After acknowledging that more than 20 million people have been affected by the hack of the Office of Personnel Management, OPM head Katherine Archuleta “resigned” today.
In announcing that Office of Budget and Management Deputy Director of Management Beth Cobert would serve as acting Director, Josh Earnest played up her experience at McKinsey Consulting. So we may see the same kind of management claptrap as OPM PR in the coming days that we got from CIA’s reorganization when McKinsey took that project on. Over 20 minutes into his press conference, Earnest also revealed there was a 90 day review of the security implications of the hack being led by OMB.
Happily, in spite of the easy way Archuleta’s firing has served as a proxy for real solutions to the government’s insecurity, at least some in Congress are pushing other “solutions.” Given Congress’ responsibility for failing to fund better IT purchasing, consider agency weaknesses during confirmation, and demand accountability from the intelligence community going back at least to the WikiLeaks leaks, these are worth examining.
Perhaps most predictably, Susan Collins called for passage of cybersecurity legislation.
It is time for Congress to pass a cybersecurity law that will strengthen our defenses and improve critical communication and cooperation between the private sector and government. We must do more to combat these dangerous threats in both government and the private sector.
Of course, nothing in CISA (or any other cybersecurity legislation being debated by Congress) would have done a damn thing to prevent the OPM hack. In other words, Collins’ response is just an example of Congress doing the wrong thing in response to a real need.
Giving corporations immunity is not the answer to most problems facing this country. And those who embrace it as a real solution should be held accountable for the next government hack.
Freshman Nebraska Senator Ben Sasse — both before and after Archuleta’s resignation — has appropriately laid out the implications of this hack (rebutting a comparison repeated by Earnest in his press conference, that this hack compares at all with the Target hack).
OPM’s announcement today gives the impression that these breaches are just like some of the losses by Target or Home Depot that we’ve seen in the news. The analogy is nonsense. This is quite different—this is much scarier than identity theft or ruined credit scores. Government and industry need to understand this and be ready. That’s not going to happen as long as Washington keeps treating this like just another routine PR crisis.
But one of his proposed responses is to turn this example of intelligence collection targeting legitimate targets into an act of war.
Some in the defense and intelligence communities think the attacks on OPM constitute an act of war. The rules of engagement in cyber warfare are still being written. And with them, we need to send a clear message: these types of intrusions will not be tolerated. We must ensure our attackers suffer the full consequences of their actions.
Starting now, government needs to stop the bleeding—every sensitive database in every government agency must be immediately secured or pulled offline. But playing defense is a losing game. Naming and shaming until the news cycle shifts is not enough.
Our government must completely reevaluate its cyber doctrine. We have to deter attacks from ever happening in the first place while also building resiliency.
We’re collecting the same kind of information as China — in methods that are both more efficient (because we have the luxury of being able to take off the Internet) but less so (because we are not, as far as we know, targeting China’s own records of its spooks). If this is an act of war then we gave reason for war well before China got into OPM’s servers.
Meanwhile, veterans Ted Lieu and Steve Russell (who, because they’ve had clearance, probably have been affected) are pushing reforms that will affect the kind of bureaucracy we should have to perform what is a core counterintelligence function.
Congressman Russell’s statement:
“It is bad enough that the dereliction displayed by OPM led to 25 million Americans’ records being compromised, but to continue to deflect responsibility and accountability is sad. In her testimony a few weeks ago, OPM Director Katherine Archuleta said that they did not encrypt their files for fear they could be decrypted. This is no excuse for a cyber-breach, and is akin to gross negligence. We have spent over a half a trillion dollars in information technology, and are effectively throwing it all away when we do not protect our assets. OPM has proven they are not up to the task of safeguarding our information, a responsibility that allows for no error. I look forward to working with Congressman Lieu on accountability and reform of this grave problem.”
Congressman Lieu’s statement:
“The failure by the Office of Personnel Management to prevent hackers from stealing security clearance forms containing the most private information of 25 million Americans significantly imperils our national security. Tragically, this cyber breach was likely preventable. The Inspector General identified multiple vulnerabilities in OPM’s security clearance system–year after year–that OPM failed to address. Even now, OPM still does not prioritize cybersecurity. The IG testified just yesterday that OPM ‘has not historically, and still does not, prioritize IT security.’ The IG further testified that there is a ‘high risk’ of failure on a going forward basis at OPM. The security clearance system was previously housed at the Department of Defense. In hindsight, it was a mistake to move the security clearance system to OPM in 2004. We need to correct that mistake. Congressman Steve Russell and I are working on bipartisan legislation to move the security clearance database out of OPM into another agency that has a better grasp of cyber threats. Steve and I have previously submitted SF-86 security clearance forms. We personally understand the national security crisis this cyber breach has caused. Every American affected by the OPM security clearance breach deserves and demands a new way forward in protecting their most private information and advancing the vital security interests of the United States.”
A number of people online have suggested that seeing Archuleta get ousted (whether she was forced or recognized she had lost Obama’s support) will lead other agency heads to take cybersecurity more seriously. I’m skeptical. In part, because some of the other key agencies — starting with DHS — have far too much work to do before the inevitable will happen and they’ll be hacked. But in part because the other agencies involved have long had impunity in the face of gross cyberintelligence inadequacies. No one at DOD or State got held responsible for Chelsea Manning’s leaks (even though they came 2 years after DOD had prohibited removable media on DOD computers), nor did anyone at DOD get held responsible for Edward Snowden’s leaks (which happened 5 years after the ban on removable media). Neither the President nor Congress has done anything but extend deadlines for these agencies to address CI vulnerabilities.
Perhaps this 90 day review of the NatSec implications of the hack is doing real work (though I worry it’ll produce McKinsey slop). But this hack should be treated with the same kind of seriousness as the 9/11 attack, with the consequent attention on real cybersecurity fixes, not the “do something” effort to give corporations immunity.
Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).
Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.
As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.
It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.
Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the pièce de résistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.
It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.
Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.
It didn’t work out.
But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.
Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).
First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.
McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.
By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.
But if not, it won’t be the immediate end of the world.
On this issue, too, the reporting has been horrible, even to the point of almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation used to justify the phone dragnet), will be grandfathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.
Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration dates on these FISA orders come due.
As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.
Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.
As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.
But as with last night’s “debate,” no one really knows for sure.
I well remember when Robert Grenier testified at Scooter Libby’s trial. His performance – like most of the witness testimony — was a performance. But I was more intrigued by the response. Even the cynical old DC journalists were impressed by the smoothness of the performance. “You can tell he was a great briefer,” one journalist who had written a book on the CIA said.
Today, he takes up the role of bogus pushback to the Senate torture report, complete with all the false claims about the report, including:
But perhaps Grenier’s most cynical assertion is his claim — in a piece that falsely suggests (though does not claim outright) that Congress was adequately briefed — that Congress’ job, their sole job, is to legislate, not oversee.
A second, related reason would be to build support for comprehensive legislation — that is what Congress is supposed to concern itself with, after all — to remove any of the interpretive legal ambiguity which permitted coercive interrogation to be considered in the first place, and ensure it never happens again.
It is a cynical move, but given the rest of his argument, the part that I find compelling, necessary.
Because Grenier warns Dianne Feinstein that her attack on the Presidentially authorized counterterrorism methods of the past will chill President Obama’s preferred presidentially authorized counterterrorism methods — drone strikes — going forward.
It is not just the past which is at stake, but the present and the future as well. Make no mistake — those currently serving in CIA are watching these developments closely.
Senator Feinstein, we are told, though having great moral qualms about vigorously interrogating terrorists, appears to have no particular compunction about killing them — so long as it is done remotely, with little direct contact with the gruesome details. As anyone reading the press will know, the current, Democratic administration has shown great enthusiasm for directed killings, employing drones in lethal operations around the world to an extent that might have shocked their Republican predecessors in the Bush administration. Death by video game has its attractions, particularly for those lacking intestinal fortitude. It enables them to avoid confronting the essential and unavoidable brutality of what they are doing.
Just as was the case with harsh interrogations during the last administration, the current resort to directed killings, including so-called “signature strikes,” in which the specific identities of those targeted are unknown, though remarkably uncontroversial at the outset of the current administration, has become anything but uncontroversial since. Should the perceived threat from various bits of ungoverned, terrorist-dominated geography around the globe diminish, the controversy involving drone strikes will only grow further. At some point soon, if they haven’t already, the tribunes of the people in the U.S. Congress will begin to wonder about the political wisdom of their association with directed killings.
They needn’t worry — they have already demonstrated their ability to avoid all responsibility — but those charged with carrying out such strikes should, and they know it. Those in both the White House and the Congress who have chosen to comfort themselves by propagating the myths associated with drone strikes — that they are universally “surgical,” always precisely targeted, and that any civilian casualties associated with them are rare — will inevitably find themselves shocked — perhaps “chilled” is the word — by reality when political calculation dictates that they examine it more closely. Drone strikes, like any other aspect of war, are far more messy and imprecise than advertised, involving subjective judgments easily vulnerable to second-guessing and ex-post-facto recrimination. They benefit only by comparison with more primitive methods, including ground attacks and conventional air strikes, but those comparisons will no longer matter when political interest moves in the other direction. Some successor to Dianne Feinstein may well soon find political cover or political advantage, as the case may be, in a thorough, negative investigation of the drone program — we can watch for it.
I told you CIA would invoke Obama’s drone strikes to limit the damage of the torture report.
To be sure, there is already evidence CIA is lying to Congress about drone strikes, just as it lied about torture, particularly about the numbers of civilians it has killed. Yet DiFi has willfully continued to believe those lies, to believe the CIA’s purportedly better record on drone strikes stems from some inherent skill and not the preference of foreign partners to work with a malleable CIA rather than DOD.
Grenier is absolutely right that Congress and the White House want to be lied to on this point.
Grenier then launches a more interesting implicit threat — that CIA will stop doing what the President demands under Article II.
In my own time in CIA, as perhaps in all times, there were those inside the organization who preached that the Agency should steadfastly avoid presidential directives to affect or shape events, rather than just report on them. “Stick to traditional intelligence collection,” they’d say. We hear similar voices now. But presidents always feel otherwise. Every president confronts foreign policy challenges for which a cheap, clandestine solution appears tempting. Given CIA’s unique capabilities, it’s often the right thing to do. But the opportunities to frustrate the president’s wishes and avoid such entanglements are rife for those who are so inclined. There is even a term for it: “slow rolling.” Current events, and the anticipated Senate report, will greatly strengthen the hand of the slow-rollers. It’s hard to disagree with them now.
Rather than taking responsibility for changes in counterterrorism policy on itself, it is a far safer, if more insidious course — one instinctive to Congress — to abuse the CIA to the point where it self-regulates. But as noted above, there are serious downsides to that approach. U.S. national security will not be served by fostering a culture within CIA in which the organization decides for itself which of its lawful orders it will choose to follow, and makes those judgments based on what CIA officers consider best for themselves and their institution, rather than on what their elected masters deem best for the country. That is not the way the system is supposed to work. The federal bureaucracy is supposed to follow legal orders. That is what CIA has always done, frequently to its cost, and that is what the American people need it to do. If they don’t like what their elected leaders have done, they can throw them out. They shouldn’t look to CIA to make these decisions for them — on their own, and for their own purposes.
Ostensibly, this talk about slow rolling the President’s Findings is about drone strikes. Except that the President is re-launching the war in Iraq even as we speak, based solely on Article II authority (I presume JSOC features as prominently as CIA, but CIA clearly has been on the ground for some time).
The implicit threat: if SSCI continues to push, both the President and the Democrats who want to respond to ISIS without declaring war will regret it.
Even here, Grenier is full of shit. He makes no mention of the structure of the September 17, 2001 Gloves Come Off Finding, which itself outsourced most substantive decisions to CIA. It’s one thing to demand Congress do something about that — and they should — and yet another to suggest the rest of Obama’s covert operations employ such structure (though I wouldn’t put it beyond the National Security establishment). Moreover, the abundant evidence (in CIA’s own records, which Grenier treats both as accurate and as inaccurate!) that CIA ignored even the limits imposed by DOJ makes their actions illegal, regardless of what order Bush originally gave.
The problem is the orders — both to torture and to drone strike. But it is also the type of relationship Cofer Black and Dick Cheney embraced (and Obama has retained, at least with respect to the Gloves Come Off MON).
Which is why this is my favorite line from Grenier’s piece.
Goodness. If even a substantial portion of this were true, I would be among the first to advise that CIA be razed to the ground and begun all over again.
This is coming (as Grenier alludes to but doesn’t fully lay out, just as he lays out the suggestion that CIA resumed torture after he refused in early 2006) from a guy who tried to stay within the law and stopped torturing after the Detainee Treatment Act forbade it. It is, perhaps, the best line, given the impasse we’re at.
CIA has become the instrument of illegal actions, an arm of the Executive that evades all law, precisely because of its corrupted relationships with both the Executive and Legislative branch.
So, I take you up on the suggestion, Robert Grenier. Let’s raze the damn thing and — if a thorough assessment says a democracy really needs such an agency, which it may not — start over.
My favorite call for John Brennan’s head thus far comes from Fred Fleitz, who helped John Bolton sex up WMD claims leading into the Iraq War. He says John Brennan has to resign not just to shore up CIA’s relations with Congress, but also NSA’s.
I believe CIA director John Brennan and agency officials involved in the monitoring of computers used by the SSCI staff must resign to help mend the CIA’s relationship with Congress. Such resignations would go a long way toward restoring the confidence of the SSCI in the CIA and, it is to be hoped, would win the agency and the National Security Agency some crucial allies in both houses of Congress to fend off several ill-advised intelligence-reform proposals currently under discussion there.
But that’s not my favorite part. Nor is where this “intelligence” professional says a report voted out with support from John McCain (in the first vote) and Susan Collins (in the second) is a Democratic vote. Nor is the bit where Fleitz claims the program was properly briefed, which it wasn’t.
My favorite part is Fleitz’ conflicting claims about Michael Hayden.
The main focus of the SSCI probe reportedly is to prove Democratic claims that the effectiveness of the enhanced-interrogation program has been exaggerated. Former CIA director Michael Hayden and other former senior CIA officials involved in the enhanced-interrogation program dispute this. According to Hayden, as late as 2006 fully half of the government’s knowledge about the structure and activities of al-Qaeda came from harsh interrogations.
Despite their firsthand knowledge of the enhanced-interrogation program, there is no input in the SSCI report from Hayden, former CIA general counsel John Rizzo, or other CIA officials, since the report is based solely on an examination of documents.
Assertion 1) Michael Hayden claims half of the government’s knowledge about al Qaeda came from torture, meaning no more than half came from the illegal torture he was conducting at the time over at NSA (and also meaning that relatively more intelligence has come in from SIGINT since Hayden left).
Assertion 2) Michael Hayden, whose entire CIA tenure post-dated the Detainee Treatment Act that made the torture program illegal, should have some say in a torture report.
Maybe Hayden was spying on the CIA while he was in charge of NSA. Or maybe (ok, in fact) Hayden continued torture after such time as Congress made it doubly illegal.
But in the same way that Cofer Black should not need to have a say in torture if the CIA’s false narrative were not false, Michael Hayden shouldn’t either.
Man, as much as this report is demonstrating how much CIA lies and how useless their torture program was, it also demonstrates the misnomer of the whole “intelligence” label.
Aspiring Senate Intelligence Chair Richard Burr has announced he will vote to declassify the Torture Report.
Sen. Richard Burr, R-N.C., also said he planned to vote to declassify.
Burr added: “We’ve already expressed our opposition to the content.”
Declassifying, he said, is “the only way that we get minority views out there,” because the Republicans plan to offer their views on the report.
This gives a pretty strong indication of where this Torture Report debate will go — and why CIA got so quiet all of a sudden, aside from former CIA lawyer John Rizzo’s tireless propaganda efforts.
The Committee would have published dissenting views in any case, but Republican Susan Collins specifically included them in her support for the report.
What we’re going to get will be the Executive Summary, Findings, and Additional and Dissenting Views. Because we’ll get just the Executive Summary, we won’t get much hard detail — aside from that which has been public for years — about the allegations that will appear in the Executive Summary, which will make it harder to rebut any claims CIA’s defenders make.
Moreover, I would not be in the least surprised if the same rule that applies to CIA Publication Review Board decisions — that the writings of torture critics like Ali Soufan and Glenn Carle are aggressively censored, while the views of torture boosters like Rizzo and Jose Rodriguez will be permissively published — applied here. The CIA has — as McClatchy emphasizes — already assumed they’ll do the declassification review. And in spite of calls for the White House to take the lead, I expect they won’t. After all, the White House has relied on CIA to hide the Executive Privilege-lite documents (which I suspect would show that CIA only lied to some people at the White House, but not to people like David Addington). So CIA is owed something by the White House.
That mutual embrace of incrimination will provide the CIA a great deal of protection.
Remember, too, that torture critics have gotten recent warnings not to speak publicly, even while Rodriguez and Rizzo blather away.
And all this — what will surely be calls that Democrats have unfairly tainted noble Jose Rodriguez’ reputation — will play out against electoral politics, as Republicans try to take out Mark Udall for his opposition to torture.
Thus far, too, the torture boosters have laid the groundwork to win this debate. Even ignoring Rizzo and Rodriguez’ books, they’ve been working the press with details, as compared to the vague releases that the Torture Report will find CIA lied.
Which is my pessimistic way of saying that unless torture critics get a lot more serious about the propaganda onslaught the Republicans plan to launch to defend torture, this Torture Report release may not do all that much good at all. Torture critics largely lost this debate in 2009, and they’ll actually have less new information with which to fight this if CIA gets its way on declassification.
It is fairly big — and welcome — news that, along with Angus King, Susan Collins will support the release of the Senate Torture Report. Collins’ vote will give the report the patina of bipartisanship, which will therefore increase its legitimacy among the chattering classes.
Just as welcome, however, is the language the Maine Senators use to describe what CIA did.
We remain strongly opposed to the use of torture, believing that it is fundamentally contrary to American values. While we have some concerns about the process for developing the report, its findings lead us to conclude that some detainees were subjected to techniques that constituted torture. This inhumane and brutal treatment never should have occurred. Further, the report raises serious concerns about the CIA’s management of this program.
Our vote to declassify this report does not signal our full endorsement of all of its conclusions or its methodology. The report has some intrinsic limitations because it did not involve direct interviews of CIA officials, contract personnel, or other Executive branch personnel. It also, unfortunately, did not include the participation of the staff of Republican Committee members. We do, however, believe in transparency and believe that the Executive Summary, and Additional and Dissenting Views, and the CIA’s rebuttal should be made public with appropriate redactions so the American public can reach their own conclusions about the conduct of this program.
Torture is wrong, and we must make sure that the misconduct and the grave errors made in the CIA’s detention and interrogation program never happen again. [my emphasis]
Two of the last weathervanes of right-centrism have deemed it acceptable to use the word “torture” to describe what the CIA did, a word most of the nation’s press still refuses to use for fear it will affect their claim to objectivity.
If Susan Collins can use the word torture, then can the other institutions that aspire to be such measures of centrism also do so?
Over the last few days, I’ve tracked the accusations and counter-accusations between CIA and the Senate Intelligence Committee.
A number of people have asked why, as a way to end this issue, the Committee doesn’t just declassify the entire SSCI Report.
But it’s not so simple as that.
It’s not clear there are the votes to release the Report.
Recall that when the Committee approved the Report back in 2012, the vote was largely split on party lines, with the exception of John McCain, who voted as an Ex Officio member (as Ranking Member of Senate Armed Services Committee) to release the Report. McCain is no longer SASC Ranking member: Jim Inhofe is, and I’m betting he’s not going to vote to release the Report.
There are few other changes in the Committee proper since the report was originally finalized. Martin Heinrich and Angus King have replaced Bill Nelson and Kent Conrad, and Susan Collins and Tom Coburn have replaced Olympia Snowe and Roy Blunt.
And while Heinrich has quickly become one of the better overseers on the Committee, including on torture, it’s not actually clear whether King would vote to release the report. Collins, too, has been reported to be undecided (and her vote would be critical to making this a “bipartisan vote,” now that McCain doesn’t have a vote). There are even hints that Mark Warner wouldn’t vote to support its declassification (though he supported its finalization).
And importantly, King and Collins have been reported to be undecided after the time when, in January, the Committee at least began to suspect they’d been surveilled.
There are, obviously, two different issues (though Saxby Chambliss, at least, sides with CIA on both counts). But there’s been little outcry from the swing votes on releasing the underlying report itself.
Update: h/t to JK for the link to the Collins/King report I was not finding.
Politico has an article predicting civil liberties will become a big issue this year. I’m skeptical (I say that as someone whose Rep the GOP is trying to take out largely because of his defense of civil liberties).
But I am interested in what Susan Collins had to say about Democratic challenger Shenna Bellows’ criticism of her stance on civil liberties.
In a phone interview from Maine, Collins rebutted criticism that she has not done enough to protect against civil liberties, highlighting legislation she co-sponsored in 2004 that created the independent Privacy and Civil Liberties Board and her support for recent proposals to tighten oversight over the surveillance programs. But, she said, doing away with the ability of the government to collect phone records would cause great harm to the country’s ability to root out terrorism.
“We know that there were plots thwarted solely or partially by the programs, so doing away with it altogether would mean a less safe America,” said Collins, who sits on the Senate Select Committee on Intelligence and has supported the PATRIOT Act and legislation codifying broader electronic surveillance.
You see, it was only 4 days ago that Collins was disowning her infant creation, PCLOB, because it had presented a hard-hitting report that said the dragnet was not just bad policy, but against the law.
“As the mother of this board, that [split decision] is not what I’m looking for,” said Sen. Susan Collins (R., Maine), who co-wrote the post-Sept. 11 legislation creating the Privacy and Civil Liberties Oversight Board. The split in the board’s first major report “really weakens its recommendations and undermines the role that we envisioned it would play,” she said.
At the moment when Collins’ self-described offspring took its first step, the Senator felt it had not chosen bipartisanship over stating the truth. I guess we understand what role Collins felt it could play.
And as for her purported efforts to tighten oversight over the dragnet (which includes measures to strengthen PCLOB she probably now regrets), while she did support some improvements to DiFi’s Fake FISA Fix, she not only cast a decisive vote against limiting dragnet retention to 3 years, but even backed a failed Tom Coburn amendment to “eliminate restrictions on the retention of bulk metadata.”
It turns out that Mark Kirk — not Bernie Sanders — was the first member of Congress to raise concerns about the NSA spying on Senators after Edward Snowden’s leaks started being published. Kirk did so less than a day after the Guardian published the Verizon order from the phone dragnet, in an Appropriations Committee hearing on the Department of Justice’s budget (see at 2:00). After Susan Collins raised the report in the context of drone killing, Kirk asked for assurances that members of Congress weren’t included in the dragnet.
Kirk: I want to just ask, could you assure to us that no phones inside the Capitol were monitored, of members of Congress, that would give a future Executive Branch if they started pulling this kind of thing up, would give them unique leverage over the legislature?
Holder: With all due respect, Senator, I don’t think this is an appropriate setting for me to discuss that issue — I’d be more than glad to come back in an appropriate setting to discuss the issues that you’ve raised but in this open forum —
Kirk: I’m going to interrupt you and say, the correct answer would say, no, we stayed within our lane and I’m assuring you we did not spy on members of Congress.
The first substantive question Congress asked about the dragnet was whether they were included in it.
After that, a few moments of chaos broke out, as other Senators — including NSA’s representative on the Senate Intelligence Committee, Barb Mikulski — joined in Kirk’s concerns, while suggesting the need for a full classified Senate briefing with the AG and NSA. Richard Shelby jumped in to say Mikulski should create the appropriate hearing, but repeated that what Senator Kirk asked was a very important question. Mikulski agreed that it’s the kind of question she’d like to ask herself. Kirk jumped in to raise further separation of powers concerns, given the possibility that SCOTUS had their data collected.
The very first concern members of Congress raised about the dragnet was how it would affect their power.
And then there was a classified briefing and …
… All that noble concern about separation of power melted away. And some of the same people who professed to have real concern became quite comfortable with the dragnet after all.
It’s that sequence of events (along with Snowden’s claim that Members of Congress are exempt, and details about how data integrity analysts strip certain numbers out of the phone dragnet before anyone contact-chains on it) that led me to believe that NSA gave some assurances to Congress that they need not worry that their power was threatened by the phone dragnet.
The best explanation from external appearances was that Congress got told their numbers got protection the average citizen’s did not, perhaps stripped out with all the pizza joints and telemarketers (that shouldn’t have alleviated their concerns, as some of that data has been found sitting on wayward servers with no explanation, but members of Congress can be dumb when they want to be).
And they were happy with the dragnet.
Then, 7 months later, Bernie Sanders started asking similar — but not the same — questions. In a letter to Keith Alexander, he raised several issues:
He even defined what he meant by spying.
“Spying” would include gathering metadata on calls made from official or personal phones, content from websites visited or emails sent, or collecting any other data from a third party not made available to the general public in the regular course of business.
In response, Alexander rejected Sanders’ definition of spying (implicitly suggesting it wasn’t fair), while using a dodge he repeatedly has: the Americans in question are not being targeted, even while they might be collected “incidentally.”
Nothing NSA does can fairly be characterized as “spying on Members of Congress or other American elected officials.”
NSA may not target any American for foreign intelligence collection without a finding of probable cause that the proposed target of collection is a foreign power or an agent of a foreign power. Moreover, as you are aware, whenever an NSA activity results in the incidental collection of information about Americans, that information is handled pursuant to the very robust procedures designed to protect privacy interests — procedures that must be approved by the Attorney general or the Foreign Intelligence Surveillance Court, as appropriate. All those protections apply to members of Congress, as they do to all Americans.
Alexander then addressed just one of the three kinds of spying Sanders raised: phone data (which, if I’m right that NSA strips Congressional numbers at the data integrity stage, is the one place Alexander can be fairly sure Sanders’ contacts won’t be found).
Your letter focuses on NSA’s acquisition of telephone metadata…
And used the controls imposed on the raw data of the phone dragnet as an excuse for not answering Sanders’ question.
Among those protections is the condition that NSA can query the metadata only based on phone numbers reasonably suspected to be associated with specific foreign terrorist groups. For that reason, NSA cannot lawfully search to determine if any records NSA has received under the program have included metadata of the phone calls of any member of Congress, other American elected officials, or any other American without that predicate.
Alexander totally ignored Sanders’ two other specified concerns: emails sent and websites visited.
Which is mighty convenient, because for a very large segment of that collection (the internet metadata collected under EO 12333 and via PRISM, though not the data collected domestically before 2011 or domestic upstream collection), NSA believes it doesn’t even need Reasonable Articulable Suspicion to search on US person identifiers.
Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”
That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.
Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.
It appears that Wyden had intended to ask the question of one of the witnesses at an open Senate Intelligence Committee hearing (perhaps Deputy Attorney General James Cole), but — having had warning of his questions (because he sent them to the witnesses in advance) — Dianne Feinstein and Susan Collins ensured there would not be a second round of questions.
As it happens, Wyden made the request for the memo two days after DiFi told The Hill she was preparing to advance her version of CISPA, and the day after Keith Alexander started calling for cybersecurity legislation again.
In a brief interview with The Hill in the U.S. Capitol on Tuesday, Feinstein said she has prepared a draft bill and plans to move it forward.
The legislation would be the Senate’s counterpart to the Cyber Intelligence Sharing and Protection Act, known as CISPA, which cleared the House in April.
CISPA would remove legal barriers that prevent companies from sharing information with each other and the government about cyber attacks. It would also allow the government to share more information with the private sector.
Since then, Alexander has pitched new cybersecurity legislation in an “interview” with the NYT, admitting he needs to be more open about his plans for cybersecurity.
Now, the Executive Branch’s unwillingness to actually share the law as it interprets it with us mere citizens prevents us from understanding precisely what relationship this OLC memo has with proposed cybersecurity legislation — but Wyden made it clear in January that it does have one. But here are some things we might surmise about the memo:
Let’s use the lesson we learned during the FISA Amendments Act, where the telecoms were clamoring for the legislation and the retroactive immunity, while the Internet companies were grateful for “clarity” but explicitly opposed to retroactive immunity. When we learned the telecoms had been turning over the Internet companies’ metadata and content, this all made more sense. The Internet companies wanted the telecoms to be punished for stealing their data.
In this case, in the first round of CISPA (which had broad immunity protections), Facebook and Microsoft were supporters. But in this go-around (which has still generous but somewhat more limited immunity), the big supporters consist of:
Now, who knows with which of these entities the government is already relying on this common commercial services memo, or which of our providers we believe have made some assurances to us when in fact they’ve made entirely different ones.
But I will say the presence of the telecoms, again angling for immunity for information sharing, along with their analogues, the broadband providers, does raise questions. Especially considering a Verizon exec’s trash talking about consumer-centric Internet companies that don’t prioritize national security.
Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”
“This is a more important issue than that which is generated in a press release. This is a matter of national security.”
After all, the telecoms have a history of willingly cooperating with the government, even if it bypassed the protections offered by Internet companies, even if it violated the law. Have they been joined by big broadband?
Well, DOJ could clear all this up by revoking and releasing the memo. Until they do, though, my wildarsed guess is that those operating the Toobz in the country — the telecom and broadband companies — have already started sharing consumers’ data in ways that a plain reading of the law seemingly wouldn’t permit.