Archive for the ‘NSA’ Category

Even Rep. LaHood Likely Can’t Sue the NSA or FBI to Protect His Rights – EFF

In a stunning revelation, a sitting U.S. Congressman has publicly identified himself as the subject of likely illegal surveillance by the NSA and FBI. During a hearing on the question of renewal of the controversial mass NSA spying authorities known as FISA Amendments Act section 702, Rep. Darin LaHood of Illinois revealed: "the member of Congress who was wrongly queried multiple times solely by his name was in fact me." It seems Rep. LaHood was one of the Congresspersons identified in a footnote (footnote 92) in a recent government report about the mass spying program, which stated that an intelligence analyst improperly and repeatedly searched 702 data using only the name of a U.S. congressman.

What's equally stunning is that despite absolutely knowing that he was spied upon (something that is extremely rare given the level of secrecy around 702), neither Rep. LaHood nor anyone else illegally spied upon will likely get a chance to seek a remedy in a court. That's not just because 702 is poorly drafted and has been even more poorly executed. It's because of how governmental secrecy has now metastasized to completely prevent anyone from stopping illegal NSA spying of them, much less get any other legal remedy.

Quite simply, governmental secrecy now renders moot many of the accountability and oversight mechanisms for national security surveillance that exist on paper in FISA as well as in the U.S. constitution.

One of EFF's highest priorities for nearly two decades has been making sure you can have a private conversation online. And specifically, we want to ensure that individuals can seek judicial accountability for violations of their constitutional and statutory rights committed through the government's warrantless foreign intelligence surveillance inside the United States.

EFF's work on this issue predates the passage of Section 702 itself. Our 2006 lawsuit, Hepting v. AT&T, relied on first-hand evidence from whistleblower Mark Klein to show that the telecommunications companies were copying the contents of Internet traffic at the behest of the NSA. Congress essentially mooted this lawsuit in 2008 by granting the companies retroactive immunity as part of the FISA Amendments Act, which also instituted Section 702. Not to be deterred, and at the specific suggestion of key members of Congress, EFF again sued on behalf of AT&T customers, this time seeking to hold the government itself accountable. That lawsuit, Jewel v. NSA, powered on for 14 years, bolstered by the Snowden revelations and the flood of additional public information about the NSA's mass spying programs.

The Jewel lawsuit came to an end last year, not because the judiciary disagreed with our arguments about the unconstitutionality or illegality of the government's surveillance. It ended because the courts validated the government's claims that a program known and debated across the world is somehow too secret to be challenged in open court by members of the public affected by it. Specifically, the Supreme Court refused to grant certiorari and reconsider a Ninth Circuit decision (and an underlying district court ruling) that held that the common law state secrets privilege blocked our clients' efforts to prove that their data was intercepted, such that they had standing to sue. A similar case brought by the ACLU on behalf of Wikimedia was also rejected.

As Jewel illustrates, the judiciary has used secrecy to create a broad national-security exception to the Constitution, FISA, and 702 itself that allows all Americans to be spied upon by their government and denies them any viable means of challenging that spying. And now that impacts a sitting member of Congress directly.

This exception rests on a pair of misinterpretations of common law and statutory procedures for dealing with supposedly secret evidence. First, courts have allowed the government to invoke the state secrets privilege in Section 702 cases, despite Congress' express creation of a statutory method for a federal court to secretly review evidence of claimed illegal surveillance, 50 U.S.C. 1806(f). Second, the courts have expanded the scope of that privilege to effectively allow the government to claim secrecy over widely known facts, and end litigation involving these facts, based on little more than its own say-so.

With the upcoming sunset of Section 702, Congress has the opportunity to correct these mistakes. Congress can and should reaffirm its intention to create actual, useable accountability measures for the inevitable circumstances when individuals are wrongly surveilled or impacted by surveillance, and reopen the courthouse doors to individuals trying to protect their rights.

First, Congress can expressly override the Supreme Court's mistaken statutory interpretation of FISA Section 1806 in FBI v. Fazaga, 142 S. Ct. 1051 (2022). Contrary to the Court's holding in Fazaga, Congress clearly intended for individuals to be able to seek redress when they were wrongfully surveilled and, to do that, intended Section 1806(f) to displace the state secrets privilege in lawsuits in which evidence relating to electronic surveillance is relevant. The Supreme Court's ruling essentially makes FISA's promise of individual redress for violations of surveillance law a dead letter. Congress should reaffirm the rightful interpretation of the statute and correct the Supreme Court's mistake.

Second, even when the state secrets privilege can apply, Congress can make clear that the case should not be dismissed. As far back as 2009, Congress debated the State Secrets Protection Act, H.R. 984, 110th Cong. (2009), which would have created procedures for courts to securely review evidence that the government claims is secret, and prevent cases from being dismissed based on state secrecy until plaintiffs have had an opportunity to discover all non-privileged evidence. Congress should revive these reforms and consider including them as part of any renewal or reform to Section 702.

In short, the courts have effectively blocked individuals from seeking the judicial accountability that Congress intended. Representative LaHood is just the latest in a long line of people who know they were surveilled but cannot do anything about it. It's good that he has a position of authority over the NSA; it's unlikely they will do that specific surveillance again. But the rest of us deserve to access the courts to protect our constitutional rights too.

These are just a small subsection of the needed reforms to ensure accountability and oversight of Section 702. Spying on the whole world is a bad idea because everyone deserves privacy of their communications. But as the now two decades of NSA mass spying demonstrate, spying on the whole world while protecting the constitutional rights of Americans just cannot be done. It's time to stop the charade and let this authority expire.


NSA offers new tips on zero trust and identity – FCW.com

The National Security Agency has new recommendations on identity, credential and access management security controls and their role in zero trust architecture.

The cybersecurity information sheet, released Tuesday, builds on previous NSA guidance on zero trust with more specifics for what it calls the "user pillar," focused on managing access.

Although the information is intended for owners and operators of national security systems (including defense and intelligence agencies, but also contractors in the space), zero trust has been a cybersecurity focus for federal agencies since at least the beginning of the Biden administration.

Government agencies were called to make plans for zero trust architecture in an executive order released by President Biden in May 2021. National security systems also got zero trust orders via a 2022 memo.

In the order, the White House defined zero trust as an architecture that requires continuous verification of the operational picture via real-time information, meaning establishing IT systems that both monitor user behavior on networks and segment access in an effort to mitigate potential cyber attacks.

NSA's model delineates zero trust into seven pillars: user, devices, applications & workloads, data, network & environment, automation & orchestration and visibility & analytics.

Within the user pillar, the information sheet details the capabilities needed for zero trust, including identity management, credential management, access management, federation to ensure system interoperability and governance around continuous improvement.

The report goes through capabilities and maturity levels for identity, credential and access management, as well as identity federation, in what it says is a maturation of existing ICAM architecture for federal agencies in line with the zero trust model.

The new information sheet points to recent breaches and cyber attacks done by exploiting weaknesses in identity and access controls. In 2021, the Colonial Pipeline ransomware attack was perpetrated via a compromised password for a virtual private network that didn't have multi-factor authentication in place. The 2015 data breach of personnel records at the Office of Personnel Management occurred via compromised credentials.

"Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation's most critical systems," Kevin Bingham, NSA's zero trust lead, said in a statement. "Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises."

NSA is also planning to release more information sheets meant to help organize, guide and simplify incorporating zero trust principles and designs into enterprise networks, according to the new cybersecurity information sheet.


NSA Report Suggests Ways to Help National Security System … – Executive Gov

The National Security Agency has issued a cybersecurity information sheet offering recommendations to help system operators and owners mature identity, credential and access management capabilities to prevent cyberattacks.

"Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation's most critical systems," Kevin Bingham, critical government systems, zero trust lead at NSA, said in a statement published Tuesday.

"Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises," added Bingham.

The CSI, titled "Advancing Zero Trust Maturity throughout the User Pillar," discusses how ICAM capabilities integrate into a comprehensive zero trust framework and outlines steps national security system operators should take to further develop access and identity security controls and operational practices when it comes to authorizing users to access key resources and establishing digital identities.

NSA said it will release additional guidance to help system operators streamline the integration of zero trust principles into enterprise networks.


NSA Hiring Efforts Go West to the 2023 Women in Cybersecurity … – National Security Agency

FORT MEADE, Md. - The National Security Agency (NSA) has recently ramped up its hiring efforts to bring more skilled personnel into its cybersecurity mission. This week, leaders from the Cybersecurity Collaboration Center (CCC) will participate in the Women in Cybersecurity Conference in Denver, CO. Their focus is to inform conference participants of the NSA cybersecurity mission and recruit diverse talent to join us in defending the nation's most critical systems.

The 10th annual Women in Cybersecurity (WiCyS) Conference will take place at the Gaylord Rockies Resort and Convention Center in Denver from March 16-18.

WiCyS is the premier conference for women and allies in cybersecurity across industry, academia, and the government.

NSA's presence will be highlighted at booth #300 in the conference career fair. Private mentoring sessions will be available, and speakers Molly Moore, Deputy Director of NSA's Workforce Support Activity, and Morgan Adamski, Director of the Cybersecurity Collaboration Center, will highlight NSA's mission and opportunities.

NSA Speakers at WiCyS 2023:

Be Both, Have Both - Molly Moore will share lessons she has learned throughout her career at NSA, including how to thrive without compromise.

Intel-Driven Cyber Defense: How the IC Helps Drive Collective Defense - Bailey Bickley will moderate a fireside chat with Morgan Adamski, CCC Director, and Lauren Goldman, Director of Analytic Integration at the Cyber Threat Intelligence Integration Center (CTIIC) for the Office of the Director of National Intelligence (ODNI)

Conference participants can learn more about NSA's mission and how it addresses cyber threats facing the nation, as well as meet some of the people who drive the mission and make it happen.

Bring your resume! If you're looking for a rewarding career in the fast-paced world of cyber, and you're passionate about federal service, stop by booth #300 for more information; we'll have folks ready to talk about our compelling and rewarding employment opportunities. Mentoring sessions with Molly Moore and Morgan Adamski will be available on a first-come first-served basis on Friday, March 17, from 10am-11am MDT in Maple 3A. Sign up by emailing CCC_Hiring@uwe.nsa.gov.

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721


Kerry Howley Excerpt: How Not to Infiltrate an NSA Building. – New York Magazine


It's too late, of course; you are already known, though the you that is known is not the you that you are. Willingly you have surrendered many bits of information that, taken together, form a sclerotic social identity with a strange relation to the real. Surveillance finds truths, and surveillance serves the creation of elaborate untruths. In our time we have cast disappearance as suspect ("ghosted," we say, as if it's a bad thing) while we celebrate the keeping of a kind of terrible track: I have the receipts. A paper receipt might get trashed or lost or misfiled, out of reach of digital discovery. But it is our fate to live in the age of the indelible. We all have to have the receipts, receipts for everything, receipts for texts and one-line emails and Facebook messages, an ageless record of the time I made a bad joke in a group thread and my friends twice-tapped haha! so as not to leave me hanging. To study surveillance is to learn, over and over, that we cannot escape ourselves.

On a trip with some of my dearest friends, undertaken largely but not exclusively for the reason of capturing flattering group selfies, every one of us had used up all the storage on our phones before we took a single photo. To take one selfie we had to delete, say, three. By the time we went on our next trip together, everyone had upgraded phones. Now nothing would constrain us from taking pictures, all of which still exist, somewhere, because there is no incentive to delete them.

How much of the burden is in the way we watch ourselves? In the early years of the twenty-first century, everyone is amassing digital information but no one knows how to sort through it. Closets are stacked with old computers. It would be better, of course, to go through all of one's photos and keep only those worth keeping, but the thought of this induces paralyzing exhaustion. This would involve decision-making, which is cognitively taxing. This would involve delving deep into our personal histories, our pasts, which may involve feelings we don't feel like feeling. It's best to just take another photograph. Keep building up the database. Throw it into the cloud, whatever that is. It's slightly stressful to know that one's personal database is bloated and disorganized, but you can't see my cloud. It's my burden to bear, my weight to carry; luckily, since I'm physically small, it's only a cloud.

In the United States in the early years of the twenty-first century, this has been the approach intelligence agencies take toward information: Absorb everything, all of it, at once. Stash it somewhere. Worry about it later.

I wanted to know what surveillance was. I wanted to know what it was made of. More data has been created and stored since the year 2000 than in the entire previous course of humanity. The NSA's upgraded phone is a giant warehouse, the size of six city blocks, sucking in water in the middle of a Utah desert. Inside are racks the size of refrigerators, and on the racks, more metal boxes, these the size of dinner plates. Inside those boxes are magnetic switches (zero one, zero one, one zero), the computer's translation of all the words it is possible to whisper. A server farm is our age's answer to the industrial factory: row upon row upon row of racks, ten thousand of them, autonomous, whirring, sucking in a small city's worth of electricity and pouring out heat. This one cost two billion dollars to build; maintaining it and its generators costs millions more per year. Around it the NSA builds a fence, and on the fence they mount cameras. The sum total of human knowledge from the dawn of man to 2003 could be contained in 5 exabytes. The warehouse can probably hold twelve.

As you can imagine, you are not welcome on this piece of desert. But in the blueprints, one can see room for a kennel, where guard dogs must sleep, because American surveillance is partly made of electrons and partly made of tubes and partly made of dogs. The true enemy of data is not something against which dogs can protect. The enemy of all of this data, of all data, is heat. To cool the whirring racks, the NSA must pump in 1.2 million gallons of water per day, in the desert, in drought conditions. Data is physical. It can therefore be confronted.

In the early years of the twenty-first century, a Japanese woman promises to declutter our homes. She teaches us to prioritize space over things. She counsels us to clear our countertops. We throw out everything. Thrifters report that it is a glorious time to thrift; the shops are full of treasure. We take photos of our decluttered homes and save them in an increasingly anarchic digital space. The photos don't take up any room. They don't require sacrifice.

Most of us are good at not looking. Some people are very, very bad at it, which is perhaps a kind of evolutionary variance you'd want to have around. People who feel they must confront the nature of reality, whom we call whistleblowers or traitors, tend to feel that the rest of us should do the same, which makes those people annoying, because not looking is a skill, and after a while you too might lose the ability to not look. You might feel drawn to, say, NSA Georgia, because you wanted to understand the life of someone for whom the secret had become mundane. These pages are a strange history of a world burying itself in isolated fragments, information, data, the products of surveillance, and the twenty years in which these fragments come to be confused for fact. It is a polemic against memory cast into print.

My first real job was at a newspaper in Myanmar, which is and was a military dictatorship closed to most foreigners. I was twenty-one and never more visible; the state was watching, and so were the neighbors. The newspaper was called The Myanmar Times and Business Review, and it was run by a vulgar portly Australian. Before we could publish anything, we faxed what we had written to a censor, who faxed back the copy with big black Xs across it. You could then call the censor, whose name was Way Lin, and argue with him, at which point he would give reasons that your fluff piece on Halloween was inadmissible (ghost stories were illegal), or your profile of a rickshaw driver was axed (a driver with a degree in history suggested economic stagnation). Once, I met Way Lin at a party. He was friendly and eager to be liked. From this early experience I took a lesson in tonal complexity. What was ominous in the abstract was likely to be, in its specificities, absurd.

Being a woman is a way of being unseen, and this invisibility renders a certain confidence, a certain obliviousness to boundaries. To get to the NSA's Whitelaw Building, I needed access to Fort Gordon, an army base. I parked at a visitors center. I explained that I was a professor doing research, which was true, and received a pass. Fort Gordon is a bleak, overgrown, dated brick affair. The architecture is sometimes brick riot-proof high school and sometimes socialist-cheap and occasionally horror-movie funhouse, as with the weathered Bingo Palace I passed as I circled and circled and searched for something that resembled the drawings I had seen. I felt the dirt road beneath my tires as I pulled behind some temporary buildings and passed a green scrubby field on which I may have seen some horses. There were massive satellite dishes surrounded by barbed wire. There were uniformed troops in formation. I saw nothing to contradict the idea that it was 1975. And then, in the distance, the $286 million, 604,000-square-foot Whitelaw Building, more concert hall than facility, gleaming and white and gently, expensively curved. It looked like a giant piece of consumer technology newly unwrapped. It did not look like it had been built. It looked like it had landed.

I walked up to some equally designed outdoor turnstiles, sleek metal detectors on which were posted signs: no cell phones. no thumb drives. An SUV pulled up with a police officer inside; she demanded my license and as I handed it to her I saw her notepad read "woman in a burgundy top." I hadn't thought of it as burgundy. As I sat on a patch of grass in the sun, increasingly hot, I worried about sun damage to my face, which is to say I was thinking about wrinkles as a second SUV pulled up. They wanted my phone. I asked if I could refuse, and they said no. The police officer called these new men special agents, though when I asked a guy for his title, he declined to say. There were two officials, then three, then six, and they were just trying to figure out what's going on. I asked a few times if I could leave and was told I could not in fact leave; I asked if I was under arrest and told no, this was investigatory detention.

They asked me whether I would talk to the media and I said I didn't know. They asked me who I was writing for and I said I didn't know, who could say where this would end up, maybe Glimmer Train, a literary journal. I do not know why, when stressed, my instinct is to become more annoying. Glimmer Train, wrote the special agent on his special pad. They conferred away from me. The sun beat down and I continued to think about fine lines. "Who in the media will you speak to?" an agent asked for the third time. "I am the media," I said grandly. To my surprise, they liked this answer; it involved a definable category. I was then turned over to a third jurisdictional authority, military police. I do not know how much time all of this took. I only know that in that thirty minutes or hour or two hours something shifted, because as I sat on that patch of grass I looked not at the building but at the parking lot. I looked at the cars: Jettas and Camrys. Thousands of regular people worked here. Thousands of middle-class people drove from their homes every day and parked here and went home and never told their mothers where they'd been. The eye is not always a metaphor. Surveillance, of course, is made of us.
