Skip to content

Today’s Headlines and Commentary

By
Tuesday, April 15, 2014 at 12:15 PM

Today is the anniversary of the Boston Marathon bombing. The New York Times gives us an update on Dzhokar Tsarnaev and the ongoing preparations for his November trial.

The search for the missing Malaysian Airlines flight went underwater yesterday, although the submarine’s first look at the seabed of the Indian Ocean was cut short because of depth restrictions. It has been a week since any pings have been detected. Meanwhile, China has been on the receiving end of some ire from the international community for false reports and misleading information, which has thrown the search effort off course.

Shocker! The Washington Post and the Guardian won Pulitzer Prizes for public service for their reporting on NSA surveillance. The Washington Post covers the story—and, minimally, the controversy. It also comes as no surprise that Ben dissents on the matter.

Speaking of Bens, the Associated Press’ Ben Fox writes about the thick veil of secrecy surrounding Guantanamo’s Camp 7. Unsurprisingly, Fox strongly implies that the degree of secrecy is excessive and perhaps nefarious.

Hearings at Guantanamo Bay on United States v. Mohammed et. al. ground to a sudden halt yesterday as defense attorneys alleged that FBI agents had sought to enlist the help of members of defendant Ramzi bin al-Shibh’s defense team. Spencer Ackerman of the Guardian reports on yesterday’s proceedings, and Carol Rosenberg of the Miami Herald covers today’s. Wells was almost-there, covering it almost-live, until today’s public proceedings also ground to a halt.

The Hill reports that the U.S. Army has denied an appeal from Chelsea (formerly Bradley) Manning, as convening authority Maj. Gen. Jeffrey S. Buchanan approved the finding and sentencing of the court. Josh Gerstein of Politico also has the story.

As Jane noted yesterday, a massive bomb blast has killed at least 72 and injured over 164 more in the largest terrorist attack in the Nigerian capital of Abuja. Islamic militants are assumed responsible.

Despite significant delays, Syria’s recent delivery of chemical weapons brings the total percentage of weapons that the Assad regime has surrendered close to two thirds. Originally, the surrender and destruction of the weapons was supposed to be completed by mid-February. The Times has more.

The Times editorial board discusses the futility of the Israeli-Palestinian peace talks, and argues that it is time to move on from the Middle East.

We move on, then, to the latest from Ukraine. The Wall Street Journal informs us that Ukrainian troops have moved to retake cities in the eastern part of the country. There has been at least one clash between the military and pro-Russian forces so far. President Vladimir Putin wanted to talk to President Obama last night; the latter said a diplomatic solution was still possible.

MIT Technology Review has a brief interview with Eugene Kaspersky, founder of the Moscow-based computer security firm Kaspersky Labs, on issues related to cyber—including a brief comment on the state of the cyber conflict in Ukraine.

Forbes has a piece on the implications of Google’s recent acquisition of Titan Aerospace, a producer of high-altitude drones. Business Insider takes a closer look at the drones themselves.

Email the Roundup Team noteworthy law and security-related articles to include, and follow us on Twitter and Facebook for additional commentary on these issues. Sign up to receive Lawfare in your inbox. Visit our Events Calendar to learn about upcoming national security events, and check out relevant job openings on our Job Board.

9/11 Defense Counsel on the FBI’s Contacts with Defense Team Members

By
Tuesday, April 15, 2014 at 9:29 AM

Defense lawyers for 9/11 accused Ammar al-Baluchi had this to say yesterday, about an emergency defense filing in the 9/11 case concerning alleged FBI contacts with a member of another accused’s defense team:

GUANTANAMO BAY, CUBA Today, defense attorneys in the 9/11 military commission revealed that the FBI had interrogated a Defense Security Officer, and required him to sign an agreement establishing a “special relationship” between the defense team member and the FBI.

“The U.S. government’s breach of the integrity of the defense teams is outrageous,” said Lt Col Sterling R. Thomas, USAF, a former prosecutor now detailed to defend Ammar al Baluchi.

Under Military Commission Protective Order #1, most recently amended in December 2013, a “Defense Security Officer is, for limited purposes associated with this case, a member of the Defense Team, and therefore shall not disclose to any person any information provided by the Defense, other than information provided in a filing with the Military Commission.”  The duties of a Defense Security Officer are:

(1)    Assist the Defense with applying classification guides, including reviewing pleadings and other papers prepared by the defense to ensure they are unclassified or properly marked as classified;

(2)    Assist the Defense in performing their duty to apply derivative classification markings pursuant to E.O. 13526 § 2.1(b).

(3)    Ensure compliance with the provisions of any Protective Order.

9/11 Case Motions Hearing: April 15 Session

By
Tuesday, April 15, 2014 at 8:48 AM

Tax day is upon us; so is day two in a four-day, pre-trial motions hearing in United States v. Mohammed et al.  (You can find coverage of yesterday’s quite brief open session here.)

As always, Lawfare will file mini-updates on the hearing throughout the day, in our “Events Coverage” section—and link to those updates here.

4/15 Session #1: Housekeeping, and FBI Things

4/15 Session #2: What Sorts of Evidence, Part One

4/15 Session #3: What Sorts of Evidence, Part Two (And a Recess)

Update [11:30 a.m.]: proceedings have concluded for the day; no court will be held tomorrow. Stay tuned for a possible resumption of the hearing on Thursday.

The Washington Post and Guardian Pulitzers: I Dissent

By
Tuesday, April 15, 2014 at 8:30 AM

I know it is rude and churlish to offer anything but warm congratulations when former colleagues win a major prize—much less journalism’s most prestigious award. I know I am courting a barrage of hostile tweets and emails with these words. I know as well that I am on the losing end of elite opinion on these subjects—that we are settling on a narrative that makes a public interest triumph out of journalism I regard as shoddy and beneath the great names of the organizations that produced it. But for whatever it’s worth (not much) and to whomever, I dissent from the Pulitzer Committee’s decision to give its public service award to either the Guardian or the Washington Post.

The Pulitzer Board’s citation to these two organizations has a faintly comic air. The Post the board congratulates not merely for “its revelation of widespread secret surveillance by the National Security Agency” but for “authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security.” For the Guardian, by contrast, the board rather conspicuously omits any reference to authority or to insight, noting only that the paper had “help[ed] through aggressive reporting to spark a debate about the relationship between the government and the public over issues of security and privacy.”

The latter is at least true. The commendation to the Post, by contrast, involves an assertion of fact that is, at a minimum, highly contestable. The Post got big things wrong in the stories the board honors. It reported that NSA has access to the servers of internet companies—a fact it then changed in the story without running a correction, for example. It grossly misreported, using entirely true facts, on a compliance audit so as to present it as suggesting nearly the opposite of what it actually shows. And it frequently reported on the most routine sort of overseas intelligence collection, collection of precisely the sort the law authorizes, in breathless tones suggestive of gross impropriety. The Post‘s reporting has indeed been authoritative, though not because it has been good or consistently accurate; its authority has been part of the problem. Its coverage has often been the opposite of insightful. And it has in fact served to help the public misunderstand the issues on which it was intended to shed light.

As to the Guardian, well, if sparking a debate is enough to earn the Pulitzer’s coveted public service medal, then sure. Congrats. I would note, however, that merely sparking a debate is an exceedingly low standard.

There was a time, and it wasn’t very long ago, when this medal meant something more, when “aggressive reporting” meant more than being a vehicle to shovel leaked documents to the public, with stops along the way for obligatory government comment, for fawning characterizations of one’s own sources, and for tendentious claims about what those documents say.

In 1999 and 2000, when I was a young editorial writer at the Post, the Post won the public service medal two years running. In 1999, it was for a series analyzing and reinvestigating a series of police shootings in D.C. The following year, it was for the incredibly moving work of Kate Boo in investigating abuse in D.C. group homes for the mentally disabled. I remember the meetings in the Post newsroom the days those awards were announced, partly because I was personally close to several of the reporters involved but also because the work was journalism at its very finest craft and a source of huge institutional pride for the paper for which I worked. They passed a test much higher than the “sparked a debate” test, a test that the Westboro Baptist Church and the Church of Scientology, I might add, pass with some regularity, and they were not merely transit stops for leaks from others. They passed a test that involved building a story and reporting it richly for the public out of what was not previously there.

This kind of journalism still exists. This year’s Pulitzer finalist, according to the board’s citations, went to Newsday, for “its use of in-depth reporting and digital tools to expose shootings, beatings and other concealed misconduct by some Long Island police officers, leading to the formation of a grand jury and an official review of police accountability.” How sad it is that such work today comes in second—and how much sadder what now defeats it.

Today’s Headlines and Commentary

By
Monday, April 14, 2014 at 12:12 PM

Last night, the UN Security Council held an emergency meeting to discuss the worsening crisis in Ukraine, reports CNN. The Ukrainian government set a Monday 9 a.m. deadline for pro-Russian militants to vacate buildings across eastern Ukraine, reports the New York Times; the deadline was ignored. The country’s acting President Oleksandr Turchynov has requested the deployment of UN peacekeeping troops for an “anti-terrorist operation” to be conducted jointly with Ukrainian security forces against the insurgents, reports the Associated Press.

On Friday the White House announced it would block Iran’s proposed envoy to the UN, Hamid Aboutalebi, from entering the United States, one day after the House of Representatives voted unanimously to bar entry to those involved in terrorism or deemed a threat to U.S. security; Aboutalebi was allegedly involved in the 1979 seizure of the U.S. Embassy in Tehran. The Washington Post has more. Iran has officially lodged a complaint with the UN over the ban, reports Reuters.

The sanctions relief promised as part of the temporary nuclear accord between Iran and major world powers has translated into little economic relief for Iranians. The NY Times speculates as to what that means for Iran’s willingness to negotiate a permanent deal by the July 20 deadline.
In an address at Damascus University, Syrian President Bashar al-Assad claimed to have reached a “turning point” in the country’s three-year civil war, noting that his army was winning “the war against terror.” The BBC reports.
Libya’s interim prime minister, Abdullah al-Thinni, announced on Sunday that he is stepping down. His announcement came a day after Thinni and his family were allegedly attacked in a residential neighborhood, possibly by militiamen, writes the New York Times.
Where is Sharif Mobley? The American jailed for over four years in Yemen has disappeared after allegedly making contact with an American-born radical preacher and being grabbed off the street by Yemeni security agents in 2010; his attorneys have not seen him since late February. Here‘s the Washington Post story.
Two bombs blasted through Nyanya motor park in Nigeria’s capital on Monday. No one has officially claimed responsibility, but bus stations have been a major target for the country’s Islamist militants. At least 71 are dead, reports the Associated Press.
Former Ku Klux Klan leader Frazier Glenn Cross, the subject of a 1987 federal manhunt, has been arrested for allegedly gunning down three people at a Jewish community center and Jewish retirement complex near Kansas City, reports the AP. Attorney General Eric Holder has instructed the DOJ to determine whether the shootings broke federal hate crimes law. See the AP by way of ABC.
Last night Guantanamo defense lawyers filed for an urgent hearing on the grounds that FBI agents turned a security officer on Yemeni detainee Ramzi bin al Shibh into a “confidential informant,” creating a conflict-of-interest in the 9/11 case. The Miami Herald has the story.
The Heartbleed security nightmare is shedding light on how NSA exploits zero days to access secure networks, says the Wall Street Journal. On Friday, Bloomberg reported that NSA knew about the flaw for at least two years, prompting a flat denial from ODNI: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.”
Al Jazeera America is reporting that the fine print of a $1.5 billion contract between USAID and a firm contracted by the U.S. government to help set up a Twitter-style social network in Cuba suggested some classified work could be involved.
The Pentagon will be turning old drones into wi-fi hotspots, reports the BBC. Darpa has just completed the first of three test phases, but not everybody is happy about it. According to Chris Cole, editor of Drone Wars UK, “Regardless of whether drones are delivering weapons or wi-fi it seems that the growing use of unmanned systems simply means more war and less overall security in the future.”
Email the Roundup Team noteworthy law and security-related articles to include, and follow us on Twitter and Facebook for additional commentary on these issues. Sign up to receive Lawfare in your inbox. Visit our Events Calendar to learn about upcoming national security events, and check out relevant job openings on our Job Board.

The Policy Tension on Zero-Days Will Not Go Away

By
Monday, April 14, 2014 at 11:32 AM

The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters.  It is based on at least two false assumptions.  The first is that the number of zero-days is finite, or, if not finite, then at least small enough that, at prevailing market prices, the United States could clear the market without either bankrupting the Treasury or creating inflation of Argentine dimensions.  Someone should do the math on this, but surely the assumption is incorrect.  The number of zero-days is unknowably huge and will continue to grow as long as people write software.  Markets are notoriously difficult to corner.  Consequently, one must always assume that there are (1) undiscovered zero-days and (2) zero-days that have been and will continue to be discovered by adversaries but not by us.

The second false assumption is that the Russians, the Chinese, the Iranians, and other cyber-capable actors would adopt the same disarmament policy.  Indeed, our unilateral adoption of that policy would make it less likely they would follow.

The sigint vs. security tension has existed at NSA for many years.  When I arrived at NSA in 2002, sigint nearly always had the upper hand over defense.  As I have observed the agency, the balance since then has shifted significantly in favor of defense.   I cannot quantify this observation, however, and I do not know precisely how this tension is now being managed.  What I do know is that the tension will not go away, and that pretending otherwise would lead to a very dangerous policy.

9/11 Case Motions Hearing: April 14 Session

By
Monday, April 14, 2014 at 8:43 AM

Today marks the beginning of a four-day hearing in the 9/11 case, a.k.a. United States v. Mohammed et al.   Lawfare will cover the session, with almost-live updates from a Closed Circuit TV viewing facility located at Maryland’s Fort Meade.

Throughout the day, we’ll publish each post over at our Events Coverage page, and link to them below.  We expect the gavel bang at 0900—and extensive litigation over the competency of 9/11 accused Ramzi Binalshibh.

4/14 Session #1: Ex Parte Hearings, FBI Investigations, and a Recess

UPDATE [10:00 a.m.]: open proceedings stand in recess until tomorrow.

The Week That Will Be

By
Monday, April 14, 2014 at 12:00 AM

Event Announcements (More details on the Events Calendar)

  • Mon, April 14 – Thurs, April 17: United States v. KSM et. al. motions hearing.
  • Mon, April 14 at 2:00 pm: The Brookings Institution hosts “Challenges to Further Nuclear Arms Reductions.“ The Arms Control and Non-Proliferation Initiative at Brookings and the Heinrich Böll Foundation North America will hold a discussion on the challenges that inhibit further nuclear reductions.
  • Mon, April 14 at 7:00 pm: Georgetown University Law Center hosts “Allies at War: Legal Issues in Multinational Security Operations.” The discussion will focus on legal considerations in conducting multinational security operations including issues of interoperability, targeting, and detention, as viewed through the lens of Afghanistan, Libya, and counter-piracy operations in the Indian Ocean.
  • Wed, April 16 at 8:30 am: The Atlantic Council hosts “Beyond Data Breaches: Global Interconnections of Cyber Risk.” This event is the release of a new report written by the Atlantic Council’s Jason Healey, which “seeks to prepare the public and private sectors to endure these cyber shocks of tomorrow and bounce back quickly.”

Statement of the Chief Prosecutor on This Week’s Hearing in the 9/11 Case

By
Sunday, April 13, 2014 at 9:19 PM

You’ll find it here.

And that’s as good a reminder as any that, tomorrow, Lawfare will resume coverage of pretrial motions hearings in United States v. Mohammed et. al.  This week’s four-day session will feature (among other things) litigation over the competence of accused 9/11 co-conspirator Ramzi Binalshibh to take part in the proceedings.

In his written remarks, the Chief Prosecutor, Brig. Gen. Mark Martins, discussed a variety of subjects, including transparency:

Part of an Open and Accountable Process that Considers All Relevant Facts

Recently, a victim family member asked me why critics continue to claim the process is too secretive. Her perspective about the proceedings is an informed one, as she has visited Guantanamo, has viewed military commissions as well as federal civilian trials, and has, on occasion, obtained transcripts and briefs from the military commissions website. Indeed, a thesis that persists in the blogs and talking points of certain private advocacy groups—despite a mounting record contradicting it—is that in military commission trials, allegations of past misconduct by officials or agents of the government can be kept secret. It is even darkly suggested that secrecy and alleged overclassification of information may be a reason for using military commissions. While I acknowledge and respect the desire for scrutiny of government action that seems to lay behind some of the criticism, this secrecy or intentional overclassification thesis, as applied to trials ultimately held under the Military Commissions Act of 2009 (the “Act”), is difficult to reconcile with fundamental truths. Read more »

The Aboutalebi Visa Denial: U.S. Law and Historical Precedents

By
Sunday, April 13, 2014 at 4:11 PM

President Obama’s decision to deny a visa to Iran’s would-be Ambassador to the United Nations, Hamid Aboutalebi, is based on U.S. law dating back to 1947 and has numerous historical precedents.  Although the U.N. and other countries have occasionally criticized the U.S. for refusing to grant visas to individuals to come to the U.N., it is not clear that other countries will want to make an issue over the denial of a visa to Aboutalebi, who played at least some role, even if small, in the most egregious violation of diplomatic law and the security of diplomatic personnel in modern times.

The U.S. obligation to admit foreign nationals, including representatives of U.N. member states, to the United States to come to the U.N. is set forth in the so-called U.N. Headquarters Agreement, which was signed on June 26, 1947 by then Secretary of State George Marshall and then U.N. Secretary General Trygve Lie.  Section 11 of the Headquarters Agreement prohibits the United States from imposing any restrictions on travel to the U.N. by representatives of U.N. members (and certain other persons coming to the U.N.).

Although the Headquarters Agreement itself does not contain any exceptions to this prohibition, Section 6 of the Joint Resolution of Congress of August 4, 1947 (for text scroll down below the Headquarters Agreement) , which authorized President Truman to enter into the Headquarters Agreement, provides as follows:

Nothing in the agreement shall be construed as in any way diminishing, abridging, or weakening the right of the United States to safeguard its own security and completely to control the entrance of aliens into any territory of the United States other than the headquarters district and its immediate vicinity, as to be defined and fixed in a supplementary agreement between the Government of the United States and the United Nations in pursuance of section 13 (3) (e) of the agreement, and such areas as it is reasonably necessary to traverse in transit between the same and foreign countries.

Thus, under this so-called “security reservation,” Congress limited the U.S. obligation to allow representatives of other U.N. members to enter the U.S. if necessary to “safeguard its own security.”  Some observers, including my friend Kevin Heller over at Opinio Juris, have read Section 6 as reserving the authority of the Executive branch only to control the travel of foreign nationals into areas of the United States outside the U.N. “headquarters district” and not to deny absolutely the entrance of foreign nationals into the United States.   Although this is one possible reading of Section 6, an equally plausible reading of Section 6 is that it reserves a general and absolute right for the U.S. to “safeguard its own security” as well as a more specific right to limit travel outside the U.N. district.   It is hard for me to believe that Congress in 1947 would have acceded to an unfettered obligation to allow any foreign national to come to the U.N. headquarters district, as long as they did not travel outside that district. Read more »

The Foreign Policy Essay: Preventing the Proliferation of Armed Drones

By
Sunday, April 13, 2014 at 10:00 AM

Editor’s Note: Drone warfare and its many implications is a favorite subject for Lawfare readers. Yet even as the United States develops policies for the use of drones on and off the battlefield, it must contend with their proliferation to other countries. Indeed, while many voices continue to call for limiting this new form of warfare, the market for drones, especially U.S. drones, is expanding. Sarah Kreps, a professor at Cornell and author of the forthcoming book Drone Warfare, presents us with several questions to consider as we ponder U.S. export policies on drones. She argues that drones are a destabilizing technology and that the United States should foster nonproliferation norms and build institutions to counter their spread.

***

Despite lingering questions about whether armed drone strikes are legal or ethical, a number of countries have indicated that they want what the United States has and are trying to import American technology. After all, what’s not to like about the capacity to conduct counterterrorism missions without incurring meaningful risk? To date, the United States has only exported armed drones to the United Kingdom, but a question under consideration by an interagency review process set up by the Obama administration is whether the United States should liberalize its exports. Especially in an era of declining defense budgets at home, the prospect of selling more armed drones abroad looks attractive as a way to prop up the U.S. industrial base. Whether it should or not depends on the answers to three questions.

First, are drones qualitatively different from other weapons platforms and is this technology destabilizing? Yes, drones should be treated as a distinct class of weapons and yes, their attributes can cause them to be used in ways that are potentially destabilizing. The main difference between drones and other platforms is that they are unmanned and therefore pose no risk to those operating them. For the United States, this means that drones have expanded the military’s range of operations to include many that would have been too risky to attempt with other platforms. Of the estimated 465 non-battlefield targeted killings undertaken by the United States since November 2002, approximately 98 percent were carried out by drones. If the U.S. experience is any guide, states equipped with armed drones will be more willing to use force in ways and in areas they might not otherwise have. Armed drone proliferation in regions that are already crisis prone such as the Middle East, the Caucasus, or East Asia could potentially lower the threshold for using force, making these combustible regions even more volatile.

Sarah Kreps photoSecond, is drone proliferation inevitable? If so, it makes little sense to worry about whether American export policy is liberal or stringent and, in fact, U.S. businesses may as well prosper. But there are good reasons to think that the technology will not otherwise seamlessly diffuse. In some countries, such as Germany, the domestic political environment is hostile towards acquiring armed drones and has put a pause on previous plans to acquire drones. A bigger reason is technological. While one can go onto Amazon.com and buy a rudimentary drone (basically just a remote-controlled airplane), constructing an advanced armed drone is no small feat. U.S. armed drones require sophisticated beyond-line-of-sight communications, access to satellite bandwidth, and systems engineering—from internal fire control to ground control stations—that are currently beyond the reach of most states.

Even countries that have relatively advanced aerospace programs—such as Russia, France, and Italy—have struggled to develop and deploy this systematic architecture of capabilities and processes. Russia, which has experienced a number of setbacks in its aerospace industry since the end of the Cold War, has been frustrated in its efforts to develop more advanced drones. In January 2010, an armed drone prototype of Russia’s Stork Unmanned Aerial Vehicle (UAV) crashed and burned as it attempted to take off, providing further evidence that Russia is decades behind the United States in UAV technology. France and Italy have not been able to produce the requisite technology indigenously and have therefore been limited to purchasing unarmed versions of the United States’ MQ-9 Reaper. Despite many countries expressing an interest in drones, only Israel, China, and perhaps Iran have indigenously produced advanced armed drones. This is not a story of rampant armed drone proliferation.

Third, what is the status of a nonproliferation norm when it comes to armed drones? Currently, the Missile Technology Control Regime (MTCR) regulates the transfer of unmanned aerial vehicles. But drones are a bolt-on to a regime that was intended to restrict the spread of nuclear weapons delivery systems. The regime was far from perfect in this original function since it was a non-legally binding agreement among 34 countries, most of whom are advanced industrialized countries. Excluded are countries such as China, India, Iran, and Israel (although Israel purports to adhere unilaterally). Read more »

More on USG Policy on Cyber Vulnerabilities

By
Saturday, April 12, 2014 at 9:04 PM

This morning I wondered why the USG could not say more about its policy (assuming it had one) on stockpiling v. revealing computer software vulnerabilities.  Today two senior administration officials told David Sanger of the NYT that President Obama decided in January that “when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks.”  This statement implies two exceptions: (1) not every software vulnerability constitutes a “major flaw in Internet security,” and thus those vulnerabilities that do not rise to that level need not be disclosed, and (2) the phrase “in most circumstances” implies that sometimes the NSA will not reveal even a major flaw in Internet security.  Also, the same officials told Sanger that the President “carved a broad exception for ‘a clear national security or law enforcement need,’” a loophole that Sanger says “is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.”  Sanger also reports that NSC spokeswoman Caitlin Hayden says that “[t]his process is biased toward responsibly disclosing such vulnerabilities.”

It is impossible to tell from the Sanger story whether any of this is a change from prior practice, or whether the President’s January decision will have any effect on NSA capabilities and operations going forward.  As Sanger notes, our adversaries will continue to develop or buy vulnerabilities.  That fact makes me think that the President’s decision, with its seemingly large exceptions, will have no practical impact.  But who knows?

Exploring the Effect of NSA Disclosures on the U.S. Technology Industry

By
Saturday, April 12, 2014 at 4:00 PM

This past Monday, I had the honor of moderating a panel organized by students at the American University Washington College of Law’s National Security Law Brief, on Understanding the Global Implications of the NSA Disclosures on the U.S. Technology Industry. The panel (Elizabeth Banker (ZwillGen), David Fagan (Covington), Joseph Moreno (Cadwalader), Gerard Stegmaier (Wilson Sonsoni) and Lawrence Greenberg (Motley Fool)) was stacked with practitioners who are navigating, on a daily basis, issues related to data privacy, transparency, and cooperation with law enforcement/government requests, among other related issues. As we explored during the discussion, there are a number of recent media and other reports describing the “fallout” for U.S. industry as a result of the disclosures. So, at least two questions arise: first, are the reports to be believed, and second, if so, will there be a lasting impact, or is this only temporary?

The short answer is that it is too soon to judge. But, as we all read these reports, such as this one produced by NTT Communications and cited in Guardian article late last month, it will be important to look at the source and potential motivations behind them before drawing firm conclusions about the state of U.S. industry.

Of interest, several of the panelists suggested that the reactions to the recent disclosures perhaps represent the tipping point of what was already a growing discomfort with, if not outright opposition to, changes to the law in the national security area since the USA Patriot Act of October 2001. Another panelist noted that despite the reports of dramatic effects, stock prices of certain affected U.S. technology companies have gone up in recent months (while some others have gone down). It is an important point: drawing conclusions about the long term effects on U.S. industry will take careful study, over a sustained period of time. In the meantime, I intend to spend more time looking into this issue. It seems to me that, given that foreign intelligence surveillance activities conducted by the United States are subject to more laws, rules, procedures and oversight than any other nation, the rush – if there is one – to displace U.S. companies, may be misguided. There just may be a different story to tell.

Lawfare Podcast, Episode #70: Bruce Schneier on Technology and Privacy

By
Saturday, April 12, 2014 at 1:55 PM

Bruce Schneier of the Berkman Center for Internet and Society at Harvard Law School gave a keynote address at the National Security Agency at the Crossroads conference Bobby put together at UT-Austin last week. Schneier spoke about the challenges to maintaining privacy in the evolving digital environment, and had provocative and interesting insights about the big picture that has emerged from almost a year of NSA revelations. We linked to audio of the rest of the conference sessions earlier; be sure to check it out.

The Week That Was

By
Saturday, April 12, 2014 at 9:55 AM

Once again, FISA was front and center on Laware this week.

Tim Edgar gave us a lesson in intelligence surveillance law 101, defining terms like “incidental collection” and “collection over the wire.” Chris Donesa, former chief counsel for the House intelligence committee, lamented the piecemeal, “band-aid” approach of recent attempts at FISA reform and called for a bolder and more comprehensive public debate about intelligence and national security policy. Lauren updated us on the ongoing metadata preservation saga, explaining that the government’s failure to notify the FISC of applicable preservation orders was—at least according to the government—an oversight.

Wells posted this week’s Lawfare Podcast, a wide-ranging conversation between Ben and NSA Deputy Director John “Chris” Inglis. Ben and Bobby then followed up with a veritable treasure trove of audio from a recent conference, “The National Security Agency at a Crossroads.” Recorded sessions include panels on the changing role of the media, NSA in historical and diplomatic perspective, the future of the Fourth Amendment, metadata collection, content collection, current reform efforts, compliance and oversight, and an opening speech from former NSA director Admiral Bob Inman.

For an internationalist perspective on metadata collection, Hugo Teufel III analyzed the ECJ’s decision striking down the EU’s 2006 Data Retention Directive as exceeding the limits of “proportionality.” He noted that individual member states’ data retention law remain unaffected for the moment, but worries that communications providers are being forced into a privacy versus security is a zero-sum game where they will likely receive conflicting orders.

Ben and Jack both responded to a Bloomberg report on Friday that NSA knew about and exploited the Heartbleed OpenSSL bug—and to the government’s denials of the claim. Wrote Jack: “the government faces a difficult choice: It can hoard a zero-day for offensive purposes but leave all computer systems affected by the zero-day vulnerable to exploitation or attack; or it can disclose the vulnerability and allow it to be patched, enhancing defense at the cost of a potential offensive tool.”

And Joel Brenner wrote a piece about the statement this week by the FTC and the Justice Department’s Antitrust Division on cybersecurity and antitrust.

In this week’s foreign policy essay, Brookings scholar William McCants analyzes the waning fortunes of the Muslim Brotherhood as Saudi Arabia recently appears to have turned on Brotherhood affiliates forcefully.

Zachary flagged last week’s executive order authorizing the Treasure Department to impose sanctions on individuals and organizations responsible for the ongoing bloodshed in South Sudan.

Paul noted some wishful thinking in Defense Secretary Hagel’s recent attempt to encourage reciprocal transparency with China on cyberdefense doctrine. Jack responded, suggesting that there are benefits even to a unilateral disclosure if it allows the Chinese to interpret US actions accurately and thereby avoid a mistaken escalation. At the same time, he also questioned whether the Chinese have any reason to believe us.

And while we’re discussing the Chinese, Lauren analyzed some of the issues at play in Ralls Corp. v. CFIUS, a case probing the extent of Presidential discretion to block foreign companies from buying businesses and property in the US on national security grounds. The case, involving a Chinese-owned firm, will be heard by the DC Circuit on May 5th.

Paul gave us two more installments of his “bits and bytes” feature. In the first, he noted an Israeli INSS report on the development of Iran’s cyber program, an army war college bibliography on cyber, a guide on cyber for Joint Forces commanders, a Foreign Affairs piece on the “internet of things.” In the second, he flagged the New York Times story on the Open SSL bug.

Paul also flagged US District Judge Esther Salas’ decision in the “most important cybersecurity case you’ve never heard of,” Wyndham v. FTC. Denying a motion to dismiss, Salas ruled that FTC’s general power to regulate “unfair” business practices includes authority to compel businesses to adopt cybersecurity practices.

Stewart Baker posted the next installment of the Steptoe Cyberlaw Podcast, featuring special guest . . . Benjamin Wittes. The usual gang discussed NSA’s influence on encryption standards, a rise in judicially imposed limits on computer search warrants, FISA reform and more.

Lawfare also went to the Hill this week: On Monday, I flagged two congressional hearings this week featuring contributors. On Tuesday, Ben testified before a House Foreign Affairs subcommittee on the continuing necessity of the AUMF and the FISA 702 program, and on Thursday, Paul testified about the transfer of the IANA function to ICANN.  Ben gave us a summary version of his testimony, while Ritika flagged the actual hearing and posted the testimony of all witnesses. And in turn, Paul linked to his testimony, and posted some general reflections on the hearing itself.

In the targeted killing department, Matt Danzer summarized U.S. District Court Judge Rosemary Collyer’s decision granting the government’s motion to dismiss a Bivens suit brought by the family of Anwar al-Aulaqi, his son, and Samir Khan—all of whom were killed in U.S. drone strikes in Yemen. Collyer found the suit justiciable but reprimanded the government for failing to produce classified documents; she ruled that “special factors” precluded the extension of Bivens liability to such cases.

Peter Margulies summarized some of the discussion at a recent Yale Information Society Project Symposium.

Bobby noted a conversation happening at the ICRC DC blog, intercross, on IHL’s applicability in connection with the 2001 AUMF that includes contributions from Gary Brown, Jen Daskal and Bobby himself. And on Friday, he flagged a Washington Post story discussing the intense cooperation between JSOC and the FBI, including FBI participation in JSOC raids and firefights.

And that was the week that was.

Cyber Paradox: Every Offensive Weapon is a (Potential) Chink in Our Defense — and Vice Versa

By
Saturday, April 12, 2014 at 7:37 AM

As Ben notes, the USG denied a Bloomberg News report that the “U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence.”  The NYT story on this denial says:

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said that the claim that the N.S.A. knew about the Heartbleed bug and stockpiled it for its own purposes was not in keeping with the agency’s policy.

“In this case, it would be weird for the N.S.A. to let this one go if they thought there was such a widespread risk,” he said.

I do not know what the NSA “policy” is on this matter.  But there is an important and very hard and not-much-discussed issue lurking here.

Public reports suggest that the NSA engineers or discovers or purchases, and then stores, zero-day vulnerabilities (i.e. software defects unknown to the vendor and to others).  Zero-days assist NSA and Cyber Command in their cyber-exploitations and cyberattacks.  (For example, Stuxnet reportedly used four zero-day vulnerabilities.)  Zero-days are useful in building offensive exploits only to the extent that they unknown and unpatched.  But if the NSA stockpiles such vulnerabilities, and if the vulnerabilities persist in generally available software, then another party besides the NSA might discover the vulnerability and use it offensively – including against USG and U.S.-firm and U.S.-person computer systems.  And so the government faces a difficult choice: It can hoard a zero-day for offensive purposes but leave all computer systems affected by the zero-day vulnerable to exploitation or attack; or it can disclose the vulnerability and allow it to be patched, enhancing defense at the cost of a potential offensive tool.  Former NSA Director Michael Hayden described this as a “perennial” question of signals intelligence: “What do you do with a vulnerability, do you patch it or do you exploit it?” (See embedded video, about 2:20.)

Presumably the policy that James Lewis is referring to is one that explains how the USG decides which zero-days to keep secret and unpatched and which ones to make public and patchable.  (Note that Former White House cybersecurity advisor and President’s Review Group member Richard Clarke has said that there is no such policy: “There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn’t.”)  There are obviously significant tradeoffs here.  How to think about them? Read more »

NSA Knew About and Exploited Heartbleed—Unless it Didn’t

By
Friday, April 11, 2014 at 11:07 PM

The other day, walking out of Aikido class, I was chatting with a friend about Heartbleed. I joked that the latest revelation reminded me of a scene from the classic Martin Scorsese movie, After Hours. In it, the hero, chased by an angry mob, runs up a fire escape, where–by coincidence–he watches a woman shoot her husband in an apartment across the alley. “I’ll probably get blamed for that,” he says fatalistically. That, I told my friend, is what they must be saying at Fort Meade today. That was Tuesday.

Bloomberg today reported:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

NSA this evening denies it:

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” said agency spokeswoman Vanee Vines in a statement after Bloomberg released its story.

As does the DNI:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial and open source software—a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it—it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

Cyber Threat Information and the Antitrust Canard

By
Friday, April 11, 2014 at 10:42 PM

Those of us who tried to do big things in government have learned to be grateful for small things.  Yesterday, the Justice Department’s Antitrust Division and the Federal Trade Commission jointly declared, “they do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing.” The business press immediately jumped on this as a giant step forward, removing a big impediment to the sharing of cyber threat information among private parties. In fact, when it comes to that kind of sharing, “antitrust” was always a red herring. Threat reports, indicators, malware signatures, and the like are highly technical and have nothing to do with prices, terms of sale, territories, or other price- and output-related subjects that can create antitrust concerns. The Antitrust Division reached this conclusion in a business review letter 14 years ago, and both agencies say that analysis then “remains very current” now.  Any competent antitrust counsel has known this all along. Any counsel who worried about it could have sought a business review letter from the Division and would have received the same advice.

So what explains the persistence of the antitrust roadblock to information sharing?  Corporate counsel are an understandably conservative lot.  In their release yesterday, the agencies noted that some companies “have been counseled that sharing of information among competitors may raise antitrust concerns.”  Insofar as it was true, that advice in these circumstances was beyond conservative.  It was unsound.

In other cases, “antitrust” was simply an excuse for companies’ not sharing threat information they did not want to share.  In one industry I’m familiar with, executives from several top-tier competitors all told me they believed their threat information gave them a competitive advantage.  That could not logically be true for all of them. In any case, even among highly capable companies, the knowledge that comes from sharing cyber threat information is enormously greater than any single competitor can achieve acting alone.

Yesterday’s public release was welcome, but given the persistence of the antitrust canard, I tried to get the Division to issue such a statement about five years ago while I was the national counterintelligence executive.  Too bad it took so long.

Foreign Purchases of U.S. Businesses, Presidential Power, and National Security: Ralls Corp. v. CFIUS

By
Friday, April 11, 2014 at 11:00 AM

When then-Representative Barney Frank contemplated the ability of foreign interests to acquire American companies at the expense of national security, he made the following statement:

There is no right to buy.  You do not have to file [with the Committee on Foreign Investment in the United States (CFIUS), but by not filing, you do not immunize yourself from a finding that the transaction could be canceled on security grounds.

But Representative Frank's interpretation of the law remains judicially under-theorized.  How---and under what circumstances---may the Executive cancel foreign purchases?  The Committee on Foreign Investment in the United States (CFIUS) may review “any merger, acquisition, or takeover … by or with any foreign person which could result in foreign control of any person engaged in interstate commerce in the United States.”  And the President may unilaterally block any investment where he finds “credible evidence that leads [him] to believe that the foreign interest exercising control might take action that threatens to impair the national security.”  The extent of CFIUS’s and the President’s power in this arena is currently being litigated before the D.C. Circuit in Ralls Corporation v. CFIUS.

Two years ago, Ralls Corporation, an American company with Chinese ownership, purchased four small companies in Oregon on which to develop windfarms.  CFIUS ordered Ralls to sell off the companies, destroy the construction, stay off the land, and refrain from selling its goods.  In response, Ralls filed suit alleging that the CFIUS order violated due process and the Administrative Procedure Act.  Subsequently, President Obama issued an order stating that he had “credible evidence” that, by exercising control over the Oregon companies, the owners of Ralls “might take action” that “threaten[ed] to impair the national security of the United States.”  The Presidential order stopped the deal, ordered Ralls to divest, and gave federal agents access to all Ralls facilities in the United States in order to perform inspections. Read more »

House Judiciary Hearing on ICANN

By
Friday, April 11, 2014 at 10:24 AM

I testified yesterday at the House Judiciary Committee hearing on the proposed transfer of the IANA function to ICANN.  You can find my testimony (and that of the other witnesses) at the committee web site.   I was struck, at the hearing, by a few items that seem worth noting:

  • The Administration’s testimony was, essentially, to the effect that the transition is no big deal.  It is merely the elimination of the last vestiges of ministerial control, and has been in the works for over a decade.   As readers of the blog will know, I disagree with that view.  But more to the point, I think it is a bit self-defeating.  For if the point to make is that Congress shouldn’t care because it isn’t a big deal; then the counterpoint is that the Administration shouldn’t care either and that, in the end, it should be agnostic over the end result.  But equally clearly, the Administration is not agnostic (nor should it be in my judgment) — it is affirmatively for the change.  And that has to be because it thinks that it is achieving some good thing through the transition (and, again, I think I agree).  But you can’t be for a good thing with rhetoric that says “it isn’t really that big a deal.”  I understand the politics of why the Administration wants to minimize the importance — but that political message is inconsistent with its fundamental view of the utility of the transition.
  • Representative Nadler made an excellent point which, for me, crystallized the issue nicely.  He likened the announcement of the transition to a Request for Proposal (RFP).  You can’t really judge whether or not to go forward until you’ve actually seen the proposal that comes from the RFP.  And, rightly, we can’t really judge the transition until we see the proposal that ICANN brings forward.  But the danger, such as it is, is the perception of some that the Administration has made a pre-commitment to moving forward — in other words that it will accept any RFP from ICANN that it receives.  To combat that perception the Administration needs to credibly and convincingly keep telling Congress and ICANN that if the proposal it receives doesn’t meet its standards it will say “no.”
  • Which suggests to me that the optimum way for Congress to engage in this process (if it wishes to do so) is to determine for itself what it thinks a good IANA management function would look like.  What components of governance and oversight does it think important to maintaining the openness and freedom of the network?  If it could reach consensus on that (say through a sense of Congress resolution) that consensus would, I think, significantly inform ICANN’s consideration and also inform how the NTIA responds to ICANN’s proposal.
  • Finally, I was struck that both the NTIA and ICANN said that the current contract termination date of September 2015 was an artificial deadline that they would disregard if work was not complete.   I’m not sure I fully credit that assertion (the political pressure to finish this sooner rather than later will be quite high) but it is the “right” answer as a matter of policy.