Wednesday, January 14, 2015

Notes on the CIA spying case

The CIA announced it wasn't going to punish those responsible for spying/hacking on Senate computers. Since journalists widely get this story wrong, I thought I'd write up some notes getting it right. That's because while the CIA organization is guilty of gross misconduct, it's actually likely that no individual employees did anything wrong. The organization is guilty, but (possibly) the people aren't.

The first thing to note is that no hacking happened. These were CIA computers, at a CIA facility, managed by CIA sysadmins, who had the admin passwords.

That's the complicated bit. In 2009 when the Intelligence committee demanded to look at the torture/interrogation documents, the CIA balked about the security issues of staffers taking documents offsite. Therefore, they came to an agreement with the Senate: the CIA would set up a special secured network at their building, disconnected from the rest of the CIA network. The Senate staffers would go there to work. Documents would be transferred from the CIA's main network onto this special network by hand (probably USB flash drive or something).

The Senate committee didn't have to agree to this. By law, they have oversight, and can make decisions that screw the CIA. But the Senate committee recognized this was a legitimate concern, and agreed to the compromise. However, they demanded concessions from the CIA, such as not "spying" on their staffers.

I say "spying" here because that's the word used in the press, but it was more complex than that. Spying on employees is routine within the CIA. There are always compliance officers running around checking computers to make sure they don't have documents on them they shouldn't. So "compliance" is a better word than "spying"; it sounds much nicer.

But the agreement was specifically that only IT techies would have access to the computers purely for the purposes of IT techy stuff, and that nobody else at the CIA would have access -- not even for compliance purposes.

Well, in the course of events, other people at the CIA did access these computers, did do compliance checks. Judging from Dianne Feinstein's comments, it appears that most of these incidents were just honest mistakes, at least, she's not concerned by them. The one incident she's concerned about involves the Panetta report -- the internal CIA investigation that found gross misconduct in the torturing/interrogation.

The Panetta report wasn't one of the documents the Senate staffers were supposed to see. Nobody knows how it got onto these special computers. The staffers just found it there accidentally. At least, that's the information we have publicly. The CIA accuses the staffers of doing nefarious things, but we outsiders can't know really what happened. (Maybe somebody at the CIA leaked it to the staffers).

When the CIA heard the staffers had the Panetta document, they did what they always do when things like this happen: their normal compliance checks and investigation. Among the things they would do in such situations is thoroughly scan the computers they'd given the Senate staffers, read their emails, search their files, and so forth. Yes, at the top level, the head of the CIA agreed that this would not happen -- but the employees didn't necessarily know this. Apparently, nobody told them about the agreement -- they didn't get the memo.

The problem is ultimately this: that while the CIA as an organization broke the rules here, it's possible that no individual person did anything intentionally bad.

Personally, I think this is bullshit. I think lower level flunkies knew what they were doing was wrong, that high-level managers gave them direction, and that many at the CIA deliberately pushed the rules as much as they could in order to interfere with the Senate investigation. But I don't have proof of this, and no such proof has been made public.

I don't like the CIA. I think their torture is a stain on our national honor. I think it's a travesty that the torturers aren't punished. It's clear I don't support the CIA, and that I have no wish to defend them. But I still defend truth, and the truth is this: the CIA did not "hack senate computer" as many claim.

These notes were compiled mostly from Dianne Feinstein's description of events.


Alex B. said...

To claim that the CIA "tortured" someone is to lower the bar on the definition of torture. Just an FYI, if a fat, middle-aged reporter VOLUNTEERS for a procedure (the way Christopher Hitchens did), just to see what it's like, it's absurd to call that procedure torture. To define what is seen in the Abu Ghraib pictures as "torture" is an obscene distortion of the definition of torture. And a grand total of ... THREE people had the procedures, you laughably call torture, applied to them.

You can dislike the CIA all you want, but you should try to be honest about why, rather than manufacturing reasons or displaying faux outrage at reasonable steps taken against men who are incredibly violent and extremely dangerous.

There is a REAL difference between the CIA and our adversaries. That people like you seem to think the only difference is on which side these people fight is the actual stain on our national honor.

Matt H said...

I agree that the concept that the techies at CIA didn't know this was a special air-gapped network with special ROE is pretty absurd. I've set up a number of such "special" networks for very similar special projects, and I can't imagine this was a simple oversight. I am confident that CIA has dozens of networks that are segmented in various different ways, with special requirements as to who can access them, when, and how. It's not like these CIA techs would be unfamiliar with the concept of a special network on which they had no business following their normal SOPs.