Get Where+When delivered to your inbox every Monday and Thursday.

And why another tool, known as PRISM, sounds far more troubling. By Shane Harris

We're learning more about how that enormous cache of telephone metadata at the National Security Agency is actually used. According to two sources in the intelligence community who have worked with the system, it's one of many tools available to analysts working on terrorism investigations or providing intelligence for military forces overseas. 

One former defense intelligence employee describes it this way: 

The NSA makes a list of names and/or phone numbers available to analysts who are cleared to use the meta database. These names and/or numbers have been obtained by NSA through other collection programs, presumably legal ones. The analysts input those names and/or numbers to the meta database, which will then show any connections to phone numbers in it. 

The meta database itself doesn't contain any names--it is only phone numbers. If there's a number that's based in the United States, the analyst only sees an "X" mark. If he wants to see the number underneath that X, he has to get clearance from higher authority--in this source's experience that was the general counsel of the organization where he worked. 

The source also said the tool wasn't particularly useful. It's there to help analysts better understand the links between potential terrorists, and to help identify them. But the analyst said that searching for numbers and names on Google often led to better results. 

An intelligence official who has used the meta dabtase confirmed the description of how it works. But he said the presence of so many "innocent" numbers in the system posed a challenge. Analysts have to weed through them to find only the numbers they're allowed to see without permission from a higher authority. 

The meta database is one of dozens of different systems or intelligence streams available across the intelligence agencies. From the sources' descriptions, it sounds relatively mundane compared to the other tools that are available. 

However, one of those other tools, which was revealed yesterday by the Guardian and the Washington Post, called PRISM, appears far more secretive and less widely used. Neither of these source had ever heard of it. The former defense intelligence employee expressed alarm that, according to reports, the system gives the NSA direct access to the central servers of some of the country's biggest Internet companies, including Facebook and Yahoo!, and then lets analysts obtain e-mails, video and audio files, photographs, and documents. 

This individual said he couldn't explain how, based on his training and experience, the PRISM system complies with the law. It doesn't seem to be discriminate enough in separating US person's content--such as their e-mails--from those of foreigners. The government almost always needs a warrant to look at content. 

Reportedly, PRISM sweeps up the information of US persons when analysts tap into those central servers. They're instructed to document these "incidental collections," but are told, according to a training manual reviewed by the Post, that "it's nothing to worry about" if Americans are caught up in the stream. 

The intelligence official said that based on reports, the PRISM system would have to be collecting massive amounts of information, and that NSA was likely the only agency with the computing power and the storage space to handle it all. The agency has been running out of electronic storage at its Ft. Meade, Md., headquarters and has built a new 1-million square foot data center in the Utah desert. 

Posted at 12:37 PM/ET, 06/07/2013 | Permalink | Comments ()
The spy agency has been receiving Americans' phone records for years. By Shane Harris

Multiple officials are now confirming that the National Security Agency's practice of collecting all telephone metadata from Verizon, as first reported by the Guardian, is part of a program that has been active for years. A US intelligence official tells me that orders of the kind delivered to Verizon in April are routine. Sen. Dianne Feinstein said today that the collection of metadata from phone companies is a seven-year-old practice. And an unnamed source told the Washington Post that the order appears to be similar to one first issued by the Foreign Intelligence Surveillance Court in 2006, and that it is “reissued routinely every 90 days” and not related to any particular government investigation. 

Here’s what else we know so far about this massive intelligence collection program, a few things we might infer, and some big unanswered questions. 

What is the government doing with all this phone metadata? 

According to a senior administration official, “Information of the sort described in the Guardian article has been a critical tool in protecting the nation from terrorist threats to the United States, as it allows counterterrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States.” 

This is a description of standard link analysis. Say the government obtains the phone number for a suspected terrorist. It then runs that number against the huge metadatabase. If there’s a match, presumably the government then obtains some other authority to find out who the number in the metadatabase belongs to; according to the court order, and the administration official, the metadata does not contain the names of phone subscribers. It’s just phone numbers, lengths of calls, and other associated data that’s not considered “content.” 

What can you learn with metadata but no content? 

A lot. In fact, telephone metadata can be more useful than the words spoken on the phone call. Starting with just one target’s phone number, analysts construct a social network. They can see who the target talks to most often. They can discern if he’s trying to obscure who he knows in the way he makes a call; the target calls one number, say, hangs up, and then within second someone calls the target from a different number. With metadata, you can also determine someone's location, both through physical landlines or, more often, by collecting cell phone tower data to locate and track him. Metadata is also useful for trying to track suspects that use multiple phones or disposable phones. For more on how instructive metadata can be, read this. 

Where is all that metadata being stored? 

According to the court order, at the National Security Agency. The electronic spying agency is headquartered in Ft. Meade, Md. But it has been running out of digital storage space there, as well as electricity to keep all its systems up and running. The NSA has built a new facility in the Utah desert, called, appropriately, the Utah Data Center. And it recently broke ground on another facility at Ft. Meade. 

How does that data get from the phone companies to the NSA?  

We still know little about the physical infrastructure that transmits the metadata. But we do know, from the order, that Verizon is sending the information to the NSA “on an ongoing daily basis.” That’s an extraordinary amount of information considering it covers millions of customers making multiple calls a day. In simple terms, we’re talking about a lot of pipes and cables leading from Verizon locations—like switching stations—to NSA facilities. We know from a whistleblower at AT&T that surveillance equipment was set up at the company’s offices in San Francisco as part of the NSA’s efforts to monitor terrorists after the 9/11 attacks. 

What else might the NSA or other government agencies be doing with this metadata? 

As I wrote in my book, The Watchers, the NSA has long been interested in trying to find unknown threats in very big data sets. You’ll hear this called “data mining” or “pattern analysis.” This is fundamentally a different kind of analysis than what I described above where the government takes a known suspect’s phone number and looks for connections in the big metadatabase. 

In pattern analysis, the NSA doesn’t know who the bad guy is. Analysts look at that huge body of information and try to establish patterns of activity that are associated with terrorist plotting. Or that they think are associated with terrorist plotting. 

The NSA spent years developing very complicated software to do this, and met with decidedly mixed results. One such invention was a graphing program that plotted thousands upon thousands of pieces of information and looked for relationships among them. Critics called the system the BAG, which stood for “the big ass graph.” For data geeks, this was cutting edge stuff. But for investigators, or for intelligence officials who were trying to target terrorist overseas, it wasn’t very useful. It produced lots of potentially interesting connections, but no definitive answers as to who were the bad guys. As one former high-level CIA officer involved in the agency’s drone program told me, “I don’t need [a big graph]. I just need to know whose ass to put a Hellfire missile on.” 

How big a database do you need to store all this metadata?

A very, very big one. And lots of them. That facility in Utah has 1 million square feet of storage space. 

But just storing the data isn’t enough. The NSA wants a way to manipulate it and analyze it in close to real-time. Back in 2004, the agency began building “in-memory” databases, which were different than traditional databases that stored information on disks. In-memory was built entirely with RAM, which allows a computer to hold data in storage and make it ready for use at an instant. With disks, the computer has to physically go find the data, retrieve it, and then bring it into a program. If you’re trying to analyze entire telephone networks at once—and that is precisely what the NSA wanted to do—a disk-based system will be too slow. But the NSA’s in-memory databases could perform analytical tasks on huge data sets in just a few seconds. 

The NSA poured oceans of telephone metadata into the in-memory systems in the hopes of building a real-time terrorist tracker. It was an unprecedented move for an organization of the NSA’s size, and it was extremely expensive. 

That was 2004. The court orders issued to Verizon, we’re told, go back to as early as 2006. It appears that the NSA has had an uninterrupted stream of metadata for at least seven years. But the agency was getting access almost immediately after 9/11. That could mean there’s more than a decade’s worth of phone records stored at the NSA’s facilities.

Posted at 01:39 PM/ET, 06/06/2013 | Permalink | Comments ()
DOD officials disclosed names of military personnel who helped kill terrorist leader, despite commanders' concerns about their safety. By Shane Harris

From the looks of it, about the only people who were reluctant to help two top filmmakers on their movie about the raid that killed Osama bin Laden were the people who actually planned the raid and pulled it off. 

All the other key players, from the Pentagon to the White House to the CIA were on board and eager to tell the Obama administration’s side of the story to Mark Boal and Kathryn Bigelow, who, the day after the raid in May 2011, set to work on Zero Dark Thirty, trying to get access to top officials at the Defense Department and the CIA, as well as in the secretive confines of special operators who planned and executed the mission.  

The administration's exuberant, occasionally giddy assistance to the filmmakers, who had previously collaborated on an Oscar-winning film about the war in Iraq, is documented in a Defense Department Inspector General report obtained and posted online by the Project on Government Oversight. It finds that Leon Panetta, who at the time of the raid was the CIA Director, revealed names of special operations personnel involved in the raid, as well as other information that was designated Top Secret. 

Pentagon officials were also eager to assist the filmmakers and arrange meetings with people who helped plan the raid. In the course of these discussions, administration officials revealed the names of military special operators who were not supposed to be publicly identified, partly over concerns that they or their families could be targeted for retribution. 

But in contrast to the Obama administration's aggressive pursuit and prosecution of unauthorized disclosures of classified information and other leaks, apparently no action was taken against Panetta or the other officials who freely shared sensitive information with the filmmakers. Military officers thought operational security and protection of their forces should trump all. Political and policy level officials were not exactly indifferent to that concern, but they were keen to tell the administration’s side of this extraordinary story, and to ensure their bosses came off in the best possible light. 

Among those pushing hardest to cooperate with Bigelow and Boal was Douglas Wilson, then the Assistant Secretary of Defense for Public affairs and the Pentagon’s top communications strategist. 

Wilson leaned on Adm. Eric Olson, the Special Operations commander, to cooperate with the filmmakers' research about the raid. Wilson noted that Panetta “wants the [Defense] Department to cooperate fully with the makers of the [bin Laden] movie.” Michael Vickers, the Undersecretary of Defense for Intelligence, was about to meet with the filmmakers and “want[s] to know what [to] say,” Wilson told Olson in an e-mail. 

Olson said Boal and Bigelow could use a set of talking points that had been drawn up “to ensure accuracy and provide context to the movie project.” Then he reminded Wilson that one of his special operations planners, who had been involved in preparations for the raid, should “not be identified by name as having participated in any way.” 

This planner, according to the inspector general report, apparently knew many of the details about the preparations for taking down bin Laden and how the raid unfolded. He was so involved that as negotiations with the filmmakers unfolded, the planner was seen as qualified to speak on behalf of Olson, as well as the commander of the elite Joint Special Operations Command, Adm. Bill McRaven. 

Olson was especially sensitive to protecting the planner’s identity from public disclosure. And McRaven said keeping the names of all those involved in the planning and execution of the raid a “top aspect” of the mission. The Defense Department had provided “inordinate security” to the operators and their families, according to McRaven, and had gone so far as to brief them on whom to call if they noticed anything suspicious at their homes. 

But at an interview in the Pentagon with Bigelow and Boal on July 15, 2011, Vickers gave the filmmakers with the name of that special operations planner. The next day, Boal e-mailed a public affairs desk officer at the Pentagon to “obtain access” to the planner. 

Vickers and Wilson exchanged e-mails. “Very many thanks for this,” Wilson wrote, referring to his meeting with Bigelow and Boal. “Think they came away very happy” from the meeting. Wilson said he’d put the filmmakers in touch with Olson’s “key planner,” and that this “should complete for now their requests of DOD.” 

Wilson exchanged a few excited emails with George Little, the Pentagon press secretary, who had also made himself available to Bigelow and Boal. “We’re going to the premiere of the Boal/Bigelow movie next year,” Little wrote. 

“We’ll be hosting it :-),” Wilson replied. 

Little, who was director of CIA public affairs at the time of the raid, said that Panetta hoped Al Pacino would play him in the movie. “That’s what he wants, no joke!” 

“They will,” Wilson replied. 

Panetta was portrayed in the film by James Gandolfini. 

At the same time, that special operations planner was sending e-mails to Pentagon officials, and speaking with Vickers, about the meeting he was expected to have with Bigelow and Boal. The planner wanted to talk first with a DOD public affairs officer, who noted in an e-mail exchange that press accounts were circulating about administration officials possibly providing the filmmakers with special access as well as classified information about the raid, something the public affairs officer denied. 

“We may want to let the dust settle a little,” the public affairs officer advised the special operations planner. 

According to the planner, this was his last communication with the public affairs officer, and he never met with Bigelow and Boal. 

But Boal did attend an awards ceremony at CIA headquarters on June 24, 2011, that recognized the efforts to track down bin Laden. DOD special operators were present, but not in a “cover status” that would have used a guise to protect where they worked and what they did, the report found. “No precautionary measures” were taken to keep Boal from identifying any of the operators. 

It was at this ceremony that Boal was given another name of a DOD special operator who was involved in the bin Laden mission, the report states. This operator was not in a cover status, but the individual's name was not supposed to be publicly revealed.  

There were conflicting accounts of whether the awards ceremony was a small gathering or a large affair, and whether it was really all that sensitive. According to one attendee, special operators were present in uniform with their names visible on their uniforms. 

But the DOD tried to stop Boal from attending, according to the report. A public affairs officer at the department claimed that Panetta’s chief of staff, Jeremy Bash, intervened and insisted that Boal come. Bash denied this, and said the decision to let Boal attend the ceremony came from discussions between the CIA’s public affairs shop and the filmmakers. (Little was the head of CIA public affairs at the time.) 

At the event, Panetta gave a speech and “specifically recognized the unit that conducted the raid and identified the ground commander by name,” the report says. He also provided information designated Top Secret and Secret--the report doesn’t say what the information was. 

Later, McRaven was personally introduced to Boal. He was “surprised and shocked” that a filmmaker was allowed to the ceremony at CIA headquarters, the report says. The event was closed to the press. 

Ultimately, no classified tactics, techniques, or procedures were revealed in the back and forth between Obama administration officials and the filmmakers, the report found. And McRaven and his subordinates said they weren't concerned that they had been. 

Still, the apparent lack of response by the administration to keep sensitive information from being publicly revealed stands in contrast to the aggressive attempts to staunch leaks of other secrets and details about intelligence and military operations. The episode also underscores the distinction between authorized disclosures--which these all appeared to be--and unauthorized ones. 

Posted at 08:56 AM/ET, 06/05/2013 | Permalink | Comments ()

Alex Gibney's new documentary We Steal Secrets: The Story of WikiLeaks, opens in Washington today at the AFI Silver. In a review last month, I wrote that most struck me about the film is how Army Pfc. Bradley Manning emerges as the surprising hero, since the story of WikiLeaks is generally most associated with its flamboyant founder, the Australian hacker Julian Assange. It turns out this was a surprise for Gibney, too. 

I met Gibney last week while he was in town promoting the movie, and he explained that when he began research for the film, he assumed it would largely be about Assange and the rise of an organization dedicated to exposing government secrets and holding officials accountable. Gibney had watched WikiLeaks' "Collateral Murder" video, which shows a US helicopter firing on a group of people that the pilot believes are Iraqi insurgents, but who were actually unarmed civilians and journalists. 

"It was biased, but I was ok with that," Gibney said. "Because [Assange] also presented the full video" in addition to edited clips and captions, along with the provocative title. Gibney had never met Assange, but he saw him as a "classic whistleblower." 

Gibney hoped Assange would give him access and sit down for on-camera interviews, just as disgraced New York Governor Eliot Spitzer had done for Gibney's movie Client 9, about Spitzer's procurement of prostitutes and the demise of his political career.  But according to Gibney, Assange wanted something in return for his cooperation--money. When Gibney refused to pay, he said, Assange asked whether he would reveal information that he'd gleaned from other sources, in effect spy on people who'd been talking about Assange. 

At this point, Gibney's perception of his would-be leading man seems to have changed. "By the time I got on the story, [Assange] was incredibly famous," Gibney said. "He was surrounded by lawyers, sycophants, and agents. He was used to people doing things for him." 

In the film, Gibney uses Assange's chosen hacker alias, Mendax, or "noble liar," as a thematic touchstone. Gibney asserts that Assange wants to hold the powerful and corrupt to account, but he exempts himself from the same scrutiny. "He thinks the ends justify the means," Gibney told me. As I wrote in my review, Assange's story comes across as a cautionary tale about narcissism, and Gibney concludes that WikiLeaks has become the thing it set out to destroy: An autocratic regime that survives by cult of personality and secrecy. 

This helps explains how Manning came to be the pivotal figure in the film. Gibney came to see the young Army private not as Assange's source, but as the key figure in WikiLeaks' biggest publication, the disclosure of thousands of intelligence reports from combat zones and a trove of diplomatic cables. 

The credit for the biggest exposure of classified documents history, Gibney said, belongs to Manning, not Assange. "Really, the Wikileaks 'war logs' are the 'Manning logs." Without Manning, Assange never would have obtained the material that made him a global celebrity and dramatically enhanced WikiLeaks' influence. 

Manning was a kind of "everyday hero," Gibney said, but with motives that he calls "complicated" and "not pure." 

"There was a huge component of political consciousness" to what Manning did, Gibney said. Manning's state of mind when he gave the information to WikiLeaks, as well as his intentions, are key factors that will help decide how severely he is punished. 

Manning has already pleaded guilty to a number of charges. His court-martial for the remaining alleged offenses is set to begin June 3. 

"I hope the movie will make [him] more sympathetic," Gibney said. 

Posted at 10:30 AM/ET, 05/31/2013 | Permalink | Comments ()

With drones poised for takeoff in US airspace beginning in 2015, questions are mounting over how governments will use remotely-piloted eyes in the sky to monitor everything from traffic patterns to wastewater runoff. 

One association that represents private forest landowners, and whose members include some of the country's largest owners of timberland, says the government has effectively admitted that it's using drones to "spy" on private owners in the name of preventing pollution. The Forest Landowners Association is now polling its members to ask "your thoughts on the government using satellite and drone technology to glean insight about your land." 

The questions the group wants to answer show where future conflicts may erupt between government and private interests over the use of technology that, heretofore, has mainly been used to monitor enemies in combat.  

1. Are you concerned that with advances in satellite and drone technology the government has the ability to take a closer look at your land?

2. What does it have a right to know? 

3. Are there boundaries on your property rights? 

4. Have you ever had an instance where you wondered how the government knew certain things about your property? 

Scott Jones, the association's CEO, said his group is concerned about "our rights as private forest landowners" in light of Senate testimony in April by Bob Perciasepe, the acting administrator of the Environmental Protection Agency. Jones said that under questioning from lawmakers about the EPA's use of drones to monitor animal feedlots for signs of water pollution, the acting chief admitted that the agency "was utilizing drones to 'spy' on private lands." 

At the hearing, Sen. Mike Johanns (R-Neb.) accused the EPA of using the remotely-piloted aircraft to monitor people, not just pollution. "You're flying at low altitudes, you're flying over law-abiding people who are trying to do everything they can to honor your rules and regulations and you're not coming down on the bad actors," Johanns said. "You're checking on everybody and it feels terrible. It feels like there's a federal agency out there spying and on American citizens." 

Perciasepe rejected that characterization and said the drones allowed the EPA "a very efficient way for us to narrow where we go to on the ground, [to] talk to landowners about what they're doing." 

But Sen. Roy Blunt (R-Mo.), who noted that his own parents were dairy farmers, wasn't persuaded. “You said it's not like you were spying on people. What term would you use?"

"We're looking for where there may be animals and their waste in the water. And so, we are not looking at people at all," Perciasepe replied. 

"So you're spying on animals?" Blunt asked. 

“Well, we're looking to see where we would send inspectors to see if there was a problem of water pollution. So I don’t know that the animals are what we're spying on. We're looking at the conditions that could be creating water-quality violations.”

Jones, the association CEO, called the agency's use of drones "heavy handed." 

"We launched a poll to our membership, who own and operate more than 43 million acres of private forestland, so they could weigh in with their concerns, which we intend to share with lawmakers and the administration." The group's members include large companies such as Weyerhaeuser and Georgia-Pacific, as well as owners of small land tracts.  

The EPA has attempted to mollify critics of its drone flights and says it wants to hear about objections. "I understand the perception that you're bringing up," Perciasepe told Johanns. "It's helpful for me to hear the intensity of it and I will bring that back." 

Posted at 02:05 PM/ET, 05/29/2013 | Permalink | Comments ()

Among the most coveted pieces of information in the malware business are so-called zero-day vulnerabilities, weaknesses or flaws in computer software for which there is effectively no defense from exploitation. The market for zero-days has been booming as security companies and researchers sell vulnerabilities they've discovered to government organizations. The US military and intelligence community are believed to be some of the biggest buyers, and they'd prefer that other countries, particularly hostile ones, not acquire these building blocks of cyber weapons. 

But how does a company know that it's not unwittingly selling that information to Iran or North Korea, or to a Chinese spy? Or a terrorist? The Commerce Department has some tips for determining whether the buyer is on the up-and-up (at least as far as US interests are concerned) that may be useful. 

Is the buyer "reluctant to offer information about the end-use of a product"? Does he decline routine services like installation and on-site maintenance that come with the product? Is the customer "willing to pay cash for a very expensive item when the terms of the sale call for financing"? According to the "Know Your Customer" program, which is part of the US export control regime, these are "red flags" that should alert a seller to investigate whom he's actually doing business with. 

The guidelines don't apply specifically to information security or any single product or service.They're meant to prevent sellers from allowing sophisticated or dangerous technology to fall into the hands of adversaries or hostile groups. Zero-days could easily fit on that list. 

One company that sells zero-day exploits to governments, VUPEN, says it won't do business with anyone that doesn't fully comply with with the Know Your Customer guidelines. The company is based in France, but has adopted the US guidelines as a standard practice. American security firms, including anti-virus software manufacturers,  are also covered by export controls on their products. 

The guidelines advise sellers to proceed with caution if "the product's capabilities do not fit the buyer's line of business; for example, a small bakery places an order for several sophisticated lasers." Is the final destination for the product "a freight forwarding firm"? Red flag. Is the customer "unfamiliar with the product's performance characteristics but still wants the product"? (Think learning how to fly a jet aircraft without wanting to know how to land it.) Red flag.  

Here is the full list of 12 warning signs: 

Possible indicators that an unlawful diversion might be planned by your customer include the following:

1. The customer or purchasing agent is reluctant to offer information about the end-use of a product.

2. The product's capabilities do not fit the buyer's line of business; for example, a small bakery places an order for several sophisticated lasers.

3. The product ordered is incompatible with the technical level of the country to which the product is being shipped. For example, semiconductor manufacturing equipment would be of little use in a country without an electronics industry.

4. The customer has little or no business background.

5. The customer is willing to pay cash for a very expensive item when the terms of the sale call for financing.

6. The customer is unfamiliar with the product's performance characteristics but still wants the product.

7. Routine installation, training or maintenance services are declined by the customer.

8. Delivery dates are vague, or deliveries are planned for out-of-the-way destinations.

9. A freight forwarding firm is listed as the product's final destination.

10. The shipping route is abnormal for the product and destination.

11. Packaging is inconsistent with the stated method of shipment or destination.

12. When questioned, the buyer is evasive or unclear about whether the purchased product is for domestic use, export or reexport.

Posted at 11:27 AM/ET, 05/29/2013 | Permalink | Comments ()
In a muddled and confusing speech, signs that some wartime powers won't be withdrawn. By Shane Harris

A number of observers were perplexed by President Obama's grand-strategy speech yesterday at the National Defense University. Was it an apologia or an apology? Did the speech mark a hardening of counterterrorism policies or the beginning of their end? The President seemed to want to do both. He may end up satisfying no one. 

Obama was at once on the side of some of his fiercest critics, particularly with regards to targeted killing. And yet he mounted what is surely the most full-throated defense to date by any president of the commander-in-chief's authority to order lethal drone strikes in the nation's self defense. He insisted that the war on terror, like all wars, must end--"That’s what history advises. That’s what our democracy demands." But there was little to hang onto in the way of commitments, timetables, or markers that will tell us how much closer we are to that end. 

To the list of confusing and often contradictory propositions about the state of US national security, add these lines. 

"Meanwhile, we strengthened our defenses--hardening targets, tightening transportation security, giving law enforcement new tools to prevent terror. Most of these changes were sound. Some caused inconvenience. But some, like expanded surveillance, raised difficult questions about the balance that we strike between our interests in security and our values of privacy." 

This was one of the rare moments of understatement in the President's address. Decisions, often secret ones, to allow agencies of the federal government broader authorities to monitor the communications of Americans are among the most fateful actions undertaken in the war on terror. They have fundamentally transformed that balance of which the President spoke. And yet they have received precious little debate or reconsideration since the attacks of 9/11.

Perhaps it's because the questions raised by expanded surveillance are so difficult that the President spent practically no time answering them. His lengthy speech was devoted to profound matters, namely interrogation, detention, and targeted killing, but those are policies that have directly affected a vastly smaller number of Americans than has broadened monitoring of phone calls, e-mails, and other personal data of millions of people. 

There was no talk of NSA warrantless wiretapping. No mention of the Patriot Act. No discussion of amendments to the Foreign Intelligence Surveillance Act--amendments that Obama once opposed as a presidential candidate, and that have been the subject of a Supreme Court challenge. Nor did the President speak a word about threats to the nation's cyber infrastructure, which has been a top action item for his national security team. Like expanded surveillance, strengthening the nation's cyber defenses through greater monitoring of the Internet, which is what the administration is calling for, is freighted with implications for privacy and civil liberties. 

The only hint the President gave that he might be inclined to reexamine US surveillance policy came in a discussion of homegrown terror plots.

"[I]n the years to come, we will have to keep working hard to strike the appropriate balance between our need for security and preserving those freedoms that make us who we are.  That means reviewing the authorities of law enforcement, so we can intercept new types of communication, but also build in privacy protections to prevent abuse.

"That means that--even after Boston--we do not deport someone or throw somebody in prison in the absence of evidence. That means putting careful constraints on the tools the government uses to protect sensitive information, such as the state secrets doctrine. And that means finally having a strong Privacy and Civil Liberties Board to review those issues where our counterterrorism efforts and our values may come into tension.

Building privacy protections into the fabric of surveillance systems is much easier said than done. Paradoxically, it is the government's deep-rooted obsession with secrecy and applying so many different levels of classification and control to intelligence that makes it hard to build a system that can uniformly protect personal information. Different agencies treat personal information according to different standards and regulations. There's really not a one-size-fits-all proposition, and the government doesn't have a viable plan to find one.  

As for reviewing the authorities of law enforcement, there is no effort underway to repeal or curtail them. However, the administration is looking to expand the powers of law enforcement to monitor communications on the Internet.  

And as for the Privacy and Civil Liberties Oversight Board, it's no secret this has been one of the slowest-going, and to many, one the least effective counterweights to a widening net of digital monitors.   

The President's nod to "the balance that we strike" between security and privacy felt perfunctory. It seemed thrown in for appearances sake, like the also-confused passages about the need to prevent leaks of national security information without chilling journalists and their sources, which is precisely what the administration's clamp down on leaks is designed to do.

On surveillance, there was nothing in the speech that suggested a change of course, a ratcheting down, or a return to pre-wartime footing. Having written at length on the history of this subject, I'd already concluded that the surveillance state was here to stay. I suppose the President's speech makes it official. More or less. 

Posted at 11:30 AM/ET, 05/24/2013 | Permalink | Comments ()
Intelligence agency has "found some appalling things" when examining the security of corporate networks. By Shane Harris

In a rare public appearance, a senior intelligence official who has worked on the front lines of securing Defense Departments computer networks said it would be "almost immoral" for the DOD to focus on protecting itself and not apply that expertise to the commercial sector. 

Speaking at a conference in Washington on Tuesday, Charles Berlin, the Director of the National Security Operations Center at the National Security Agency, said, "The mission of the Department of Defense" is not merely to protect the department. "It's to protect America." 

"I've been on the ramparts pouring boiling oil on the attackers for years," Berlin said, referring to NSA's efforts to repel intrusions into DOD and military networks, which have been broadly successful. But he sounded frustrated that there weren't more ways for his agency to protect the country as a whole. "At the present time, we're unable to defend America," Berlin said. 

The operations center that Berlin runs is the heart of the NSA's efforts to provide early warning about threats, including to information networks. Berlin said the NSA was looking for ways to take the skills it has developed in the government and "apply [them] to the private sector." 

But many executives, as well as lawmakers and privacy advocates, are uneasy about the NSA, which is a military organization that spies on foreign countries and terrorists, taking on a larger role protecting private networks inside the United States. 

Currently, the Homeland Security Department, a civilian agency, has the legal authority to provide companies with warnings about cyber attacks. But much of that intelligence comes from the NSA. The agency does not work directly with all American companies. And yet, it is undoubtedly the reservoir of expertise in government for how to defend networks from potentially devastating assaults. Of particular concern to the Obama administration are threats against critical infrastructure, such as public utilities and the financial sector networks, as well as industrial espionage by hackers in China. 

"There needs to be a team effort" to protect private networks, Berlin said. He noted that the NSA had been invited to examine the networks of some companies and "found some appalling things" in how they were being run. For example, Berlin said he knew of US defense contractors doing business in China and Korea that had not taken relatively easy and practical steps to raise the defenses of their networks and protect proprietary information. That's troubling to the NSA since defense contractors have secret government information on their networks, which makes them a frequent target of cyber spies.   

Berlin spoke at a conference sponsored by SAS, a business analytics software and services company. 


Posted at 03:51 PM/ET, 05/22/2013 | Permalink | Comments ()
The government has been aggressively pursuing those who disclose secrets, and the reporters they talk to, for a decade. By Shane Harris

You’d be forgiven for not believing it, but there was a time when seizing a reporter’s private e-mails and accusing him in court documents of possibly aiding and abetting a criminal conspiracy for doing his job would have been unthinkable. 

By now, were well acquainted with the Obama administration's unprecedented prosecutions of suspected leakers, and how that pursuit has ensnared journalists and jeopardized their ability to protect their sources identities. But this anti-leaking zeal didnt begin in 2009 with the inauguration of Barack Obama. 

The course was set in 2003, when an influential appeals court judge opined that journalists supposedly legal right not to reveal their sources, known as “reporters privilege,” was complete bunk. The privilege—or at least lawyers perception of it—was the constitutional cornerstone that backed up journalists pledges never to reveal the names of people who talked to them in confidence. But now that the legitimacy of the privilege was questioned, prosecutors were emboldened to acquire reporters confidential information using tactics they wouldnt have dared try in a prior era. 

In a piece for the magazine three years ago, I wrote about how federal prosecutors have flexed their legal muscles over the past decade, and how the undermining of the reporters privilege helps explain why the Obama administration is so keen to go after leakers and is willing to turn journalists into unwitting, and unwilling, tools of investigations. Here are the key moments in the timeline. 

July 2003: Judge Richard Posner of the Seventh Circuit writes an opinion explaining why the court had ruled against a group of authors who refused to hand over tape recordings of interviews theyd done with a source. Unexpectedly, Posner argues that the landmark Supreme Court decision in Branzburg v. Hayes that supposedly established reporters privilege actually did no such thing.

Journalists dont have an “absolute” privilege to protect their sources, Posner writes. Instead, courts need to “make sure” that a media subpoena “is reasonable in the circumstances. . . . We do not see why there need to be special criteria merely because the possessor of the documents or other evidence sought is a journalist.” 

Posner lowers a gate separating the government and the press. And within a few years, federal prosecutors are climbing over it. 

December 2003: US Attorney Patrick Fitzgerald, acting as a special prosecutor in the investigation of who may have leaked the name of CIA officer Valerie Plame to news reporters, subpoenas five journalists to testify before a grand jury. Judith Miller of the New York Times refuses to comply and eventually spends 85 days in jail.  

“Plamegate” becomes a watershed for the press, in large part because Miller fought the subpoena and lost. This becomes a precedent that weakens reporters assertion of privilege where the underlying leak, in this case identifying a clandestine CIA officer, might involve a crime. In retrospect, then-Times executive editor Bill Keller wonders whether the paper should have tried to strike a deal with prosecutors that would have prevented Miller from having to fight the subpoena and go to jail. 

February 2006: The Justice Department investigates the source of a New York Times article that revealed a secret program of warrantless surveillance by the National Security Agency. In testimony before a Senate panel, Attorney General Alberto Gonzales is asked whether the administration had considered “any potential violation [by the newspaper] for publishing that information.” Gonzales replies, “Obviously our prosecutors are going to look to see all the laws that have been violated. And if the evidence is there, they’re going to prosecute those violations.” 

This is the first time any administration official has hinted that the government might prosecute journalists under criminal law for reporting on national security information. 

March 2006: A pair of FBI agents shows up at the Bethesda home of Mark Feldstein, a journalism professor and former investigative reporter for CNN. They demand that Feldstein hand over decades-old documents that he’d been researching for a book on investigative columnist Jack Anderson, who’d died a few months earlier. When Feldstein asks what crime the FBI was investigating, an agent replies, “Violations of the Espionage Act.”

The agents say theyre investigating a case involving two lobbyists for the American Israel Public Affairs Committee who’d been indicted for receiving classified information. The FBI wants Feldstein to tell them the names of reporters who’d worked for Anderson and who held pro-Israel views and had pro-Israel sources.

Feldstein doesnt hand over the documents or assist the FBI. He later writes that the agents actions “suggested that the bureau viewed reporters’ notes as the first stop in a criminal investigation rather than as a last step reluctantly taken only after all other avenues have failed.”

May 2006: A federal prosecutor subpoenas two reporters for the San Francisco Chronicle who’d seen transcripts of confidential grand-jury testimony in an investigation of the Bay Area Laboratory Co-Operative (BALCO), which produced performance-enhancing drugs for athletes. The reporters linked well-known players to steroid use, including players who publicly proclaimed that theyd never taken drugs. The government wanted to know who had violated the rules of grand-jury secrecy and shown court documents to the reporters.

The BALCO case tests the limits of internal guidelines that Justice Department lawyers are supposed to follow when subpoenaing members of the media. No national-security issue was at stake, nor was knowing who leaked the grand-jury information, which was a crime, necessary to establish the guilt or innocence of anyone involved in steroid use. The subpoenas were approved by Attorney General Gonzales.

Mark Corallo, the Justice Department spokesman under Gonzales’s predecessor, John Ashcroft, later says the prosecutors had broken the department’s rules. “This was an abuse of power,” Corallo tells the PBS news program Frontline. “. . . The government just did not meet the standards set by their own guidelines. . . . This one doesn’t even come close.”

The reporters, who had once been personally thanked by President George W. Bush, a former baseball team owner, for their public service journalism, ultimately avoid going to jail when their source identifies himself. 

August 2006: A freelance videographer, Joshua Wolf, is sent to jail after he refuses to turn over video footage of a protest in San Francisco in which a police car was burned and an officer was injured. Wolf spends 226 days in prison. He is released when he finally agrees to turn over his uncut footage. 

January 2008: The Justice Department subpoenas New York Times reporter James Risen, demanding to know the source of information for a chapter in his book, State of War, about a botched CIA operation against Iran. The government had been investigating the case for two years, and had considered trying to halt the books publication, in 2006. Risen resists the subpoena, which eventually expires at the end of the Bush administration. 

February 2008: Newspaper reporter Toni Locy is held in contempt of court for refusing to identify her sources for a series of articles in USA Today. Locy had written in 2001 about Steven Hatfill, a virologist who was identified as a “person of interest” in the anthrax attacks, allegations that later proved false. Hatfill sued the government for violating his privacy and subpoenaed several journalists to find out who in the government fingered him as a suspect. 

The Justice Department, which is defending the US government in the civil suit, argues that Judge Reggie Walton “should reject this attempt at expanded discovery” and quash Hatfills subpoena. Walton disagrees, underscoring judges new willingness not to recognize the reporters privilege, even in non-criminal cases. He rules that for every day Locy refuses to testify, she must pay $5,000 in penalties out of her own pocket. The decision is stayed pending appeal, and a court eventually vacates the judges ruling, but only because Hatfill had settled his case with the government, rendering Locys testimony needless. The appeals court did not reach any decision about the reporters privilege. 

April 2010: The Justice Department subpoenas New York Times reporter James Risen a second time. Judge Leonie Brinkema questions why the government needs a subpoena when there appears to be enough evidence of who the leaker is to secure an indictment. She requires prosecutors to get the sign-off of Attorney General Eric Holder. Risen continues to fight the subpoena, and eventually Brinkema limits the questions the government may ask him in court. Risen appeals to keep that decision in place. The case could end up in the Supreme Court. 

May 2010: A federal judge authorizes a search warrant for the personal e-mails of Fox News reporter James Rosen in connection with the suspected leak of classified information about North Korea a year earlier. An FBI agent swears in an affidavit in support of the warrant that “there is probable cause to believe” that Rosen is violating a criminal law on disclosing “national defense information” by acting as “an aider and abettor and/or co-conspirator” with a State Department official suspected of being his source. Rosen is reportedly not informed that the government wants to search his e-mails and has no opportunity to resist the warrant. 

May 2013: The Justice Department informs the Associated Press that it had subpoenaed the phone records of several AP journalists. The records, obtained months earlier, include numbers dialed to and from phone lines in four AP offices, possibly implicating the communications of 100 journalists, over a period around two months. The Justice Department appears to be investigating an AP story on a successful CIA operation to thwart a bombing plot hatched in Yemen. 

Posted at 12:34 PM/ET, 05/21/2013 | Permalink | Comments ()

"To be at war, no matter where one is serving, is to sense palpably the possibility of death; if not to you, then to a friend or relative." That's how author James Charlton begins the third edition The Military Quotation Book (St. Martin's Press), which contains more than 1,100 memorable observations culled from an eclectic range of authors, philosophers, generals, politicians, and dictators. 

Image: Thomas Dunne Books

Charlton has written half a dozen other compendiums of quotes. This one contains a few golden oldies. There's former Director of Central Intelligence Allen Dulles' famous admonishment that "gentlemen do not read each other's mail," which is so demonstrably untrue that one wonders if Dulles said it as a joke. 

There are more than a few colorful quips from America's warrior giants, like Gen. George Patton: "Strategy if finding a sonofabitch whom you rank and telling him to take a place, and relieving him if he doesn't." And Abraham Lincoln, who could take a dim view of his commanders: "General McClellan is an admirable Engineer, but he seems to have a special talent for the stationary engine." 

Charlton traverses the field of pop culture, as well, as when he quotes Ian Fleming's Goldfinger: "They have a saying in Chicago: 'Once is happenstance. Twice is coincidence. The third time is enemy action.'" 

More than a few quotes seem especially instructive today. 

"War is capitalism with the gloves off." --Tom Stoppard 

"Wars are not paid for in wartime, the bill comes later." --Benjamin Franklin 

"To fight for a reason and in a calculating spirit is something your true warrior despises." --George Santayana 

"You will kill ten of our men and we will kill one of yours, and in the end it will be you who tire of it." --Ho Chi Minh 

"It is a very dangerous thing to organize the patriotism of a nation if you are not sincere." --Ernest Hemingway 

"The ability to get to the verge without getting into the war is the necessary art. If you try to run away from it, if you are scared to go to the brink, you are lost." --John Foster Dulles 

Posted at 12:30 PM/ET, 05/20/2013 | Permalink | Comments ()