Tillerson: Child Soldiers Conscription Violations

Image result for child soldiers

photo

The United Nations has a list of shame, fine but it is merely a list and a gesture.

Child soldiers are children (under 18) who are used for military purposes.

Some child soldiers are used for fighting – they’re forced to take part in wars and conflicts, forced to kill, and commit other acts of violence. Some are forced to act as suicide bombers. Some join ‘voluntarily’, driven by poverty, sense of duty, or circumstance.

Other children are used as cooks, porters, messengers, informants, spies or anything their commanders want them to do. Child soldiers are sometimes sexually abused.

Afghanistan, Central African Republic, Democratic Republic of Congo, India, Myanmar, the Occupied Palestinian Territory, Thailand, the UK and Yemen all use child soldiers, meaning on person under the age of 18. 

Image result for child soldiers afghanistan photo (attribution for photo removed due to malware alert)

Exclusive – State Dept. revolt: Tillerson accused of violating U.S. law on child soldiers

WASHINGTON (Reuters) – A group of about a dozen U.S. State Department officials have taken the unusual step of formally accusing Secretary of State Rex Tillerson of violating a federal law designed to stop foreign militaries from enlisting child soldiers, according to internal government documents reviewed by Reuters.

A confidential State Department “dissent” memo not previously reported said Tillerson breached the Child Soldiers Prevention Act when he decided in June to exclude Iraq, Myanmar, and Afghanistan from a U.S. list of offenders in the use of child soldiers. This was despite the department publicly acknowledging that children were being conscripted in those countries.[tmsnrt.rs/2jJ7pav]

Keeping the countries off the annual list makes it easier to provide them with U.S. military assistance. Iraq and Afghanistan are close allies in the fight against Islamist militants, while Myanmar is an emerging ally to offset China’s influence in Southeast Asia.

Documents reviewed by Reuters also show Tillerson’s decision was at odds with a unanimous recommendation by the heads of the State Department’s regional bureaus overseeing embassies in the Middle East and Asia, the U.S. envoy on Afghanistan and Pakistan, the department’s human rights office and its own in-house lawyers. [tmsnrt.rs/2Ah6tB4]

“Beyond contravening U.S. law, this decision risks marring the credibility of a broad range of State Department reports and analyses and has weakened one of the U.S. government’s primary diplomatic tools to deter governmental armed forces and government-supported armed groups from recruiting and using children in combat and support roles around the world,” said the July 28 memo.

Reuters reported in June that Tillerson had disregarded internal recommendations on Iraq, Myanmar and Afghanistan. The new documents reveal the scale of the opposition in the State Department, including the rare use of what is known as the “dissent channel,” which allows officials to object to policies without fear of reprisals.

The views expressed by the U.S. officials illustrate ongoing tensions between career diplomats and the former chief of Exxon Mobil Corp appointed by President Donald Trump to pursue an “America First” approach to diplomacy.

INTERPRETING THE LAW

The child soldiers law passed in 2008 states that the U.S. government must be satisfied that no children under the age of 18 “are recruited, conscripted or otherwise compelled to serve as child soldiers” for a country to be removed from the list. It currently includes the Democratic Republic of Congo, Nigeria, Somalia, South Sudan, Mali, Sudan, Syria and Yemen.

”The Secretary thoroughly reviewed all of the information presented to him and made a determination about whether the facts presented justified a listing pursuant to the law,” a State Department spokesperson said when asked about the officials’ allegation that he had violated the law.

In a written response to the dissent memo on Sept. 1, Tillerson adviser Brian Hook acknowledged that the three countries did use child soldiers. He said, however, it was necessary to distinguish between governments “making little or no effort to correct their child soldier violations … and those which are making sincere – if as yet incomplete – efforts.”

Hook made clear that America’s top diplomat used what he sees as his discretion to interpret the law.

‘A POWERFUL MESSAGE’

Foreign militaries on the list are prohibited from receiving aid, training and weapons from Washington unless the White House issues a waiver based on U.S. “national interest.” In 2016, under the Obama administration, both Iraq and Myanmar, as well as others such as Nigeria and Somalia, received waivers.

At times, the human rights community chided President Barack Obama for being too willing to issue waivers and exemptions, especially for governments that had security ties with Washington, instead of sanctioning more of those countries.

“Human Rights Watch frequently criticized President Barack Obama for giving too many countries waivers, but the law has made a real difference,” Jo Becker, advocacy director for the children’s rights division of Human Rights Watch, wrote in June in a critique of Tillerson’s decision.

The dissenting U.S. officials stressed that Tillerson’s decision to exclude Iraq, Afghanistan and Myanmar went a step further than the Obama administration’s waiver policy by contravening the law and effectively easing pressure on the countries to eradicate the use of child soldiers.

The officials acknowledged in the documents reviewed by Reuters that those three countries had made progress. But in their reading of the law, they said that was not enough to be kept off a list that has been used to shame governments into completely eradicating the use of child soldiers.

‘UNCONSCIONABLE ACTIONS’

Ben Cardin, ranking Democrat on the U.S. Senate Foreign Relations Committee, wrote to Tillerson on Friday saying there were “serious concerns that the State Department may not be complying” with the law and that the secretary’s decision “sent a powerful message to these countries that they were receiving a pass on their unconscionable actions.”

The memo was among a series of previously unreported documents sent this month to the Senate Foreign Relations Committee and the State Department’s independent inspector general’s office that relate to allegations that Tillerson violated the child soldiers law.

Legal scholars say that because of the executive branch’s latitude in foreign policy there is little legal recourse to counter Tillerson’s decision.

Herman Schwartz, a constitutional law professor at American University in Washington, said U.S. courts would be unlikely to accept any challenge to Tillerson’s interpretation of the child soldiers law as allowing him to remove a country from the list on his own discretion.

The signatories to the document were largely senior policy experts with years of involvement in the issues, said an official familiar with the matter. Reuters saw a copy of the document that did not include the names of those who signed it.

Tillerson’s decision to remove Iraq and Myanmar, formerly known as Burma, from the list and reject a recommendation by U.S. officials to add Afghanistan was announced in the release of the government’s annual human trafficking report on June 27.

Six days earlier, a previously unreported memo emailed to Tillerson from a range of senior diplomats said the three countries violated the law based on evidence gathered by U.S. officials in 2016 and recommended that he approve them for the new list.

It noted that in Iraq, the United Nations and non-governmental organizations “reported that some Sunni tribal forces … recruited and used persons younger than the age of 18, including instances of children taking a direct part in hostilities.”

Ali Kareem, who heads Iraq’s High Committee for Human Rights, denied the country’s military or state-backed militias use child soldiers. ”We can say today with full confidence that we have a clean slate on child recruitment issues,” he said.

The memo also said “two confirmed cases of child recruitment” by the Myanmar military “were documented during the reporting period.” Human rights advocates have estimated that dozens of children are still conscripted there.

Myanmar government spokesman Zaw Htay challenged accusers to provide details of where and how child soldiers are being used. He noted that in the latest State Department report on human trafficking, “they already recognized (Myanmar) for reducing of child soldiers” – though the report also made clear some children were still conscripted.

The memo said further there was “credible evidence” that a government-supported militia in Afghanistan “recruited and used a child,” meeting the minimum threshold of a single confirmed case that the State Department had previously used as the legal basis for putting a country on the list.

The Afghan defense and interior ministries both denied there were any child soldiers in Afghan national security forces, an assertion that contradicts the State Department’s reports and human rights activists.

A Wide Look at North Korea’s WMD Operations

Image result for north korea defector shot

photo

Primer:

South Korean surgeons operating on a North Korean defector who escaped across the Demilitarized Zone between the two countries under a hail of gunfire on Nov. 13 have found a parasite in the man’s stomach unlike any other they had seen.

The defector, who was shot five times, remained in critical condition after hours in two rounds of surgery, according to an article in the Korea Biomedical Review published on Nov. 15.

North Korean Cyber Operations: Weapons of Mass Disruption

Over the past 10 years, the escapades of various nation-state actors in the cyber realm have exploded onto the pages of top-tier media, and into prime time network news.

Russian espionage against political targets during the 2016 US presidential election, wide reaching Chinese espionage against Western commercial targets, disruptive attacks against the US financial sector associated with Iran, and the destructive attacks against Sony Pictures Entertainment (SPE) are some of the premier examples of mainstream coverage of ‘cyber.’

Behind every single offensive cyber action conducted in the interest of the capable nation-states is a doctrine,[1] and North Korea, like many other nation-states, has incorporated cyber operations within their own broader military doctrine and has conducted numerous offensive operations in the furtherance of their national agenda. What is particularly alarming about DPRK operations is their willingness to initiate escalatory actions, such as their likely connections to the now infamous WannaCry ransomware, and their targeting of the global financial system.

North Korea’s disregard for the consequences of its actions sets them apart from other nation-states, and is particularly dangerous.

North Korean offensive cyber operations have been conducted to collect sensitive political and military intelligence information, to lash out at enemies who threaten their beliefs and interests, and most interestingly, to generate revenue.

This revenue generation aspect of North Korean operations was thrust into the international spotlight when, in early 2016, unauthorized transfers of funds from the Bangladesh Central Bank were issued using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network for global banking. The attempted transfers amounting to over $950 million USD sought to move funds to entities in locations such as Sri Lanka and the Philippines; ultimately $81 million USD in funds disappeared into the ether.

The subsequent investigation revealed that the perpetrators of the attack used tools to securely delete records from the SWIFT terminals that would alert Bangladesh Central Bank employees of the transfers. Commonly referred to as a “wiper,” this secure deletion tool contained code that was linked by many in the computer security industry to one used in attacks associated with North Korea, notably the attack on SPE through a US Computer Emergency Response Team (USCERT) alert. The revelation that a state would engage in such a flagrant violation of international norms came as a surprise to many in the information security arena. North Korea watchers were, of course, not surprised as the currency generation activities benefiting the Kim family and their isolated nation have been well understood for some time.

The 2016 SWIFT attacks associated with North Korea are part of the broader currency generation operations of DPRK cyber actors and intelligence organizations. Botnets associated with espionage activity targeting South Korea have been used to generate revenue through a variety of schemes for almost 10 years. Recent DPRK activity suggests an interest in obtaining cryptocurrency, such as bitcoin, through extortion and targeting of cryptocurrency exchanges.

In the third quarter of 2017, for instance, malicious emails containing weaponized documents were used to target international financial organizations, as well as bitcoin exchanges. The ultimate goal of these attacks, which were tracked by the information security community under names such as Stardust Chollima and BlueNoroff, is yet unknown, however theft and sabotage are likely.

Bitcoin provides attractive benefits to the isolated nation due to a lack of regulation and the ability to subvert international sanctions. In May 2017, ‘WannaCry’ exploded across the internet, encrypting sensitive material and holding the keys to decrypt the files for a ransom to be paid in bitcoin. This attack, too, had North Korean fingerprints embedded in the code used to execute the attack, as did the tools that were used to develop that code.

Attribution is a particularly sensitive subject in the cyber domain. Technical artifacts from the executable code that was used to conduct the WannaCry attack overlaps with code used in attacks against South Korean nuclear power plants and the SPE attack of 2014. While the technical artifacts can provide some measurable connections between the attacks, they require deep technical understanding to interpret. Other linkages, such as targeting and operational procedures, are the product of intelligence assessments and have been disputed by various parties muddying the water surrounding the assigning of attribution.

North Korea is an exception to the classical understanding of how most nations implement offensive cyber operations in that they incorporate espionage, disruptive/destructive attacks and financially motivated operations using the same computer code and infrastructure.

The value of cyber operations is likely recognized by North Korea’s most senior leadership through the State Affairs Commission (SAC), the General Staff of the Korean People’s Army, and Kim Jong Un himself. Subordinate units, notably the Reconnaissance General Bureau (RGB), Bureau 121, and the Command Automation Bureau (CAB), are likely responsible for executing the specific operations. The individual units may have a charter to self- finance their operations, or to contribute financial gains back to the regime, but it seems clear that various offensive operations are conducted by differing groups with their own approach and missions. For example, one group may have a primary focus on revenue generation, targeting South Korean banks and SWIFT and conducting extortive attacks, while another group might focus on intelligence collection, while a third conducts sabotage and destructive attacks.

Finally, the maturity of North Korean offensive cyber operations has been demonstrated through the integration of destructive attacks by cyber units during military exercises executed in the midst of escalating tension with South Korea. For instance, following the December 2012 launch of the Kwangmyongsong-3 satellite via the Unha-3 satellite launch vehicle, tensions on the Korean peninsula were high. That March, following the passing of UN Security Council Resolution (UNSCR 2087) and B-52 strategic bomber overflights in South Korea, North Korea responded with a particularly aggressive disruptive attack against South Korea.

This massive wiper attack targeted South Korea’s financial and media sectors and coincided with provocations by North Korean military and escalating political rhetoric. This pairing allowed for maximum psychological impact, while demonstrating North Korea’s ability to integrate offensive cyber activities into well-developed military doctrine. During these attacks, the Korea Broadcasting System (KBS), Munhwa Broadcasting Corporation (MBC), Yonhap Television News (YTN) and several Korean financial institutions reported disruptions. With the threat of military escalation on the table, many in South Korea would have depended on the media outlets for breaking news. Disruption of ATM networks and financial institutions would further add to the chaos as word of media disruptions began to spread.

As tensions are once again escalating between North Korea and the international community, more attacks perpetrated by DPRK cyber actors are likely. The recent increase in financial sector targeting associated with these actors may illustrate the potential for disruptive attacks to demonstrate both the capability of the North Korean actors, as well to achieve objectives in line with their broader military doctrine. While North Korea’s isolation may be detrimental to its economy and international relations, it is an effective shield from which to launch offensive cyber operations against a connected and delicate global system.


  1. [1]

    In order to establish some common definitions, we can look to the United States Department of Defense, who established Computer Network Operations (CNO) as a component of the broader Information Operations (Information Warfare) arena. CNO is further categorized into Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defense (CND). Offensive cyber operations conducted by nation-states using this model would be considered CNE and CNA. The use of CNE can be roughly characterized as espionage, whereas CNA would be used to degrade, deny, disrupt, or destroy the network based systems of an adversary. This model can help provide a clear delineation of how various military, intelligence community, and law enforcement agencies with their authorities are able to conduct operations. China, Russia, Iran and virtually every nation-state in the world conduct CNE/CNA operations in accordance with their legal authorities and national interests.

    ***

    There are other weapons few discuss.

    Pyongyang has already achieved partial coverage of US territories. Last June, in a hearing before the US House Armed Services Committee, the head of the US Missile Defense Agency, Vice Admiral James Syring, said: “The advancement and demonstration of technology of ballistic missiles from North Korea in the last six months have caused great concern to me and others. It is incumbent on us to assume that North Korea today can range the US with an ICBM carrying a nuclear warhead.”

    This particular endeavor was likely assisted by Tehran. A February 2016 report by the Congressional Research Service concluded, “Iran has likely exceeded North Korea’s ability to develop, test, and build ballistic missiles.” Tehran might be, and probably is, helpful to Pyongyang with respect to technological aspects of the nuclear sphere as well.

    The nuclear component within the spectrum of North Korea’s weapons of mass destruction (WMDs) is evidently growing. The big question is whether the country’s despot, Kim Jong-un, will be the first person to use nuclear weapons since 1945.

    Quite recently, Kim elected to employ a highly lethal chemical weapon, the nerve agent VX, for a political assassination. This weapon was used last February by two female operatives, one Indonesian and the other Vietnamese, to murder Kim Jong-un’s estranged half-brother, Kim Jong-nam, in Malaysia. The victim died shortly after being assaulted by the two women, who wiped VX on his face as he prepared to board a flight to the Chinese territory of Macau. Traces of VX were revealed on swabs taken from his eyes and face.

    This deadly chemical agent was probably smuggled from North Korea to Malaysia, which in and of itself was an intriguing and risky move. Six of eight potential suspects were from Pyongyang’s Ministries of State Security and Foreign Affairs. The suspects flew from Kuala Lumpur on the day of the assassination, passing through Vladivostok on their way back to Pyongyang. South Korea’s request to detain four of the suspects was rejected by Russian officials on the grounds of lack of evidence.

    It can be assumed that Kim Jong-un was in on the plot from its inception. Symbolically, at least, this political assassination by VX can be regarded as an indication of Pyongyang’s chemical weapons (CW) capabilities. Whether the regime intended it to or not, the assassination signaled the readiness, usability, and deployability of North Korea’s VX, which can be used for guerrilla warfare, chemical terrorism, or wide-scale chemical attack.

    VX is also weaponized within warheads carried by ballistic missiles in Pyongyang’s  vast CW arsenal. The North Korean ballistic program constitutes the principal, though not the only, vehicle for all three WMD programs. The CW and biological weapons (BW) programs are fully matured and have marked operational offensive capabilities. Inadequate attention is being paid to Pyongyang’s large-scale offensive capacities in terms of CW and BW, but the VX political assassination incident was a wake-up call (if unintentional). More here.

Former KGB Officer Hired for US Embassy Moscow Security

Image result for u.s. embassy moscow

photo

Added: Oct 27, 2017 1:51 pm

Local Guard Services for US Mission Russia.  Contract was awarded in accordance with FAR 6.302-2, Unusual and compelling urgency.

Contract is in accordance with 52.216-25 CONTRACT DEFINITIZATION.

The 4 page contract is here, it appears it was an emergency choice and hire.
Are there any people left in the contract office that have any brains? Is there anyone at the State Department providing guidance or final approvals with brains?

US embassy hires security firm of former Russian spy who worked with Putin

The US embassy in Moscow is to be guarded by a company owned by a former head of KGB counter-intelligence who worked with British double agent Kim Philby and young Vladimir Putin, after cuts to US staff demanded by Russia.

Elite Security Holdings was awarded a $2.83 million contract to provide “local guard services for US mission Russia,” which includes the Moscow embassy and consulates in St Petersburg, Yekaterinburg and Vladivostok, according to a post on a US state procurement website.

The contract and background of the firm came to light in a Kommersant newspaper report on Friday.

Elite Security, a private company and the oldest part of the eponymous holding, was founded in 1997 by Viktor Budanov and his son Dmitry, according to a Russian business registry.

A 2002 article posted on the site of Russia’s foreign intelligence service identified Mr Budanov as a major general in the agency who became a Soviet spy in 1966 and retired a year after the collapse of the USSR.

His long work in Soviet and Russian intelligence could raise questions about whether the guard services contract poses a security or intelligence risk to the US mission.

The US embassy referred The Telegraph to the state department, which did not respond to requests for comment.

Moscow forced Washington to cut its diplomatic staff in Russia from more than 1,200 to 455 in response to sanctions adopted against Russia in August.

Before his work in foreign intelligence Mr Budanov was the director of the KGB’s counter-intelligence division, he has told Russian media.

He also was head of the KGB branch in East Germany in the late 1980s, where a young Mr Putin served under him. In a 2007 interview, Mr Budanov lamented the collapse of the USSR, praised Mr Putin’s leadership and warned that Russia “can’t constantly act as (the Americans) want” or it would be destroyed.

He has also said he worked with Britain’s most infamous Soviet double agent after Philby defected to the USSR in 1963 and was once a guest at a private lunch given in Philby’s honour by Yury Andropov, the KGB head who became leader of the Soviet Union.

In the 1990s, Mr Budanov became acquainted with high-level US intelligence officials while providing business intelligence and security to foreign companies.

He formed a joint venture with the former assistant director of the National Security Agency and said in 2007 he personally knew the head of security at the US embassy in Moscow.

International Risk and Information Services, a company Mr Budanov founded in 1992 that later became part of Elite Security Holdings, says on its website it employs staff with experience in “state security organs”.

In testimony before a UK court in 1993, Oleg Gordievsky, a KGB bureau chief in London who became a British agent, said ​Mr Budanov had drugged and interrogated him after he was recalled to Moscow under suspicion.

Mr Budanov also handled sensitive operations like teaching Bulgarian agents how to use a poisonous umbrella to kill dissidents, Mr Gordievsky said.

Hacking Public Schools, 757’s and the Defense Dept

Hack-O-Matic…some good ones and others not so much.

800 Schools

“Unless we have irrefutable evidence to suggest otherwise, we need to assume confidential data has been compromised,” Hamid Karimi, vice president of business development and the security expert at Beyond Security. “That should be a cause for concern. To remedy the situation, all schools and institutions that serve minors must submit to (a) stricter set of cybersecurity rules.”

photo

The breached school websites, which spanned nationwide from New Jersey to Arizona and Virginia to Connecticut, are all powered by a company called SchoolDesk. The company since has handed over its server —  which runs out of Georgia —  to the FBI for investigation and also has hired external security firms to trace the hackers. The Atlanta-based company said after the hack that technicians detected that a small file had been injected into the root of one of its websites.

“The websites were redirected to an iframed YouTube video. No data was lost or altered in any way. Because we’re currently working with the FBI in an active investigation of this incident, as well as forensic team from Microsoft, we cannot yet discuss any technical details or exact methods of access to SchoolDesk’s network or software,” a spokesperson for SchoolDesk told Fox News.

The company has insisted that no personal or student information was exposed, but some security experts say the matter should be closely monitored, especially as minors are involved.

“In most hacks, organizations do not have full visibility into what happened or what information was compromised,” surmised Eric Cole, who served as commissioner on cyber security for President Barack Obama, and was formally a senior vice president at MacAfee and the chief scientist at Lockheed Martin. “In almost every breach, what is initially reported is usually extremely conservative and over the weeks following a breach, it is always worse than what was originally reported.”

The proud culprits of the hack? A shadowy pro-ISIS hacktivist outfit known as “Team System DZ.” Barely reported by Fox News, while other media outlets did nothing about about.

***

Pentagon Hackers for Hire

Just over a year ago, following the success of the pilot, we announced the U.S. Department of Defense was expanding its “Hack the Pentagon,” initiatives. To date, HackerOne and DoD have run bug bounty challenges for Hack the Pentagon, Hack the Army and Hack the Air Force.

The success of these programs has been undeniable and our amazing community of hackers continues to impress even us!

DoD has resolved nearly 500 vulnerabilities in public facing systems with bug bounty challenges and hackers have earned over $300,000 in bounties for their contributions — exceeding expectations and saving the DoD millions of dollars. You can read more in our recent case study “Defending the Federal Government from Cyber Attacks.”

htp

2,837 Bugs Resolved With DoD’s Vulnerability Disclosure Policy

The DoD’s Vulnerability Disclosure Policy (VDP) is another essential, likely less talked about, part of the Hack the Pentagon initiative pioneered by DoD’s Defense Digital Service team.

A VDP is the, “see something say something of the internet”. DoD’s policy, and others like it, provide clear guidance for any hacker anywhere in the world to safely report a potential vulnerability so it can be resolved. Maintaining the security of the DoD’s networks is a top priority and their VDP is another proven way to resolve unknown security issues.

While a bounty or cash incentives are not awarded for vulnerabilities reported through the VDP, that has not stopped hackers eager to do their part to help protect the DoD’s assets. Nearly 650 hackers from more than 50 countries have successfully reported valid vulnerabilities through the VDP.

Thanks to these hackers and the pioneering team at DoD, 2,837 security vulnerabilities have been resolved in nearly 40 DoD components. Of these vulnerabilities, over 100 have been high or critical severity issues, including remote code executions, SQL injections, and ways to bypass authentication.

While the majority of participating hackers have been from United States, the top contributing countries include India, Great Britain, Pakistan, Philippines, Egypt, Russia, France, Australia and Canada. More here, at least this was a positive objective, we think.

*** Related reading: Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says

Hacking Through Aircraft Wi-Fi

A Department of Homeland Security official admitted that a team of experts remotely hacked a Boeing 757 parked at an airport.

During a keynote address on Nov. 8 at the 2017 CyberSat Summit, a Department of Homeland Security (DHS) official admitted that he and his team of experts remotely hacked into a Boeing 757.

This hack was not conducted in a laboratory, but on a 757 parked at the airport in Atlantic City, N.J. And the actual hack occurred over a year ago. We are only now hearing about it thanks to a keynote delivered by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” Hickey said in an article in Avionics Today. “[That] means I didn’t have anybody touching the airplane; I didn’t have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft.”

While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.”

We’ve been hearing about how commercial airliners could be hacked for years.

You might remember when a governmental watchdog admitted that the interconnectedness of modern commercial airliners could “potentially provide unauthorized remote access to aircraft avionics systems.” The concern was that a hacker could go through the Wi-Fi passenger network to hijack a plane while it was in flight.

And in a 2015 report by the U.S. Government Accountability Office (pdf), the agency warned, “Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”

At the time, U.S. Rep. Peter DeFazio (D-Ore.) said, the “FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system.”

The same year, security researcher Chris Roberts ended up in hot water with the feds after tweeting about hacking the United Airlines plane he was traveling on. The FBI claimed Roberts said he took control of the navigation.

A Hack In The Box presentation by Hugo Teso in 2013 suggested that thanks to the lack of authentication features in the protocol Aircraft Communications Addressing and Report System (ACARS), an airliner could be controlled via an Android app. Flight management software companies, as well as the FAA, disputed Teso’s claims.

All of that means that airline pilots have heard of those vulnerabilities before, too. Yet at a technical meeting in March 2017, several shocked airline pilot captains from American Airlines and Delta were briefed on the 2016 Boeing 757 hack. Hickey said, “All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible.’”

As CBS News pointed out, Boeing stopped producing 757s in 2004, but that aircraft is still used by major airlines, such as American, Delta and United. President Trump has a 757, and Vice President Pence also uses one. In fact, Avionics Today claimed 90 percent of commercial planes in the sky are legacy aircraft that were not designed with security in mind.

Boeing told CBS that it firmly believes the test “did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.”

Furthermore, an unnamed official briefed on the test told CBS the results of the hack on an older aircraft was good information to have, adding, “but I’m not afraid to fly.” (Not feeling good about this aircraft hack at all, dont we have a missing plane or one that crashed where it was suspected there may have been a hack involved?)

Trifecta of Intel Chaos, Shadow Brokers, Wikileaks, NSA

photo

WikiLeaks announces “Vault 8”

Those releases were part of a series of leaks WikiLeaks called Vault 7. Now, WikiLeaks says Hive is just the first of a long string of similar releases, a series WikiLeaks calls Vault 8, which will consist of source code for tools previously released in the Vault 7 series.

The WikiLeaks announcement has sent shivers up the spines of infosec experts everywhere, as it reminded them of April this year when a hacking group named The Shadow Brokers published cyber-weapons allegedly stolen from the NSA.

Some of the tools included in that release have been incorporated in many malware families and have been at the center of all three major ransomware outbreaks that have taken place n 2017 — WannaCry, NotPetya, and Bad Rabbit. More here.

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide

 

WASHINGTON — Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, the cybersecurity expert was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence.

Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.

America’s largest and most secretive intelligence agency had been deeply infiltrated.

“They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”

The jolt to Mr. Williams from the Shadow Brokers’ riposte was part of a much broader earthquake that has shaken the N.S.A. to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the N.S.A., calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

“These leaks have been incredibly damaging to our intelligence and cyber capabilities,” said Leon E. Panetta, the former defense secretary and director of the Central Intelligence Agency. “The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected.”

With a leak of intelligence methods like the N.S.A. tools, Mr. Panetta said, “Every time it happens, you essentially have to start over.”

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

A screenshot taken as ransomware affected systems worldwide last summer. The Ukrainian government posted the picture to its official Facebook page.

Millions of people saw their computers shut down by ransomware, with demands for payments in digital currency to have their access restored. Tens of thousands of employees at Mondelez International, the Oreo cookie maker, had their data completely wiped. FedEx reported that an attack on a European subsidiary had halted deliveries and cost $300 million. Hospitals in Pennsylvania, Britain and Indonesia had to turn away patients. The attacks disrupted production at a car plant in France, an oil company in Brazil and a chocolate factory in Tasmania, among thousands of enterprises affected worldwide.

American officials had to explain to close allies — and to business leaders in the United States — how cyberweapons developed at Fort Meade in Maryland, came to be used against them. Experts believe more attacks using the stolen N.S.A. tools are all but certain.

Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s cyberarsenal is still being replaced, curtailing operations. Morale has plunged, and experienced cyberspecialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the N.S.A.’s leaked tools.

“It’s a disaster on multiple levels,” Mr. Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”

In response to detailed questions, an N.S.A. spokesman, Michael T. Halbig, said the agency “cannot comment on Shadow Brokers.” He denied that the episode had hurt morale. “N.S.A. continues to be viewed as a great place to work; we receive more than 140,000 applications each year for our hiring program,” he said.

Compounding the pain for the N.S.A. is the attackers’ regular online public taunts, written in ersatz broken English. Their posts are a peculiar mash-up of immaturity and sophistication, laced with profane jokes but also savvy cultural and political references. They suggest that their author — if not an American — knows the United States well.

“Is NSA chasing shadowses?” the Shadow Brokers asked in a post on Oct. 16, mocking the agency’s inability to understand the leaks and announcing a price cut for subscriptions to its “monthly dump service” of stolen N.S.A. tools. It was a typically wide-ranging screed, touching on George Orwell’s “1984”; the end of the federal government’s fiscal year on Sept. 30; Russia’s creation of bogus accounts on Facebook and Twitter; and the phenomenon of American intelligence officers going to work for contractors who pay higher salaries.

The Shadow Brokers have mocked the N.S.A. in regular online posts and released its stolen hacking tools in a “monthly dump service.”

One passage, possibly hinting at the Shadow Brokers’ identity, underscored the close relationship of Russian intelligence to criminal hackers. “Russian security peoples,” it said, “is becoming Russian hackeres at nights, but only full moons.”

Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the C.I.A.’s Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved. Together, the flood of digital secrets from agencies that invest huge resources in preventing such breaches is raising profound questions.

Have hackers and leakers made secrecy obsolete? Has Russian intelligence simply outplayed the United States, penetrating the most closely guarded corners of its government? Can a work force of thousands of young, tech-savvy spies ever be immune to leaks?

Some veteran intelligence officials believe a lopsided focus on offensive cyberweapons and hacking tools has, for years, left American cyberdefense dangerously porous.

“We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.”

America’s Cyber Special Forces

At the heart of the N.S.A. crisis is Tailored Access Operations, the group where Mr. Williams worked, which was absorbed last year into the agency’s new Directorate of Operations.

The N.S.A.’s headquarters at Fort Meade in Maryland. Cybertools the agency developed have been picked up by hackers from North Korea to Russia and shot back at the United States and its allies. Jim Lo Scalzo/European Pressphoto Agency

T.A.O. — the outdated name is still used informally — began years ago as a side project at the agency’s research and engineering building at Fort Meade. It was a cyber Skunk Works, akin to the special units that once built stealth aircraft and drones. As Washington’s need for hacking capabilities grew, T.A.O. expanded into a separate office park in Laurel, Md., with additional teams at facilities in Colorado, Georgia, Hawaii and Texas.

The hacking unit attracts many of the agency’s young stars, who like the thrill of internet break-ins in the name of national security, according to a dozen former government officials who agreed to describe its work on the condition of anonymity. T.A.O. analysts start with a shopping list of desired information and likely sources — say, a Chinese official’s home computer or a Russian oil company’s network. Much of T.A.O.’s work is labeled E.C.I., for “exceptionally controlled information,” material so sensitive it was initially stored only in safes. When the cumulative weight of the safes threatened the integrity of N.S.A.’s engineering building a few years ago, one agency veteran said, the rules were changed to allow locked file cabinets.

The more experienced T.A.O. operators devise ways to break into foreign networks; junior operators take over to extract information. Mr. Williams, 40, a former paramedic who served in military intelligence in the Army before joining the N.S.A., worked in T.A.O. from 2008 to 2013, which he described as an especially long tenure. He called the work “challenging and sometimes exciting.”

T.A.O. operators must constantly renew their arsenal to stay abreast of changing software and hardware, examining every Windows update and new iPhone for vulnerabilities. “The nature of the business is to move with the technology,” a former T.A.O. hacker said.

Long known mainly as an eavesdropping agency, the N.S.A. has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the N.S.A.

The same implant can be used for many purposes: to steal documents, tap into email, subtly change data or become the launching pad for an attack. T.A.O.’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz nuclear plant caused centrifuges enriching uranium to self-destruct. The T.A.O. was also critical to attacks on the Islamic State and North Korea.

It was this cyberarsenal that the Shadow Brokers got hold of, and then began to release.

Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called “ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.

Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.

But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.

After 15 months of investigation, officials still do not know what was behind the Shadow Brokers disclosures — a hack, with Russia as the most likely perpetrator, an insider’s leak, or both.

Some officials doubt that the Shadow Brokers got it all by hacking the most secure of American government agencies — hence the search for insiders. But some T.A.O. hackers think that skilled, persistent attackers might have been able to get through the N.S.A.’s defenses — because, as one put it, “I know we’ve done it to other countries.”

The Shadow Brokers have verbally attacked certain cyberexperts, including Mr. Williams. When he concluded from their Twitter hints that they knew about some of his hacks while at the N.S.A., he canceled a business trip to Singapore. The United States had named and criminally charged hackers from the intelligence agencies of China, Iran and Russia. He feared he could be similarly charged by a country he had targeted and arrested on an international warrant.

He has since resumed traveling abroad. But he says no one from the N.S.A. has contacted him about being singled out publicly by the Shadow Brokers.

“That feels like a betrayal,” he said. “I was targeted by the Shadow Brokers because of that work. I do not feel the government has my back.”

The Hunt for an Insider

For decades after its creation in 1952, the N.S.A. — No Such Agency, in the old joke — was seen as all but leakproof. But since Mr. Snowden flew away with hundreds of thousands of documents in 2013, that notion has been shattered.

The Snowden trauma led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

Mr. Martin’s gargantuan collection of stolen files included much of what the Shadow Brokers have, and he has been scrutinized by investigators as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.

But according to former N.S.A. employees who are still in touch with active workers, investigators of the Shadow Brokers thefts are clearly worried that one or more leakers may still be inside the agency. Some T.A.O. employees have been asked to turn over their passports, take time off their jobs and submit to questioning. The small number of cyberspecialists who have worked both at T.A.O. and at the C.I.A. have come in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.

Then there are the Shadow Brokers’ writings, which betray a seeming immersion in American culture. Last April, about the time Mr. Williams was discovering their inside knowledge of T.A.O. operations, the Shadow Brokers posted an appeal to President Trump: “Don’t Forget Your Base.” With the ease of a seasoned pundit, they tossed around details about Stephen K. Bannon, the president’s now departed adviser; the Freedom Caucus in Congress; the “deep state”; the Alien and Sedition Acts; and white privilege.

“TheShadowBrokers is wanting to see you succeed,” the post said, addressing Mr. Trump. “TheShadowBrokers is wanting America to be great again.”

The mole hunt is inevitably creating an atmosphere of suspicion and anxiety, former employees say. While the attraction of the N.S.A. for skilled cyberoperators is unique — nowhere else can they hack without getting into legal trouble — the boom in cybersecurity hiring by private companies gives T.A.O. veterans lucrative exit options.

Got a confidential news tip?

The New York Times would like to hear from readers who want to share messages and materials with our journalists.

Young T.A.O. hackers are lucky to make $80,000 a year, while those who leave routinely find jobs paying well over $100,000, cybersecurity specialists say. For many workers, the appeal of the N.S.A’s mission has been more than enough to make up the difference. But over the past year, former T.A.O. employees say an increasing number of former colleagues have called them looking for private-sector work, including “graybeards” they thought would be N.S.A. lifers.

“Snowden killed morale,” another T.A.O. analyst said. “But at least we knew who he was. Now you have a situation where the agency is questioning people who have been 100 percent mission-oriented, telling them they’re liars.”

Because the N.S.A. hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit.

Some agency veterans have seen projects they worked on for a decade shut down because implants they relied on were dumped online by the Shadow Brokers. The number of new operations has declined because the malware tools must be rebuilt. And no end is in sight.

“How much longer are the releases going to come?” a former T.A.O. employee asked. “The agency doesn’t know how to stop it — or even what ‘it’ is.”

One N.S.A. official who almost saw his career ended by the Shadow Brokers is at the very top of the organization: Adm. Michael S. Rogers, director of the N.S.A. and commander of its sister military organization, United States Cyber Command. President Barack Obama’s director of national intelligence, James R. Clapper Jr., and defense secretary, Ashton B. Carter, recommended removing Admiral Rogers from his post to create accountability for the breaches.

But Mr. Obama did not act on the advice, in part because Admiral Rogers’ agency was at the center of the investigation into Russia’s interference in the 2016 election. Mr. Trump, who again on Saturday disputed his intelligence agencies’ findings on Russia and the election, extended the admiral’s time in office. Some former intelligence officials say they are flabbergasted that he has been able to hold on to his job.

A Shadow War With Russia?

Lurking in the background of the Shadow Brokers investigation is American officials’ strong belief that it is a Russian operation. The pattern of dribbling out stolen documents over many months, they say, echoes the slow release of Democratic emails purloined by Russian hackers last year.

But there is a more specific back story to the United States-Russia cyber rivalry.

Starting in 2014, American cybersecurity researchers who had been tracking Russia’s state-sponsored hacking groups for years began to expose them in a series of research reports. American firms, including Symantec, CrowdStrike and FireEye, reported that Moscow was behind certain cyberattacks and identified government-sponsored Russian hacking groups.

The Moscow headquarters of Kaspersky Lab, a Russian cybersecurity firm that hunted for N.S.A. malware. Kirill Kudryavtsev/Agence France-Presse — Getty Images

In the meantime, Russia’s most prominent cybersecurity firm, Kaspersky Lab, had started work on a report that would turn the tables on the United States. Kaspersky hunted for the spying malware planted by N.S.A. hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists, officials said.

Kaspersky was, in a sense, simply doing to the N.S.A. what the American companies had just done to Russian intelligence: Expose their operations. And American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found. The T.A.O. hackers knew that when Kaspersky updated its popular antivirus software to find and block the N.S.A. malware, it could thwart spying operations around the world.

So T.A.O. personnel rushed to replace implants in many countries with new malware they did not believe the Russian company could detect.

In February 2015, Kaspersky published its report on the Equation Group — the company’s name for T.A.O. hackers — and updated its antivirus software to uproot the N.S.A. malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence. By some accounts, however, N.S.A. officials were relieved that the Kaspersky report did not include certain tools they feared the Russian company had found.

As it would turn out, any celebration was premature.

On Aug. 13 last year, a new Twitter account using the Shadow Brokers’ name announced with fanfare an online auction of stolen N.S.A. hacking tools.

“We hack Equation Group,” the Shadow Brokers wrote. “We find many many Equation Group cyber weapons.”

Inside the N.S.A., the declaration was like a bomb exploding. A zip file posted online contained the first free sample of the agency’s hacking tools. It was immediately evident that the Shadow Brokers were not hoaxsters, and that the agency was in trouble.

The leaks have renewed a debate over whether the N.S.A. should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying — rather than immediately alert software makers so the holes can be plugged. The agency claims it has shared with the industry more than 90 percent of flaws it has found, reserving only the most valuable for its own hackers. But if it can’t keep those from leaking, as the last year has demonstrated, the resulting damage to businesses and ordinary computer users around the world can be colossal. The Trump administration says it will soon announce revisions to the system, making it more transparent.

Mr. Williams said it may be years before the “full fallout” of the Shadow Brokers breach is understood. Even the arrest of whoever is responsible for the leaks may not end them, he said — because the sophisticated perpetrators may have built a “dead man’s switch” to release all remaining files automatically upon their arrest.

“We’re obviously dealing with people who have operational security knowledge,” he said. “They have the whole law enforcement system and intelligence system after them. And they haven’t been caught.”