The Trump Administration Has Given The CIA Free Rein To Engage In A Cyberwar

from the cybercoups-on-tap dept

Outside of the agencies desiring to participate in a cyberwar, cyberwars are generally considered to be a bad idea. At some point, the cyber is going to turn physical and we'll just be stuck in a regular war that actually kills people. And since accurate attribution still remains elusive, the potential for picking the wrong fight remains.

There was some talk of going to cyberwar with Russia after the DNC server hacking. The CIA, in particular, was all too willing to send its keyboard warriors out to do battle. This desire to draw virtual blood found some backing in the press when NBC acted as the agency's PR office, talking up the new bright, shiny warfare and asking viewers if they'd like to know more.

As long as officials have been claiming we're on the cusp of a "cyber Pearl Harbor," the CIA has been wanting to go on the offensive. The CIA already participates in plenty of cyber-attacks, but it's mostly of the one-to-one variety, targeting individuals the agency has placed under surveillance. But the agency does know how to disrupt elections, participate in coups, and otherwise wreak havoc in "enemy" lands.

Now it can do it at the cyber level. And, as Yahoo News was the first to report, it's been doing it for a few years now thanks to the new kid in town.

The Central Intelligence Agency has conducted a series of covert cyber operations against Iran and other targets since winning a secret victory in 2018 when President Trump signed what amounts to a sweeping authorization for such activities, according to former U.S. officials with direct knowledge of the matter.

The secret authorization, known as a presidential finding, gives the spy agency more freedom in both the kinds of operations it conducts and who it targets, undoing many restrictions that had been in place under prior administrations. The finding allows the CIA to more easily authorize its own covert cyber operations, rather than requiring the agency to get approval from the White House.

Rather than develop targets over months and years, the CIA can now rush in whenever it feels there's a target worth attacking. It's not just attacks targeting infrastructure or weapons development capability. It's also disinformation campaigns and the breaching of protected servers to obtain sensitive (and potentially embarrassing) documents to leak locally. Yes, the CIA is now a self-contained Wikileaks that sources and obtains its own documents.

But there's more to it than that. The authorization of CIA activities allows it to go after targets that were previously considered off-limits if it can find the slightest justification for doing so.

The presidential authorization makes it much easier for the CIA to target “cut-outs” believed to be working surreptitiously for hostile foreign intelligence services at media organizations, charities, religious institutions, or other non-state entities for disruptive or destructive cyber actions, said former officials. In the past, the burden of proof for targeting such entities was high; now, standards have been made far more lax, said former officials.

The administration has also given the CIA more power to attack foreign financial institutions, something previous administrations -- and the Treasury Department itself -- opposed due to concerns about collateral damage to international relations or the world economy itself. These concerns are now being ignored. The CIA -- thanks in part to the departed John Bolton -- now operates with near-impunity. The end result of the Trump Administration casting off the shackles binding this component of the Deep State is operations like the one described in the Yahoo article -- one that appears to have been performed by the CIA.

In another stunning hack-and-dump operation, an unknown group in March 2019 posted on the internet chat platform Telegram the names, addresses, phone numbers and photos of Iranian intelligence officers allegedly involved in hacking operations, as well as hacking tools used by Iranian intelligence operatives. That November, the details of 15 million debit cards for customers of three Iranian banks linked to Iran’s Islamic Revolutionary Guard Corps were also dumped on Telegram.

Although sources wouldn’t say if the CIA was behind those Iran breaches, the finding’s expansion of CIA authorities to target financial institutions, such as an operation to leak bank card data, represents a significant escalation in U.S. cyber operations.

The CIA is a power player in the cyber-arena now. It has finally secured the powers it's been seeking for three straight administrations. But, on top of concerns about potential international "incidents" the CIA may be leading us towards, there's the more immediate concern about how the CIA secures its own stuff. If you want to wage a cyberwar, you'd better have your home front locked down tight. Recent events have shown the CIA's approach to internal security is lax at best. If the agency is out picking fights with foreign hackers, it won't be long before someone takes the CIA's weapons and starts wielding them against our allies… or the United States itself.

Filed Under: cia, cyberwar, hacking

The US Government Is Considering Drafting Middle-Aged Hackers To Fight The Cyberwar

from the could-not-have-found-a-worse-way-to-approach-its-personnel-problem dept

There's no time like the near future to be conscripted into military service. Due to citizens' declining interest in being personally involved in the government's multiple Forever Wars, the Commission on Military, National and Public Service is exploring its options. And one of the options on the table is removing restrictions on certain draftees (or volunteers) headed for certain positions in the armed forces.

Got hacking skills? Uncle Sam may want you for the U.S. Army—even if you’re far past traditional draft age.

The National Commission on Military, National and Public Service is seeking public feedback on a slew of possible changes to the way the government handles its selective service requirements, including drafting people with cyber skills regardless of their age or gender.

The commission study was directed by Congress in the 2017 version of the National Defense Authorization Act, an annual defense policy bill, and is due to Congress in 2020.

This expansion would net the government essential personnel needed to fight the still-undeclared Cyberwar. No matter your age or severity of bone spurs, the government might have a desk job for you. And you might not have a say in the matter. If the commission recommends a draft targeting key non-combat personnel, people in their thirties and forties might find themselves parachuting telecommuting into the war zone despite having careers in place elsewhere.

The key points of the Commission's directive [PDF] can be found in this paragraph.

Congress has specifically directed the Commission to consider:

“(1) the need for a military selective service process, including the continuing need for a mechanism to draft large numbers of replacement combat troops;

(2) means by which to foster a greater attitude and ethos of service among United States youth, including an increased propensity for military service;

(3) the feasibility and advisability of modifying the military selective service process in order to obtain for military, national, and public service individuals with skills (such as medical, dental, and nursing skills, language skills, cyber skills, and science, technology, engineering, and mathematics (STEM) skills) for which the Nation has a critical need, without regard to age or sex; and

(4) the feasibility and advisability of including in the military selective service process, as so modified, an eligibility or entitlement for the receipt of one or more Federal benefits (such as educational benefits, subsidized or secured student loans, grants or hiring preferences) specified by the Commission for purposes of the review.”

Congress may be looking to reinstate the draft. It seems we wouldn't need to "draft large numbers of replacement troops" if we weren't continually sending them off to foreign lands to get shot at or blown up. Scaling back our military presence might nip the draft idea in the bud, but with few exceptions, things have only escalated since September 11, 2001, rather than cooled down.

Dropping the age and sex requirement for other positions is wise, but it quickly becomes foolhardy once it's no longer voluntary. The reason the government can't keep the military stocked is it's done all it can over the past 50 years to destroy Americans' faith in it. Things went south reputationally during the Vietnam War, which is the last time the draft was in place. A bungled "military action," punctuated by atrocities, extended for purely political reasons, and ended with what one could generously call a "tie," did little to warm the hearts of American citizens. The years since then have seen "wars on" various ideas declared, with no definitive enemy or endpoint. There's not a lot of enthusiasm left for joining the world's police force, especially when threats to American way of life shift with White House regime changes. The rebels we once sold arms to are now a terrorist organization in need of stomping out by boots on the ground.

That dovetails into the second task of the Commission: "fostering a greater attitude and ethos of service." This is the government's fault and the government needs to fix it. It won't be able to do it overnight or even in time to rustle up a bunch of "replacement troops" to send to whatever area of the world is in need of gunpoint democracy. I'm sure the final report may have something to say about millennials failing to adopt the ethos and pro-American enthusiasm of their generational predecessors, but who could blame them? The Social Security safety net will have dried up before they have a chance to access it and their economic future is in the hands of malicious actors the government has never shown an interest in punishing. (See every administration ever vs. "too big to fail.")

Knowing this ship won't be righted easily may prompt the Commission to suggest something no one would imagine being enacted here. A few pages down, the Commission asks a bunch of questions of itself -- one that would appear to answer another one, but with a "solution" most commonly found in totalitarian dictatorships.

(1) Is a military draft or draft contingency still a necessary component of U.S. national security?

(2) Are modifications to the selective service system needed?

(3) How can the United States increase participation in military, national, and public service by individuals with skills critical to address the national security and other public service needs of the nation?

(4) What are the barriers to participation in military, national, or public service?

(5) Does service have inherent value, and, if so, what is it?

(6) Is a mandatory service requirement for all Americans necessary, valuable, and feasible?

(7) How does the United States increase the propensity for Americans, particularly young Americans, to serve?

Yes, one sure way to "increase participation" is to mandate participation via a draft. Another way is to make it mandatory across the board for all citizens, making the draft redundant. Neither of these efforts will solve other problems like "fostering a greater attitude or ethos of service." If either of these are enacted, the military will be full of people who don't want to be there and who won't have their eye on anything other than the calendar. This will only exacerbate the military's current issues. The only thing it addresses is the need for periodic infusions of cannon fodder.

The cyberwar the government has been gearing up to fight for most the last decade will be another Forever War. Even if it's a bloodless battle, it will be far from harmless. The government already makes policy decisions based on highly-speculative attribution. In the future, it will engage in both cyberwar and conventional war using the same information. There won't be bodies to bury, but someone's going to end up taking out the wrong critical infrastructure or targeting the wrong critical government entity based on political wind shifts. A steady infusion of keyboard warriors may sound like a good idea, but displacing people and uprooting their lives to act on political whims won't restore faith in the US of A. No one's going to be throwing parades for cyberveterans marching home with college money and participation ribbons. And if the tech side of the military industrial complex thinks it already has a problem with insider threats, just wait till it's mostly composed of people who have been pressed into service against their will.

Filed Under: cyberwar, draft, hackers

US Officials 'Strategically Leak' That US Is Ready To Hack Russia If It Interferes With Election

from the oh-come-on dept

For the past few months, we've been covering the increasingly eager stance of some in the "cybersecurity" and government worlds to proactively launch offensive cyberattacks on Russia. Going all the way back to the early summer, when Russia's role in any hacks was totally speculative, some were already advocating for "cyberwar" as a response. As we reached the fall, suddenly it was leaked that many inside the government were getting itchy trigger fingers to launch some sort of digital attack. And, government officials really seemed to rely on the ever gullible reporters at NBC to push this story.

So it comes as little surprise that NBC has the rather clumsily, if strategically linked news that the US government is all ready to cause cyber havoc on Russia if it does anything serious to interfere with US elections. Think, for just a second, how people in the government and national security worlds would react if someone like Ed Snowden leaked the following bit of info:

U.S. military hackers have penetrated Russia's electric grid, telecommunications networks and the Kremlin's command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News.

But, of course, since it's the US government leaking this info, no one seems to care. Of course, that's because everyone knows what's going on here. This is US officials basically telling Russia: "Hey, don't mess with our election or we'll do some cyber stuff." The claim that the US has hacked into Russian systems is certainly believable. That's what the NSA does after all (y'know, when it's not collecting info on Americans).

But the whole story is just silly posturing in a weird election year filled with silly posturing about hacks and cyberwar. Who knows what's going to happen tomorrow, but it would be nice if it didn't involve any nation state feeling the need to break out "cyber weapons" for any reason.

Filed Under: cyberwar, election, hack, hack back, leaks, nsa, russia
Companies: nbc

NBC Happily Parrots The CIA's Case For Escalating Cyber War With Russia

from the putting-out-fires-by-burning-the-house-down dept

As we've been noting there have been growing calls for the Obama Administration to publicly scold Russia for hacking the DNC, and to dole out some kind of righteous punishment for this unseemly behavior. Calls on this front have ranged from launching larger cyber offensives or even a brick and mortar military response. We've noted repeatedly how this is stupid for a multitude of reasons, since hacking "proof" is (if the hacker's any good) impossible to come by, with false-flag operations consistently common.

Despite the obvious dangers of escalation, the U.S. press seems pretty intent on helping the intelligence community justify doing exactly that. Countless outlets are breathlessly passing along the idea that we simply must "retaliate" for Russia's behavior, willfully ignoring that the United States wrote the book on nation state hacking and lacks the moral high ground to lecture anyone on cybersecurity. As Snowden and other whistleblowers should have made abundantly clear by now, we've been hacking allies, fiddling in Democratic elections, creating indiscriminately dangerous malware and worse for decades.

Led by our bad example, we've cultivated a global environment in which nation state operators hack one another every second of every day to keep pace with the United States. As such, the idea that the United States is an innocent daisy nobly defending its untarnished honor from uncivilized international ruffians is absurdly, indisputably false, yet this concept sits at 90% of the reporting on this subject. Case in point: eager to get the escalation ball rolling, the CIA last week used NBC to make the case for a renewed cyber-warfare campaign against Russia in the coming months:

According to the full NBC report, the CIA is cooking up a rotating platter of different proposals, most of which involve launching similar hack and leak campaigns intended to embarrass Putin and company:

"The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News. Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging "clandestine" cyber operation designed to harass and "embarrass" the Kremlin leadership."

Again though, if you understand that the NSA and its army of private contractors are covertly probing and attacking countless nations day in and day out (allies and enemies alike), the very idea that we'd announce this single counterattack via god-damned NBC should strike you as transparently theatrical and a bit silly. And as some pointed out, the wording of the story seems to strongly suggest we've already obtained plenty of documents that could prove embarrassing to Russia:Like most news coverage of the Russian hacks, our own responsibility for global cyber war escalation is left entirely unmentioned by a media that fancies itself a truth teller, yet somehow still can't escape the grip of fevered nationalism when covering militarism and cyber warfare. And you'll note the only hesitation from most of the government sources quoted in the article is that our "retaliation" won't be vicious enough:

Sean Kanuck, who was until this spring the senior U.S. intelligence official responsible for analyzing Russian cyber capabilities, said not mounting a response would carry a cost. "If you publicly accuse someone," he said, "and don't follow it up with a responsive action, that may weaken the credible threat of your response capability." President Obama will ultimately have to decide whether he will authorize a CIA operation. Officials told NBC News that for now there are divisions at the top of the administration about whether to proceed.

Good. There should be "divisions." Escalating our cyber-offensive "strategies" resulted in the conundrum we're currently enjoying. And escalation here could prove notably fatal to many given our ongoing proxy war with Russia in Syria. But it's abundantly clear the CIA wants the green light and is getting some resistance from the current administration, encouraging NBC to suggest that escalation could protect the sanctity of the November elections:

"The CIA's cyber operation is being prepared by a team within the CIA's Center for Cyber Intelligence, documents indicate. According to officials, the team has a staff of hundreds and a budget in the hundreds of millions, they say. The covert action plan is designed to protect the U.S. election system and insure that Russian hackers can't interfere with the November vote, officials say. Another goal is to send a message to Russia that it has crossed a line, officials say."

Again though, there is no "line," and any ethical or legal lines that do exist, we obliterated years ago. We've hacked nations aggressively for decades, and are now fanning our collective faces in indignation at the idea that anybody would dare hack us back. We've contributed to escalating cyber-security tensions by being among the most badly behaved nations on Earth, consistently using the resulting threat escalation to justify our ongoing war on encryption, bloated security contractor budgets, and domestic surveillance expansion. It's a vicious, expensive ouroboros of dysfunction.

We've tried escalation as the aggressor, and it consistently makes things collectively, internationally worse, and certainly doesn't stop us from being the targets of these kinds of attacks. That's why we've noted repeatedly that the smart play here is to focus on defense, instead of letting Putin (and our own security contractors and intelligence community) goad us into more idiotic behavior than ever before.

Filed Under: cia, cybersecurity, cyberwar, escalation, russia

US Gov't Officially Accuses Russia Of Hacking... Question Is What Happens Next

from the this-is-unlikely-to-end-well dept

It's been quite a crazy Friday, and in the midst of it all, the US government finally came out with an official accusation that Russia is behind various hack attacks concerning the US election:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.

The same report says that they don't (yet) have enough information to also accuse Russia of the recent hacks on state election computers:

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.

But they also stick with the party line that actually hacking the election would be difficult:

The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.

Of course, people have been pointing the finger at Russia over these hacks for a while, and according to various reports there's been widespread debate within the Obama administration about making a public accusation. There are two main issues here:

1. Attribution for computer attacks is really really difficult. No one knows for sure, and there are ways to spoof where attacks come from. There does appear to be quite a lot of evidence pointing back at Russia for these hacks, so it does seem like a safe bet. But that doesn't mean it's definitely them. It would be nice if people gave actual confidence values when they make statements like these, but no one in politics ever does that these days.
2. The much bigger question is what comes next. There are political benefits and costs to naming Russia. But the big thing here is that by naming Russia, it gives the US government more leeway to do something in response. And, as we warned many months ago, this is a horrifically bad idea. It will only escalate matters and make things worse overall.

As I noted just the other day, cybersecurity should be a defensive game. Going offensive is really, really dangerous, because things will get worse, and we really don't know what the capabilities of the other side(s) truly are. Focus on protecting critical infrastructure, not on some meaingless symbolic strike back.

But, of course, in this day and age, people seem to feel that every action requires some sort of reaction, and in a computer security realm, that's just stupid. But it seems to be where we're inevitably heading. The cybersecurity firms will get wonderfully rich off of this. But almost everyone will be less safe as a result.

Filed Under: cybersecurity, cyberwar, dhs, hacking, nsa, russia

Trump Joins Clinton In Pushing For Cyberwar

from the well,-that's-just-great dept

We've noted a few times in the past our serious concerns about Hillary Clinton's hawkish and tone deaf views on cybersecurity, in which she wants the US to go on the offensive on cyberattacking, even being willing to respond to attacks with real world military responses. She seems to ignore the fact that the US has a history of being some of the most aggressive players on offense on such things (Stuxnet, anyone?), and doesn't seem to recognize how escalating such situations may not end well at all.

Of course, her opponent, Donald Trump has been totally incomprehensible on cybersecurity during the course of his campaign. There was his first attempt to respond to questions about cybersecurity in which it's not clear he understood the question, and started talking about nuclear weapons instead. Or the time he took a question on cybersecurity and answered by talking about the latest CNN poll. Or, of course, who can forget his debate performance on the topic, where his key insights were that his 10 year old was good with computers and a 400 lb. hacker may be responsible for the DNC hacks.

It appears that the Trump campaign finally decided that maybe Trump should say something marginally coherent on the subject, and sent him out earlier this week with a prepared teleprompter speech, which Trump actually managed to get through without going too far off script. And... it's basically the same kind of bullshit as Clinton -- pushing for more aggressive and offensive cyberattacks.

“I will also ask my secretary of Defense and joint chiefs to present recommendations for strengthening and augmenting our Cyber Command,” Trump said of his cybersecurity plan. “As a deterrent against attacks on our critical resources, the United States must possess, and has to, the unquestioned capacity to launch crippling cyber counterattacks, and I mean crippling. Crippling. This is the warfare of the future. America’s dominance in this area must be unquestioned, and today it’s totally questioned.”

There was also the kind of hilarious claim that the government has not made cybersecurity issues a priority, which is laughable if you've been paying attention to, well, anything in the "cybersecurity" policy space over the past few years. You could say that their priorities within that realm are screwed up. Or that the government seems to mainly use "cybersecurity" as a cloak to hide NSA surveillance efforts. But to argue that it's not been a priority is clearly false.

And, really, having our own side launching "crippling" cyberattacks (as with Clinton's plan) doesn't seem like the most effective plan. These kinds of things only escalate. Being an aggressor here seems particularly shortsighted. Taking out, say, China's internet, may show strength, but for what purpose? Will it really stop Chinese computer attacks on US infrastructure? Doubtful. Cybersecurity is mostly a defensive game, and it should remain that way. Encrypt everything possible. Disconnect critical infrastructure from the wider network wherever possible, and do everything to stop attackers from getting in, taking down, or mucking with systems.

This hawkish talk about offensive attacks in response to inbound online attacks is probably poll-tested to sound good as "being tough," but it's really stupid actual policy.

Filed Under: computer security, cyberattack, cybersecurity, cyberwar, donald trump, hillary clinton, offensive

Declaring Cyberwar On Russia Because Of The DNC Hack Is A Bad Idea

from the calm-the-fuck-down dept

There's been plenty of talk, of course, about whether or not Russia did the hack that exposed various Democratic National Committee emails and other documents. While we've already pointed out that this shouldn't impact the newsworthy nature of the material leaked, it's still an interesting story. We've highlighted some reasons to be skeptical of the claims attributing the hack to Russia, but it does appear that more and more evidence is pointing in that direction. Thomas Rid, over at Vice, has a pretty good analysis of why much of the evidence points to Russia as being behind the attack, and the FBI is now apparently on board with that as well. While I'd still prefer more evidence, at least at this point, it should be admitted that there's quite a lot of evidence pointing in Russia's direction making it, at the very least, the most likely suspect.

But, then, of course, there's the question about what it means and what should be done about it. And we're seeing some hysterical responses. Over at Ars Technica, they have a "guest editorial" from a cybersecurity firm CEO, Dave Aitel, (who also is, of course, ex-NSA), more or less arguing that we should declare cyberwar on Russia over this:

What occurred with the recently disclosed breach of the Democratic National Committee servers, and the dumping of stolen data on a WordPress site, is more than an act of cyber espionage or harmless mischief. It meets the definition of an act of cyberwar, and the US government should respond as such.

This is insane for a variety of reasons, and hopefully no one is seriously listening to this. First of all, hacking happens all the time. In fact, as Ed Snowden points out, revealed documents show that the US itself has authorized the hacking of foreign political parties. So if Russian hackers possibly doing that to us is a "cyberwar attack" and it's the kind of thing we need to hit back on, then, uh, haven't we been committing "cyberwar" on tons of other parties via the NSA -- for which we, too, deserve retaliation?

Second, the idea that hacking into a political party's servers is "cyberwar" is a ludicrous exaggeration -- especially when their own security practices were suspect. As the ACLU's Chris Soghoian reminds us, it wasn't that long ago that our very own CIA director John Brennan found his personal email hacked by a 16-year-old. Was that a "cyberwar attack" as well? People are going to get hacked. It happens. Sometimes because they have weak security, and sometimes because the hackers are persistent and determined (no system is completely secure). That, alone, should never make it something that escalates to the level of "war."

Finally, beware of so-called "cybersecurity" firms continuing to beat this drum. Their entire business relies on keeping people freaked out about this stuff, including the idea that "nation state" hackers are trying to break into everything. They have lots of incentive to play up attacks and get people worked up about "war." "Cyberwar" (whatever the hell that means) is good for business for cybersecurity companies. In fact, some of those companies admit that the lessening of "cyber" tensions between the US and other countries is bad for their business: None of this is to deny that nation state-level hacks may very well be happening. But let's keep things in perspective. Even if something like a "cyberwar" (again, whatever that means) happens, it's likely to be a lot less bloody than an actual war, and so much of the talk about this seems to be driven entirely by people who have a vested interest in promoting greater fear -- with little reason to suggest that, perhaps, this isn't a huge deal. In fact, perhaps a lot of this could be helped by simply employing better security practices and more encryption. But, you know, those kinds of solutions don't make headlines. "Cyberwar" does.

Filed Under: cybersecurity, cyberwar, dnc hack, exaggeration, russia

President Obama Threw A Cyberwar.... And No One Showed Up

from the firing-off-a-blank-check-from-the-'Executive-Order'-account dept

Last spring, in the wake of the Sony hack, President Obama threw a cyberwar. And no one showed up.

In April 2015, President Obama issued Executive Order 13694 declaring a national emergency to deal with the threat of hostile cyber activity against the United States.

But six months later, the emergency powers that he invoked to punish offenders had still not been used because no qualifying targets were identified, according to a newly released Treasury Department report.

It certainly sounded scary enough. Obama said things about "cyber threats" being a serious threat to national security and the US economy. The state of emergency, according to the President, would create a "targeted tool" for combating our cyber-enemies.

This state of emergency is just one more in a line of uninterrupted states of emergencies dating back to the mid-1970s. A perpetual state of emergency is far more useful to the government than a "targeted tool," so a declaration of (cyber) war against a bunch of noncombatants still served a purpose, if only indirectly.

It started the ball rolling on the CISPA/CISA resurgence, which eventually "passed" after being attached to the coattails of a budget bill with far more momentum and support, as few legislators were willing to stare down the barrel of a government shutdown just to prevent a badly-written cyber-bill from passing.

More importantly, the president's statement and executive order gave the administration permission to do things it doesn't normally get to do.

Under the powers delegated by such statutes, the President may seize property, organize and control the means of production, seize commodities, assign military forces abroad, institute martial law, seize and control all transportation and communication, regulate the operation of private enterprise, restrict travel, and, in a variety of ways, control the lives of United States citizens.

Declaring a state of emergency allows for the potential wreaking of havoc in taxpayers' lives. And even if these powers go unexercised (or anything), it still costs the taxpayers money.

Even though it generated no policy outputs, implementation of the executive order nevertheless incurred costs of “approximately $760,000, most of which represent wage and salary costs for federal personnel,” the Treasury report said.

The expenses of national states of emergency aren't being offset by seized funds or assets related to the targets of the executive order. The Treasury Department's report logically notes that zero targets means zero seizures. According to another report quoted by Steven Aftergood of the Federation of American Scientists, the long-running "state of emergency" prompted by various North Korean actions is resulting in less than ~$60,000 a year -- compared to an operational cost of at least $125,000/month (presumably the North Korean state of emergency is more expensive than the "cyberwar" one). No one really expects a "break even" government, but it's inarguable that targeting known or unknown entities via executive orders really isn't doing much to cripple their operations.

Filed Under: administration, cybersecurity, cyberwar, executive order 13694, president obama, white house

Dangerously Underpowered NSA Begging Legislators For Permission To Go To Cyberwar

from the poor,-neglected-NSA dept

Cyber-this and cyber-that. That's all the government wants to talk about. The NSA, which has always yearned for a larger slice of the cybersecurity pie, is pushing legislators to grant it permission to go all-out on the offensive to protect foreign-owned movie studios the USofA from hackers.

NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.

Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards, backdoors in networking hardware, backdoors in hard drives, compromised encryption standards, collection points on internet backbones, the cooperation of national security agencies around the world, stealth deployment of malicious spyware, the phone records of pretty much every American, access to major tech company data centers, an arsenal of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn't enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.

The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 - and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.

That was four years ago -- a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying increased power. And they don't believe it. They'd just act like they do.

Unfortunately, legislators may be in a receptive mood. CISA -- CISPA rebranded -- is back on the table. The recent Sony hack, which caused millions of dollars of embarrassment, has gotten more than a few of them fired up about the oft-deployed term "cybersecurity." Most of those backing this legislation don't seem to have the slightest idea (or just don't care) how much collateral damage it will cause or the extent to which they're looking to expand government power.

The NSA knows, and it wants this bill to sail through unburdened by anything more than its requests for permission to fire.

The bill will do little to stop cyberattacks, but it will do a lot to give the NSA even more power to collect Americans’ communications from tech companies without any legal process whatsoever. The bill’s text was finally released a couple days ago, and, as EFF points out, tucked in the bill were the powers to do the exact type of “offensive” attacks for which Rogers is pining.

In the meantime, Section 215 languishes slightly, as Trevor Timm points out. But that's the least of the NSA's worries. It has tech companies openly opposing its "collect everything" approach. Apple and Google are both being villainized by security and law enforcement agencies for their encryption-by-default plans. More and more broad requests for user data are being challenged, and (eventually) some of the administration's minor surveillance tweaks will be implemented.

Section 215 may die. (Or it may keep on living even in death, thanks to some ambiguous language in the PATRIOT Act.) But I would imagine the bulk phone metadata is no longer a priority for the NSA. It has too many other programs that harvest more and face fewer challenges. The NSA wants to be a major cyberwar player, which is something that will only increase its questionable tactics and domestic surveillance efforts. If it gets its way via CISA, it will be able to make broader and deeper demands for information from tech companies. Under the guise of "information sharing," the NSA will collect more and share less. And what it does share will be buried under redactions, gag orders and chants of "national security." Its partnerships with tech companies will bear a greater resemblance to parasitic relationships than anything approaching equitable, especially when these companies will have this "sharing" foisted upon them by dangerously terrible legislation.

But until it reaches that point, the NSA will keep claiming it's under-equipped to handle the modern world. And it will continue to make the very dubious claim that the best defense is an unrestrained offense.

Filed Under: admiral mike rogers, cyberattacks, cyberwar, nsa

Rep. Mike Rogers, On His Way Out Of Congress, Slams Obama For Not Launching Premature Cyberwar Against North Korea

from the and-for-not-giving-his-precious-nsa-your-data dept

Rep. Mike Rogers is just about out of Congress, but the NSA's biggest defender (despite his supposed role in "overseeing" the agency) is using his last days on Capitol Hill to keep pushing his favorite causes. Over the weekend, he complained that President Obama basically should have gone to "cyberwar" with North Korea over the Sony hack.

“Unfortunately, he’s laid out a little of the playbook,” Rogers said. “That press conference should have been here are the actions.” ...

Without discussing specifics, Rogers said the U.S. has the capability to cripple North Korea’s cyberattack capabilities, which have been rapidly improving over the last few years.

“I can tell you we have the capability to make this very difficult for them in the future,” he said.

And I can tell you that Mike Rogers is full of bluster with little basis. First off, there is still some fairly strong skepticism in the actual computer security field that North Korea was behind the hack. Launching an all out attack without more proof would seem premature. Second, Rogers is simply wrong or clueless. We don't have the capability to "cripple" anyone's "cyberattack capabilities" unless he means taking out the entire internet. There are always ways around that. Even the reports that we've seen that do blame North Korea don't seem to think the full attack came from North Korea, so doing something like taking the few internet connections in North Korea off the map wouldn't do much good if the actual attack came from, say, China or Eastern Europe or somewhere else.

Third, can we just get over this ridiculous idea that a hack of one company, which may or may not have been by actors working for a government, is an act of either "terrorism" or "war." It's not. It's a hack. Tons of companies get hacked every day. Some have good security and still get hacked. Some, like Sony, appear to have terrible security and get hacked very easily. It's not terrorism. It's not war. It's a hack. We shouldn't be talking about retaliation or destroying countries over a hack. We should be talking about better security. Jim Harper does a good job explaining why an overreaction is a bad idea:

The greatest risk in all this is that loose talk of terrorism and “cyberwar” lead nations closer to actual war. Having failed to secure its systems, Sony has certainly lost a lot of money and reputation, but for actual damage to life and limb, you ain’t seen nothing like real war. It is not within well-drawn boundaries of U.S. national security interests to avenge wrongs to U.S. subsidiaries of Japanese corporations. Governments in the United States should respond to the Sony hack with nothing more than ordinary policing and diplomacy.

But, no, not Mike Rogers. Instead, he's using this as his opportunity to push for his favorite bad law: giving the NSA more power to sift through your data:

Rogers, who is retiring from Congress in just a few days, made a final plug for his bill to facilitate cybersecurity information sharing between the private sector and National Security Agency (NSA). The measure passed the House, but stalled in the Senate, held up by privacy concerns.

It’s necessary, Rogers argued, if the U.S. wants to protect itself from similar attacks in the future. Because of laws on the books, the NSA is limited in its ability to protect private critical infrastructure networks.

“This isn’t about reading your email, it’s about reading malicious source code,” Rogers said.

He's talking, of course, about his beloved CISPA, which would effectively remove any liability from companies for sharing your private data with the NSA (and the rest of the government). But, as per usual with Rogers, he's wrong about nearly all of the details. There is nothing in CISPA that would have made it so the NSA could have "protected" Sony. Sony's problem here was Sony's terrible computer security. So, no, we don't need CISPA or other cybersecurity legislation to better protect the internet.

And is Mike Rogers really trying to argue that Sony's private intranet is "critical infrastructure"?

Finally, there's nothing in the law today that stops a company from sharing "malicious source code" with the government or others. We already have a good way for dealing with that that doesn't require a new law that gives the NSA more access to everyone's data.

Either way, it looks like Rogers is going out in typical fashion -- shooting his mouth off in favor of his friends and pet projects, without actually understanding or caring about the details. No wonder he's going into AM talk radio. He'll be a perfect fit.

Filed Under: cispa, cyber terrorism, cyberwar, exaggerations, mike rogers, north korea, sony hack, terrorism, war