Posts

Under Keith Alexander’s Guard, America Can Be Plundered Like a Colony

/22 Comments/in /by

Admittedly, Keith Alexander made things very easy on himself in this article on “Defending America in Cyberspace” by not mentioning the way DOD (or our ally, Israel) let StuxNet go free, not only exposing the attack on Iran, but also providing a map and code that others can use on us.

That reckless mistake and its potential consequences remains unmentioned, however, in the piece in which Alexander claims that his team has found and is implementing the magic formula for defending the country in cyberspace.

We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats.

We know how to defend the country, Alexander says. It involves creating security holes, then using them to find out who will attack us, all while living on the network and watching what private citizens are also doing.

But then Alexander utterly contradicts the claim that his team has found the successful formula by describing the sheer scale of successful attacks against the US, suggesting it rivals the plunder of the Mongols and the colonies (though curiously, not slavery).

Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.

This repeats a claim he and others have made repeatedly, though after having been proven wrong about past claims about the scale of financial wealth transfer, he seems to have shifted to measuring the plunder that has occurred on his watch in terabytes, not dollars. Our country — which he has served in a key defense role for 8 years — has been plundered like a colony (I don’t buy this, mind you — I find the analogy downright offensive. But it is the argument he’s making).

In much of the rest of his paper, Alexander explains his future plans, which we should follow, he tells us, because he has been so successful that our country has been plundered like a colony.

I wonder. Might the most sane response to this paper be to, at a minimum, question what success looks like? At a minimum, might we discuss publicly some alternatives? And if being plundered like a colony is not our goal, perhaps we should consider whether what Alexander presents as the “only viable response” really is?

“Folksy and Firm” Flummoxes Fancy NYT Journalists

/18 Comments/in /by

Less than 10 days ago, Keith Alexander admitted to Patrick Leahy that the single solitary case in which the phone dragnet proved critical was that of Basaaly Moalin. But that was not an attack. Rather, it was an effort to send money to al-Shabaab (and others) because they were protecting Somalia against a US backed Ethiopian invasion.

And yet two crack “journalists” used this as the lead of their “interview” with Alexander with not a hint of pushback.

The director of the National Security Agency, Gen. Keith B. Alexander, said in an interview that to prevent terrorist attacks he saw no effective alternative to the N.S.A.’s bulk collection of telephone and other electronic metadata from Americans.

The phone dragnet has never — never! — been more than one tool in preventing any attack, and yet Alexander gets to imply, unchallenged, it is critical going forward.

Instead of actual reporting, we get platitudes like this.

General Alexander was by turns folksy and firm in the interview. But he was unapologetic about the agency’s strict culture of secrecy and unabashed in describing its importance to defending the nation.

That culture is embodied by two installations that greet visitors to Fort Meade. One is a wall to honor N.S.A. personnel killed on overseas missions. The other is a tribute to the Enigma program, the code-breaking success that helped speed the end of World War II and led to the creation of the N.S.A. The intelligence community kept Enigma secret for three decades.

The only thing remotely resembling a challenge came when these “reporters” note Alexander’s claim to have willingly shut down the Internet metadata program (which the NSA has largely kept secret, in spite of having been disclosed) ignores NSA claims it (like the phone dragnet now, purportedly) was critical.

But he said the agency had not told its story well. As an example, he said, the agency itself killed a program in 2011 that collected the metadata of about 1 percent of all of the e-mails sent in the United States. “We terminated it,” he said. “It was not operationally relevant to what we needed.”

However, until it was killed, the N.S.A. had repeatedly defended that program as vital in reports to Congress.

The rest consists of more of the same kind of rebuttal by redefinition. The claim that NSA shares data with Israel is wrong, this “journalism” says, because “the probability of American content in the shared data was extremely small” (which of course says nothing about the way it would violate minimization procedures in any case). The claim that NSA launched 200 offensive cyberattacks in 2011 is wrong because many of those were actually other “electronic missions.” Besides, Alexander claims,

“I see no reason to use offensive tools unless you’re defending the country or in a state of war, or you want to achieve some really important thing for the good of the nation and others,” he said. [my link, for shits and giggles]

We are not now nor were we in 2006 when StuxNet started “in a state of war” with Iran, so how credible are any of these claims?

Mostly though, this appears to be an attempt, four months after highlighting the importance of PRISM against cyberattacks but then going utterly silent about that function, to reassert the importance of NSA’s hacking to prevent hacking.

Even there, though, Alexander presented dubious claims that got no challenge.

General Alexander said that confronting what he called the two biggest threats facing the United States — terrorism and cyberattacks — would require the application of expanded computer monitoring. In both cases, he said, he was open to much of that work being done by private industry, which he said could be more efficient than government.

In fact, he said, a direct government role in filtering Internet traffic into the United States, in an effort to stop destructive attacks on Wall Street, American banks and the theft of intellectual property, would be inefficient and ineffective.

“I think it leads people to the wrong conclusion, that we’re reading their e-mails and trying to listen to their phone calls,” he said.

The NSA already is filtering Internet traffic into the United States (and also searching on and reading incidentally collected Internet traffic without a warrant) under Section 702 certificates supporting counterterrorism, counterproliferation and … cyberattacks.

But nosiree, Alexander can’t envision doing what he’s already doing — and had been doing in a way that violated statute and the Fourth Amendment for three years already by 2011 — in the name of protecting the banksters who’ve gutted our economy. Only all of that — including the retention of US person data in the name of protecting property (presumably including intellectual property) is baked right into the NSA’s minimization procedures.

And that bit about violating Section 702 and the Fourth Amendment for over three years with a practice that was also baked into NSA’s minimization procedures? Here’s the claim the NYT’s crack journalists allow Alexander to end this charade with.

“We followed the law, we follow our policies, we self-report, we identify problems, we fix them,” he said. “And I think we do a great job, and we do, I think, more to protect people’s civil liberties and privacy than they’ll ever know.”

How Can NSA Protect Our Power Grid from Cyberattack When It Can’t Keep Its Own Power On?

/34 Comments/in , /by

In the United States, it is usually a safe bet to attribute massive government fuck-ups to the bloated contractors we’ve outsourced our projects to.

And the electrical problems plaguing NSA’s new UT data center — described as lightening in a box that has caused $100,000 of damage each of the 10 times it has happened — do seem to stem from poorly supervised contractors.

The Army Corps of Engineers is overseeing the data center’s construction. Chief of Construction Operations, Norbert Suter said, “the cause of the electrical issues was identified by the team, and is currently being corrected by the contractor.” He said the Corps would ensure the center is “completely reliable” before handing it over to the NSA.

But another government assessment concluded the contractor’s proposed solutions fall short and the causes of eight of the failures haven’t been conclusively determined. “We did not find any indication that the proposed equipment modification measures will be effective in preventing future incidents,” said a report last week by special investigators from the Army Corps of Engineers known as a Tiger Team.

[snip]

It took six months for investigators to determine the causes of two of the failures. In the months that followed, the contractors employed more than 30 independent experts that conducted 160 tests over 50,000 man-hours, according to project documents.

[snip]

Contractors have started installing devices that insulate the power system from a failure and would reduce damage to the electrical machinery. But the fix wouldn’t prevent the failures, according to project documents and current and former officials.

Now, don’t pee your pants laughing.

But I did have two thoughts as I read this.

First, this extended confusion sounds similar to that which Iranian nuclear scientists experienced as they tried to figure out why their centrifuges kept blowing up, thanks to StuxNet. While I think the chances some kind of hack caused this are small (but not zero), I do find it ironic that we cause ourselves the same kind of havoc we cause our worst enemies.

And consider the mission!

Back in February, Keith Alexander warned of the possibility of cyberattacks on our grid (which, anonymous sources made clear, could probably only be launched by China or Russia, but that didn’t stop Alexander from suggesting Anonymous might launch such attacks). The NSA needs more authority to protect against attacks that might bring down our power sources, the head of the NSA suggested.

But the entity that proposes to wield that authority, it seems, can’t even build a brand spanking new electrical system immune from some kind of failure.

NSA and Compromised Encryption: The Sword Cuts Both Ways

/19 Comments/in , /by

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

If you want fresh and weedy perspectives you won’t find in corporate-owned media, please donate!

A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…

And * BOOM *

Payload delivered.

This is cyber weapon Stuxnet‘s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.

The toxic payload is encrypted and cannot be read until after the handshake, the name swap, and then decrypted when already deep inside the computer.

In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.

Defense, though, is but one side of the NSA’s sword; it has two lethal edges.

While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.

Encryption APIs (ex: Microsoft CryptoAPI embedded in Windows operating systems) are often used by higher level applications — for example, a random number generator within the API used to create unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.

In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.

We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.

One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.

Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.

A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.

And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications. Read more

The Stenography Dance between Israel and the US

/1 Comment/in /by

I’ve been meaning to comment on this story from Bill Gertz from last week. After reporting that the Israelis bitched about US reports of the Israeli strike on Russian made missiles shipped to Syria,

Israeli government officials voiced anger at U.S. press leaks traced to the Pentagon following the July 5 Israeli missile attack on the Syrian port of Latakia that destroyed a shipment of Russian-made anti-ship missiles, according to U.S. officials.
Senior Pentagon officials, including Deputy Secretary of Defense Ashton Carter who is currently visiting Israel, discussed the leaks during meetings with Israeli officials this week. The Israelis argued in private meetings and other exchanges that the disclosures could lead to Syrian counterattacks against Israel and should have been coordinated first with the Israeli government. [my emphasis]

It catalogs multiple people — both American and Israeli — talking about the intent of the gag and concerns about secrecy.

A U.S. official said signs of Israeli anger over the Latakia raid disclosures appeared in several Israel press outlets. One Israeli official was described as “furious” over the leak because the Pentagon did not coordinate its release of information first with Israel.

Other Israeli officials were quoted as saying that in the aftermath of the Yakhont missile strikes that ties between Israel and Syria had reached a new peak and that there are worries that tying Israel to the attack will prompt Syrian leader Bashar al-Assad to retaliate soon or against a future Israeli attack. [my emphasis]

As far as I know, no one besides Gertz has reported on Israeli anger, in spite of the fact that the reports were published by notorious DOD mouthpieces. There’s Barbara Starr,

A series of explosions on July 5 at a critical Syrian port was the result of airstrikes by Israeli warplanes, according to multiple U.S. officials.

Regional media widely reported the predawn explosions at Latakia, but no one had officially claimed responsibility.

Three U.S. officials told CNN the target of the airstrikes were Russian-made Yakhont anti-ship missiles that Israel believes posed a threat to its naval forces.

And Michael Gordon,

Israel carried out an air attack in Syria this month that targeted advanced antiship cruise missiles sold to the Syria government by Russia, American officials said Saturday.

The officials, who declined to be identified because they were discussing intelligence reports, said the attack occurred July 5 near Latakia, Syria’s principal port city. The target was a type of missile called the Yakhont, they said.

Mind you, the Israelis don’t claim to be pissed that the leaks occurred (in spite of claims that revealing it publicly will make it more likely someone — I’m not sure precisely who — will attack Israel. Just that they (allegedly) occurred without coordinating with the Israelis.

Compare this treatment with the efforts to mandate investigations of leaks last year that made it harder to gin up war against Iran.

And with reports that retired General Hoss Cartwright is being investigated for repeating stories about Israel’s purported role in letting StuxNet escape Iranian nuke facilities (a leak which, it should be said, added to an earlier Michael Gordon co-byline).

Funny. Just a few weeks before the Latakia leaks to noted stenographers, leaking about Israel could get even a top General investigated.

But when stenographers report similar stories, crickets.

Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

/32 Comments/in /by

In all the reporting and subsequent hubbub about the National Security Administration’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

Date

NSA/Business

Cyber Attacks

11-SEP-2007

Access to MSFT servers acquired

15-NOV-2007

Stuxnet 0.5 discovered in wild

XX-DEC-2007

File name of Flame’s main component observed

12-MAR-2008

Access to Yahoo servers acquired

All 2008 (into 2009)

Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products.

11-JAN-2009

Stuxnet 0.5 “ends” calls home

14-JAN-2009

Access to Google servers acquired

Mid-2009

Operation Aurora attacks begin; dozens of large corporations confirming they were targets.

03-JUN-2009

Access to Facebook servers acquired

22-JUN-2009

Date Stuxnet version 1.001 compiled

04-JUL-2009

Stuxnet 0.5 terminates infection process

07-DEC-2009

Access to PalTalk servers acquired

XX-DEC-2009

Operation Aurora attacks continue through Dec 2009

12-JAN-2010

Google discloses existence of Operation Aurora, said attacks began in mid-December 2009

13-JAN-2010

Iranian physicist killed by motorcycle bomb

XX-FEB-2010

Flame operating in wild

10-MAR-2010

Date Stuxnet version 1.100 compiled

14-APR-2010

Date Stuxnet version 1.101 compiled

15-JUL-2010

Langner first heard about Stuxnet

19-SEP-2010

DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware”

24-SEP-2010

Access to YouTube servers acquired

29-NOV-2010

Iranian scientist killed by car bomb

06-FEB-2011

Access to Skype servers acquired

07-FEB-2011

AOL announces agreement to buy HuffingtonPost

31-MAR-2011

Access to AOL servers acquired

01-SEP-2011

Duqu worm discovered

XX-MAY-2012

Flame identified

08-JUN-2012

Date on/about “suicide” command issued to Flame-infected machines

24-JUN-2012

Stuxnet versions 1.X terminate infection processes

XX-OCT-2012

Access to Apple servers acquired (date NA)

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

Compare DOD’s Autonomy to Engage in Cyber-War with Obama’s Close Control over DOD Drone Targeting

/3 Comments/in , /by

It will likely be some time, if ever, before one of our enemies succeeds at doing more than launching limited, opportunistic drone strikes at the US. By contrast, every day brings new revelations of how our enemies and rivals are finding new vulnerabilities in American cyber-defense.

Which is why it is so curious to compare this account of the multi-year process that has led to an expansion of DOD’s authority to approve defensive cyber-attacks with this account of Obama’s close hold on DOD’s drone targeting.

In both cases, you had several agencies — at least DOD and CIA — in line to execute attacks, along with equities from other agencies like State.

An interagency process had been started because cyber concerns confront a variety of agencies, the intelligence community and DoD as well as State, Homeland Security and other departments, with each expressing views on how the domain would be treated.

For much of Obama’s term, it seems, both DOD drone attacks outside of the hot battlefield and cyberattacks had to be approved by the White House. With drones, Obama wanted to retain that control (over DOD, but not CIA) to prevent us from getting into new wars.

But from the outset of his presidency, Obama personally insisted that he make the final decision on the military’s kill or capture orders, so-called direct action operations. Obama wanted to assume the moral responsibility for what were in effect premeditated government executions. But sources familiar with Obama’s thinking say he also wanted to personally exercise supervision over lethal strikes away from conventional battlefields to avoid getting embroiled in new wars. As responsibility for targeted strikes in places like Yemen, Somalia, and, over time, Pakistan shifts to the military’s Joint Special Operations Command, Obama will be the final decider for the entire program.

With cyber, White House control was designed partly to limit blowback — almost the same purpose as his micromanagement of drone targeting — but also to mediate disputes between agencies.

In every instance where cyber was involved, the NSC had to be involved. That helped settle some of the disputes between agencies by limiting any independent application of cyber capabilities, but was useful neither for expediting any cyber action nor for integrating cyber into larger military capabilities. Several sources said that this has slowed the integration of cyber into broader military tactics, possibly giving rivals without the same hesitation, like China, a chance to become more adept at military cyber.

[snip]

Because every decision had to be run through the West Wing, potential political blowback limited the use of cyber tools, the former senior intelligence official said. “If they can’t be used without a discussion in the West Wing, the president’s got no place to run if something goes wrong when he uses them,” he said. Those decisions included what to do if the US confronted a cyberattack.

But over the course of the Obama Administration, DOD lobbied to increase its autonomy in both areas, in drones via the year-long process of crafting a drone rulebook, and with cyber, via the three year process of drafting new standing rules of engagement.

It had far more success in its efforts to expand autonomy with cyber.

Read more

What if China Not Just Hacked — But Sabotaged — the F-35?

/24 Comments/in , , , /by

Screen shot 2013-02-24 at 10.24.35 AM

Over the last week, two perennial stories have again dominated the news. China continues to be able to hack us — including top DC power players — at will. And the F-35 has suffered another setback, this time a crack in an engine turbine blade (something which reportedly happened once before, in 2007).

The coincidence of these two events has got me thinking (and mind you, I’m just wondering out loud here): what if China did more than just steal data on the F-35 when it hacked various contractors, and instead sabotaged the program, inserting engineering flaws into the plane in the same way we inserted flaws in Iran’s centrifuge development via StuxNet?

We know China has hacked the F-35 program persistently. In 2008, an IG report revealed that BAE and some of the other then 1,200 (now 1,300) contractors involved weren’t meeting security requirements; last year an anonymous BAE guy admitted that the Chinese had been camped on their networks stealing data for 18 months. In April 2009, WSJ provided a more detailed report on breaches going back to 2007.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into.

Read more

The 2011 DIOG Permits Using NSLs to Get Journalist Contacts

/10 Comments/in , /by

In what may be one of those stories telegraphing investigative details between people being investigated, the WaPo updates the StuxNet investigation.

Prosecutors are pursuing “everybody — at pretty high levels, too,” said one person familiar with the investigation. “There are many people who’ve been contacted from different agencies.”

The FBI and prosecutors have interviewed several current and former senior government officials in connection with the disclosures, sometimes confronting them with evidence of contact with journalists, according to people familiar with the probe.

Here’s the detail everyone is focusing on (and I’ve seen similar claims on reporting of other leak investigations).

Investigators, they said, have conducted extensive analysis of the e-mail accounts and phone records of current and former government officials in a search for links to journalists.

[snip]

Former prosecutors said these investigations typically begin by compiling a list of people with access to the classified information. When government officials attend classified briefings or examine classified documents in secure facilities, they must sign a log, and these records can provide an initial road map for investigators.

Former prosecutors said investigators run sophisticated software to identify names, key words and phrases embedded in e-mails and other communications, including text messages, which could lead them to suspects.

The FBI also looks at officials’ phone records — who called whom, when, for how long. Once they have evidence of contact between officials and a particular journalist, investigators can seek a warrant to examine private e-mail accounts and phone records, including text messages, former prosecutors said.

Prosecutors and the FBI can examine government e-mail accounts and government-issued devices, including cellphones, without a warrant. They can also look at private e-mail accounts without a warrant if those accounts were accessed on government computers. [my emphasis]

This description may well be how the government is conducting the StuxNet (and the UndieBomb 2.0 investigation, which the article also describes).

But if WaPo is relying solely on former prosecutors, this description may be totally outdated.

After all–as I’ve reported repeatedly in the past–the 2011 update of FBI’s Domestic Investigations and Operations Guide permits using National Security Letters to get journalists’ contacts in National Security investigations (as all of these would be).

A heavily-redacted section (PDF 166) suggests that in investigations with a national security nexus (so international terrorism or espionage, as many leak cases have been treated) DOJ need not comply with existing restrictions requiring Attorney General approval before getting the phone records of a journalist. The reason? Because NSLs aren’t subpoenas, and that restriction only applies to subpoenas.

Department of Justice policy with regard to the issuances of subpoenas for telephone toll records of members of the news media is found at 28 C.F.R. § 50.10. The regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas. (The regulation requires Attorney General approval prior to the issuance of a grand jury subpoena for telephone toll records of a member of the news media, and when such a subpoena is issued, notice must be given to the news media either before or soon after such records are obtained.) The following approval requirements and specific procedures apply for the issuance of an NSL for telephone toll records of members of the news media or news organizations. [my emphasis]

So DOJ can use NSLs–with no court oversight–to get journalists’ call (and email) records rather than actually getting a subpoena.

The section includes four different approval requirement scenarios for issuing such NSLs, almost all of which are redacted. Though one only partly redacted passage makes it clear there are some circumstances where the approval process is the same as for anyone else DOJ wants to get an NSL on:

If the NSL is seeking telephone toll records of an individual who is a member of the news media or news organization [2 lines redacted] there are no additional approval requirements other than those set out in DIOG Section 18.6.6.1.3 [half line redacted]

And the section on NSL use (see PDF 100) makes it clear that a long list of people can approve such NSLs:

  • Deputy Director
  • Executive Assistant Director
  • Associate EAD for the National Security Branch
  • Assistant Directors and all DADs for CT/CD/Cyber
  • General Counsel
  • Deputy General Counsel for the National Security Law Branch
  • Assistant Directors in Charge in NY, Washington Field Office, and LA
  • All Special Agents in Charge

In other words, while DOJ does seem to offer members of the news media–which is itself a somewhat limited group–some protection from subpoena, it also seems to include loopholes for precisely the kinds of cases, like leaks, where source protection is so important.

In other words, this story about starting with the sign-in logs of people who’ve been briefed on a particular topic, then gather call records of those officials?

That may be what happened.

Or it may work the other way, with the government identifying a story it doesn’t like and then using call records to trace back from there to the potential sources of the story.

This curious phrasing would support the latter scenario.

[DC US Attorney Ronald] Machen is examining a leak to the Associated Press that a double agent inside al-Qaeda’s affiliate in Yemen allowed the United States and Saudi Arabia to disrupt the plot to bomb an airliner using explosives and a detonation system that could evade airport security checks.

The AP, after all, didn’t report that UndieBomb 2.0 was actually a sting set up by a Saudi-run infiltrator (and their reporting, at least, suggested they didn’t know UndieBomber 2.0 was an informant). John Brennan and Richard Clarke told that story. And yet WaPo describes the investigation as focusing on the AP part of the story, not the more damning part about an infiltrator.

If and when John Brennan goes unpunished for revealing the most damning part of this story, it’ll become increasingly clear: not only is the government starting with the journalists’ phone and email contacts, but it is doing so with journalists it might otherwise want to silence.

Cyber-9/11 Warning!! … Screams Man Making Huge Profit Off Such Screams

/5 Comments/in /by

The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.

A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.

According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.

Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitutes that warning.

Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.

McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers is a hair on fire warning.

Leon Panetta made similarly unconvincing claims back in October.

Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.

Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.

Here’s the very important detail they left out.

Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.

It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnelll licking his chops as he identified new purported threats to build business around.

More amusing still is this:

Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.

[snip]

Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.

The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.

Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.

But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.

Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.

In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.

It’s a very neat system our Military Intelligence Industrial Complex has created.