I'm going to have plenty to say on Shane Harris' story revealing that the NSA used hackers and foreign cyberhacks as their excuse for illegally accessing customer data prior to 9/11. First, though, I'd like to remind readers of this earlier Shane Harris story (with Tim Naftali)--to my mind the best reporting on this topic outside of the Risen-Lichtblau early scoop.
A former telecom executive told us that efforts to obtain call details go back to early 2001, predating the 9/11 attacks and the president's now celebrated secret executive order. The source, who asked not to be identified so as not to out his former company, reports that the NSA approached U.S. carriers and asked for their cooperation in a "data-mining" operation, which might eventually cull "millions" of individual calls and e-mails.
In other words, nearly two years ago, Harris (with Naftali) quoted a telecom executive saying that something had gone on earlier than 9/11. And now, he's providing details about Qwest's refusal to cooperate.
So, returning to this story after Nacchio's appeal has raised a lot of questions about the earlier request, Harris reveals the rationale the Administration offered for its earlier data mining.
However, in February 2001, the NSA's primary purpose in seeking access to Qwest's network apparently was not to search for terrorists but to watch for computer hackers and foreign-government forces trying to penetrate and compromise U.S. government information systems, particularly within the Defense Department, sources said. Government officials have long feared a "digital Pearl Harbor" if intruders were to seize control of these systems or other key U.S. infrastructures through the Internet.
[former NSA Director] Minihan singled out Russia and China; the latter, he said, had already incorporated cyber-warfare into its military training. He also pointed to the emergence of "transnational security challenges," including terrorism, drug trafficking, and international organized crime. "These opportunists, enabled by the explosion of technology and the availability of inexpensive, secure means of communication, pose a significant threat to the interests of the United States and its allies," Minihan said.
Harris also gives a general sense of how the program was justified as legal.
A former senior NSA official said that the agency also worried that because these groups understood privacy laws so well, they knew how to avoid detection and could predict what the NSA would, and wouldn't, do to track them. "There was such a nuanced understanding of how to tie us in knots and use American law against us, that there were certainly pockets of people saying, 'We've got to be assertive; we've got to be more aggressive on this,' " the former official said.
Hayden, who ran the NSA from 1999 to 2005, was well known for his willingness to push operations to the legal edge. "We're pretty aggressive within the law," Hayden said in public remarks after 9/11. "As a professional, I'm troubled if I'm not using the full authority allowed by law."
Hayden has repeated that refrain since the attacks. But former intelligence officials doubted that he would have authorized any request to Qwest, or other companies, that he believed violated the law. They noted, however, that many in the agency had long thought that monitoring "metadata," such as a phone number, the length of a call, or a series of calls placed from a particular phone, didn't implicate privacy because such information didn't constitute the "content" of a message -- its written or spoken words. [my emphasis]
This excuse sounds precisely like the public denials Hayden made about the program after the NYT revealed that the problem with the program involved data mining (this quote is a riff on a Glenn Greenwald quote).
In January, 2006, Gen. Michael Hayden -- the NSA Director during the implementation of the "TSP" and the current CIA Director -- gave a press briefing at the National Press Club in which he emphatically denied that the NSA had been engaging in the type of "data mining" which this morning's articles describe. During his opening remarks, Hayden said:
Let me talk for a few minutes also about what this program is not. It is not a driftnet over Dearborn or Lackawanna or Freemont grabbing conversations that we then sort out by these alleged keyword searches or data-mining tools or other devices that so-called experts keep talking about.
This is targeted and focused. This is not about intercepting conversations between people in the United States. This is hot pursuit of communications entering or leaving America involving someone we believe is associated with al Qaeda.
He then made clear that the NSA could not and would not engage in such data mining because of the "ethical" and "practical" considerations involved:
QUESTION: Are you spying on or intercepting our communications, e-mails and telephone conversations of those of us who are organizing The World Can't Wait to Drive Out the Bush Regime?
GEN. HAYDEN: You know, I tried to make this as clear as I could in prepared remarks. I said this isn't a drift net, all right? I said we're not there sucking up coms and then using some of these magically alleged keyword searches -- "Did he say 'jihad'?
[bold Glenn's; italics mine]
In other words, faced with the anonymous description that the problem with the warrantless wiretap program had to do with data mining, Hayden neatly parsed that it couldn't be data mining because they didn't "[suck] up coms and then [use] some of those magically alleged keyword searches." Hayden denied that they had mined content, but he stopped well short of saying that they hadn't mined metadata.
Which strongly suggests that Michael Hayden was well aware that the NSA was mining metadata, long before 9/11.
Hackers, Russians, Chinese, mafia, and drug traffickers, those are the threats described in Harris' article. Frankly, it's a real threat--the Chinese, in particular, have proven very adept at hacking our networks, even six years after 9/11--and after this surveillance program started. In June of this year, for example, the Chinese allegedly hacked into Defense Secretary Robert Gates' own computer.
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.
The PLA regularly probes US military networks – and the Pentagon is widely assumed to scan Chinese networks – but US officials said the penetration in June raised concerns to a new level because of fears that China had shown it could disrupt systems at critical times.
“The PLA has demonstrated the ability to conduct attacks that disable our system...and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who said the PLA had penetrated the networks of US defence companies and think-tanks.
Hackers from numerous locations in China spent several months probing the Pentagon system before overcoming its defences, according to people familiar with the matter.
The reality of this threat really does need to be part of this discussion. I'm not saying it warrants domestic surveillance--but I do suspect that our Toobz and our satellite system are two of our greatest vulnerabilities, particularly when you're talking about threats from the Chinese.
The Revolving Door of Cyber-Security Czars
That said, consider a couple other details about our efforts on cyber-security under the Bush Administration. As I pointed out in an earlier post, the position of cyber-security czar has been a veritable revolving door since Bush's inauguration.
Bush has already been through about 5 or 6 cybersecurity czars: Richard Clarke from 2001 to 2003, Howard Schmidt for just three months after that, Rand Beers for a month, Amit Yoran from later in 2003 to 2004, I'm missing one from 2004 to 2005, it went vacant for a year, then Greg Garcia for the last year. One after another one quits because Bush won't force private companies to cooperate, which makes cybersecurity difficult if not pointless.
There's one other, related, reason why these guys have bolted from the position so quickly: because, from shortly after Clarke took the position until several weeks ago, the Department of Homeland Security had taken the lead in cyber-security. Not only is DHS hopelessly incompetent, but it also didn't have the authority (read, the legal vehicles) to do what it needed to do on the Toobz (and also, I suspect, to require corporations with strong ties to the government to exercise certain levels of security on their own networks).
Yet underlying this entire revolving door is the accusation from the former cyber-czars that cyber-security just wasn't a priority for the Bush Administration.
So here's some irresponsible speculation on these issues. The urgency for the FISA amendment accelerated during the summer. Mike McConnell claimed it related to two FISC rulings, in March and May; Trent Lott and other Republican propagandists said it was because of chatter related to an attack on DC. But I wonder whether that Chinese hack in June wasn't the real driving force behind the urgency? After all, the new language on requiring telecoms to cooperate with the government in the FISA amendment would give the NSA vast new powers as it watched for Chinese hackers. And the Chinese attack was likely more urgent than any of the other claimed threats.
I will need to return to the language of the new amended FISA and proposed further amendments, but I also strongly suspect that this is why the Bush Administration has been so reluctant to allow FISC to review whether it complies with its own minimization requirements. If the FISC amendment is about data mining metadata believed to be related to foreign individuals, and not actually wiretapping them (and that explains the need for blanket warrants, rather than specific ones), then the process of collecting enough data to make data mining metadata meaningful is going to suck up a lot of information on US persons. The Administration is willing to claim they're minimizing US person data, but they're unwilling to allow anyone to really check whether they're fulfilling their claims. I suspect that means the US data information is in the universe of that data being mined, and they're just hoping they get away with it.
How Much Does Richard Clarke Know?
There's one more detail I'd like to point out. Richard Clarke (or one of his aides) could easily be this source for Harris:
A former White House official, who at the time was involved in network defense and other intelligence programs, said that the early 2001 NSA proposal to Qwest was, "Can you build a private version of Echelon and tell us what you see?"
In his book, Against All Enemies, Clarke describes pitching the creation of a cyber-security czar position to Condi in spring 2001, and they agreed he would take on the position starting October 1, 2001 (his assumption of the position was delayed by 9/11).
But if we return to the Qwest documents, we see that Clarke wasn't in on the February 2001 meeting with Qwest, though he was aware of Qwest's deals with the military, unbeknownst to Qwest executive James Payne.
At the meeting, Mr. Clarke asked the group if it was possible to create a network, then proceeded to describe [redacted]. Mr. Payne hadn't known that Clarke had the "need to know" that would have allowed him to know the details of this project.
After describing this "hypothetical" network, Mr. Clarke asked the group what kind of company could do this. Everyone said no one could, it couldn't be done. Mr. Nacchio, instead of saying "I already built this network twice, once for [redacted] and once for DISA," instead simply described how it could be done. Later, Paul Kurtz (a NSC staffer) told Mr. Payne that Mr. Clarke did this because he wanted to see Mr. Nacchio's response.
... what Mr. Clarke had in mind for GovNet was an "airgap network," impervious to outside attack.
GovNet sounds like a prophylactic fix on cyber-security--setting up a network that will be relatively immune from outside threats. But that doesn't mean Richard Clarke wasn't in on the earlier data mining program (which might explain why he had the "need to know" all about what Qwest was doing). Was he?
Update: Gates hack quote fixed per PJ Evans.