Tag Archives: Edward Snowden

No Protection for IC Whistle Blower Contractors


(Photo: Mike Mozart / Flickr)

“POGO”

“The restoration of Intelligence Community (IC) contractor whistle blower rights would help safeguard billions of taxpayer dollars in government contracts, grants, and reimbursements annually.

“Snowden: “I had read the laws. I knew that there were no whistle blower protections.”

Snowden’s disclosure to the media is a perfect example of why intelligence contractors need a mechanism to safely disclose suspected waste, fraud, and abuse.

Three years after Edward Snowden’s leaks, it appears that everyone has an opinion about him—traitor, hero, or somewhere in between. However, there is one undeniable fact surrounding Snowden’s circumstances that has been misreported by Congress and the Executive Branch far too many times: the Intelligence Community (IC) contractor would have had almost no protections had he come forward through proper channels.

Sure, Snowden could have gone to his supervisors and disclosed his concerns. However, had that supervisor retaliated against Snowden by firing him or demoting him, he would have had no protections because he was an IC contractor. In the absence of adequate protections, IC contractors have only two alternatives to almost certain retaliation: 1) remain silent observers of wrongdoing, or 2) make anonymous leaks.

This has not always been the case though. In fact, IC contractors enjoyed the gold standard of whistleblower protections for four years, between 2008 and 2012.

The NDAA for fiscal year 2008 contained temporary provisions that allowed all Department of Defense (DoD) contractors, including those at the National Security Agency (NSA), to enforce their whistleblower rights through district court jury trials. Additionally, in 2009, comprehensive whistleblower protections were enacted for all government contract employees paid with stimulus funds, including other IC agencies like the Central Intelligence Agency. Contrary to predictions that contractor whistleblowers would flood the courts, only 25 cases were filed from 2008 through 2012 under the DoD contractor provision (including from the intelligence community).

This whistleblower shield was so successful in deterring contractor waste and abuse that the Council of Inspectors General for Integrity and Efficiency proposed a permanent expansion for all government contractors. In 2012, McCaskill introduced a whistleblower protection amendment for all government contractors that won bipartisan Senate approval in the fiscal year 2013 NDAA.

However, during that NDAA’s closing conference committee negotiations, whistleblower rights were extended only to contractors outside of the intelligence community. Preexisting rights for IC contractors were also removed, despite a proven track record that the law was working as intended and no evidence that the law had any adverse impacts on national security during its five-year lifespan.

To better protect taxpayer dollars, our country and Americans’ privacy, Congress must restore whistleblower protections for intelligence contractors and stop feeding the false narrative that such protections exist.”

http://www.pogo.org/blog/2016/09/protect-whistleblowers-ic-contractors.html

United Nations Report: Whistleblowers Need Protection


“POGO”

The report highlights key elements of protections for whistle blowers.

Daniel Kaye, the United Nations’ Special Rapporteur for Freedom of Expression, recently submitted a report to the General Assembly on the protection of whistle blowers and sources [and includes] participation by 28 states and non-governmental organizations (NGOs).

A defense for blowing the whistle in the national security field would be a welcome one, as whistle blowers often face prosecution under the Espionage Act, which could mean years of costly litigation for simply trying to expose practices that make us less secure.

Among a host of best-practice protections featured in the report, the Special Rapporteur focuses particular attention on national security whistle blowers and sources, those whistle blowers who are often subject to criminal prosecution for exposing serious problems.

Notably, the report recommended a public interest balancing test for disclosures in the national security field that could be used to claim protection from retaliation or as a defense when facing prosecution. This balancing test would promote disclosures where the public interest in the information outweighs any identifiable harm to a legitimate national security interest, and requires that the whistle blower disclose no more information than reasonably necessary to expose wrongdoing.

This balancing test is similar to one proposed last year by Yochai Benkler, a law professor and co-founder of the Berkman Center for Internet and Society, and supported by the Project On Government Oversight.

The full report contains many best-practice recommendations that our Congress should consider to strengthen whistle blower protections domestically.”

http://www.pogo.org/blog/2015/10/united-nations-says-whistleblowers-need-protection.html

CIA Has Tried for Years to Break Into Apple Gear


“WIRED”

“The CIA has been working with security researchers to hack into Apple’s technology since long before we all carried Apple devices around in our pockets.

That’s according to a new report from The Intercept, based on documents supplied by National Security Agency whistleblower Edward Snowden. The story lays out in detail how, for nearly a decade now, the CIA has been working on ways to penetrate Apple’s iPhones and iPads, in order to collect data on Apple customers, which Apple CEO Tim Cook has publicly and repeatedly vowed to protect.

According to the report, researchers have been targeting Apple’s security keys, which encrypt user data, as well as working on their own version of Xcode, Apple’s software development tool, which would give the intelligence community access to any apps developed using the modified tool—access which Apple does not otherwise allow. One document cited in the report notes that this tool could “force all iOS applications to send embedded data to a listening post.” These and other findings have been presented annually at the CIA’s Trusted Computing Base Jamboree conference.

The goal of this research, according to the documents, was to make the CIA less dependent on “a very small number of security flaws, many of which are public, which Apple eventually patches.” The new methods researchers have been pursuing were designed to go undetected. And yet, The Intercept reports that none of the documents indicate whether or not these methods have been proven to work.

If successful, however, the implications of such breaches would be immense, because, as Matthew Green, a cryptography expert at Johns Hopkins University’s Information Security Institute told The Intercept, “Every other manufacturer looks to Apple. If the CIA can undermine Apple’s systems, it’s likely they’ll be able to deploy the same capabilities against everyone else.”

This report comes less than a year after Apple launched a new website, detailing the lengths the company goes to to protect user data. In an open letter, CEO Tim Cook wrote that Apple had never allowed government agencies access to a “backdoor” to its products and services. “And we never will,” he added. The site also noted that on iOS 8, all user data is protected by users’ own passwords, which Apple cannot bypass. These default encryption settings earned high praise from privacy advocates but spurred widespread criticism from government officials, including U.S. Attorney General Eric Holder and FBI Director James Comey, who said such protections could cripple law enforcement investigations.

According to one American Civil Liberties Union technologist quoted in The Intercept, these changes have only served to fuel the intelligence community’s desire to seek out vulnerabilities in Apple’s encryption technology. It’s an effort that is well funded, and not limited to Apple’s products. According to one classified budget, a 2012 project designed to infiltrate “strong commercial data security systems” received $35 million in funding.

The projects are part of an overarching shift at the CIA toward cyberespionage. Just last week, CIA director John Brennan issued a memo stating that digital technology must be “at the very center of all our mission endeavors.” Brennan’s memo seemed to suggest that this shift was a reaction to intelligence officers’ dwindling involvement in armed conflict in Iraq and Afghanistan. “Now they have to go back to old-school spying, recruiting agents, getting people to tell you secrets in a peaceful environment,” he wrote. And yet, the Agency’s heightened interest in infiltrating American companies on American soil seems to tell a different story.

It’s a strategy that Green believes could not only threaten American privacy, but also the US economy. “US tech companies have already suffered overseas due to foreign concerns about our products’ security,” he told The Intercept. “The last thing any of us need is for the US government to actively undermine our own technology industry.”

http://www.wired.com/2015/03/cia-apple/

NSA, Britain’s GCHQ allegedly seized encryption keys for millions of phones


Image: “The Hacker News” http://thehackernews.com/2015/02/nsa-hacks-sim-encryption-keys.html

“WASHINGTON POST”

“British and American spy agencies allegedly hacked into a Dutch company that makes SIM cards to obtain encryption keys used to shield the cellphone communications of millions of customers around the world, according to a report in the Intercept.

Citing documents obtained by former intelligence contractor Edward Snowden, the online publication reported Thursday that Britain’s GCHQ and the National Security Agency targeted Gemalto, the world’s largest manufacturer of SIM cards.

The multinational firm’s clients include AT&T, T-Mobile, Verizon and Sprint, as well as hundreds of wireless network providers around the world. It produces 2 billion SIM cards a year, the Intercept reported.

The cards, which are chips barely larger than a thumbnail, are inserted into cellphones. Each card stores contacts, text messages, the user’s phone number and an encryption key to keep the data private.

Gemalto produces the SIM cards for cellphone companies, burns an encryption key onto each and sends a copy of the key to the provider so its network can recognize an individual’s phone.

According to the Intercept, GCHQ targeted Gemalto employees, scouring their e-mails to find individuals who might have access to the company’s core networks and systems that generate the encryption keys. The goal, the publication said, was to steal large quantities of keys as they were being transmitted between Gemalto and its wireless network providers.

The NSA did not immediately respond to a request for comment.

Stealing the encryption keys makes it possible to eavesdrop on otherwise-encrypted communications without undertaking the more difficult challenge of cracking the encryption. It also avoids alerting the wireless company or the person using the phone.

The NSA’s interception of phone calls and other content is bound by different legal standards. A warrant is required to target an American’s calls and e-mails. In general, targeting a foreigner’s communications for collection overseas does not require a warrant.

The publication cited one 2010 GCHQ document that said that agency personnel developed “an automated technique with the aim of increasing the volume of keys that can be harvested.”

The document acknowledged that in searching for keys, operatives would harvest “a large number of unrelated items” from targeted employees’ private communications. However, it said, “an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches” of keys.

The GCHQ documents also described operations targeting other major makers of SIM cards, the Intercept said.”

http://www.washingtonpost.com/world/national-security/nsa-britains-gchq-allegedly-seized-encryption-keys-for-millions-of-phones/2015/02/19/369cc8b0-b883-11e4-9423-f3d0a1ec335c_story.html

Terrorist Strategy – Paranoia & Western Economic Degradation on Intelligence Gathering


“DEFENSE ONE”

“Every American suspected of traveling abroad to join ISIS is the subject of an active FBI investigation, according to Michael Steinbach, assistant director of counterterrorism for the FBI. Steinbach called on Congress to stop companies like Google and Apple from offering data encryption solutions to their customers, arguing that encryption makes it impossible for law enforcement to monitor terrorist or extremist talk.

Security experts and even some Navy SEALs argue that encryption keeps the nation safer from cyber attacks by keeping user information more secure.

Compared to the summer of 2013, U.S. intelligence professionals have seen a “pendulum swing” in the willingness of European law enforcement to share information with the United States on European citizens, said Nicholas J. Rasmussen, director of the National Counterterrorism Center, or NCTC, on Wednesday.

Things have turned around since summer 2013, when NSA contractor Edward Snowden first disclosed some of the nation’s most closely kept secrets on surveillance capabilities. Rasmussen said that “the politics are difficult for some of our European partners” but tracking Islamic State fighters, or ISIS, has become a priority.

Rasmussen, before the House Committee on Homeland Security, said that European partners continue to differ from U.S. counterparts on the issue of bulk metadata collection. But European reservations about data sharing in more targeted investigations had “seen a dramatic improvement,” particularly in populating the NCTC’s database, called the Terrorist Identities Datamart Environment, or TIDE. It is one of the key person-of-interest watch lists that the U.S. and other countries use to track potential or suspected terrorists.

Thanks in part to better collaboration, he said, the Turkish “banned from entry list” now includes 10,000 individuals who are primarily European citizens. Turkey is seen as the most direct route that foreign fighters in Europe use to join ISIS in Iraq and Syria.

Some of that intelligence sharing comes from tracking people in transit through new, expanded DHS powers to screen people seeking entry into the U.S., particularly those hailing from one of the 38 countries participating in the Visa Waiver Program. People attempting to enter the country without a visa have to submit information to the Electronic System for Travel Authorization, a computer system that can automatically grant visa waivers and entry.

Apple in September announced changes to their newest operating system to better encrypt user data, as previously reported by Defense One. “On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes and reminders is placed under the protection of your passcode … Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data … So it’s not technically feasible for us to respond to government warrants,” they say in a statement on their Website.

Google similarly announced that it would begin to encrypt data by default on future versions of the Android phone.

Steinbach said that the ability to track communications on devices was essential to current investigations of individuals related to ISIS, especially in the United States. “Without that lawful tool, we risk an attack,” he said.

He further offered that several subjects the FBI was targeting have begun to use encryption to avoid detection and thwart investigation, but would not reveal in the open hearing the number of subjects that had “gone dark.”

It is “frankly irresponsible,” he said, for companies to offer software updates that allow no lawful means for law enforcement to intercept data.”

http://www.defenseone.com/technology/2015/02/dramatic-improvement-us-and-european-intel-sharing-because-isis/105120/?oref=defenseone_today_nl

USIS Loses Federal Background Check Business


Image: Whistleblower Insider

“THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)”

“This move was somewhat expected, given the government’s suspension of USIS’s work last month after a cybersecurity attack on the company compromised the personal data of thousands of government employees. In addition, the Justice Department is asserting in a False Claims Act lawsuit that USIS fraudulently submitted 665,000 background checks between 2008 and 2012 that were either incomplete or not properly reviewed. Among the individuals USIS screened during that time was NSA whistleblower Edward Snowden. USIS also performed a 2007 background check on Navy Yard shooter Aaron Alexis.

It was reported last week that background check contractor U.S. Investigations Services LLC (USIS) will lose a large chunk of its federal business starting next month. The Office of Personnel Management (OPM) will not renew USIS’s $2.5 billion Background Investigation Fieldwork contract and its $288 million Background Investigation Support Services contract.

USIS issued the following statement regarding its reversal of fortune at the OPM:

“We are deeply disappointed with OPM’s decision, particularly given the excellent work our 3,000 employees have delivered on these contracts. While we disagree with the decision and are reviewing it, we intend to fulfill our obligations to ensure an orderly transition. The Company continues to provide high quality service to its many other valued government customers.”

As noted in the statement, USIS still has contracts with other federal agencies—a situation that has become a matter of concern in both the House and Senate. The OPM is still making up its mind on whether to impose a government-wide contracting ban on USIS. Given the impact on USIS’s bottom line, however, the loss of its OPM contracts arguably has as much impact as a suspension or debarment.”

http://www.pogo.org/blog/2014/09/20140916-usis-loses-federal-background-check-business.html