Insider Threats: DOJ Says Twitter Employees Spied On User Accounts For Saudi Arabia

from the internal-controls-matter dept

We live in interesting times. A year ago, the NY Times had reported that the Kingdom of Saudi Arabia was aggressively using Twitter to keep tabs on and harass critics of the government. As part of that story, it also claimed that the Saudis might have a "mole" within the company in the form of Ali Alzabarah, who had risen through the engineering ranks to a point where he could access information on people the Saudi government was interested in. That story only noted that Western intelligence agencies had alerted the company that the Saudis were "grooming" Alzabarah. Now, the DOJ has charged two former Twitter employees, including Alzabarah, along with a third individual who worked in social media marketing, with spying for the Saudis. The complaint is worth reading.

It shows how officials appeared to groom the Twitter employees, starting with Ahmad Abouammo, who was (for a time) a marketing manager at Twitter, but who left the company in 2015. It describes how Saudi officials built up a relationship with him, setting up a tour of Twitter's headquarters, and then later providing gifts, such as an expensive watch. Soon after, Abouammo is accused of accessing information on Saudi critics and dissidents;

Within one week of ABOUAMMO's meeting in London with Foreign Official-1, ABOUAMMO began access private Twitter user information of interest to Foreign Official-1 and the Saudi Royal Family.

On December 12, 2014, ABOUAMMO accessed Twitter User-1's email address through Twitter's computer systems. Based on the FBI's review of Twitter User-1's public postings, Twitter User-1 was a prominent critic of the Kingdom of Saudi Arabia and the Royal Family with over 1,000,000 Twitter followers. ABOUAMMO accessed Twitter User-1's email address again on January 5, 2015, January 27, 2015, February 4, 2015, February 7, 2015, February 18, 2015, and February 24, 2015.

On or about January 17, 2015, Foreign Official-1 began communicating with ABOUAMMO on ABOUAMMO's personal email in addition to his Twitter email account. On January 17, 2015, Foreign Official-1 emailed ABOUAMMO at ABOUAMMO's personal email and stated only "as we discussed in london..." Foreign Offical-1 attached to the email a document that discussed how Twitter User-1 had violated both Twitter policy and Saudi laws. On January 20, 2015, Foreign Official-1 called ABOUAMMO twice (the calls lasting 19 seconds and 51 seconds, respectively). On January 22, 2015, Foreign Official-1 called ABOUAMMO seven times (no answer, 6 seconds, 5 seconds, 3 seconds, 4 minutes 37 sections, 3 minutes 36 seconds, and 39 seconds, respectively). ABOUAMMO also accessed the email address provided by user @KingSalman the same day. The handle @KingSalman was the Twitter Account for Saudi King Salman bin Abdulaziz Al Saud. Foreign Official-1 called ABOUAMMO on January 23, 24, and twice on January 25, 2015 (1 minute 57 seconds, no answer, 1 minute 57 seconds, and 6 seconds, respectively). On January 27, 2015, ABOUAMMO accessed Twitter User-1's user email address again. The next day, Foreign Official-1 called ABOUAMMO three times (11 seconds, 5 seconds, and no answer).

It goes on like this with the Saudi official sending "reports" about different accounts claiming they violate Twitter's policies -- which had nothing to do with Abouammo's role in marketing. And then comes this:

On February 19, 2015, ABOUAMMO created an online user ID and password to access the Bank Audi Account his close relative opened in Lebanon on February 3, 2015. On February 24, 2015, ABOUAMMO accessed Twitter User-1's email address and phone number. On the same day, a $9,963 wire transfer was sent from the Lebanon Bank Audi Account to ABOUAMMO's Bank of America account...

There are a few more such transactions. Even after Abouammo quits Twitter (to go to Amazon) he apparently continues to receive money, and would reach out to former colleagues at Twitter to try to access the information the Saudis were seeking. Also, according to the DOJ, Abouammo lied to the FBI (not a good idea), then tried to "alter" documents he gave to the FBI (a very, very bad idea). Indeed, the DOJ's complaint suggests that while the FBI was talking to him, he asked to go use his computer without them present, and then presented them with what they believe to be a doctored invoice.

During the interview, ABOUAMMO offered to obtain a copy of the consulting contract from a desktop computer that he claimed was in his bedroom, and requested that the Agents not follow him to the bedroom. A few minutes later, ABOUAMMO emailed an undated invoice to the email address of a Palo Alto, California based FBI Special Agent.

I believe that ABOUAMMO created the invoice in his residence on a computer while Agents were waiting for ABOUAMMO to provide them with the invoice that was discussed. The address on the invoice for services ABOUAMMO said were rendered in 2015 and 2016 was ABOUAMMO's current address, however, public records show that the property was built in 2017 and ABOUAMMO did not purchase it until August 2017, and the metadata properties associated with the file emailed to the FBI indicates that the file was created on the date of the interview (i.e., October 20, 2018)....

Yeah, don't do that.

As for Alzabarah, the DOJ has details of him flying to DC to meet with various Saudi officials, and then upon returning to work getting pretty damn busy getting info on Twitter users critical of the Saudi government.

Within one week of returning to San Francisco, ALZABARAH began to access without authorization private data of Twitter users en masse. Specifically, although ALZABARAH had not access the private user data of any Twitter Accounts since February 24, 2015, starting on May 21, 2015, through November 18, 2015, ALZABARAH accessed without authorization through Twitter's computer systems the Twitter user data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter. A Twitter Security Engineer informed the FBI that, although ALZABARAH may have had grandfathered access to view user information through an internal Twitter tool called "Profile Viewer," ALZABARAH had no legitimate business purpose as a Site Reliability Engineer to access user accounts. ALZABARAH's job was to help keep the site up and running, which did not involve accessing individual user accounts.

The DOJ then notes that the Saudi official had email notes detailing the locations of some of the key Twitter users that Alzabarah was looking up for them. Alzabarah also created notes for himself about whether or not he was eligible for reward money the Saudi government was offering for information on certain "terrorists." There are also notes about "secur[ing]" his "future and my family's." Alzabarah later fled the US and apparently resigned from Twitter via email after his flight took off from LA.

This is all kind of fascinating. For all the concerns about outside hacking, insider attacks are still considered a much bigger threat and much harder to detect or prevent. While it does sound like there were some lax controls in place to prevent people who shouldn't have access to certain information from getting to that info, that's not all that unexpected in Silicon Valley (and an area that many companies need to significantly improve in). The complaint does suggest that Alzabarah made "unauthorized" access to this information, even though he was allowed to access a tool. That certainly suggests criminal CFAA charges, and some aspects of that seem problematic. While it does appear that there are other laws Alzabarah broke, arguing it's a CFAA violation to use tools he was granted access to seems like a stretch. And, of course, there are broader questions with Abouammo and why he even had access to any of this data at all.

If anything, hopefully these charges wake up many Silicon Valley companies to the value and importance of better internal controls on how data is made accessible. In the rush to build up companies, insider controls are often one of the last things companies care about (if no one uses a service, who cares, and if a service is growing like gangbusters, then there are many other, more important issues to focus on). But companies need to recognize that when these services are used as broadly as they are, they become an attack vector, and employees are often targeted by governments to try to access information. Of course, it's always going to be impossible to stop all access to information -- hell, even the NSA has had to deal with poor controls and "insider" attempts to access information (see: Snowden, Ed). But it does seem increasingly important for companies to be aware of how valuable their data might be to governments, and do more to protect it.

Filed Under: ahmad abouammo, ali alzabarah, cfaa, controls, employee access, espionage, insider threats, saudi arabia, spying
Companies: twitter

Mozilla Says Australia's Compelled Access Law Could Turn Staff There Into 'Insider Threats'

from the how-to-undermine-your-software-industry-without-really-trying dept

Despite unanimous warnings from experts that it was a really bad idea, the Australian government went ahead and passed its law enabling compelled access to encrypted devices and communications. Apparently, the powers have already been used. Because of the way the Australian government rammed the legislation through without proper scrutiny, the country's Parliamentary Joint Committee on Intelligence and Security has commenced a review of the new law. That's the good news. The bad news is that Andrew Hastie, the Chair of the Committee, still thinks fairy tales are true:

I note with the House the concerns raised by some stakeholders in the tech sector about these laws, including in today's press. I welcome the ongoing contribution from these stakeholders as the committee continues its review. I note, however, that the legislation as passed prohibits the creation of so-called back doors. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.

Sure, whatever, Andrew. One of the stakeholders that has made a submission to the Committee is Mozilla, which is worried by one aspect in particular (pdf):

Due to ambiguous language in [the compelled access law], one could interpret the law to allow Australian authorities to target employees of a Designated Communications Provider (DCP) rather than serving an order on the DCP itself through its General Counsel or an otherwise designated official for process. It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.

As Tim Cushing explained in his December post when the compelled access law was approved, that would put employees in an impossible position. They would be forced by the authorities to put backdoors of some kind in a product, but it had to be accomplished in secret. Moreover, they risked five years in prison if any of their colleagues noticed, which they probably would, since unauthorized changes to code would naturally be spotted and challenged. Because of that ridiculous situation, Mozilla warns it would have to take drastic action:

this potential would force DCP’s [like Mozilla] to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities.

What's true for Mozilla, is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely. It will also have a big impact on the trustworthiness of any code produced in the country. In fact, that's already a problem, as another submission to the Parliamentary Joint Committee makes clear. It comes from one of the leading Australian software companies, FastMail, which provides hosted email services to 40,000 companies around the world. It says that "we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice." Like Mozilla, FastMail is worried about the impossible position of employees (pdf), who may be coerced by the Australian authorities into weakening the company's code:

Our staff have expressed concerns that they may be forced to attempt to secretly add back doors or security holes in our service -- actions that would be just cause for dismissal -- and be unable to tell us why they have made these changes.

…

This is not just a matter of looking after our own staff's mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer's interests.

The comments of these two organizations show clearly the practical problems of this ill-thought-out legislation. They also confirm that bringing in this kind of law is one of the quickest ways to undermine the local software industry, and increase dependence on foreign companies that are less likely to comply with demands to insert backdoors in their code. If the Australian government cares about those consequences, or indeed about the online safety of its citizens, it would do well to heed the words that conclude Mozilla's submission to the review:

This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad. We urge the Committee and the Australian Parliament to move swiftly to remedy the significant harms posed by this legislation. Ultimately, the best course of action is to repeal this law and start afresh with a proper, public consultation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: australia, backdoors, encryption, insider threats
Companies: fastmail, mozilla

The Proper Channels For Whistleblowers Are Still A Joke

from the like-a-big,-dysfunctional-family...-fighting-over-a-will dept

This administration has made it clear whistleblowing isn't tolerated. It has prosecuted more whistleblowers than all other administrations combined. It's even planning a "Welcome Home" prosecution for the nation's most famous whistleblower -- Edward Snowden -- should he ever decide to return to the US.

Officials, of course, claim to love whistleblowing. That seems to be the main objection raised to Snowden's activities: "If only he'd gone through the proper channels, we wouldn't be seeking to jail him the moment he returns to American soil (or the soil of any country with a favorable extradition policy)."

But there are no official channels -- or, at least, no channels whistleblowers feel safe using.

Foreign Policy has the story of another NSA whistleblower the agency has chosen to make miserable rather than investigate the source of her complaints. It started with an FBI raid of her house -- something she found out via a phone call from an FBI agent already in her house. From there, it got worse.

“They suspended my clearances without giving me any reason,” she remembers. She wasn’t allowed at work, and for two years, the NSA made her “call every day like a criminal, checking in every morning before 8.” Khorasani went to the agency only for interrogations, she says: eight or nine sessions that ran at least five hours each. She was asked about her family, her travel, and her contacts.

This was all triggered by a meeting she set up with Thomas Drake -- another famous whistleblower prosecuted by this administration -- about how to follow through with a complaint about what she felt was an unfair reassignment. According to Drake, it was already too late.

“He said, ‘You’ve got the bull’s-eyes on you. You’re done,’” Khorasani recalls.

As the article points out, her story is one of several. The agency -- and the administration -- have made no meaningful distinction between whistleblowing and insider threats. They treat both in the same way, even if one is an integral part of government accountability. Anything the agency considers to be a threat, it handles with swift severity.

Individuals can find their clearances yanked, something that is signalled to other NSA employees with a red security badge, rather than the normal blue one. Employees are encouraged to report anything questionable about other employees to supervisors. Some employees aren't even employees. They're plants put in place to encourage incriminating statements or actions.

This isn't doing the NSA -- and dozens of other government agencies -- any favors. Talented people are leaving because they don't want to work in this environment. Potential employees are looking elsewhere for work. And still others are being forced out of a job because they aren't willing to simply shut up when they see something that bothers them.

The DOJ is no different. It's no fan of whistleblowers either. Unfortunately for it, it's not a national security agency so it can't maintain quite as much control over disclosures by whistleblowers. That's why it's been fighting legislators over whistleblower protection proposals. Marcy Wheeler has highlighted some of its objections to Senator Grassley's legislation, raised in recent testimony in front of a Congressional committee.

First off, it apparently feels too many of the proper channels are out of its direct control.

[A]s Attorney General Loretta Lynch revealed, DOJ is worried that permitting FBI Agents to report crimes or waste through their chain of command would risk exposing intelligence programs.

"What I would say is that as we work through this issue, please know that, again, any concerns that the Department raises are not out of a disagreement with the point of view of the protection of whistleblowers but again, just making sure that the FBI’s intelligence are also protected at the same time."

I suspect (though am looking for guidance) that the problem may be that the bill permits whistleblowers to go to any member of Congress, rather than just ones on the Intelligence Committees. It’s also possible that DOJ worries whistleblowers will be able to go to someone senior to them, but not read into a given program.

It's also likely concerned that whistleblowers will expose a number of questionable activities.

Still, coming from an agency that doesn’t adequately report things like its National Security Letter usage to Congress, which has changed its reporting to the Intelligence Oversight Board so as to exempt more activities, and can’t even count its usage of other intelligence programs, it seems like a tremendous problem that DOJ doesn’t want FBI whistleblowers to have protection because it might expose what FBI is doing on intelligence.

The FBI must be severely damaged at this point, or have too many secrets it would hate to see fall into the hands of legislators not connected to its mostly-captive audience in the Intelligence Committee. Grassley noted one of the agency's objections to additional whistleblower protections is that there's so damn much about the agency employees would complain about.

One of the issues that your department has raised is that allowing FBI employees to report wrong-doing to their chain of command could lead to too many complaints. You know? What’s wrong with too many complaints? … Seems to me you’d invite every wrong doing to get reported to somebody so it could get corrected.

If there's any agency that is sorely in need of some periodic deep housecleaning, it's the FBI.

This is the FBI! Not only a bureau that has tremendous power over people, but also one with a well-documented history of abuse. It should be the first entity that has whistleblower protection, not the last!

This is why there aren't more whistleblowers. The "proper channels" at the NSA will most likely net a whistleblower a search of their house and belongings en route to a forced resignation. Meanwhile, the FBI, with the DOJ's backing, is trying to narrow the reporting channels so it can -- like its NATSEC big brother -- eliminate unhappy employees before they can do any damage.

Filed Under: insider threats, leakers, nsa, proper channels, whistleblowers, white house

Spyware-For-Business Company Thinks Concerns About 'Medical Bills' Are Indicators Of An 'Insider Threat'

from the terminated-for-googling-'student-loans' dept

It's no secret that many companies monitor their employees' computer use. But things are going much further than simply ensuring the normal "don'ts" -- file sharing, porn viewing, etc. -- are tracked for disciplinary reasons. Companies are now on the lookout for the next "insider threat." Some companies are viewing the Snowden saga as the ultimate cautionary tale, albeit one that results in more surveillance rather than less. (via Dealbreaker)

Guarding against such risks is an expanding niche in the security industry, with at least 20 companies marketing software tools for tracking and analyzing employee behavior. “The bad guys helped us,” says Idan Tendler, the founder and chief executive officer of Fortscale Security in San Francisco. “It started with Snowden, and people said, ‘Wow, if that happened in the NSA, it could happen to us.’ ”

But the effort to find -- and prevent -- the next "insider threat" from damaging his or her company seems to be just as misguided as the government's efforts to do the same. Looking for potential threats often results in viewing almost everything as an indicator of future treachery.

One company cited "changes in email habits" as being indicative of an "insider threat." Others, like Stroz Friedberg, aren't as selective. The company, started by former FBI agent Edward Stroz, veers into the same dangerous territory the government does when rooting out "threats." In its hands, normal activities are viewed with suspicion by its monitoring software.

The software establishes a base line and then scans for variations that may signal that an employee presents a growing risk to the company. Red flags could include a spike in references to financial stresses such as “late rent” and “medical bills.”

And what better way to tackle "late rent" or "medical bills" than suddenly finding yourself unemployed simply because re-purposed FBI analytic software thinks any small sign of (possibly temporary) financial instability indicates your next move will be to steal something. Millions of people in the US deal with these realities frequently -- especially the latter. And yet, millions of employees still find other ways to tackle these problems instead of dipping their hands in the tills or running off with sensitive documents.

Stroz's software also thinks -- like the government -- that an unhappy employee is a malicious employee.

He offers the scenario of a star trader at a bank who’s disappointed with the size of her annual bonus. Instead of being blindsided when she defects to a rival, a bank using Scout could identify her discontent early and make sure she doesn’t take sensitive data or other team members with her.

Or, the company could try to work with the employee rather than just secretly track her until her eventual exit. Once again, unhappy employees leave companies all the time without taking anything with them. Sure, a few do, but the deployment of software like this will generally produce more false positives (and a further strain work relationships) than insider threats. And there's nothing like firing people for something they haven't done (but might!) to endear a company to its remaining employees.

Despite all of this, Edward Stroz believes his company's predictive employee policing software is just another way for companies to show their employees how much their staff means to them.

He’s still careful when discussing the software, describing it as a way to help employers build a “caring workplace.”

Oh, it's anything but. While employees will often accept monitoring of their internet/computer usage as being a necessary part of the employee-employer relationship, they're not going to be happy to find out that searching for information about medical bills might see them lose a source of income. And they're definitely not going to be thrilled to learn that expressing displeasure about company practices and policies may result in the same thing. If a company wants to foster a "caring workplace," it should be addressing employee discontent, not monitoring it. But what do you expect from companies -- and the entities that provide them with spyware -- that view the Snowden leaks as justifying increased surveillance?

Oh, and employees had better believe their file sharing use will be actively monitored (and used against them). Stroz Friedberg may be making enterprise pre-crime software now, but its past as an RIAA lobbying firm (and its slightly-later past as a Six Strikes "independent expert") has been well-noted.

Filed Under: insider threats, monitoring, spyware
Companies: fortscale security

NSA Funding Bill Passed By Senate Intelligence Community Gives Agency Extra Cash To Hunt 'Insider Threats'

from the because-you-can't-be-'protected'-unless-you're-discovered,-amiri dept

An earlier attempt to defund NSA programs via amendments to the Defense Dept. appropriations bill went nowhere (but by a much narrower margin than many expected), and now it's up to both the House and Senate to push bills through reauthorizing the NSA's budget.

The Senate Intelligence Committee has already given its thumbs up to NSA spending, advancing a bill that contains a little something extra for its favorite agency.

The Senate Intelligence Committee has advanced legislation to reauthorize funding for the National Security Agency and surveillance programs.

The bill includes new funding for technology to combat "insider threats" and leaks of classified information.

The committee approved the legislation in a 13-2 vote late Tuesday.

The NSA's budget is currently $10.2 billion (which we know thanks to leaked documents). This additional funding will be earmarked for barn door closing and witch hunting.

The bill would empower the director of national intelligence to make improvements to the government's process for investigating people with security clearances, such as Snowden.

The phrase, "throwing good money after bad" comes to mind. An intelligence agency of this size and reach should have been prepared for this eventuality and maybe, just maybe, shouldn't have been so willing to outsource everything from system administration to the background checks themselves. Giving the NSA more money in order to help it guard against an eventuality like Snowden's massive disclosures is basically rewarding it for running a leaky ship.

The bad news is that the government doesn't know how to approach the "insider threat" issue. Any nuance is obliterated by a horrible combination of bureaucracy and paranoia, which results in the government suggesting that an employee's "dissatisfaction with US policies" or financial problems indicate he or she is a possible "insider threat."

According to the press release issued by the committee, the bill will also include some sort of protection for whistleblowers provided, of course, they go through official channels.

[Institutes] new statutory protections that protect the ability of legitimate whistleblowers to bring concerns directly to the attention of lawmakers, inspectors general and intelligence community leaders

That's the press release wording, so we'll have to wait until the text of the bill is made public before we'll be able to judge the merits of this claim. The administration has talked a strong game about transparency but has prosecuted more whistleblowers than all other administrations combined. Requiring whistleblowers to go through official channels in order to be afforded any legal protections just makes it that much more difficult for any true whistleblowing to occur. Official channels are in place to discourage whistleblowing rather than accommodate it, no matter what assurances might be included in the legislation. Besides, any bill that aims at both rooting out "insider threats" (many of whom may just be whistleblowers) and protecting whistleblowers is at odds with itself.

The bill passed 13-2 out of committee. Even without a roll call of those votes, it's safe to assume the nays came from Ron Wyden and Mark Udall, which should be an indicator of the bill's indulgence of the NSA's desires and the presumably weak whistleblower protections that accompany it.

Filed Under: budget, funding, insider threats, nsa, surveillance, whistleblowers

The Only People The NSA Can't Spy On Is Its Own Employees

from the irony-or-just-incredibly-ugly? dept

The NSA is everywhere, hauling in everything. Recent leaks point out how the agency is collecting data on millions of phone calls across Europe, along with snagging SMS messages, email and internet traffic. This is on top of everything it's doing in the US with its many programs, which cover everything from phone metadata to a large percentage of internet traffic (once streaming services like YouTube and Netflix are removed from the equation).

But for all its spying power and prowess, the NSA still can't manage to keep an eye on its own backyard. A number of factors contributed to Snowden heading east with thousands of sensitive files, not the least of which was a complete lack of internal controls. The NSA honestly seems to have no idea what most of its contractors are doing. Rather than institute any more internal controls (or ones that work), the agency is leaning towards simply laying off 90% of its contractors. That may mitigate potential problems, but it stills leaves its internal systems exposed to "insider threats."

It seems that nothing goes unnoticed by its external "eyes," but those focused inward are limited in number and in vision. As was pointed out earlier, the NSA may be able to haul in millions of emails and sift through them for "relevant" information, but when asked to search its own internal email system, it draws a blank.

Additionally, as Mike covered last Friday, attempts at installing software for detecting internal threats have been thwarted by a vague "lack of bandwidth." This software, made by Raytheon, still isn't in place despite being ordered into use in 2010, shortly after Manning's leaks to Wikileaks surfaced. This lack of threat detection software made it much easier for Snowden to gather what he did -- an event the NSA had no contingency plan in place to deal with, much less head off.

As Mike said, it's unclear what this "lack of bandwidth" phrase is referring to. It could mean the software demands too many network resources to do its job. Or it could mean there aren't enough manhours to devote to installing and implementing the software. It could also simply mean the agency would rather not install the software and has come up with a plausible reason why it "can't."

Mark Hosenball, writing for Reuters, indicates it's a network issue.

Officials responsible for tightening data security say insider threat-detection software, which logs events such as unusually large downloads of material or attempts at unauthorized access, is expensive to adopt.

It also takes up considerable computing and communications bandwidth, degrading the performance of systems on which it is installed, they said.

By not installing this software (something the Dept. of Defense itself hasn't done yet), the NSA is in risk of violating the law governing insider threat detection. According to Hosenball, this software requirement was written into law in 2011, and agencies affected had until the end of October 2013 to have it in place. Obviously, the NSA won't be meeting this dealine. It has until October 2014 to have it both in place and fully operational, but it may have trouble even hitting that extended deadline.

One official said intelligence agencies had already asked Congress to extend the deadline beyond October 2014 but that legislators had so far refused.

Installing new software that plays nice with existing government software can be a lengthy nightmare, but this difficulty is hardly the only factor affecting its incredibly slow adoption. As Marcy Wheeler points out, the agency may not want to make the bandwidth tradeoff needed to deploy this threat detection software.

If the Intelligence Committees were unable to get the IC to take this mandate seriously after the Chelsea Manning leaks, I don’t see any reason they’ll show more focus on doing so after Edward Snowden. They seem either unable to back off their spying bandwidth draw far enough to implement the security to avoid another giant leak, or unwilling to subject their workers (or themselves?) to this kind of scrutiny.

If any combination of the above is true, it makes truly disturbing statement about the agency's mentality. For one, the NSA has resisted any sort of meaningful oversight. It may have no desire to subject its internal employees to additional scrutiny -- even if it means more "damaging" leaks -- simply because it would rather not generate any evidence of wrongdoing that could be used to threaten its ongoing programs.

It's also disturbing that the agency would seemingly make the tradeoff of internal security for uninterrupted and unimpaired collection activity. The agency and its supporters constantly claim there's a "balance" between security and liberty that must be considered. But its failure to implement a program that looks for potential leakers compromises the agency's security (and, consequently, the nation's, if its supporters are to be believed) in order to harvest even more data -- collections that haven't conclusively shown they're keeping the nation safer. The agency would rather deal with embarrassing leaks (or worse, the sale of information to enemy nations) rather than curtail its collection programs or subject its own staff to the same level of scrutiny the rest of the nation experiences.

Filed Under: insider threats, leak prevention, nsa, nsa surveillance

For An Intelligence Agency, The NSA Doesn't Seem To Have Much Idea What's Going On Inside Its Own Walls

from the inside-of-a-panopticon-is-the-least-secure-area dept

Better late than never, the NSA seems like it's finally getting around to fixing the problems on the inside of the agency.

So sharp is the fear of threats from within that last year the NSA planned to launch at least 4,000 probes of potentially suspicious or abnormal staff activity after scrutinizing trillions of employee keystrokes at work. The anomalous behavior that sent up red flags could include staffers downloading multiple documents or accessing classified databases they do not normally use for their work, said two people familiar with the software used to monitor employee activity.

Somebody's putting in some overtime! In addition to sifting through the vast amount of data collected in its many quasi-legal (and some completely illegal) programs, the agency has also had to wade through "trillions" of logged employee keystrokes. (The haystacks are coming from inside the house!)

This investigation has chewed up a lot of money with very little in the way of results, suffering from "critical delays" and (go figure) a lack of cohesive implementation. Meanwhile, a sysadmin headed to Hong Kong with an NSA-to-go kit. Not that a more expeditious rollout of the investigations would have mattered.

Contractors like Snowden, an NSA spokeswoman said, were not included in the plans to reinvestigate 4,000 security clearances.

The agency claims these investigations aren't in place to root out offenders (although it's certainly welcome to do so), but to "reduce the potential" of an insider compromise.

“Periodic re-investigations are conducted as one due-diligence component of our multifaceted insider threat program.”

Well, whatever's been put into place so far has failed dramatically, and what's being pursued doesn't look very promising. The agency claims the first rollout was stunted by resources being diverted towards mitigating the fallout from Bradley Manning's leaks. Now, as the agency tries to reignite the investigative process, Snowden (and several media entities) are standing behind it, periodically blowing out the flame.

The NSA still seems to have no idea what exactly Snowden took and that lack of knowledge has forced it to play nothing but defense since the leaks began. The internal vetting process seems to be about as "efficient" as the external process, albeit for very different reasons. An agency that can't search its own email doesn't have a chance against an individual with access and determination.

And then there's this aspect of the whole debacle, as pointed out by Bruce Schneier:

I am completely croggled by the fact that the NSA apparently had absolutely no contingency plans for this sort of thing.

It doesn't, and that's a very worrying issue for a NATIONAL SECURITY AGENCY. At this point, the NSA can't close the barn doors fast enough and every assertion it makes about the limits, oversight or "trustworthiness" of its programs is usually undermined within a few days by yet another leak. Something aimed at nothing more than a "reduction" in leaky insiders just isn't going to be good enough. On the other hand, the public is benefiting from the NSA's pain -- it's now more informed about the agency's activities than it's been for the previous half-decade -- and the cumulative effects of the leak-and-denial cycle have forced the NSA to actually participate in a national discussion and make tentative steps towards transparency.

Filed Under: clearance, employees, insider threats, nsa, top secret