Google news searches:
Chinese+hackers+spied+on+g20: 3 results
NSA+spied+on+g20: 2,330 results
The old Cold War export control alliance, now known as the Wassenaar Arrangement, hasn’t exactly been a hotbed of new controls since Russia joined the club. But according to the Financial Times, the 41-nation group is preparing a broad new set of controls on complex surveillance and hacking software and cryptography. I suspect that the move is a response to concerns about the use of such tools — from deep packet inspection to zero-day attacks — by rogue states like Syria and Iran.
It’s an unusual step in several respects. First, the European Union seems to be at least as enthusiastic as the United States about the controls. Usually, Europeans have let the US take the lead (and the economic hit) when it comes to controlling exports. Second, it is not clear that these controls will work. Wassenaar doesn’t include China or Israel, both major producers of surveillance and hacking tools. So the new control regime could turn out to be an exercise in moral preening, as Europe and the United States sacrifice technology sales to China and Israel for the sake of political correctness. [...]
The latest Snowden leak story is in the Huffington Post. It says that NSA thought about exposing the hypocrisy of Islamic extremist recruiters by revealing their financial greed or predatory sexual habits. I’m quoted in support of considering such tactics, but the backstory of the interview may be more interesting.
When one of the authors, Ryan Grim, called me for comment, he said that while Glenn Greenwald was transitioning to his new Omidyar-funded venture he was temporarily publishing his Snowden leaks with HuffPo. So when he asked for my take on the NSA story, pretty much the first words out of my mouth were, “Why wouldn’t we consider doing to Islamic extremists what Glenn Greenwald does routinely to Republicans?” The story quotes practically everything I said to Grim except that remark, even though I returned to the point a couple of times and emphasized that it summed up my view.
I don’t think HuffPo cut the quote because they ran out of electrons. The article itself is so tediously long that I defy anyone to read every word in a single go.
Nor because my remark was inaccurate. It turns out that Glenn Greenwald has written an entire book devoted to exposing the contradiction between Republicans’ ideology and their private lives. In Greenwald’s words, “While the right wing endlessly exploits claims of moral superiority … virtually its entire top leadership have lives characterized by the most decadent, hedonistic, and morally unrestrained behavior imaginable …[including] a string of shattered marriages, active out-of-wedlock sex lives, and highly ‘untraditional’ and ‘un-Christian’ personal lives [endless detail omitted].” His book certainly makes the NSA memo sound restrained and cautious, but both are motivated by the same idea.
Grim and Greenwald very likely cut the quote because it would have undermined the narrative of the [...]
The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources they want to discover, and companies whose secrets they want to steal, all without (gasp!) court orders or Jim Sensenbrenner’s consent.
Perhaps even more interesting, the Commission offers moral support and an open Overton window to those who advocate much more active defenses than the Justice Department has been willing to countenance under the Computer Fraud and Abuse Act. Among the policy options it treats seriously are watermarking and beaconing of documents for evidentiary purposes as well as authorizing private victims to conduct a host of active responses to intrusions:
Encourage the U.S. government, military, and cleared defense contractors to implement measures to reduce the effectiveness of Chinese cyber operations and increase the risk of conducting such operations for Chinese organizations. For example, the IP Commission recommends measures such as ‘‘meta-tagging, watermarking, and beaconing,’’ because they can help identify sensitive information and code a digital signature within a file to better detect intrusion and removal. These tags also might be used as evidence in criminal, civil, or trade proceedings to prove data was stolen.
Clarify the legal rights of companies, and the types of action that are prohibited, regarding finding and recovering intellectual property that is stolen through cyber intrusions. Mr. Kamphausen said U.S. companies ‘‘need the right tools that afford them the protections, legal and otherwise, so that they can do what’s in their own interest.’’
Pass legislation permitting U.S. companies to conduct offensive cyber operations in retaliation against intrusions into their networks. Such
The Administration has set a goal in its effort to fix the troubled Obamacare website, healthcare.gov. By November 30, according to the Washington Post, the government’s goal is that 80% of users will be able to buy healthcare policies online. The 80% target moves the goalposts back from the President’s more confident statement earlier this month: “By the end of this month, we anticipate that it is going to be working the way it is supposed to.”
But it is a concrete, measurable goal.
Unfortunately, everyone involved in that measurement, from the contractors to HHS to the White House, has a strong interest in reporting success. And a track record of handling data in a way that masks failure. The administration refused to provide any numbers about enrollments for more than a month and then released numbers that mix actual enrollments with a consumer’s decision to simply put a plan in an online “shopping cart.”
You don’t have to be very cynical to think that we’ll only hear about enrollment statistics on November 30 if the 80% goal is met, or can be spun.
Which leads me to the point of this post: We don’t actually have to wait for the administration to release the numbers. Because the government has chosen a target that can be measured by the public.
All we need is for a large enough group of consumers to go through the enrollment process on November 30 and report whether they succeeded or failed in choosing a plan and getting it into their shopping cart. Call it crowd auditing, or crowditing for short. In fact, done right, it’s a better measure of success or failure than anything accessible to site administrators. And it will be available in something close to real time.
There are obviously some problems with [...]
The Leahy-Sensenbrenner USA FREEDOM Act puts the Foreign Intelligence Surveillance (FIS) court in charge of shaping, overseeing, and enforcing minimization guidelines in connection with section 215, pen/trap orders, and section 702, largely taking the Attorney General out of the process of writing minimization guidelines. I’m appalled, because the FIS court has taken control of minimization before, with disastrous consequences; it built a “wall” between intelligence and law enforcement without any legal basis for doing so, and enforced the wall so aggressively that the FBI couldn’t use its best counterterrorism assets to track down the hijackers in late August and early September 2001. In a very real sense, it was the FIS court’s legal error combined with a self-righteous use of its contempt power that thwarted the country’s last, best chance to stop the attacks.
That the court made terrible errors in 2001 is perhaps understandable. Repeating those errors is not. But the more closely I observe the FIS court the more concerned I become that the peculiar role that we have created for the FIS court makes a repetition all too likely. I’m testifying to the Judiciary Committee tomorrow on the USA FREEDOM Act, and I took the opportunity to do a bit more thinking in this post about why the FIS court seems to have learned so little from its discreditable performance in 2001.
It may be that the problem is best seen as a constitutional failure. That is, practical politics are pushing the FIS court out of an article III role and into article I. And the FIS court’s failings may be best seen as a problem in separation of powers.
At the outset, the separation of powers issue isn’t obvious. The FIS court’s principal statutory role is to approve or deny intercept and discovery orders involving foreign intelligence. [...]
I reviewed Juan Zarate’s Treasury’s War for the Wall Street Journal. If you have a subscription, here’s the paywalled link. For cheapskates, here’s the gist:
Treasury has attacked money laundering by big banks, imposing fines up to $2 billion on institutions around the world. As a result, banks have toughened their compliance regimes. Under the slogan “know your customer,” they now feel obliged to run checks on their customers’ reputations and to shun even faintly suspicious transactions.
In such a climate, it’s easy to become a customer no one wants to know. And the easiest way of all is to be officially labeled a “primary money laundering concern.” A bank that has been tarred with that brush quickly becomes a pariah to every bank with a compliance program. Because a pariah can’t perform normal financial transactions under such conditions, its solvency is immediately drawn into question. And, boom, within 24 hours, even a bank with no direct ties to the United States is effectively out of business, brought down by a Treasury-induced run. Treasury’s designation turns out to be a remarkably effective weapon—the Predator drone of financial sanctions—killing instantly, without warning, far from home.
In one of his better stories, Mr. Zarate shows how Treasury’s new weapon struck even North Korea, a veteran sanctions-buster that had sheltered comfortably in China’s lee for decades.
China’s diplomats stood by their client as usual, but not its banks. Rather than risk its access to world financial markets, even the state-owned Bank of China in Macau froze North Korean accounts. Later, after many ceremonial toasts at a session of the international talks on nuclear proliferation, one inebriated North Korean negotiator leaned in to his American counterparts and admitted: “You Americans have finally found a way to hurt us.”
Mr. Zarate brings verve
I’ll be testifying tomorrow before the House Intelligence Committee. This post is an excerpt from that testimony. The full document is here: Baker – HPSCI testimony – Oct. 29 2013.
I fear that the campaign by Glenn Greenwald and others who control the Snowden documents has forced the executive branch into a defensive crouch. Other nations are taking advantage of the moment to demand concessions that the White House is already halfway to granting. If so, we will regret them as a country long after the embarrassment of fielding angry phone calls from national leaders has faded into a short passage in President Obama’s memoirs.
European and other nations see the prospect for enormous gains at the expense of the U.S., in part because President Obama seems genuinely embarrassed and unwilling to defend the National Security Agency. Instead, he is offering assurances to select world leaders that they are not targets, and his homeland security adviser is declaring that “the president has directed us to review our surveillance capabilities, including with respect to our foreign partners. We want to ensure we are collecting information because we need it and not just because we can [and that] we are balancing our security needs with the privacy concerns all people share.”
Administration sources have begun criticizing the NSA for putting the President in this bind, and they are hinting at the possibility of negotiating reciprocal deals with other countries that will bar espionage directed at each other while sharing intelligence….
In short, we face the prospect that foreign nations will capitalize on President Obama’s defensive crouch to extract diplomatic and intelligence concessions that would have been unthinkable a year ago.
At the same time, I note, these nations have asked China, which is subjecting them to the most notorious and noisy computer [...]
I contributed a short piece today to the New York Times on the latest Snowden-generated flap over allegations that NSA targeted Angela Merkel’s mobile phone. Excerpts:
To play the role it has played in the world for the last 70 years, the United States must be able to gather intelligence anywhere in the world with little or no notice. We never know where the next crisis will erupt, where the next unhappy surprise is coming from. It’s the intelligence community’s job to respond to today’s crises, but its agencies live in a world where intelligence operations take years to yield success. That makes it a little hard – and very dangerous – to create “intelligence-free zones.”
…Even the countries we usually see as friends sometimes take actions that quite deliberately harm the United States and its interests. Ten years ago, when the U.S. went to war with Iraq, France and Germany were not our allies. They were not even neutral. They actively worked with Russia and China to thwart the U.S. military’s mission. Could they act against U.S. interests again in the future – in trade or climate change negotiations, in Syria, Libya or Iran?
…That’s just life and international politics, as German Chancellor Angela Merkel knows quite well too. She visited China right after public disclosures that the Chinese had penetrated her computer network, yet she managed to be “all smiles” while praising relations between the two countries as “open and constructive.”
…The United States can’t stop gathering intelligence without running the risk of terrible surprises. So it won’t.
Note: I welcome comments and may publish some of them as updates, with your name unless you ask me to leave it out. Send them to firstname.lastname@example.org.
UPDATE: One commenter takes issue with the core of the piece:
NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February.
I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms. The result is a mixed bag, but the document is still a net loss for security.
What’s improved? First, in an effort to introduce flexibility into the document, NIST deleted all the “should” language from the privacy standards. Second, it added a paragraph that asserts the “flexibility” that organizations have to implement the privacy provisions:
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.
Third, NIST responded to my concern that the “governance” section of the appendix would smuggle into the rules governing private companies all of the fair information practice principles, or FIPPs, that govern federal agencies. NIST narrowed the scope of the governance section by tying it to the actual PII being used for cybersecurity. See the bold language below.
Old version: Organizations should identify policies and procedures that address privacy or PII management practices. Organizations should assess whether or under which circumstances such policies and procedures: [followed by a list of FIPPs, many with dubious relationship
There’s a lot of talk in the press these days about how hard it is for the federal government to do IT right and how the blame for the failures of the healthcare.gov website should fall on the federal procurement system, not the federal managers. As someone who advocated enthusiastically for federal use of relatively advanced IT while in government, I agree that the procurement process makes it hard to produce IT that works on budget and on time. There have been plenty of expensive IT failures in recent administrations.
That said, it isn’t impossible, even with stiff political opposition, to manage big public-facing federal IT projects successfully. I can think of three fairly complex IT projects that my old department delivered despite substantial public/Congressional opposition in the second half of George W. Bush’s administration. They weren’t quite as hard as the healthcare problem, but they were pretty hard and the time pressure was often just as great. Putting together the list from memory, which may be faulty on some details, they are:
I’m a much bigger fan of Girl Talk, whom I’ve blogged about before, than of current copyright law, so it’s hard to resist a chance to talk about both. Girl Talk (actually a fellow named Greg Gillis) produces delightful mashups of hip-hop and classic rock that shed new light on both. Since Girl Talk relies on a claim of fair use for his sampling and doesn’t seek the original label’s authorization, he has trouble selling his albums through the usual channels. (His stuff is available here.)
Now Michael Schuster, another Girl Talk lawyer-fan, has produced a law-review study of All Day, Girl Talk’s latest album, arguing that the songs it samples actually had higher sales in the year after the sampling than in the year before. For those of us who think copyright law is too protective of plaintiffs, the article is comforting. It suggests that current law may actually be hurting the authors it purports to help by discouraging musicians from introducing their fans to our pop-cultural heritage. That’s how it’s being covered in the press and blogosphere.
Actually, though, I think the article is a little too comforting. I am always skeptical of scholarly research that reinforces academic prejudices, since scholars tend to adjust their standards of proof to fit their prejudices. Hostility to copyright is pretty much the norm in academic circles, and if you read the article skeptically, it loses much of its persuasiveness. Schuster achieves his results by playing with the sample, dropping nine songs from a sample of about 200 because they completely wreck his argument. His reason for dropping the songs is that they were hits in the 30 months prior to the release of Girl Talk’s album, and hits by definition suffer declining sales after topping out. If he [...]
I’ve been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.
His tale of disillusionment revealed three privacy deficits in European law that even I hadn’t noticed when I trashed the myth of European privacy superiority.
First, unlike their US counterparts, German email providers are unable to issue transparency reports of the sort that US companies have been publishing:
“German law forbids providers to talk about inquiries for user data or handing over user data,” Löhr added. “We are currently investigating a possible way with our lawyer to issue a transparency report about questions from police like Google, Microsoft, and [many] other US providers do, but we can not promise we will be able to do so. We try hard.”
Indeed, the German Telecommunications Act of 2004 (PDF) states very clearly, “The person with obligations shall maintain silence vis-à-vis his customers and third parties about the provision of information.” In other words, German communications services would be under a gag order by default.
Of course, given their other disadvantages on the government-privacy front, maybe European providers aren’t exactly eager to issue transparency reports. For example, in the US, authorities have to get a specific “gag” order to prevent subscribers from getting notice that their mail has been seized; while gag orders are common, they often expire after a time and can usually be challenged. It appears that Europe simply doesn’t make disclosure an option. Silence, not disclosure, is the law’s default.
[A]n American provider could notify its customer that he or she is the target of a judicial investigation. Google has a user notification policy
I’d like to offer readers a short quiz on judicial independence.
Imagine a field where liability is common but damages vary widely — patent law, perhaps, or disability claims. In this field, there is a specialized court that has attracted Congressional and press criticism because it rules for the plaintiff 99% of the time. Stung by relentless criticism based on this statistic, the chief judge of the court finally writes a public letter to Congress, saying, in essence,
“You don’t understand how this court works. The court conducts detailed pretrial settlement negotiations and in at least 25% of its cases, the judge tells the plaintiff that he is likely to lose unless he reduces his claim to an amount the court considers more reasonable, and the plaintiff almost always does. The court on occasion tells the plaintiff that his chances are so poor that the case should be dropped, and it usually is. In order to correct the misimpression created by the 99% success rate figure, from now on this court will keep track of every case in which we force the plaintiff to reduce or abandon his claim and will publish those statistics regularly.”
Based on those facts, I offer two multiple-choice questions:
1. The court’s letter is (choose one):
a. A breach of the tradition that courts do not enter the political arena to justify their decisions.
b. A prudent and factual response to public misunderstandings about the court’s decisions and role.
2. Which statement about the court’s collection of statistics is most accurate?
a. It improperly encourages the court’s judges to “improve” their track record by negotiating for reductions and withdrawals of plaintiffs’ claims even when those reductions and withdrawals are not required by law.
b. It is a valuable public service countering an inaccurate public impression; no reasonable person could believe that the publication of such statistics would [...]
From Foreign Policy:
Recently, Heritage refused to publish two papers about the National Security Agency’s surveillance programs written by a prominent conservative attorney. Why? Because he concluded that the programs were legal and constitutional, according to sources familiar with the matter. It was a surprising move for a think tank that has supported extension of the Patriot Act — which authorizes some of NSA’s activities — and has long been associated with right-of-center positions on national security and foreign policy.
But the paper’s conclusions did not sit well with DeMint, the sources said, who worried about offending or alienating more libertarian lawmakers such as Sen. Rand Paul, a DeMint ally and leading critic of NSA’s collection of Americans’ phone records, as well as Tea Partiers, who according to a recent poll think that government counterterrorism policies have gone “too far” in restricting civil liberties. It’s those groups that brought DeMint his greatest influence as a lawmaker and made him a national political heavyweight.