CIA Wanted To Throw The CFAA At Senate Staffers For Unauthorized Googling
from the stop-accessing-documents-we-couldn't-be-bothered-to-properly-secure! dept
Marcy Wheeler has picked up on an interesting claim made in the CIA’s “We Did Nothing Wrong” report. This report — an in-house investigation of the CIA’s snooping on/hacking Senate staffers during the compilation of the Torture Report — tossed out the Inspector General’s findings and cleared the agency of any misconduct. It then went on to disingenuously claim that it was the Senate, not the CIA, that broke the rules.
According to the CIA’s investigators, Senate staffers accessed documents they weren’t supposed to see, apparently by “abusing” the shared network set up explicitly for the Torture Report compilation. What Wheeler spotted — in a very thorough fisking of the CIA investigative report by Katherine Hawkins of Just Security — is the attempted criminalization of Google searches.
As Hawkins summarizes, the crime report was based off a flaw in the Google search that CIA’s own contractor had built into the system.
“On February 7, 2014, the CIA’s Acting General Counsel Robert Eatinger (whose name is redacted from the OIG report) filed a crimes report against Senate staff with the Department of Justice. The OIG report found that the crimes report “was unfounded,” in part because Eatinger “had been provided inaccurate information on which the letter was based.” In particular, the OIG wrote:
[T]he crimes report stated that SSCI staffers might have exploited a software vulnerability on RDINet to obtain access to the [Panetta Review documents], in violation of the Computer Fraud and Abuse Act … The report was solely based on inaccurate information provided by the two [Office of the General Counsel] attorneys [to the Office of Security].
The OIG report found that there was indeed “a vulnerability” with the Google search tool that the CIA provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings” from 2009 to April 2013. But contrary to the CIA lawyer’s memorandum and the crimes report to DOJ, OIG found no evidence that Senate staff had deliberately “exploited” this flaw until CIA personnel “confronted them” with inappropriately accessed documents. Rather, it was SSCI staff who brought the vulnerability to the CIA’s attention. On November 1, 2012, a SSCI staff member alerted CIA staff that the search tool “was indexing the Majority staff work product on a shared drive,” and asked them to make it stop. The CIA did not act on this request for months. Then in 2013, a SSCI staff member requested “a number of detainee videos not provided to the SSCI by the CIA,” based on a spreadsheet that a CIA employee recognized as being from the Panetta Review. After this incident, in April 2013, CIA IT staff finally discovered and repaired the flaw with the Google search tool.”
So, the CIA deployed an insecure system, was warned about it, but never bothered to do anything about it until it came across documents the Senate supposedly wasn’t allowed to have.
As Hawkins points out in her Just Security post, the ongoing accusation that the Senate “hacked” the CIA’s servers is pure BS. None other than Senator Feinstein addressed this bogus claim on the Senate floor in March of 2014:
[C]ommittee staff did not “hack” into CIA computers to obtain these documents as has been suggested in the press. The documents were identified using the search tool provided by the CIA to search the documents provided to the committee.
It was no hack, but the CIA attempted to hurl a Senate staffer into the jaws of the CFAA — a law that magically turns those who discover security flaws into felons. In its February 2014 letter to Eric Holder, the CIA’s counsel describes the alleged hacking as nefarious exploitation of its (admittedly insecure) search function.
The information made available to me indicates that in the November 2010 timeframe, the non-employee conducted a search that appeared intended to reach into part of the computer system to which the non-employee did not have authorized access. In such a circumstance, the system was designed to bring up on the workstation screen a page that advised the non-employee was not authorized to access that document. This page, however, had the security vulnerability that has since been discovered and remedied. The security vulnerability was that the page also contained a “URL” that indicated where the document was located on the system and if an individual copied the URL and pasted it into the browser’s address bar, the individual could gain access to the document, copy it, bring that copy across the firewall, and paste it into a folder on his or her side of the firewall. The information made available to me indicates the non-employee copied the URL, pasted it directly into the browser’s bar, and accessed the document.
That’s incredibly poor security for a bunch of documents the CIA clearly didn’t want the Senate to access. And it wasn’t cheap, either. This custom Google search and server set-up was apparently a large portion of the $40 million spent to compile the Torture Report. And let’s not forget that this vulnerability was undiscovered for over two years and not immediately patched when it eventually was discovered.
A staffer finding a flaw in a system isn’t hacking, no matter how much the CIA wants it to be. But the CFAA allows the government to use the law’s most charitable readings when prosecuting “hackers.” The CIA finds wrongdoing everywhere but never in its own backyard. Its management, employees and contractors who presided over its illegal torture program will not be held accountable for their actions. But the CIA wanted the Senate to be held accountable for… holding the CIA accountable.
I know some of the staffers who wrote the torture report, including the probable subject of the crimes report to the DOJ. They do not leak and have never been credibly been accused of leaking. They do not confirm or deny information that is officially classified, no matter how obvious it is or how many years it has been in the public domain. They scrupulously continue to follow the classification restrictions that the CIA and the committee placed on them, no matter how absurd those restrictions are or how severe the crimes they conceal.
Nevertheless, the CIA searched their computer drives and their emails, and referred them to the DOJ for prosecution. Why? Because, in the course of an official Senate investigation into the torture program, they used a CIA-installed Google search tool to find CIA documents about the torture program. They read the documents, despite the fact that they contained a questionable stamp of “privilege,” and preserved them when they thought they were in danger of destruction. The staffers’ actions were not crimes or a security breach justifying a search of Senate computers. Their actions were oversight of an agency in sore need of it.
The CIA is a rogue agency, much like its counterparts, the FBI and NSA. It may be publicly embarrassed or wince at the criticism and condemnation thrown its way, but it ultimately answers to no one — not even after its worst behavior has been exposed. It walks away from a damning report pretty much intact and has the gall to suggest Senate staffers be punished for walking in and out of its firesieve with damaging documents in their hands.