Ever Heard of Executive Order 13587?

As the 4th of July weekend winds to a close, the Edward Snowden “Freedom Tour” – after being held over in the Moscow Airport’s International holding area for two weeks due to travel document irregularities (how Soviet!) related to less than rave reviews for the show’s impact on Russian/American relations – appears to have long-term booking opportunities in Venezuela, Bolivia, and Nicaragua that the “hacker headliner” is considering.  Ed’s 15 minutes of fame has lasted a month now, and as far as I am concerned regular updates on his plight are becoming increasingly tedious.  While extradition doesn’t seem likely, Ed should never stop watching “Argo” or “Zero Dark Thirty” so he doesn’t forget the long reach of the US Intelligence Community (IC) that he has been actively warning about to anybody who will listen.

Beyond where Snowden is and where he might be going, the media also has been full of arguments about whether the scale and scope of the NSA surveillance of American phone and email externals is appropriate, necessary or constitutional.  There has also been considerable public discourse about whether contractors should be granted sensitive (aren’t they all?) security clearances and the broad access that usually goes with them.  NSA and the IC would generate more confidence regarding their surveillance programs with transparency about what they are doing and why instead of telling the American people (and themselves) how these secret programs are necessary for protecting us.  The premise that government employees are more trustworthy than contractors is as dangerous as it is false!  What do Walker, Whitworth, Pendleton, Pollard, Ames, Hanssen, Montes and Manning have in common?  Correct, all were government employees with security clearances and broad access to intelligence products and/or capabilities.

Most disturbing to me, however, is what nobody in the media, the Congress, the West Wing, or the greater IC punditry is talking about:  How could Snowden exfiltrate from a secure area enough classified data to fill up four laptops in a post-WikiLeaks environment?  Private 1st Class Bradley Manning is currently being court-martialed at Fort Meade for releasing gigabits of classified information he downloaded from the SIPRNET onto thumb drives while he was assigned to the Joint Intelligence Operational Center (JIOC) in Iraq.  His actions resulted in Executive Order 13587 titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.”

EO 13587, issued on October 7, 2011, directs:

…structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties.  Agencies bear the primary responsibility for meeting these twin goals. These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government.  These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks. [emphasis added]

Snowden’s success indicates that NSA failed in its own environment in terms of Section 5 of EO 13587, which designates the Secretary of Defense and the Director, National Security Agency, to act jointly as the Executive Agent for Safeguarding Classified Information on Computer Networks.  Section 6 of this EO charges the Attorney General and the Director of National Intelligence with establishing an “Insider Threat Task Force” that is to be administratively supported by the Office of the National Counterintelligence Executive (ONCIX).  I can’t be the only one wondering what the minutes of this Insider Threat Task Force tell us about what could have been done to deter or detect Edward Snowden before he acted.  The WikiLeaks Task Force also recommended standardized procedures for using removable media in classified areas, increased attention on access controls, and robust employment of enterprise monitoring and auditing software.  Progress in any of these areas surely would have raised Snowden’s threat profile if not actually working to deter or detect his unauthorized downloading of classified information from NSA networks.

With Manning on trial for leaking classified information downloaded from a secure network and EO-13587 being issued over 18 months ago to prevent a reoccurrence, the serious damage the IC says Snowden has done to national security appears to have been enabled by its own negligence.

That’s what I think; what do you think?

NSA, Can You Hear Me Now?

As I write this blog the two headlines playing over the background of the unauthorized disclosure regarding the scope and scale of NSA domestic surveillance are the election of a moderate to be the next president of Iran along with the White House announcing it is convinced that Syrian President Assad has used chemical weapons against the rebel forces trying to force him from office.  It will be curious to see how moderate Iranian President Elect Hassan Rouhani remains as the U.S. ramps up support to rebels fighting against Assad and his Iranian Hezbollah supporters.  Of course, Russia, China, and Iran are probably quietly pointing out that the U.S., despite its poor track record with chemical and biological weapons threat assessments, is ready again on the basis of “dubious intelligence” to intervene militarily in another Muslim country.  The impact on Iranian politics aside, I am not sure the American people are interested in a Syrian intervention or that the Treasury and DoD can sustain the effort needed to stabilize a post-Assad Syria.

Before I began the process of moving and downsizing two weeks ago as a new Social Security annuitant, I thought I would be discussing with you President Obama’s 22 May policy speech about winding down the war on terrorism and the subsequent west coast summit with China’s Xi Jinping.  Instead, Edward Snowden shocked the Intelligence Community, Congress, and the White House with his unilateral release of classified details on the size and scope of NSA surveillance against telephone metadata and foreign emails – turning a major presidential policy speech and a summit between the leaders of the two most powerful nations in the world into one-day stories on page three.  Ironically, as Snowden was informing the world about NSA surveillance in the name of transparency, Private Bradley Manning’s court martial was getting underway at Fort Meade where he is charged with releasing a massive amount of classified DoD and State Department message traffic while deployed in Iraq so all could know what the US is secretly doing.  More substantively, the administration’s contention that leaking of NSA’s surveillance has done great harm to the IC’s ability to discover and disrupt dangerous terrorist attacks aimed at the U.S. undermines the President’s contention that the perpetual war on terrorism is now anachronistic.  Similarly, Snowden’s revelations about the extent of NSA’s surveillance must have weakened the President’s ability to cogently engage the General Secretary of the Chinese Communist Party on China’s hacking of U.S. intellectual property.

Beyond arguments about the constitutionality of the NSA’s broad surveillance of U.S. citizens’ personal electronic communications and whether Snowden is a malicious traitor or a well-intentioned whistleblower, this story brought into view the number of contractors working inside of the IC with high-level security clearances and access to sensitive national security information. This realization seems to have surprised many in the Congress, the media, and the electorate with the implication that contractors are by definition less trustworthy than government employees.  In Senate testimony on 13 June, NSA Director Keith Alexander said NSA IT infrastructure was outsourced about 14 years ago, providing more federal work in that area to contractors which:

“as a consequence [means] many in government — not just us — have system administrators who are contractors working and running our network. So we’ve got to address that. That is of serious concern to us, and something we have to fix. What I need, I think, is greater scrutiny.  I need to go back and look at what I am getting with my contract support and what are their capabilities and how do we manage that from a government perspective. That’s something I have concerns about.”

Along with General Alexander, Congress, GAO, OMB, media pundits, and others are starting to realize how much government IT, not just IC IT, is outsourced and why and how this happened.  This will likely explode like Blackwater did seven or eight years ago with lots of pontificating about inherently governmental functions being run by contractors only to be followed by the realization that without contractors and their skills many of these key government functions wouldn’t happen.  That will result in some self-serving policy language about contractor oversight and things will go back to the way they were (again the Blackwater example is instructive). What I fear will happen is that contractors will come in for more security scrutiny that will result in it taking longer to get people cleared and access will become more limited, with fewer green badges.  This won’t result in any better security, but will create the aura of having done something measurable.  As an aside, I also see the CI guys getting a plus-up out of this despite having failed to identify Snowden as a risk.

The 24 June Time Magazine cover story, “Geeks that Leak,” reflects on the actions and motivations of both Manning and Snowden along with groups like Anonymous and Occupy Wall Street, pointing out that driven by “the hacktivist ethos” they are a manifestation of “the age of the informant” compared to the “age of the spy” when it comes to government secrecy.  Startling to me is polling data that shows 28% of Americans don’t believe Snowden should be prosecuted, with 43% thinking this way in the 18-to-34-year-old demographic.  Based on this, I am presuming that those responsible for security policy at ODNI are in the process of drafting new SF 86 forms and developing different polygraph questions that will shift away from determining if an individual being adjudicated for a security clearance is vulnerable to divulging classified information for financial, ideological, or foreign connection reasons to ones more associated with beliefs about what information should and should not be in the public domain.  Regarding basic CI, I am curious when Snowden’s absence from his “place of performance” (i.e. where he worked) was noted and reported.

Certainly terrorists will now be better able to take advantage of knowing what the legal limits are on US surveillance, limits that are about to be more rigorously enforced if not expanded, but this will pass with new technologies, tactics, techniques, and practices.  The most serious damage done here is not from the compromise of effective intelligence sources and methods, but from the doubts that American citizens are feeling about whether their Intelligence Community is needlessly taking them under surveillance.  The IC response is “not to worry” because we have high ethical standards and are subject to oversight from multiple directions, but this begs the question raised by the misuse of IRS authorities: how do we know that the IC is acting ethically and that all this oversight is working?

That’s what I think; what do you think?