CIA Wanted To Throw The CFAA At Senate Staffers For Unauthorized Googling
from the stop-accessing-documents-we-couldn't-be-bothered-to-properly-secure! dept
Marcy Wheeler has picked up on an interesting claim made in the CIA's "We Did Nothing Wrong" report. This report -- an in-house investigation of the CIA's snooping on/hacking Senate staffers during the compilation of the Torture Report -- tossed out the Inspector General's findings and cleared the agency of any misconduct. It then went on to disingenuously claim that it was the Senate, not the CIA, that broke the rules.According to the CIA's investigators, Senate staffers accessed documents they weren't supposed to see, apparently by "abusing" the shared network set up explicitly for the Torture Report compilation. What Wheeler spotted -- in a very thorough fisking of the CIA investigative report by Katherine Hawkins of Just Security -- is the attempted criminalization of Google searches.
As Hawkins summarizes, the crime report was based off a flaw in the Google search that CIA’s own contractor had built into the system.So, the CIA deployed an insecure system, was warned about it, but never bothered to do anything about it until it came across documents the Senate supposedly wasn't allowed to have.
"On February 7, 2014, the CIA’s Acting General Counsel Robert Eatinger (whose name is redacted from the OIG report) filed a crimes report against Senate staff with the Department of Justice. The OIG report found that the crimes report “was unfounded,” in part because Eatinger “had been provided inaccurate information on which the letter was based.” In particular, the OIG wrote:
[T]he crimes report stated that SSCI staffers might have exploited a software vulnerability on RDINet to obtain access to the [Panetta Review documents], in violation of the Computer Fraud and Abuse Act … The report was solely based on inaccurate information provided by the two [Office of the General Counsel] attorneys [to the Office of Security].
The OIG report found that there was indeed “a vulnerability” with the Google search tool that the CIA provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings” from 2009 to April 2013. But contrary to the CIA lawyer’s memorandum and the crimes report to DOJ, OIG found no evidence that Senate staff had deliberately “exploited” this flaw until CIA personnel “confronted them” with inappropriately accessed documents. Rather, it was SSCI staff who brought the vulnerability to the CIA’s attention. On November 1, 2012, a SSCI staff member alerted CIA staff that the search tool “was indexing the Majority staff work product on a shared drive,” and asked them to make it stop. The CIA did not act on this request for months. Then in 2013, a SSCI staff member requested “a number of detainee videos not provided to the SSCI by the CIA,” based on a spreadsheet that a CIA employee recognized as being from the Panetta Review. After this incident, in April 2013, CIA IT staff finally discovered and repaired the flaw with the Google search tool."
As Hawkins points out in her Just Security post, the ongoing accusation that the Senate "hacked" the CIA's servers is pure BS. None other than Senator Feinstein addressed this bogus claim on the Senate floor in March of 2014:
[C]ommittee staff did not “hack” into CIA computers to obtain these documents as has been suggested in the press. The documents were identified using the search tool provided by the CIA to search the documents provided to the committee.It was no hack, but the CIA attempted to hurl a Senate staffer into the jaws of the CFAA -- a law that magically turns those who discover security flaws into felons. In its February 2014 letter to Eric Holder, the CIA's counsel describes the alleged hacking as nefarious exploitation of its (admittedly insecure) search function.
The information made available to me indicates that in the November 2010 timeframe, the non-employee conducted a search that appeared intended to reach into part of the computer system to which the non-employee did not have authorized access. In such a circumstance, the system was designed to bring up on the workstation screen a page that advised the non-employee was not authorized to access that document. This page, however, had the security vulnerability that has since been discovered and remedied. The security vulnerability was that the page also contained a "URL" that indicated where the document was located on the system and if an individual copied the URL and pasted it into the browser's address bar, the individual could gain access to the document, copy it, bring that copy across the firewall, and paste it into a folder on his or her side of the firewall. The information made available to me indicates the non-employee copied the URL, pasted it directly into the browser's bar, and accessed the document.That's incredibly poor security for a bunch of documents the CIA clearly didn't want the Senate to access. And it wasn't cheap, either. This custom Google search and server set-up was apparently a large portion of the $40 million spent to compile the Torture Report. And let's not forget that this vulnerability was undiscovered for over two years and not immediately patched when it eventually was discovered.
A staffer finding a flaw in a system isn't hacking, no matter how much the CIA wants it to be. But the CFAA allows the government to use the law's most charitable readings when prosecuting "hackers." The CIA finds wrongdoing everywhere but never in its own backyard. Its management, employees and contractors who presided over its illegal torture program will not be held accountable for their actions. But the CIA wanted the Senate to be held accountable for… holding the CIA accountable.
Hawkins again:
I know some of the staffers who wrote the torture report, including the probable subject of the crimes report to the DOJ. They do not leak and have never been credibly been accused of leaking. They do not confirm or deny information that is officially classified, no matter how obvious it is or how many years it has been in the public domain. They scrupulously continue to follow the classification restrictions that the CIA and the committee placed on them, no matter how absurd those restrictions are or how severe the crimes they conceal.The CIA is a rogue agency, much like its counterparts, the FBI and NSA. It may be publicly embarrassed or wince at the criticism and condemnation thrown its way, but it ultimately answers to no one -- not even after its worst behavior has been exposed. It walks away from a damning report pretty much intact and has the gall to suggest Senate staffers be punished for walking in and out of its firesieve with damaging documents in their hands.
Nevertheless, the CIA searched their computer drives and their emails, and referred them to the DOJ for prosecution. Why? Because, in the course of an official Senate investigation into the torture program, they used a CIA-installed Google search tool to find CIA documents about the torture program. They read the documents, despite the fact that they contained a questionable stamp of “privilege,” and preserved them when they thought they were in danger of destruction. The staffers’ actions were not crimes or a security breach justifying a search of Senate computers. Their actions were oversight of an agency in sore need of it.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, cia, doj, misconfigured tool, searching, senate, senate intelligence committee, torture report
Reader Comments
Subscribe: RSS
View by: Time | Thread
Unless your name is Aaron Swartz, or any myriad other poor fools who had the misfortune of exposing security holes in corporate software.
[ link to this | view in thread ]
NAIL THEM TO THE WALLL!!!
Or worse... get their ilk exempted, which provides a sort of catch-22 situation.
But I vote... NAIL THEM ALL TO THE WALL! Let their stupidity burn them for once!
[ link to this | view in thread ]
To quote Smokey & the Bandit ...
[ link to this | view in thread ]
subcontractor error?
>>undiscovered for over two years and not immediately
>>patched when it eventually was discovered.
Hmmm...sounds like they're subcontracting their security maintenance out to Microsoft.
[ link to this | view in thread ]
-What bob will say.
[ link to this | view in thread ]
http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-public-website-ruled- violation-of-us-law/
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Let's not forget that the current president made it a centerpiece of his campaign that if elected, he would reverse the unconstitutional "national security" policies of his predecessor.
Instead, he did the exact opposite of what he promised and expanded the government's war against its own people.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
"The CIA is a rogue agency,"
Its leaders want to hide that incompetence.
[ link to this | view in thread ]
So rather than bitch-slap the fucktard who allowed this vulnerability to get through they go after the folks who used the tool?
Well, I guess it's easier than admitting you're at best inept, and at worst incompetent.
Can anyone say "entrapment?"
[ link to this | view in thread ]
Re:
It was probably pointed out to him that the FBI had so many mentally deranged "solitary" assassins apply for doing a JFK job on him that they had to enter them in a lottery.
Perhaps he wanted to be the first black president of the United States also finishing his elected terms.
Arguably JFK has been more of a president in the time he lived to serve than Obama.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Goggle
[ link to this | view in thread ]
In other words
In other words, the security was nonexistent? Because copying and pasting links like that is a very, very common thing to do -- I do it almost daily (mostly to bypass terrible user interfaces).
The truly scary thing is that this is the freaking CIA, using systems that are so insecure that any 10 year old could have stumbled into the breach without even noticing.
[ link to this | view in thread ]
Re: In other words
But isn't jaw-dropping incompetence the central component of any government work? Consider the 'Obamacare' website, which any (private-sector) web developer would say could have been done (bug-free) for a tiny fraction of the cost. The IRS's missing emails is another example.
So by typical government standards, the CIA actually didn't do too badly.
[ link to this | view in thread ]
reality is a scam
[ link to this | view in thread ]
Re: "The CIA is a rogue agency,"
[ link to this | view in thread ]
Re: In other words
It seems weird to me that the CIA is so willing to admit to its own idiocy and lack of security.
[ link to this | view in thread ]
Sums up how things work among the CIA and all those other terror causing alphabet agencies
[ link to this | view in thread ]
Re: NAIL THEM TO THE WALLL!!!
[ link to this | view in thread ]
The Senate is the government, not the CIA
[ link to this | view in thread ]
Re:
Seal team 6 if anyone was curious.
corruption starts at the top and trickles down. those underlings notice the top men get away with treason, and figure they can too. Since charging them for their crimes would then get themselves arrested for their crimes everyone ignores what everyone else does.
The average citizen wakes up to find he has no rights anymore, because the people he trusted to look out for him discovered overwatch is nonexistent at this point
[ link to this | view in thread ]
Re: reality is a scam
As a disclaimer I do not judge a person by what they look like only what actions they take. Since I have never owned slaves or supported slavery I feel no guilt over what my ancestors may have done. Otherwise I would feel guilty for every war and atrocity done in the past several centuries
[ link to this | view in thread ]
Re: Re:
The mistake is in trusting others to look out for your rights in the first place. That's always a really terrible idea, since in doing so you are in effect handing your rights over to someone else.
The only person you can trust to look out for your rights is yourself. Such is as it has always been.
[ link to this | view in thread ]
Re: Re: reality is a scam
Surveillance is the spiritual successor of slavery. They should feel guilty about it.
[ link to this | view in thread ]