Tag Archives: NSA

NSA/Penn State Free Online Cyber Security Course


FEDERAL NEWS NETWORK

You don’t have to be a professor, or even a cyber security, legal or policy expert.

Anyone from educators to federal employees to private sector managers can use the materials provided and educate others about this topic.

_____________________________________________________________________________


“Plenty of colleges have popular cybersecurity courses for young students looking to find a career, but even employees who don’t work in IT need to have knowledge of basic cybersecurity principles these days. There aren’t many such educational resources for people not looking to go into the cyber field, or who are already in the workforce.

That’s where the National Security Agency comes in.

They worked with Penn State University, as part of a broader initiative from the Department of Homeland Security, to develop a free online course to educate people on cybersecurity operations, law and policy.

“The NSA asked us to design a law course about cyber operations that can be taught to non lawyers, and really no requirement of any technical background or expertise,” Ann Toomey McKenna, a professor at Penn State’s Institute for CyberScience and one of the three professors who wrote the course, said on Agency in Focus: Intelligence Community. “They wanted a course that can be designed to be taught as a whole comprehensively, or in modules; smaller units of the course could be taken and taught independently. So in a very unusual way we went about this and we created a course designed to be taught in whole or part, and designed to be taught by anyone who might be interested.”

The course is offered for free through the Clark Center, operated by Towson University in Maryland. And Toomey’s isn’t the only course offered there; there’s a whole range of cybersecurity offerings as part of this program.

The course starts with a quick, introductory overview of how the U.S. government and legal system operate, so that everyone understands the legal framework around cyber operations and cybersecurity.

“I think folks need to be aware when they’re engaged in something that involves U.S. law, when are they engaged in something that could be considered a problem under the Computer Fraud and Abuse Act? When are we engaged in operations that implicate national security?” Toomey said.

The course does the same for technology concepts, such as the fundamentals of communications and cellular technologies. And then it goes into the legal foundations for modern cyber law and policy. That focuses on the Constitution and Bill of Rights, and how they’re applied to these concepts. For example, how does the Fourth Amendment and the right to privacy inform the Electronic Communications Privacy Act, or electronic surveillance?

“And then really the final module is where we get into cyber operations, and that’s sort of the meat of this from the standpoint of what we consider today an offensive operation and defensive operations,” Toomey said. “And we did it through sort of a cyber threat response framework, where we looked at operations by and against private actors, and how our domestic law comes into play and that intersection with international law and international norms in cyber operations. And then we really went through the international right to conduct cyber operations. And one thing we did to keep students engaged is use real-world case examples. So we talked about Estonia, we talked about different situations that folks can look at and read about in real news articles and think ‘okay, here’s how this played out. Here’s how the law works.’ And here’s how we intersect that technology, domestic law and national security.”

NSA-Approved Cybersecurity Law And Policy Course Now Available Online

Image: (CyberScoop / Chris Bing)

The course goes beyond those with a technical background: It’s available to undergraduates, law students, national security professionals, and anyone who is interested in brushing up on the technical, legal, and policy context.

“People are going to be looking at this who have no idea how an app functions or a phone functions down to people who know how to code,” [Anne McKenna – Penn State professor who organized the course].

______________________________________________________________________________

“Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by National Security Agency.

The course, which can be accessed through the CLARK Center, a curriculum management platform hosted at Towson University, touches on international and domestic cybersecurity law, cyber risk and technical details like how smartphones function, according to Anne McKenna, a Penn State professor who organized the course.

James Houck, director of Penn State’s Center for Security Research and Education, told CyberScoop that program will serve as a primer to the legal and technical details of offensive and defensive cyber-operations.

“What we’re trying to do … is create a framework for people who are trying to be introduced to cyber law, to offensive, defensive cyber operations, and for them to learn the fundamentals, the framework — and in our case legal authorities for how these work,” Houck said.

Houck clarified that although the NSA put out a Call for Proposal for the course’s creation, the course is unclassified and is not intended to cover internal NSA policy or business.

“The concept is: We create curriculum for the NSA, the NSA then, without centering it or trying to modify it, makes this curriculum available to professors around the country,” Houck said.

Although the course is not necessarily about NSA operations, taking the course could help future government employment applications stand out. The course description notes it may prepare students for “potential future employment with the U.S. Government in the cybersecurity field.”

The federal government has acknowledged it has particular challenges when it comes to hiring and retaining cybersecurity talent; the departments of Commerce and Homeland Security noted just last year the government “needs immediate and sustained improvements in its cybersecurity workforce situation.”

“Employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations,” the 2018 report notes. “Globally, projections suggest a cybersecurity workforce shortage of 1.8 million by 2022.”

A coordinated effort

Aside from the NSA’s involvement, the course aligns with the National Institute of Standards and Technology’s National Initiatives in Cybersecurity Education (NICE) by meeting a 2018 recommendation that more educational resources address government employers’ cybersecurity needs.

“So often in education we see someone studies technology or somebody studies domestic law or somebody studies international law and national security and there’s policy folks,” McKenna said. “But we are really trapped in those buckets of education even though everybody talks about interdisciplinary education, you don’t see very many programs that really make it a concerted effort.”

While the professors that designed the course are not representatives of the NSA, the NSA did contribute to developing the course, according to McKenna.

“We did work pretty directly with the NSA on the content,” McKenna said. “The NSA reviewed the content and said, ‘hey we want a little more of this a little less of this.’”

The NSA did not immediately provide comment on the process.

The curriculum


McKenna, Houck, and Scott Sigmund Gartner, the director of Penn State’s School of International Affairs, each contributed different parts of the thirty modules, namely the legal, policy, and technical portions respectively.

“If you want someone to not be able to be manipulated through cyber influence through false posting on social media, if you want to make somebody understand why we need to use two-factor authentication … encryption … we really need to understand broadly how systems function,” McKenna said.

The course, for instance, includes a technical overview of internet of things technologies and encryption, but also provides case examples of online disinformation, how social media platforms work, and details on the European Union’s General Data Protection Regulation (GDPR), the Clarifying Lawful Overseas Use of Data (CLOUD) Act, wiretapping laws, and international human rights laws.

International norms on cybersecurity are still developing and in flux, which creates a particular gap in the course, McKenna said. For instance, the State Department is still working with other nations at the United Nations to hammer out international norms of accepted behavior in cyberspace, such as not attacking civilian infrastructure in times of peace. The latest round of these conversations begin again this fall.

“There was no goal of, ‘this is what it should be and this is what it needs to be,’” McKenna said, noting the course does not advocate for any particular action or policy. “But it clearly identifies we need to be more educated and [have a more] integrated knowledge base.”

Chinese Hackers Found And Repurposed Elite NSA-Linked Tools

Image: Istock

CYBERSCOOP

A hacking group with ties to Chinese intelligence has been using tools linked to the National Security Agency as far back as March 2016, according to research from security firm Symantec.

_____________________________________________________________________________

“The tools include some released by the Shadow Brokers, a mysterious group that dumped computer exploits once used by the NSA on the open internet in April 2017. Symantec’s research suggests that the Chinese-linked group, which the company calls “Buckeye,” was using the same NSA-linked tools at least a year before they were publicly leaked.

According to Symantec, one of the tools used by Buckeye was DoublePulsar, a backdoor implant that allows attackers to stealthily collect information and run malicious code on a target’s machine. DoublePulsar was used in conjunction with another tool, which Symantec calls Trojan.Bemstour, that took advantage of various Microsoft Windows vulnerabilities in order to secretly siphon information off targeted computers.

The Trojan.Bemstour exploit allowed attackers to remotely manipulate a machine’s kernel, the core part of a computer’s operating system that manages resources such as memory. When put into action, the exploit can pull sensitive information from a targeted machine or can be combined in conjunction with other vulnerabilities to take control of the kernel.

One of the vulnerabilities was patched in March 2017. The other was reported by Symantec to Microsoft in September 2018 and patched in March 2019.

Buckeye used the tools in attacks that hit telecommunications companies, firms dedicated to scientific research and education institutions from March 2016 to the middle of 2017, according to Symantec. The group hit organizations in Belgium, Hong Kong, Luxembourg, the Philippines and Vietnam.

An infographic that shows the timeline of Buckeye’s use of NSA tools. (Symantec)

DoublePulsar has been linked to the Equation Group, an elite hacking team that the cybersecurity community has long attached to the NSA. One of the vulnerabilities leveraged by Trojan.Bemstour was also used by two other Equation Group exploits — EternalRomance and EternalSynergy — that were included in the Shadow Brokers’ April 2017 dump.

“How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown,” a blog post from Symantec reads.

The company does state there’s a possibility that Buckeye may have developed its own version of the tools after possibly observing an Equation Group attack and reverse-engineering the malware it caught by monitoring network traffic.

Buckeye — also known as APT3, Boyusec or Gothic Panda — has not been active since 2017, researchers said. Symantec found, however, that development of Trojan.Bemstour continued into 2019. The company said the most recent version of the exploit was compiled on March 23 — 11 days after Microsoft patched the last associated vulnerability. It is unclear who continued to use the tools in 2018 and 2019, according to Symantec.

Three alleged members of Buckeye were indicted in the U.S. in November 2017. At the time of the indictments, numerous cybersecurity researchers told CyberScoop there was a high probability that APT3 was linked with China’s Ministry of State Security (MSS). Serving as China’s civilian intelligence agency, analysts say the MSS has become Beijing’s preferred arm for conducting economic espionage.

The research comes days after the Department of Defense issued a report stating that China’s cyber-theft and cyber-espionage operations are accelerating to the point that they can “degrade core U.S. operational and technological advantages.”

“The threat and the challenge is persistent. The Chinese remain very aggressive in their use of cyber,” Assistant Secretary of Defense Randall G. Schriver said during a press briefing on the report.

The NSA did not return a request for comment.”

It’s Time to End the National Security Agency’s Metadata Collection Program

Image: “POGO”

“THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)”

“When the issues are taken together—severe costs to privacy, no evidence of security value, technical flaws—they indicate that we are better off without the NSA’s metadata collection program.”

______________________________________________________________________________

“This piece originally appeared on Wired.

“If it ain’t broke, don’t fix it,” the adage goes. But for the sunset of Patriot Act authorities later this year—including Section 215, a controversial provision that allows the National Security Agency to collect records, including those about Americans’ phone calls—the more applicable phrase may be “If it keeps breaking, throw it out.”

In 2015, Congress passed the USA Freedom Act to reform Section 215 and prohibit the nationwide bulk collection of communications metadata, like who we make calls to and receive them from, when, and the call duration. The provision was replaced with a significantly slimmed-down call detail record program, known as CDR. Rather than collecting information in bulk, CDR collects communications metadata of surveillance targets as well as those of individuals up to two degrees of separation (commonly called “two hops”) from the surveillance target. But this newer system appears to be no more effective than its predecessor and is highly damaging to constitutional rights. Given this combination, it’s time for Congress to pull the plug and end the authority for the CDR program.

It’s unsurprising that just last week a bipartisan group in Congress introduced a bill to do so. Last month, the New York Times reported that a highly placed congressional staffer had stated the CDR program has been out of operation for months, and several days later, NSA Director Paul Nakasone issued comments responding to questions about the Times story by saying the NSA was deliberating the future of the program. If accurate, this news is major but not shocking; this large-scale-collection program has been fraught with problems. Last year, the NSA announced that technical problems had caused it to collect information it wasn’t legally authorized to, and that in response, the agency had voluntarily deleted all the call detail records it had previously acquired through the CDR program—without even waiting for a court order or trying to save some of the data—indicating that the system was unwieldy and the data being collected was not important to the agency.

Since its inception, we have not seen a single publicized instance of the program providing any unique security value—and in fact, the program has damaged privacy significantly. In its most recent transparency report, the NSA announced that it collected a staggering 534,396,285 call detail records during the 2017 calendar year; the NSA states the number includes duplicates, but we have no way of knowing if this is a frequent issue. Without knowing the scale of the duplicates issue or the average number of CDRs per person, it’s difficult to say how many Americans this affects—the NSA claims it is unable to determine this, despite a statutory requirement to do so and publicly disclose it—but the number is certainly enormous. Our communications metadata can be highly sensitive and can reveal intimate details of our lives. Americans should not be subject to this type of surveillance absent suspicion, particularly if the program conducting it has not yielded any demonstrated value in preventing or investigating terrorism.
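The "two hops" scope and the records-versus-people gap discussed in the two paragraphs above, as an added example that is not part of the POGO piece: a small simulation of hop-limited CDR collection over a constructed call log, showing why a raw record count (with repeats) says little about how many people were swept in. The phone numbers, calls and query model are assumptions for illustration.

```python
"""
Two-hop call detail record (CDR) expansion over a constructed call log.

Added example; it is not part of the POGO piece. It models the scope of the
USA Freedom Act CDR program as the article describes it: the provider returns
the target's records, every number appearing in them is the first hop, their
records are pulled in turn, and the numbers in those are the second hop.
All phone numbers and calls below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample call log: (caller, callee, start_time, duration_seconds).
SAMPLE_CDRS = [
    ("555-0100", "555-0101", "2017-01-03T09:12", 240),
    ("555-0100", "555-0102", "2017-01-03T10:45", 60),
    ("555-0101", "555-0100", "2017-01-04T14:02", 120),  # return call within the same pair
    ("555-0101", "555-0103", "2017-01-05T08:30", 900),
    ("555-0102", "555-0104", "2017-01-05T19:10", 30),
    ("555-0104", "555-0105", "2017-01-06T07:55", 600),  # 555-0105 sits three hops out
    ("555-0106", "555-0107", "2017-01-06T12:00", 45),   # unrelated to the target
]


def index_by_number(cdrs):
    """Map each phone number to every record it appears in, as a provider query would."""
    index = defaultdict(list)
    for rec in cdrs:
        caller, callee = rec[0], rec[1]
        index[caller].append(rec)
        if callee != caller:
            index[callee].append(rec)
    return index


def hop_collection(cdrs, target, hops=2):
    """Simulate hop-limited collection starting from one surveillance target.

    Returns (hop_of, collected):
      hop_of    - {number: hop distance} for every number swept in (target is hop 0)
      collected - the records returned across all queries, in query order, with
                  repeats kept: a call between two queried numbers comes back once
                  per query, which is how a record count can exceed the unique count.
    """
    index = index_by_number(cdrs)
    hop_of = {target: 0}
    frontier = [target]
    collected = []
    for hop in range(1, hops + 1):
        next_frontier = []
        for number in frontier:
            for rec in index.get(number, []):
                collected.append(rec)
                for endpoint in (rec[0], rec[1]):
                    if endpoint not in hop_of:
                        hop_of[endpoint] = hop
                        next_frontier.append(endpoint)
        frontier = next_frontier
    return hop_of, collected


def summarize_collection(cdrs, target, hops=2):
    """The counts the article argues should be reported: raw records, unique records, people."""
    hop_of, collected = hop_collection(cdrs, target, hops)
    unique = set(collected)
    return {
        "people_in_scope": len(hop_of),
        "raw_record_count": len(collected),
        "unique_record_count": len(unique),
        "records_per_person": len(unique) / len(hop_of),
        "hop_of": hop_of,
    }


if __name__ == "__main__":
    summary = summarize_collection(SAMPLE_CDRS, "555-0100")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the sample log, a single target pulls in five people and eight raw records, of which only five are distinct; the number three hops out and the unrelated pair are never touched.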

When the issues are taken together—severe costs to privacy, no evidence of security value, technical flaws, the NSA’s willingness to broadly discard data it has collected, and a recent media report that the program has been shut down—they indicate that we are better off without this program.

But it’s important that Congress does more than just end the CDR program. Many in the privacy and civil liberties community worry that if the Section 215 metadata collection authority is no longer in use, the CDR program could still be active but justified with a different legal provision, and out of the public’s view. The public can only have confidence that congressional reforms are effective and not a meaningless game of whack-a-mole if lawmakers and the Privacy and Civil Liberties Oversight Board conduct rigorous oversight to find out whether such a shift happened with the CDR program. And if Congress does end the program, it should build in legal restrictions to ensure that the program cannot be restarted under a different authority.

The problems with the CDR program seem to be a continuation of the government’s misplaced faith in the nationwide bulk collection program that the CDR program replaced. After the government’s vehement defense of the need for bulk collection, the President’s Review Group on Surveillance, the Privacy and Civil Liberties Oversight Board, and eventually even the intelligence community’s top-ranking official stated that it had not provided unique value and was not necessary to fulfill counterterrorism goals.

As the December sunset approaches for several PATRIOT Act authorities, including Section 215, it is clear that the failed experiment of large-scale metadata collection needs to end. Prohibiting nationwide bulk collection received strong bipartisan support in 2015 during the USA FREEDOM Act debate. In the House, 196 Republicans and 142 Democrats voted for the bill—and most of those who voted against it did so because they felt the bill’s reforms did not go far enough—while over two-thirds of Senators also supported the bill. Further limiting mass surveillance of communications metadata is likely to receive bipartisan support again, especially given the lack of evidence that it aids security.

Congress should go farther than ending the CDR authority, to take on additional critical reforms. In the wake of the Snowden disclosures, public faith in the intelligence community and the Foreign Intelligence Surveillance Court that rules on data-collection efforts under Section 215 has degraded. And more recent inaccurate and unsubstantiated criticisms of these entities have harmed trust further. The USA FREEDOM Act took important steps toward restoring that faith by requiring that significant FISA court opinions be declassified, and creating a special advocate to represent privacy concerns in the court’s proceedings. But these provisions should be strengthened. For years, The Constitution Project has advocated for creating a more robust special advocate; strengthening provisions for FISA court declassifications would be a critical change as well.

Congress should also consider a range of other reforms during this year’s PATRIOT Act debate, relating to minimizing data retention of non-targets, civil rights, and transparency. But the first problem to address, and the one with the clearest solution, is authority for the CDR. It’s long past time to pull the plug. “

https://www.pogo.org/analysis/2019/04/its-time-to-end-the-nsas-metadata-collection-program/

NSA Makes Powerful Reverse Engineering Cyber Security Tool Open Source


Image: NSA – Ghidra, a Powerful Cybersecurity Tool, Open Source

“WIRED”

“Reverse engineering is a crucial process for malware threat intelligence researchers working backward from malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from.

Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.”

_____________________________________________________________________________

“THE NATIONAL SECURITY Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does.

“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.

Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool’s customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn’t as much of a priority in other platforms.

Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce’s personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn’t pan out.

The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. If it seems like releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that that isn’t a concern.

“Malware authors already know how to make it annoying to reverse their code,” Aitel said. “There’s really no downside” to releasing Ghidra.

No matter what comes next for the NSA’s powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. “There’s no backdoor in Ghidra,” he said. “Come on, no backdoor. On the record. Scout’s honor.”

https://www.wired.com/story/nsa-ghidra-open-source-tool/

Booz Allen Contractor to Plead Guilty in 23-Year-Long Largest Ever Theft of Classified Data


Booz Allen - Here we go again

“WASHINGTON TECHNOLOGY”

“The saga of a government contractor who allegedly stole more classified data than anyone else in history might be coming to a close.

Harold Martin III, who is accused of stealing terabytes of information, has told the U.S. District Court in Baltimore that he will plead guilty to a single charge of willful retention of national defense information on Jan. 22.”


“A plea agreement has not been filed yet, so it is not clear what punishment is being proposed or what will happen to the other 19 counts that were filed against him.

Court filings state that Martin will not be sentenced until all the other counts are resolved.

That single charge carries a maximum of 10 years in prison and three years of probation. He also could be fined up to $250,000.

Over a 23-year period, Martin worked for a series of contractors serving customers in the intelligence field. His security clearances gave him access to a broad range of information.

During that period, Martin took copies of documents and software programs home. This includes data from the National Security Agency, U.S. Cyber Command, the National Reconnaissance Office and the CIA.

When the FBI searched his home in August 2016, the bureau said they found the biggest stash of classified documents ever uncovered. Computers and storage devices were found in his home, his car and a shed in his yard. There were boxes and boxes of paper documents as well.

Still not clear is what Martin did with the data he allegedly stole. There is no allegation that he sold the information or distributed it.

At the time of his August arrest, Martin worked for Booz Allen Hamilton. But he worked for at least seven companies over the 23 years he had taken government secrets, according to the indictment.”

https://washingtontechnology.com/blogs/editors-notebook/2018/01/harold-martin-guilty-plea.aspx

NSA Leak Vindicates AT&T Whistle Blower


Image: Whistleblower Mark Klein provided this photo of a secret room in a San Francisco AT&T switching center, which he claimed housed data-mining equipment that forwarded internet traffic to the NSA.

“WIRED”

“AT&T was forwarding global internet traffic to the government from secret rooms inside its offices.

The collection program, which lasted from 2001 to 2011, involved email metadata — the “enveloped” information for email that reveals the sender’s address and recipient, as well as IP addresses and websites visited, the Guardian newspaper reported today.”


“Today’s revelations that the National Security Agency collected bulk data on the email traffic of millions of Americans provides startling evidence for the first time to support a whistle blower’s longstanding claims that AT&T was forwarding global internet traffic to the government from secret rooms inside its offices.

Mark Klein, a retired AT&T communications technician, revealed in 2006 that his job duties included connecting internet circuits to a splitting cabinet that led to a secret room in AT&T’s San Francisco office. During the course of that work, he learned from a co-worker that similar cabins were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego, he said.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, Klein said.

That’s how the data was being vacuumed to the government, Klein said today.

“This is a complete vindication,” Klein, a San Francisco Bay area retired man, said in a telephone interview.

WIRED was leaked and subsequently published Klein’s documents detailing the spying equipment in 2006, when he said an NSA agent showed up years before to interview a management-level technician for a special job.

Klein’s documents were lodged under seal in an Electronic Frontier Foundation lawsuit accusing the government of siphoning Americans’ communications to the NSA.

“This is exactly what we’ve been arguing in court for years,” Trevor Timm, an EFF digital-rights analyst, said in a telephone interview.

The documents, in part, fueled the lawsuit that so scared Congress that lawmakers passed legislation immunizing AT&T and any other telecommunications companies from being sued for assisting the NSA’s dragnet surveillance program.

“They are collecting everything on everybody,” Klein said.

After Congress killed the litigation, the EFF sued the government instead. That case is pending in a San Francisco federal courtroom.”

https://www.wired.com/2013/06/nsa-whistleblower-klein/

Hacks Raise Fear Over National Security Agency (NSA) Hold on Cyberweapons


Image: Patrick Semansky/Associated Press

“NEW YORK TIMES”

“The N.S.A. has kept quiet, not acknowledging its role in developing the weapons.

But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyber weapons have hit hospitals, a nuclear site and American businesses.

Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

Twice in the past month, National Security Agency cyber weapons stolen from its arsenal have been turned against two very different partners of the United States — Britain and Ukraine.

On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

In an email on Wednesday evening, Michael Anton, a spokesman for the National Security Council at the White House, noted that the government “employs a disciplined, high-level interagency decision-making process for disclosure of known vulnerabilities” in software, “unlike any other country in the world.”

Mr. Anton said the administration “is committed to responsibly balancing national security interests and public safety and security,” but declined to comment “on the origin of any of the code making up this malware.”

Beyond that, the government has blamed others. Two weeks ago, the United States — through the Department of Homeland Security — said it had evidence North Korea was responsible for a wave of attacks in May using ransomware called WannaCry that shut down hospitals, rail traffic and production lines. The attacks on Tuesday against targets in Ukraine, which spread worldwide, appeared more likely to be the work of Russian hackers, though no culprit has been formally identified.

In both cases, the attackers used hacking tools that exploited vulnerabilities in Microsoft software. The tools were stolen from the N.S.A., and a group called the Shadow Brokers made them public in April. The group first started offering N.S.A. weapons for sale in August, and recently even offered to provide N.S.A. exploits to paid monthly subscribers.

Though the identities of the Shadow Brokers remain a mystery, former intelligence officials say there is no question from where the weapons came: a unit deep within the agency that was until recently called “Tailored Access Operations.”

While the government has remained quiet, private industry has not. Brad Smith, the president of Microsoft, said outright that the National Security Agency was the source of the “vulnerabilities” now wreaking havoc and called on the agency to “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

For the American spy agency, which has invested billions of dollars developing an arsenal of weapons that have been used against the Iranian nuclear program, North Korea’s missile launches and Islamic State militants, what is unfolding across the world amounts to a digital nightmare. It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies — yet refused to respond, or even to acknowledge that the missiles were built for American use.

Officials fret that the potential damage from the Shadow Brokers leaks could go much further, and the agency’s own weaponry could be used to destroy critical infrastructure in allied nations or in the United States.

“Whether it’s North Korea, Russia, China, Iran or ISIS, almost all of the flash points out there now involve a cyber element,” Leon E. Panetta, the former defense secretary and Central Intelligence Agency chief, said in a recent interview, before the weapons were turned against American interests.

“I’m not sure we understand the full capability of what can happen, that these sophisticated viruses can suddenly mutate into other areas you didn’t intend, more and more,” Mr. Panetta said. “That’s the threat we’re going to face in the near future.”

Using the remnants of American weapons is not entirely new. Elements of Stuxnet, the computer worm that disabled the centrifuges used in Iran’s nuclear weapons program seven years ago, have been incorporated in some attacks.

In the past two months, attackers have retrofitted the agency’s more recent weapons to steal credentials from American companies. Cybercriminals have used them to pilfer digital currency. North Korean hackers are believed to have used them to obtain badly needed currency from easy hacking targets like hospitals in England and manufacturing plants in Japan.

And on Tuesday, on the eve of Ukraine’s Constitution Day — which commemorates the country’s first constitution after breaking away from the Soviet Union — attackers used N.S.A.-developed techniques to freeze computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.

The so-called ransomware that gained the most attention in the Ukraine attack is believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely. And while WannaCry had a kill switch that was used to contain it, the attackers hitting Ukraine made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.

“You’re seeing a refinement of these capabilities, and it only heads in one direction,” said Robert Silvers, the former assistant secretary of cyber policy at the Department of Homeland Security, now a partner at the law firm Paul Hastings.

Though the original targets of Tuesday’s attacks appear to have been government agencies and businesses in Ukraine, the attacks inflicted enormous collateral damage, taking down some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state-owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted for FedEx stock.

“When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have — and the greatest fear is one of miscalculation, that something unintended can happen,” Mr. Panetta said.

Mr. Panetta was among the officials warning years ago of a “cyber Pearl Harbor” that could bring down the American power grid. But he and others never imagined that those same enemies might use the N.S.A.’s own cyberweapons.

For the past six years, government officials were comforted by the fact that their most fervent adversaries — North Korea, Iran, extremist groups — did not have the skills or digital tools to inflict major damage. The bigger cyberpowers, Russia and China in particular, seemed to exercise some restraint, though Russia’s meddling in the 2016 presidential election added a new, more subtle threat.

But armed with the N.S.A.’s own tools, the limits are gone. “We now have actors, like North Korea and segments of the Islamic State, who have access to N.S.A. tools who don’t care about economic and other ties between nation states,” said Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission.

So long as flaws in computer code exist to create openings for digital weapons and spy tools, security experts say, the N.S.A. is not likely to stop hoarding software vulnerabilities any time soon.”


NSA Watchdog Removed for Whistleblower Retaliation


National Security Agency photo by Flickr user CreativeTime Reports

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“George Ellard occupied a position of trust as top watchdog of the National Security Agency, America’s principal collector of signals intelligence.

Photo: Dr. George Ellard

A high-level Intelligence Community panel found that Ellard had retaliated against an NSA whistleblower. NSA’s Director, Admiral Michael Rogers, promptly issued Ellard a notice of proposed termination.

Photo: Admiral Michael Rogers, Director of NSA, by Flickr user U.S. Naval War College

Ellard was not only NSA’s Inspector General, but an outspoken critic of Edward Snowden, the former contract employee who leaked hundreds of thousands of classified emails to publicly expose the agency’s domestic surveillance program. Snowden claimed, among other things, that his concerns about NSA’s domestic eavesdropping were ignored by the agency, and that he feared retaliation. Ellard publicly argued in 2014 that Snowden could have safely reported the allegations of NSA’s domestic surveillance directly to him.

The closely held but unclassified finding against Ellard is not public. It was reached by following new whistleblower protections set forth by President Obama in an executive order, Presidential Policy Directive 19. (A President Trump could, in theory, eliminate the order.) Following PPD-19 procedures, a first-ever External Review Panel (ERP) composed of three of the most experienced watchdogs in the US government was convened to examine the issue. The trio — IGs of the Justice Department, Treasury, and CIA — overturned an earlier finding of the Department of Defense IG, which investigated Ellard but was unable to substantiate his alleged retaliation.

“The finding against Ellard is extraordinary and unprecedented,” notes Stephen Aftergood, Director of the Secrecy Program at the Federation of American Scientists. “This is the first real test drive for a new process of protecting intelligence whistleblowers. Until now, they’ve been at the mercy of their own agencies, and dependent on the whims of their superiors. This process is supposed to provide them security and a procedural foothold.”

“The case, which is still in progress, offers hopeful signs that the new framework may be working,” Aftergood added.

POGO learned of the decision against Ellard from sources who spoke on condition of anonymity. The information was later confirmed by government officials. POGO has been told that mention of the finding will appear in a semiannual report (SAR) of the Intelligence Community IG (ICIG) that should be released in the near future. It makes brief mention of the case without citing Ellard by name.

Neither Ellard, his lawyer, nor the NSA provided any comment, despite POGO’s numerous attempts to offer them the opportunity.

POGO also reached out to the NSA employee and victim of Ellard’s retaliation, posing a detailed series of questions about what happened through an official intermediary. POGO has been told that the whistleblower composed answers to at least some of those queries, and was seeking NSA approval before releasing them. So far, there is no sign that such approval has been granted.

The DODIG told POGO it would have no immediate comment.

THE RETALIATOR

Ellard, a Yale-trained lawyer and former prosecutor with a doctorate in philosophy, was for nine years the top oversight official keeping tabs on NSA, an agency fraught with controversy over its handling of Edward Snowden and other prominent whistleblowers. Ellard in particular chose to enter that debate along with other critics who faulted Snowden for his alleged unwillingness to report his concerns about NSA domestic surveillance through channels inside the agency set up for that purpose.

IG Ellard’s criticism of Snowden first stirred controversy during a 2014 panel discussion at Georgetown University Law Center in Washington. “Snowden could have come to me,” Ellard declared, arguing that the leaker, now a fugitive in Russia, would have received the same protections as other NSA employees, who file some one thousand reports annually to the agency’s hotline. “We have surprising success in resolving the complaints that are brought to us,” Ellard said, adding, “Perhaps it’s the case that we could have shown, we could have explained to Mr. Snowden his misperceptions, his lack of understanding of what we do.”

Snowden himself has explicitly contended that he feared retaliation and that he had no other option but to go public if he wished to expose NSA domestic eavesdropping. Among the cases of retaliation that Snowden has pointed to is that of former senior NSA employee Thomas Drake, who, after reporting alleged wrongdoing through authorized channels, was arrested at dawn by the FBI, stripped of his security clearance, and charged with crimes under the Espionage Act, all of which were later dropped, leaving him to find work in an Apple store. Snowden’s related contention is that in his own case, he did, in fact, report his concerns in emails to NSA superiors at the time, a contention which NBC has said it verified.

Now, given the official finding that Ellard retaliated against an NSA whistleblower, the credibility of Ellard’s argument that Snowden could have come to him is gravely undermined. More generally, there are few if any incentives for intelligence whistleblowers to report problems through designated authorities when the IG of NSA is found to have retaliated against such an individual.

PPD-19 IS WORKING

Meanwhile, the ICIG’s handling of what began as a whistleblower complaint against Ellard sends an encouraging signal to those who may report wrongdoing at 17 US intelligence agencies and all executive-branch federal offices where employees hold security clearances, according to the ICIG, which oversees the directive.

Obama proposed the PPD-19 process in 2012, though implementation did not begin until mid-2013. Some 18 appeals for review of a retaliation charge, or the convening of an ERP, have made their way to the office of Intelligence Community IG Charles McCullough, III, who oversees the directive.

Dan Meyer, the ICIG’s Executive Director for Intelligence Community Whistleblower & Source Protection told POGO, “The purpose of PPD-19 is to offer intelligence and national security whistleblowers an effective and safe means to report problems without being forced to confront the fear of reprisal.”

As such, the Ellard case is groundbreaking not only because it represents the most extensive use of PPD-19 procedures to date, but also because of Ellard’s high-ranking position in a national security environment where few, if any, top officials are known to have been held accountable. A variety of reprisal accusations have been made against senior officials over the years. Rightly or wrongly, very few have ever been substantiated.

Under the PPD-19 procedures used in Ellard’s case, the allegations were first reviewed by the DoD IG, but that office was unable to substantiate retaliation. The victim who had made the allegations then appealed to ICIG McCullough. He, in turn, decided to convene a first-ever high-ranking, three-person ERP to further examine the matter.

McCullough would normally have chaired the group, but opted to recuse himself, mindful of a conflict of interest. Indeed, McCullough previously worked at the NSA IG himself as its chief of investigations. Ellard was his boss.

Filling in for McCullough as chairman of the panel was DOJ IG Michael Horowitz, who selected the CIA and Treasury watchdogs to serve with him.

According to ERP procedures, the panel had the option to approve the earlier DoD IG findings, which did not substantiate retaliation; to ask the DoD IG to redo all or part of its probe; or to redo the investigation itself, using the record of the previous probe as a baseline.

The ERP opted to conduct its own inquiry, including witness interviews and the evaluation of evidence.

Once the panel found that Ellard had retaliated against a whistleblower, the finding went to Admiral Michael Rogers who, as NSA director, had 90 days to take action on two fronts: what remedy to offer the victim of retaliation, and what discipline to impose on Ellard, the retaliator.

POGO has been unable to determine exactly what remedy Rogers prescribed, if any, for the victim, but he promptly moved against Ellard. The highly unusual outcome marks the first time a PPD-19 review panel has ever been convened and the first time that a prior investigation was reversed under the process set forth in the directive.”

http://www.pogo.org/blog/2016/12/intelligence-community-landmark.html?referrer=https://outlook.live.com/

Intelligence Watchdog Finds Contractor Abuses


“POGO”

“Dozens of instances when contractor employees fudged their timesheets, billing the government for time they were not at work or when they engaged in activities either personal in nature or outside the scope of the contract.

38 substantiated cases – loss to the government of more than $2.5 million.

Last week brought news that another Booz Allen Hamilton employee was accused of improperly removing sensitive material from the National Security Agency (NSA). Harold Thomas Martin III was charged with theft of government property and unauthorized removal and retention of classified materials. The government alleges Martin took documents and digital files containing information that, if disclosed, “reasonably could be expected to cause exceptionally grave damage to the national security of the United States.”

It was another black eye for Booz Allen, which was NSA surveillance program whistleblower Edward Snowden’s employer. It was equally embarrassing for the U.S. intelligence community, which pays contractors like Booz Allen billions of dollars each year to help run its global operations and keep a tight lid on our country’s more sensitive secrets.

Just days after the Harold Martin story broke, U.S. intelligence contractors were again in the spotlight. On Sunday, VICE News reporter Jason Leopold posted hundreds of pages of Intelligence Community Inspector General (ICIG) investigative reports. The documents contain the juicy—and occasionally disturbing—details of misconduct investigations conducted by the ICIG, the watchdog office that oversees the federal intelligence agencies. Most of the cases involved employees of Booz Allen and other prominent contractors.

Specifically, the documents contain dozens of instances when contractor employees fudged their timesheets, billing the government for time they were not at work or when they engaged in activities either personal in nature or outside the scope of the contract.

The ICIG also found that some contractor employees, while working on extremely sensitive intelligence programs and operations, risked exposing classified information by using non-secure networks and computers. They did so while working for some of the government’s most trusted private sector partners: Booz Allen and SAIC are among only a handful of private firms that collectively employ nearly all of the intelligence community’s contractor workforce.

The implications of the VICE News revelations are enormous. Not only did the contractor employees rip off taxpayers, they also compromised national security. The ICIG reports bolster POGO’s concern that contractor timesheet fraud is especially rampant among intelligence programs due to a lack of transparency and insufficient contract oversight. However, they also give us a reason to be optimistic: they show that the intelligence watchdog takes its role seriously and doggedly pursues allegations of wrongdoing.”

http://www.pogo.org/blog/2016/10/intelligence-watchdog-finds-contractor-abuses.html