Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘.gov’ Category

Artificial Intelligence Ethics and Responsibility Act (AIERA) of 2023


Hey Congress, I had the A.I. do your work for you…

This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.

Title: Artificial Intelligence Ethics and Responsibility Act (AIERA) of 2023

Section 1. Short Title

This Act may be cited as the “Artificial Intelligence Ethics and Responsibility Act of 2023.”

Section 2. Purpose

The purpose of this Act is to create a robust ethical and regulatory framework for the development, implementation, and utilization of artificial intelligence (AI) technologies, with the aim of safeguarding individual rights, enhancing transparency, ensuring accountability, and stimulating innovation.

Section 3. Definitions

In this Act:

(a) “Artificial Intelligence (AI)” refers to computational systems capable of performing tasks that typically require human intelligence, including but not limited to machine learning, natural language processing, computer vision, and robotics.

(b) “AI System” refers to an assembly of hardware, software, and data that employs AI technologies.

(c) “AI Developer” refers to any individual, organization, or entity engaged in designing, creating, or modifying AI systems.

(d) “AI Operator” refers to any individual, organization, or entity that deploys, manages, or interacts with AI systems.

Section 4. Ethical Principles for AI Development and Utilization

AI Developers and AI Operators shall adhere to the following ethical principles:

(a) Transparency: Ensure that AI systems are transparent and comprehensible, providing clear information about their purpose, capabilities, limitations, and potential biases.

(b) Accountability: Establish mechanisms to hold AI Developers and AI Operators accountable for the consequences of their AI systems, including compliance with existing laws and regulations.

(c) Privacy and Data Protection: Uphold and safeguard the privacy rights of individuals, complying with relevant data protection laws and minimizing the collection, use, and dissemination of personal data.

(d) Fairness and Non-discrimination: Develop and utilize AI systems in a manner that promotes fairness and non-discrimination, preventing biases and fostering equal opportunities for all individuals.

(e) Safety and Security: Design, create, and employ AI systems with appropriate safety measures to mitigate risks to individuals and society, including potential harm and misuse.

(f) Human Centricity: Prioritize human values, rights, and interests in AI systems, incorporating suitable human oversight mechanisms to monitor and regulate AI systems.

(g) Social and Environmental Responsibility: Encourage the positive impact of AI on society and the environment, while minimizing adverse consequences.

Section 5. AI Developer Responsibilities

AI Developers shall:

(a) Regularly assess AI systems to ensure adherence to the ethical principles outlined in Section 4.

(b) Establish methods for identifying, reporting, and rectifying biases, inaccuracies, and unintended consequences in AI systems.

(c) Engage with stakeholders, including affected communities and experts in relevant fields, to determine potential risks and develop mitigation strategies.

(d) Document the development process of AI systems, including design, training, and evaluation methodologies, to facilitate auditing and accountability.

(e) Disseminate AI research findings, subject to privacy and security considerations, to advance the collective knowledge and development of ethical AI practices.

Section 6. AI Operator Responsibilities

AI Operators shall:

(a) Assess the ethical implications of deploying and utilizing AI systems, considering potential risks and benefits for individuals, communities, and society.

(b) Implement suitable governance structures and processes to ensure the ethical operation of AI systems, incorporating human oversight and regular monitoring.

(c) Educate employees and other relevant stakeholders about the ethical use of AI systems and provide resources for addressing potential ethical concerns.

(d) Establish channels for receiving, investigating, and addressing complaints related to the operation of AI systems.

(e) Disclose the utilization of AI systems transparently, including their purpose, limitations, and potential biases, to foster trust and understanding among stakeholders.

Section 7. AI Governance and Oversight

(a) Establishment of the National AI Ethics and Responsibility Commission (NAIERC):

A federal agency responsible for the development, enforcement, and oversight of ethical and security standards for AI systems, as well as the promotion of public awareness and education on AI ethics and security.

(b) Duties of the NAIERC shall include:

  1. Developing and updating guidelines and best practices for ethical and secure AI development and operation.
  2. Establishing a certification process for AI systems that comply with the ethical and security standards set forth in this Act.
  3. Conducting regular audits and inspections of AI Developers and AI Operators to ensure adherence to ethical and security standards.
  4. Investigating and resolving complaints related to ethical and security concerns in AI systems.
  5. Collaborating with international organizations and governments to harmonize AI ethics and security standards globally.
  6. Promoting public awareness and education on AI ethics and security, as well as fostering dialogue among stakeholders.
  7. Facilitating research and development on AI ethics, security, and related technologies.

Section 8. Security Considerations

AI Developers and AI Operators shall:

(a) Implement robust security measures to protect AI systems against unauthorized access, tampering, and cyberattacks, ensuring the integrity, confidentiality, and availability of AI systems and the data they process.

(b) Conduct regular security assessments, including vulnerability and risk assessments, to identify potential threats and weaknesses in AI systems and implement appropriate mitigation strategies.

(c) Develop and maintain incident response plans for addressing security breaches or incidents involving AI systems, ensuring timely notification, investigation, and remediation of such incidents.

(d) Share information on security threats, vulnerabilities, and best practices with the NAIERC and other relevant stakeholders, subject to privacy and confidentiality considerations, to promote collective security and resilience in the AI ecosystem.

(e) Ensure that AI systems are designed with “security by design” principles, incorporating security measures and best practices throughout the development life cycle.

(f) Provide appropriate training and resources to employees and stakeholders to raise awareness of AI security risks, best practices, and incident response procedures.

Section 9. Penalties and Enforcement

(a) The NAIERC shall have the authority to impose penalties, including fines and suspension or revocation of certifications, on AI Developers and AI Operators found to be in violation of the ethical and security standards set forth in this Act.

(b) AI Developers and AI Operators shall have the right to appeal the imposition of penalties by the NAIERC through established legal channels.

Section 10. Effective Date

This Act shall take effect 180 days after its enactment.

Section 11. Severability

If any provision of this Act is found to be unconstitutional or otherwise invalid, the remaining provisions shall remain in full force and effect.

Section 12. Periodic Review and Amendments

(a) The NAIERC shall periodically review and update the ethical and security standards set forth in this Act to ensure that they remain relevant and responsive to the rapidly evolving AI landscape.

(b) The NAIERC shall consult with relevant stakeholders, including AI Developers, AI Operators, affected communities, experts in the field of AI, ethics, and security, as well as the general public, during the review and amendment process.

(c) Any proposed amendments to the ethical and security standards in this Act shall be submitted to the appropriate legislative body for approval, in accordance with established legal procedures.

Section 13. International Collaboration and Harmonization

(a) The NAIERC shall actively engage with international organizations, foreign governments, and other relevant stakeholders to promote global cooperation and harmonization of AI ethics and security standards.

(b) The NAIERC shall participate in the development of international guidelines, agreements, and treaties related to AI ethics and security, ensuring that the principles and standards set forth in this Act are represented and respected in the global AI community.

Section 14. Public Awareness and Education

(a) The NAIERC shall develop and implement public awareness campaigns to inform and educate the general public about AI ethics and security, as well as their rights and responsibilities in relation to AI systems.

(b) The NAIERC shall collaborate with educational institutions, industry partners, and other relevant stakeholders to develop and promote AI ethics and security education programs, targeting students, professionals, and the general public.

Section 15. Research and Development Support

(a) The NAIERC shall facilitate and support research and development initiatives in the areas of AI ethics, security, and related technologies, with the aim of advancing knowledge and fostering innovation.

(b) The NAIERC shall establish partnerships with academic institutions, research organizations, industry partners, and other relevant stakeholders to promote collaborative research efforts and the sharing of knowledge and resources.

(c) The NAIERC shall provide funding and other forms of support, subject to budgetary and legal constraints, to eligible research projects and initiatives that align with the objectives and priorities set forth in this Act.

Section 16. AI Ethics and Security Advisory Board

(a) The NAIERC shall establish an AI Ethics and Security Advisory Board, comprising experts from various disciplines, including but not limited to AI, ethics, security, law, sociology, and psychology.

(b) The AI Ethics and Security Advisory Board shall:

  1. Provide expert advice and guidance to the NAIERC in the development and enforcement of ethical and security standards for AI systems.
  2. Evaluate emerging AI technologies and applications, and assess their ethical and security implications.
  3. Recommend updates and amendments to the ethical and security standards set forth in this Act, based on the latest research and technological advancements.
  4. Assist in the development of public awareness campaigns, educational programs, and research initiatives related to AI ethics and security.

Section 17. Reporting Requirements

(a) The NAIERC shall submit an annual report to the appropriate legislative body, detailing its activities, accomplishments, and challenges during the preceding year.

(b) The annual report shall include:

  1. A summary of the audits, inspections, and investigations conducted by the NAIERC, as well as any penalties imposed on AI Developers and AI Operators for violations of this Act.
  2. An assessment of the effectiveness of the ethical and security standards set forth in this Act, including any proposed updates or amendments.
  3. A summary of the public awareness campaigns, educational programs, and research initiatives supported or implemented by the NAIERC.
  4. A review of international collaboration efforts and the status of global harmonization of AI ethics and security standards.
  5. Any other relevant information, as determined by the NAIERC.

Section 18. AI Ethics and Security Training Programs

(a) The NAIERC shall develop and promote AI ethics and security training programs for AI Developers, AI Operators, and other relevant stakeholders.

(b) The training programs shall cover topics such as:

  1. The ethical principles and security considerations set forth in this Act.
  2. Best practices for AI development and operation that align with ethical and security standards.
  3. Methods for identifying, assessing, and mitigating ethical and security risks in AI systems.
  4. Strategies for incorporating human oversight and values in AI systems.
  5. Legal and regulatory compliance requirements related to AI ethics and security.

Section 19. Public Input and Consultation

(a) The NAIERC shall establish mechanisms for soliciting public input and consultation on AI ethics and security matters, ensuring that diverse perspectives are considered in the development and enforcement of the standards set forth in this Act.

(b) Such mechanisms may include, but are not limited to, public hearings, online platforms for submitting comments and feedback, and stakeholder engagement events.

Section 20. Funding

(a) The NAIERC shall receive funding from the federal government, subject to budgetary and legal constraints, to carry out its mandate as outlined in this Act.

(b) The NAIERC may also seek and accept funding from other sources, including grants, donations, and partnerships with private entities, subject to ethical and legal considerations.

Section 21. AI Impact Assessments

(a) AI Developers and AI Operators shall conduct AI Impact Assessments (AIIAs) prior to the development, deployment, or significant modification of AI systems.

(b) The AIIAs shall evaluate the potential ethical, security, social, and environmental impacts of AI systems, as well as identify measures to mitigate risks and promote positive outcomes.

(c) The NAIERC shall develop guidelines and templates for conducting AIIAs, ensuring that AI Developers and AI Operators have a clear and standardized framework for assessing AI systems.

(d) AI Developers and AI Operators shall submit completed AIIAs to the NAIERC for review and approval, in accordance with established procedures and timelines.

Section 22. Whistleblower Protection

(a) The NAIERC shall establish mechanisms for individuals to report potential violations of this Act, or other ethical and security concerns related to AI systems, while maintaining their anonymity and protecting them from retaliation.

(b) The NAIERC shall investigate reported concerns in a timely and thorough manner, taking appropriate enforcement actions when necessary.

(c) Employers shall not retaliate against employees or other stakeholders who, in good faith, report potential violations of this Act or other AI-related ethical and security concerns.

Section 23. Public-Private Partnerships

(a) The NAIERC shall actively engage with private sector entities, including AI Developers, AI Operators, and other relevant stakeholders, to foster collaboration and information sharing on AI ethics and security matters.

(b) Such public-private partnerships may include, but are not limited to, joint research projects, information sharing agreements, capacity-building initiatives, and the development of best practices and guidelines.

Section 24. AI Ethics and Security Awareness Month

(a) The NAIERC shall designate one month each year as “AI Ethics and Security Awareness Month,” with the aim of raising public awareness and promoting education on AI ethics and security issues.

(b) During AI Ethics and Security Awareness Month, the NAIERC shall organize and support various events and initiatives, such as workshops, seminars, panel discussions, and online campaigns, to engage the public and various stakeholders in discussions about AI ethics and security.

Section 25. Future Amendments and Sunset Clause

(a) This Act shall be subject to review and potential amendment every five years, to ensure its continued relevance and effectiveness in addressing the ethical and security challenges posed by AI technologies.

(b) If, upon review, the legislative body determines that this Act is no longer necessary or effective, it may enact a sunset clause, causing the Act to expire on a specified date.

Section 26. Implementation

The provisions of this Act shall be implemented by the relevant federal agencies, in coordination with the NAIERC and other stakeholders, in accordance with established legal procedures and timelines.

Section 27. AI Liability and Insurance

(a) AI Developers and AI Operators shall be held responsible for any harm or damages caused by the AI systems they develop or operate, subject to the principles of liability established by applicable laws and regulations.

(b) The NAIERC, in consultation with relevant stakeholders, shall develop guidelines for determining liability in cases involving AI systems, taking into consideration factors such as the level of human involvement, the foreseeability of the harm, and the extent to which the AI system deviated from its intended purpose.

(c) AI Developers and AI Operators shall maintain appropriate liability insurance coverage for the AI systems they develop or operate, to ensure that affected parties can be adequately compensated for any harm or damages caused by the AI systems.

Section 28. AI in Critical Infrastructure

(a) The NAIERC shall develop specific guidelines and standards for the use of AI systems in critical infrastructure sectors, such as energy, transportation, healthcare, and telecommunications, taking into account the heightened risks and potential consequences of AI-related failures or attacks in these sectors.

(b) AI Developers and AI Operators involved in critical infrastructure sectors shall adhere to the additional guidelines and standards established by the NAIERC, in addition to the general ethical and security standards set forth in this Act.

Section 29. AI Workforce Development

(a) The NAIERC shall collaborate with educational institutions, industry partners, and other relevant stakeholders to develop and promote workforce development programs that address the growing demand for AI professionals with expertise in ethics, security, and related fields.

(b) Such workforce development programs may include, but are not limited to, specialized degree programs, vocational training, internships, apprenticeships, and continuing education opportunities.

Section 30. AI in Public Services

(a) The NAIERC shall develop guidelines and best practices for the ethical and secure use of AI systems in the delivery of public services, ensuring that AI technologies are deployed in a manner that is transparent, accountable, and respects the rights and interests of the public.

(b) Government agencies that utilize AI systems in the delivery of public services shall adhere to the guidelines and best practices established by the NAIERC, in addition to the general ethical and security standards set forth in this Act.

Section 31. AI and Human Rights

(a) The NAIERC shall ensure that the ethical and security standards set forth in this Act are consistent with and promote the protection of human rights, as enshrined in national and international human rights laws and instruments.

(b) The NAIERC shall collaborate with human rights organizations, experts, and other relevant stakeholders to monitor the impact of AI technologies on human rights and develop strategies for addressing and preventing human rights violations related to AI systems.

Section 32. AI and Children

(a) The NAIERC shall develop specific guidelines and standards for the ethical and secure use of AI systems that involve or affect children, taking into account the unique vulnerabilities and needs of children in relation to AI technologies.

(b) AI Developers and AI Operators that develop or operate AI systems involving or affecting children shall adhere to the additional guidelines and standards established by the NAIERC, in addition to the general ethical and security standards set forth in this Act.

Section 33. AI and Accessibility

(a) The NAIERC shall develop guidelines and best practices to ensure that AI systems are designed, developed, and operated in a manner that is accessible to individuals with disabilities, promoting digital inclusion and equitable access to AI technologies.

(b) AI Developers and AI Operators shall adhere to the accessibility guidelines and best practices established by the NAIERC, ensuring that AI systems are compatible with assistive technologies and can be used by individuals with diverse abilities and needs.

Section 34. AI and Data Privacy

(a) The NAIERC shall collaborate with relevant data protection authorities to ensure that the ethical and security standards set forth in this Act are consistent with and promote the protection of data privacy rights, as enshrined in applicable data protection laws and regulations.

(b) AI Developers and AI Operators shall adhere to applicable data protection laws and regulations, ensuring that AI systems process personal data in a manner that respects individuals’ privacy rights and complies with legal requirements related to data collection, processing, storage, and sharing.

Section 35. AI and the Environment

(a) The NAIERC shall develop guidelines and best practices for minimizing the environmental impact of AI systems, including energy consumption, resource use, and waste generation.

(b) AI Developers and AI Operators shall adhere to the environmental guidelines and best practices established by the NAIERC, implementing strategies and technologies to reduce the environmental footprint of AI systems and promote sustainability.

Section 36. AI and Intellectual Property Rights

(a) The NAIERC shall collaborate with relevant intellectual property authorities to address the unique challenges and opportunities presented by AI technologies in the context of intellectual property rights, such as copyright, patents, and trade secrets.

(b) AI Developers and AI Operators shall respect and protect the intellectual property rights of others when developing and operating AI systems, ensuring that AI technologies do not infringe upon the rights of creators, inventors, and other stakeholders.

Section 37. AI and Inclusivity

(a) The NAIERC shall promote the development and use of AI systems that are inclusive, representative, and respectful of diverse cultures, languages, and perspectives, ensuring that AI technologies do not perpetuate discrimination, bias, or marginalization.

(b) AI Developers and AI Operators shall adopt strategies and practices to ensure that AI systems are developed and operated in a manner that is inclusive and representative, such as by utilizing diverse training data, engaging with diverse stakeholders, and incorporating diverse perspectives in the design and evaluation of AI systems.

Section 38. AI and Disinformation

(a) The NAIERC shall develop guidelines and best practices for addressing the risks and challenges posed by AI-enabled disinformation and misinformation, such as deepfakes and synthetic media.

(b) AI Developers and AI Operators shall adhere to the guidelines and best practices established by the NAIERC, ensuring that AI technologies are not used to create, disseminate, or amplify disinformation or misinformation that may undermine public trust, compromise safety, or violate legal and ethical standards.

Section 39. AI and Public Safety

(a) The NAIERC shall develop guidelines and best practices for ensuring that AI systems are developed and operated in a manner that prioritizes public safety, taking into consideration the potential risks and unintended consequences of AI technologies.

(b) AI Developers and AI Operators shall adhere to the public safety guidelines and best practices established by the NAIERC, ensuring that AI systems do not pose unnecessary risks or hazards to individuals, communities, or the environment.

Section 40. AI and Employment

(a) The NAIERC shall collaborate with relevant labor authorities, industry partners, and other stakeholders to assess and address the potential impacts of AI technologies on employment, such as job displacement, skill gaps, and changes in labor market demands.

(b) The NAIERC shall develop and promote strategies for mitigating the negative impacts of AI technologies on employment, such as reskilling programs, workforce development initiatives, and social safety nets.

Section 41. AI and Fair Competition

(a) The NAIERC shall collaborate with relevant competition authorities to ensure that the development, deployment, and operation of AI systems are consistent with the principles of fair competition and do not result in anticompetitive practices, market concentration, or other negative economic outcomes.

(b) AI Developers and AI Operators shall adhere to applicable competition laws and regulations, ensuring that AI technologies do not undermine fair competition or compromise the integrity of markets and industries.

Section 42. AI and National Security

(a) The NAIERC shall collaborate with relevant national security agencies to assess and address the potential risks and challenges posed by AI technologies in the context of national security, such as cybersecurity threats, autonomous weapons, and espionage.

(b) The NAIERC shall develop guidelines and best practices for the ethical and secure use of AI technologies in national security contexts, ensuring that AI systems are developed, deployed, and operated in a manner that is consistent with national security interests and respects international norms and agreements.

Section 43. AI and Democracy

(a) The NAIERC shall collaborate with relevant stakeholders, including election authorities, political institutions, and civil society organizations, to assess and address the potential impacts of AI technologies on democratic processes, such as voting, political campaigns, and public discourse.

(b) The NAIERC shall develop guidelines and best practices for the ethical and secure use of AI technologies in democratic contexts, ensuring that AI systems do not undermine democratic values, compromise electoral integrity, or violate the rights and interests of citizens.

Section 44. AI and Transparency

(a) The NAIERC shall promote transparency in the development, deployment, and operation of AI systems, ensuring that AI Developers and AI Operators provide clear, accessible, and meaningful information about the AI technologies they use, the data they process, and the decisions they make.

(b) AI Developers and AI Operators shall adhere to the transparency guidelines and best practices established by the NAIERC, implementing strategies and technologies to make AI systems more understandable, explainable, and accountable to users and affected parties.

Section 45. AI and Accountability

(a) The NAIERC shall develop guidelines and best practices for ensuring that AI Developers and AI Operators are held accountable for the ethical and security performance of the AI systems they develop or operate, as well as for any harm or damages caused by the AI systems.

(b) AI Developers and AI Operators shall implement mechanisms for monitoring, evaluating, and reporting on the ethical and security performance of AI systems, ensuring that they take responsibility for their AI systems and address any issues or concerns that may arise.

Section 46. Effective Date

This Act shall take effect on [Date], providing sufficient time for relevant federal agencies, AI Developers, AI Operators, and other stakeholders to prepare for and implement the provisions of this Act.

Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to their own liking and takes ultimate responsibility for the content of this publication.

Written by Krypt3ia

2023/04/03 at 12:11

Supply Chain Attacks and Nation State Pwnage: A Primer


I've seen things, you people, wouldn't believe....

Last Sunday night, while I was lounging on the couch watching some British Bake Off, I got word of the SolarWinds supply chain hack. After kicking back the last of my whiskey, I immediately got on the phone to start IR at work, cuz, yep, we have SolarWinds too.

Who’da thunk it?

Anyway, three days of IR stuff later, I am here to blog on the meanings for the muggles out there after having a conversation with a reporter on what it all meant. The reporter asked me about a tweet that was put out by Richard Blumenthal about needing to know more about this evolving hack and fallout thereof.

While I think that Dick is being a bit hyperbolic here, I also can tell you, gentle reader, that there is a lot to in fact be worried about regarding this instance of adversarial activity (most likely Russia’s APT29 Sluzhba vneshney razvedki Rossiyskoy /SVR group) which managed to break into a system application that many in the government, military, and corporations still run to manage their network.

This system is so prevalent in the space that even in my environment, we still had it running, and man, I thought we had made it go away long ago. So, you might be wondering, what does SolarWinds really do? Well, glad you asked: it is a series of applications that help you maintain your large networks.

As you can see from the graphic from their site, the company’s software performs a lot of management and monitoring functions within a network of individual systems: servers, routers, databases, service desk applications, resource monitoring, network configuration, and security management. Now, you might be saying, “Ok, well, those are a lot of things that this stuff does, but what does that mean security wise if the application (Orion) is compromised?” That is a good question, and the primary one I want you to comprehend if you are not in tech or security of the tech. What this means is that this program suite by SolarWinds is now the ‘skeleton key’ to a host of around 33k companies/networks that downloaded the tampered-with update. This could affect around 300k clients in all, should there be more tampering or vulnerabilities exploited by the adversary now that they have the code base (assuming here) after they spent all that time inside SolarWinds systems.

So, we have a rather prevalent application suite that usually functions on a level of administrative access to do the very things it is bought to do. This means, that the Orion system contains ALL of your admin passwords up to and including domain administrator and enterprise administrator. What does this mean? It means that once the adversary had control over the Orion system, they had control over EVERYTHING that that system touched as well as now, if it did not have direct control, the passwords that would allow access within a network running this compromised system, are in the hands of the enemy.

Put simply, the adversary, has control over pretty much everything you own. They can log in, take data, manipulate data, and in the most extreme, burn your network down using other malware like a wiper or ransomware to do it. All of this, while you may not see the activity because everything is using credentials that are admin level and authenticated on your network. This is why it was so hard to detect this attack and to stop it and why they were inside the systems for so long.
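One way to look for the platform's stored admin credentials being used from somewhere other than the monitoring servers, as an added example (not from the original post or from SolarWinds). The log format, host names and account names below are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumptions, not from the post): the servers the
# monitoring platform runs on, the privileged accounts stored in it, and the
# systems it is supposed to manage.
MONITORING_HOSTS = {"netmon-01", "netmon-02"}
MONITORING_ACCOUNTS = {"svc_netmon", "svc_netmon_sql", "da_netmon"}
MANAGED_TARGETS = {"core-rtr-01", "db-prod-03", "dc-01", "fs-02"}

# Constructed sample log in a made-up "timestamp key=value ..." format.
SAMPLE_LOG = """\
2020-01-01T02:11:07Z account=svc_netmon src=netmon-01 dst=core-rtr-01 result=success
2020-01-01T02:13:44Z account=jsmith src=wks-114 dst=fs-02 result=success
2020-01-01T02:15:02Z account=svc_netmon src=wks-207 dst=dc-01 result=success
2020-01-01T02:16:30Z account=da_netmon src=netmon-02 dst=hr-app-01 result=success
2020-01-01T02:17:10Z account=svc_netmon_sql src=wks-207 dst=mail-01 result=failure
"""


@dataclass(frozen=True)
class Logon:
    timestamp: str
    account: str
    source: str
    target: str
    result: str


def parse_line(line):
    """Parse one constructed log line into a Logon, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return Logon(
            timestamp=parts[0],
            account=fields["account"].lower(),
            source=fields["src"].lower(),
            target=fields["dst"].lower(),
            result=fields["result"].lower(),
        )
    except KeyError:
        return None


def review(lines):
    """Return (Logon, reasons) for monitoring-account logons that break the inventory.

    Successful and failed attempts are both reviewed: a valid credential used
    from the wrong place authenticates cleanly, so success alone proves nothing.
    """
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None or event.account not in MONITORING_ACCOUNTS:
            continue  # unparsable line, or an account the platform does not hold
        reasons = []
        if event.source not in MONITORING_HOSTS:
            reasons.append("source_not_monitoring_host")
        if event.target not in MANAGED_TARGETS:
            reasons.append("target_not_managed")
        if reasons:
            findings.append((event, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in review(SAMPLE_LOG.splitlines()):
        print(event.timestamp, event.account, event.source, "->", event.target,
              event.result, ",".join(reasons))
```

Logons made from the monitoring server itself to systems it already manages pass both checks, which is exactly the blind spot described above: that traffic is authenticated, expected, and admin level.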

Ok, so, what does that mean from the perspective of damage and about what groups the adversary hit? Well, so far, we know that the following entities were hit in this supply chain attack(s):

  • Department of Homeland Security
  • FireEye
  • Treasury
  • Commerce
  • The National Security Council

These are all either government agencies or companies that handle a lot of government contracts, so you can kind of get a sense of what it means. However, let me expand on this: DHS and the NSC alone are a treasure trove for the Russians to gather all kinds of unclassified/classified data that they would want. Not only that, but if you own the Orion systems in places like that, and that system is in fact running in the CLASSIFIED space, then you have broached into the CLASSIFIED networks of things like NIPRNET and SIPRNET, as well as probably JWICS.

What does this mean? Lemme put it into internet vernacular for you;

This could be spectacularly bad. This is why so many are freaked out about this supply chain attack and the incident responses are all going on 24×7 now. It has yet to really be determined (at least publicly) how long the adversaries were inside these networks, but, I am going to assume that it was a long time, and a lot of damage has been done. Now all these places have to clean up the mess, re-set their networks and rebuild so that this cannot happen again. Then they have to assess the real damage to our security and perhaps someday give testimony in congress about it.

Now, about the other entities, these are the reasons that this hack is bad;

  • FireEye: They do all the pentesting and security work for many of the same orgs as well as incident response. If they were owned as hard as we think, well, there is a lot of data that the adversaries could use on top of using all the tools they stole from them.
  • Treasury, well, money right? Plans? Routes? All things monetary that the adversaries could use to mess with the United States up to and including theft of large sums of money potentially.
  • Commerce as well, plans and other details that they could use against the US financially internally as well as globally.

Time will tell just how many other orgs got hit and may in fact have had data lost to the attackers. Also, do not forget the potential for further logic bombs out there that might be placed by the actor as well for future fun. Of course I have been hearing stories about power and water companies and systems being affected by this as well. All in all, it could be very bad for us all, and places us on our back foot most solidly globally.

One other aspect here, and this is highly speculative, but, what other secret orgs had connections to others with Orion? What orgs themselves in the secret spaces like FireEye, had the same software as well? What classified intelligence has been lost here?

Let that sink in…

Also, on the critical infrastructure end, I am not worried that the power will go off nationally, but, the Russians could mount more, and working attacks against regions with the right kind of access vis a vis this kind of hack.

Think about that too.

Gotta hand it to the Russians man, they play a good long game. Expect to be hearing about fallout on this for quite a long time. If you want to kind of get a sense of the scope of this, I would recommend watching “Sneakers”; the whole McGuffin of the movie is the little black box that the mathematician created that decrypts all the things. This hack is kinda like that. With one box, the Russians decrypted EVERYTHING and then, like the Grinch, took it all up the chimney.

K.

Here’s a reading list too for you all to follow along with:

https://triblive.com/news/world/cyberattack-may-have-exposed-deep-u-s-secrets-damage-yet-unknown/

https://www.darkreading.com/attacks-breaches/concerns-run-high-as-more-details-of-solarwinds-hack-emerge/d/d-id/1339726?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/theft-fireeye-red-team-tools

https://us-cert.cisa.gov/ncas/current-activity/2020/12/07/nsa-releases-advisory-russian-state-sponsored-malicious-cyber

https://www.nbcnews.com/tech/security/russian-hacking-campaign-highlights-supply-chain-vulnerabilities-n1251187

https://www.solarwinds.com/securityadvisory/faq

https://www.solarwinds.com/securityadvisory

Post Script:

Someone put out a tweet earlier that is very prescient;

This is an important context to have. Russia has used Ukraine as their down range test bed. If you remember back to NotPetya, you can see this exact supply chain attack cycle being leveraged there first, and tested. The Russians are old hands at this now.

Not Petya:

Written by Krypt3ia

2020/12/16 at 18:47

SOFWERX Presentation: Your Algorithms Won’t Save You: Why We Need More Sociology and Psychology in The Fight Against Online Disinformation & Propaganda

Here is the deck from yesterday’s presentation at the SOFWERX Radial Speakers Series on Information Warfare:

Your Algorithms Won’t Save You

Video will be available from SOFWERX

Written by Krypt3ia

2018/12/05 at 12:56

The Widening Gyre: Putin’s Asset Sets Multinational Norms On Fire and Begets Global Negative Actions

We are beginning to reap the whirlwind in the news cycle from the election of Trump and his breaking of norms that this country and the world have come to rely on. This is exactly what Putin wanted: a country in the midst of a political and social rift that takes our eye off the global ball and allows for negative actions to be carried out without sanction. We have seen Trump set the Constitution on fire, along with the judicial body of the United States and the economic norms, and generally break up the balance of power in the world. This has allowed Putin to have greater freedom to act, and in turn now others feel empowered. China, North Korea, Syria, and most recently Saudi Arabia have taken actions that, in normal times, they possibly would not have taken were the nations not at odds generally due to America’s abdication of its role.

Let’s cover some of the things going on…

RUSSIA:

Putin is still working the levers of power and in so doing he is still making moves on Ukraine, all the while leveraging the problems in Syria as well. His actions are twofold: first, to annex Ukraine altogether if he can. If he can’t, then he will continue to fight with disinformation and active measures campaigns until he has more control over the area, even if he cannot all out annex them back into Russia proper. Meanwhile, in Syria, Putin is leveraging Erdoğan and the battle there with da’esh to gain a foothold in the region and have a friendly dictator he can someday use as a proxy against others in the world.

Meanwhile, Putin keeps having his enemies killed off in interesting ways. The list has been topped off as of yesterday with an oligarch who ran afoul of him being found in a park choked to death by a dog leash.

…. A dog leash….

Now that is a metaphor huh? Putin will continue on liquidating his problems with impunity because the norms have all been broken because of Trump. The U.N., NATO, all of the normative bodies have been rebuffed by Trump and weakened. All that is lacking now is an assassination of a Putin enemy on American soil for his win to be complete. Putin pulled a master stroke in helping Trump win. Even so, don’t believe for a second that Putin isn’t also waiting to not only use Trump more, but if Trump begins to fail him he will continue to perform flyovers in our air space like he has been with the BEAR FOXTROTS over Alaska and likely will become more aggressive. I have yet to hear anything about SSN activity but be assured they are there… Waiting.

CHINA:

China has upped its espionage games since Trump started his little trade war with them. Recent events have shown a rise in hacking and phishing campaigns that had slowed down since the Xi and Obama agreement. That’s over now though, and with the trade war heating things up and rankling the core ideal of China to be an economic superpower, we are going to see not only more hacking and phishing with a side of theft of IP but also now classical espionage tradecraft to carry out the same goals. All of this will only escalate against the US as we move forward and likely set more things on fire by Trump’s economic disaster plan.

MEANWHILE…. China feels empowered too because of all the fractiousness in the world’s governing bodies and has made the ex INTERPOL chief disappear while in China. Gee, China is now feeling like they can just disappear the head of an international investigative body.

Nice.

As all of this is going on we also have coincidentally, the arrest of an MSS asset in Belgium for economic espionage against the US aerospace community. Hmmmm gee, what a coincidence that this happens as the INTERPOL chief is disappeared. As you can see, and perhaps make the connections yourselves, it may be that the MSS is reacting to the impending arrest and or extradition of their asset by grabbing another as a warning?

Hmmm….

Yes, expect more to come out of China with the worsening of the trade wars as well as the eroding of the world’s norms on illegality.

Thanks Putin and Trump!

Oh yeah, and I forgot to mention the whole South China sea thing too…

SAUDI ARABIA:

Next up, Saudi Arabia seems to have lured a Washington Post reporter to Saudi only to kill and perhaps dismember him in an embassy there. Saudi has never before been as bold and I directly point toward the breaking of all the norms and groups for this action too. It’s been pretty blatant and I suspect there will be no sanction over this. I mean, look, it’s Saudi right? OPEC, oil? Not to mention that Trump was basically setting himself up to be their stooge since the beginning. Nope, nothing will come of this and now the Saudis have killed a Saudi journalist working for an American news org.

I also want to mention the whole glossy magazine that was put out by Trump’s friend David Pecker back last summer. What was this all about? Well, it seems that that was a PR move to make the house of Saud more accessible to the US consumer? Put another way, the new crown prince wanted to look progressive and hip and with the help of Pecker they tried real hard. It’s just that the mark was missed with this publication. In fact it only made an already wary populace start asking questions as to why this happened and what kind of conspiracy was afoot. Expect more to come out of this Saudi reporter’s death and it will likely not be pretty. If they get away with this, and I think they will, then expect Saudi to pull some more stunts in the future as the crown prince gets more bold.

TRUMP REPUBLICANS:

Finally, the TRUMP party, I really don’t consider them Republicans anymore, will continue to push the limits of the nation’s norms and laws until they are just removed from power. The events around the recent SCOTUS nomination and confirmation of Kavanaugh are a clear example of how the Trump party is abusing their control over the House and Senate to get whatever they want over what the governed want. The Kavanaugh thing is just the most naked misuse of their power to date though, and I am sure more will be coming once Trump replaces Sessions with a minion under his control. This will set the trifecta into play: DOJ under his control, SCOTUS under his control, and Mueller with a new target painted on his back.

I fully expect that when this happens the Russia investigation will be liquidated and the Trump party will lock arms and say that this is not a constitutional crisis. Of course then the DOJ will agree and SCOTUS will concur. It will all disappear at least legally right? This is Trump’s greatest desire and it seems more and more likely that this can happen because of the Kavanaugh ascension. An alternate timeline to this would be that Trump allows the investigation to finish but then has Kavanaugh in his pocket to be the deciding vote on whether or not a sitting president can be indicted.

Either way, it seems that if Trump can replace Sessions with a partisan minion, we are all doomed.

Even more worrying is the upcoming midterm elections. If the Trump party continues to be in control, expect to look fondly at the times of outrage over Trump’s mild bad actions because he will feel empowered to do even more bad things if he has total control.

Once again, thanks Putin.

We are at a tipping point here and not just with regard to climate change kids.

K.

Written by Krypt3ia

2018/10/11 at 13:38

Bellingcat: OSINT Playing Games Where People Tend To Get Burned and Dead

Recently there has been a lot of hubbub about Bellingcat pivoting from tracking military movements and downed planes to exposing GRU operatives who have carried out poisoning operations in the UK. Personally I have watched with a mix of trepidation and angst over what they have been doing recently with the liquidators they have fingered for the Skripal poisonings. I have mixed feelings on all this because while I think they may in fact be right, they could also be being used by their “sources” in Russia as well as possibly be used in future to their detriment by Russia and other nation state services for disinformation operations. Even worse, this group and their OSINT could in fact get in the way of real operations by those same services of friendly nations and could endanger themselves if not others in the field by dropping these bits of intel.

OSINT is a new flavor of the day in the information security world but it has been a long standing practice in certain circles in the other community. The difference here is that the OSINT carried out before was by trained individuals within the intelligence community and not put out for general consumption for the world at large. Today, we have Bellingcat dropping all kinds of data that may or may not be correct that is messing directly with operations by a rogue nation (Russia) and a dictator (Putin) that has no compunction about just killing off the people who oppose him enough to cause him heartburn. This is the big difference here and I just want Bellingcat to take that into account as they do what they seem to be doing with regard to GRU ops. As far as I know, the people who work for Bellingcat are not former intel community, maybe there are some, someone can let me know, but you have to consider that the majority of the people there are not spooks and might be out of their depth in this regard.

Additionally, I would like to reiterate that these discoveries could actually be disinformation provided to you all by services like the SVR to hurt the GRU too. In the world of espionage you are forced to live in the wilderness of mirrors kids. Intelligence analysis is a real art and I am just not so sure you’re carrying it out completely with these dumps on the GRU, carefully considering that fact. Just please consider that you are being played now and if not now, you will be in the future to your detriment by nation state actors for their own goals. That said, please take everything some group gives you so handily, even if the data is in fact correct, as a possible dangle or disinformation operation before you just dump it to the BBC.

Lastly, let me just say again in rather plain language, playing this game can get you dead. Russia is at a point with Putin that they just don’t give a fuck and if you are in their way, and enough of a problem, they will destroy you or kill you. Just look at Sergei and his daughter! Or for that matter, look at Anna Politkovskaya, Alexander Litvinenko, and more than a few other impediments that Putin got rid of. It may not happen now, but I can assure you if you piss them off too much, you will get their unwanted attention.

Just a caution….

Oh, and while I am talking about deaths, it seems that a relative of one of the assassins has been perhaps made missing or killed in Russia as well. So, you all have to consider the possibilities of your hubris in what you do in the form of innocent collateral damage to others.

Just sayin…

K.

Written by Krypt3ia

2018/10/09 at 20:18

Posted in .gov, .mil, OSINT, Spooks

Defeating Disinformation

This tweet came up in my feed this morning and it got me thinking. There has been a lot of talk about how disrupting or denying the sources of disinformation could put a stop to it altogether. I for one have not been a proponent of strictly technical solutions to this because they never will work fully and while you can play whack a mole with fake news or disinfo operations, it will always propagate with those who have the cognitive bias and dissonance. What I mean by that is that the mind virus that is fake news or disinformation is just that, those who are disposed to it will propagate it if not create it out of whole cloth for their own reasons be they financial, cultural, or psychological.

It has been shown that if you give those predisposed to these narratives the truth once or twice, they do not come to the conclusion that they are in fact falsehoods. In fact, the studies thus far have shown that you must repeatedly bombard those individuals with the truth (truth bombs heh) until they actually accept the truth. So, unless you can force these individuals to accept “truth” via other channels than the disinformation feeds, you will have little luck in stopping the disinformation from doing its harm and being magnified by those predisposed to their belief in them.

So, what I am saying here is that once again, the technology will not be able to stop the false narratives. The technologies today short of a truly Turing compliant AI that is plugged into the internet as a whole, will not be stopping the disinformation never mind those campaigns of falsehoods by the likes of an Alex Jones because they will be passing them in email, news sites, comments in sites, texts, tweets, over the phone, over the air, …everywhere possible. The reliance or thought of reliance on technologies alone to save us from all this kind of warfare is patently naive. The psychology of why disinformation works and how these things propagate WITH the technology is where we need to focus. More so we need to focus on the psychological aspects in relation to how we might leverage technologies to get the truth into the right minds with repeated viewings is key. Alas though, I fear that this is not what many in the technology space are considering and are relying on algorithms instead of focusing on the animal behind the keyboard. Until we do this I am afraid we are quite doomed to failure.

I also began to parse this tweet out a bit as well on the hacking versus the disinformation campaign. It is quite clear that the hacking and the dumps of information were at some level laced with disinformation but not as a whole was the hack a part of the disinformation campaigns by the GRU. While “not getting hacked” is a good start, the real problems came from other sources and in fact when I looked at the DC leaks stuff and the claims I did come up with some gold that the data did not come from the Clinton Foundation, but instead was DCCC and DNC only to the contrary of what Guccifer 2.0 wanted people to believe.

So yeah, the information being hacked surely added to the mix of disinformation out there but it was not a main contributor to it. Overall, the problems of disinformation rely much more on the psychology of the tribes at play now and the cognitive issues we have within them than the hacking ever did. It turned out at least in the Clinton campaign there was no real “there” there to latch on and make her look even worse with an expose of wrongdoings. The most we got was that they were treating Bernie poorly but really, that was it.

Where were the Benghazi revelations?

Where were the revelations that she and others were running a pedophile ring out of a pizza parlor in DC?

Where was the absolute proof that Clinton had ordered the murders of a number of US citizens and in fact was funneling monies around to places like Panama?

Oh yeah, there were none, and this is the reason why the others out there including the GRU and the SVR were creating those narratives on Twitter, Reddit, and elsewhere, where those predisposed to those mental viruses were living and ready to echo the message to others. When the day comes that we see a dump of information that has been tampered with well enough to detect forensically, then we can parse that out a bit and prove out that a hacked dbase was the cause of disinformation like some of the DC leaks stuff tried to be. Other than that, the two roads do not meet in my book.

The technology is the amplifier but the humans behind the keyboard are the real engines here.

K.

Written by Krypt3ia

2018/07/16 at 16:58

Posted in .gov, .mil, 2016, 2018

Burning Sources

Of late I have been working on my keynote for Circle City Con and as such have been preoccupied with espionage in the digital age. As it turns out the keynote got me thinking about classical espionage quite a bit, so the actual burning of an asset (in this case a CI, a Cooperating Informant working for the FBI) is unfortunately timely. The use of HUMINT in this case to collect information is a key part of the investigation and having this kind of asset burned by demands of the President is extraordinary. Of course others have been burned like Valerie Plame, but she was an actual NOC agent! This though sets a bad precedent for the intelligence community and bodes ill for those other sources out there who might want to help us in future.

This is what happens when investigations and agencies are attacked for political gains by those actors who are adept at obfuscations. Of late all of the goings on surrounding the clear attack by Russia against this country and our electoral system have become so politically charged and muddled by active measures on the part of Republican supporters of Trump and his other minions that it has made me just turn off the news and walk away. It is my hope that this does not escalate further into a full blown constitutional crisis but it is kinda looking that way right now.

As we move forward though, I want you all to realize that these events concerning this source are extraordinary and not the norm for certain. It is only the ability of the president with a will to do so, to break every norm and attempt to subvert the very things that make America “Great” that we have an asset like this burned and likely feeling the pressure of attacks by Trump Nationalists and even perhaps now on the radar of the Russians. Any other circumstance where someone might be a source though on the FBI side may be a bit more safe than this particular instance.

However…

IF you are an asset for the US and you are currently working against any other country’s interest, and perhaps particularly Russia, you may be in more danger as it seems that if Trump and his minions have their way, they could leverage this attack against others in thrall to their financial and kompromat masters. It may be time to get your bugout bags and your exfil plans ready…

Just sayin.

K.

Written by Krypt3ia

2018/05/23 at 20:11

Cambridge Analytica And Psychographics Versus Facebook Algorithms and Targeting

Last week I came across some tasty data out on the net concerning the clients that Cambridge Analytica had been serving in the last election cycle other than Trump. Within that data dump I also came across some python scripts for harvesting data on Twitter as well from a developer at CA, which ties them also to mining and using, potentially, Twitter as well as Facebook to create psychographic profiles and to target those people out there who had the same sentiments and desires around electing Trump as president. What I found in looking at the data and doing some research has brought me to the notion that Analytica’s part in this whole thing was just one sliver of a larger whole. That together with the Russian active measures campaigns, disinformation, propaganda, and echo chamber incitement thereof, Analytica helped target some of the people that Russia needed to target as well as the Trump campaign itself.

In fact, after really digging in here, it has become clear to me that Facebook may have a larger part of the problem with their algorithms that commoditize their user base and allowed for weaponizing of that data to be used in the propaganda campaigns by the Trump campaign and the GRU’s operations. Cambridge Analytica is not the big bad here in essence but a part of a larger whole that the news media seems to be unable to grok because it is not as sexy as having a new Bond style villain to get clicks on. No, the larger and more subtle story here is that the people were manipulated by the Mercers, the Bannons and the GRU using the tools given to them by Facebook and Facebook as well as the media, to synergize the propaganda with the help of all that information the people have chosen (wittingly or otherwise) to give up by using these platforms.

While the truth keeps coming out in drips and drabs on Cambridge Analytica, one has to also take note of the Channel 4 undercover videos as well, where CA’s Alexander Nix offers up age old kompromat style operations to their would be client. This all likely is second nature to the SCL group, the company that is tied to the MOD and DOD as offering tools for propaganda and manipulation in the past and of which CA is a spin-off company. Once you understand this, then you can see how Nix might just be offering things off of the menu from SCL and happily so to make a sale here.

What Nix is offering though might in fact be the modus operandi for the “whole package” in the case of political manipulation. Think about it, you target the people you want to vote, you then set up the opponent with kompromat and then you leak that judiciously. It would destroy the candidate and prop up their opponent pretty well don’t you think? Overall, what you have to realize here is that Cambridge Analytica was selling itself not just as an analytics company with a side of advertising for political campaigns, but instead a one stop shop in black propaganda and dirty tricks using analytics and psychology to target the voter. Of course now you have to ask yourselves just how effective CA’s psychographics and operations really were, how they may have learned from past experience, and what may have been their pivot from just analytics and psychology to propaganda and dirty tricks to pay the bills. First though, let’s look at the data I found and run through some of the premises that CA puts forth to see where fact meets Phrenology.

The Data:

I was Google dorking around the other day and came across someone’s git repo that had an Excel sheet in it concerning Cambridge Analytica’s clients in 2016. When I opened this up I was amazed to see just who else was using CA’s psychometrics for their campaigns other than Trump. What I saw was that Ben Carson, John Bolton, Ted Cruz, and a host of other orgs had been using CA’s offerings as far back as 2014, in the case of Bolton’s super PAC. Carson and Cruz both had limited dalliances with CA but Trump spent considerably on Analytica in 2016. In fact you can see from the sheet, the campaign slogans or catch phrases that they tried too, using them as code names for projects.

All of this data was obtained through the fec.gov website where they have to give up the information as part of the law. So no secrets here really but interesting information to be gleaned on who was using CA’s services and just how long this has been going on. In the case of John Bolton, you can see that he was attempting to use CA to further the candidacy of someone he was supporting back in 2014. In total, the sum for all this work shown here is over four million dollars between all the campaigns and entities.

Notice though, no charges for Ukrainian hookers and blow for kompromat though. *snerk*

Of note as well are the ancillary campaign strategies or slogans that they had for Trump before they came up with the MAGA (Make America Great Again) claptrap, a slogan though that for those of a certain mind, worked wonders for Trump and his particular brand of populism no? You had “Make America Number 1” which is just not as catchy as “Make America GREAT Again” which they refined from the number one phrase. Of course the whole mode here is to say that America is no longer ‘great’ and it can only be made ‘great’ again by Trump. This is a clever little psychological trick in that it pastes everyone else as part of the pool of people that made America lose its greatness and is a phrase that those of a mind can latch onto as a dog whistle.

While I was dorking, I also located a bunch of FARA statements that SCL-Social filled out and gee, who was funneling money to CA to work as a foreign agent? Why Dubai and the UAE of course! You can see the FARA statements made by Andreae and Associates (a political intelligence and risk group in the US) that is working for SCL-Social, a subdivision of SCL-Group, and parent to Cambridge Analytica. What a tangled web we weave when we practice to deceive… Or at least manipulate.

Anyway, there is a lot out there and you can play the home game here.

As a side note, if you look at the original filings on the FEC site you can see more information on the who and the what and the how. In one case I have looked at so far, the LLC that was created to spend the money on “Make America Number 1” is called “GLITTERING STEEL” which to me sounds like one of those derpy names given to APT actors or bad spy novels. Well, once you Google that name though you can see even more about this, that it was a Bannon run entity and that there is at least one lawsuit pending over their illegal actions in California.

This shit is deep folks… Like “deep state” deep. Anyway, I will continue Googling but you can too! Let me know if you find good stuff out there that maybe I can further write about.

Python Scripts:

While I was Googling up that spreadsheet, I also came across some .py scripts that were on a github for a Michael Phillips, who works for Cambridge Analytica. His creations were for harvesting data from Twitter and pulled geolocation data in one and sentiments in the other. In his geolocation script he was looking to pull addresses with accurate lat and long too! Now, you and I know that Twitter allows this kind of thing and others like me have used different tools to pull OSINT on characters like da’eshbags and the like over the years. It is of note though, that Twitter has to my knowledge, not been mentioned that much with regard to targeting and psychometrics mining by CA in the press. So, this is interesting and makes me wonder if perhaps CA has had more inside access to other features of Twitter as well?

Twitter is notoriously not that helpful to the government and others so I have to wonder, if access was given, was it bought? What kind of data would Twitter have sold? What do we really know here? Do we know anything about this? Anyone have any insight here for me? I for one would like to know if Twitter was working with CA and to what extent if any they were. This becomes really important just like access to Facebook data because Twitter was the second tool du jour that the GRU used to sow all the chaos and push the propaganda in the 2016 election cycle as well as in other areas such as Brexit and other attacks on Ukraine and the like.

But I digress… Let’s look at the real value of Cambridge Analytica’s potential versus the tools afforded by the likes of Twitter and Facebook themselves.

Psychographics Versus Custom Audiences and Lookalike Audiences:

A lot of the news cycle has been taken up with Analytica of late but what are they offering and just how effective could psychometric profiles be of users on Facebook? CA claims to have the ability to target people by the OCEAN profiling system of analytics. This is how they managed to make an application that then stole others’ data in the form of a personality test that they leveraged on Facebook. While this testing can lead to some valuable information, it is not as accurate or the right tool in my book to micro target a voter as opposed to someone buying something that they like or want. While this was the bread and butter of CA’s claims, the reality is that this tool is not enough to hone in on people that well to be a real factor in electing Donald Trump and you all have to realize this.

What’s more, if you look at the toolbox of Facebook alone, they have some algorithms and applications alone that could have been a major factor in Trump’s win. The primary two tools are ‘Custom Audiences’ and ‘Lookalike Audiences’ which Facebook uses to target people for advertising and the like. Both of these tools take outside data; in the case of this last election cycle that data would be voter rolls. Uploading those rolls (which you can access), you then are targeting your audience to push feeds to. In the case of Trump, then you are using the Republican rolls and targeting en masse your message to them. Now, consider this, those same rolls were used by the GRU to push content to those feeds as well. That’s right, ad buys by the GRU, remember all the talk about that in the news?

Ok so where does that leave us? Well, with CA and Facebook, you could be targeting those people who are outside the rolls and magnifying your efforts with the likes and the comments by stealing the 50 million people’s data as well. This basically becomes an amplification attack kinda like a DoS if you think about it. In the scheme of things it seems CA was just another cog but when you look at it all as a whole you have to ask yourselves these questions;

1) Was CA able to target more people outside the norm?

2) Was CA then able to take ancillary data (other people’s) that also had the same “sentiments” as their core psychometric profile because they were friends of those core friendly users?

3) Was this data then given to the Russians either by insiders at CA or by the Trump campaign itself to help target users and spread the propaganda and active measures to greater effect?

These are the questions the Senate and House should be asking and I am sure that these are questions the FBI and the Mueller probe are asking. Also, one should consider this more macro targeting than micro but meh, either way it seems that Facebook has a larger share of the blame that they certainly don’t want to take. This is especially true now that they have lost so much value on the stock market as well as losing clients like SpaceX and Tesla recently in a backlash that continues.

Was, and Is Cambridge Analytica an Arm of SCL’s Propaganda and Psyops Operations?:

This leaves us at the point where Alexander Nix and his compatriot are seen on hidden video offering kompromat style operations as well as targeted psychographics. If you start looking into SCL, its mother org, you can see that they have a history of this kind of black propaganda offerings for the military and governments of the world. It would not be a stretch to see CA using SCL to do some dirty work if not doing it in house so to speak. So when Nix was caught on camera and later made some excuses that he was just “going with what the client wanted” I feel that this is closer to what he wanted to offer because it made money as opposed to the straight analytics package CA offers. Perhaps even more so, Nix knew that analytics was just not enough and that psychographics should really only be used in micro targeted ads for shoes.

If the targeting works, and psychometrics/psychographics do up to a point, then they can be a part of a larger package of tools to target a macro audience with micro tools. I think we have seen, and I have pointed out above, that this is likely to work better as a larger package of many tools and operations to influence an audience but it is not the be-all and end-all. I think they discovered that and went back to the old ways to make money with SCL’s cache and tools that have been in use for many years with great effect. Where the rubber meets the road in the 2016 election is that the Russians then possibly leveraged SCL and CA with or without their knowledge to even greater effect and that is what led us to where we are today.

How that actually happened is something for the investigators at the special counsel to tell us later on.

SCL’s Domains:

While I am on the subject of SCL and looking at future possibilities, I looked up everything that SCL owns domain wise. There are many domains that they own and we should keep an eye out for them being spun up in future. In fact, I kind of wonder if they have other domains hidden under other LLCs etc. that we have not seen that may have been party to some of the 2016 psyops and propaganda operations on behalf of the Trump campaign. Looking at these domains they have many plans and we should all be paying attention.


Conclusions:

So here are my conclusions looking at all of this stuff. First off, CA is not the big bad here but Facebook and maybe Twitter are. Ask yourselves and ask them just how much data they sold or gave access to other entities in the 2016 election cycle. Who were they? Were they connected to CA? SCL? GRU? Also be asking yourselves just how much do you want Facebook to have of your privacy? In posts recently I have seen people saying that phone calls and other private data were in the data dumps they downloaded. How did that data all get into their hands? Well, you let it happen! If you have Facebook on your phone, well, then they have everything and unless you read the fine print, you are boned.

Secondly, I for one believe that Facebook and Twitter and other social media entities sold data to GRU cutouts and they should be taking more responsibility henceforth. I know that Facebook has made efforts to control ad buys and such but really, they hold the keys and unless they vet every application and client, well, it could happen easily again. Zuck needs to grow up and stop the fuckery. His platform is now a weapon and our privacy is the ammunition. I also think that everyone should consider leaving the platform because they hold too much of your data that can be abused. Until such a time as they take this seriously I would not invest the time on them.

Thirdly, I have to wonder just how much information was being passed between CA and Trump/Bannon/etc that made it to the GRU. There are more than a few Russians in the CA constellation that could have been leveraged by the Russians but until some thorough investigation is done it is hard to tell what happened here and at what scale. I do find it interesting though that at least the Facebook data and tools were leveraged and wonder how much was direct buy from GRU cutouts as opposed to passed on perhaps by assets within the Trump campaign itself.

Time will tell but in the meantime here is some data for you all to Mueller.

K.

Written by Krypt3ia

2018/03/25 at 15:00

Posted in .gov, Propaganda, PsyOPS

2018: Active Measures and Hybrid Warfare Possibilities


With 2018 just hours away I thought I would add to the cacophony of posts on what you might see in the year to come, but in my case this is the black swan edition of NATSEC for the new year. There will be in my opinion no way that the Russians up the ante on active measures and hybrid warfare on the United States in the next year especially since there will be elections for Congress. Elections that will likely lessen Russia’s grip on the country if the Democrats can actually be a majority and control the possible investigations that are ongoing today.

Of course even if there weren’t an election coming the Russians and possibly others would still continue to stoke the active measure fires because it serves their ultimate purpose of making the US inert politically on the world stage. The whole point of these actions is to divide us and to lessen our ability to counter Russia in their global machinations. Overall, it is likely to be a wild ride next year and this primer may help you comprehend what might actually be happening.

Definitions

Active Measures Definition: (Russian: активные мероприятия) is a Soviet term for the actions of political warfare conducted by the Soviet and Russian security services (Cheka, OGPU, NKVD, KGB, FSB) to influence the course of world events, in addition to collecting intelligence and producing “politically correct” assessment of it.

Information Warfare Definition: Information warfare (IW) is a concept involving the battlespace use and management of information and communication technology in pursuit of a competitive advantage over an opponent.

Propaganda: Information, especially of a biased or misleading nature, used to promote or publicize a particular political cause or point of view.

Kompromat: Literally “compromising material”. In Russian politics, kompromat is damaging information about a politician or other public figure used to create negative publicity, for blackmail, or for ensuring loyalty.

Hybrid Warfare Definition: Hybrid warfare is a military strategy that blends conventional warfare, irregular warfare and cyberwarfare. … There are a variety of terms used to refer to the hybrid war concept: hybrid war, hybrid warfare, hybrid threat, or hybrid adversary (as well as non-linear war, non-traditional war or special war).

The Players:

I want you all to consider that it will not only be Russia playing “Patriot Games” *wink wink* with us all in 2018, but also the other players who likely will be part of the larger picture here. Russia is a given, but as we have seen of late, the GOP seems to be playing much of the same cards that the Russians have against us in the last couple years. The GOP has taken their playbook and augmented it with Trump’s particular brand of crazy as well. Ultimately we have gone through the looking glass because the Russians’ active measures worked. We are now in a “post truth” and “alternative facts” universe which has caused many unable to parse out the reality of things to just either shut down or buy into their narratives whole hog.

  • Russia: will continue to attack reality and cause more fissures within our people and our government.
  • GOP: Will adapt the Russian and Trumpian playbook as well. They have done plenty of dirty tricks in the past, but now, they are armed with a tactical info nuke.
  • Third Parties: China, Iran, others, all will have their reasons to continue and extend the fissures and use them to their advantage.

There are many players who may want to get in on this game to serve their own purposes. Remember this as you try to sort all of it out as it happens.

Attacks

So I am going to throw out some scenarios or attack models here for you to consider. Some or all of these may happen in 2018. Maybe none will happen… Who am I trying to kid here! In any case, consider these as possible attacks and you may even see variations on these themes.

Sub Operations: HYBRID WAR

As we have seen a recent uptick in this activity already, and I am not sure of our SOSUS capabilities anymore, we have to consider that attacks may come from these little sub visits. Now, if you are up on your sub history, the Jimmy Carter (SSN-23) was one of the subs that tapped RU comms. As we have tapped post SORM traffic, the Russians are likely doing the same with the fiber that is on the bottom of the ocean as well. These kinds of listening operations are pretty standard, but consider now that the Russians having stepped this up might signal more possible scenarios. By shaping traffic, cutting traffic, or injecting things into it, the Russians could have quite the little advantage.

  • Subs intercepting (tapping) traffic
  • Subs’ ability to leave a dead man’s switch or active kinetic measures to cut cable
  • Subs tapping allowing to add data to streams and or advance hacks

Hacks and Disinformation Operations: INFOWAR

The hack on the DNC servers was a pretty standard affair using phishing mails and then exploitation of the systems therein once they got a foothold. What data was exfiltrated though, and how it was parsed out and weaponized was the old new trick the US could not foresee evidently. The Russians have been carrying out this kind of warfare for years on Estonia and Ukraine as well as other countries that they feel the need to destabilize. We saw a fair amount of this in our election cycle in 2016 and you should expect more in 2018. In fact I would hazard to say that the operations are already in progress and data is being collected even as I type this.

  • Hacks on news systems
    • Insert fake stories to cause chaos and to delegitimize the org
    • Cause chaos and uncertainty (broadcast primarily but also news sites like CNN’s page)
  • Hacks on EAM systems (Emergency Action Message): There have been recent hacks on these systems by hackers, but imagine a nationwide alert set by Russia?
    • Cause panic
    • Cause DoS on telco and other systems
    • Spur over action by government and populace
    • BGP re-routes
      • Ability to disrupt news
      • Ability to disrupt C&C
      • Ability to insert data into C&C
  • Leaks
    • More governmental leaks
    • Personal leaks (kompromat)
    • Leaks of doctored documents (Disinformation Operations)
  • Troll armies
    • Twitter
    • Facebook
    • News sites
    • Comments sections
      • As we saw on the Net Neutrality comment site, these attacks can be leveraged against any public comment topic. So imagine it being used on the White House site (that is if the Trump admin hadn’t basically killed that function already)
    • Radio commenters
    • AM/SW radio broadcasts

HUMINT/Asset Recruitment

Ah yes, one of my favorite categories… As an old school guy who was around before the computer was so ubiquitous, this form of espionage was the thing. Of course the NSA had signals intel, radio, bugging, etc, but good old human assets can do quite a bit and should still be a thing. Today I would say that in tandem with the active measures attacks that we have seen and will see in 2018, you can count on more human assets being activated. These can be trolls that are real people who take on personae online as well as players within the system who have been recruited or turned.

  • Asset recruitment of GOP players
  • Asset recruitment of proxy group individuals
  • Kompromat use

Kinetic Attacks by Proxy Operations

Kinetic attacks are not as likely but given that things are getting out of hand, and may get even more out of control, I thought it prudent to add this. What I mean by kinetic attacks by proxies is simply that the actors could incite groups and individuals to violent action. We saw in 2017 the Nazi (alt-right) movement’s rise and in that, we saw violence perpetrated as well as at least one death by a Nazi running down a protester. This type of activity is standard operations really in the history of espionage and active measures both by Russia and by the US. If you doubt the US has done such things you should look up our interventions in South America in the past.

  • Insert proxy actors to actualize physical attacks
  • Use groups like KKK and others to initiate more kinetic actions like bombings and confrontations
    • Cause over reaction on the populace’s part
    • Cause over reaction by local and federal governments
      • Over reactions like martial law or other types of crack downs
      • Likely to cause further surveillance tactics and programs

Digital Attacks That Lead To Kinetic Results

And the attack du jour of late, the cyber attacks that cause kinetic effects! Honestly there is no evidence of there being a possible wide scale attack being carried out successfully on the US grid, but, there is always a chance. Of course smaller scale attacks in regions could be possible and carried out to great effect. The effect I speak of would be to perhaps hinder voting, but more so to sow chaos and uncertainty in the population. If you strike the right balance, you could even tailor an attack to lead people to a certain political actor as they run a narrative that gives assurance of reciprocity etc.

I know, now it’s sounding all Manchurian Candidate huh? Well, look at Trump and what happened and then think about it again. He has been pretty much using the Russians’ playbook that he was given by Putin so it’s not so inconceivable.

  • Power: Power goes down
  • Water: Water stops flowing or becomes tainted
  • Telco: Cells go down
  • Media: No news in an emergency with any of the other situations people will freak
  • Internet Infrastructure (as mentioned above in attacks on cables) No communications, freaking populace

Well, those are some of the scenarios I can foresee. I am sure there will be plenty of others that I could not even imagine today. Suffice to say that we will be under attack again with more vigor specifically by the Russians and the GOP in hopes that they will keep their seats. All of us just need to strap in for the Krazy Ivan to come. Just remember to be judicious in your consuming of media and always think before you freak.

Happy New Year!

K.

Written by Krypt3ia

2017/12/29 at 22:19

Posted in .gov, 2018, Infowar

Blackberry Forward of Emails and Excuses for Firing the FBI Director


Given the events yesterday I am feeling like unburdening a little bit on the subject of the emails being forwarded by Huma Abedin to the laptop at home in the custody of Anthony (Carlos Danger) Weiner. One of the reasons for Comey’s firing ostensibly was about his mis-statements over the emails being sent to the Weiner laptop that he opened the can of worms on and helped lose the election for Hillary (not the only reason people!) as they say. The fact of the matter is now everyone is saying that Huma’s emails were auto backed up and that the term “sending” them is a misnomer in a way because the then director had said she was forwarding them for printing out by Anthony or her at home. Let me stop you all right there and say there is no difference. The intent of forwarding the emails or backing them up to an email address accessed by or directed to that personal laptop is the key here. Someone had to set that up right? It was something that did not evolve by itself and just came into being!

The issue here is the semantics of language and perhaps comprehension of how things work in the cyber. Comey made a mistake in wording but the basis of the argument stands. Why was she forwarding or backing up all data to that laptop or account outside of the government systems appropriate for this series of email? This is the question you all should be asking and once again it was against protocol and yes there were emails in there that later were deemed to contain classified information. This makes it an issue and it was something that needed to be looked at. Now, as to how it was announced, well that is a judgement call on the part of the director and perhaps a bad one. I honestly listened to his testimony and saw both sides of the issue as well and there was no good answer here.

Now though the director has been fired in a most unceremonious way and all of this smells bad with regard to the RussiaGate investigation and abuse of power. Let’s not allow Trump to skew this one thing amongst all the others into a reason for his firing a direct threat to his presidency. The real truth is that Huma was sending email to a non secure site/system and that was the crux of the issue. Director Comey’s description of this incident has little to do in my opinion with his summary dismissal of the director.

K.

Written by Krypt3ia

2017/05/10 at 13:05

Posted in .gov, FUCKERY