Thursday, July 31, 2014

No, the CIA didn't spy on other computers

The computer's the CIA spied on were owned and operated by the CIA.

I thought I'd mention this detail that is usually missing from today's news about the CIA spying on Senate staffers. The Senate staffers were investigating the CIA's torture program, reviewing classified documents. The CIA didn't trust the staffers, so they setup a special computer network just for the staffers to use -- a network secured and run by the CIA itself, in a CIA building, maintained by CIA sysadmins. Dianne Feinstein describes this as background information in her complaint:
I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”
The CIA, though, spied on what the staffers did on the system. This allowed the CIA to manipulate investigation. When the staffers found some particularly juicy bit of information, the CIA was able to yank it from the system and re-classify it so that the staffers couldn't use it. Before the final report was ready, the CIA was already able to set the political machine in motion to defend itself from the report.

Thus, what the CIA did was clearly corrupt and wrong, and counter to their agreement with the Senate. It's just that it isn't what most people understand when they read today's headlines. It wasn't a case of the CIA hacking into other people's computers. You can't "hack" a computer you own using your own password.

Many stories quote CIA director Brennan who said earlier this year:
I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong
Many stories (like this one) claim that it's Brennan who was proven wrong, but instead, he was proven right. The investigation showed that at no time did the CIA hack anybody else's computer.

In pointing out the truth many people assume that I'm defending the CIA. I'm not. The torture program was morally wrong and beneath us as a country. Surreptitiously spying on the investigators into the program is clearly corrupt, and all involved need to be fired -- even if it turns out no law was broken (since it was the CIA's own computers).

I'm outraged, but believe we should be outraged by the right things, not the distorted story in the news. Seriously, I can't be more outraged at how the CIA revoked the declassification of things the staffers found useful to their investigation. It's not the spying (of their own computer) that angers me so much as their corrupt actions the spying enabled.

Update: @grayrisk points to this Lawfare blogpost with specifics. As you can see, CIA sysadmins had access to the system to administer it, but otherwise the system was supposed to be segregated from the rest of the CIA.

1 comment:

Chris Sternal-Johnson said...

If I'm the DBA at a bank and I use that access to siphon off SSNs, I'm going to get charged with unauthorized access even though my privileges were legitimately obtained.

Same thing here. They weren't supposed to be accessing those computers in that manner, making it unauthorized access.