MAGA's NSA Purge Will Get Messy

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by RunZero.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Fallen head

The politically-motivated dismissal of the head of both NSA and US Cyber Command will be extremely damaging to the agencies, their relationships with allies and for US national security.

General Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Donald Trump. The NSA's civilian deputy, Wendy Noble, was also removed, together with five National Security Council staff. Per The Washington Post:

Far-right activist Laura Loomer advocated for the firings during a meeting with President Donald Trump on Wednesday, she confirmed to The Washington Post on Thursday evening.
In the meeting, Loomer, a fervent Trump supporter, pressed for the dismissals of a number of officials besides Haugh and Noble — in particular, National Security Council staff whose views she saw as disloyal to the president.

On X, Loomer claimed Trump responded to her call for the firings:

NSA Director Tim Haugh and his deputy Wendy Noble have been disloyal to President Trump. That is why they have been fired. 
Thank you President Trump for being receptive to the vetting materials provided to you and thank you for firing these Biden holdovers. 

Apparently Trump invited Loomer to meet him in the Oval Office, but we have no idea why.

The justification Loomer cited in her post was that Haugh was "HAND PICKED" by General Mark Milley. Now retired, Milley was chairman of the joint chiefs of staff during Trump's first term. He has since become a Trump critic, calling him "a fascist to the core".  

Loomer described NSA deputy director Wendy Noble as "his [Haugh's] Obama loving protege" and a "Trump hater who was nominated by JOE BIDEN". 

Haugh has had a 34-year career in the Air Force and held several previous roles that made him well-qualified for his dual-hat role as head of NSA and Cyber Command. These included director of intelligence at Cyber Command, commander of the Cyber National Mission Force and head of the Air Force's information warfare and cyber unit.  

Sources tell Risky Business that potential replacements as NSA director are Ezra Cohen and Trae Stephens. 

During Trump's first term, Cohen worked in various defence and intelligence roles, including in the National Security Council, the Pentagon, and the Office of the Director of National Intelligence. In 2020, The New York Times described Cohen as "a hero figure to anti-establishment Republicans and believers that a so-called deep state in United States intelligence agencies was out to topple Mr. Trump". Cohen now works at Oracle. 

Stephens is a general partner in Peter Thiel's Founders Fund and is a co-founder of defence technology startup, Anduril. In 2016 Stephens was in Trump's defense department transition team. He was reportedly considered for the deputy secretary of defense position in this Trump administration.   

In contrast to Haugh, these potential replacements are sorely underqualified. Of course, when it comes to selecting people to serve in his administration, personal loyalty to Trump is far more important than domain expertise or competence. 

Significantly, neither candidate is a military officer. This suggests the administration will end what is known as the 'dual-hat' arrangement, where the military head of US Cyber Command also serves as the head of the NSA.

Debate about whether to end the dual-hat leadership structure has been ongoing since 2017 and there are reasonable arguments on both sides. 

But we suspect the finer nuances of these arguments are irrelevant to this administration's decision-making. It will endorse the split because it will allow Trump to install a political appointee as Director of NSA: a civilian who is personally loyal to Trump, rather than a uniformed military officer who has sworn an oath to the constitution.

That would undermine NSA and Cyber Command's effectiveness in multiple ways. 

Parachuting in a political appointee from private industry to replace Haugh, who has decades of military and intelligence experience, will result in a leadership gap.

An abrupt split between the NSA and Cyber Command will also create problems. Having a single shared leader meant a single decision-maker could assess and manage competing requirements for intelligence (NSA) and disruption (Cyber Command) operations. Haugh was in favor of the dual-hat arrangement and our piece from December last year explains the trade-offs between these different types of operations.

In the long term, with the right structures in place, Cyber Command and NSA probably could be effective with separate leaders. However, that would require a plan, rather than an ad hoc transition to new leadership arrangements, kicked off by the appearance of an activist in the Oval Office. 

Haugh and Noble's firing will also affect personnel retention and recruitment. The intelligence community is traditionally nonpartisan. People join to protect the United States, not to support one political party over another. Even the perception that the organisation's mission has been compromised for political gain will diminish its appeal as an employer.

Finally, Haugh and his predecessors General Paul Nakasone and General Mike Rogers acted as a buffer between the Trump Administration and NSA's Five Eyes intelligence partners. They tried to reassure overseas partners about the strength of the special relationship despite US policies that strained broader relationships. The replacement of Haugh will be seen as a turning point in the Five Eyes partnership. 

Until now, NSA and Cyber Command had avoided being pulled into the revolving door of Trump personnel changes. It's a bummer that all it took for that to end was a meeting with a conspiracy theorist.  

The EU Is Losing Faith in America's Intelligence Promises

The Trump administration has signalled a walk back of a Biden-era Executive Order that sought to reassure the EU that the United States would only collect intelligence within Europe when strictly necessary. This will have big implications for American technology companies.

There's a long history of the US and EU building frameworks to permit transatlantic data flows to enable commerce. These frameworks also lay out expectations around US Intelligence Community (IC) practices, with the US making commitments that the EU takes on faith. That faith is now eroding.

Part of the current privacy framework, the EU-US Data Privacy Framework (EU-US DPF), was implemented by a 2022 Biden-era Executive Order: "Enhancing Safeguards For United States Signals Intelligence Activities".

At the time, we wrote that the goal of the Executive Order was to "square the circle and balance US national security requirements for signals intelligence (SIGINT) against European Union human rights protections". 

Two previous privacy frameworks, Safe Harbor and Privacy Shield, were struck down by the European Court of Justice in 2015 and 2020 respectively for failing to adequately protect users from US intelligence collection practices.

The Executive Order added new safeguards for US SIGINT activities and also set up a review and redress mechanism for EU citizens. It also created a Data Protection Review Court to which citizens from specific European states could complain if they felt their personal information was collected in violation of US law. 

The actual visible effect of the EO for EU citizens was limited. For example, responses from the Data Protection Review Court were classified, so complainants couldn't hope for much more than a boilerplate response saying that their issue had been resolved.

At the time, we wrote that the "US intelligence community (IC) doesn't spy on foreigners for funsies, and the entire point of the IC is to lawfully satisfy validated intelligence priorities".

For these reasons we described the EO as "a farce", but a good one. Both the EU and US wanted transatlantic data flows to be easy and clearly regulated. At the time they had more in common than set them apart. The US government and, to some extent, the European Commission were both bending over backwards to agree on explicit safeguards that were then accepted at face value.

In other words, the arrangement relied on trust. 

A Foreign Affairs article last week on "The Brewing Transatlantic Tech War" describes how the situation has evolved since the EO was issued. It also points out that the Trump administration has taken a chainsaw to the Privacy and Civil Liberties Oversight Board (PCLOB), which oversees the intelligence community and the EU-US DPF:

This arrangement made nobody happy but provided legal and political cover for flows of data across the Atlantic. Meta continued to operate Facebook in Europe, and companies such as Amazon, Google, and Microsoft were able to host Europeans' personal data on their cloud-computing platforms. For those companies, the stakes couldn't be higher. Google alone makes over $100 billion in sales in Europe.
That arrangement is now on the verge of disintegrating, with the operations of U.S. tech companies in Europe in serious jeopardy. The Trump administration has not only fired most of the PCLOB's members; it has also made clear in multiple ways that it will not comply with those legal rules that it finds inconvenient. The executive order is under review—but even if it formally stays on the books, no one trusts the Trump administration to abide by it.

We couldn't agree more. The EO has not formally been rescinded. But it may as well have been.  

Three Reasons to Be Cheerful This Week:

  1. Australia shuts 95 scam companies: The Australian Securities and Investment Commission (ASIC) has obtained court orders to shut down 95 companies after it found that they'd been incorporated with false information. ASIC thinks many of them were associated with online investment or romance scams and were set up to provide a "veneer of credibility".
  2. Bulletproof hosting hack and leaks: Persons unknown have hacked Media Land, one of the largest bulletproof web hosting providers and leaked internal data. The leaks include information on the company's customers, the services they used and what was hosted on the platform. Prodaft, a threat intelligence firm, believes the same actor is responsible for the February hack and leak of internal chats from the BlackBasta ransomware group. Chaos among criminal service providers is good news. Risky Bulletin has more coverage.
  3. Spain arrests deepfake scammers: Spain's National Police arrested six suspects for allegedly stealing over €19 million in cryptocurrency investment scams. The police say the group used ads with deepfake celebrity endorsements to lure victims.   

In this Risky Business News sponsor interview, Catalin Cimpanu talks with runZero founder and CEO HD Moore about the company's latest capability, a feature called Inside-Out Attack Surface Management that takes internal fingerprints and scans the internet to discover possible exposures.

Shorts

Anti-Spyware Efforts Continue Without US

Last week, in a continuation of what is known as the Pall Mall Process, 21 countries signed up to a voluntary code of practice to combat the irresponsible use of commercially available spyware. It's easy to be cynical about voluntary codes of practice, but this is nice, we guess?

For us the most significant thing is that the US is no longer a signatory, despite having signed up at the first meeting. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the idea of ‘false scarcities’ in cyber security. Are bugs and talent rare? Or is our thinking blinkered?

Or watch it on YouTube!

From Risky Bulletin:

Chinese info-op targeting Canadian elections: A Chinese info-op is trying to influence the political views of Chinese communities in Canada ahead of the country's upcoming federal election. The campaign is taking place on WeChat, an app used by Canadian-Chinese citizens to keep in contact with family members at home. The info-op is attacking Mark Carney, the prime minister candidate for Canada's Liberal Party. Canada's election task force has linked the campaign to the Chinese Communist Party's Central Political and Legal Affairs Commission (CPLAC).

Hackers hit Australia's superannuation pension funds: A wave of credential-stuffing attacks targeted Australian pension funds last week, resulting in the theft of some customer retirement funds.

The attacks targeted superannuation accounts, a private pension fund system used in Australia where employees store money that is made available to them when they retire.

Five major superannuation pension funds confirmed the attacks.

The Australian Retirement Trust, AustralianSuper, Hostplus, Insignia Financial [PDF], and Rest said they saw attacks on their online customer portals.

Not all organizations provided technical details about what happened, but AustralianSuper said the attackers used "stolen passwords to log into [customer] accounts" and attempt to steal funds.

[more on Risky Bulletin]

Android looks set to get its own Lockdown Mode: Google has been secretly working on a new super-secure mode for Android that's inspired by Apple's iPhone Lockdown Mode.

According to a placeholder documentation page and based on analysis of Android beta images, the new feature is named the Android Advanced Protection Mode (AAPM).

Just like Lockdown Mode, the AAPM is not intended for regular Android users and was specifically designed for high-risk individuals who may face threats from oppressive regimes, advanced spyware, and rogue network surveillance attacks.

[more on Risky Bulletin]