Mar 10, 2020

Analysis | The Cybersecurity 202: Intelligence community faces an uphill battle combating leaks after mistrial in Schulte case

By Joseph Marks

The floor of the main lobby of the CIA in Langley, Va. (Andrew Harnik/AP)
Federal prosecutors’ failure to convict an accused CIA leaker on the most serious charges is going to make it a lot harder for intelligence agencies to punish employees and contractors who spill their secrets.
Joshua Schulte was charged in what CIA officials called the largest leak in the agency's history, which they said caused “catastrophic” damage to national security. He allegedly passed a trove of digital tools the agency used to hack into smartphones, televisions and other household electronics to WikiLeaks, which the group published in 2017 and dubbed “Vault 7.”
But jurors in a Manhattan courtroom deadlocked on the most serious charges, convicting him only of making false statements to investigators and contempt of court, as my colleagues Shayna Jacobs and Shane Harris report. The judge in the case, Paul Crotty, declared a mistrial on the remaining eight charges and the government is expected to try again for a conviction. A conference is set for March 26 to discuss next steps in the case.
The failure to convict Schulte was especially damaging because the intelligence community has made substantial efforts to protect its data from leaks since NSA contractor Edward Snowden released reams of sensitive data in 2013. Agencies have also developed new methods to track who is accessing specific pieces of classified information so they can quickly identify and punish the culprit.
And yet there wasn’t enough of a digital trail to convince jurors that Schulte was guilty beyond a reasonable doubt. 
“Basically, a lot of jurors came in assuming that classified networks have all this great auditing and this case shows that — at least in some cases — they don’t,” Jake Williams, a former NSA hacker and founder of the cybersecurity firm Rendition Infosec, told me.
The verdict should raise serious questions for the public about how well the intelligence community is protecting the rest of its secrets, Williams told me. “It’s certainly not inspiring for public confidence,” he said.
The verdict could also be damaging to the government’s argument in the encryption debate, Williams said. The Justice Department is arguing it should have special access to otherwise encrypted communications on digital messaging services to track terrorists and child predators. But cybersecurity experts fear any backdoor used by law enforcement could also be exploited by criminals.
“The government is saying ‘Don’t worry, we can keep this stuff safe.' And this really damages their claims,” he said.
Prosecutors are far from finished with Schulte, however, and just because this jury couldn’t agree on a verdict doesn’t mean the next one won’t. 
“The mistrial on the counts at issue here was more likely attributable to the jury’s specific assessment of the evidence as a whole than it was to the particular characteristics of a leaks case,” David Laufman, who previously oversaw leak investigations and prosecutions as chief of DOJ's counterintelligence and export control section, told me.
Laufman, who’s now a partner at law firm Wiggin and Dana, declined to discuss the specifics of the Schulte case. But he doubted "this particular outcome will have any meaningful impact on the government’s willingness to bring leak prosecutions in the future where it believes the admissible evidence warrants prosecution.”
Prosecutors will be able to retool their case during a second trial to make it more convincing.
“A trial in front of a jury is a complex thing and there are many factors at play,” Marcus Christian, a former federal prosecutor who now focuses on cybersecurity and data privacy cases with the law firm Mayer Brown, told me. “Sometimes you have a case that ends in a mistrial, and you try again and can get a fairly quick verdict.”
Prosecutors portrayed Schulte as a disgruntled former employee and presented extensive evidence — including testimony from former co-workers who appeared under pseudonyms and with limited media coverage of their testimony.
Schulte’s attorneys, however, argued the government could never prove he gave the hacking tools to WikiLeaks because other CIA employees had access to the same network the tools were allegedly stolen from.
“The bottom line is this: because the system was insecure, because the system was poorly monitored, the government cannot know, and it certainly cannot prove to you which of the many people with access to this information committed this crime, when they committed it, or how they did it,” Sabrina Shroff, Schulte’s lead defense attorney, said in her closing argument.
The case was also something of a test for the government because Schulte was the only one of several high-profile leakers during the past several years to face a civilian jury.
DOJ charged Snowden with crimes including violating the Espionage Act and theft of government property. But he’s living in Russia where he won’t face extradition. Another NSA contractor, Reality Winner, pleaded guilty to unauthorized transmission of national defense information and was sentenced in 2018 to five years in prison. Former Army intelligence analyst Chelsea Manning was convicted at a court-martial in 2013 for disclosing data to WikiLeaks, but President Obama commuted her sentence in 2017 after she served seven years.
Schulte had left the CIA for a job in New York City by the time WikiLeaks began publishing the trove of hacking tools in March 2017. But investigators traced the breach to when he was still employed in the agency’s Engineering Development Group.
He was arrested after FBI investigators found evidence of child pornography on his computer, including more than 10,000 photos and videos, prosecutors alleged. It was more than nine months later that Schulte was formally charged in the leak case. He’s awaiting a separate trial on the child pornography charges, to which he has pleaded not guilty.
Laufman, meanwhile, said he’s not concerned the failure to convict Schulte will make other intelligence community employees likely to leak more of the government’s secrets.
“I doubt the mistrial on the pertinent counts here will meaningfully erode future deterrence against leaks, as few leakers relish the prospect of criminal prosecution,” he said.


Two teenagers on smartphones. (istock)
PINGED: Whisper, a once-popular app that promised users they could share their secrets anonymously to a network of other users, left the intimate confessions of hundreds of millions of people exposed online, my colleague Drew Harwell reports. The data included users’ ages, precise location coordinates and other details that cybersecurity researchers worry could lead to them being publicly humiliated, targeted for harassment or blackmailed. 
Millions of the records found by researchers belonged to children. The data included location coordinates from users’ last posts, many of which traced to specific schools, workplaces, military bases and residential neighborhoods. The confessions included deeply personal information, such as users' sexual orientation, confessions of adultery and posts about suicide. 
“This has very much violated the societal and ethical norms we have around the protection of children online,” researcher Dan Ehrlich told Drew. “No matter what happens from here on out, the data has been exposed for years. [People could] have their lives ruined and their families blackmailed because of this.”
Researchers found the exposed data on a non-password-protected database open to the public, which they shared with Drew. They also alerted federal law enforcement officials and the company about the vulnerability. The researchers said they shared their findings with human rights groups for fear the exposed data could have been abused by government officials or spies.
Shortly after researchers and The Post contacted Whisper on Monday, access to the data was removed. The company did not respond to multiple requests for comment.

Facebook logo. (Gabby Jones/Bloomberg News)

PATCHED: Australia's top privacy watchdog is suing Facebook for violating the privacy of more than 300,000 Australians by sharing their personal data with the political profiling firm Cambridge Analytica, Maggie Miller at the Hill reports.
Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy, Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement.
The case is now pending in Australian court, where the government is seeking a monetary penalty. Facebook told the Hill that the company had “actively engaged” with the Australian government on improving privacy protections for the past two years.
Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission in July for the Cambridge Analytica scandal. The social media company agreed to overhaul its consumer privacy practices as part of the agreement.

WhatsApp is displayed in the App Store. (Andrew Harrer/Bloomberg News)

PWNED: The Israeli spyware company NSO Group is finally responding to a lawsuit from Facebook after a federal judge in California entered a default judgment against the company for allegedly helping its government clients hack Facebook’s WhatsApp service to spy on their citizens. 
NSO, which previously hadn’t shown up at court, is asking the judge to vacate that ruling and is asking for an additional 120 days to respond to Facebook's lawsuit, according to court documents.
The case marks the most significant effort to date to hold companies that sell hacking tools accountable for how those tools are used by government clients. NSO’s client list included numerous autocratic states that researchers say used the tools to spy on journalists, dissidents and members of civil society.


Cybersecurity news from the public sector:

A senior U.S. envoy on Monday pressed Canada about Ottawa’s forthcoming decision on whether to allow China’s Huawei Technologies to take part in its 5G network, a move Washington opposes, officials said.

The Department of Health and Human Services (HHS) introduced two new rules on Monday that are aimed at giving patients more secure access to and control over their health data.
The Hill

Edward Raff allegedly subscribed to a database of leaked and hacked personal information to forward himself sexual photos of women.
The Daily Beast


Cybersecurity news from the private sector:

The U.S. semiconductor industry is pressing to get out of the firing line between the U.S. and China, warning its position as the global market leader could become a casualty of the trade spat.
The Wall Street Journal

The therapy app sent the security researcher a cease and desist letter for his blog post describing a website bug.


Cybersecurity news from abroad:

Tory doubters invited to meeting with senior security expert in effort to allay fears
The Guardian

ENTSO-E, which ensures coordination of European electricity markets, said Monday that its IT network had been compromised in a “cyber intrusion.”
