Tag: NSA

Deterrence in Cyberspace and the OPM Hack

I have yet to weigh in on the recent hack on the Office of Personnel Management (OPM).   Mostly this is due to two reasons.  First is the obvious one for an academic: it is summer! But the second, well, that is due to the fact that as most cyber events go, this one continues to unfold. When we learned of the OPM hack earlier this month, the initial figures were 4 million records. That is, 4 million present and former government employees’ personal records were compromised. This week, we’ve learned that it is more like 18 million.   While some argue that this hack is not something to be worried about, others are less sanguine.   The truth of the matter is, we really don’t know. Coming out on one side or the other is a bit premature.   The hack could be state-sponsored, where the data is squirreled away in a foreign intelligence agency. Or it could be state-sponsored, but the data could be sold off to high bidders on the darknet. Right now, it is too early to tell.

What I would like to discuss, however, is what the OPM hack—and many recent others like the Anthem hack—show in relation to thinking about cybersecurity and cyber “deterrence.” Deterrence, as any IR scholar knows, is about getting one’s adversary to not undertake some action or behavior. It’s about keeping the status quo. When it comes to cyber-deterrence, though, we are left with serious questions about this simple concept. Foremost amongst them is: Deterrence from what? All hacking? Data theft? Infrastructure damage? Critical infrastructure damage? What is the status quo? The new cybersecurity strategy released by the DoD in April is of little help. It merely states that the DoD wants to deter states and non-state actors from conducting “cyberattacks against U.S. interests” (10). Yet this is pretty vague. What counts as a U.S. interest?


NSA Reform or Foreign Policy Signaling? Maritime Provisions in Title VIII of the USA Freedom Act

With much attention being given to the passage of the 2015 USA Freedom Act, there is some odd silence about what the bill actually contains. Pundits from every corner identify the demise of section 215 of the Patriot Act (the section that permits the government to acquire and obtain bulk telephony meta data). The bill does in fact do this, now requiring a “specific selection term” to be utilized instead of bulk general trolling, and it hands over the holding of such data to the agents who hold it anyway (the private companies). Indeed, the new Freedom Act even “permits” amicus curiae for the Foreign Surveillance and Intelligence Court, though the judges of the court are not required to have the curiae present and can block their participation if they deem it reasonable. In any event, while some ring in the “win” for Edward Snowden and privacy rights, another interesting piece of this bill has passed virtually unnoticed: extending “maritime safety” rights and enacting specific provisions against nuclear terrorism.


SOTU: Cyber What?

In last night’s State of the Union Address, President Obama briefly reiterated the point that Congress has an obligation to pass some sort of legislation that would enable cybersecurity to protect “our networks”, our intellectual property and “our kids.” The proposal appears to be a reiteration that companies share more information with the government in real time about hacks they are suffering. Yet, there is something a bit odd about President Obama’s cybersecurity call to arms: the Sony hack.

The public attention given over to the Sony hack, from the embarrassing emails about movie stars, to the almost immediate claims from the Federal Bureau of Investigation (FBI) that the attack came from North Korea, to the handwringing over what kind of “proportional” response to launch against the Kim regime, we have watched the cybersecurity soap opera unfold. In what appears as the finale, we now have reports that the National Security Agency (NSA) watched the attack unfold, and that it was really the NSA’s evidence and not that of the FBI that supported President Obama’s certainty that North Korea, and not some disgruntled Sony employee, was behind the attack. Where does this leave us with the SOTU?

First, if we believe that the NSA watched the Sony attack unfold—and did not warn Sony—then no amount of information sharing from Sony would have mattered.   Sony was de facto sharing information with the government whether they permitted it or not. This raises concerns about the extent to which monitoring foreign attacks violates the privacy rights of individuals and corporations.   Was the NSA watching traffic, or was it inside Sony networks too?

Second, the NSA did not stop the attack from happening. Rather, it and the Obama administration let the political drama unfold, and took the opportunity to issue a “proportionate” response through targeted sanctions against some of the ruling North Korean elite. The sanctions are merely additions to already sanctioned agencies and individuals, and so functionally, they are little more than show. The only sense that I can make of this is that the administration desired to signal publicly to the Kim regime and all other potential cyber attackers that the US will respond to attacks in some manner. This supports Erik Gartzke’s argument that states do not require 100% certainty about who launched an attack to retaliate. If states punish the “right” actor, then all the better; if they do not, then they still send a deterrent signal to those watching. However, if this is so, it is immediately apparent that Sony was sacrificed to the cyber-foreign-policy gods, and there was a different cost-benefit calculation going on in the White House.

Finally, let’s get back to the Sony hack and the SOTU address. If the US was taking the Sony hack as an opportunity in deterrence, then this means that it allowed Sony to suffer a series of attacks and did nothing to protect them. If this is the case, then the notion that we need more information sharing with the government may be false. What the government wants is really more permission, more consent, from the companies it is already watching. Protecting the citizens and corporations of the US requires a delicate balance between privacy and security. However, attempting to corrupt ways of maintaining security, such as outlawing encryption, only makes citizens and corporations more unsafe and insecure. If the US government really wants to protect the “kids” from cyber criminals, then they should equip those kids with the strongest encryption there is, and teach good cyber practices.


Privacy, Secrecy & War: Emperor Rogers and the Failure of NSA Reform

On November 3, Britain’s head of the Government Communications Headquarters (GCHQ) published an opinion piece in the Financial Times, noting that technology companies, such as Twitter, Facebook, WhatsApp, (and implying Google and Apple), ought to comply with governments to a greater extent to combat terrorism. When tech companies further encrypt their devices or software, such as what Apple has recently released with the iPhone 6, or what WhatsApp has accomplished with its software, GCHQ chief Hannigan argues that this is tantamount to aiding and abetting terrorists. GCHQ is the sister equivalent of the US’s National Security Agency (NSA), as both are charged with Signals Intelligence and information assurance.

Interestingly, Hannigan’s opinion piece comes only weeks before the US Senate voted on whether to limit the NSA’s ability to conduct bulk telephony meta-data collection, as well as reform aspects of the NSA’s activities. Two days ago, this bill, known as the “USA Freedom Act,” failed to pass by two votes. While Hannigan stressed that companies ought to be more open to compliance with governments’ requests to hand over data, the failure of the USA Freedom Act strengthened at least the US government’s position to continue its mass surveillance of foreign and US citizens. It remains to be seen how the tech giants will react.

In the meantime, the bill also sought, amongst other things, to make transparent the amount of requests from governments to tech companies, to force the NSA to seek a court order from the Foreign Intelligence Surveillance Court (FISC) to query the (telecom held) data, and to require the NSA to list the “specific selection term” to be used while searching the data. Moreover, the bill would have also mandated an amicus curiae, or “friend of the court,” in the FISC to offer arguments against government requests for searches, data collection and the like, which it currently lacks. Many of these reforms were welcomed by tech companies like Google and Apple and also were suggested in a 2013 report for the White House on NSA and intelligence reform.

Many of the disagreements over the bill arose on two lines: that the bill hamstringed the US’s ability to “fight terrorists,” and that the bill failed to go far enough in protecting the civil liberties of US citizens. This was because the bill would have reauthorized Section 215 of the PATRIOT Act (set to end in 2015) to 2017. Section 215 permits government agents, such as the FBI and the NSA, to compel third parties to hand over business records and any “other tangible objects” whenever the government requests them in the pursuance of an “authorized investigation” against international terrorism or clandestine intelligence activities. In particular, Section 215 merely requires the government to present specific facts that would support a “reasonable suspicion” that the person under investigation is in fact an agent of a foreign power or a terrorist. It does not require a showing of probable cause, only a general test of reasonableness, and this concept of reasonableness is stretched to quite a limit. The Democratic support for the bill comes most strongly from Senator Dianne Feinstein (D-Calif.), who is reported to have said, “I do not want to end the program [215 bulk collection],” so “I’m prepared to make the compromise, which is that the metadata will be kept by the telecoms.”

Where, then, does the failure of this bill leave us? In two places, actually. First, it permits the NSA to run along with the status quo. Edward Snowden’s revelations of mass surveillance appear to have fallen off of the American people’s radar, and with it, permitted Congress to punt on the issue until its next session. Moreover, given that the next session is a Republican dominated House and Senate, there is high probability that any bill passed will either reaffirm the status quo (i.e. reauthorize Section 215) or potentially strengthen the NSA’s abilities to collect data.

Second, this state of affairs will undoubtedly strengthen the position of Emperor Mike Rogers. Admiral Mike Rogers is the recent replacement of General Keith Alexander, the head of both the NSA and US Cyber Command (Cybercom). I refer to the post holder as “Emperor” not merely due to the vast array of power at the hands of the head of NSA/Cybercom, but also because such an alliance is antithetical to a transparent and vibrant democracy that believes in separations between its intelligence gathering and war making functions.  (For more on former Emperor Alexander’s conflicts of interests and misdeeds see here.)

The US Code separates the authorities and roles for intelligence gathering (Title 50) from US military operations (Title 10). In other words, it was once believed that intelligence and military operations were separate but complementary in function, and were also limited by different sets of rules and regulations. These may be as mundane as reporting requirements, to more obvious ones about the permissibility of engaging in violent activities. However, with the creation of the NSA/Cybercom Emperor, we have married Title 10 and Title 50 in a rather incestuous way. While it is certainly true that Cybercom and the NSA are both in charge of Signals Intelligence, Cybercom is actively tasked with offensive cyber operations. What this means is that there is serious risk of conflicts of interest between the NSA and Cybercom, as well as a latent identity crisis for the Emperor. For instance, if one is constantly putting on and taking off a Title 10 hat for a Title 50 hat, or viewing operations as military operations or intelligence gathering, there will eventually be a merging of both. That both post holders are high ranking military officers means that it is most likely that the character of NSA/Cybercom will be more militaristic, but with the potential for him to issue ex post justifications for various “operations” as intelligence gathering under Title 50, and thus subject to less transparent oversight and reporting.

One might think this fear mongering, but I think not. For example, suppose the Emperor deems it necessary to engage in an offensive cyber operation that might, say, change the financial transactions or statements of a target, and that part of this operation is for the US’s role to remain secret. This operation would be tantamount to a covert action as defined under Section 413b(e) of Title 50. Covert actions have a tumultuous history, but suffice to say, the President can order them directly, and they have rather limited reporting requirements to Congress. What, however, would be the difference if the same action were ordered by Admiral Rogers in the course of an offensive cyber operation? The same operation, the same person giving the order, but the difference in international legal regulations and domestic legal regulations is drastic. How could one possibly limit any ex post justification for secrecy if something were to come to light or if harm were inflicted? The answer is there is no way to do this with the current system. This is because the post holder is simultaneously a military commander and an intelligence authority.

That the Senate has refused to pass a watered down version of NSA reform only further strengthens this position. The NSA is free to collect bulk telephony meta-data, and, moreover, it is free to hold that data for up to five years. It can also query the data without requiring a court order to do so, and is not compelled to make transparent any of its requests to telecom companies. Furthermore, one of the largest reforms necessary—that of separating the functions of the NSA and Cybercom—continues to go unaddressed.  The Emperor, it would seem, is still free to do what he desires.


Monstermind or the Doomsday Machine? Autonomous Cyberwarfare

Today in Wired magazine, James Bamford published a seven-page story and interview with Edward Snowden. The interview is another unique look into the life and motivations of one of America’s most (in)famous whistleblowers; it is also another step in revealing the depth and technological capacity of the National Security Agency (NSA) to wage cyberwar. What is most disturbing about today’s revelations is not merely what it entails from a privacy perspective, which is certainly important, but from an international legal and moral perspective.   Snowden tells us that the NSA is utilizing a program called “Monstermind.” Monstermind automatically hunts “for the beginnings of a foreign cyberattack. [… And then] would automatically block it from entering the country – a “kill” in cyber terminology.” While this seems particularly useful, and morally and legally unproblematic, as it is a defensive asset, Monstermind adds another not so unproblematic capability: autonomously “firing back” at the attacker.

Snowden cites two problems with this new tactic. First, he claims that it would require access to “all [Internet] traffic flows” coming in and outside of the US. This means in turn that the NSA is “violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.” Second, he thinks it could accidentally start a war. More than this, it could accidentally start a war with an innocent third party because an attacking party could spoof the origin of the attack to make it look like another country is responsible. In cyber jargon, this is the “attribution problem” where one cannot with certainty attribute an attack to a particular party.

I, however, would like to raise another set of concerns in addition to Snowden’s: that the US is knowingly violating international humanitarian law (IHL) and acting against just war principles. First, through automated or autonomous responses, the US cannot by definition consider or uphold Article 52 of Additional Protocol I of the Geneva Conventions. It will violate Article 52 on at least two grounds. First, it will violate Article 52(2), which requires states to limit their attacks to military objectives. These include “those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.” While one might object that the US has not ratified Additional Protocol I, it is still widely held as a customary rule. Even if one still holds this is not enough, we can still claim that autonomous cyber attacks violate US targeting doctrine (and thus Article 52(2)) because this doctrine requires that any military objective be created by a military commander and vetted by a Judge Advocate General, ensuring that targeting is compliant with IHL. That a computer system strikes “back” without direction from a human being undermines the entire targeting process. Given that the defensive capacity to “kill” the attack is present, there seems no good reason to counter-strike without human oversight. Second, striking back at an ostensibly “guilty” network will more than likely have significant effect on civilian networks, property and functionality. This would violate the principle of distinction, laid down in Article 52(1).

If one still wanted to claim that the NSA is not a military unit, and any “strike back” cyber attack is not one taken under hostilities (thereby not being governed under IHL), then we would still require an entire theory (and body of law) of what constitutes a legitimate use of force in international law that does not violate the United Nations charter, particularly Article 2(4), which prohibits states from using or threatening to use force. One might object that a cyber attack that does not result in property damage or the loss of life is not subject to this prohibition. However, taking the view that such an attack does not rise to the level of an armed attack in international law (see for instance the Tallinn Manual), does not mean that such an attack is not a use of force, and thus still prohibited. Furthermore, defensive uses of force in international law are permissible only if they rise to the level of an armed attack (Article 51).

Second, autonomous cyber attacks cannot satisfy the just war principles of proportionality. The first proportionality principle has to do with ad bellum considerations of whether or not it is permissible to go to war. Whether we may view the “strike” as not engaging in war, or that it is a different kind of war, is another question for another day. Today, however, all we ought to consider is that a computer program automatically responds in some manner (which we do not know) to an attack (presumably preemptively). That response may trigger an additional response from the initial attacker – either automatically or not. (This is Snowden’s fear of accidental war.) Jus ad bellum proportionality requires a balancing of all the harms to be weighed against the benefits of engaging in hostilities. Yet, this program vitiates the very difficult considerations required. In fact, it removes the capacity for such deliberation.

The second proportionality principle that Monstermind violates is the in bello version. This version requires that one use the least amount of force necessary to achieve one’s goals. One wants to temper the violence used in the course of war, to minimize destruction, death and harm. The issue with Monstermind is that prior to any identification of attack, and any “kill” of an incoming attack, someone has to create and set into motion the second step of “striking back.” However, it is very difficult, even in times of kinetic war, to proportionately respond to an attack. Is x amount of force enough? Is it too much? How can one preprogram a “strike back attack” to a situation that may or may not fit the proportionality envisioned by an NSA programmer at any given time? Can a programmer put herself into a position to envision how she would act at a given time to a particular threat (this is what Danks and Danks (2013) identify as the “future self-projection bias”)? Moreover, if this is a “one-size-fits-all” model of a “strike back” then that entails that it cannot by definition satisfy in bello proportionality because each situation will require a different type of response to ensure that one is using the minimal amount of force possible.

What all of this tells us is that the NSA is engaging in cyberwar, autonomously, automatically and without our or our adversaries’ knowledge. In essence it has created not Monstermind, but the Doomsday Machine. It has created a machine that possesses an “automated and irrevocable decision making process which rules out human meddling” and thus “is terrifying, simple to understand, and completely credible and convincing” now that we know about it.


The Cost of Spying

As my first official post as a guest contributor to the Duck, I would like to take a moment to thank Charli, Jon, and the gang. This really is an honor and a privilege for me, and hopefully my posts will live up to the Duck’s high standard!

There has been no lack of coverage in the United States regarding the National Security Agency’s spying activities. My sense, however, is that the focus in the media and by politicians has largely been on the domestic political implications of the NSA dragnet. The Obama administration has gone to great pains to communicate that the NSA only targets non-Americans. That makes sense, as there are important laws governing surveillance on Americans, and few if any pertaining to espionage against foreign targets.

But the United States does not exist in an international vacuum, and the NSA revelations as well as the political treatment have effects overseas. This summer I had the great privilege of working with my colleague Vicki Birchfield as she directed the Nunn School’s 10-week study abroad in the EU, and in that context I was able to observe some of the international implications of NSA spying up close. In some of the places we went, NSA spying hardly registered. In Athens, for example, we very much got the sense that surviving the economic crisis and damming the flood of undocumented immigrants occupied most of the attention of policymakers and the public.

But NSA surveillance clearly had a significant impact in France and Germany, albeit in very different ways. In France, the response seemed to be the same as many foreign policy analysts in the U.S.: everyone does it. At the French foreign ministry, briefers specifically argued that, because the French public knows France has an expansive intelligence establishment, the revelations about American spying were seen as part of what a modern state does in international affairs today. That may be part of why the French government has said relatively little about the subject.

However, the briefers at the French foreign ministry did not argue that all Europeans see the issue the same way. Indeed, they specifically highlighted that Germany saw the surveillance in a very different light. Owing to the WWII experience with the Nazi state and the postwar position at the heart of the Cold War, Germans understand wiretapping and other forms of surveillance in a different way. Rather than being just something the modern state does, NSA-style espionage is a sign of enmity and oppression. US targeting of Chancellor Angela Merkel, turning of intelligence and defense officials, and repeated reassurances by US officials to the American public that the spying was aimed at foreign nationals all feed into a narrative that the US-German relationship is not a friendship and alliance between states of shared identity and values, but rather something more contingent and darker.

I think it is difficult for Americans to understand the importance of these issues. During the Cold War, the West and specifically the US were the guarantors of West German survival and in later years served as a beacon for a new generation of East Germans. At a deeper, perhaps collectively unconscious, level I think a strong relationship and friendship with the US as the ‘leader of the free world’ serves as an indicator that Germany has truly left the first half of the 20th century behind. Friendship and trust is the key here. The US has alliances with all sorts of unsavory regimes (Saudi Arabia) but only true friendships with fellow democracies. At the same time, US spying contributes to German disillusionment in the idea that the US really represents freedom and liberty in the world—because spying on friends embodies neither. In all cases, the issue of spying is an emotional one for Germans, linked to their history, identity, and sense of place in the world.

There are indications of this interpretation. Merkel and German President Joachim Gauck have both come out strongly against the NSA spying—in contrast to relative silence in France. That suggests that the revelations about the NSA have a political power in Germany that they do not in France. Merkel also recently expelled the CIA station chief in Berlin, an unprecedented move by an ally. At a briefing at an NGO in Berlin, an interlocutor who deals with German federal officials on a regular basis told us that German transatlanticist foreign policymakers were in tears over NSA spying. Given the nature of the NGO and the briefer’s background, I believe the claim is not hyperbole. Many Germans feel personally betrayed by the United States. That in turn undermines the bonds of shared trust and identity that are critically important for maintaining international peace and stability. This happens not just at the level of policymakers, but also within the broader public. It is here that NSA spying helps fuel the establishment of new systems and narratives through which Germans make sense of the world. These are not kind to the United States, and that has real ramifications. On a range of issues, from the Transatlantic Trade and Investment Partnership (TTIP) to events in Ukraine and beyond, the United States relies a great deal on generally shared systems of meaning with its close allies like Germany. As those systems come into greater disjuncture, relations and in turn the means for managing issues will come under greater pressure. To exemplify, it is worth asking ourselves what the German response toward Russia’s bad behavior in Ukraine and US demands on Europe would have been had the NSA revelations not occurred. Would Germany see more merit in the US position? Would it in turn be more willing to make the sacrifices US policy demands?

The negative impact of NSA spying is not limited to Germany. In Brussels we heard from Commission officials resentment toward the United States. In the context of TTIP negotiations, some officials wondered aloud as to the point of negotiating when the Europeans suspect that the United States already knows everything the EU has to offer. Anti-TTIP graffiti in Brussels also suggests an underlying anti-American resentment, exacerbated no doubt by the NSA revelations and the subsequent handling by US officials. Indicators like these are small, but they betray a fraying between the US and Europe that American officials and the public should be very concerned about. No other region on the planet shares as much cultural and political history with the US as Europe. Nor does any other region have as many states that broadly share the US vision of a peaceful, liberal, and humanitarian global system. America damages these relationships at its own risk.


Get Ready to Rumble….. NSA vs. State

OK, so it’s not exactly Ali vs. Frazier, but NSA and the State Department are not happy with each other. From this morning’s Cable at Foreign Policy, Yochi Dreazen reports:

Secretary of State John Kerry touched off the furor when he said some of the NSA’s overseas surveillance efforts — which also included tapping into tens of millions of calls in France and Spain — had been carried out without the Obama administration’s knowledge or explicit approval. The remarks highlighted what appears to be the White House’s emerging strategy for dealing with widespread public fury over the programs: blame it on the NSA.


Why the US Spies on Its Allies


The Guardian article this week that disclosed the story of U.S. eavesdropping on the leaders of several US allies said that the surveillance produced “little reportable intelligence.” This isn’t really a surprise — I can’t really imagine that listening to German Chancellor Merkel’s phone conversations is going to give US analysts and policymakers a whole lot more than they get from open source and normal diplomatic channels. So why does the US do it? The cheap answer to this question is that it comes from that sinister NSA organization. From this morning’s NYTimes:

In Washington, the reaction has set off a debate over whether it is time to put the brakes on the N.S.A., whose capabilities, Mr. Obama has hinted, have expanded faster than its judgment. There are now two groups looking at the N.S.A.’s activities: one inside the National Security Council, another with outside advisers. The president all but told Ms. Merkel that “we don’t have the balance right,” according to one official.

“Sure, everyone does it, but that’s been an N.S.A. excuse for too long,” one former senior official who talks to Mr. Obama often on intelligence matters said Friday. “Obama has said, publicly and privately, that just because we can do something doesn’t mean we should do it. But everyone has moved too slowly in moving that from a slogan to a policy.”

But, is there something more here? Why does the US eavesdrop on its allies? The problem here isn’t simply the NSA run amok and NSA “excuses.”


Does Snowden Pass the Test?

As you’ve probably noticed, I’m working through two competing concerns: (1) the legal and ethical obligations that come with holding a security clearance and (2) the ethical and moral obligation to bring deeply problematic government action to light. In comments elsewhere, I’ve put forth two examples of what I think are relatively straightforward kinds of cases:

  • Publicizing war crimes that the state is covering up; and
  • Indiscriminately dumping government diplomatic cables.

The first provides a justification for disclosing classified information, the second is completely without justification. Without in any way denying that the US government’s treatment of Bradley Manning has been horrific and outrageous, I think it is clear that Manning crossed the line when he downloaded every government cable he could get his hands on and turned them over to Julian Assange.

I probably shouldn’t have used Jeffrey Toobin’s New Yorker piece as an excuse to initiate discussion, because, well, it was a piece by Jeffrey Toobin. But, thankfully, Josh Marshall and Josh Barron have both written thoughtful pieces on these issues.


© 2019 Duck of Minerva