Too many leaks to count

A recent Sunday Times front page attention-grabber (that link’s paywalled, but here’s a liberated copy) seemed to suggest that Chinese and Russian governments obtained and/or stole and cracked the encryption of the NSA documents released by Edward Snowden. The evidence cited is that an anonymous 10 Downing Street aide said “It is the case that Russians and Chinese have information.” The rest is a mish-mash. Parts of the article seem to hint that Snowden handed it over to the Russians, and other sections suggest it was hacked into. There appear to be multiple parallel realities that the same article is trying to keep in alignment in spite of their obvious contradictions.

This post isn’t going to take apart each of the article’s points. That’s been done more than well enough by the following:

  1. Journalist Ryan J. Gallagher points out 10 fundamental flaws in the Sunday Times story (some of which the Times have addressed by deleting paragraphs in the online version without notice or explanation).
  2. Glenn Greenwald dismantles every line in the article in his own inimitable style.
  3. The Independent offers some ideas on the possible reason why 10 Downing Street would “leak” such a flawed statement.
  4. Ewen MacAskill asks five questions about the Sunday Times report that the UK government “has an obligation” to answer.
  5. For balance: Here’s one of the reporters sticking up for his work on CNN.

One thing is fairly likely: Chinese, Russian (and likely other) intelligence agencies have some amount of information on British and American — and perhaps other allies’ — methods and assets. For the sake of argument, let’s take that bit for granted. Does that mean this information came from Snowden’s encrypted disc of PDFs? No.

The burden of proof is on whoever is making the assertion. To discredit a claim, we don’t have to prove something didn’t happen (which can’t really be done), but scrutinise whether the claim is itself the most likely or definitive version of events. Is there evidence? Are there other equally plausible or more likely scenarios? In science, you could call it falsifiability. In journalism, this can be achieved using corroborating sources, verified documents, video, images, source data, etc. Could someone else look at the same information and come up with a different conclusion?

The Sunday Times takes an anonymous Downing Street official’s cui bono (who benefits?) approach. The information they cite from a single source goes like this: Our enemies have our secrets and Snowden has been in both those countries, so he must have given the secrets to them.

“The confirmation is the first evidence that Snowden’s disclosures have exacted a human toll. ‘Why do you think Snowden ended up in Russia?’ said a senior Home Office source. ‘Putin didn’t give him asylum for nothing. His documents were encrypted but they weren’t completely secure and we have now seen our agents and assets being targeted.'”
From the article

Cui bono is useful to pursue a line of inquiry, but it’s not evidence itself. Just because you stand to inherit a lot of money doesn’t actually mean you killed your parents, but police may check out where you were on the night and if your fingerprints are on the gun. Two events aren’t necessarily related just because someone has said them together in the same sentence. So, if we’re concerned about massive amounts of this kind of data ending up in the wrong hands, what are some parallel leads to pursue?

Other possible lines of inquiry

Why use a rogue contractor when you can go to the source for better targeted data?

It’s been recently discovered that U.S. Office of Personnel Management data has been hijacked on at least two occasions, allegedly by Chinese hackers. It’s been described by a former counter-intelligence official, Joel Brenner, as “crown jewels material.” The information could be useful to find leads into any number of agents working for other Western governments. Isn’t that a far more likely source for operative data?

What’s the probability that it could have come from someone else?

Tim Shorrock’s recent article in the Nation is a good reminder of the role played by private contractors, many of them members of the Intelligence and National Security Alliance. This “cyberintelligence-industrial complex,” Shorrock writes, “moves between government and private practice, taking state secrets with them.” These companies work for different, competing corporate employers and various governments, and they’ve got access and clearance for vast amounts of confidential data, which surely has a high value. Privatised spying creates a competitive market for information. How much hacking do you have to do if you’re working for a former client’s rival?

23 years ago, the Daily Dot pointed out, when Edward Snowden was just 7 years old, an internal NSA report predicted a “rogue systems administrator.” The report warned: “It is their tremendous access to classified information and control of classified computer systems that makes system administrators prime targets for foreign intelligence recruitment. … From an individual’s standpoint … access to electronic versions of classified documents is out of control.”

That was then. What’s the situation now? Fortune reports, “nearly 2,000 companies work on programs related to counterterrorism, homeland security, and intelligence in about 10,000 locations across the United States, and the industry employs an estimated 854,000 people with top-secret security clearances.” Now add to that figure the firms in other countries working with a variety of different clearance levels. Now add companies such as Finfisher and Hacking Team, who work for anyone from UK spy agencies to brutal dictators. You’re ending up with a constellation of private, unaccountable data harvesting and selling entities that’s beyond any jurisdictional control.

As ZDNet explored here, Booz Allen Hamilton and other private contractors with Snowden’s clearance level number in the thousands, and poor techniques at controlling and monitoring access to all that data seem to be making it difficult to track down who’s opened or copied it. We know about Snowden because, well, he told everyone. However, if your objective is to trade or sell actionable data to foreign governments, then the key tactic would require you to BE FUCKING QUIET ABOUT IT! How much other data has walked out the door by people who didn’t hand it over to journalists?

And that’s the private contractors. Government employees aren’t magically immune to the same impulses. Consider the Washington Post’s investigation into how background checks are carried out for high security positions. Like everything else, it seems, this too is outsourced. Quotas for the number of interviews carried out and penalties for missing them have meant that “the faster they turned them in, the faster their company got paid — even if the investigations were rushed and incomplete.”

What is known

Any information stored anywhere over a long enough time span will eventually be shared. That’s not an opinion, it’s physics. It could be down to something as simple as leaving files that never should have left the building on a commuter train. It could be an MP with ego issues hiring the wrong aide. Maybe it’s a spy chief with ego issues showing off classified documents to his girlfriend. Occasionally, it’s someone acting on their moral principles. Or maybe someone else is doing it for a bit of cash.

Either way, there are too many leaks in that ship to single out one of them with any certainty in the case of the Sunday Times article. And if the world’s leading spy agencies can’t keep this highly sensitive information secure, what hope do the rest of us have that the yottabyte of data about the rest of us will be safe? That’s why we should all be concerned about how much data retention the Home Office (and its foreign information swapping partners) wants to enforce. Because you never know where it’s going to end up.

Things added after hitting the “publish” button

This is the only thing the Sunday Times seems to be upset about criticism of its reporting.

“It ended up being perhaps the clearest vindication of Snowden’s work to date.” — Adam Weinstein, Gawker

Edits: Spelling, grammar, formatting, making the title fill the space, making the top image funnier.