CIA Wanted To Throw The CFAA At Senate Staffers For Unauthorized Googling

from the stop-accessing-documents-we-couldn't-be-bothered-to-properly-secure! dept

Marcy Wheeler has picked up on an interesting claim made in the CIA's "We Did Nothing Wrong" report. This report -- an in-house investigation of the CIA's snooping on/hacking Senate staffers during the compilation of the Torture Report -- tossed out the Inspector General's findings and cleared the agency of any misconduct. It then went on to disingenuously claim that it was the Senate, not the CIA, that broke the rules.

According to the CIA's investigators, Senate staffers accessed documents they weren't supposed to see, apparently by "abusing" the shared network set up explicitly for the Torture Report compilation. What Wheeler spotted -- in a very thorough fisking of the CIA investigative report by Katherine Hawkins of Just Security -- is the attempted criminalization of Google searches.
As Hawkins summarizes, the crime report was based off a flaw in the Google search that CIA’s own contractor had built into the system.

"On February 7, 2014, the CIA’s Acting General Counsel Robert Eatinger (whose name is redacted from the OIG report) filed a crimes report against Senate staff with the Department of Justice. The OIG report found that the crimes report “was unfounded,” in part because Eatinger “had been provided inaccurate information on which the letter was based.” In particular, the OIG wrote:

[T]he crimes report stated that SSCI staffers might have exploited a software vulnerability on RDINet to obtain access to the [Panetta Review documents], in violation of the Computer Fraud and Abuse Act … The report was solely based on inaccurate information provided by the two [Office of the General Counsel] attorneys [to the Office of Security].

The OIG report found that there was indeed “a vulnerability” with the Google search tool that the CIA provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings” from 2009 to April 2013. But contrary to the CIA lawyer’s memorandum and the crimes report to DOJ, OIG found no evidence that Senate staff had deliberately “exploited” this flaw until CIA personnel “confronted them” with inappropriately accessed documents. Rather, it was SSCI staff who brought the vulnerability to the CIA’s attention. On November 1, 2012, a SSCI staff member alerted CIA staff that the search tool “was indexing the Majority staff work product on a shared drive,” and asked them to make it stop. The CIA did not act on this request for months. Then in 2013, a SSCI staff member requested “a number of detainee videos not provided to the SSCI by the CIA,” based on a spreadsheet that a CIA employee recognized as being from the Panetta Review. After this incident, in April 2013, CIA IT staff finally discovered and repaired the flaw with the Google search tool."
So, the CIA deployed an insecure system, was warned about it, but never bothered to do anything about it until it came across documents the Senate supposedly wasn't allowed to have.

As Hawkins points out in her Just Security post, the ongoing accusation that the Senate "hacked" the CIA's servers is pure BS. None other than Senator Feinstein addressed this bogus claim on the Senate floor in March of 2014:
[C]ommittee staff did not “hack” into CIA computers to obtain these documents as has been suggested in the press. The documents were identified using the search tool provided by the CIA to search the documents provided to the committee.
It was no hack, but the CIA attempted to hurl a Senate staffer into the jaws of the CFAA -- a law that magically turns those who discover security flaws into felons. In its February 2014 letter to Eric Holder, the CIA's counsel describes the alleged hacking as nefarious exploitation of its (admittedly insecure) search function.
The information made available to me indicates that in the November 2010 timeframe, the non-employee conducted a search that appeared intended to reach into part of the computer system to which the non-employee did not have authorized access. In such a circumstance, the system was designed to bring up on the workstation screen a page that advised the non-employee was not authorized to access that document. This page, however, had the security vulnerability that has since been discovered and remedied. The security vulnerability was that the page also contained a "URL" that indicated where the document was located on the system and if an individual copied the URL and pasted it into the browser's address bar, the individual could gain access to the document, copy it, bring that copy across the firewall, and paste it into a folder on his or her side of the firewall. The information made available to me indicates the non-employee copied the URL, pasted it directly into the browser's bar, and accessed the document.
That's incredibly poor security for a bunch of documents the CIA clearly didn't want the Senate to access. And it wasn't cheap, either. This custom Google search and server set-up was apparently a large portion of the $40 million spent to compile the Torture Report. And let's not forget that this vulnerability was undiscovered for over two years and not immediately patched when it eventually was discovered.

A staffer finding a flaw in a system isn't hacking, no matter how much the CIA wants it to be. But the CFAA allows the government to use the law's most charitable readings when prosecuting "hackers." The CIA finds wrongdoing everywhere but never in its own backyard. Its management, employees and contractors who presided over its illegal torture program will not be held accountable for their actions. But the CIA wanted the Senate to be held accountable for… holding the CIA accountable.

Hawkins again:
I know some of the staffers who wrote the torture report, including the probable subject of the crimes report to the DOJ. They do not leak and have never been credibly been accused of leaking. They do not confirm or deny information that is officially classified, no matter how obvious it is or how many years it has been in the public domain. They scrupulously continue to follow the classification restrictions that the CIA and the committee placed on them, no matter how absurd those restrictions are or how severe the crimes they conceal.

Nevertheless, the CIA searched their computer drives and their emails, and referred them to the DOJ for prosecution. Why? Because, in the course of an official Senate investigation into the torture program, they used a CIA-installed Google search tool to find CIA documents about the torture program. They read the documents, despite the fact that they contained a questionable stamp of “privilege,” and preserved them when they thought they were in danger of destruction. The staffers’ actions were not crimes or a security breach justifying a search of Senate computers. Their actions were oversight of an agency in sore need of it.
The CIA is a rogue agency, much like its counterparts, the FBI and NSA. It may be publicly embarrassed or wince at the criticism and condemnation thrown its way, but it ultimately answers to no one -- not even after its worst behavior has been exposed. It walks away from a damning report pretty much intact and has the gall to suggest Senate staffers be punished for walking in and out of its firesieve with damaging documents in their hands.

Filed Under: cfaa, cia, doj, misconfigured tool, searching, senate, senate intelligence committee, torture report


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 9 Feb 2015 @ 11:41am

    "A staffer finding a flaw in a system isn't hacking, no matter how much the CIA wants it to be"


    Unless your name is Aaron Swartz, or any myriad other poor fools who had the misfortune of exposing security holes in corporate software.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Feb 2015 @ 1:58pm

      Re:

      You just have to accept that there are no security holes because there can't be because the security is perfect and noone could ever obtain information without evil hax done by devilish haxors. If said haxorosauros exist they don't for long...

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 11:46am

    NAIL THEM TO THE WALLL!!!

    Once no one wants to work for these cretins then they will change their tunes.

    Or worse... get their ilk exempted, which provides a sort of catch-22 situation.

    But I vote... NAIL THEM ALL TO THE WALL! Let their stupidity burn them for once!

    reply to this | link to this | view in chronology ]

  • identicon
    michael, 9 Feb 2015 @ 11:47am

    To quote Smokey & the Bandit ...

    "You assholes couldn't close an umbrella!"

    reply to this | link to this | view in chronology ]

  • identicon
    mcinsand, 9 Feb 2015 @ 11:51am

    subcontractor error?

    >>And let's not forget that this vulnerability was
    >>undiscovered for over two years and not immediately
    >>patched when it eventually was discovered.

    Hmmm...sounds like they're subcontracting their security maintenance out to Microsoft.

    reply to this | link to this | view in chronology ]

  • identicon
    Just Another Anonymous Troll, 9 Feb 2015 @ 11:51am

    PROOF GOOG IS EVIL!1!!!!one!
    -What bob will say.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 11:55am

    reply to this | link to this | view in chronology ]

    • identicon
      David, 9 Feb 2015 @ 12:07pm

      Re:

      Note in those cases, the user was identified and told to stop accessing the site (the users were considered in violations of T&C's and such). In this case, it really should be considered a case a common trespass, not some "hacking". After all, they could have similarly gone to the public library or a Starbucks hotspot and done the same thing.

      reply to this | link to this | view in chronology ]

  • identicon
    Agonistes, 9 Feb 2015 @ 11:58am

    Don't forget the DEA and bATFe.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 12:01pm

    as has been said so many times now, when a country is run by it's security forces, that country is in deep trouble, bordering on wiping democracy completely off the agenda! such is the case with the USA now. even the President has no say in what these agencies do. even when caught out by it's own doings, there is never any punishment handed out, and it would never be taken any notice of anyway! unlike the whistle blower John Kiriakou, who has been in prison for leaking the very acts that the head of the CIA himself admitted to having taken place. Leon Panetta got absolutely nothing, not even a telling off! the reason? there is no one above him who can do so!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Feb 2015 @ 12:16pm

      Re:

      Based on the voting history of congress over the past 40 years, it is already being run by the alphabets.

      reply to this | link to this | view in chronology ]

    • icon
      Padpaw (profile), 10 Feb 2015 @ 10:12am

      Re:

      when the president can leak military secrets that gets an entire seal team killed for political gain, and get away with it.

      Seal team 6 if anyone was curious.

      corruption starts at the top and trickles down. those underlings notice the top men get away with treason, and figure they can too. Since charging them for their crimes would then get themselves arrested for their crimes everyone ignores what everyone else does.

      The average citizen wakes up to find he has no rights anymore, because the people he trusted to look out for him discovered overwatch is nonexistent at this point

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 10 Feb 2015 @ 10:29am

        Re: Re:

        "The average citizen wakes up to find he has no rights anymore, because the people he trusted to look out for him discovered overwatch is nonexistent at this point"

        The mistake is in trusting others to look out for your rights in the first place. That's always a really terrible idea, since in doing so you are in effect handing your rights over to someone else.

        The only person you can trust to look out for your rights is yourself. Such is as it has always been.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 12:14pm

    "even the President has no say in what these agencies do"

    Let's not forget that the current president made it a centerpiece of his campaign that if elected, he would reverse the unconstitutional "national security" policies of his predecessor.

    Instead, he did the exact opposite of what he promised and expanded the government's war against its own people.

    reply to this | link to this | view in chronology ]

    • identicon
      David, 9 Feb 2015 @ 1:50pm

      Re:

      Instead, he did the exact opposite of what he promised and expanded the government's war against its own people.

      It was probably pointed out to him that the FBI had so many mentally deranged "solitary" assassins apply for doing a JFK job on him that they had to enter them in a lottery.

      Perhaps he wanted to be the first black president of the United States also finishing his elected terms.

      Arguably JFK has been more of a president in the time he lived to serve than Obama.

      reply to this | link to this | view in chronology ]

    • identicon
      screwd again, 9 Feb 2015 @ 3:05pm

      reality is a scam

      You are Correct. He has taken brazen, in your face lying to a whole new level

      reply to this | link to this | view in chronology ]

      • icon
        Padpaw (profile), 10 Feb 2015 @ 10:15am

        Re: reality is a scam

        sadly some people still feel guilty over that whole slavery nonsense their ancestors did. So they give Obama a free reign because he is black.

        As a disclaimer I do not judge a person by what they look like only what actions they take. Since I have never owned slaves or supported slavery I feel no guilt over what my ancestors may have done. Otherwise I would feel guilty for every war and atrocity done in the past several centuries

        reply to this | link to this | view in chronology ]

        • icon
          Seegras (profile), 12 Feb 2015 @ 2:51am

          Re: Re: reality is a scam

          sadly some people still feel guilty over that whole slavery nonsense their ancestors did

          Surveillance is the spiritual successor of slavery. They should feel guilty about it.

          reply to this | link to this | view in chronology ]

  • identicon
    Whoever, 9 Feb 2015 @ 1:01pm

    "The CIA is a rogue agency,"

    I don't think that this is true at all. Instead, I believe that the CIA is massively incompetent at its core mission.

    Its leaders want to hide that incompetence.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 9 Feb 2015 @ 4:31pm

      Re: "The CIA is a rogue agency,"

      As I've noted on another article, incompetence would be an improvement, most of the government agencies show downright malicious intent in their actions, actively making things worse.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 1:09pm

    The OIG report found that there was indeed “a vulnerability” with the Google search tool that the CIA provided to the committee, which was “not configured to enforce access rights or search permissions within RDINet and its holdings” from 2009 to April 2013.

    So rather than bitch-slap the fucktard who allowed this vulnerability to get through they go after the folks who used the tool?

    Well, I guess it's easier than admitting you're at best inept, and at worst incompetent.
    Can anyone say "entrapment?"

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Feb 2015 @ 2:01pm

    Goggle

    I'm not an expert but maybe, just maybe, if you can't distinguish between SE"O" and SE"CURE" maybe you shouldn't do the job.

    reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 9 Feb 2015 @ 2:15pm

    In other words

    The security vulnerability was that the page also contained a "URL" that indicated where the document was located on the system and if an individual copied the URL and pasted it into the browser's address bar, the individual could gain access to the document


    In other words, the security was nonexistent? Because copying and pasting links like that is a very, very common thing to do -- I do it almost daily (mostly to bypass terrible user interfaces).

    The truly scary thing is that this is the freaking CIA, using systems that are so insecure that any 10 year old could have stumbled into the breach without even noticing.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Feb 2015 @ 2:56pm

      Re: In other words

      "The truly scary thing is that this is the freaking CIA, using systems that are so insecure that any 10 year old could have stumbled into the breach without even noticing."

      But isn't jaw-dropping incompetence the central component of any government work? Consider the 'Obamacare' website, which any (private-sector) web developer would say could have been done (bug-free) for a tiny fraction of the cost. The IRS's missing emails is another example.

      So by typical government standards, the CIA actually didn't do too badly.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Feb 2015 @ 7:41pm

      Re: In other words

      This doesn't even seem like exploiting a vulnerability. If I'd run into the URL & had to c&p it, I'd have assumed that it was because of poor user interface design, not that I was working around the system's defenses.

      It seems weird to me that the CIA is so willing to admit to its own idiocy and lack of security.

      reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 9 Feb 2015 @ 11:22pm

    "If you are not for us you are a terrorist"

    Sums up how things work among the CIA and all those other terror causing alphabet agencies

    reply to this | link to this | view in chronology ]

  • identicon
    me, 10 Feb 2015 @ 5:06am

    The Senate is the government, not the CIA

    They've gone rogue, negating any legitimacy.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.