Friday, August 30, 2013

Category Archives: Benghazi Attack

What If the Insider Threat Memo Is about David Petraeus?

In a holiday document dump, President Obama transmitted Minimum Standards for Insider Threat Detection Programs. As mere citizens, we don’t get to see those standards. We only get to see the memo accompanying them, which leaves us guessing what–if anything–to make of the timing and content of the memo. In addition to Steven Aftergood’s general overview, Falguni Sheth, Kevin Gosztola, and Jesselyn Radack have some thoughts.
The simplest explanation for the timing of the memo is that’s when the Insider Threat Task Force developing them finished the Standards. The Standards were due a year after Obama ordered the creation of them on October 7, 2011.
Sec. 6.3. The Task Force’s responsibilities shall include the following:
(a) developing, in coordination with the Executive Agent, a Government-wide policy for the deterrence, detection, and mitigation of insider threats, which shall be submitted to the Steering Committee for appropriate review;
(b) in coordination with appropriate agencies, developing minimum standards and guidance for implementation of the insider threat program’s Government-wide policy and, within 1 year of the date of this order, issuing those minimum standards and guidance, which shall be binding on the executive branch;
That would mean they were due 45 days before Obama transmitted them. Perhaps the delay can be explained by either the election or a review within the White House (and I’m wonder whether Obama’s victory influenced how Obama received these Standards).
So it could well be that this memo was released as a holiday dump through sheer chance, Obama finishing up business before taking time with the family.
The timing of the transmittal might also be explained by personnel changes. James Clapper and Eric Holder (or their designees) would be the mandatory co-Chairs of the Task Force. While reports suggest Holder will stick around for another year, it’s unclear whether Clapper will be.
But then there’s the possibility that the Petraeus scandal influenced this release.
As a threshold matter, the EO mandating these Standards includes CIA involvement (by designees of but not the Director himself) on both the Task Force and Steering Committee on Insider Treats. It also reserves the authority of the Director of CIA with regards to security of information systems under an earlier EO and a National Security Directive. What happens where you’re in the middle of rolling out an Insider Threat Detection Program and one of the key players involved in it is embroiled in an insider threat investigation himself?
The EO also allows the Director of National Intelligence to “issue policy directives” to help the agencies of the Intelligence Community comply with this.
With respect to the Intelligence Community, the Director of National Intelligence, after consultation with the heads of affected agencies, may issue such policy directives and guidance as the Director of National Intelligence deems necessary to implement this order.
Perhaps such “policy directives” no longer seem like such a good idea if the CIA Director can’t even limit his threat profile.
Then there’s the possibility that the behavior of one of the players in the scandal demonstrated that the Standards are not yet being met. While reportedly Petraeus and Paula Broadwell only shared a GMail account–and therefore there is no allegation that they used the classified networks addressed in the EO–we have fewer details about what network General Allen was using to exchange sexy-time emails with Jill Kelley. Furthermore, whlie we know Broadwell had classified information on her computer and in her house, we don’t have much detail on this, either. As a Reserve Officer, her behavior may well have demonstrated holes in the program implemented by DOD.
In other words, it may be that the Standards had been languishing for 45 days after they were completed, but the Petraeus scandal identified that the Insider Threat Detection should have but did not identify some of the activities going on. That might have created some urgency for Obama to transmit them, so he could start cracking heads at the agencies where they standards were not being met. Obama’s memo also promises the standards will “provide the workforce with insider threat awareness training,” so it’s possible the Administration believes that if just its top Generals had a bit more training they might not destroy their careers by compromising security. Though, as Marc Ambinder explained, because he was in the chain of command for the nuclear football, Petraeus would have had extensive indoctrination on potential threats.
Or maybe it’s something else entirely.


What If the Insider Threat Memo Is about David Petraeus?

In a holiday document dump, President Obama transmitted Minimum Standards for Insider Threat Detection Programs. As mere citizens, we don’t get to see those standards. We only get to see the memo accompanying them, which leaves us guessing what–if anything–to make of the timing and content of the memo. In addition to Steven Aftergood’s general overview, Falguni Sheth, Kevin Gosztola, and Jesselyn Radack have some thoughts.
The simplest explanation for the timing of the memo is that’s when the Insider Threat Task Force developing them finished the Standards. The Standards were due a year after Obama ordered the creation of them on October 7, 2011.
Sec. 6.3. The Task Force’s responsibilities shall include the following:
(a) developing, in coordination with the Executive Agent, a Government-wide policy for the deterrence, detection, and mitigation of insider threats, which shall be submitted to the Steering Committee for appropriate review;
(b) in coordination with appropriate agencies, developing minimum standards and guidance for implementation of the insider threat program’s Government-wide policy and, within 1 year of the date of this order, issuing those minimum standards and guidance, which shall be binding on the executive branch;
That would mean they were due 45 days before Obama transmitted them. Perhaps the delay can be explained by either the election or a review within the White House (and I’m wonder whether Obama’s victory influenced how Obama received these Standards).
So it could well be that this memo was released as a holiday dump through sheer chance, Obama finishing up business before taking time with the family.
The timing of the transmittal might also be explained by personnel changes. James Clapper and Eric Holder (or their designees) would be the mandatory co-Chairs of the Task Force. While reports suggest Holder will stick around for another year, it’s unclear whether Clapper will be.
But then there’s the possibility that the Petraeus scandal influenced this release.
As a threshold matter, the EO mandating these Standards includes CIA involvement (by designees of but not the Director himself) on both the Task Force and Steering Committee on Insider Treats. It also reserves the authority of the Director of CIA with regards to security of information systems under an earlier EO and a National Security Directive. What happens where you’re in the middle of rolling out an Insider Threat Detection Program and one of the key players involved in it is embroiled in an insider threat investigation himself?
The EO also allows the Director of National Intelligence to “issue policy directives” to help the agencies of the Intelligence Community comply with this.
With respect to the Intelligence Community, the Director of National Intelligence, after consultation with the heads of affected agencies, may issue such policy directives and guidance as the Director of National Intelligence deems necessary to implement this order.
Perhaps such “policy directives” no longer seem like such a good idea if the CIA Director can’t even limit his threat profile.
Then there’s the possibility that the behavior of one of the players in the scandal demonstrated that the Standards are not yet being met. While reportedly Petraeus and Paula Broadwell only shared a GMail account–and therefore there is no allegation that they used the classified networks addressed in the EO–we have fewer details about what network General Allen was using to exchange sexy-time emails with Jill Kelley. Furthermore, whlie we know Broadwell had classified information on her computer and in her house, we don’t have much detail on this, either. As a Reserve Officer, her behavior may well have demonstrated holes in the program implemented by DOD.
In other words, it may be that the Standards had been languishing for 45 days after they were completed, but the Petraeus scandal identified that the Insider Threat Detection should have but did not identify some of the activities going on. That might have created some urgency for Obama to transmit them, so he could start cracking heads at the agencies where they standards were not being met. Obama’s memo also promises the standards will “provide the workforce with insider threat awareness training,” so it’s possible the Administration believes that if just its top Generals had a bit more training they might not destroy their careers by compromising security. Though, as Marc Ambinder explained, because he was in the chain of command for the nuclear football, Petraeus would have had extensive indoctrination on potential threats.
Or maybe it’s something else entirely.
The language used in Obama’s memo differs in some interesting ways from the language in the EO on Insider Threats. The latter always refers to agencies, cited back to a 2009 EO
(a) For the purposes of this order, the word “agencies” shall have the meaning set forth in section 6.1(b) of Executive Order 13526 of December 29, 2009.
Which in turn cites back to laws defining both agencies and departments of the military.
Obama’s memo, however, always refers to both agencies and departments:
This Presidential Memorandum transmits the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security.
[snip]
The Minimum Standards provide departments and agencies with the minimum elements necessary to establish effective insider threat programs. [my emphasis]
Legally, I suspect there is no difference here, given that agencies as used in the EO includes military departments. But the emphasis seems to be different.
In addition, the EO defines the Insider Threat differently. The EO emphasizes unauthorized disclosure of classified information–the threat identified by WikiLeaks.
Sec. 6.1. There is established an interagency Insider Threat Task Force that shall develop a Government-wide program (insider threat program) for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.
But Obama’s memo includes “violent acts against the Government.”
These threats encompass potential espionage, violent acts against the Government or the Nation, and unauthorized disclosure of classified information, including the vast amounts of classified data available on interconnected United States Government computer networks and systems. [my emphasis]
Mind you, violent acts should be included. After all, Nidal Hasan was emailing Anwar al-Awlaki 9 months before he attacked at Fort Hood. And the release of the Webster report provided recommendations that may have been integrated into these Minimum Standards. Plus, given the fearmongering over cyberthreats, Obama may have wanted this out shortly following his EO on cybersecurity.
But again, the emphasis is different.
It may be any of these things: simply the normal timing, the issues others have addressed, real physical threats we may not know about.
But it is, at the very least, ironic that Obama formally implemented these Minimum Standards less than two weeks after two top national security figures were exposed for showing at least bad judgment about their own Insider Threat exposure.http://www.fas.org/sgp/obama/nitp.pdf

Executive Order 13587 of October 7, 2011

Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information By the authority vested in me as President by the Constitution and the laws of the United States of America and in order to ensure the responsible sharing and safeguarding of classified national security information (classified information) on computer networks, it is hereby ordered as follows:
Section 1. Policy. Our Nation's security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely. Computer networks have individual and common vulnerabilities that require coordinated decisions on risk management.
This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government. These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks.
Sec. 2. General Responsibilities of Agencies.
Sec. 2.1. The heads of agencies that operate or access classified computer networks shall have responsibility for appropriately sharing and safeguarding classified information on computer networks. As part of this responsibility, they shall:
    (a) designate a senior official to be charged with overseeing classified information sharing and safeguarding efforts for the agency; (b) implement an insider threat detection and prevention program consistent with guidance and standards developed by the Insider Threat Task Force established in section 6 of this order;
    (c) perform self-assessments of compliance with policies and standards issued pursuant to sections 3.3, 5.2, and 6.3 of this order, as well as other applicable policies and standards, the results of which shall be reported annually to the Senior Information Sharing and Safeguarding Steering Committee established in section 3 of this order;
    (d) provide information and access, as warranted and consistent with law and section 7(d) of this order, to enable independent assessments by the Executive Agent for Safeguarding Classified Information on Computer Networks and the Insider Threat Task Force of compliance with relevant established policies and standards; and
    (e) detail or assign staff as appropriate and necessary to the Classified Information Sharing and Safeguarding Office and the Insider Threat Task Force on an ongoing basis.
Sec. 3. Senior Information Sharing and Safeguarding Steering Committee. Sec. 3.1. There is established a Senior Information Sharing and Safeguarding Steering Committee (Steering Committee) to exercise overall responsibility and ensure senior-level accountability for the coordinated interagency development and implementation of policies and standards regarding the sharing and safeguarding of classified information on computer networks.
Sec. 3.2. The Steering Committee shall be co-chaired by senior representatives of the Office of Management and Budget and the National Security Staff. Members of the committee shall be officers of the United States as designated by the heads of the Departments of State, Defense, Justice, Energy, and Homeland Security, the Office of the Director of National Intelligence, the Central Intelligence Agency, and the Information Security Oversight Office within the National Archives and Records Administration (ISOO), as well as such additional agencies as the co-chairs of the Steering Committee may designate.
Sec. 3.3. The responsibilities of the Steering Committee shall include:
    (a) establishing Government-wide classified information sharing and safeguarding goals and annually reviewing executive branch successes and shortcomings in achieving those goals; (b) preparing within 90 days of the date of this order and at least annually thereafter, a report for the President assessing the executive branch's successes and shortcomings in sharing and safeguarding classified information on computer networks and discussing potential future vulnerabilities;
    (c) developing program and budget recommendations to achieve Government-wide classified information sharing and safeguarding goals;
    (d) coordinating the interagency development and implementation of priorities, policies, and standards for sharing and safeguarding classified information on computer networks;
    (e) recommending overarching policies, when appropriate, for promulgation by the Office of Management and Budget or the ISOO;
    (f) coordinating efforts by agencies, the Executive Agent, and the Task Force to assess compliance with established policies and standards and recommending corrective actions needed to ensure compliance;
    (g) providing overall mission guidance for the Program Manager-Information Sharing Environment (PM-ISE) with respect to the functions to be performed by the Classified Information Sharing and Safeguarding Office established in section 4 of this order; and
    (h) referring policy and compliance issues that cannot be resolved by the Steering Committee to the Deputies Committee of the National Security Council in accordance with Presidential Policy Directive/PPD-1 of February 13, 2009 (Organization of the National Security Council System).
Sec. 4. Classified Information Sharing and Safeguarding Office. Sec. 4.1. There shall be established a Classified Information Sharing and Safeguarding Office (CISSO) within and subordinate to the office of the PM-ISE to provide expert, fulltime, sustained focus on responsible sharing and safeguarding of classified information on computer networks. Staff of the CISSO shall include detailees, as needed and appropriate, from agencies represented on the Steering Committee.
Sec. 4.2. The responsibilities of CISSO shall include:
    (a) providing staff support for the Steering Committee; (b) advising the Executive Agent for Safeguarding Classified Information on Computer Networks and the Insider Threat Task Force on the development of an effective program to monitor compliance with established policies and standards needed to achieve classified information sharing and safeguarding goals; and
    (c) consulting with the Departments of State, Defense, and Homeland Security, the ISOO, the Office of the Director of National Intelligence, and others, as appropriate, to ensure consistency with policies and standards under Executive Order 13526 of December 29, 2009, Executive Order 12829 of January 6, 1993, as amended, Executive Order 13549 of August 18, 2010, and Executive Order 13556 of November 4, 2010.
Sec. 5. Executive Agent for Safeguarding Classified Information on Computer Networks. Sec. 5.1. The Secretary of Defense and the Director, National Security Agency, shall jointly act as the Executive Agent for Safeguarding Classified Information on Computer Networks (the "Executive Agent"), exercising the existing authorities of the Executive Agent and National Manager for national security systems, respectively, under National Security Directive/NSD-42 of July 5, 1990, as supplemented by and subject to this order.
Sec. 5.2. The Executive Agent's responsibilities, in addition to those specified by NSD-42, shall include the following:
    (a) developing effective technical safeguarding policies and standards in coordination with the Committee on National Security Systems (CNSS), as re-designated by Executive Orders 13286 of February 28, 2003, and 13231 of October 16, 2001, that address the safeguarding of classified information within national security systems, as well as the safeguarding of national security systems themselves; (b) referring to the Steering Committee for resolution any unresolved issues delaying the Executive Agent's timely development and issuance of technical policies and standards;
    (c) reporting at least annually to the Steering Committee on the work of CNSS, including recommendations for any changes needed to improve the timeliness and effectiveness of that work; and
    (d) conducting independent assessments of agency compliance with established safeguarding policies and standards, and reporting the results of such assessments to the Steering Committee.
Sec. 6. Insider Threat Task Force. Sec. 6.1. There is established an interagency Insider Threat Task Force that shall develop a Government-wide program (insider threat program) for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies. This program shall include development of policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities and practices within agencies.
Sec. 6.2. The Task Force shall be co-chaired by the Attorney General and the Director of National Intelligence, or their designees. Membership on the Task Force shall be composed of officers of the United States from, and designated by the heads of, the Departments of State, Defense, Justice, Energy, and Homeland Security, the Office of the Director of National Intelligence, the Central Intelligence Agency, and the ISOO, as well as such additional agencies as the co-chairs of the Task Force may designate. It shall be staffed by personnel from the Federal Bureau of Investigation and the Office of the National Counterintelligence Executive (ONCIX), and other agencies, as determined by the co-chairs for their respective agencies and to the extent permitted by law. Such personnel must be officers or full-time or permanent part-time employees of the United States. To the extent permitted by law, ONCIX shall provide an appropriate work site and administrative support for the Task Force.
Sec. 6.3. The Task Force's responsibilities shall include the following:
    (a) developing, in coordination with the Executive Agent, a Government-wide policy for the deterrence, detection, and mitigation of insider threats, which shall be submitted to the Steering Committee for appropriate review; (b) in coordination with appropriate agencies, developing minimum standards and guidance for implementation of the insider threat program's Government-wide policy and, within 1 year of the date of this order, issuing those minimum standards and guidance, which shall be binding on the executive branch;
    (c) if sufficient appropriations or authorizations are obtained, continuing in coordination with appropriate agencies after 1 year from the date of this order to add to or modify those minimum standards and guidance, as appropriate;
    (d) if sufficient appropriations or authorizations are not obtained, recommending for promulgation by the Office of Management and Budget or the ISOO any additional or modified minimum standards and guidance developed more than 1 year after the date of this order; (e) referring to the Steering Committee for resolution any unresolved issues delaying the timely development and issuance of minimum standards;
    (f) conducting, in accordance with procedures to be developed by the Task Force, independent assessments of the adequacy of agency programs to implement established policies and minimum standards, and reporting the results of such assessments to the Steering Committee;
    (g) providing assistance to agencies, as requested, including through the dissemination of best practices; and
    (h) providing analysis of new and continuing insider threat challenges facing the United States Government.
Sec. 7. General Provisions.
    (a) For the purposes of this order, the word "agencies" shall have the meaning set forth in section 6.1(b) of Executive Order 13526 of December 29, 2009. (b) Nothing in this order shall be construed to change the requirements of Executive Orders 12333 of December 4, 1981, 12829 of January 6, 1993, 12968 of August 2, 1995, 13388 of October 25, 2005, 13467 of June 30, 2008, 13526 of December 29, 2009, 13549 of August 18, 2010, and their successor orders and directives.
    (c) Nothing in this order shall be construed to supersede or change the authorities of the Secretary of Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended; the Secretary of Defense under Executive Order 12829, as amended; the Secretary of Homeland Security under Executive Order 13549; the Secretary of State under title 22, United States Code, and the Omnibus Diplomatic Security and Antiterrorism Act of 1986; the Director of ISOO under Executive Orders 13526 and 12829, as amended; the PM-ISE under Executive Order 13388 or the Intelligence Reform and Terrorism Prevention Act of 2004, as amended; the Director, Central Intelligence Agency under NSD-42 and Executive Order 13286, as amended; the National Counterintelligence Executive, under the Counterintelligence Enhancement Act of 2002; or the Director of National Intelligence under the National Security Act of 1947, as amended, the Intelligence Reform and Terrorism Prevention Act of 2004, as amended, NSD-42, and Executive Orders 12333, as amended, 12968, as amended, 13286, as amended, 13467, and 13526.
    (d) Nothing in this order shall authorize the Steering Committee, CISSO, CNSS, or the Task Force to examine the facilities or systems of other agencies, without advance consultation with the head of such agency, nor to collect information for any purpose not provided herein.
    (e) The entities created and the activities directed by this order shall not seek to deter, detect, or mitigate disclosures of information by Government employees or contractors that are lawful under and protected by the Intelligence Community Whistleblower Protection Act of 1998, Whistleblower Protection Act of 1989, Inspector General Act of 1978, or similar statutes, regulations, or policies.
    (f) With respect to the Intelligence Community, the Director of National Intelligence, after consultation with the heads of affected agencies, may issue such policy directives and guidance as the Director of National Intelligence deems necessary to implement this order.
    (g) Nothing in this order shall be construed to impair or otherwise affect:
      (1) the authority granted by law to an agency, or the head thereof; or (2) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals
    (h) This order shall be implemented consistent with applicable law and appropriate protections for privacy and civil liberties, and subject to the availability of appropriations. (i) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
    [signed:] Barack Obama
THE WHITE HOUSE, October 7, 2011.

No comments:

Post a Comment