Cybersecurity – Obama’s Trojan Horse

Trojan horse: internet virus, internet worm, internet malware.  A sneak attack disguised as a gift or peace offering.

A very scary horse is at the gate.  Right now.  Built by Bush, supersized for Web 2.0 by Barack Obama.  How ironic that the biggest threat to your internet freedom is the cybersecurity protections your government is building with your money. The internet will be yours as long as the government feels it’s safe for you to have it. And by safe, I mean safe for those who own the government.  And that’s not you.

At the end of May, Barack Obama announced his plan to protect “America’s digital infrastructure”.  Like the trained lawyer that he is, Obama delivered persuasive opening remarks, reminding us that our economy and our government rely on the internet.

It’s about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets. … This is a matter, as well, of America’s economic competitiveness. …

Then he unveiled his new and improved Trojan Horse:

I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator.  … To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.

New promise: the giant horse will not trample our privacy rights and civil liberties.

Remember his track record on other values and goals which the left holds dear?   Lady Boomer NYC listed some of them over at The Widdershins.  And speaking of broken promises, the day after Lady Boomer nailed her list of grievances to the fortress door, the New York Times ran an article titled E-Mail Surveillance Renews Concerns in Congress:

The National Security Agency is facing renewed scrutiny over the extent of its domestic surveillance program, with critics in Congress saying its recent intercepts of the private telephone calls and e-mail messages of Americans are broader than previously acknowledged, current and former officials said.

Kenneth L. Wainstein testified about surveillance in Fall 2007 at a Senate committee hearing.

The N.S.A. is believed to have gone beyond legal boundaries designed to protect Americans in about 8 to 10 separate court orders issued by the Foreign Intelligence Surveillance Court, according to three intelligence officials who spoke anonymously because disclosing such information is illegal.

The NSA characterized it’s privacy protection failure as a simple case of “overcollection”. Representative Rush Holt’s opinion was otherwise: “Some actions are so flagrant that they can’t be accidental”. But those transgressions were under the old president, you say. Our New President promised Change.  Specifically, at the same time that he announced the cybersecurity program, Obama said:

Let me also be clear about what we will not do. Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.

This from someone who many believe is from a family of spooks.  As in intelligence operative.  As in Was Obama’s Mama a Spook? Joe Cannon wonders the same thing, as does Cinie.

So far so not-good: a liar in the White House promises us he will protect America’s digital infrastructure as well as our privacy and civil rights.  I’m betting he might keep half that promise – and you can guess which half.

But it gets worse. Much worse.

The New York Times ran an article titled New Military Command for Cyberspace, in which we see a new twisty promise:

“I can’t reiterate enough that this is not about the militarization of cyber,” said Bryan Whitman, a Pentagon spokesman, in discussing Mr. Gates’s order on Tuesday.

“This is an internal Department of Defense reorganization,” Mr. Whitman said. “It is focused only on military networks to better consolidate and streamline Department of Defense capabilities into a single command.”

Emphasis mine.  So the Department of Defense will protect the military digital infrastructure (.mil domains).  Homeland Security will do the same to protect the government’s digital infrastructure ( .gov domains) according to this article from yesterday’s Washington Post:

Cybersecurity Plan to Involve NSA, Telecoms – DHS Officials Debating The Privacy Implications

The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.

President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems.

… Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.

the new & improved Bush cybersecurity plan

Have you ever visited a “dot-gov” website?  Like, IRS.GOV or WHITEHOUSE.GOV?  Ever complained on the FCC website? You and me both – meaning our contact info is in the database. What I don’t get is why a telecom such as AT&T has to be part of this plan.  Can’t they just install the cybersecurity guard on the government’s computers and websites?  Maybe this is how Obama plans to protect our economy?  How else can he protect the economic non-governmental interests unless the program monitors non-governmental internet service providers like AT&T?

Hidden in the above article is a clue to the value of our government’s promises about privacy protection and non-militarization of cyberspace:

“To be clear, Einstein 3 development is proceeding,” DHS spokeswoman Amy Kudwa said. “We are moving forward in a way that protects privacy and civil liberties.”

Ummmm, is she saying that Einstein 3 is about protecting privacy and civil liberties while protecting .gov websites? As far as I can tell, the answer is no.  Here is what Wikipedia says about the Einstein program:

Einstein also known as the EINSTEIN Program is an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. … When it was created, Einstein was “an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government.” Einstein does not protect the network infrastructure of the private sector. …

The new version, called EINSTEIN 2, will have a “system to automatically detect malicious network activity, creating alerts when it is triggered”. …

Version 3.0 of Einstein has been discussed to prevent attacks by “shoot[ing] down an attack before it hits its target”. …

As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and until it does, has no “disposition schedule”—its “records must be considered permanent and nothing may be deleted”.

Nothing in there about specifically protecting privacy, but there is a hint about the offensive component of the program. Defense Secretary Gates gave his order to the military in June, and we’re assured that this is not a militarization of cyberspace.  The month before Mr. Gates gave his order, an article titled Carpet bombing in cyberspace – Why America needs a military botnet was posted in the Armed Forces Journal. In this article Col. Charles Williamson III exults over the offensive opportunities of cybersecurity:

America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.

That capability in cyberspace can exist in an af.mil botnet. A botnet is a collection of widely distributed computers controlled from one or more points.

their real strength lies in their ability to generate massive amounts of Internet traffic and direct it against a small number of targets. This is called a distributed denial of service (DDOS) attack. The effect is that the target computers are cut off from the Internet.

the Air Force could add botnet code to all its desktop computers attached to the Nonsecret Internet Protocol Network (NIPRNet). Once the system reaches a level of maturity, it can add other .mil computers, then .gov machines.

To generate the right amount of power for offense, all the available computers must be under the control of a single commander

If the enemy is using civilian computers in his country so as to cause us harm, then we may attack them.

Emphasis mine.  Time out: what is denial of service and why do we care?  It’s when the volume of internet traffic is so huge that it overwhelms an internet site.  Imagine a city street trying to accomodate the traffic of a 5-lane highway.  And what if those offensive civilian computers are inside the US? Or what if there are people inside the US (like war veterans maybe?) whom the government deems as potential internal terrorists?

Generally, the U.S. military is not going to attack a U.S. private computer. Harm coming from one of those machines will first be treated as a crime, and military forces should stay out of the situation in accordance with the Posse Comitatus Act. However, Title 10 of the United States Code, Section 333, allows the president to order use of the military in the U.S. under tightly controlled conditions when civil authorities are overborne.

Time out #2: what is the Posse Comitatus Act and why do we care? It’s the law which prohibits the federal government from using the military to perform law enforcement. End time out.  Here is a bit of background on Keith Alexander (beware this is a .gov link), the general who is being proposed to lead the non-militarized cybersecurity program:

Keith Alexander

He holds a Master of Science degree in Systems Technology (Electronic Warfare) and a Master of Science degree in Physics from the Naval Post Graduate School. He also holds a Master of Science degree in National Security Strategy from the National Defense University.

How difficult would it be the military (or president) to create an “attack” virus launched into US civilian computers, then claim that they must defend us by launching a botnet denial of service?  Or, just claim that such an attack occurred but details must be classified?

Like Iraq’s weapons of mass destruction.

h/t to Global Research and Antifacist for alerting us to this threat.

Happy Independence Day, everyone.

It’s about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets.