Archive for the ‘NSA’ Category

NSA vet Rob Joyce to lead cyber at White House – FCW.com


The NSA's onetime top hacker is going to work in the White House.

Rob Joyce, who once ran the National Security Agency's office of Tailored Access Operations -- the hacking division -- is taking on the role of White House cybersecurity coordinator.

Tom Bossert, President Trump's homeland security advisor, told the audience at a Center for Strategic and International Studies event on March 15 that Joyce is officially taking the position last held by Michael Daniel during the Obama administration.

Daniel praised Joyce and the Trump administration for selecting him, saying he is a strong pick and that Joyce will make an excellent cybersecurity coordinator.

"He has long experience in the cyber realm, knows the interagency process very well, and has proven himself as a leader at NSA," Daniel told FCW.

Daniel stressed that Joyce is well versed in both offensive and defensive cyber, having worked in both the TAO and the former Information Assurance Directorate, which was focused on protecting U.S. systems and networks from cyberthreats.

Joyce worked with Curt Dukes, the former head of the now-defunct Information Assurance Directorate.

"He brings instant credibility to the position," said Dukes, who also stressed Joyce's knowledge of cyber offense and defense.

"Two things I think he should prioritize out of the gate," Dukes added, "review of the administration's insider threat program and review of the vulnerability equity process."

Both of those topics came into the spotlight with the WikiLeaks Vault 7 release of CIA hacking data. It is believed that the information was provided to WikiLeaks by an insider, and the release exposed the extent to which the CIA has hoarded zero-day vulnerabilities, which many believe should be disclosed to vendors and the public to increase cybersecurity.

Daniel said that for Joyce, "raising the level of cybersecurity across the entire ecosystem, better integrating cyber capabilities into our foreign policy [and] national security tool set, and improving incident response capabilities will be necessities."

Daniel said that on the defensive side Joyce should focus on boosting the security of federal civilian networks.

While Joyce is receiving high praise from current and former government officials, the question is whether the tech sector will warm to a former NSA hacking chief as the new White House cybersecurity advisor.

In the wake of the Edward Snowden leaks about NSA surveillance programs, many in industry became more wary about the NSA and even questioned the information assurance mission and guidance.

Amit Yoran, CEO of Tenable, said in a press statement that he feels Joyce has the respect of the security industry. "I'm confident in his ability to work both within the government and with the private sector to improve national cybersecurity," he said.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

Excerpt from:
NSA vet Rob Joyce to lead cyber at White House - FCW.com

NSA-born Sqrrl to grow staff after finding its big data niche – Boston Business Journal


Cambridge-based Sqrrl has made the transition from one hot segment of the Greater Boston tech scene to another, and now the startup says it's ready to double down on its new market by hiring salespeople and looking for more funding in 2017. When Sqrrl ...

See the rest here:
NSA-born Sqrrl to grow staff after finding its big data niche - Boston Business Journal

Proposed NSA Headquarters Expansion Under Review – Secrecy News (blog)

The National Security Agency is proposing to expand and modernize its headquarters site at Fort Meade, Maryland.

For NSA/CSS to continue leading the Intelligence Community into the next 50 years with state-of-the-art technologies and productivity, its mission elements require new, centralized facilities and infrastructure, according to a newly released Final Environmental Impact Statement for the site.

Under the proposed action, the NSA would consolidate mission elements, which would enable grouping services and support services across the NSA Campus based on function; facilitate a more collaborative environment and optimal adjacencies; and provide administrative capacity for up to 13,300 personnel, including 6,100 personnel who currently work on the existing NSA Campus and 7,200 personnel currently located off site.

The proposal envisions the construction and operation of approximately 2,880,000 square feet of operational complex and headquarters space consisting of five buildings. If approved, construction would take place over a period of approximately 10 years (FY 2019 to 2029).

See Final Environmental Impact Statement for the East Campus Integration Program, Fort Meade, Maryland, March 2017 (large pdf).

See the rest here:
Proposed NSA Headquarters Expansion Under Review - Secrecy News (blog)

Rand Paul Is Right: NSA Routinely Monitors Americans … – The Intercept

On Sunday's Face the Nation, Sen. Rand Paul was asked about President Trump's accusation that President Obama ordered the NSA to wiretap his calls. The Kentucky senator expressed skepticism about the mechanics of Trump's specific charge, saying: "I doubt that Trump was a target directly of any kind of eavesdropping." But he then made a broader and more crucial point about how the U.S. government spies on Americans' communications -- a point that is deliberately obscured and concealed by U.S. government defenders.

Paul explained how the NSA routinely and deliberately spies on Americans' communications -- listens to their calls and reads their emails -- without a judicial warrant of any kind:

The way it works is, the FISA court, through Section 702, wiretaps foreigners and then [NSA] listens to Americans. It is a backdoor search of Americans. And because they have so much data, they can tap -- type Donald Trump into their vast resources of people they are tapping overseas, and they get all of his phone calls.

And so they did this to President Obama. They 1,227 times eavesdrops on President Obama's phone calls. Then they mask him. But here is the problem. And General Hayden said this the other day. He said even low-level employees can unmask the caller. That is probably what happened to Flynn.

They are not targeting Americans. They are targeting foreigners. But they are doing it purposefully to get to Americans.

Paul's explanation is absolutely correct. That the NSA is empowered to spy on Americans' communications without a warrant -- in direct contravention of the core Fourth Amendment guarantee that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause" -- is the dirty little secret of the U.S. Surveillance State.

As I documented at the height of the controversy over the Snowden reporting, top government officials -- including President Obama -- constantly deceived (and still deceive) the public by falsely telling them that their communications cannot be monitored without a warrant. Responding to the furor created over the first set of Snowden reports about domestic spying, Obama sought to reassure Americans by telling Charlie Rose: "What I can say unequivocally is that if you are a U.S. person, the NSA cannot listen to your telephone calls by law and by rule, and unless they go to a court, and obtain a warrant, and seek probable cause."

The right-wing chairman of the House Intelligence Committee at the time, GOP Rep. Mike Rogers, echoed Obama, telling CNN the NSA "is not listening to Americans' phone calls. If it did, it is illegal. It is breaking the law."

Those statements are categorically false. A key purpose of the new 2008 FISA law -- which then-Senator Obama voted for during the 2008 general election after breaking his primary-race promise to filibuster it -- was to legalize the once-controversial Bush/Cheney warrantless eavesdropping program, which the New York Times won a Pulitzer Prize for exposing in 2005. The crux of the Bush/Cheney controversy was that they ordered NSA to listen to Americans' international telephone calls without warrants -- which was illegal at the time -- and the 2008 law purported to make that type of domestic warrantless spying legal.

Because warrantless spying on Americans is so anathema to how citizens are taught to think about their government -- that's what Obama was invoking when he falsely told Rose that "it's the same way when we were growing up and we were watching movies, you want to go set up a wiretap, you got to go to a judge, show probable cause" -- the U.S. government has long been desperate to hide from Americans the truth about NSA's warrantless powers. U.S. officials and their media spokespeople reflexively mislead the U.S. public on this critical point.

It's no surprise, then, that as soon as Rand Paul was done uttering the unpleasant, usually hidden truth about NSA's domestic warrantless eavesdropping, the cavalcade of ex-intelligence-community officials who are now heavily embedded in American punditry rushed forward to attack him. One former NSA lawyer, who now writes for the IC's most loyal online platform, Lawfare, expressed grave offense at what she claimed was Sen. Paul's "false and irresponsible claim."

The only thing here that's false and irresponsible is Hennessey's attempt to deceive the public about the domestic spying powers of her former employer. And many other people beyond Rand Paul have long made clear just how misleading Hennessey's claim is.

Ted Lieu, the liberal congressman from California, has made it one of his priorities to stop the very power Hennessey and her IC colleagues pretend does not exist: warrantless spying on Americans. The 2008 FISA law that authorized it is set to expire this year, and this is what Lieu tweeted last week about his efforts to repeal that portion of it:

And in response to the IC attacks on Paul on Sunday, Lieu explained:

As Lieu says, the 2008 FISA law explicitly allows NSA -- without a warrant -- to listen to Americans' calls or read their emails with foreign nationals as long as their intent is to target the foreigner, not the American. Hennessey's defense is true only in the narrowest and emptiest theoretical sense: that the statute bars the practice of "reverse targeting," where the real intent of targeting a foreign national is to monitor what Americans are saying. But the law was designed, and is now routinely used, for exactly that outcome.

How do we know that a key purpose of the 2008 law is to allow the NSA to purposely monitor Americans' communications without a warrant? Because NSA and other national security officials said so explicitly. This is how Jameel Jaffer, then of the ACLU, put it in 2013:

On its face, the 2008 law gives the government authority to engage in surveillance directed at people outside the United States. In the course of conducting that surveillance, though, the government inevitably sweeps up the communications of many Americans. The government often says that this surveillance of Americans' communications is "incidental," which makes it sound like the NSA's surveillance of Americans' phone calls and emails is inadvertent and, even from the government's perspective, regrettable.

But when Bush administration officials asked Congress for this new surveillance power, they said quite explicitly that Americans' communications were the communications of most interest to them. See, for example, FISA for the 21st Century, Hearing Before the S. Comm. on the Judiciary, 109th Cong. (2006) (statement of Michael Hayden) (stating, in debate preceding passage of FAA's predecessor statute, that certain communications with one end in the United States are the ones that are most important to us).

The principal purpose of the 2008 law was to make it possible for the government to collect Americans' international communications -- and to collect those communications without reference to whether any party to those communications was doing anything illegal. And a lot of the government's advocacy is meant to obscure this fact, but it's a crucial one: The government doesn't need to target Americans in order to collect huge volumes of their communications.

During debate over that 2008 law, the White House repeatedly issued veto threats over proposed amendments from then-Sen. Russ Feingold and others to weaken NSA's ability to use the law to monitor Americans' communications without warrants -- because enabling such warrantless eavesdropping powers was, as they themselves said, a prime objective of the new law.

When the ACLU's Jaffer appeared in 2014 before the Privacy and Civil Liberties Oversight Board to argue that the 2008 FISA law was unconstitutional in terms of how it was written and how NSA exploits it, he made clear exactly how NSA conducts backdoor warrantless searches of Americans' communications despite the bar on reverse targeting:

Those who actually work to protect Americans' privacy rights and other civil liberties have been warning for years that NSA is able to purposely monitor Americans' communications without warrants. Human Rights Watch has warned that in reality the law allows the agency to capture potentially vast numbers of Americans' communications with people overseas and thus currently underpins some of the most sweeping warrantless NSA surveillance programs that affect Americans and people across the globe. And Marcy Wheeler, in response to Hennessey's misleading claim on Sunday, correctly said: "I can point to court docs and congressional claims that entire point of 702 [of the 2008 FISA law] is to ID convos involving Americans."

Elizabeth Goitein, the co-director of the Liberty and National Security Program at the Brennan Center for Justice, warned in the Boston Review that the ban on reverse targeting was a farce. In fact, the program tolerates and even contemplates a massive amount of collection of Americans' telephone calls, emails, and other electronic communications. Thus, she explains, it is likely that Americans' communications comprise a significant portion of the 250 million internet transactions (and undisclosed number of telephone conversations) intercepted each year without a warrant or showing of probable cause.

Even more alarming is the power NSA now has to search the immense amount of Americans' communications data it routinely collects without a warrant. As Goitein explained: "The government may intentionally search for this information even though it would have been illegal, under section 702's reverse targeting prohibition, for the government to have such intent at the time of collection."

In the wake of the controversy triggered by Trump's accusations about Obama's tapping his phones, Goitein wrote a new article explaining that there are numerous ways the government could have spied on the communications of Trump (or any American) without a warrant. She emphasized that there have long been concerns, on both the right and left, that the legal constraints on foreign intelligence surveillance contain too many loopholes that can be exploited to access information about Americans without judicial oversight or evidence of wrongdoing.

This is what Rand Paul meant when he said on Sunday that "because [NSA analysts] have so much data, they can tap -- type Donald Trump into their vast resources of people they are tapping overseas, and they get all of his phone calls." And while -- as I've argued previously -- any leaks that reveal lying by officials are criminal yet justified even if they come from the CIA or NSA, Paul is also correct that these domestic warrantless eavesdropping powers vest the Deep State -- or, if you naively prefer, our noble civil servants -- with menacing powers against even the highest elected officials.

The warrantless gathering and searching of vast amounts of communications data essentially becomes a dossier that can be used even against domestic opponents. This is what Snowden meant in his much-maligned but absolutely true statement in his first interview with us back in 2013 that "I, sitting at my desk, could wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email." As Paul put it on Face the Nation: "It is very dangerous, because they are revealing that now to the public." That's a serious concern no matter how happy one might be to see Donald Trump damaged or how much one now adores the intelligence agencies.

Congress has now begun debating whether to allow these provisions of the 2008 law to expire at the end of the year, whether to meaningfully reform them, or whether to let them be renewed again. The post-9/11 history has been that once even temporary measures (such as the Patriot Act) are enacted, they become permanent fixtures of our political landscape.

Perhaps the growing recognition that nobody is immune from such abusive powers will finally reverse that tide. Those eager to preserve these domestic surveillance powers in their maximalist state rely on the same tactic that has worked so well for them for 15 years now: rank disinformation.

If nothing else, this debate ought to finally obliterate that pleasing though utterly false myth that the U.S. government does not and cannot spy on Americans' communications without warrants. It does so constantly, easily, deliberately, and by design.

See the rest here:
Rand Paul Is Right: NSA Routinely Monitors Americans ... - The Intercept

Machine learning can also aid the cyber enemy: NSA research head – ZDNet

Machine learning is one of the biggest buzzwords in cybersecurity in 2017. But a sufficiently smart adversary can exploit what the machine learning algorithm does, and reduce the quality of decision-making.


"The concern about this is that one might find that an adversary is able to control, in a big-data environment, enough of that data that they can feed you in misdirection," said Dr Deborah Frincke, head of the Research Directorate (RD) of the US National Security Agency/Central Security Service (NSA/CSS).

Adversarial machine learning, as Frincke called it, is "a thing that we're starting to see emerge, a bit, in the wild". It's a path that we might reasonably believe will continue, she said.

As one example, an organisation may decide to use machine learning to develop a so-called "sense of self" of its own networks, and build a self-healing capability on top of that. But what if an attacker gets inside the network or perhaps was even inside the network before the machine learning process started?

"Their behaviour now becomes part of the norm. So in a sense, then, what I'm doing is that I'm protecting the insider. That's a problem," Frincke said.

"What's also interesting in the data science, is that if you are using a data-driven algorithm, [that algorithm] is what feeds the machine learning technique that you disseminate. Unless you keep that original data, you are not going to know what biases you built into your machine learning approach.

"You would have no way of that needle in the haystack, because you threw away the haystack, and all that's left are the weightings and the neural networks and so on."

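The baseline problem described above, as an added example that is not from the article or the NSA: a mean/standard-deviation baseline of outbound traffic learns an intruder who was present during training as normal, and only the retained raw records let the defender audit and refit it. The host names, traffic figures and the 3-sigma threshold are constructed for illustration.

```python
"""Added illustration: a traffic baseline trained while an intruder is already active."""
from statistics import mean, pstdev

THRESHOLD = 3.0  # assumed alert threshold, in standard deviations


def fit_baseline(records):
    """Learn (mean, stdev) of outbound MB/hour from (host, value) records."""
    values = [v for _, v in records]
    return mean(values), pstdev(values)


def is_anomalous(model, value):
    """Flag a value that lies more than THRESHOLD deviations from the learned mean."""
    mu, sigma = model
    return abs(value - mu) / sigma > THRESHOLD


def refit_without(records, bad_host):
    """Audit step: only possible when the raw training records were kept."""
    return fit_baseline([(h, v) for h, v in records if h != bad_host])


# Constructed training window: 60 ordinary samples between 100 and 130 MB/hour.
CLEAN = [(f"ws-{i % 12:02d}", 100 + (i % 7) * 5) for i in range(60)]
# Constructed intruder already inside during training: 20 samples at 900 MB/hour.
INTRUDER = [("ws-99", 900)] * 20
OBSERVED = 900  # the same behaviour, seen again after deployment


def demo():
    """Compare what each baseline says about the intruder's traffic level."""
    clean_model = fit_baseline(CLEAN)
    poisoned_model = fit_baseline(CLEAN + INTRUDER)
    audited_model = refit_without(CLEAN + INTRUDER, "ws-99")
    return {
        "clean_flags": is_anomalous(clean_model, OBSERVED),
        "poisoned_flags": is_anomalous(poisoned_model, OBSERVED),
        "audited_flags": is_anomalous(audited_model, OBSERVED),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged}")
```

If only the fitted pair (mean, stdev) had been kept, `refit_without` could not be run and the inflated deviation would stay in the model.
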
Machine learning has other limitations too.

In 2016, for example, Monash University professor Tom Drummond pointed out that neural networks, one of the fundamental approaches to machine learning, can be led astray unless they're told why they're wrong.

The classic example of this problem dates back to the 1980s. Neil Fraser tells the story in his article Neural Network Follies from 1998.

The Pentagon was trying to teach a neural network to spot possible threats, such as an enemy tank hiding behind a tree. They trained the neural network with a set of photographs of tanks hiding behind trees, and another set of photographs of trees but no tanks.

But when asked to apply this knowledge, the system failed dismally.

"Eventually someone noticed that in the original set of 200 photos, all the images with tanks had been taken on a cloudy day, while all the images without tanks had been taken on a sunny day," Fraser wrote.

"The military was now the proud owner of a multi-million dollar mainframe computer that could tell you if it was sunny or not."

Frincke was speaking at the Australian Cyber Security Centre (ACSC) conference in Canberra on Wednesday. While she did point out the limits of machine learning, she also outlined some defensive strategies that the NSA has found to be effective.

Organisations can tip the cybersecurity balance of power more in their favour by learning to deceive or hide from the adversary, for example.

By its very nature, network defence is asymmetric. That imbalance is usually expressed as the defender having to close off every security vulnerability, while the attacker only has to be right once.

"On the face of it there should be something we should be able to do about that. You'd think there'd be some home-court advantage," Frincke said.

Traditionally, organisations have tried to make their data systems as efficient as possible. It makes the network more manageable. But from an attacker's point of view, it's easy to predict what's going on in any given system at any given time.

Taking a defensive deception approach, however, means building an excess capacity, and then finding ways to leverage that excess capacity to design in a deceptive or a changing approach. That way, an attacker can't really tell where the data is.

If you process data in the cloud, then one simple example might be to duplicate your data across many more nodes than you'd normally use, and switch between them.

"If you're trying to do an integrity attack, changing that data out from under me, you don't know which of, say, those hundred nodes I'm using. Or I might be looking at a subset of those nodes, say three, and you don't know which ones I'm using. So you could try to change them all at once [but] that's a lot harder," Frincke said.

The RD's research has shown that this approach increases the attacker's cognitive load and plays on their cognitive biases.
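A sketch of the replicated-read idea in the quote above, as an added example rather than anything published by the NSA or ZDNet: the reader picks 3 of 100 replicas with a CSPRNG and rejects the read if their SHA-256 digests differ. The function names, the sample record and the probability helper are assumptions for illustration.

```python
"""Added illustration: reads from a secret subset of replicas to expose tampering."""
import hashlib
import secrets
from math import comb


def choose_nodes(n, k):
    """Pick k distinct replica indices with a CSPRNG so the choice is unpredictable."""
    return sorted(secrets.SystemRandom().sample(range(n), k))


def read_checked(replicas, chosen):
    """Return (value, ok); ok is False when the chosen replicas disagree."""
    digests = {hashlib.sha256(replicas[i]).hexdigest() for i in chosen}
    if len(digests) != 1:
        return None, False  # disagreement: at least one replica was modified
    return replicas[chosen[0]], True


def p_forged_read_accepted(n, m, k):
    """Chance that all k secretly chosen replicas are among the m modified ones,
    which is the only case in which a consistent but wrong value is returned."""
    return comb(m, k) / comb(n, k)


def demo():
    """Read once from untouched replicas and once after one chosen replica changed."""
    n, k = 100, 3                          # the figures used in the quote
    replicas = [b"balance=1000"] * n       # constructed sample record
    chosen = choose_nodes(n, k)
    clean = read_checked(replicas, chosen)
    modified = list(replicas)
    modified[chosen[0]] = b"balance=9999"  # constructed change to one read replica
    return clean, read_checked(modified, chosen)


if __name__ == "__main__":
    print(demo())
    for m in (1, 10, 50, 100):
        print(m, "of 100 modified ->", p_forged_read_accepted(100, m, 3))
```

The check relies on disagreement between replicas, so it says nothing when every chosen replica carries the same modified value, which is why the probability only reaches 1 when all 100 nodes are changed.
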

"We can try to lead them into wrong conclusions. In other words, we're frustrating them. We're trying to make them work too hard, to gain ground that they don't need. And that will make it easier for us to find them," Frincke said.

"It's a little bit like the old honeypot [or] honeynet writ large, but designed into the system as an integral part of the way that it works, and not an add-on."

The downside to defensive deception is that it's harder to manage.

"Now I have to do more work as a system manager, and as a designer, to be sure I know which one of those three of the hundred I should use, otherwise I could end up shooting myself in the foot, especially if I've [been] deploying some kind of misleading changes for the adversary," Frincke said.

More here:
Machine learning can also aid the cyber enemy: NSA research head - ZDNet