DHS Counterterror Centers Produce ‘A Bunch of Crap,’ Senate Finds

DHS Secretary Janet Napolitano tours a Tennessee fusion center. Photo: TN.gov

They’re supposed to be “one of the centerpieces of our counterterrorism strategy,” according to Janet Napolitano, the Secretary of the Department of Homeland Security. In practice, not so much.

The Senate’s bipartisan Permanent Subcommittee on Investigations found no evidence that DHS’ 70-plus fusion centers — places where state, local and federal law enforcement analyze and share information — uncovered a single terrorist threat between April 1, 2009 and April 30, 2010. Terrorism is thankfully rare within the United States. But during that time, the FBI discovered would-be New York subway attacker Najibullah Zazi; U.S. Army Major Nidal Malik Hasan killed 13 people at Fort Hood; Umar Farouk Abdulmutallab tried to blow up a Detroit-bound airplane; and, in early May 2010, Faisal Shahzad attempted to detonate an SUV in Times Square. DHS has praised the fusion centers’ work in helping on the Zazi and Shahzad cases. The Senate found fusion centers played little, if any, role in either case.

“Nor,” the Senate panel writes in its just-released report, analyzing more than 80,000 fusion center documents, “could [the inquiry] identify a contribution such fusion center reporting made to disrupt an active terrorist plot.” Unnamed DHS officials told the panel the fusion centers produce “predominantly useless information” and “a bunch of crap.” An internal 2010 assessment, which DHS did not share with Congress, found that a third of all fusion centers don’t have defined procedures for sharing intelligence — “one of the prime reasons for their existence.” At least four fusion centers identified by DHS “do not exist,” the Senate found.

DHS Issued False ‘Water Pump Hack’ Report; Called It a ‘Success’


When an Illinois fusion center distributed a report last year stating that hackers from Russia had broken into a water district’s SCADA system and sabotaged a water pump, the Department of Homeland Security stepped in publicly to denounce the report as false, blaming the regional fusion center for spreading unsubstantiated claims and sowing panic in the industrial control system community.

But while DHS was busy pointing a finger at the fusion center, its own Office of Intelligence and Analysis had been irresponsibly spreading the same false information privately in a report to Congress and the intelligence community, according to a Senate subcommittee investigation released late Tuesday. The DHS report was issued five days after the fusion center's.

Even after the FBI and other investigators concluded a few days later that there was no merit to the hacking claims and that the reports were false, the DHS intelligence unit did not issue a correction to its report or notify Congress or the intelligence community that the information it spread was incorrect.

Officials behind the false claims told Senate investigators that such reports weren’t meant to be “finished intelligence” and that despite their report’s inaccuracies and sloppy wording they considered it to be a “success.”

“[It did] exactly what it’s supposed to do – generate interest,” DHS officials told Senate investigators.

The revelation is buried in a lengthy report released by the Senate’s bipartisan Permanent Subcommittee on Investigations that examines the many failings of state fusion centers. The centers were set up in the wake of the 9/11 terrorist attacks in an effort to improve intelligence collection and dissemination for state, local and federal law enforcement and counter-terrorism agencies.

The water pump hack report spawned dozens of sensational news stories when it was leaked to reporters in November 2011. The fusion center report, which was titled “Public Water District Cyber Intrusion,” was distributed by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 and given to state and federal law enforcement agencies, utilities and other groups.

The report, which was meant to be confidential, claimed that attackers from Russia had hacked into the network of a software vendor that made the SCADA system used by a water district in Illinois and stolen usernames and passwords that the vendor maintained for its customers. The hackers then supposedly used the credentials to gain remote access to the utility’s network and cause a water pump to burn out. The report was leaked to the media by an industrial control systems expert who had gained access to it.

The report was significant at the time because it represented the first known attack of this kind involving hackers breaking into an industrial control system in the U.S. and sabotaging equipment. As the Senate investigators point out in their report, earlier that year Defense Department officials had stated that the U.S. would treat such attacks on critical infrastructure systems as an act of war if they caused widespread casualties.

But none of the information was true, and the authors of the fusion center report could have easily discovered this had they bothered to investigate the matter even a little.

Someone did access the water district’s SCADA system from Russia, but it was a water district contractor who was asked to access the system by water district employees, as Wired first reported. They had called him to seek his opinion on something while he was on vacation in Russia, and he had logged into the system remotely to check on some data for them.

When the pump broke five months later and someone examined the network logs to determine the cause, they found an IP address from Russia listed in the logs next to the username and password of the contractor. No one ever bothered to call the contractor to see if he had logged in from Russia; they just assumed someone in Russia had stolen his credentials.

The assertion by the fusion center that the pump was sabotaged by intruders from Russia was all the more perplexing since the contractor had logged in from Russia five months before the pump broke, the Senate investigators point out.

Nonetheless, five days after the fusion center issued its report on Nov. 10, officials from DHS’s Office of Intelligence & Analysis issued their own report, inexplicably repeating the same claims that the fusion center had made.

“Like the fusion center report, DHS stated the allegations as fact, not as theory, claim or hunch,” the Senate report says, noting that DHS guidelines forbid the department from reporting on information if it’s just a theory, claim or hunch.

The author of the DHS report, a senior reports officer in the Intelligence and Analysis branch, claimed in his report that the information was based on “first and secondhand knowledge of information” that was “deemed reliable.” The report never indicated that the information was based on conjecture.

A slide that the I&A office prepared for an intelligence briefing stated emphatically that the Illinois water district’s SCADA system had “experienced a network intrusion from a Russian IP address” and said that the perpetrator hijacked an “authorized user account” and that “system controls were manipulated resulting in a pump burnout.” The information was included in a daily intelligence briefing that went to Congress and the intelligence community.

A week after the DHS intelligence report was released, investigators from DHS’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) arrived in Illinois to investigate the apparent intrusion. They quickly determined, after speaking with the contractor whose name had shown up in the logs, that the fusion center and the DHS intelligence reports were wrong and that the failed pump was not the result of a hack attack at all.

“Almost no part of the initial reports of the incident had been accurate – not the fusion center report, or DHS’s own intelligence report, or its intelligence briefing,” write the Senate investigators in their report. “The only fact that they got right was that a water pump in a small Illinois water district had burned out.”

On Nov. 22, the DHS released a statement saying that there was no evidence to back the fusion center claims that the utility had suffered a cyber intrusion, that credentials were stolen or that any malicious activity was behind the failed water pump.

On Nov. 30, after Wired published a story identifying the contractor who had logged into the system from Russia and revealing the true facts behind the “cyber intrusion”, DHS pointed the finger at the fusion center for releasing information that had not been verified.

A spokeswoman for the Illinois State Police, which is responsible for the fusion center, pointed the finger at local representatives of DHS, FBI and other agencies who she said were responsible for compiling information that gets released by the fusion center.

And then DHS pointed another finger back at the fusion center, saying if the report had been DHS-approved, six different offices would have had to sign off on it.

“Because this was an Illinois [fusion center] product, it did not undergo such a review,” a DHS official told Wired at the time.

But according to the Senate report, DHS had indeed released its own separate report that restated the same false claims that the fusion center report had stated.

When Senate investigators asked officials from the I&A office about their report, the officials acknowledged that they had not included caveats in the report to indicate that the information was uncorroborated and based on hypotheses, but they defended their hurried reporting by saying there was “a premium for getting [intelligence reports] out.”

And despite the fact that their office is called the Office of Intelligence & Analysis, they told investigators that “analytical judgements are saved” – that is, analysis is not included in such reports.

California Governor Vetoes Landmark Location-Privacy Law

Tracking a Sprint Nextel cellphone. Image: U.S. District Court — Southern District of Ohio

California Gov. Jerry Brown has vetoed legislation that would have required the state’s authorities to get a probable-cause warrant signed by a judge to obtain location information from electronic devices such as tablets, mobile phones and laptops.

The measure passed the state Senate in May and the Assembly approved the plan in August.

The veto of the first-of-its-kind legislation was no surprise.

Brown, a Democrat, last year vetoed a measure requiring police officers to obtain a warrant before searching someone’s cellphone after arresting them. That leaves California police officers free to search through the mobile phones of persons arrested for any crime.


This year, Brown again caved to law enforcement.

“It may be that legislative action is needed to keep the law current in our rapidly evolving electronic age,” Brown wrote in his veto message Sunday. “But I am not convinced that this bill strikes the right balance between the operational needs of law enforcement and the individual expectation of privacy.”

The legislation said that, if there was insufficient time to obtain a warrant due to a threat of serious danger or bodily harm — for example, in the case of a missing child — no warrant would be required.

The veto comes as prosecutors are increasingly using warrantless cell-tower locational tracking of suspects in the wake of a Supreme Court ruling that law enforcement should acquire probable-cause warrants from judges to affix GPS devices to vehicles and monitor their every move, according to court records.

Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, which helped craft the legislation along with the American Civil Liberties Union, said the governor’s veto continues a “dangerous trend” of “allowing law enforcement to gorge itself on as much data and information they can eat without a warrant.”

The package was intended to clear up the legal mess surrounding police acquiring location information that can be used to track citizens. Sometimes warrants are required and sometimes the signature of a law enforcement officer is all that is needed to obtain sensitive data on somebody’s whereabouts.

The California District Attorneys Association and the California State Sheriff’s Association opposed the measure, saying it was preempted by federal law.

The Obama administration maintains that Americans have no privacy in their public movements, and that their locational data from their mobile phone, for example, can be obtained without a warrant since it is held by a third party.

The California legislation would have only affected non-federal law enforcement officials conducting business in California.

Similar federal legislation has been stalled for more than a year, and is likely dead.

Meanwhile, the nation’s major cellphone companies objected to the bill because it would have forced them to publicly report the number of times they turn over cellphone location information to police and federal agents. They argued that it would be too burdensome, and would take time away from the important work of sharing customer data with cops “day and night.”

That part of the bill was subsequently deleted.

As it turns out, mobile carriers responded last year alone to 1.3 million requests from state and federal law enforcement for customer data, covering everything from text messages to location data to calling records, according to the carriers’ responses to a congressional inquiry. The data did not break down how many of those requests included a court warrant.

Hackers Break Into White House Military Network

It’s been a while, but hey I’m back! So here’s a news story that caught my eye today – it’s been a while since we’ve reported on a Spear Phishing attack, and guess what? Yes, last time it was also perpetrated by Chinese, but it was targeting Google’s Gmail. Targeted Phishing Attacks Carried Out On...

Read the full post at darknet.org.uk