The FBI’s Role in Cybersecurity

Today, Richard P. Quinn, National Security Special Agent in Charge for the FBI’s Philadelphia Field Office, gave a statement before the House Homeland Security Committee, Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies.  In the statement, Quinn outlined the FBI’s role in cybersecurity.  Here are the takeaways:

  • The Cyber Threat and the FBI Response.  Recognizing the broad range of entities that present a cyber threat–state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists–the FBI is: (1) “prioritizing high-level intrusions”; (2) working in cooperation with federal, state, and local Cyber Task Forces and through the National Cyber Investigative Joint Task Force (NCIJTF); (3) partnering with the private sector; and, (4) coordinating overseas cyber investigations and supporting key partners, such as The Hague.
  • Recent Successes.  To name a few:
    • By “targeting infrastructure [the FBI] believe[s] has been used in distributed denial of service (DDoS) attacks[,]” the FBI has enabled “foreign partners to take action” and reduced the “effectiveness of the botnets and the DDos attacks[]“;
    • Operation Clean Slate–an FBI Cyber Division initiative to disrupt and dismantle botnets threatening US security–”to date . . . has resulted in several successes[,]” including the disruption of Citadel Botnet and ZeroAccess Botnet;
    • Aleksandry Andreevich Panin pled guilty in January of this year to conspiracy to commit wire and bank fraud, charges arising from his role in developing Spyeye, which is “malicious software” that “infected more than 1.4 million computers.”
  • Next Generation Cyber Initiative.  Briefly, “[t]he FBI’s Next Generation Cyber Initiative, which [it] launched in 2012, entails a wide range of measures, including focusing the Cyber Division on intrusions into computers and networks–as opposed to crimes committed with a computer as a modality; establishing Cyber Task Forces in each of [the FBI's] 56 field offices to conduct cyber intrusion investigations and respond to significant cyber incidents; hiring additional computer scientists to assist with technical investigations in the field; and expanding partnerships and collaboration at the NCITJF.”
  • Private Sector Outreach.  “The FBI’s newly established Key Partnership Engagement Unit (KPEU) manages a targeted outreach program focused on building relationships with senior executives of key private sector corporations.  Through utilizing a tiered approach, the FBI is able to prioritize our efforts to better correlate potential national security threat levels with specific critical infrastructure sectors.”

 

You can read the full statement here.

Share:

Tags: , ,

Cyber Round Up: SCOTUS Denies Klayman’s Request; China Concerned About Growing Number of Cyber Warriors; Vanity Fair Exclusive with Snowden

  • Presiding Foreign Intelligence Surveillance Court Judge Reggie Walton was misled by Department of Justice officials resulting in an erroneous ruling on March 7 that the government should not be permitted to store phone records longer than five years, U.S. News reports.  Specifically, DOJ officials failed to inform the Court of preservation of evidence orders issued against the NSA.  Without this information, Judge Walton deemed the government’s fear of penalties for deleting older records “far-fetched.”  Judge Walton has ordered an apology and explanation from the DOJ, the article further explains.

 

  • According to the New York Times, in an attempt to relieve some of China’s concerns over the U.S.’s intent to triple the number of cyberwarriors it employs by 2016, the Obama Administration has “quietly held an extraordinary briefing for the Chinese military leadership on . . . the Pentagon’s emerging doctrine for defending against cyberattacks against the United States—and for using its cyber technology against adversaries, including the Chinese.”  The Times further reports that Defense Secretary Chuck Hagel is concerned about “the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China.”

 

  • Jamshid Muhtorov, a Colorado resident charged with providing material support to a terrorist organization, has become the first defendant to challenge the constitutionality of the law authorizing foreign intelligence surveillance without a warrant, the Los Angeles Times reports.  Although Mr. Muhtorov’s defense team has thus far not been allowed to see classified evidence in the case, the team believes Mr. Muhtorov’s phones were secretly tapped and emails read pursuant to this law.

 

 

 

  • The U.S. Army Military Academy at West Point has established a cyber warfare reasearch institute and plans to build “a cyber brain trust unprecedented within the service academies,” according to USA Today.  Through these programs, elite cybertroops will betrained, with seventy-five positions available to scholars of technology, psychology, history and the law, and other relevant areas of expertise over the next three years.

 

  • According to Ars Technica and an FCC filing, in-flight WiFi provider, GoGo has voluntarily exceded the information sharing requirements imposed by the government, a choice that has been criticized by the ACLU.  GoGo claims its decision was born out of a desire to thwart spammers and protect against other network vulnerabilities.

 

Share:

Tags: , ,

Cyber Round Up: Reactions to NSA Reform Proposal

As promised, here is a mini round up detailing the public’s response, generally, to President Obama’s NSA reform proposal:

  • The Hill reports that Obama’s proposal is “sure to come under fire as it heads to Congress.”  The report notes several possible reasons.  Here are a few:

(1) Although lawmakers have generally expressed support for the idea of ending collection and storage of metadata, there is disagreement over the proper manner in which government agents should be permitted to search for records.

(2) Some have expressed concern over the proposal’s failure to address other “symptom[s] of the NSA’s overreach.”  As Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute reportedly put it, “Any proposal to address the problem of bulk data is fatally incomplete if it doesn’t prohibit bulk collection of any kind of record under any of the NSA’s different legal authorities.”

(3) “A big factor affecting the outcome of the president’s proposal is who gets authority.”  This is because, as the article explains, the Judiciary Committee would traditionally have jurisdiction over matters concerning foreign intelligence.  But, the House Intelligence Committee “was given primary authority over its leaders’ bill[.]”

This last point brings me to the next article I want to highlight.

  • Politico reports that Bob Goodlatte (R-Va), House Judiciary Committee Chairman, declared his intent to “fight any effort to move [NSA] surveillance reform legislation to the House floor without going through his panel.”  Goodlatte further indicated that, although input from the House Intelligence Committee is welcomed, the Judiciary Committee should be the central venue in charge.
  • In a separate article, Politico identifies an additional hurdle—“no major force pushing for the changes.”  As the report explains, the NSA’s Section 215 authority is set to expire in June of next year; however, “rank-and-file lawmakers . . . caution that there’s no serious pressure coming from home to support the kinds of changes Obama wants.”
  • Alex Jones’ Info Wars has also come out and criticized private companies for failing to take a more active approach in order to force legislation on this issue.  Trevor Timm of the London Guardian stated, Facebook and others are “holding fire” when it comes to pushing reform on the hill.  But, “[t]he keepers of the everyday [I]nternet seem to care more about PR than helping their users.  The truth is, if the major tech companies really wanted to force meaningful surveillance reform, they could do so tomorrow.”
  • The Brennan Center’s Elizabeth Goitein has also identified what some believe is a hole in the President’s proposal, MSNBC reports.  “The problem is there are no meaningful limits on what [the government] can do with [the] data, the only limits are on what they have to do to get the data,” Goitein reportedly said.
Share:

Tags:

How Snowden Divides the German NSA Inquiry Panel

On March 20, 2014, the German Bundestag, the country’s federal parliament, formed a parliamentary investigative commission to probe the surveillance activities of the 5-eyes states, in particular of the National Security Agency (NSA) and the British Government Communication Headquarters (GCHQ), that targeted and involved Germany. The inquiry panel has taken up work, as the German Attorney General has filed charges neither against the NSA, nor against the German government. In February, the Chaos Computer Club and the International Federation for Human Rights filed a criminal complaint against the German government (we blogged about that matter 8 weeks ago).

Germany’s international news outlet Deutsche Welle (DW) covers the investigation in English. As the commission has not been able yet to agree on what role Edward Snowden should play in the process, DW reported two days ago about the resignation of its chairman Clemens Binninger. “A parliamentary inquiry’s first order of business should not be to serve party-political profiling,” Binninger said according to DW, referring to the unresolved question if Snowden should be heard as a whiteness or not. The oppositional Green and Left Party representatives are pressing to summon Snowden as a crucial whiteness. In contrast, the representatives of the ruling Christian and Social Democrat party factions delayed the decision and will, so DW, not take it until after Chancellor Merkel’s visit to the United States in 3 weeks.

It is worth following the happenings on the inquiry panel, as, to me, they reflect the dilemma of German politics to resolve the contradicting interests of a flawless examination of the 5-eyes’ invasive intelligence collection and keeping the diplomatic relationship with the United States in good terms.

 

Share:

Tags: , ,

The Heartbleed Bug and the Political Implications of Vulnerability Management

Today, the Canadian Broadcasting Corporation (CBC) recounted the happenings around the Heartbleed Bug, a pervasively occurring vulnerability of the widespread OpenSSL cryptographic software that was revealed by Google and a Finnish security firm on Monday. Along with the public notification, the information website heartbleed.com was established, explaining that “[t]he Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software[,]” allowing attackers to eavesdrop on communications and steal sensitive data among others. On his security blog, cryptography guru Bruce Schneier mentioned 500K sites to be vulnerable, classifying the level of how catastrophic the event is on a scale from 1 to 10 as 11.

I found that the coverage of the incident gained another momentum just a few hours ago, when Bloomberg reported that the National Security Agency (NSA) had exploited the vulnerability for “at least two years [...] and regularly used it to gather critical intelligence,” according to “two people familiar with the matter.” USA today cited an official statement of the NSA denying knowledge of the Heartbleed Bug.

 

Reviewing the news of this week, two major implications in terms of cyber security policy seem to be represented by the Heartbleed Bug:

  1. As CBC mentioned: “Disclosing a web problem also means alerting hackers.” The more widespread the vulnerability, the less co-ordinated the patch. This can lead to differing times of exposure to the alerted hackers. On the one hand, the many users of the vulnerable systems (e.g. different banks, or the website of the Canadian Revenue Agency, which has been compromised) patch the vulnerability at different times. On the other hand,  user notification about potential compromises happens at varying paces.  As a result of the Heartbleed disclosure, so CBC, “there has been confusion among consumers about what they should be doing, including whether they should be altering their passwords.” For more on the issue of breach notification on Crossroads, follow this link.
  2. Regardless if the NSA knew about Heartbleed and exploited it or not, intelligence collection does use exploits to accomplish its mission (see also our coverage of exploits in cyber security). The dilemma is as obvious to me: national security interests confront those of millions of users who rely on a system which is known to be insecure to those who are tasked to guard them.

 

Share:

Tags: , ,

Symposium Tomorrow: “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program”

Western State University’s Law Review is hosting a symposium tomorrow entitled, “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program.”  Dean at University of California–Irvine School of Law, Erwin Chemerinsky, will be the keynote speaker.  The symposium, moderated in part by Professor Ryan T. Williams, will also feature two distinguished panels. The first panel is on the lethal use and legality of unmanned aerial vehicles and, later, there will be a panel on the NSA surveillance programs.

The latter panel, on which this blog’s administrator, Professor William C. Snyder, will sit as a contributor, will analyze the current NSA surveillance programs through the lens of constitutional law, the proper scope of the public’s knowledge on NSA and other government surveillance programs, and the hot and ever-controversial issue of whether Edward Snowden is a patriot or a villain.

The symposium tomorrow, April 12, will run from approximately 8:30am until 5pm at Western State University College of Law.

Share:

Tags:

Joint Statement by AG Holder and DNI Clapper on Section 215

I just wanted to make available to you the following statement, which was released jointly by Attorney General Eric Holder and Director of National Intelligence James Clapper on March 28.

 

Joint Statement by Attorney General Eric Holder and Director of National Intelligence

James Clapper on the Declassification of Renewal of Collection
Under Section 215 of the USA PATRIOT Act (50 U.S.C. Sec. 1861))
“Earlier this year in a speech at the Department of Justice, President Obama announced a transition that would end the Section 215 bulk telephony metadata program as it existed, and that the government would establish a mechanism that preserves the capabilities we need without the government holding this bulk data. As a first step in that transition, the President directed the Attorney General to work with the Foreign Intelligence Surveillance Court (FISC) to ensure that, absent a true emergency, the telephony metadata can only be queried after a judicial finding that there is a reasonable, articulable suspicion that the selection term is associated with an approved international terrorist organization. The President also directed that the query results must be limited to metadata within two hops of the selection term instead of three.  These two changes were put into effect on Feb. 5, 2014, when the FISC granted the government’s motion to amend its Jan. 3, 2014, primary order approving the production of telephony metadata collection under Section 215. Following a review for declassification the Jan. 3 primary order, the government’s motion to amend that order, and the order granting the motion were posted to the FISC’s website, as well as the Office of the Director of National Intelligence website and icontherecord.tumblr.com.
 
“In addition to directing those immediate changes to the program, the President also directed the Intelligence Community and the Attorney General to develop options for a new approach to match the capabilities and fill gaps that the Section 215 program was designed to address without the government holding this metadata.  He instructed us to report back to him with options for alternative approaches before the program came up for reauthorization on March 28. Consistent with the President’s direction, we provided him with alternative approaches for consideration.
 
“After carefully considering the available options, the President announced yesterday that the best path forward is that the government should not collect or hold this data in bulk, and that it should remain at the telephone companies with a legal mechanism in place that would allow the government to obtain data pursuant to individual orders from the FISC approving the use of specific numbers for such queries. The President also noted that legislation would be required to implement this option. 
 
“Given that this legislation is not yet in place, and given the importance of maintaining this capability, the President directed the Department of Justice to seek a 90-day reauthorization of the existing program, which includes the modifications that he directed in January. Consistent with both the President’s direction, and with prior declassification decisions, in light of the significant and continuing public interest in the telephony metadata collection program, DNI Clapper declassified the fact that the United States filed an application with the FISC to reauthorize the existing program as previously modified for 90 days, and that today the FISC issued an order approving the government’s application. The order issued today expires on June 20, 2014. The Administration is undertaking a declassification review of this most recent court order. When the review is complete the ODNI will post the documents to its website and icontherecord.tumblr.com.”
Share:

Tags: , , ,

Cyber Round Up: DOJ Pushes for Increased Hacking Abilities; Google Appeals Turkish YouTube Blackout; Microsoft Ends “Snooping” Practices

  • The DOJ is advocating for less stringent standards to obtain warrants to hack the computers of criminal suspects, the Wall Street Journal Blog reports.  “The Justice Department effort is raising questions among some technology advocates, who say the government should focus on fixing the holes in computer software that allow such hacking rather than exploiting them.”  DOJ investigators, however, say increased flexibility is necessary in this regard “especially when multiple computers are involved or the government doesn’t know where the suspect’s computer is physically located[,]“  according to WSJ.
  • Shortly after the Turkish government blocked citizen access to Twitter, officials made a similar play against YouTube, according to AP reports.  (Here’s the link to the “Cyber Round Up” on the initial social media block). Again, these actions came just days before crucial local elections were held, the results of which have still not been released.  (Although, as the WSJ reports, “[O]ne thing is clear: the secularist opposition suffered a walloping by Prime Minister Recep Tayyip Erdogan, failing to capitalize on corruption allegations, bans on social media and ongoing dissent.”)  WSJ also reports that Google, Inc. has appealed the YouTube blackout in the Turkish courts.
  • A perspective piece by columnist Hiawatha Bray published in the Boston Globe argues that, although we may seem doomed to become a “surveillance state,” “by combining anonymizing technology with tougher legal limits on access to location data, each of us might be able to preserve a cocoon of location privacy.”  As an interesting side note, this piece reveals the results of location data research that shows, “if you track someone’s cellphone-usage patterns over a three-month period, you could probably predict where this person will be with an accuracy of 93 percent.”
  • Wired reports that the cyber attack on Target, Neiman Marcus, and others just months ago has resulted in a class action lawsuit that calls into question whether third-party companies responsible for certifying the security of credit card-accepting entities, like Target, should be held liable in the event of a breach.
  • A New York Times blog reports that Microsoft recently announced an end to its policy permitting “snooping” on private customer communications during the course of an investigation into stolen property.  Here’s the announcement by Microsoft general counsel, Brad Smith.
  • According to K&L Gates’ “European Regulatory Watch,” the outcome of a current debate over whether to overhaul the privacy protection framework in place in the EU “could shape the future of the digital economy, particularly with privacy and cyber sovereignty becoming key talking points in transatlantic diplomacy since the Snowden/NSA case.”
Share:

Tags: , ,

DC Judge Denies Government’s Request to Seize Email Account

Today, Magistrate Judge John Facciola for the United States District Court for the District of Columbia denied the government’s request for a warrant to seize an entire email account, search it, and disclose certain emails and contents of communications discovered therein.  This was the government’s third application for a warrant in connection with this email account although it has not yet provided the specific address or owner of the account it wishes to seize.  Rather, the government states that it is pursuing the account in connection with its investigation into a possible solicitation and receipt of kickbacks scandal “involving a defense contractor.”

Screen Shot 2014-04-08 at 12.01.40 AM

The Court denied the government’s second application for failure to disclose with specificity which emails it would seize and, moreover, its failure to establish the probable cause to do so.  In denying the government’s third attempt, the Court stated that it failed “to address these concerns and ignore[d] the substance of th[e] Court’s prior rulings.”

One of the prior rulings to which the Court refers is that rendered in the application for a warrant to search and seize the Facebook account of Navy Yard shooter Aaron Alexis.  There the Court considered the proper scope of the warrant and suggested that the government permit the service provider to conduct the search under the guidance of key terms provided by the government.  The service provider would then be required to turn over information it discovered that was relevant to the government’s request.  This, the Court explained in that case, would assist the government in “minimize[ing] the amount of information that its search warrant applications seek to be disclosed[.]”

Even in response to the government’s second request to seize the Apple email, the Court ultimately could “see no reasonable alternative other than to require the provider of an electronic communications service to perform the searches”  (emphasis added).  However, perhaps out of concern for revealing too much about the nature of an investigation, “the government did not take any steps to modify their search warrant applications” upon submission of the third application in the Apple email case.

Upon this foundation, the Court explained its rationale for denying the government’s warrant request yet again.

First, the Court established that the government’s desired actions constituted a “seizure” for purposes of the Fourth Amendment.

Although the Supreme Court has never specifically defined what constitutes a seizure in the electronic world, . . . [i]n this Court’s view, a seizure of property occurs when e-mails are copied and taken by the government without the owner’s consent because an individual’s ‘possessory interest [in the e-mails] extends to both the original and any copies made from it.’

(Note that the Court is quoting Orin Kerr’s publication, “Fourth Amendment Seizures of Computer Data,” published in the Yale Law Journal.)

Because the government sought to “seize” the emails, yet it “fail[ed] to specify with particularity what it intend[ed] to seize,” the government’s application, in the Court’s view, failed.

Here, the warrant describes only certain e-mails that are to be seized—and the government has only established probable cause for those e-mails.  Yet, it seeks to seize all e-mails by having them ‘disclosed’ by Apple.  This is unconstitutional because “[t]he government simply has not shown probable cause to search the contents of all emails ever sent to or from the account.

Even taking into consideration that a two-step procedure has been codified in Federal Rule of Criminal Procedure 41(e)(2)(B) and operates as a limited exception to otherwise unconstitutional overly broad searches (specifically, “seize a large quantity of data and perform the specific search later at an offsite location”), the Court found the “government [was] ‘abusing the two-step procedure . . .’ by requiring Apple to disclose the entire contents of an e-mail account.”

I invite you to explore the Court’s full rationale in support of this ruling and have linked the publicly available opinion here for your convenience.

 

Share:

Tags:

CRS: “Overview of Constitutional Challenges to NSA Collection Activities and Recent Developments”

On the first of the month, the Congressional Research Service (CRS) published “Overview of Constitutional Challenges to NSA Collection Activities and Recent Developments.”  The report reviews the two main NSA programs that have come under public scrutiny since the Snowden leaks–the bulk metadata collection program and the interception of Internet-based foreign communications–and, as the title suggests, explores the most predominate constitutional challenges to these programs.

Screen Shot 2014-04-06 at 3.55.48 PM

Constitutional challenges . . . have arisen in the [Foreign Intelligence Surveillance Court (FISC)] and [Foreign Intelligence Surveillance Court of Review (FISCR)] as part of those courts’ roles in approving the parameters of these collection activities. . . . [C]hallenges have [also] been brought in traditional federal courts as civil actions by plaintiffs asserting an injury or in criminal proceedings by defendants who have been notified that evidence against them was obtained or derived from collection under Section 702 [of the Foreign Intelligence Surveillance Act (FISA).]

The fairly brief report uses cases such as Clapper v. Amnesty International (see also here) and, to a lesser extent, ACLU v. Clapper and Klayman v. Obama to review the legal issues presented by these programs.

Share:

Tags:

Next Page »

Authors

Untitled Document
Tara J. PistoreseTara J. Pistorese

is completing her Juris Doctor and Masters of Public Administration degrees at the Maxwell School of Citizenship and Public Affairs and the College of Law of Syracuse University. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Categories