Themis: Looking at the aftermath of the HBGary Federal scandal

In the aftermath of the HBGary Federal hack, there are still questions and concerns surrounding the actions taken by the government intelligence firms, collectively known as Team Themis, and the law firm Hunton & Williams. While examining current events, and looking back at Team Themis, it’s clear that politics can be a dirty game to play.

In February, two major stories developed in the wake of Anonymous’ attack on HBGary Federal. The common thread between them was Hunton & Williams, a large law firm with strong political connections, and Team Themis.

First there was the story The Tech Herald broke concerning WikiLeaks, where Team Themis created plans to stop WikiLeaks by targeting supporters and journalists. The second story, broken by ThinkProgress, centered on a plot to target unions and political opponents, including families, by the U.S. Chamber of Commerce.

Team Themis consists of HBGary Federal, Palantir Technologies, and Berico Technologies. Both Berico and Palantir have distanced themselves from the plots, and denounced their implications. Aaron Barr resigned his post as CEO of HBGary Federal to focus on family and rebuilding his reputation.

However, those actions did little to placate critics, and House Democrats called for hearings on Team Themis. Earlier this month, Rep. Hank Johnson (D-Georgia 4th District), as well as 19 others, called for a Congressional investigation into the actions of Team Themis to determine if the contractors violated any federal laws.

The request by Rep. Johnson and the others resulted in a hearing for the Armed Services Committee, where General Keith Alexander, the director of the NSA, and Dr. James Miller, Jr., the deputy under secretary of defense for policy, were asked to hand over copies of any contracts that may have been signed with the three Themis companies.

Hunton & Williams has remained silent when it comes to their involvement with Team Themis. However, some of their intended victims have been rather vocal, including StopTheChamber and VelvetRevolution, who filed a disciplinary complaint against the law firm’s top talent.

The complaint charged Hunton & Williams with conspiracy, noting that the firm “…counseled three of its investigative private security firms to engage in domestic spying, fraud, forgery, extortion, cyber stalking, defamation, harassment, destruction of property, spear phishing… identity theft, computer scraping, cyber attacks, interference with business, civil rights violations, harassment, and theft...”

Corporate Information Reconnaissance Cell (CIRC)

As reported by ThinkProgress, in October of 2010 Team Themis was approached by Hunton & Williams to develop a “complete intelligence solution” that would help them deal with legal investigations. Given the business opportunity, Team Themis developed a plan called CIRC. Emails leaked to the public have established that the U.S. Chamber of Commerce was part of the CIRC plan. However, other information lends evidence that Hunton & Williams had an additional client that could benefit form the group’s efforts.

In an email to Team Themis, it was disclosed that Hunton & Williams had a client that was being targeted by a labor union in order to “extract some kind of concession or favorable outcome.”

“They suspect that this entity is running a public campaign against their client by coordinating the actions of hundreds of seemingly separate entities to create a negative public impression of the client. The ultimate goal would be to extract the concession under duress – essentially extortion in their view. They haven’t told us the name or nature of the client, so I can only guess at what this means,” the leaked Team Themis email explains.

The communication goes on to detail what the law firm expected of the three intelligence contractors. In short, they wanted to trace the labor union’s actions from the board of directors all the way down to the individuals taking part in any campaign.

“They seek to understand the true nature of the campaign and its command and control structure in order to expose the fact that the client is dealing with a single entity rather than a true “grassroots” campaign. They further suspect that most of the actions and coordination take place through online means - forums, blogs, message boards, social networking, and other parts of the [Web]...”

Team Themis proposed that they could develop “a corporate information reconnaissance service” that would aid Hunton & Williams’ investigations with the “collection of information on target groups and individuals that appear organized to extort specific concessions through online slander campaigns.”

Hunton & Williams has a Cyber-Investigations Group, which according to the firm, is staffed by attorneys with substantial experience with information security and internal investigations. Moreover, Hunton & Williams has the subsidiary TurnStone Investigative Group, filled with investigators “who detect and unearth critical information”.

It looks as if Team Themis was not actually developing intelligence on their own; they were augmenting the data collected by other departments within Hunton & Williams. Based on the email records, it’s clear that Team Themis was able to gather more raw intelligence than the law firm could. The idea was to combine the two data sources into something larger and easier to manage.

Again, while the U.S. Chamber of Commerce was part of the CIRC design, a recent lawsuit filed by Hunton & Williams suggests that another client of theirs was also going to benefit from Team Themis’ work.

RICO - A tool for employers to use when faced with corporate campaigns

In 2009, Hunton & Williams attorney Greg Robertson published a paper on using the Racketeer Influenced and Corrupt Organizations Act (RICO) to combat campaigns organized by unions.

“While large-scale RICO litigation can be draining, the alternative of doing nothing, or simply responding with a traditional public relations strategy, can often be worse…RICO can be an answer for [employers] facing similar union campaigns…” Robertson’s paper explained.

Union struggles can turn into a messy ordeal, but there is no denying that unions have their place in the workforce. Often what happens is that a union might place pressure on a company to get it to allow their workers the right to unionize.

Usually, if pressure is applied, it is because the company has moved to prevent workers from organizing. The pressure can come from several areas, and these days the most common platform is social media and word of mouth.

Recently, the Service Employees International Union (SEIU) was hit with a RICO suit filed by Robertson on behalf of Sodexo, a services and catering organization based out of France.

Tom Mackall, Sodexo's VP of employee relations, who has taken a public role in fighting the SEIU organizing drive, is a former Hunton & Williams partner. Considering this, it is possible that Sodexo, an existing client of Hunton & Williams, was a second and unknown client that benefited from Team Themis’ work.

Responding to the suit filed by Hunton & Williams, the SEIU said the legal move was bogus litigation meant to deprive workers.

“It is not about which union represents Sodexo workers, but about whether Sodexo workers can bargain collectively at all,” a SEIU statement explained.

Around the time that Team Themis was working on plans for legal investigations, Hunton & Williams logged several hours online researching information on the Sodexo campaign. In November, when Team Themis’ project was heating up, the law firm spent nearly 20 hours crawling domains maintained by SEIU.

Sodexo’s RICO complaint aims to stop the SEIU from running their campaign, which has raised questions over health code violations and employee benefit problems. They accuse the SEIU of trespass, extortion, making threats against company executives, hacking a Sodexo website, and vandalism.

In a statement, Sodexo said that they recognize the value of union activity and has built positive relationships with more than 30 different unions.

“Despite this positive record, the SEIU has engaged in a vicious campaign to force the Company into broadly recognizing the SEIU to the exclusion of other unions without allowing its employees in the U.S. to exercise their right to vote for or against the SEIU in a federally supervised secret ballot election.”

Interestingly, a 2010 Human Rights Watch report said that despite claims of adherence to international standards on workers’ freedom of association, Sodexo has launched aggressive campaigns against some of its US employees’ efforts to form unions and bargain collectively. Sodexo managers have used many tactics that, while legal under US law, violate international standards requiring non-interference with workers’ organizing rights.

Emails show that Aaron Barr was feeding details to Hunton & Williams, in order to prove he was able to collect information. He included details on rivals to the U.S. Chamber of Commerce, but showed links between them and SEIU. Given that SEIU was already in Hunton & Williams’ crosshairs because of Sodexo, there is little doubt this information was viewed as helpful and used in this recent lawsuit.

Moreover, Change to Win is listed in the suit. This is noteworthy as Barr was researching them when he was looking into the U.S. Chamber of Commerce links.

In the court documents themselves, the listing of SEIU employees, their connections, and even links to social media profiles, paints a detailed picture of the union and their representatives. The supporting information on the people and actions involved in the case compiled by Hunton & Williams is eerily similar to the information Team Themis was able to organize.

To be fair, given the size of Hunton & Williams, and the fact they have two separate investigations groups internally, it’s likely they were mirroring Team Themis’ initial plans and developed the RICO case data on their own. Email records of the meetings to be held after February 14 do not exist.

Data intelligence and analytics

Palantir Technologies is the main workhorse when it comes to Team Themis’ activities. In proposals sent to Hunton & Williams, Team Themis said they would “leverage their extensive knowledge of Palantir’s development and data integration environments” allowing all of the data collected to be “seamlessly integrated into the Palantir analysis framework to enhance link and artifact analysis.”

In 2005, Palantir was one of countless startups funded by the CIA, thanks to their venture funding arm, In-Q-Tel. By 2006, In-Q-Tel had invested nearly $200 million in various startups since it was created in 1999. Most of In-Q-Tel’s investments center on companies that specialize in automatic collection and processing of information.

So powerful is the Palantir software, that the company turned a book of 700 biographical sketches of Al-Qaida fighters in Iraq into a treasure trove of information on the terrorists and the organization’s recruitment efforts. This data was used by the Combating Terrorism Center at West Point for two reports in 2007 and 2008.

Palantir has said that the actions of their employee, Matthew Steckman, who was central to the Themis operations, were not approved by the company. Matt Long, Palantir’s General Counsel, explained in an interview with Ars Technica that their internal investigations showed a junior engineer who “…allowed offensive material authored by HBGary to end up on a slide deck with Palantir's logo.”

“The stolen emails conclusively show that Aaron Barr from HBGary authored the content which was collated well past midnight for an early morning presentation the next day. This doesn't excuse the incident, but hopefully it brings much needed context to a context-less email dump.”

Yet, In-Q-Tel has other investments that companies like Hunton & Williams and the U.S. Chamber of Commerce would love to tap into. It’s just not clear if they would be able to. Some contracts with the government would block a contractor from offering their services to the public sector, and there are others where the contractor is free to offer them to anyone.

In-Q-Tel funded System Research and Development (SRD), a company acquired by IBM in 2005. SRD created NORA (Non-Obvious Relationship Awareness), a technology with a solid reputation in Las Vegas. Casinos would use the software for discovering the little connections between people. For example, NORA would tell casino management that a dealer is connected to someone currently winning big, say by sharing a phone number or address with them in the past.

Another example of intelligence software that is both in the government and public sectors is persona management. HBGary Federal has been linked to development plans for such technology, but it’s already in use.

In June of 2010, the Office of Air Mobility Command, within the U.S. Air Force, posted a proposal for 50 user licenses for software that would allow 10 personas per user. In all, this is a virtual army of 500 personas, who can be centrally controlled by a small group of people.

Emails from Aaron Barr say that the RFI for the persona software was written for Anonymizer, a company acquired in 2008 by intelligence contractor Abraxas Corporation. In 2010, Abraxas was purchased by another intelligence contractor, Cubic for the tidy sum of $124 million in cash.

Some of the top talent at Anonymizer, who later went to Abraxas, left the Cubic umbrella to start another intelligence firm. They are now listed as organizational leaders for Ntrepid, the ultimate winner of the $2.7 million dollar government contract.

U.S. Central Command spokesperson, Commander Bill Speaks, has confirmed the existence and usage of Ntrepid’s persona management software, dubbed MetalGear in some circles.

He told the Washington Post and other media that the software supports, “classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.”

Records indicate that the persona management software used by CENTCOM is part of a larger operation codenamed Earnest Voice. Operation Earnest Voice hopes to “counter extremist ideology and propaganda, and to ensure that credible voices in the region are heard,” according to a statement made by General Petraeus last March.

The problem is that if you use fake voices - or sock puppets as they are sometimes called - then there is no real credibility, and the truth turns into nothing more than matching propaganda with alternative propaganda.

There is a fear that this software could be used domestically as well as internationally. In statements to the media, Commander Speaks was quick to point out that the persona software’s usage would be foreign only, and would not be directed at Americans without qualification. Yet, what qualification means in this regard is unknown.

Each member of Team Themis is an organization that works with the government in the Intelligence Community. This is why the U.S. Chamber of Commerce plot and the WikiLeaks plot raised such concern.

It isn’t news to learn that the CIA funds private intelligence and technology companies like Palantir through In-Q-Tel. SafeWeb (now owned by Symantec), ArcSight, Keyhole (Google Earth), and FireEye are all In-Q-Tel benefactors. Each of them provided something with value to the government and the public sector.

What is news is that one of In-Q-Tel’s investments actively participated in plans that would use government funded technology against private citizens. While the other In-Q-Tel investments have a positive public image, Palantir has seen theirs overshadowed by the HBGary Federal incident.

Until the HBGary and HBGary Federal emails were leaked to the public, data intelligence software was known only to a select few in the business world. Now the public is fully aware of the technology, from how it can help with actual security issues, to how it can be abused.

When it comes to data intelligence software and technology, the key is trust.

The public has to trust that the government and private sector will use it responsibly. Trust is assumed for the most part, but when business deals such as the ones proposed by Team Themis toe the line of legal and illegal, it’s shaken severely.

In some cases, trust is given a visible black eye.

Case in point is evidence turned over by a whistleblower in 2007, which shows that the NSA was given access by AT&T to make copies of all email, web browsing, and other Internet traffic sent to and by their customers. If you ever contacted an AT&T customer by phone or Web, the NSA knows about it. Likewise, if you’re an AT&T customer, then you might want to consider breaking out the tinfoil hats.

Since 2008, when Congress passed the FISA Amendments Act (FAA), the NSA has had total freedom to eavesdrop on American’s international email and phone communications.

There was plenty of press coverage before and after the FAA was signed into law. However, it seems that with the passing of time, the public isn’t aware that technically the NSA program was never halted by Congress. The Obama administration hasn’t done much about the NSA either.

That could all change soon however, as the American Civil Liberties Union (ACLU) has won an appeal that would allow them to challenge the law.

Not 24-hours after the FAA was official in 2008, the ACLU, the SEIU, Human Rights Watch, Amnesty International, and several others, filed a lawsuit challenging the statute. The reason, according to the ACLU, was that the coalition’s very existence in some cases requires them “…to engage in sensitive and sometimes privileged telephone and e-mail communications…outside the United States.”

Originally, the courts dismissed the lawsuit. They did so because the plaintiffs could not prove that their own communications had been monitored under the FISA Amendments Act .

On Monday, the appeals court reversed the lower court decision. The court noted that the ACLU and the others were in a “lose-lose situation”.

“…either they can continue to communicate sensitive information electronically and bear a substantial risk of being monitored under a statute they allege to be unconstitutional, or they can incur financial and professional costs to avoid being monitored. Either way, the FAA directly affects them…”

In a statement, Christopher Dunn, Associate Legal Director of the NYCLU and co-counsel on the case, said:

“Americans shouldn’t have to accept as a fact of life that the government may be monitoring their international e-mails and phone calls and they can do nothing about it. This landmark ruling allows people to defend their right to privacy from unwarranted and illegal government surveillance.”

It's clear that the scandal surrounding Team Themis isn't the only possible threat to individual privacy.

How many more companies are out there working with persona or intelligence gathering technology, furthering their own agendas at the cost of the individual freedoms? Where is the line drawn, between government involvement and the private sector when it comes to civil liberties and privacy?

In some ways, no matter how you spin it, you simply have to trust that those with the tools are not abusing them. If they do, you’ll have to trust the system to punish them appropriately.

Like this article? Please share on Facebook and give The Tech Herald a Like too!