Posts from December, 2011

Army Red Teams Test Communications Security

A newly revised Army regulation prescribes the use of “red teams” that are assigned to try to penetrate the security of military communications, as if they were hackers or opposition forces.

“Red Team operations expose vulnerabilities by challenging an organization’s readiness and ability to protect information. Red Team activities focus on identifying an organization’s critical and classified information to show the operational impact of physical, information and operations security shortcomings,” the regulation explains. “To replicate a true adversary, certified Red Teams have the authority to access .mil networks from public domains through the use of remote operations.”

See “Communications Security Monitoring,” Army Regulation 380-53, December 23, 2011.

Among other changes to the previous edition of the regulation, the new revision “removes the requirement to obtain permission from the Assistant Secretary of Defense for Networks and Information Integration to conduct communications security monitoring in the National Capital Region.”

JASON on Severe Space Weather and the Electric Grid

Updated below

The U.S. electric power grid is vulnerable to damage from severe electromagnetic solar storms and remedial measures should be taken to reduce that vulnerability, a new study (large pdf) from the JASON scientific advisory panel concluded.

On the other hand, the JASONs said, catastrophic worst-case scenarios advanced by some are not plausible, and they should not serve as a basis for policy making.

Public disclosure of the new JASON study was blocked by the Department of Homeland Security, which sponsored the analysis.  But a copy was obtained by Secrecy News.

“Concerns about the vulnerabilities of technical infrastructure to space weather have been growing since the sun entered the early stages of the current sunspot cycle in 2009, increasing prospects for severe solar storms,” the report said.

“We agree that the U.S. electric grid remains vulnerable,” the JASONs concluded.  “Mitigation should be undertaken as soon as possible to reduce the vulnerability of the U.S. grid.  The cost appears modest compared to just the economic impact of a single storm,” they added.

But the panel declined to endorse a worst-case scenario proposed in 2010 by J. Kappenman (large pdf), who envisioned “the possibility of catastrophic damage to the U.S. electric grid, leaving millions without power for months to years.”

“We are not convinced that the worst case scenario… is plausible.  Nor is the analysis it is based on, using proprietary algorithms, suitable for deciding national policy,” the JASON report said.

Instead, “a rigorous and fully transparent risk analysis should be done of the U.S. grid.”  See “Impacts of Severe Space Weather on the Electric Grid,” JASON report JSR-11-320, November 2011.

Ironically, the Department of Homeland Security, which requested the JASON study, refused to make it publicly available.  In a November 20 letter to the Federation of American Scientists, DHS said that no portion of the study would be released under the Freedom of Information Act because it was subject to the “deliberative process privilege.”  A copy of the report was obtained independently.

Update: By letter dated December 27, DHS amended its denial of our FOIA request and released the report.

Congress Approves 2012 Intelligence Authorization

Congress last week enacted the Intelligence Authorization Act for Fiscal Year 2012.

“The legislation we are approving today keeps funding for intelligence essentially flat from fiscal year 2011, representing a meaningful reduction from the President’s request,” said Senate Intelligence Committee chair Sen. Dianne Feinstein (D-CA) on December 14.

Curiously, Rep. Mike Rogers (R-MI), the chair of the House Intelligence Committee, described the outcome somewhat differently on December 16:  “The bill is significantly below the President’s budget request for fiscal year 2012 and further still below the levels authorized and appropriated in fiscal year 2011.”

In both the House and the Senate action on the bill there was a conspicuous absence of public debate on any issue of intelligence policy.  No dissenting views were expressed.  Nor was there any discussion of or insight into current intelligence controversies.  For that, one must turn to other venues, such as “Secrecy defines Obama’s drone war” by Karen DeYoung in today’s Washington Post.

Libya and War Powers

The U.S. government acknowledges that U.S. military forces were involved in “armed conflict” this year in Libya, but it does not acknowledge that they were engaged in “hostilities.”

Earlier this year, State Department legal advisor Harold H. Koh attempted to parse these distinctions, which have significant legal consequences, and to deflect some pointed questions from members of the Senate Foreign Relations Committee.  His responses to Senators’ questions for the record (pdf) from a June 28 Committee hearing were published last month.  The full hearing volume is here (pdf).

Congress Authorizes Offensive Military Action in Cyberspace

Congress has given the U.S. military a green light to conduct offensive military activities in cyberspace.

“Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests,” said the FY 2012 defense authorization act that was adopted in conference this week (section 954).

The blanket authorization for offensive cyber operations is conditional on compliance with the law of armed conflict, and the War Powers Resolution, which mandated congressional consultation in decisions to go to war.

“The conferees recognize that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations and that it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles, and legal regimes that pertain to kinetic capabilities,” the conference report on the defense authorization act said.

“The conferees also recognize that in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged.”

“The conferees stress that, as with any use of force, the War Powers Resolution may apply.”

This is an odd formulation which suggests that the War Powers Resolution may also not apply.  In any case, the Resolution is a weak reed that has rarely been used by Congress to constrain executive action.

According to the Congressional Research Service, “Debate continues on whether using the War Powers Resolution is effective as a means of assuring congressional participation in decisions that might get the United States involved in a significant military conflict.”

Update: There’s more from Wired Threat Level and Lawfare.

Congress Enacts Insider Threat Detection Program

Congress ordered the Secretary of Defense to establish an information security program for detecting “unauthorized access to, use of, or transmission of classified or controlled unclassified information.”  The provision was included in the FY2012 defense authorization act that was approved in conference this week (section 922).

The insider threat detection program, conceived as a response to WikiLeaks, is intended to “allow for centralized monitoring and detection of unauthorized activities.”  Among other things, it is supposed to employ technology solutions “to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information.”

The Congressional action was partially anticipated by President Obama’s executive order 13587 of October 7, 2011, which established new governance procedures for improving the security of classified information.

The new legislation adds some further detail and imposes deadlines for compliance.

CIA Will Process Request on Open Source Works

In an abrupt reversal, the Central Intelligence Agency said that it will process a Freedom of Information Act request for documents pertaining to the establishment of Open Source Works, the CIA’s in-house open source intelligence organization.

Intelligence historian Jeffrey Richelson had requested the charter of Open Source Works under the Freedom of Information Act, only to be told that the CIA could not confirm or deny the existence (or non-existence) of responsive records.  See “Charter of Open Source Org is Classified, CIA Says,” Secrecy News, December 12.

But Dr. Richelson said that CIA Information and Privacy Coordinator Susan Viscuso called him yesterday to inform him that the request would be processed after all.  The earlier response, she said, was “an administrative error.”

DoD Says Military Intel Budget Request is Classified

The amount of money that the Pentagon requested for the Military Intelligence Program (MIP) in FY2012 — around $25 billion — is classified and will not be disclosed, the Department of Defense said last week in response to a Freedom of Information Act request for the figure.

The MIP budget request number “is currently and properly classified in accordance with Executive Order 13526 Section 1.4(g) concerning vulnerabilities or capability of systems, installations, infrastructures, projects, plans or protection services relating to the national security,” the December 7 denial letter stated.

The decision to withhold the MIP budget request number is incongruous, considering that the MIP appropriation is unclassified ($24 billion in FY2011).

Not only that, but the amount of money that was requested for the National Intelligence Program (NIP) is unclassified and has been released by the Director of National Intelligence ($55 billion for FY2012).

“No identifiable damage to national security was caused by the release of the NIP budget request figure,” we noted yesterday in an appeal of the initial FOIA denial.

“From a classification policy perspective, there is no substantive difference between the NIP and the MIP.  Each Program involves intelligence sources and methods requiring protection, classified acquisition programs, and other sensitive and properly classified activities.”

“Just as disclosure of the NIP budget request caused no damage to national security, it is clear that disclosure of the MIP budget request would be likewise harmless,” we wrote in the December 13 appeal.

Like other questionable classification choices, the decision to classify the MIP budget request is ripe for reconsideration and correction in the ongoing Fundamental Classification Guidance Review.

Support Secrecy News

We hope that all Secrecy News readers will give generously to charitable causes that help relieve those who are in distress.  After you have done that, we hope you may also contribute to Secrecy News and the work of the FAS Project on Government Secrecy.

As readers know, we do not charge anyone for subscriptions to Secrecy News or for access to the records we collect.  We want to make our work available even to those who can’t or don’t want to pay for it.

But one way or another, we need to pay our bills like everyone else.  And so, this appeal.

If your situation permits, please consider making a tax deductible contribution to the Federation of American Scientists to support Secrecy News.  (Thanks to those who have already done so!)

Donations can be made online here (specify that your donation should be directed to “government secrecy”).  If contributing via Paypal, send us a separate email to let us know you want your contribution allocated to the FAS Project on Government Secrecy.  Checks payable to FAS may also be mailed to:

Secrecy News
Federation of American Scientists
1725 DeSales Street N.W.
6th Floor
Washington D.C. 20036