Platt Perspective on Business and Technology

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 4

Posted in business and convergent technologies, in the News by Timothy Platt on February 13, 2015

This is my 23rd installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and that directory’s Page 2, posting 296 and following for Parts 16-22.) This is also my eighth installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

I have, in this subseries, been working my way through a progression of issues that relate operationally to United States cybersecurity doctrine and practice, and ended Part 21 by stating that I would finish that part of this overall discussion in this installment, addressing two final points:

1. The specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.
2. And China and their cybersecurity and intelligence gathering activities, as viewed from the perspective of this context and as a special case in point.

I have not explicitly discussed the USA PATRIOT Act all that often in my discussions of US cybersecurity doctrine and practice, and whether viewed from a more strategic or a more operational perspective. But I do explicitly note here that this law has come to serve as a foundation for much, if not most all of what has followed it in establishing and carrying through on US cyber-policy, and certainly where issues of government access to private information and communications are involved.

I initially wrote Part 21 of this series in October, 2014 where I did mention this law by name. And I add that I have been thinking about US national cybersecurity in terms of this law since it was first enacted. And then between the day that I finished writing and uploading Part 21 to this series and today when I write this next series installment (November 22, 2014), events have developed that make explicit reference to this law both topically germane and essential for explicit discussion.

The PATRIOT Act was initially signed into law by then president George W. Bush on October 26, 2001. The timing there is crucially important; this law was initially conceived, drafted in all of its complexity, reviewed and argued in Congress, passed by both the US House of Representatives and by the US Senate and brought to the White House Oval Office for signing, and all within a very tight timeframe with that beginning as the immediate initial shock of the September 11, 2001 attacks began to wear off. And the complexity and scope of this law created openings for, and legal justification for what rapidly came to be essentially open-ended online and telephonic surveillance and without need for review or warrant issuance from a standard court of law as organized and run under the US Department of Justice. In practice, all implementation decisions made pursuant to this law were, and have continued to be turned over to a special secret court: the United States Foreign Intelligence Surveillance Court (FISA Court) as initially set up in 1978 under the Foreign Intelligence Surveillance Act (FISA).

The September 11 attacks by forces of Al-Qaeda were seen by many, and certainly in Congress and the White House, as representing the first direct blow on American soil from a fanatical terrorist organization that sought to become an existential threat to the United States and to all that it stands for. And very importantly, this attack was acknowledged as representing simply one more large-scale and significant event in a series of attacks that this organization had already launched, both against United States interests and against those of its allies. Al-Qaeda had already developed a track record of carrying out large-scale, carefully planned terrorist attacks and in that regard I would cite their:

• Bombing of American and other embassies (e.g. the all but simultaneous August 7, 1998 truck bombings of the US embassies in Dar es Salaam and Nairobi), and their
• Attack on a US naval vessel with loss of life there too (the October 12, 2000 attack on the USS Cole: an Arleigh Burke-class Aegis-equipped guided missile destroyer and one of the US Navy’s most advanced combat-capable vessels).

When Al-Qaeda launched their attacks on September 11, 2001 they already had an established track record that showed both their capability for causing harm, and their willingness to do so. 9/11 served as a wakeup call, and one of the key lessons learned was that Al-Qaeda was able to carry out so many attacks, including that day’s attacks, in large part because of systematic, ongoing US intelligence gathering failures. Information that was necessary for ensuring national security was not being gathered by the appropriate agencies of the United States federal government and when it was, it was not being shared or even looked at. Critically, in that regard, an after-the-fact review of what had been known about the Al-Qaeda team and its members who carried out the 9/11 attacks found that enough was known about them in advance so that if this raw intelligence data could have been assembled together, this attack with its thousands of lives lost might have been avoided. I have already discussed the issue of how realistic that conclusion was, in earlier series postings and simply repeat this point here as one that was accepted by the US government as if it were absolute and irrefutable truth.

• The Department of Homeland Security was put in place as a response to the 9/11 attacks, as an overarching national security entity to facilitate bringing information that is gathered, together in one place so it can be more effectively identified for its value and connectedness and used.
• The USA PATRIOT Act, with that acronym standing for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, was drafted and enacted with a goal of increasing the overall reach and completeness of critical national intelligence information gathering.

And with that background in place, which I admit here, consists largely of points and details that I have noted before in this blog, point by point through a succession of other postings, I come to the news of this specific posting, and more specifically to Title II of the PATRIOT Act which covers legally defined and legally approved use of “enhanced surveillance procedures.”

The USA PATRIOT Act was initially drafted and enacted with a tight focus on enabling more effective surveillance of, and action with regard to foreign and foreign-based threats to United States national security and to the US public. This came to include a wide ranging ensemble of open-ended online and internet-based, and telephone systems surveillance programs that under FISA Court approval came to include open-ended sweeps of data from and concerning both foreign nationals and American citizens; quite simply, the PATRIOT Act was drafted with an explicit foreign threat charter but it was determined that in practice, that distinction was impossible to always cleanly and clearly make. So while the express goal of these surveillance programs was and has been on foreign-based threats and on surveillance of direct participants in them, this has operationally led to open-ended surveillance on essentially everyone.

Title II of this Act was set up with a sunset provision (in its Section 224) that set an initial expiration date of December 21, 2005 for most all of the provisions of the 25 surveillance-related Sections in it. That expiration date has been moved forward by subsequent legislation several times now and is currently set to occur on June 1, 2015. And that brings me directly to news events that are transpiring as I write this and that are bound to continue to develop over the coming months from now.

• Congressional challenges have put in serious doubt any further extension of the expiration date for Title II-specified enhanced surveillance procedures, as spelled out by the USA PATRIOT Act and sequentially approved by the FISA Court,
• With a wide range of ongoing massively large-scale open-ended surveillance programs currently in place, facing distinct danger of losing their legal basis for continuance.

This most overtly means a much more likely closure of programs that have been used to vacuum up vast amounts of telephone system caller-metadata – about who calls whom, and from where and to where and for how long and when and how often. This also directly threatens the continuance of a wide range of other, less publicly known surveillance programs as well. And high ranking spokesperson representatives of the Obama administration have already started at least floating the prospect that President Obama might continue these programs anyway, citing a separate section in the PATRIOT Act for legal justification: Section 215 of the PATRIOT Act, or rather a note appended to it that has remained in place through a series of updates and revisions to this law.

This same law that mandates a sunset provision expiration date for surveillance programs that are not terminated earlier upon their completion, also contains provisions for continuing ongoing investigations until they are completed with the programs and resources that have already been approved for them and until those investigations are formally deemed completed. Al-Qaeda still exists and is still the subject of numerous ongoing investigations, both against individual members of that organization and against the organization as a whole. What proponents of this aspect of the operational side of the Obama cybersecurity doctrine would argue, is that legally set expiration dates notwithstanding, these surveillance programs are grandfathered in, at least until all already ongoing Al-Qaeda investigations are concluded, whether individual or organizational in nature. And they are grandfathered in, according to this logic, for any and all other still-ongoing operations too, as long as those operations are formally in place before June 1, 2015 – to cite the current sunset provision date in place.

As noted above, my goal for this posting was to address the last two numbered discussion points that I repeated at the top of this posting. Then developing events intervened. I will address them in my next series installment, citing this posting as well as earlier ones in this series as background for that discussion to come. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.

