A classified intelligence assessment shows the United States is “the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness,” according to the Washington Post.
In the story, Ellen Nakashima reports the “National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions.” She highlights how it “describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives.” And the story notess that “individuals familiar with the report” spoke with her on “condition of anonymity” because the report is a “classified document.”
Trevor Timm, an Electronic Frontier Foundation (EFF) privacy advocate and co-founder of the Freedom of the Press Foundation (FPF), drew attention to the purpose this leak could serve:
Oh, look. The govt's leaking classified info to push its own narrative: the great cyber-threat, just in time for CISPA. wapo.st/Z4fu8f— Trevor Timm (@trevortimm) February 11, 2013
In fact, as the ACLU’s Michelle Richardson wrote about on February 10, the “cybersecurity bill” widely thought to pose risks to people’s privacy if passed will be introduced again in Congress:
The House cybersecurity bill that allows the National Security Agency (NSA) and the military to collect your private internet records is scheduled for an encore appearance on Wednesday. House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) will reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA), which news reports say will be the same bill that passed the House of Representatives last year.
That’s right, the same bill that allows companies to turn over your sensitive internet records directly to the NSA and the Department of Defense without requiring them to make even a reasonable effort to protect your privacy. The same bill that lets the government use the information it collects for cybersecurity purposes “to protect the national security of the United States”—a concept that is, of course, undefined and incredibly expansive. Here we are, ten months later, with a much-deserved veto threat from the administration, a smarter Senate alternative, and an Executive Order that will address part of the information-sharing issue—yet the House starts with the same old privacy-busting bill as before. [emphasis added]
When CISPA was up for consideration last year, it was pointed out by EFF that “using an anonymizing service like Tor or even encrypting your emails” might lead companies to think you were a “threat.” More than port scans or DDoS traffic could lead one’s activity to be flagged as a “threat.” And a company could hand over a person’s communications to the government without a warrant or judicial oversight if the companies concluded the communications contained “cyber threat information.”
Now, can anyone prove that individuals showed the Post the report for the purpose of generating support for immediate action on “cybersecurity”? No. What one can do is show how this is an approved leak in the sense that members of Congress are not behaving hysterically and calling for a witch-hunt to be launched to find out who showed Nakashima or others at the Post the report.
Rogers in June of last year suggested leaks on cyber warfare against Iran, a CIA underwear bomb plot sting operation in Yemen and Obama’s “kill list” were “probably the most damaging in US history.” Rogers and Sen. Dianne Feinstein pushed for anti-leaks proposals that could be passed and were very vocal in their opposition to the fact that information on national security operations had been disclosed.
In this instance, Rogers has not reacted at all to the story on details in a classified report. He was on CBS’s “Face the Nation” yesterday calling for lawmakers to revive CISPA.
The report shows what 16 spy agencies consider to be most vulnerable to cyber attacks or threats. Normally, officials would frown upon revealing such vulnerabilities, but since this creates an opportunity to push back against privacy advocates, lawmakers like Rogers are not likely to say a word about the release of information from the report.
The point is not that the information should not have been shared with the Post. Any time officials are willing to talk about what government is doing with journalists or reporters is ultimately good. Any time they want to feed an official document to a media organization is good too. However, it is up to the journalist to determine if he or she is being used and whether he or she is comfortable with being used in order to publish the scoop. (Note: The reintroduction of CISPA is not mentioned in the Post story.)
Furthermore, leaks are mostly good in that they promote discussion around the subject or topic of the leak, especially when leaks on national security matters occur. The leak of the Justice Department “white paper” on President Barack Obama’s targeted killing program sparked discussion in news media on a vast expansion of executive power that had mostly gone ignored up until last week. That “leak”—which may or may not have come from someone within the Obama administration—has not sparked calls for a “leaks” investigation because lawmakers wanted to know this information and were tired of the administration’s efforts to keep it concealed. (It also contained no classified information.)