the American people”.

Yes, it is really that important of a moment now with Stephen Miller (note: NO relation to Matthew A. Miller) and the extreme hubris and lack of institutional awareness, competence or control, and obvious disdain for any, by the Trump Administration.

Back in 2007 Senator Sheldon Whitehouse created, and displayed at a Senate hearing, a stunning graphic displaying the shocking difference between communication between the Clinton White House and DOJ, and the ridiculous political input that the Bush Cheney White House had to DOJ.

With the grossly inappropriate statements of President Donald Trump as to how “he” will direct prosecutions of political enemies and other criminal and military defendants, leakers and others, to the literally insane conduct of Stephen Miller here, it is time to remember Senator Whitehouse’s chart.

It is also time to wonder if Sheldon Whitehouse and other members of the Senate Judiciary Committee have the cojones to take the fight for the Constitution and integrity of the justice system once again to a renegade White House. And the Trump White House has quickly made the Bush/Cheney White House look better in the rear view mirror, as truly craven as they were.

And, yes, the situation is exactly that dire if you recall the same Stephen Miller, being sent out and directed to all the Sunday political shows to declare and mandate that:

“…our opponents, the media and the whole world will soon see as we begin to take further actions, that the powers of the president to protect our country are very substantial and will not be questioned.”

This is straight up an Article II Branch declaration of pure tyranny by Stephen Miller and Trump. This is a serious problem, and this is an Administration making good on its promise and determination in that regard.

CISA Update: Cloture Passed, Masters of the Universe and Sheldon Whitehouse Agree on Compromise

This morning, the Senate voted in favor of cloture on the new (this morning) manager’s amendment on CISA.

Here’s the roll call, which was a blowout. Votes against cloture were:

  • Baldwin (WI)
  • Booker (NJ)
  • Brown (OH)
  • Coons (DE)
  • Franken (MN)
  • Leahy (VT)
  • Markey (MA)
  • Menendez (NJ)
  • Merkley (OR)
  • Paul (KY)
  • Sanders (VT)
  • Udall (NM)
  • Warren (MA)
  • Wyden (OR)

Rand Paul’s amendment — requiring companies to adhere to their contract with customers — failed by a two-thirds margin (I will update with roll call when it’s posted).

One significant change in today’s manager’s amendment was that Sheldon Whitehouse’s crappy CFAA amendment got replaced in its entirety with this language:

SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL INFORMATION OF PEOPLE OF THE UNITED STATES.

Section 1029(h) of title 18, United States Code, is amended by striking ‘‘title if—’’ and all that follows through ‘‘therefrom.’’ and inserting ‘‘title if the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity organized under the laws of the United States, or any State, the District of Columbia, or other Territory of the United States.’’

This basically protects Americans’ data if the data is owned by a US entity, regardless of where the attack on it was launched from (which was the unoffensive part of Whitehouse’s CFAA amendment). Given what Tom Carper said yesterday, we still need to be vigilant against it returning in conference, but for now this is a solid compromise.

 

Sheldon Whitehouse’s Horrible CFAA Amendment Gets Pulled — But Will Be Back in Conference

As I noted yesterday, Ron Wyden objected to unanimous consent on CISA yesterday because Sheldon Whitehouse’s crappy amendment, which makes the horrible CFAA worse, was going to get a vote. Yesterday, it got amended, but as CDT analyzed, it remains problematic and overbroad.

This afternoon, Whitehouse took to the Senate floor to complain mightily that his amendment had been pulled — presumably it was pulled to get Wyden to withdraw his objections. Whitehouse complained as if this were the first time amendments had not gotten a vote, though that happens all the time with amendments that support civil liberties. He raged about the Masters of the Universe who had pulled his amendment, and suggested a pro-botnet conference had forced the amendment to be pulled, rather than people who have very sound reasons to believe the amendment was badly drafted and dangerously expanded DOJ’s authority.

For all Whitehouse’s complaining, though, it’s likely the amendment is not dead. Tom Carper, who as Ranking Member of the Senate Homeland Security Committee would almost certainly be included in any conference on the bill, rose just after Whitehouse. He said if the provision ends up in the bill, “we will conference, I’m sure, with the House and we will have an opportunity to revisit this, so I just hope you’ll stay in touch with those of us who might be fortunate enough to be a conferee.”

CISA Moves: A Summary

This afternoon, Aaron Richard Burr moved the Cyber Intelligence Sharing Act forward by introducing a manager’s amendment that has limited privacy tweaks (permitting a scrub at DHS and limiting the use of CISA information to cyber crimes that nevertheless include to prevent threat to property), with a bunch of bigger privacy fix amendments, plus a Tom Cotton one and a horrible Sheldon Whitehouse one called as non-germane amendments requiring 60 votes.

Other than that, Burr, Dianne Feinstein, and Ron Wyden spoke on the bill.

Burr did some significant goalpost moving. Whereas in the past, he had suggested that CISA might have prevented the Office of Public Management hack, today he suggested CISA would limit how much data got stolen in a series of hacks. His claim is still false (in almost all the hacks he discussed, the attack vector was already known, but knowing it did nothing to prevent the continued hack).

Burr also likened this bill to a neighborhood watch, where everyone in the neighborhood looks out for the entire neighborhood. He neglected to mention that that neighborhood watch would also include that nosy granny type who reports every brown person in the neighborhood, and features self-defense just like George Zimmerman’s neighborhood watch concept does. Worse, Burr suggested that those not participating in his neighborhood watch had no protection, effectively suggesting that some of the best companies on securing themselves — like Google — were not protecting customers. Burr even suggested he didn’t know anything about the companies that oppose the bill, which is funny, because Twitter opposes the bill, and Burr has a Twitter account.

Feinstein was worse. She mentioned the OPM hack and then really suggested that a series of other hacks — including both the Sony hack and the DDOS attacks on online banking sites that stole no data! — were worse than the OPM hack.

Yes, the Vice Chair of SSCI really did say that the OPM hack was less serious than a bunch of other hacks that didn’t affect the national security of this country. Which, if I were one of the 21 million people whose security clearance data had been compromised, would make me very very furious.

DiFi also used language that made it clear she doesn’t really understand how the information sharing portal works. She said something like, “Once cyber information enters the portal it will move at machine speed to other federal agencies,” as if a conveyor belt will carry information from DHS to FBI.

Wyden mostly pointed out that this bill doesn’t protect privacy. But he did call out Burr on his goalpost moving on whether the bill would prevent (his old claim) or just limit the damage of (his new one) attacks that it wouldn’t affect at all.

Wyden did, however, object to unanimous consent because Whitehouse’s crappy amendment was being given a vote, which led Burr to complain that Wyden wasn’t going to hold this up.

Finally, Burr came back on the floor, not only to bad mouth companies that oppose this bill again (and insist it was voluntary so they shouldn’t care) but also to do what I thought even he wouldn’t do: suggest we need to pass CISA because a 13 year old stoner hacked the CIA Director.

The Costs of Politically Free Cybersecurity Failures

Ben Wittes looks at the WaPo article and accompanying National Security Council Draft Options paper on how the White House should respond to FBI’s campaign against encryption and declares that “Industry has already won.”

[T]he document lays out three options for the administration—three options that notably do not include seeking legislation on encryption.

They are:

  • “Option 1: Disavow Legislation and Other Compulsory Actions”;
  • “Option 2: Defer on Legislation and Other Compulsory Actions”; and
  • “Option 3: Remain Undecided on Legislation or Other Compulsory Actions.”

In all honesty, it probably doesn’t matter all that much which of these options Obama chooses. If these are the choices on the table, industry has already won.

What’s most fascinating about the white paper is that it lays bare how the NSC itself sees this issue — and they don’t see it like Wittes does, nor in the way the majority of people clamoring for back doors have presented it. As the NSC defines the issue, this is not “industry” versus law enforcement. For each assessed scenario, NSC measures the impact on:

  • Public safety and national security
  • Cybersecurity
  • Economic competitiveness
  • Civil liberties and human rights

Arguably, there’s a fifth category for each scenario — foreign relations — that shows up in analysis of reaction by stakeholders that weighs the interests of foreign governments, including allies that want back doors (UK, France, Netherlands), allies that don’t (Germany and Estonia), and adversaries like Russia and China that want back doors to enable repression (and, surely, law enforcement, but the analysis doesn’t consider this).

That, then, is the real network of interests on this issue and not — as Wittes, Sheldon Whitehouse, and many though not all defenders of back doors have caricatured — simply hippies and Apple versus Those Who Keep Us Safe.

NSC not only judges the market demand for encryption — and foreign insistence that US products not appear to be captive to America’s national security state — to be real, but recognizes that those demands underlie US economic competitiveness generally.

And, as a number of people point out, the NSC readily admits that encryption helps cybersecurity. As the white paper explains,

Pro-encryption statements from the government could also encourage broader use of encryption, which would also benefit global cybersecurity. Further, because any new access point to encrypted data increases risk, eschewing mandated technical changes ensures the greatest technical security. At the same time, the increased use of encryption could stymie law enforcement’s ability to investigate and prosecute cybercriminals, though the extent of this threat over any other option is unclear as sophisticated criminals will use inaccessible encryption.

Shorter the NSC: If encryption is outlawed, only the sophisticated cyber-outlaws will have encryption.

This is the discussion we have not been having, as Jim Comey repeatedly talks in terms of Bad Guys and Good Guys, the complex trade-offs that are far more than “safety versus privacy.”

What’s stunning, however, is that NSC — an NSC that was already in the thick of responding to the OPM hack when this paper was drafted in July — sees cybersecurity as a separate category from public safety and national security. Since 2013, the Intelligence Community has judged that cybersecurity is a bigger threat than terrorism (though I’m not sure if the IC has revised that priority given ISIS’ rise). Yet the NSC still thinks of this as a separate issue from public safety and national security (to say nothing of the fact that NSC doesn’t consider the crime that encryption would prevent, such as smart phone theft).

I’m not surprised that NSC considers these different categories, mind you. Cybersecurity failures are still considered (with the sole exception of Katherine Archuleta, who was forced to resign as OPM head after the hack) politically free, such that men like John Brennan (when he was Homeland Security Czar on NSC) and Keith Alexander can have, by their own admission, completely failed to keep us safe from cyberattack without being considered failures themselves (and without it impacting Brennan’s perceived fitness to be CIA Director).

The political free ride cybersecurity failures get is a problem given the other reason that Wittes’ claim that “industry has already won” is wrong. WaPo reports that NSC still hasn’t come up with a preferred plan, ostensibly because it is so busy with other things.

Some White House aides had hoped to have a report on the issue to give to the president months ago. But “the complexity of this issue really makes it a very challenging area to arrive at any sort of policy on,” the senior official said. A Cabinet meeting to be chaired by National Security Adviser Susan Rice, ostensibly to make a decision, initially was scheduled for Wednesday, but it has been postponed.

The senior official said that the delays are due primarily to scheduling issues — “there are a lot of other things going on in the world” — that are pressing on officials’ time.

But WaPo also presents evidence that those who want back doors are just playing for time, until some kidnapping or terrorist attack investigation gets thwarted by encryption.

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

So long as the final decision never gets made, those who want back doors will be waiting for the moment when some event changes the calculus that currently weighs in favor of encryption. And, of course, we’ll all be relying on people like Jim Comey to explain why encryption made it impossible to catch a “bad guy,” which means the measure will probably ignore the other ways law enforcement can get information.

We are still living in Dick Cheney’s world, where missing a terrorist attack (other than the big one or the anthrax attack) is assumed to be career ending, even while failing to address other threats to the US (climate change and increasingly cybersecurity) is not. So long as that’s true, those waiting to use the next spectacular failure to make ill-considered decisions about back doors will await their day, putting some kinds of national security above others.

Update: Like me, Susan Landau thinks Wittes misunderstood what the White Paper said about who “won” this fight.

But the National Security Council draft options paper never mentions national-security threats as a concern in the option of disavowing legislation controlling encryption (it does acknowledge potential problems for law enforcement). The draft says that no-legislation approach would help foster “the greatest technical security.” That broad encryption use is in our national security interest is why the administration is heading to support the technology’s broad use. That’s the story here — and not the one about Silicon Valley.

The US Chamber of Commerce Is Pre-Clearing What It Is Willing to Do for Our National Security on CISA

Sheldon Whitehouse just attempted (after 1:44) to rebut an epic rant from John McCain (at 1:14) in which the Arizona Senator suggested anyone who wanted to amend the flawed Cyber Intelligence Sharing Act wasn’t serious about national security.

Whitehouse defended his two amendments first by pointing out that McCain likes and respects the national security credentials of both his co-sponsors (Lindsey Graham and Max Blunt).

Then Whitehouse said, “I believe both of the bills [sic] have now been cleared by the US Chamber of Commerce, so they don’t have a business community objection.”

Perhaps John McCain would be better served turning himself purple (really! watch his rant!) attacking the very notion that the Chamber of Commerce gets pre-veto power over a bill that (according to John McCain) is utterly vital for national security.

Even better, maybe John McCain could turn himself purple suggesting that the Chamber needs to step up to the plate and accept real responsibility for making this country’s networks safer, rather than just using our cybersecurity problems as an opportunity to demand immunity for yet more business conduct.

If this thing is vital for national security — this particular bill is not, but McCain turned himself awfully purple — then the Chamber should just suck it up and meet the requirements to protect the country decided on by the elected representatives of this country.

Yet instead, the Chamber apparently gets to pre-clear a bill designed to spy on the Chamber’s customers.

Sheldon Whitehouse’s Hot and Cold Corporate Cybersecurity Liability

Ben Wittes has a summary of last Wednesday’s “Going Dark” hearings. He engages in a really amusing straw man — comparing a hypothetically perfectly secure Internet with ungoverned Somalia.

Consider the conceptual question first. Would it be a good idea to have a world-wide communications infrastructure that is, as Bruce Schneier has aptly put it, secure from all attackers? That is, if we could snap our fingers and make all device-to-device communications perfectly secure against interception from the Chinese, from hackers, from the FSB but also from the FBI even wielding lawful process, would that be desirable? Or, in the alternative, do we want to create an internet as secure as possible from everyone except government investigators exercising their legal authorities with the understanding that other countries may do the same?

Conceptually speaking, I am with Comey on this question—and the matter does not seem to me an especially close call. The belief in principle in creating a giant world-wide network on which surveillance is technically impossible is really an argument for the creation of the world’s largest ungoverned space. I understand why techno-anarchists find this idea so appealing. I can’t imagine for a moment, however, why anyone else would.

Consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners. Would you want to live in that city? The idea that ungoverned spaces really suck is not controversial when you’re talking about Yemen or Somalia. I see nothing more attractive about the creation of a worldwide architecture in which it is technically impossible to intercept and read ISIS communications with followers or to follow child predators into chatrooms where they go after kids.

This gets the issue precisely backwards, attributing all possible security and governance to policing alone, and none to prevention, and as a result envisioning chaos in a possibility that would, in fact, have less or at least different kinds of chaos. Wittes simply dismisses the benefits of a perfectly secure Internet (which is what all the pro-backdoor witnesses at the hearings did too, ignoring, for example, the effect that encrypting phones would have on a really terrible iPhone theft problem). But Wittes’ straw man isn’t central to his argument, just a tell about his biases.

Wittes, like Comey, also suggests the technologists are wrong when they say back doors will be bad.

There is some reason, in my view, to suspect that the picture may not be quite as stark as the computer scientists make it seem. After all, the big tech companies increase the complexity of their software products all the time, and they generally regard the increased attack surface of the software they create as a result as a mitigatable problem. Similarly, there are lots of high-value intelligence targets that we have to secure and would have big security implications if we could not do so successfully. And when it really counts, that task is not hopeless. Google and Apple and Facebook are not without tools in the cybersecurity department.

Wittes appears unaware that the US has failed miserably at securing its high value intelligence targets, so it’s not a great counterexample.

But I’m primarily interested in Wittes’ fondness for an idea floated by Sheldon Whitehouse: that the government force providers to better weigh the risk of security by ensuring it bears liability if the cops can’t access communications.

Another, perhaps softer, possibility is to rely on the possibility of civil liability to incentivize companies to focus on these issues. At the Senate Judiciary Committee hearing this past week, the always interesting Senator Sheldon Whitehouse posed a question to Deputy Attorney General Sally Yates about which I’ve been thinking as well: “A girl goes missing. A neighbor reports that they saw her being taken into a van out in front of the house. The police are called. They come to the home. The parents are frantic. The girl’s phone is still at home.” The phone, however, is encrypted:

WHITEHOUSE: It strikes me that one of the balances that we have in these circumstances where a company may wish to privatize value by saying, “Gosh, we’re secure now. We got a really good product. You’re going to love it.” That’s to their benefit. But for the family of the girl that disappeared in the van, that’s a pretty big cost. And when we see corporations privatizing value and socializing cost so that other people have to bear the cost, one of the ways that we get back to that and try to put some balance into it, is through the civil courts, through a liability system.

If you’re a polluter and you’re dumping poisonous waste into the water rather than treating it properly, somebody downstream can bring an action and can get damages for the harm that they sustain, can get an order telling you to knock it off. I’d be interested in whether or not the Department of Justice has done any analysis as to what role the civil-liability system might be playing now to support these companies in drawing the correct balance, or if they’ve immunized themselves from the cost entirely and are enjoying the benefits. I think in terms of our determination as to what, if anything, we should do, knowing where the Department of Justice believes the civil liability system leaves us might be a helpful piece of information. So I don’t know if you’ve undertaken that, but if you have, I’d appreciate it if you’d share that with us, and if you’d consider doing it, I think that might be helpful to us.

YATES: We would be glad to look at that. It’s not something that we have done any kind of detailed analysis. We’ve been working hard on trying to figure out what the solution on the front end might be so that we’re not in a situation where there could potentially be corporate liability or the inability to be able to access the device.

WHITEHOUSE: But in terms of just looking at this situation, does it not appear that it looks like a situation where value is being privatized and costs are being socialized onto the rest of us?

YATES: That’s certainly one way to look at it. And perhaps the companies have done greater analysis on that than we have. But it’s certainly something we can look at.

I’m not sure what that lawsuit looks like under current law. I, like the Justice Department, have not done the analysis, and I would be very interested in hearing from anyone who has. Whitehouse, however, seems to me to be onto something here. Might a victim of an ISIS attack domestically committed by someone who communicated and plotted using communications architecture specifically designed to be immune, and specifically marketed as immune, from law enforcement surveillance have a claim against the provider who offered that service even after the director of the FBI began specifically warning that ISIS was using such infrastructure to plan attacks? To the extent such companies have no liability in such circumstances, is that the distribution of risk that we as a society want? And might the possibility of civil liability, either under current law or under some hypothetical change to current law, incentivize the development of secure systems that are nonetheless subject to surveillance under limited circumstances?

Why don’t we make the corporations liable, these two security hawks ask!!!

This, at a time when the cybersecurity solution on the table (CISA and other cybersecurity bills) gives corporations overly broad immunity from liability.

Think about that.

While Wittes hasn’t said whether he supports the immunity bills on the table, Paul Rosenzweig and other Lawfare writers are loudly in favor of expansive immunity. And Sheldon Whitehouse, whose idea this is, has been talking about building in immunity for corporations in cybersecurity plans since 2010.

I get there is a need for limited protection for corporations that help the Federal government spy (especially if they’re required to help), which is what liability is always about. I also get that every time we award it, it keeps getting bigger, and years later we discover that immunity covers fairly audacious spying far beyond the ostensible intent of the bill. Though CISA doesn’t even hide that this data will be used for purposes far beyond cybersecurity.

Far, far more importantly, however, one of the problems with the cyber bills on the table is that by awarding this immunity, they’re creating a risk calculation for corporations to be sloppy. Sure, there will still be reputational damage every time a corporation exposes its customers’ data to hackers. But we’ve seen in the financial sector — where at least bank regulators require certain levels of hygiene and reporting — bank immunity tied to these reporting requirements appears to have made it impossible to prosecute egregious bank crime.

The banks have learned (and they will be key participants in CISA) that they can obtain impunity by sharing promiscuously (or even not so promiscuously) with the government.

And unlike those bank reporting laws, CISA doesn’t require hygiene. It doesn’t require that corporations deploy basic defenses before obtaining their immunity for information sharing.

If liability is such a great idea, then why aren’t these men pushing the use of liability as a tool to improve our cyberdefenses, rather than (on Whitehouse’s part, at least) calling for the opposite?

Indeed, if this is about appropriately balancing risk, there is no way you can use liability to get corporations to weigh the value of back doors for law enforcement, without at the same time ensuring all corporations also bear full liability for any insecurity in their system, because otherwise corporations won’t be weighing the two sides.

Using liability as a tool might be a clever idea. But using it only for law enforcement back doors does nothing to identify the appropriate balance.