A FOIA request made ten months ago (Case 60495C) has just released a 1998 “Unknown Author, draft history of COMPUSEC” from the NSA

Example of the kind of details to be found:

ON THE POLITICAL FRONT… in 1966, a Democratic Congressman from New Jersey, Cornelius Gallagher, chaired a special subcommittee of the House of Representatives Government Operations on the invasion of privacy. The hearings were the first of their kind regarding computer technology and the need to establish ethical and legal protection as well as technological safeguards for certain computer applications. They would not be the last!

The purpose of the hearings were to establish a “climate of concern” in regard to the Bureau of the Budget proposal for establishment of a data bank. The bank would combine all personnel and business files that were maintained by different government agencies.

The document then makes reference to one such result of the “climate of concern”: a February 1970 publication by the Department of Defense called Security Controls for Computer Systems.

Gallagher’s Invasion of Privacy Subcommittee was meant to ensure “that the Government computers do not provide the means by which federal officials can intrude improperly into our lives.” He then tried in 1969 to create a Select Committee on Privacy, Human Values, and Democratic Institutions, which failed in a 1972 political power struggle.

House committees and their chairmen do not react lightly to potential incursions on their jurisdiction, Mr. Gallagher of New Jersey discovered last Tuesday when the House defeated his resolution that would have created a select committee on privacy, human values and democratic institutions to look into potential invasions of privacy by government and industry. Mr. Gallagher’s resolution drew the opposition of Representative Emanuel Celler, Democrat of Brooklyn and chairman of the House Judiciary Committee, who argued on the House floor that his committee already was dealing with the issues that would have been handled by the new committee. Mr. Celler’s view prevailed, and Mr. Gallagher’s proposed committee was rejected, 216 to 168, with 20 New York Representatives voting with Mr. Gallagher and 18 New Yorkers siding with Mr. Celer, the dean of their delegation, and voting against the proposed committee.

In reality the committee on privacy was torpedoed by the FBI. Equifax (then known as the Retail Credit Corporation) was a staunch ally of J. Edgar Hoover. The FBI mined the data bank for background checks on their agents.

More importantly, however, Hoover or the Treasury department blackmailed and destroyed political careers of anyone who dared attempt to investigate either commercial or political privacy problems in America.

Indeed, Gallagher faced a barrage of false allegations and fraudulent claims from Hoover to block any attempts to investigate government privacy abuses. In one infamous case Hoover tried to pressure Gallagher to frame the FBI’s illegal bugging of MLK as a Kennedy plot.

Mr. Gallagher said his troubles with the F.B.I. began in June, 1966, when as chairman of a House subcommittee on invasion of privacy, he refused to sign a letter to then Attorney General Nicholas Katzenbuch demanding copies of “the authorizations for the illegal bugging” of the late Rev. Dr. Martin Luther King Jr. “and of the casinos in Las Vegas.” He said Mr. Cohn, a personal friend, had dictated the letter for his signature and had urged that it be forwarded.

[…]

“He told me that Mr. Hoover was very upset about the statements being made by Mr. Kennedy about widespread illegal wiretapping, eavesdropping and bugging and that Mr. Hoover was sick and tired of being made the sole brunt of that kind of criticism. He stated that Robert Kennedy had authorized those two activities by the [F.B.I.] and that Mr. Hoover was furious with Senator Kennedy, who was blaming it on Mr. Hoover.”

The core of this debate really was civil rights when you look at who experiencing privacy violations by the FBI. Consider that Gallagher’s concerns were being aired just as FBI wiretaps and bugs targeting MLK were believed to have violated the privacy rights of over 6,000 people by 1968.

In case you haven’t heard the story, here’s a brief recap:

Hoping to prove the Rev. Martin Luther King Jr. was under the influence of Communists, the FBI kept the civil rights leader under constant surveillance. The agency’s hidden tape recorders turned up almost nothing about communism.

In fact, recordings turned bore the opposite truth, that MLK privately referred to communism as…

…an alien philosophy contrary to us.

It probably is important here to mention, therefore, that this very secret NSA history of Computer Security document made no mention anywhere of these core issues of American civil rights or the surveillance of black political leaders. And there’s only one mention of the FBI:

…the FBI file contained unsubstantiated gossip against many individuals…

Ok to be fair there are two mentions, but the other one is about the Soviets controlling an asset inside the NSA to expose intelligence information (an early Edward Snowden).

See also:

• My post about a $180K Grant in 1966 to setup Automated License Plate Readers (ALPR) for New York Surveillance
• My post about the 1971 federal government plotting IoT/Drone surveillance of Americans and planting devices around the White House and Nixon’s Florida home.

The following “other considerations” are mentioned in a passage on how to choose a “containing force” leader for regions dealing with terrorism. It’s on page 9 of Readings in Counter-Guerrilla Operations, US Army Special Warfare School, April 1961:

The local commander may be overfamilar with his surroundings and somewhat contemptuous of the emergency. He may be reluctant to adopt “face-losing” precautions, and he will tend to underrate the terrorists. In company with some members of the administration and the police he may resent the emergency as a personal setback and the arrival of reinforcements as a slur on his own capabilities. So the appointment of commanders must be balanced between the qualities of the “new broom” and the “old hand,” and it is important that a right choice should be made.

An anti-semitic journalist named Paul Ferdonnet exiled himself in the late 1930s to Nazi Germany and was believed by French intelligence to be the broadcast voice of Radio-Stuttgart.

Ferdonnet had risen to fame by fraudulently boasting in French that Hitler was interested in peace and that Britain was no ally of France.

He typically tried to start propagandist campaigns with catchy fraudulent phrases like “Britain provides the machines, France provides the bodies”.

After WWII ended he was tried, convicted and executed by France as a war criminal. His allegiance was with personal power and hate, not his own country, population or its democratic institutions. Getty image from court:

Embed from Getty Images

I made reference to Radio-Stuttgart in my surprisingly popular earlier post about modern hidden symbols of racism.

A news story breaking today titled “Russian operation masqueraded as right-wing news site to target U.S. voters” reminded me of Ferdonnet:

NAEBC has been active since late June and built a small network of personas on Twitter and LinkedIn – some of which used computer-generated photographs of non-existent people – to solicit articles from followers and freelance journalists, according to the Graphika analysis here.

Nimmo said the accounts failed to attract any significant following with many posts only receiving a handful of shares, but got more traction on Gab and Parler – two social media platforms favoured by right-wing users for their lax approach to content moderation.

Paul Rockwell, head of trust and safety at LinkedIn, said his company had previously suspended three NAEBC accounts. “This is part of our regular work to actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors,” he said.

Facebook said it had stopped one attempt to create an NAEBC account and blocked the website from being shared on its platforms.

Twitter declined to comment. Before being contacted by Reuters, the company had already suspended NAEBC’s main account and an account in the name of Nora Berka, as well as blocking the NAEBC website address as a “potentially harmful” link.

A spokeswoman for Parler said the company was not aware of NAEBC and had not discussed the activity with law enforcement. Gab did not respond to a request for comment.

There undoubtedly have been deaths in the past caused by computer attacks. I once made a list of physical impact from network and system attacks going back to 1992.

What has just changed is someone is willing to go on the record saying a death happened and was directly related to computer security.

We know, for example, that hospital outages and patient deaths have been in warnings posted to American mainstream news since at least 1983:

By comparison, the latest news coming from Europe is that a delay in care due to ransomware has caused a particular patient’s death and that it should be treated as negligent homicide.

…ransomware attack crippled a nearby hospital in Düsseldorf, Germany, and forced her to obtain services from a more distant facility…

That’s is less news to me and more a chilling reminder of the talk I gave in 2017 in London about preventing ransomware attacks in healthcare.

As someone who parachuted into the front-lines of solving this burning problem at massive scale (personally leading significant security enhancements for the database company most affected by ransomware attacks — infamously insecure MongoDB) I have many thoughts.

Many, many thoughts.

Suffice it to say here, however, when I was building and running hospital infrastructure in the 1990s my mindset about this risk wasn’t much different than it is today.

If anything, it seems to me we’re seeing healthcare industry becoming more honest with the public about its hidden operational risks.

Reading news that an arsonist burned a hospital down — forcing a fatal diversion of patients — should prompt people to ask if failing to install sprinklers is negligence.

And then people should ask if a hospital construction company was building them with sprinklers that were optional or even non-operational, and whether THAT was negligent.

Those are the deeper questions here.

While there are cases of people driving around in circles intentionally to kill the person they’re supposed to be taking to the hospital (e.g. assassination, even more than negligence), they seem a targeted exception risk rather than the pattern.

It is a hospital’s burden of high availability (let alone a region or network of hospitals like the NHS) to plan for intentional low capacity (and their vendors’ responsibility) that should remain the focus.

Update Sep 28: A reader has emailed me an important reference to the case United States v. Carroll Towing Co., 159 F.2d 169 (2d. Cir. 1947), which formed a test to determine negligence (Burden greater than Loss multiplied by Probability).

It appears from the foregoing review that there is no general rule to determine when the absence of a bargee or other attendant will make the owner of the barge liable for injuries to other vessels if she breaks away from her moorings. However, in any cases where he would be so liable for injuries to others, obviously he must reduce his damages proportionately, if the injury is to his own barge. It becomes apparent why there can be no such general rule, when we consider the grounds for such a liability. Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner’s duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i. e., whether B > PL.