Features
Scary words about nuclear hijacking
Today’s Senate hearing on strategic and cyber matters took a Bondian turn when Sen. Bill Nelson wanted to know if a cyber attacker could take control of Russian or Chinese nuclear missiles and launch them.
A Minuteman Missile test. Credit: U.S. Air Force
The answer was not reassuring: “Senator, I don’t know,” said Air Force Gen. Robert Kehler, commander of U.S. Strategic Command. “I do not know.”
Seated next to Kehler was Army Gen. Keith Alexander, the commander of Cyber Command. If he knows, he stayed mum through the exchange.
Nelson, D-Fla., suggested that the U.S. might need to do something in the international cyber realm akin to the 1991 Nunn Lugar legislation. It set in motion a process for collaboratively safeguarding dismantled weapons of mass destruction.
“Let’s don’t stop with China. What about the Brits? What about the French? Do they have the capabilities of stopping a rogue cyber attack from coming in and suddenly messing up their command and control?” Nelson said.
Nelson and Sen. Carl Levin, D-Mich., the Senate Armed Services Committee chairman, agreed to take up the issue in a closed session.
Kehler tried to calm the conversation a bit. He said Russian commanders are "very careful about their nuclear command and control," and he said the U.S. would like to have military-to-military dialogues with China on the topic.
The battle over war-zone fingerprints
US-VISIT wants prints collected in Iraq, Afghanistan
On the bucolic grounds of the FBI’s campus in Clarksburg, W.V., stands an architectural marvel sometimes jokingly called the Taj Mahal. Inside is a repository of identity data, mostly fingerprints, on 110 million people – criminals, terrorists and suspected terrorists. It was here, eight years ago, that a heated internal debate took place on the subject of whether and how to share fingerprint records across federal agencies.
Collecting fingerprints in Afghanistan. Credit: U.S. Defense Dept.
Attending were representatives from the Departments of Defense and State and the recently created US-VISIT, an office of the Department of Homeland Security with a mission to use biometrics to keep terrorists from breezing through legal entry points, as they had before the Sept. 11, 2001 attacks.
US-VISIT came to Clarksburg with a demand: Share the fingerprint records of the Iraqis, Afghans and foreign fighters encountered by U.S. troops. Defense officials were reluctant to do that. The records were scattered among numerous databases, some of them highly classified, recalled a participant at the meeting. US-VISIT played its trump card: If there were an attack inside the U.S. and it turned out the Defense Department unwittingly possessed the attackers’ fingerprints, but hadn’t shared them, the Defense Department would be responsible. Voices were raised. Finally, the Army’s intelligence representative slammed his fist on the table. The records would be shared, but the process would turn out to be less than elegant and very incomplete.
The meeting was nevertheless significant because it set a precedent for sharing the troves of prints and names gathered by U.S. troops. Some of the prints came from detainees, but more often they were gathered through incentives or coercion – civilians had to submit to fingerprinting to re-enter Fallujah, Iraq, after the coalition offensive there, for example.
Flash forward, and not much has changed about the sharing process. It's gone from handing off data tapes to manually uploading records via file transfer protocol. The system is kluged together with stop gaps to prevent the wrong people from getting visas or walking through customs. The Clarksburg meeting wasn't the victory it seemed, but since November a group of underdogs at US-VISIT has been pushing to unlock millions of military fingerprint records by establishing an automated connection with the military’s repository.
It won’t be easy. US-VISIT’s parent agency, the Department of Homeland Security, hasn’t embraced the plan, and there's sequestration to deal with. On top of that, even after the Clarksburg meeting, the military continued collecting millions of records in a format incompatible with US-VISIT’s fingerprint repository.
UGLY WORKAROUNDS
If US-VISIT can overcome those obstacles, consulate and border protection officers would be able to query a set of fingerprints across the military’s records in real time. They would know, for example, if the person submitting his fingerprints for a visa application gave a different name when troops collected his prints. Odds of handing a visa to a dangerous person would be reduced because no one would be waiting for ftp files to be uploaded. Today, those consulate and border officers can query against an 800,000-record watchlist provided by the Defense Department. They can’t search against the balance of the 9.5-million records in the military repository.
The country’s array of biometric databases is complicated, to put it mildly. US-VISIT’s repository, called IDENT, is connected to the FBI's repository but not directly to the military's. Only the FBI repository is fully connected. The FBI’s repository is located in Clarksburg and is called IAFIS for the Integrated Automated Fingerprint Identification System. The military repository is called ABIS for the Automated Biometrics Identification System. It's now co-located with IAFIS.
It’s a triangle with a missing link and ugly workarounds.
“I’ve always said the biometric safety net around our country is really kind of a patchwork quilt,” said David Cuthbertson, assistant director of FBI's Criminal Justice Information Services Division, which runs IAFIS.
Cuthbertson participated in an unusually frank discussion of the problem during the Feb. 26 – 28 Armed Forces Communication and Electronics Homeland Security conference in Washington, D.C.
SEARCH FOR A SOLUTION
One idea was to mash all the records into a giant database. That was ruled out a few years ago because the rules governing the sharing of identity information vary widely among agencies. The database would be too hard to manage.
The three databases should interact “but we do need to keep them separate…so that we can protect privacy, protect civil liberties, and really conduct the missions that we need to,” Cuthbertson said.
In lieu of a giant repository, US-VISIT wants to establish an automated interface with ABIS, the military repository.
Here’s the political problem: US-VISIT doesn’t have buy-in from DHS, said current and former DHS officials. DHS hasn't blocked US-VISIT from pursuing the concept -- US-VISIT staff held a big meeting in February with their DoD counterparts -- but DHS has avoided doing anything that could be construed as a public embrace.
For example, DHS declined to provide someone to participate on the AFCEA biometrics panel last month.
In an unusual step, the session moderator, former US-VISIT director Jim Williams, drafted US-VISIT’s Greg Ambrose to come out of the audience and up to a microphone to answer a question from the audience.
Ambrose is the soft-spoken, bespectacled chief information officer for US-VISIT. If the gap is to be closed, Ambrose will be the unlikely hero.
He’ll need to come to terms with Don Salo, a retired Army colonel with a grumbling voice who spent 27 years as a military cop and investigator. Salo, who was on the biometrics panel, came over to the Defense Department from Commerce to direct the Defense Forensics and Biometrics Agency.
When people talk about cultural gaps, they mean Ambrose and Salo.
Ambrose has been laying low since November, when he told an industry audience that the interoperability ball was in the Pentagon’s court: “We’re waiting to see how DoD wants to proceed,” he said.
Williams pressed him for specifics, and Ambrose described a twofold plan:
“We’ve been working with DoD to put an interface in place so that we can query each other’s systems, and that continues to be worked through in terms of requirements, understanding where DoD is headed with their program,” Ambrose said.
In the meantime, US-VISIT is “looking to move all of the files that DoD has into IDENT…so we can query those data files that they have,” Ambrose said.
Why is it hard? Salo put it like this: “It’s the number of files that have to go over and the conversion of formatting the files, the textual. DHS is working on that. They’re coming up with a system where they can read our files. But the type of files we have are in a format that they can’t read.”
Ambrose said US-VISIT and the Defense Department still need to “ensure that we’ve got funding and prioritization between the two organizations to put that interface in place.”
Translation: There’s a long, long way to go.
Williams wanted to know when the gap would be closed -- “Later this year, isn’t it?”
Salo: “We think by ‘14 there will be evolving connections.”
Something that could help coordination, Salo said, is the decision to move the military’s repository from another facility in West Virginia to the FBI’s Clarksburg site.
Beyond that, he and Ambrose painted a portrait of two bureaucracies hard at work on interoperability: “We had a meeting on it yesterday,” Salo said.
STOPPING THE DRIFT
The push to close the gap could be just in time, especially if it brings better overall biometrics coordination. For years, biometrics meant fingerprints, but technologists are working on iris scans and possibly facial recognition as strategies for securing buildings, prisons and borders. The agencies will need to coordinate their approaches and investments, or they could end up where they are today on fingerprints.
Cuthbertson gave a glimpse of an immediate issue. Other agencies are warming to iris scans, but for law enforcement, fingerprints will always be critical, he said. “When you commit a crime you can leave a photograph” -- ie, from an ATM camera – “You can leave a fingerprint. Pretty hard to leave an iris there at a crime scene. If the iris was left there, I think we’ve got the fingers.”
Williams has been around long enough to sense where this is going: “The worry is, as we have all these new applications, now modalities, new things. If you don’t have synchronized funding, then frankly you could have somebody moving in one direction, and the other part of the system -- the federated system -- not speaking up,” he said.
For now, job number one is closing the fingerprint gap.
Boeing eyes global coverage with Phantom Eye
Now that Boeing’s Phantom Eye unmanned plane is flying again, the company will take a cautious approach toward sending the Boeing-funded aircraft to an altitude of 65,000 feet, where it would have an incredible view.
The view would only come once Boeing has the confidence to install an expensive sensor package. Phantom Eye can carry up to 450 pounds of equipment, but it will carry ballast until Boeing proves it won't crash.
Phantom Eye takes off Feb. 25. Credit: Boeing
“We want to operate this vehicle safely, that’s the first goal. The second goal is to get it up to the altitude,” said Drew Mallow, Boeing’s Phantom Eye program manager. “We’re going to slowly expand the envelope of Phantom Eye with the eventual goal of getting up to 65,000 feet.”
The big intelligence pitch likely will come with the larger version of Phantom Eye Boeing wants to build. Before it can do that, Boeing needs to prove the endurance capability of the plane’s twin, hydrogen-fueled engines, which were adapted from Ford Ranger pickup truck engines.
The hydrogen engines sound daring compared to traditional aviation fuel engines, but Boeing calculates the risks will be worth it:
“Hydrogen has three times the energy content of normal av gas, so it allows us to, with the amount of hydrogen we can store on the vehicle, have quite long endurance,” said Boeing’s Brad Shaw, chief program engineer for Phantom Eye.
A larger version of Phantom Eye would have a wingspan of 250 feet compared to Phantom Eye’s 150-foot span. It would fly for up to 10 days compared to Phantom Eye’s four, with the exact endurance depending on the weight of the payload, Boeing said.
“That would allow you with basically three vehicles to...cover almost the entire globe (with) a surveillance-type capability,” Mallow said.
First things first though. Phantom Eye flew to an altitude of 8,000 feet Feb. 25 and landed without incident on the same dry lakebed in California where the plane broke its nose wheel on its inaugural flight last June.
Phantom Eye flew for 66 minutes and cruised at 62 knots this time.
The June 1, 2012 flight taught Boeing some rough lessons. Engineers turned to the company’s landing gear experts for the F-15 and F/A-18 to help build and install a stronger gear system.
Boeing also changed the location of the cutters that Phantom Eye’s nose wheel uses to break through the Mylar covering that keeps the nose aerodynamic. The cutters dragged on the lakebed during the inaugural flight.
Maybe most importantly, they added an aerodynamic fairing to the wheeled takeoff cart Phantom Eye uses so it can land on skids and a single nose wheel.
“That was to address takeoff acceleration in the second flight -- so again, that was a lesson learned from the first flight,” said Shaw.
This article was updated March 6
Encryption spending jumps
The hospitality industry uses more encryption than do governments. So does the leisure industry and also the transportation sector. The public sector, in fact, ranks sixth for use of encryption, according to a survey of security practitioners in seven countries. The survey was sponsored by Thales e-Security, the data protection arm of the Paris-based defense giant.
Credit: Thales e-Security
At the same time, estimated total spending on encryption by all sectors grew by 2.5 percent from 2011 to 2012, one of the biggest jumps in the eight years the survey has been conducted.
Thales released the “2012 Global Encryption Trends Study” today. The Ponemon Institute of Traverse City, Mich., surveyed 4,205 individuals on Thales’ behalf.
The spending figures were particularly interesting to Thales: “This last year we saw one of the biggest hikes in budgets that we’ve seen for the last seven years or so,” said Thales e-Security’s Richard Moulds, vice president of product strategy.
In 2011, businesses and governments spent 15.1 percent of their information technology security budget on encryption. The number jumped to 17.6 in 2012.
As for the public sector's low ranking, Moulds suspects it's because more governments are requiring credit card information to be encrypted wherever it resides or flows within an organization. Ironically, that pushes those governments below "such security hotspots as hospitality and leisure."
Perhaps most significantly, the study shows that encryption strategies – once the purview of IT managers – are increasingly being set at higher levels.
“In the U.S., this was the first year that business centric managers” in government and private businesses “became the primary responsibility for writing the encryption strategy,” he said.
That means protecting data through encryption is becoming a bigger deal, he said.
“Most other security technologies out there, whether it’s identity management or intrusion detection, or whatever it might be, are pretty much constrained to the security group and IT group. But encryption seems to be different because it’s tied so squarely to public policy, public privacy laws, information disclosure, data disclosure acts,” Moulds said.
TEXT: Army statement on LEMV cancellation
A single flight over the New Jersey pines last August was not enough to convince the Army to continue work on the Long Endurance Multi Intelligence Vehicle, a 302-foot long airship that by now should have been spotting IEDs in Afghanistan. Prime contractor Northrop Grumman referred inquiries to the Army, which issued this statement:
LEMV last August on its first and only flight. Credit: U.S. Army
"The Long Endurance Multi-Intelligence Vehicle (LEMV), a hybrid air vehicle, is
a technology demonstration project administered by the U.S. Army Space and
Missile Defense Command. This project was initially designed to support
operational needs in Afghanistan in Spring 2012; it will not provide a
capability in the timeframe required. Due to technical and performance
challenges, and the limitations imposed by constrained resources, the Army has
determined to discontinue the LEMV development effort."
Asteroid hunting 101: Go to space
When a 45-meter wide asteroid whizzed by Earth closer than our geosynchronous satellites, it was a good reminder that the world relies on a loose conglomeration of amateur and government-run telescopes to spot dangerous things headed our way.
NOTE: This story was updated Feb. 15 -- the day of the asteroids.
The explanation point was the unexpected explosion of an estimated 17-meter asteroid over Chelyabinsk, Russia, on the same day. Just a few days earlier, NASA's best asteroid scientists held a teleconference with reporters to talk about Earth's impending close-call with the 45-meter asteroid. They had no idea something else was bearing down on Earth and would be the real newsmaker.
If the smaller asteroid was bad, asteroid 2012 DA14 would have been a lot worse. NASA's Don Yoemans said it would be traveling eight times faster than a rifle bullet and would have packed a wallop of 2.4 megatons -- about the same as the 1908 Tunguska, Siberia, explosion that leveled trees for 820 square miles.
Helpful but not enough -- DARPA's Space Surveillance Telescope in New Mexico. Credit: DARPA
So what's in the works to improve our surveillance? A bit of an upgrade will come later this year when detections from the DARPA-developed Space Surveillance Telescope in New Mexico are fed into the Minor Planet Center at Harvard University, the world’s official repository of such data.
The DARPA telescope is still not the answer the rock hunters are looking for. Spanish astronomers detected what is now known as asteroid 2012 DA14 only last Feb. 23. That's not much warning time to plan a deflection mission, and of course no one saw the Chelyabinsk asteroid coming at all.
“Being able to detect these objects is much easier…in the infrared region of the spectrum, and to do that, you really need to get out into space,” said NASA's Lindley Johnson in a media teleconference.
If the intelligence community already has something up there that can do that, the asteroid hunters aren’t acting like it.
NASA has a cooperative Space Act Agreement with a non-profit group called the B612 Foundation, Johnson said. B612 is the name of the asteroid in the children’s book, “The Little Prince,” but this is no game. The foundation wants to launch a space-based infrared telescope called Sentinel that would orbit the sun on a hunt for asteroids.
Ball Aerospace is on contract to deliver prototypes of the sensors for Sentinel, the company confirmed. Because it’s a commercial deal, Ball isn’t saying how much the contract is worth.
The B612 Foundation could have plenty of time. Scientists consider an asteroid impact like the one in Tunguska to be an event that happens on average once every 1,200 years. Then again, why play those odds?
Wanted: ICITE acquisition strategy
Network overhaul aims to soften intel budget pain
No sector of government wants to deal with sequestration, but the intelligence community could make a compelling case for why it’s in the worst position of all. On top of the usual work of trying to stay ahead of events in North Korea, Iran and Syria, the community is trying to figure out how to roll out a massive information technology modernization project.
NRO's Jill Singer: Critical tests underway for ICITE computing tech. Credit: Government Executive and INSA.
The Intelligence Community Information Technology Enterprise initiative is supposed to reduce the community’s annual IT spending by 20 percent by 2018. The savings would come gradually, a CIA official said, because the new community-wide operating system would be run in parallel with existing networks until managers gained enough confidence to unplug the old ones.
If the plan works, agencies would no longer operate their own unique operating systems for top secret work. That change plus a shift toward cloud computing and adoption of apps are supposed to offset reductions to the $80 billion annual intelligence budget.
It sounds good, but a year and half into the work, the community has yet to decide on an overarching acquisition strategy for ICITE. The community also is showing signs of waffling on its promise to have an early version of the system running at DIA and NGA by the end of March.
Anxieties about ICITE (pronounced eyesight) and sequestration were palpable today at a seminar produced by the Nextgov news site and the Intelligence and National Security Alliance.
Big data firms and software providers are anxious to win new work in a tightening budget. Intelligence workers would gain all sorts of 21st Century tools, like inter-agency instant messaging and an online applications mall filled with data crunching apps supplied by the various intelligence agencies. This vision is going to require solving some big problems. One is getting face time with acquisition staffs to work out how ICITE would be implemented.
“If you all are working with the acquisition workforce across the intelligence community, you know that they are overtaxed, that they are overworked,” said Jill Singer, NRO’s chief information officer. She helped conceive of ICITE with peers at other agencies. “Certainly at the NRO they are understaffed. So finding free time with them has been quite a challenge,” she said.
Gus Hunt, the CIA’s chief technology officer, said the threat of automatic budget cuts is soaking up staff time at his agency: “We’re spending an enormous amount of time planning for sequestration,” he said.
Paige Atkins, chair of an ICITE task force convened by the Intelligence and National Security Alliance, said decisions about what to cut are being made by leaders outside of the acquisition staffs. But she said sequestration could slow the rollout of ICITE. The "biggest impact would probably be to stretch out the schedule(s) -- particularly for FOC versus IOC," she said by email, referring to ICITE's initial operating capability and full operating capability.
Singer was pressed about the March date for ICITE’s initial operating capability, defined as having the common desktop environment ready at NGA and DIA, with NSA providing a cloud computing service.
“Some independent testing (is) going on right now, and it will depend on how successful that is. If they run into any show stoppers, then they’ll step back. But certainly I believe the goal is spring of calendar year 13,” she said.
Then there is the question of the acquisition strategy. The intelligence community was able to do the initial ICITE work through “creative” financing, Singer told Deep Dive after the seminar.
A long-term plan would be needed to roll out the system across the community’s 16 agencies and the Office of the Director of National Intelligence.
Only the basic principle has been agreed upon: ICITE won’t be a program of record or a traditional acquisition. CIA, DIA, NGA and NSA have been assigned specific roles under ICITE, and they are funding their work out of their own budgets. NGA and DIA are creating the common desktop. CIA and NSA are collaborating to shift collection troves out of traditional data centers and into private cloud servers. In ICITE parlance, the agencies are “service providers” for intelligence staffs across the community, who are their customers. The agencies are supposed to recoup their ICITE investments from their customers in some fashion but no one knows exactly how that would be managed or implemented.
Industry officials are curious too: “Understanding that the service providers will be the ones that do the acquiring, how will you get them to fund what you want, and how will you keep them on track, and how will you prevent those service providers from not recreating today’s stovepipes?” CSC’s Joe Mazzafro asked.
Singer said performance metrics would be established for periodic assessments, perhaps quarterly, and that ICITE managers are working with chief financial officers across the community “to figure out what the right cost recovery models will be for the various services.”
A fall back could be a more traditional acquisition: “There is always an option inside the intelligence community to dispense with too much administrative burden and have it be appropriated,” Singer said.
OPINION: Three steps for a safer cyberspace
The spy gadget guru "Q" in the Bond movie Skyfall claims he can do more damage from his laptop sitting in his pajamas than Bond can do in a whole year. The movie is a fairly accurate, if highly dramatized, account of where global society is headed in the 21st Century. That is -- If we don’t get our collective cyber houses in order.
W. Hord Tipton is executive director of (ISC)2, the International Information Systems Security Certification Consortium. He is a former chief information officer at the U.S. Department of Interior.
We just can’t reach our potential as civilized societies under today’s unfettered, state-of-nature approach to cybersecurity. For a while it looked like the wilderness of cyberspace was a national security advantage for the U.S., given our technological edge over nearly all others. I’m just not sure that edge exists anymore. If it does, it’s quickly eroding, and we see it in the headlines nearly every week.
The organization I lead, (ISC)2, the International Information Systems Security Certification Consortium, places its stake in building a safer cyber world by certifying information security professionals throughout their careers. These professionals, however, are only as good as the cybersecurity construct they operate within.
Here’s a few things we as a nation should do, and soon, to improve our security:
• Establish an international cyber code of conduct or treaty
We need to establish rules for engagement in cyberspace, whether we like it or not. As the country that invented the Internet, the U.S. should lead this effort.
In the physical world, the existence of established norms of warfare provides influence -- some call it soft power -- to those who live up to those norms. The same can be true for actions in cyberspace.
We need to start this process by clarifying what constitutes an act of war in cyberspace.
Was targeting Iranian centrifuges with the Stuxnet virus an act of war? Arguably it was. Establishing a foolproof, internationally recognized means of attributing such an attack remains a major hurdle for governments. But if a nation state or non-state actor had shut down an American nuclear plant with a weapon like Stuxnet, I’m confident we’d consider that an act of war.
What do we do then? We need to define what would constitute a just, proportional response, and get others to agree. Once we do that, those who might consider attacking our critical infrastructure or that of our friends would have a clear sense of the retaliation they would risk.
• Stop glorifying hackers
I hear too many people in the three-letter agencies claiming they need to hire former hackers to help protect their networks. We need to stop glorifying hackers with claims like that. It only serves to inspire the next generation of those folks.
In reality, at a moment’s notice I could assemble a corps of certified security experts to do anything those hackers can do. Our 90,000-strong members must meet the highest ethical standards in order to earn and keep the certifications we issue. In a government of law and order, there are some rights that convicted criminals forfeit forever. Someone who commits a crime with a gun should never be allowed to buy a gun. Someone who abuses children in school shouldn’t be allowed into a school again. It doesn’t matter if the person has done his or her time. It should be the same with hacking and other cyber offenses.
• Pass comprehensive cyber legislation
Just as with so many other issues before Congress, we’ve reached paralysis on cyber legislation at a time when the threats are so great that we can ill afford it. By now it should be clear that volunteer measures and lists of best practices will not be enough to secure financial institutions, defense contractors, and other sectors. The cyber threat has been well recognized for years, but a stubborn 90 percent of break-ins continue to result from simple to intermediate sophistication levels of attack. Nearly all could be avoided if basic control measures and human expertise were in place.
Reasonable regulations, a cyber treaty, and the highest possible hiring standards should not be feared. They should be embraced for the economic vitality and stability they can help guarantee.
EXCERPTS: Brennan CIA hearing
John O. Brennan kept his cool as members of the Senate Select Committee on Intelligence criticized his beloved CIA for lack of transparency with lawmakers and questioned the drone strike program he orchestrates. The panel’s top Republican tried to paint Brennan as an opportunist for distancing himself from EITs – the “enhanced interrogation techniques” applied to terror suspects during Brennan’s years at CIA under the Bush administration. The Feb. 7 hearing was a key test for Brennan’s nomination to become director of CIA.
Brennan defends his record. Credit: C-SPAN
Excerpts by topic >>
Drone strategy >>
Sen. Dianne Feinstein, D-Calif.: “I also intend to review proposals...[including one] to create an analog of the Foreign Intelligence Surveillance Court to review the conduct of such strikes.”
Brennan in a terse exchange with Sen. Saxby Chambliss, R-Ga: “Well I respectfully disagree senator….I never believe it’s better to kill a terrorist than to detain him. We want to detain as many terrorists as possible so we can elicit the intelligence from them in the appropriate manner so that we disrupt follow-on terrorist attacks.”
Drone transparency >>
Feinstein: “…civilian casualties that have resulted from such (drone) strikes each year has typically been in the single digits. When I’ve asked to give out the actual numbers, I’m told: You can’t. And I said why not? Because it’s classified. It’s a covert program. For the public it doesn’t exist. Well, I think that rationale, Mr. Brennan, is long gone.”
Brennan: “…it is understandable that there is great interest in the legal basis as well as the thresholds, criteria, processes, procedures, approvals and reviews of such actions. I have strongly promoted such public discussion with the Congress, and with the American people. As I believe that our system of government and our commitment to transparency demands nothing less.”
Drone memos >>
Feinstein: “Up to last night, when the president called the vice chairman; Sen. Wyden and myself (to say) that they were providing the OLC (Dept. of Justice Office of Legal Counsel) opinions, we had not been able to get them.”
Brennan: “I would certainly be an advocate of making sure that this committee has the documentation it needs in order to perform its oversight functions. I have been an advocate of that position. I will continue to be.”
Feinstein: “…I’m counting on you to provide eight (additional) OLC opinions.”
Reporting drone strikes >>
Brennan: "...if I were to go to CIA, and the CIA was involved in any type of lethal activity, I would damn well make sure that this committee had that information. Absolutely."
Staff frustrations >>
Feinstein: “When the (Office of Legal Counsel) opinion came over, our staff were banned from seeing it this morning….This is upsetting to a number of members. We depend on our staff because you can’t take material home. You can’t take notes with you.”
Detention and interrogation >>
Chambliss: “We know that the 2009 executive order removed the CIA from the detention business, but the current framework is simply not working to get real time access to intelligence from terrorist detainees.”
Committee alleges mismanaged interrogations>>
Brennan: “The report right now still remains classified…There clearly were a number of things, many things…that I would want to look into immediately if I were to be confirmed as CIA director. (The report) talked about mismanagement of the program, misrepresentations of information, providing inaccurate information...I look forward, if confirmed, to reading the entire 6,000 page volume because it is of such gravity and importance.”
Accusation of opportunism>>
Chambliss: “What steps did you take to stop CIA from moving to these (enhanced interrogation) techniques you now say you found objectionable at the time?
Brennan: I had expressed my personal objections and views to my, some agency colleagues, about certain of those EITs, such as waterboarding, nudity and others, where I professed my personal objections to it, but I did not try to stop it because it was…something that was being done in a different part of the agency under the authority of others, and it was something that was directed by the administration at the time.”
Chambliss: “….We just (have) not seen anybody who has come forward and said they ever heard any objections from you with respect to these programs…Mr. (Buzzy) Krongard, your boss at CIA, told the Wall Street Journal that you had a role in setting parameters of the program…”
Brennan: “I respectfully disagree with my former colleague, Buzzy Krongard. I was not involved in the establishing the parameters of that program.”
Chambliss: “In a November 2007 interview you said that information from the interrogation techniques saved lives, closed quotes.”
Brennan: “I must tell you senator that reading this report from the committee raises serious questions about the information that I was given at the time…at this point, senator, I do not know what the truth is.”
Sen. John D. Rockefeller IV, D-W.V.: "There never can be that kind of situation again -- where we have to tell you what’s going wrong in your agency..."
Waterboarding Abu Zubaydah>>
Brennan: “…I had awareness that the agency was going forward on it, I had some visibility into some of the activities there, but I was not part of any type of management structure or aware of most of the details.
Chambliss: That being the case, why would you be the recipient of a minimum of 50 emails Mr. Brennan on the progress of the interrogation of Abu Zubaydah, including the techniques used in that interrogation?
Brennan: Senator, as part of a standard email distribution, I was on thousand upon thousands of email distributions as deputy executive director. I think I was just cc’d on them.”
Torture>>
Sen. Carl Levin, D-Mich: Do you have a personal opinion as to whether waterboarding is torture?
Brennan: I have a personal opinion that waterboarding is reprehensible and it’s something that should not be done. And again, I am not a lawyer senator, and I can’t address that question.
Thumbs-down for 1998 Bin Laden capture try >>
Brennan to Chambliss: (The proposed mission) “was not well grounded in intelligence, and its chance of success were minimal….Senator, I have no second thoughts whatsoever about my advice, which was to look carefully at this operation because the chance of success were minimal.”
Defense Clandestine Service vs. CIA's National Clandestine Service >>
Brennan: "I want to make sure that these efforts are not going to be redundant whatsoever. And I’ve had conversations with Mike Morell as well as with Gen. Flynn over at DIA, to make sure that these efforts are truly going to be integrated and complementary..."
A nod to Petraeus >>
“As I appear before you today, I would additionally like to extend a special salute to David Petraeus, a patriot who remains, as do all former directors, one of the staunchest advocates of the agency’s mission and workforce.”
Jersey roots >>
“I have a reputation for speaking my mind, and at times doing so in a rather direct manner, which some attribute to my New Jersey roots.”
When hacks get hacked
Media accuses China. Will other industries follow?
Investigators at Mandiant, a small company that mops up big cyber messes, have seen it all. They usually can’t talk about any of it, because most clients would rather not trouble consumers, investors or business relations with harrowing tales of stolen passwords and hacked email.
That’s not the case in the matter of the hacking of the New York Times, allegedly by the Chinese government and possibly by the Chinese military. We're about to see if dragging hackers into the public square makes any difference at all.
The Times company has given Mandiant the green light to talk about the investigation it began in November, including the evidence it says it gathered of official Chinese involvement.
One revelation is that the targeted nature of the hacking -- against 53 computers at various New York Times sites -- was not particularly unusual and required no technical breakthroughs on the part of the hackers.
“People have been asking, ‘Is this a new trend that we’re seeing?’” said Mandiant’s Nick Bennett, who managed the investigation. “I would say no, it’s not a new trend. The only thing unique about this particular situation is that the New York Times decided to come out and talk about it,” he told Deep Dive.
The hackers seemed most interested in the computer and email of Shanghai Bureau Chief David Barboza. He’s the author of an October article detailing the wealth amassed by China’s Prime Minister Wen Jiaboa.
Why does Mandiant think the hackers were working for the Chinese military? Because their work matches the pattern of other cases believed attributable to the Chinese military, and because they were “stealing data that matches Chinese interests,” Bennett said.
The Times company turned to Mandiant in November after AT&T reported suspicious network traffic. Mandiant worked clandestinely at first to learn everything it could about the tactics of the hackers without alerting them. Forensics suggest that the hackers entered the network in September.
The New York Times published a 2,400-word feature Jan. 30 laying out the evidence for Chinese government or military involvement and quoting a strong denial from the Chinese military.
The Times felt confident enough about the evidence to run a photo of Wen, the prime minister, as the teaser for a video accompanying the article.
The Times contends that the Chinese targeted Barboza’s email account in the erroneous belief that he had cultivated a Chinese “Deep Throat,” meaning a human source. In fact, Barboza pieced the story together from public information, says reporter Nicole Perlroth, in the video.
The moxy of the Times will be a good test of what happens when suspected hackers are outed and their victims go public.
The wisdom of that strategy has been a hard sell in other business sectors. The Securities and Exchange Commission had poor response last year to a new guideline urging businesses to disclose hacking incidents in their regulatory filings, reported the Insurance Journal and Reuters.
In the Times case, the revelation by one company led to a dam break of similar revelations. The Wall Street Journal followed with a report saying its computers had been broken into too. The Washington Post, responding to an account by Brian Krebs of the “Krebs on Security” blog, confirmed that it, too, was a victim of hacking from China. The Post reported it brought in Mandiant in 2011 to neutralize Chinese attacks that began as far back as 2008. The Post took exception with a claim that it turned over one of its servers to the National Security Agency and Defense Department for analysis. A spokeswoman was quoted expressing confidence that such a turnover did not happen.
The coming months will tell us whether this sudden openness can extend beyond the media sector, or whether newspapers have a built-in incentive to let readers know the Chinese government fears them too.
