Archive for the ‘NSA’ Category

Covert NSA Listening Stations in Every Major City? – Telepresence Options

Story and images by Aaron and Melissa Dykes

Hi everyone. This piece is a bit more personal. While driving through the South, we happened upon an odd AT&T building in downtown Birmingham, Alabama when we stopped for lunch. After seeing a creepy and very serious security/surveillance man waiting at the parking garage, watching us with some sort of long telephoto lens, it struck us that this was no ordinary building.

Just like the TitanPointe "long-lines building" in New York - an AT&T front where the NSA monitors huge volumes of communications that was exposed by The Intercept and a team of bloggers they worked with - this building in Birmingham, and similar ones in major cities anywhere and everywhere across the country, was not just there to reach out and touch someone.

No, you can get goosebumps just from being near it

Read the rest here:
Covert NSA Listening Stations in Every Major City? - Telepresence Options

I FOIA’d the NSA’s Recycling Mascot, and Now I Have More Questions Than Answers – New York Magazine

Move over, Pixar: there's a new CGI creature in town, and he comes from the most unlikely of places, the National Security Agency. Of the federal government agencies that you'd expect to have an anthropomorphic mascot dedicated to reducing environmental waste, the NSA is probably near the bottom of the list.

The mascot, Dunk, became public knowledge in 2015, thanks to a menacing NSA tweet the agency sent to publicize its green efforts.

That effort included a school initiative teaching children how to conduct a waste audit, categorize trash, and figure out how effective they were at properly disposing of trash. Yes, the NSA wanted children to go snooping through trash, which seems almost too on the nose to be true. "So you're asking me, hey Dunk, what is a waste audit? Well, you're going to dig through all of the trash in your school and then you're going to analyze it," the blue beast intoned in his nasal voice. "You'll need to identify the types of trash making up the waste stream of your school and the amounts of each type of trash, by weight and volume."

Upon learning of Dunk, I submitted a Freedom of Information Act request for any communication and documents related to the development of Dunk. More than two years later, the NSA came through with a handful of unclassified documents.

On August 22, 2008, a graphic-design coordinator sent an email with the subject line "(U) Quick Idea." Attached was a file called "recycle idea.pdf," which contained preliminary sketches for two waste-disposal bins with faces and arms. One is a round, green recycling bin, for soda cans and such; the other is an orange dumpster labeled "WOOD ONLY" that's disposing of a pallet. The slogan: "Think Before You Throw."

The initiative was put on hold until the graphic-design coordinator returned from leave in early September. The next email exchange that the NSA included begins on October 1, when a waste-and-recycling manager inquires about the Dunk program. "Just wanted to know if we've made any further progress ... Let me know"

Two days later, the Dunk we all know and love appears in a file simply titled "dunk.pdf," courtesy of the same graphic-design coordinator. He's now a blue, rectangular recycling bin, who throws trash through a hole in the top of his head, rather than eating it via his mouth. Does the trash give him energy? What happened to his dumpster friend? Why is he called Dunk when he's clearly lobbing the trash?

The final page included in the NSA's response is the final Dunk, now with fancy purple shorts. The picture is not dated, but it's presumably the type of office posting that is placed right over the trash bins. Years before Dunk was telling kids to dig through the trash, he was telling NSA workers to be mindful of their waste habits.

"Think before you throw!" the NSA warns. I mean, that'd be crazy, right? Imagine if your stuff ended up in the wrong place, and someone you didn't intend got ahold of it and used it improperly. That'd be so embarrassing!

Original post:
I FOIA'd the NSA's Recycling Mascot, and Now I Have More Questions Than Answers - New York Magazine

Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report – Lawfare (blog)

The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons of the NSA/CYBERCOM dual-hat system (pursuant to which the Director of NSA/CSS and Commander of CYBERCOM are the same person). The report deserves attention, but also some criticism and context. Here's a bit of all three.

1. What is the dual-hat issue?

If you are new to the dual-hat issue, or in any event if you've not closely followed the developments of the past year, please read this recent post for an introduction and overview.

2. What was GAO's bottom line? Did they recommend keeping or abolishing the dual-hat?

Neither. The report does not purport to answer that question. It is, instead, no more and no less than an attempt to convey the DOD perspective (and only the DOD perspective) on the pros and cons of keeping the dual-hat structure (as well as identifying some mitigation steps).

3. What method did GAO use to determine DOD's perspective?

GAO did three things:

a. It reviewed documents previously generated by CYBERCOM and by the Joint Staff to educate their own leadership on the pros and cons;

b. It sent out questionnaires to various DOD components (with relevant responses received from CYBERCOM, 6 combatant commands, 4 combat support agencies, and 3 OSD offices, plus a collective response for DOD produced by DOD's CIO); and

c. It conducted interviews with personnel from CYBERCOM, DOD CIO, and NSA/CSS.

4. Anything wrong with that methodology?

Not if your goal is to convey only DOD's perspective. And to be fair, that was GAO's stated goal. But this approach is problematic.

One of the issues driving the dual-hat debate involves the tension that arises between intelligence-collection equities (which NSA would be inclined to favor) and disruption equities (which CYBERCOM would be inclined to favor), in the scenario in which access to an enemy-controlled system could be used for either purpose. As a result, the Intelligence Community has a stake in this question. GAO should have reached out for input from ODNI in particular (and it also is odd that GAO only included NSA in one of the three methods mentioned above).

GAO might respond that its terms of reference were DOD-specific. That's clearly true for certain other parts of the GAO report in question, dealing with other topics. It's less clearly the case with the dual-hat portion of the report. But even if it is, it does not follow that GAO could not include in its report any reference to possibly-competing perspectives from the IC. Indeed, I would go further and say it was a big mistake not to do so, for it was perfectly foreseeable that this report would be taken by many (especially the media) as conveying a general assessment of the dual-hat issue rather than just a DOD-specific summary of opinions, no matter how many caveats are given.

5. Fine, but it is what it is. So let's look at what GAO actually reported, starting with the three pros favoring preservation of the dual-hat arrangement. The first one asserts that the dual-hat promotes coordination and collaboration between NSA and CYBERCOM. Comments?

At bottom, this is a claim that having a common boss makes it relatively easy to collaborate when it comes to developing exploits and sorting out when and how they are used. That makes sense, and is consistent with conventional wisdom on the dual-hat situation.

6. The second pro is about how the dual-hat solves the deconfliction challenge mentioned above, but what's really interesting here is what the report implies about how that challenge would otherwise have to be managed.

As noted above, the need to deconflict when collection and disruption equities compete is a big part of this story. Here, GAO acknowledges that the status quo provides a ready-made solution. So far, so good. What is really interesting, though, is the comment GAO then makes regarding what would happen in such cases of tension in the absence of the dual-hat.

Tellingly, the report observes that, in that case, deconfliction issues would have to be taken to the Secretary of Defense and/or Director of National Intelligence for resolution (emphasis added). I love the use of "and/or" in that sentence. It perfectly captures a critical point: absent a dual-hat, there has to be a new deconfliction system, and yet the lead contenders for that role each have a dog in the fight. Let me expand on that a bit.

Assume we decide to end the dual-hat system, without first settling on a new deconfliction system. What then? In that case, CYBERCOM usually will win over NSA. Why? Think about it. NSA wants to use existing access to keep collecting, but CYBERCOM wants to use it to disrupt the platform. If NSA barrels ahead with its preference, nothing really changes; the target remains operational and the enemy is none the wiser, hopefully. But if CYBERCOM barrels ahead with its preference, in most instances that will shut down the target (or at least make it clear to the enemy that the target has been penetrated); no more collection at that point. NSA will lose such battles, except when DIRNSA manages to see the issue coming and gets someone over CYBERCOM's head to make them back off.

Sounds like we would need a formal system to replace the dual-hat for deconfliction then. But what would that look like? If the solution is to charge the DNI with making the call, CYBERCOM won't likely be happy. If the solution instead is to charge SecDef (or USD(I) or the like), NSA (and DNI) won't likely be happy. If the solution instead is to convene a committee of some kind with stakeholders from both sides, and that committee works by majority vote, then the same problem arises (unless you find some third-party player, like the National Security Adviser, to ensure there is not a tie and that the IC and military have equal voting power).

The point being: this issue needs serious attention. I don't doubt a decent solution can be developed, but care must be taken lest we stumble into the default scenario mentioned above.

7. The third pro involves the efficient allocation of resources, but it's really about the idea that NSA makes CYBERCOM possible, and that reminds us that the dual-hat isn't going away soon.

The third pro noted by GAO is that the dual-hat facilitates NSA and CYBERCOM sharing operational infrastructure (translated: hacking tools, accesses, staging servers, personnel, etc.), as well as the infrastructure for training. Of course, it's pretty much a one-way street; this traditionally is all about NSA sharing its expertise with CYBERCOM as it has stood up. Legislation currently forbids separation of the dual hat until DOD can certify that CYBERCOM is truly ready to operate independently. That's supposed to be the case by September next year, but of course it's one thing to say it and quite another to achieve it.

8. Turning now to the cons, GAO introduces the idea that the dual-hat may give CYBERCOM an unfair advantage over other commands.

This one was phrased very carefully. Without saying that this problem already exists, GAO says that CYBERCOM thinks that other commands are worried that the dual-hat may in the future unduly favor CYBERCOM requests for NSA support over the requests that come from other military commands. This is an interesting twist on the more-familiar concern that military equities in general will trump collection equities. This is military-vs-military instead. At any rate, again note that it is framed as speculation rather than a current observation. That might be politeness, or it might really be purely speculative. You really can't tell from the GAO report (see my last point below, on whether any of the report's observations have strong evidentiary foundations).

9. The second con GAO lists is a bombshell: The dual-hat creates "[i]ncreased potential for exposure of NSA/CSS tools and operations."

Wow. In an almost cavalier way, the GAO report links the dual-hat issue directly to the fierce, ongoing debate over the security of NSA's tools, a topic that goes to the very heart of NSA's mission. Because of the importance of that latter debate, GAO's assertion will constitute a heavy thumb on the scale in favor of separating the dual-hat, if it catches on. Time will tell if it will. For now, let's just take a closer look at the claim.

First, here is what GAO says on the subject:

The dual-hat command structure has led to a high-level of CYBERCOM dependence on NSA/CSS tools and infrastructure. According to NSA/CSS officials, the agency shares its tools and tactics for gaining access to networks with a number of U.S. government agencies, but CYBERCOM's dependence on and use of the tools and accesses is particularly prevalent. CYBERCOM's dependence on NSA/CSS tools increases the potential that the tools could be exposed.

Let's parse the two claims here.

Does the dual-hat create CYBERCOM dependence on NSA, as the first sentence indicates? I think that has things backwards. As noted in the prior con, CYBERCOM badly needed NSA at first, and still needs it to no small extent. That's not caused by the dual-hat. It is caused by lack of capacity. The dual-hat has been part of the solution to that need. Perhaps DOD meant to convey a different point: that keeping the status quo has become a crutch that prevents CYBERCOM from pressing faster to build its own capacities. That makes more sense.

Does CYBERCOM use of NSA tools and accesses (i.e., exploits and penetrations) increase the risk of their exposure? Put that way, the answer must be yes. Every instance of use of any exploit or access creates a new opportunity for others to discover it, and so the risk must go up each time (you might say each use increases the exposure surface). But note that we've just put the question in a non-nuanced way, without any attempt to quantify the degree of increase in the risk, let alone to place it in context with offsetting benefits or with reference to mitigation strategies for this problem. All that emerges from the GAO Report is the bottom line: CYBERCOM relies on NSA tools ostensibly because of the dual-hat, and therefore the dual-hat increases the risk of those tools getting loose. And any suggestion that a policy exacerbates that risk is bound to draw attention.

The possibility of loose NSA tools has become a flashpoint for debate, in a manner that threatens for better or worse to create new limits on the ability of NSA to develop or keep certain capacities (particularly knowledge of zero-day vulnerabilities). NSA received a substantial black eye when a Russian intelligence agency the mysterious entity identifying itself as the Shadowbrokers somehow acquired a cache of NSA-created exploits and then began dumping them publicly, especially after one of those exploits was used in connection with WannaCry and NotPetya. Both WannaCry and NotPetya received a vast amount of media attention, much of it pinning the blame in large part on NSA. This fueled arguments to the effect that NSA should not be allowed to create or preserve such tools (or at least that current procedures for balancing the competing equities involved (building NSA's collection capacity, vs improving the security of commercially-available products) should be altered significantly so as to reduce NSA's capacities in this area).

That argument was out there before WannaCry and NotPetya broke, in fact, but once those stories broke it received a strong boost from Microsoft. As this June piece in the New York Times from Nicole Perlroth and David Sanger underscores, this perspective has gained considerable momentum with some in private industry, Congress, and foreign governments. Just this morning, former NSA Deputy Director Rick Ledgett wrote a post here at Lawfare fighting back against this argument, highlighting how important the issue is.

Whether you agree or disagree with this argument, you no doubt can appreciate how it has made the government acutely sensitive to questions about the security of NSA's tools. As a result, the argument that the dual-hat creates significant security risks for those tools has the potential to have an outsized impact on the dual-hat debate. Which is a good thing, if the argument is a persuasive one. Unfortunately, the GAO report does not come anywhere close to giving us enough information to judge the matter. And yet this part of the report grabbed headlines in some quarters (see this piece in NextGov, titled "GAO: Keeping NSA and CyberCom Together Makes Hacking Tool Leaks More Likely").

10. The next con listed by GAO: NSA and CYBERCOM are too much for any one person to manage.

That's a familiar and serious concern, and it is unsurprising that it arose here. It is entangled to some extent with the deconfliction issue, of course, but at the end of the day being Director of NSA and Commander of CYBERCOM both concern vastly more than deconfliction.

11. The next con on the list? Strangely, it's the deconfliction issue, which we already discussed above as a pro for the dual-hat. What gives?

It is telling that the deconfliction issue pops up both as a pro and a con. As noted above, the dual-hat is a good thing for deconfliction insofar as one thinks there ought to be a single decision-maker who takes both collection and disruption equities seriously. But here we now see the flip-side of the argument, as GAO reports that personnel from both NSA and CYBERCOM (including a senior-level official) told GAO that the dual-hat leads to increased tension between NSA and CYBERCOM staffs, because their respective collection and disruption missions may not always be mutually achievable.

You know what I'm going to say, I suspect. The tension is caused by the combination of incompatible missions and shared tools/accesses. That's not the dual-hat's fault. The dual-hat is one solution to resolving the tension. As I have noted here, there clearly is a view in some circles that the fix is in with the dual-hat, in favor of NSA's collection mission. Maybe that's right, maybe it's not. But at any rate, listing the dual-hat as a con here seems to be a reflection of that perspective.

12. The last con on the list has to do with difficulties in tracking expenditures the NSA makes on behalf of CYBERCOM.

This may well be a very important issue, but it seems to me the sort of thing to be addressed through improved procedures, and should not matter much in deciding whether to keep the dual-hat.

13. How strong is the evidence supporting the various pro and con claims?

I recommend caution. We get a description of GAO's methods, as noted above, but of course we do not also get the underlying documents, interview notes, etc. And the report's narrative on each point is exceedingly thin, no longer really than what I'm providing here. Note, too, my earlier observation that GAO does not appear to have sought the views of ODNI, and only sought NSA views to a limited extent. None of which is to say that any of the observations are incorrect, of course.

Read the original here:
Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report - Lawfare (blog)

NSA whistleblower discusses ‘How the NSA tracks you’ – CSO Online – CSO Online

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

At the outdoor hacker camp and conference SHA2017, which is taking place in the Netherlands, NSA whistleblower William Binney gave the talk, "How the NSA tracks you."

As a former insider, Binney knew about this long before Snowden dropped the documents to prove it is happening. Although he didn't say anything new, Binney is certainly no fan of the NSA's spying; he calls the NSA the "New Stasi Agency." If you are no fan of surveillance, then his perspective from the inside about the total invasion of the privacy rights of everybody on the planet will fuel your fury at the NSA all over again.

In today's cable program, according to Binney, the NSA uses corporations that run fiber lines to get taps on the lines. If that fails, they use foreign governments to get taps on the lines. And if that doesn't work, they'll tap the line anywhere that they can get to it, meaning corporations or governments won't even know about the taps.

The companies are involved at the next step, the PRISM program, which includes collection directly from the servers of U.S. service providers. However, Binney said PRISM is the minor program when compared to Upstream, which includes collecting data from the taps on fiber-optic cables in hundreds of places around the world. That's where they are collecting off the fiber lines all the data and storing it.

PRISM was for show-and-tell purposes, to show Congress and courts what the NSA was doing and to say we have warrants and are abiding by the laws. Upstream was the one that allowed the NSA to take everything off the line.

Regarding worldwide SIGINT, CNE (computer network exploitation) was the big one. Implants in hardware or software, let's say switches or servers, make them do anything they want because the NSA pwned them.

That feeds the NSA's Treasure Map, which provides a map of the entire internet in near real-time; any device, anywhere, all the time, every minute of every day. As Binney put it, "So it's not just collecting what you're saying, encrypted or not, but it's also monitoring where you are when you do it."

Treasure Map is also how intelligence agencies use GPS from cell phones to target drone attack victims. Binney noted there are at least 1.2 million people on the drone hit list.

He also mentioned the programs that include the input of all phone data (fixed, mobile, satellite, any kind of phone), which both the FBI and CIA can directly access so that when they want to see who did what, they have an index, all, to everything they ever said in their database.

All the data is collected without warrants so it's a basic violation of the rights of every human, Binney said.

He also covered how other agencies can directly access the NSA's data: Five Eyes, CIA, FBI, DEA and DIA. The police can access it via the FBI's system.

The NSA could choose to look at the right targets, but doesn't. The NSA may collect it all, but that's not the same as intelligence, as understanding all of what was collected. If you use one of the hot keywords in an email, for example, it will get flagged for review. But planned attacks happen because analysts are so buried beneath the data they can't see the attacks coming. Binney previously tried to convince the U.K. that bulk data kills people.

While all this data isn't helping to stop attacks, having all the data gives the intelligence community the power to manipulate anyone they want. It's like J. Edgar Hoover on super steroids; all the collected data gives intelligence agencies the means to target anyone. Then parallel construction is used after the fact to go back and build a separate basis for an investigation to cover up the fact that the data was obtained unconstitutionally.

Before taking questions from conference attendees, Binney pointed out an icon on a slide as a teaser to his startup, which will advise on ways you can do privacy and security by design. He came to Europe, since they can't get anything done in the U.S. The U.S. and U.K. are too dense to realize it can be done; it also goes against their agenda for more money, power and control.

Can we expect more NSA employees to blow the whistle? Perhaps, but the people in power there are corrupt, Binney said. During the portion of the talk when attendees could ask questions, he talked about how the NSA has employed a lot of introverts, people with ISTJ personalities, making them easy to threaten. Binney added that the "See Something, Say Something" (about your fellow workers) program inside the NSA is what the Stasi did. They're picking up all the techniques from the Stasi and the KGB and the Gestapo and the SS; they just aren't getting violent yet, that we know of, internally in the U.S.; outside is another story.

Read the rest here:
NSA whistleblower discusses 'How the NSA tracks you' - CSO Online - CSO Online

The Curious Case Of Ex-NSA Inspector General George Ellard – Cato Institute (blog)

On August 3, The American Conservative ran a lengthy piece of mine dealing with the whistleblower protection nightmare that is the Department of Defense. One of the subjects of that piece is now former NSA IG George Ellard, and because I had even more on his case than I could fit into the TAC piece, I wanted to share the rest of what I know, and don't know, about the allegations against Ellard, the final disposition of the case, why the Obama administration's whistleblower retaliation fix is itself broken, and what might be done to actually provide meaningful protections for would-be national security whistleblowers in the Pentagon and elsewhere in the national security establishment.

Regarding what little we know about the specifics of Ellard's case, I had this to say in the TAC piece:

As the Project on Government Oversight first reported in December 2016, a three-member interagency Inspector General External Review Panel concluded in May 2016 that the then-Inspector General of the National Security Agency (NSA), George Ellard, had, according to POGO, "himself had previously retaliated against an NSA whistleblower[.]" This apparently occurred during the very same period that Ellard had claimed that "Snowden could have come to me." The panel that reviewed Ellard's case recommended he be fired, a decision affirmed by NSA Director Mike Rogers.

But there was a catch: the Secretary of Defense had the final word on Ellard's fate. Outgoing Obama administration Defense Secretary Ash Carter, apparently indifferent to the magnitude of the Ellard case, left office without making a decision.

In the months after Donald Trump became president, rumors swirled inside Washington that Ellard had, in fact, escaped termination. One source, who requested anonymity, reported that Ellard had been seen recently on the NSA campus at Ft. Meade, Maryland. That report, it turns out, was accurate.

On July 21, in response to the author's inquiry, the Pentagon public affairs office provided the following statement:

NSA followed the appropriate procedures following a whistleblower retaliation claim against former NSA Inspector General George Ellard. Following thorough adjudication procedures, Mr. Ellard continues to be employed by NSA.

After I'd finished the TAC piece, Ellard's attorney, Terrence O'Donnell of the Washington mega law firm of Williams & Connolly, sent me the following statement about his client, George Ellard:

The Office of the Assistant Secretary of Defense (ASD) examined and rejected an allegation that former NSA Inspector General, George Ellard, had retaliated against an NSA employee by not selecting that employee to fill a vacancy in the OIG's Office of Investigations.

In a lengthy, detailed, and well-reasoned memorandum, the ASD concluded that Dr. Ellard had not played a role in that personnel decision or, in the terms of the applicable laws and regulations the ASD cited, Dr. Ellard did not take, fail to take, or threaten to take or fail to take any action associated with the personnel decision.

This judgment echoes the conclusion reached by the Department of Defense's Office of the Inspector General. An External Review Panel (ERP) later came to the opposite conclusion, leading to the ASD review. The ASD concluded that the evidence cited in the ERP report as reflective of [Dr. Ellard's] alleged retaliatory animus toward Complainant is of a character so circumstantial and speculative that it lacks probity.

In assessing Dr. Ellard's credibility and in rendering its decision, the ASD also considered Dr. Ellard's distinguished career of public service, spanning more than 21 years of service across the executive, legislative, and judicial branches, culminating in almost 10 years of service as the NSA IG. Dr. Ellard, the ASD noted, has been entrusted to address some of our nation's most challenging national security issues; successive NSA Directors have consistently rated Dr. Ellard's performance as Exceptional Results and Outstanding; and he has been commended by well-respected senior officials with whom [he has] worked closely over the years for [his] ability and integrity.

Dr. Ellard is serving as the NSA Chair on the faculty of the National War College, a position he held prior to the ERP review.

Quite a bit to unpack in that statement. Let's start with the ASD's decision to overrule the External Review Panel (ERP), a key component of the Obama-era PPD-19, the directive designed to prevent in all government departments or agencies the very kind of thing Ellard allegedly did. Here are the key paragraphs of PPD-19 with respect to ERP recommendations:

If the External Review Panel determines that the individual was the subject of a Personnel Action prohibited by Section A while an employee of a Covered Agency or an action affecting his or her Eligibility for Access to Classified Information prohibited by Section B, the panel may recommend that the agency head take corrective action to return the employee, as nearly as practicable and reasonable, to the position such employee would have held had the reprisal not occurred and that the agency head reconsider the employee's Eligibility for Access to Classified Information consistent with the national security and with Executive Order 12968. (emphasis added)

An agency head shall carefully consider the recommendation of the External Review Panel pursuant to the above paragraph and within 90 days, inform the panel and the DNI of what action he or she has taken. If the head of any agency fails to so inform the DNI, the DNI shall notify the President. (emphasis added)

Taking the ERP's recommendations is strictly optional.

What's so significant about the ERP recommendation in Ellard's case was that the ERP not only apparently believed that the whistleblower in question should be given a fair chance at getting the position he or she originally applied for within the IG itself, but that Ellard's actions were, in the view of three non-DoD IGs who examined the case, so severe that they recommended he be terminated.

O'Donnell quoted from a Pentagon memo clearing Ellard that is not public. The ERP's findings, along with their record of investigation, are not public. Nor do we know how thorough, or cursory, the ASD's review of the Ellard case was prior to the decision to clear Ellard. Given all of that, who are we to believe?

There are some key facts we do know that lead me to believe that the ERP's recommendations were not only likely soundly based, but that the whistleblower retaliation problem inside the Pentagon is deeply entrenched.

O'Donnell's statement also claimed that the ASD's decision to reverse the ERP and clear Ellard of wrongdoing "echoes the conclusion reached by the Department of Defense's Office of the Inspector General." But it's the DoD IG itself, as an institution, that is also under a major cloud because of other whistleblower retaliation claims coming from former NSA or DoD IG employees, specifically former NSA senior executive service member Thomas Drake and former DoD Assistant Inspector General John Crane. As I've noted previously, the independent Office of Special Counsel found adequate evidence of whistleblower retaliation and document destruction to refer the matter to the Justice Department's own IG; Crane's case is getting a look from the Government Accountability Office (GAO), Congress's own executive branch watchdog.

The DoD and NSA IGs have clear conflicts of interest when employees from within their own ranks are implicated in potential criminal wrongdoing. PPD-19 was supposed to be the answer to such conflicts of interest, but its lack of teeth from an enforcement standpoint renders it a badly flawed remedy for an extremely serious integrity problem.

And what about Congress? PPD-19 speaks to that as well:

On an annual basis, the Inspector General of the Intelligence Community shall report the determinations and recommendations and department and agency head responses to the DNI and, as appropriate, to the relevant congressional committees.

But Congress doesn't need to wait for the IC IG to tell it what is already publicly known about the Ellard, Drake, and Crane cases. It has ample cause to not only investigate these cases, but to take action to replace PPD-19 with a whistleblower protection system that actually protects those reporting waste, fraud, abuse, or criminal conduct and punishes those who attempt to block such reporting. Two options that deserve consideration are 1) empowering OSC to examine these kinds of cases and issue unreviewable summary judgments itself or 2) reviving the expired Independent Counsel statute, rewritten with a focus on whistleblower reprisal case investigations.

One thing is beyond dispute. The PPD-19 process is not the answer for protecting whistleblowers and punishing those who retaliate against them. We need a credible system that will do both. The only question now is whether anybody in the House or Senate will step up to the task of building a new one.

More:
The Curious Case Of Ex-NSA Inspector General George Ellard - Cato Institute (blog)