ThinkProgress

Stories tagged with “Cybersecurity”

Security

NSA Director Unable To Say If Secret Programs Alone Foiled Terrorist Plots

NSA Director Gen. Keith Alexander (Credit: AP)

The head of the National Security Agency (NSA) on Tuesday admitted that government surveillance programs contributed to but were not fully responsible for preventing terrorist plots.

Since their revelation, the programs — which involve the collection of metadata of every phone call in the United States and monitoring Internet content of foreign nationals outside of the U.S. — have sparked a massive debate over the scope of the programs, their initial secrecy, the manner in which they were revealed, and particularly whether they’re the most effective way to discover potential terrorist attacks before they occur.

To counter these critiques, NSA Director Gen. Keith Alexander told the House Permanent Select Committee on Intelligence that more than 50 potential terrorist plots were foiled, of which “just over ten” were within the United States, through the use of the controversial data-gathering projects. While promising to bring forward documents detailing those plots to the committee in a later classified hearing, Alexander and his colleagues gave new details about four plots they say were halted through the surveillance. These include a previously disclosed plot to conduct an attack on the New York City subway system and a newly revealed plan to bomb the New York Stock Exchange.

The officials’ testimony gave the clearest picture yet of how the NSA’s surveillance operates, but not all of the committee members were willing to accept vague guarantees that the metadata collection was vital in halting these plots. “I don’t think it’s adequate to say that 702 and 215 authorities ‘contributed to’ our preventing fifty episodes,” Rep. Jim Himes (D-CT) told Alexander, referring to the sections of the Foreign Intelligence Surveillance Act (FISA) and PATRIOT Act that greenlight the NSA programs under scrutiny. “I think it’s really essential that you grade the importance of that contribution,” he went on, before directly asking how many of the fifty plots would not have been stopped were it not for the NSA’s surveillance.

In response, Gen. Alexander clarified that only the slightly more than ten plots that had a “domestic nexus” could have been targeted using the metadata program Himes asked about. Of the other plots, the ability to view Internet content under FISA ‘contributed’ to 90 percent of the cases, according to Alexander, who did not provide the grade Himes requested. The general was also unable to pin down just how critical the NSA’s ability to gain access to business records under the PATRIOT Act, such as the metadata gathering from Verizon that set off the whole scandal, was to preventing those attacks. “If we now look at those [domestic cases], the vast majority of those had a contribution by business records FISA,” Alexander said.

Himes tried to press further for a clear answer on which plots the data gathering was essential to stopping, but was rebuffed by Deputy FBI Director Sean Joyce. “I would just add to Gen. Alexander’s comments and I think you ask an almost impossible question, to say how important each dot was,” Joyce said, claiming that every tool covered during the hearing is essential and vital. “You ask ‘How can you put the value on American life?’ and I can tell you it’s priceless,” Joyce concluded.

Update

An earlier version of this article mistakenly referred to Rep. Jim Himes as Jim “Hines,” which has since been corrected.

Security

How Edward Snowden’s New Leaks Are Distracting From The Conversation He Wanted

Former NSA contractor Edward Snowden (Credit: The Guardian)

Two weeks ago, the first leaks regarding the National Security Agency’s troubling spying programs became public, leading to calls for increased scrutiny of how these actions affect the American public. In the intervening weeks, however, the focus has shifted away from the potential violation of civil liberties and towards the functions of the NSA in general — and that’s a problem.

The revelations to the Guardian of the NSA’s secret court orders to siphon metadata from the majority of Americans’ cell phone conversations launched wide-ranging concern over the program. That only increased with the disclosure of further programs from the agency — with codenames like PRISM and BLARNEY — that allow access to the content of information sent across some of the Internet’s most popular platforms. The response from privacy advocates across the political spectrum has been condemnation of the programs’ secrecy and overarching intrusiveness on the part of the federal government.

However, that focus on the potential violations of civil liberties is being undercut the more former NSA contractor Edward Snowden reveals. The shift began with the news that President Obama had signed off on a directive to begin planning for how the United States could bring to bear offensive capabilities in cyberspace and against whom. A summary of the directive had been made public months earlier, but the directive itself had remained classified and secret until it was first reported in the Guardian. While the previous leaks had been related to the public’s right to know about what actions the government was taking against U.S. citizens, the cyberwar document could not be considered the same.

Likewise, the next scoop featured what was touted as an all-seeing system through which the NSA could easily sort through where the communications data it collects came from — including the United States. Its existence has caused no small amount of trouble for Director of National Intelligence James Clapper, who had previously indicated to Congress that the NSA did not collect this type of information from Americans without a warrant. “Not wittingly, there are cases where they could inadvertently perhaps collect, but not wittingly,” Clapper told Congress at the time. What the program — known as Boundless Informant — revealed, however, went beyond the information collected on U.S. citizens, instead also detailing the NSA’s collection work from networks in Iran, India, and Pakistan.

Justice

How An Obscure Court Case Could Result In Zero Consumer Cybersecurity Enforcement

In 2012, the Federal Trade Commission (FTC) filed suit against Wyndham Hotels and its subsidiaries, alleging that Wyndham’s failure to prevent a series of cybersecurity breaches, which resulted in the export of the credit card data of hundreds of thousands of consumers to Russia and at least $10.6 million in fraudulent charges, constituted unfair and deceptive practices. But if the FTC loses the coming court case, it could signal the end of the only effective program the federal government has to compel private companies to properly secure data they collect about consumers.

The FTC has regularly assumed an enforcement role on consumer interests in cybersecurity matters, citing its authority to investigate deceptive and unfair practices under Title 5 of the FTC Act, but investigations have routinely ended in settlements or agreements to improve cybersecurity practices. In 2010, Twitter agreed to implement a comprehensive data security plan as part of an FTC settlement and was barred from misleading consumers about their ability to protect the privacy of personal information after “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter,” including the ability to see private messages and post phony tweets. Google agreed to pay a $22.5 million fine in 2012 after violating a previous FTC settlement by misrepresenting privacy practices to users of Apple’s Safari browser.

The Wyndham case represents the first time such an investigation will go to court and a judge will have the opportunity to weigh in on the scope of the FTC’s ability to protect consumer interests in the cybersecurity space.

The FTC alleged the first Wyndham breach occurred in April 2008 as a result of a brute force attack where hackers guessed passwords, made easier by some pretty obvious oversights “including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.” But even after the first breach, the FTC alleges Wyndham failed to remedy known security vulnerabilities or implement appropriate response procedures. As a result, the FTC says, hackers were able to use similar techniques to compromise systems two more times in 2009.

Wyndham argues in legal filings that it worked with law enforcement agencies, took remedial measures to address the breaches, and no hotel guest suffered financial injury to the best of its knowledge, even though they were alerted to the later 2009 breach by credit card companies that noticed fraudulent charges appearing shortly after consumers stayed in Wyndham hotels.

But more importantly, Wyndham has asked that the case be dismissed on the grounds that the FTC doesn’t have the oversight to punish companies for inadequate information security practices. Filings cite the existence of other more specific data laws, as well as an FTC report from 2000 where Wyndham’s lawyers say the agency acknowledged that “it lacked authority to require firms to adopt specific data-security practices” as evidence that the FTC doesn’t have the ability to pursue enforcement in this area. The U.S. Chamber filed an amicus brief agreeing with that position, saying that the FTC’s actions amounted to punishing businesses that are the victims of criminal hacking.

However, that same 2000 report specifically asserts that “failure to comply with stated information practices may constitute a deceptive practice in certain circumstances, and the Commission has authority to pursue the remedies available under the Act for such violations” under the heading “Current FTC Authority.” The agency argues that Wyndham’s practices were deceptive because it misled consumers into believing their data would be secure with Wyndham in their privacy policy and unfair because they failed to provide adequate cybersecurity measures to protect the personally identifiable information of its customers.

Despite the economic and privacy risks represented by data breaches — like, say, identity theft or credit card fraud — Congress has been unable to agree on an approach to mitigating the threat, resulting in no one agency being specifically tasked with enforcing any level of cybersecurity standards on the private sector. But the FTC has stepped up to the plate and applied their general agency mandate to those risks associated with current data collection practices.

That’s why if Wyndham succeeds in getting the case dismissed, they will have not only escaped accountability for allegedly lax data security practices — they may effectively leave Americans without anyone watching their digital backs.

Security

Hacking Of Google’s Surveillance Database Raises Questions About New Surveillance Proposal

The Washington Post reported earlier this week that Chinese hackers gained access to Google’s surveillance database — potentially obtaining years’ worth of data related to search warrants and Foreign Intelligence Surveillance Act (FISA) orders — in a counterintelligence operation several years ago known as Operation Aurora. While this recent revelation is troubling in and of itself, the fact that this sensitive, and presumably well-secured, information was breached may also serve to validate concerns about the security risks of a proposed update to a wiretapping law.

According to the Post, Google discovered the surveillance database had been compromised in the course of investigating the 2009 Aurora hackings and the company alerted the FBI. Although Google publicly disclosed a breach and identified China as the source of the assault in 2010, it was identified then as an attempt to spy on Chinese human rights activists.

The new revelations suggest Aurora was a Chinese counterintelligence operation, similar to the one exposed in a report from cybersecurity firm Mandiant earlier this year, and one of its goals was to discover which Chinese agents were under surveillance by U.S. law enforcement. Aurora reportedly targeted at least 34 companies, including other major tech companies that likely maintain similar databases such as Yahoo. A Microsoft official speaking at a conference this April suggested they were facing attacks in the same time period, and identified the Chinese as “trolling” for information about surveillance orders.

Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, declined to comment on either the Microsoft or Google cases to the Washington Post, but said these types of intrusions should serve as “a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector” which “clearly need strengthening.” But despite those concerns, the government continues to pursue policies that put a great deal of responsibility in the hands of private sector actors.

For instance, proposed updates to the Communications Assistance for Law Enforcement Act (CALEA) would charge companies like Google with the creation and security of secret backdoor access points in communications software. CALEA is a wiretapping law that requires telecommunications companies to provide a way for law enforcement to snoop on communications as they happen. It was originally passed in 1994 to ensure that law enforcement maintained access to wiretapping capabilities as the telephone infrastructure went digital, and has since been expanded to include VoIP and broadband internet traffic. But the law currently doesn’t apply to third-party non-telecom companies, like Google and Facebook. Officials say that when those companies started using end-to-end encryption (ironically, after Google’s systems were compromised during Operation Aurora) it became prohibitively difficult to carry out real-time snooping on some targets. That’s because end-to-end encryption basically creates a protected tunnel that information can flow through without being directly accessed by the telecom companies that are required to have intercept capabilities.

Security

Why Iran May Pose A Greater Cybersecurity Risk Than China

China and Iran have shared a position as cyber-bogeymen over the past year, but a new report from the Wall Street Journal about Iranian infiltration of U.S. energy firms shows why their cyber-assaults could pose a greater immediate threat to U.S. national security.

While China pursues aggressive cyber-espionage campaigns against major U.S. companies and news sources, Iranian-backed hackers are more overtly hostile — targeting critical infrastructure vulnerable to sabotage or engaging in disruptive economic actions, like when Iranian-backed hackers leveraged data centers to wage a massive distributed denial of service (DDoS) attack against financial institutions.

From a strategic standpoint, the differences between the Chinese and Iranian strategies make sense. The Chinese government is interested in the long game and is a key player in the global market, while, as Tom Kellerman, Vice President of cybersecurity firm Trend Micro, told the Wall Street Journal, “Iran has been successfully ostracized from global economics” so destructive cyber attacks serve to “not only empower themselves but to signal to the Western world they are capable in cyberspace.” Proving that capability may be especially important to Iran because its nuclear program was the target of Stuxnet malware, reportedly jointly developed by U.S. and Israeli cyber-forces.

The more recent Iranian-backed attacks go a step further than outside disruptions like the DDoS attacks according to U.S. officials, showing that hackers penetrated the computer networks running energy companies and gained access to the software controlling oil and gas pipelines. With access to that control-system software, hackers could potentially manipulate the flow of fuel, possibly even trigger power outages — something that could have truly devastating national security implications, especially considering that about 85 percent of the energy infrastructure the Department of Defense depends on is commercially owned.

In a March worldwide threat assessment statement to the Senate Select Committee on Intelligence, the Director of National Intelligence identified cybersecurity threats as the top threat facing the United States, specifically noting that while “advanced cyber actors” like Russia or China were unlikely to launch a devastating attack on our power grid, “less advanced but highly motivated actors could access some poorly protected U.S. networks that control core functions, such as power generation, during the next two years.”

A report on the vulnerability of the electric grid released by the offices of Congressman Edward Markey (D-MA) and Henry Waxman (D-CA) last week suggests a substantial number of those networks are poorly protected, with many only implementing mandatory cybersecurity measures from the North American Electric Reliability Corporation (NERC) that are often several years behind the current cyber-threat landscape.

Security

The U.S. Outsources Cybersecurity & Defense To Contractors That Keep Getting Hacked


Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites, drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.

According to Bloomberg, documents released in the Anonymous Stratfor hack reveal QinetiQ was compromised as part of a cyber-espionage attack originating in China — and notes the breach was part of a much broader campaign targeting U.S. contractors:

“QinetiQ’s espionage expertise didn’t keep Chinese cyber-spies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed [...]

QinetiQ was only one target in a broader cyberpillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.”

U.S. intelligence reports ranked cyber threats as the top danger facing the country for the first time in April, but tensions have been running high about the government’s ability to protect digital assets and intelligence for years. A 2011 Department of Justice report noted that only 64 percent of FBI agents assigned to national security-related cyber investigations had the appropriate skills and expertise to handle those types of cases.

Government cybersecurity contracting exploded during the Bush Administration, with many roles traditionally filled by government employees or resources outsourced to external companies over whom the government has less oversight. The Obama Administration has made efforts to curb that trend, but that expansion, combined with a lack of cybersecurity expertise in the military and federal agencies, resulted in many cybersecurity defense operations being outsourced or completed under the heavy supervision of outside contractors. This has sometimes led to less than ideal outcomes, despite a 2011 General Services Administration (GSA) rule requiring all contractors and subcontractors that provide federal agencies with IT services, systems, or supplies to submit a cybersecurity plan that matches government regulations.

Security

How the Upcoming Iranian Election Is Already Being Fought Online

While tensions in Syria dominate headlines about the Middle East, a quiet digital battle is brewing in Iran as the June 14 presidential election approaches.

Yesterday, the Basij force of the Iranian Revolutionary Guard claimed its websites were being targeted in a wave of cyberattacks:

“Due to the impending vote, elements of the global arrogance have launched a new round of cyberattacks against Basij websites, particularly Basij.ir.”

According to local Iranian news sources, the Basij.ir site was down for part of the day on Wednesday (May 1) and a spokesman for the group claimed its sites faced many attacks in the past three years. However, the Basij is better known for being the aggressor in cyberattacks. In 2011 it launched a cyberattack against the “enemies” of Iran and has actively recruited hackers to boost its ranks.

Iran had over 8 million internet users in 2009, and online communications including social media and email were key to galvanizing and organizing opposition in the last Iranian Presidential election and the protests that followed. Since then, the regime has cracked down harder than ever on online communications with aggressive surveillance and filtering in what President Obama decried as an “Electronic Curtain” in 2012. Internet access was disrupted before the 2012 parliamentary elections and at other times Iranian authorities have blocked specific web services, such as Google.

While the regime cracked down in March on tools like the virtual private networks (VPNs) many Iranians use to avoid government internet controls, hacktivists outside the country are helping provide alternatives to further keep online communications channels open. One group, ASL19 — an interdisciplinary lab named after Article 19 of the Universal Declaration of Human Rights that upholds the right to freedom of expression and access to information — specifically aims to “empower Iranians to communicate freely and engage in dialogue with minimal threat to personal safety.” The group reportedly helps a million Iranians a day avoid network censorship by distributing the open source evasion program Psiphon.

But the regime has even been working on an internal intranet, often dubbed the “halalternet,” that would be completely closed off from the larger global internet system, and is reportedly very close to being deployed on a broad scale. Chinese technology company Huawei reportedly provided the Iranian government the technological infrastructure for the intranet, and according to Reuters, attempted to sell Iranian internet providers “lawful interception” surveillance tech that they later “acquired.”

Security

Report: Repressive Regimes Obtain Western Spying Tech To Monitor Dissidents

Political activists and dissidents are increasingly being targeted for digital surveillance, turning the democratizing power of innovations in communications technology against them — and all too often it appears Western tech companies may be the ones selling that technology to countries with poor human rights records.

A new report released on Wednesday by Citizen Lab at the University of Toronto shows how the commercialization of digital spying has made it easier than ever for repressive regimes to get their hands on technology that helps authorities monitor and crack down on opposition groups:

“Companies selling surveillance and intrusion software commonly claim that their tools are only used to track criminals and terrorists. FinFisher, VUPEN and Hacking Team have all used similar language.

Yet a growing body of evidence suggests that these tools are regularly obtained by countries where dissenting political activity and speech is criminalized.

Our findings highlight the increasing dissonance between [United Kingdom-based Gamma International's] public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists.”

FinSpy, the most prominent technology detailed in the report, is malware that is part of the commercial FinFisher intrusion kit distributed by Gamma. The malware is often distributed through email phishing scams with the installer for the program disguised as a different type of file attached to an email. Once a target is infected, the malware provides broad ranging digital surveillance, from spying via webcams and microphones and monitoring of video and email communications to keylogging and harvesting files from the hard drive. The program can also hide itself from antivirus scans. It delivers this intelligence and receives orders by connecting with remote command and control (C&C) servers. Today’s report reveals that FinSpy C&C servers have been observed operating in 36 countries since initially being discovered by security researchers in 2012 — including in many with suspect human rights records like Bahrain, Vietnam and Ethiopia.

While Gamma says on its website that the surveillance suite is solely offered to Law Enforcement and Intelligence Agencies, because some regimes criminalize dissent or broadly categorize criminal activity to include organizing political opposition, the concept of distributing surveillance packages for “lawful interception capabilities” to those countries is effectively moot. Although Gamma is tight-lipped about who it sells to and no nations are willing to acknowledge using the package, FinSpy continues to show up again and again being used to target activists and other political dissidents.

Last year, the New York Times reported that FinSpy was being deployed against Bahraini activists without criminal histories. Gamma blamed that incident on demonstration copies of FinSpy being stolen, despite previous denials that its product had been identified at all. FinSpy also recently surfaced in Ethiopia, where it was being distributed disguised as images of an Ethiopian opposition group and in Malaysia disguised as a list of political candidates targeting native Malay speakers. After the fall of Egyptian President Hosni Mubarak, an invoice for the FinFisher platform was found in the Egyptian State Security Headquarters, although it is unclear if a sale was completed.

Privacy International has made repeated inquiries to the United Kingdom questioning if the distribution of Gamma’s technology violates export laws, but as of yet the relevant agencies have “categorically refused to provide any details regarding any investigation into Gamma’s export practices.”

Gamma and other Western tech companies mentioned in the Citizen Lab report are not the only groups reportedly helping states with questionable human rights records establish digital surveillance. Last year it was revealed that Chinese company Huawei offered to sell a “lawful interception solution” to an Iranian telecommunications company and supplied the technological infrastructure behind the closed intranet system Iran is currently developing.

Security

Cybersecurity Bill’s GOP Sponsor Mocked For Saying Opponents Are Just Kids Tweeting


Opponents of the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) are challenging sponsor Rep. Mike Rogers (R-MI) to debate a 14-year-old about the merits of the proposal. The site, TheMikeRogersChallenge.com, was recently launched by Fight for the Future in response to Rogers’ claim that opponents of CISPA are 14-year-old “tweeters” in their basements.

The site claims it is “confident that even a 14-year-old in a basement could demolish Rogers’ weak arguments for CISPA” and is also seeking an appropriate teen challenger, who must be prepared to send videos of themselves explaining CISPA and pictures of their basement as part of the application process. Fight for the Future also launched the CispaIsBack.org petition shortly after the proposal was reintroduced this year.

In March, Rep. Rogers accidentally tweeted and deleted a link to a story about how Members of the House Intelligence Committee, which Rogers chairs, “received 15 times more from pro-CISPA groups than anti-CISPA orgs.” He also used #CISPAalert in a series of pro-CISPA tweets, apparently unaware that the hashtag was set up by the Electronic Frontier Foundation and helps fund the fight against CISPA. Data released by MapLight yesterday shows House Members as a whole “have received 16 times as much money ($67,665,694) from interests supporting CISPA than from interests opposing ($4,164,596).”

CISPA is aimed at creating a functional information sharing structure for cyber threat intelligence, but civil liberties organizations, the White House, and a number of security experts and academics believe the privacy protections and regulatory definitions are seriously flawed. The bill passed the House yesterday, but is facing a presidential veto threat similar to the one that killed a 2012 proposal of the same name.

While civil liberties groups have presented a number of fixes for areas of critical concern in the legislation, amendments to resolve privacy issues were largely unsuccessful in the closed House Intelligence committee hearing and opponents remain unimpressed by the version that passed the House. Rep. Mike McCaul (R-TX) invoked the tragic bombings in Boston during the House debate over CISPA amendments yesterday, claiming that the legislation needed to be rushed through “in the name” of Boston because cyber attacks represented “digital bombs [...] bombs are on their way.”

Security

Everything You Need To Know About The Cybersecurity Bill Privacy Advocates Are Warning You About


The House started considering the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) on Wednesday and is expected to vote today — just two days since the White House threatened to veto the bill after it passed out of the House Intelligence Committee by an 18-2 vote in a closed session last week. Now a passionate policy debate is taking place about the importance of protecting civil liberties while solving a very real problem: How to allow government to provide threat intelligence information to victims of cyber attacks.

CISPA was reintroduced in February to immediate backlash from civil liberties groups, with the petition site cispaisback.org warning “the bill that would end our online privacy — is back in Congress despite public outrage and warnings from experts.” Only Reps. Jan Schakowsky (D-IL) and Adam Schiff (D-CA) voted against the proposal in committee, citing the same privacy concerns and issues related to maintaining civilian control over private sector data that led the White House to kill a similar proposal after it passed the House in 2012 with a veto threat much like the one currently employed.

By most assessments, privacy protections and regulatory definitions in CISPA have some gaping holes — even many security experts agree. And given the track record of government transparency surrounding surveillance tech, privacy and civil liberty advocates are understandably suspicious. The relationship between the civil liberties community, government, and telecommunications companies remains tainted by the Bush-era National Security Agency warrantless wiretapping program which led to legislation giving retroactive immunity to companies that cooperated. Clapper v. Amnesty, a case questioning the constitutionality of the wiretaps, was dismissed earlier this year due to lack of proper standing — leaving the question of their legality unresolved. So when faced with a broadly written law that could involve the NSA, it was no surprise that progressive and libertarian groups alike came out in opposition to CISPA after it was reintroduced this legislative cycle. And it looks like their concerns have not been mitigated.
