NSA Audit Engagement Planning
While the Grand Jury reviews the illegal NSA activity, another prong of the investigation is underway: Planning a Congressional audit of the illegal NSA activity.
This will give you an idea of the scope of NSA issues facing the auditors.
Ref: Using FOIA rejections to recalibrate DoD audits.
NSA: Systemic Management Problems Within DoD
One of the problems with working with a classified program, and illegal activity, is the degree to which conduct/practices deviate from [a] lawful requirements; and [b] minimum training standards. There’s a right way to do things, but within NSA this approach has been rejected in a systematic way.
JCS and NSC planning and reporting problems are entrenched within NSA. While preparing for the audit engagement and transition to more credible management, Iraq will prove to be a useful model.
A key problem with the FISA violations has been they delay in providing useful oversight and management. Just as the Iraq-status reporting has proven to be wholly disconnected from reality, so too is the NSA senior management out of touch with the day to day problems under their control.
The key area of concern is the oversight of the illegal NSA activity. By delaying oversight and discussions over problems, NSA management has unnecessarily delayed needed adjustment, staff visits, and management assistance. By insulating the process from both Congress and the Judiciary, the President has effectively made the case for having no confidence the activity – as implemented – meets any reasonable management performance. In light of Iraq and the vacuum of outside reviews, t is unlikely that any reported self-certification reviews for the illegal NSA activity is actually implemented as reported.
Auditors should expect to find other mismanaged NSA audit compliance programs. These are related to the to-be-discovered illegally-classified NSA programs. The same problems with Iraq are expected inside the NSA:
JCS Combat Support
Putting aside for the moment the management and auditing problems, there are technical management issues which are likely to surface.
Targeting an electronic signal is not the same as [a] complying with the law; or [b] lawfully monitoring compliance with those legal requirements. NSA signals information is unlikely to be effectively integrated with constraints confronting combat forces. It remains to be understood to what degree the advertised NSA capabilities fail to meet requirements:
Funds have been likely diverted out of key areas, to back-fund cost overruns; and there are likely known problems in the budgeting areas with funding traces, and change tracking.
Political statements related to what the NSA may or may not have detected are a poor indicator of what signals intelligence the NSA has actually intercepted; is capable of receiving; or can actually receive. It is impossible to receive signals intelligence for events the White House has fabricated.
Had these foreign events occurred as the White House said they did, the Signals intelligence is not there to address any auditing. It is likely there will be gaps between [a] the expected signals received; [b] the actual received; and [c] the stored signals analysis. This conclusion is supported by the ongoing problems NSA has with its modernization programs, and electric power contraints in Baltimore, MD.
Technical Flaws As Indicators For Congressional Audits
Current SIGINT combat support for Israel has proven wholly inadequate. The core reasons behind this problem are likely related to the management problems at the heart of the NSA-FISA violations:
It is one thing to have a (defective) modernization program that hopes to introduce technical modernizations. Quite another for NSA management to be honest with themselves about the NSA defects, and candor with the combatant commanders when technology solutions prove wholly unsuitable. There appears to be an inadequate reconciliation process within JCS to timely transition to non-technological approaches when NSA capabilities fall well short of combat requirements.
Existing Audit Reports
The DCAA reports related to Iraq should serve as a useful template to understand the problems inside the NSA. Stating the obvious NSA, by using non-lawful procedures, has insulated itself from public oversight; the same problem exists in Iraq. Rather, the current flawed approach has been to pretend that the Iraq lessons/results were one thing; and insulate the oversight of the NSA from any outside analysis. Auditors will find similar problems in Iraq and the NSA: Problems with oversight, poor experience, standards compliance, and failure to implement the president’s advertised oversight procedures.
As a caution, the GAO and DCAA reports related to Iraq need attention. The President and Congress have been ineffective in publicly commenting on the Iraqi audit reports; and have not competently ensured that the GAO reports related to Iraq have been adequately studied to apply the lessons to the NSA.
JAG
The preliminary reviews in the wake of the NSA-FISA violations will likely reveal problems with NSA military personnel non-compliance with the UCMJ. Senior Judge Advocate General [JAG] officers with experience with prosecuting war crimes need to be on hand to identify, manage, and successfully prosecute the violations of the UCMJ.
Any claim that things will “take time” is a meaningless excuse. A new military commander at NSA could quickly set a new tone and courts martial for NSA military personnel could begin apace. These courts martials will likely lead to other lines of evidence related to problems within the NSA General Counsels office, NSA auditing, the NSA-JCS reporting process, and problems within the JCS compliance areas.
By refusing to follow the law, NSA managers have sent the message to ignore “smaller” problems. This has translated into management supervision problems, as evidenced by the documentation, procedural violations, and staff acceptance of unacceptable deviations. With time, the nation will understand the perverse logic NSA and JCS managers were using to [a] violate the law; [b] reconcile the disconnects between procedures and actual practices; [c] explain away the lack of information related to the illegal activity; and [d] reconcile why despite no information on audit results of the President’s program, managers were assured there was no problem.
Other Indictments
A byproduct of the Congressional audits will be a second round of indictments. Auditors and prosecutors will likely soon gather evidence of the following problems, and leading to other indictments:
[a] Delegations
Delegated authority, oversight, and decision making wholly at odds with personnel experience, or lawful authority to exercise;
[b] Deficiencies
Deviations from FISA not reported as required; and failure to document, or resolve these deviations in a timely way;
[c] Discussion
Inadequate communication with senior management of how to incorporate (1) technology modernization goals within (2) the illegal statutory regime; and (3) how to hide the deviations.
[d] Detection
Awareness of problems, but failing to take action to legalize the issue; or ensure that the problem was adequately understood and placed on a watch board for reconciliation.
It is likely that the procedural violations will be explained away as “we were not able to put that data on the computer” or “we were overwhelmed with the data and modernization effort to adequately document and monitor problems.” These are unacceptable excuses; nothing stopped for NSA management from using non-technical solutions to monitor, track, and resolve management problems.
Audit Indicators
Auditors and investigators will find ample evidence within NSA of the following problems in non-FISA-related areas:
Dubious NSA-DoJ Compliance With Presidential Assertions To Congress
The illegal practices are not simply transitory, but well entrenched. The illegal NSA activity has lasted a long time, for at least 5 years.
Without adequate oversight, NSA has not been forced to address the disconnect between [a] requirements; and [b] practices. This has killed novelty. It is not likely that in such a climate the President or anyone one else would innovatively address issues. Rather the opposite is more likely: The illegal activity served as a bar to novel solutions to adjust, solve, and otherwise comply with procurement requirements.
In turn, because there insufficient catalysts for novel solutions, it is unlikely there was in place within the “40-45 day review” any novel procedures to adequately oversee this illegal activity. By failing to comply with FISA, the President failed to gather or share lessons learned; or comply with industry standards and legal requirements. Rather, had the “40-45 day review” process been effective, this would have been something that the President and Attorney General would have communicated with Congress, triggering modernization of FISA. This did not occur.
This President's NSA-DoJ reviews were at best a whitewash. Any documentation related to these reviews has likely been retroactively fabricated once the New York Times began asking questions. It is not likely that the initial “40-45 day reviews” in 2001-2005 are adequately documented; nor have the lessons, findings, and other problems adequately triggered Senior management interest or monitoring.
We judge the President’s “40-45 day review” does not have sufficient DoJ-NSA-NSC oversight to ensure that the lessons, problems, and other feedback were adequately implemented; nor did these reviews trigger bonafide documentation and feedback within the President's self-described illegal program.
National Security Council
The problems are traceable to the flawed national security council (NSC). We need only look at the results of Iraq and Katrina to see the central problem within NSC-NSA-DoD-JCS management. The President's Iraq programs remain abysmally managed. There is no reason to believe something within NSA, that otherwise has no public oversight, is any better managed.
NSC Problems: Reported in 9-11 Commission Report
There needs to be a broader view taken with respect to the NSC role in failing to adequately oversee and manage the illegal NSA activity. Of concern are not only are the inherent problems of NSC oversight, but the failure of the NSC Staff to adequately report, manage, and correct the illegal activity.
NSC has systemic internal control problems. These are not new problems. It will take some time to review the 9-11 findings related to the NSC, then explore to what extent the 9-11 Commission report – as it relates to flaws within NSC-JCS-NSA – are correctly reported; then review to what extent these flawed NSC management practices have been understood and are on a path to resolution.
It is not possible for the experts outside the system to do credible reviews until the President is lawfully denied the ability to hide, prevent, and continue to thwart unfettered access to the NSC e-mail and other management products.
We judge the 45 day reviews of the FISA-NSA activities are meaningless:
It is likely that the scope of the mismanagement problems will be on the same order of magnitude and severity as was seen in KBR, Halliburton, and the Iraq-related contracts. Despite indicators of these problems, NSA IG has ineffectively demonstrated that they have timely ensured that these problems were appropriately reported to Congress as required under Title 50.
Dubious Certifications To Congress
The core problem with the NSA-FISA violations is that the activities are illegal; and the illegal activity has required illusory oversight. Those at the lower management reporting levels within NSA have had to explain deviations from something that was never credibly justified, implemented, or baselined.
We judge the following:
A. NSA and DoJ staff in conjunction with the NSC and Joint Staff have well known that the public statements to Congress were not lawful; and have failed to remove themselves from reports that otherwise mislead Congress. The NSA personnel involved will have to justify confidence that the reviews albeit illegal were actually done; and that the documentation unrelated to these sham-illegal reviews were really recorded when the reviews were done, and not retroactively created; and
B. There is no basis for the NSA-NSC-JCS statements related to these periodic reviews: The assertion of compliance and legality of the activity is not linked with any credible documentation; and Hayden’s comments during testimony should not be relied upon as a credible assertion or status of NSA oversight and management.
Litigation Liability: Human Resources
NSA auditors and management will have to develop a timeline and transition effort to resolve the environment of abuse. It remains to be understood how blacklisted NSA personnel, once identified as not cooperating with the illegal activity, were subsequently denied promotions and other civilian employment they were otherwise entitled.
Civilian contracting management and NSA Senior Executive Service know the names of NSA employees who voiced concerns. These formerly-assigned NSA employees have faced difficult post-NSA-employment working conditions at the NSA subcontractors. It remains to be understood whether these formerly-assigned NSA personnel would be interested in providing to Members of Congress information related to these experiences.
It remains to be understood which specific Q2 personnel were hired, employed, and placed within the NSA to directly target NSA personnel to impose silence about these illegal activities. It is likely that after the 2001 events, that Q2 hired personnel who were fully aware or should have been aware the NSA activities were not legal.
It is likely the United States has a financial liability on the scale of billions of dollars related to unlawful retaliation; on-duty harassment; and other illegal retaliation by Q2 against NSA personnel. Q2 personnel implied objectives while working for internal security was not to simply protect NSA secrets, but also dissuade and eliminate any chance that the illegal activity would be detected.
Innovation Not Demonstrated With FISA Reforms
One of the President’s claims was that the FISA court was too slow. In theory, if the President had innovatively addressed national security issues and solved a difficult management problem, he would have quickly reported to Congress the better system.
It remains to be understood which novel procedures he created that were more efficient; and why, despite these asserted “efficiencies,” he did not go to Congress to outline a better approach. However, the results are the opposite: Despite the advertised claims that the President’s approach was more effective than the FISA court, Congress was not involved with the modernization of FISA that would accommodate these “proven” modernizations.
We judge the President’s assertions that the oversight system were not what has been advertised; and that the efficiencies were illusory, not documented, and have not been credibly demonstrated using any rigorous management analysis.
In turn, it is likely that all other requirements and activities related to this self-certification are illusory, fabricated, and there is no evidence that the IT, meetings, and reviews have been adequately tracked. In an environment that has entrenched illegal activity, there is no reason to believe that the self-certification has any meaning. It remains to be understood:
Iraq Model
The lesson of Iraq is simple. By not facing reality, the NSC and JCS have lived in denial. Systemic procedures, that otherwise would have timely reported problems, have been ignored, not developed, or never imagined. Alternate methods and procedures have not been implemented that might have been modernized to support timely reporting of problems in Iraq. This has likely manifested itself in the JCS-JROC process of overseeing the NSA modernization process.
Although the precedent of illegal activity in the FISA-NSA violations does not trump the Constitution, these illegal methods have become a crutch. Auditors are likely to find an attitude of “it’s hard to change” as an excuse to ignore the law. This is not acceptable, and should be noted. Staff assistance visits, better supervision and more handholding will have to be targeted at these areas.
The President compounds the untenable situation. Even when NSA-NSC-JCS senior managers do pay attention, they still do not listen. The President's illegal activity has not supported credible plans to meet lawful military objectives. The issue to be understood will be to understand what things NSA should have done that they failed to do because they were relying on illegal NSA-FISA violations:
Transitioning NSA Operations To Lawful Authority
NSA will have to be recertified as an independent agency. This doesn’t simply mean Congress reviewing the budget and approving it. Rather, it means a detailed Congressional audit that has been appropriately increased in audit scope and size using SAS99. The NSA recertification needs to take a broad approach to the problem:
These are issues of integrity. The White House, JCS, DoD, NSA, and DoJ credibility problem can only be remedied by complying with and implementing a credible oversight system that will monitor progress to meet statutory obligations.
NSA management has already hired outside consultants to being the house cleaning. The auditors will need to review the initial working papers of these outside consultants; and get access to their working papers, e-mail, and other pre-visit notes. These notes can be compared with the GCHQ intercepts. Remind the NSA consultants that if they mislead the investigators, or otherwise fabricate notes this can be entered before the Grand Jury for war crimes indictments.
NSA Audit Checklist
Here are the audit indicators auditors should expect and be able to make opinions on once the final report is provided to Congress.
Expectation 1: Inadequate Documentation
[…] Inconsistent documentation of procedures
[…] No demonstrated compliance with irregular procedures
[…] Ineffective internal audits, evaluations, and documentation to detect non-compliance
[…] Inadequate supervision, training, and oversight
Expectation 2: Inadequate Problem Resolution Process
[…] Extra-judicial oversight lends itself to ineffective regulatory regime
[…] Inadequate problem-resolution program in place
[…] Deficiencies, even if recognized, not adequately tracked or resolved
[…] Likelihood of multiple violations, non compliance within the President’s illegal procedures
Expectation 3: Ineffective Trend Tracking
[…] Inadequate communication within NSA translated into ineffective monitoring and inadequate plans to resolve procurement and modernization efforts
[…] Had Congress and others been publicly involved, there might have been catalyst to discuss real infrastructure-modernization requirements, and address long-known trends and show-stoppers.
[…] NSA managers have likely constructed new facilities in violation of mandatory 3020 reporting-notification requirements; subsequent violations are likely at these new locations; these are not appropriately documented, nor part of the NSA reported budget to the Senate intelligence Committee; the construction has violated the law; NSA senior managers should be in a position to discuss their reasons for not complying with the notification requirements.
Expectation 4: Non-standard Training
[…] Ineffective personnel management, training, document, and discipline
[…] Gaps in personnel management files
[…] Illegal activity: Risks of exposing illegal activity if discipline problems were documented
[…] Illegal activity: Training and supervisory problems inadequately documented: To avoid warning others that the training, discipline, or management problems were related to unlawful objectives, or having retained supervisors who had no interest in following procedures.
[…] Litigation liability risk: Had the NSA followed the required personnel procedures, the subsequent violations would have been more quickly detected, reported, and identified within NSA. NSA did not fully comply with its own procedures. This raises the prospect for Federal Tort Claims by current and former NSA employees and losing contractors.
[…] Evidence Junior NSA managers retaliated against
[…] Ineffective DoD/NSA IG in identifying and reviewing the problems: Failing to integrate notes and information to audits; audits never completed as reported.
Expectation 5: Unresponsive Senior Management
Entrenched senior management illegalities prevented flawed management practices from being remedied. Rather than address the flawed management practices and defective supervision, NSA managers were scattered to other government agencies
Even when well know problems are identified, the entrenched senior supervisory deficiencies led to
[…] Continued non-compliance
[…] Ineffective problem resolution
[…] Well known reporting errors to JCS and NSC
[…] Repeated illegal retaliation
Exercitation 6: NSA Procurement Fraud
[…] Likely kickbacks from contractors to assigned NSA managers
[…] NSA contractors well know the problems and have taken advantage of the flawed NSA practices to commit fraud and engage in insider bidding, and illegal association with contract fee determining officials
[…] NSA culture in need of attention. Contractors have offered workarounds that are unneeded; had NSA management complied with FISA, the contractor-generated workarounds would never have been considered, much less awarded.
[…] NSA management not in a position to effectively oversee or monitor the unusual contractor efforts
[…] Actual results of Contractors are no better than the original NSA procedures
[…] Contractors blame NSA mangers who are “not on the team”
[…] Procurement fraud
[…] Violations of competitive bidding [FAR, Federal Court of Claims]
[…] NSA litigation liability: Protests are likely from the losing contractors
Expectation 7: Procurement Practices Inconsistent With FAR/Ft. Belvoir Standards
[…] Pre-contact budget, cost estimates suppressed
[…] Independent government data not reconciled with initial and successful contractor performance reports
[…] DPRO/DCAA experts denied access to key technical meetings
[…] NSA IG destruction of audit working papers and notes
[…] Senior and Mid-level NSA procurement management have largely ignored Ft. Belvoir acquisition lessons
[…] Newly hired personnel are in a no win situation: If they implement experience, they clash with management; if they work with management they violate the law.
[…] Continued justifications to Congress at odds with engineering data
[…] NSA programs have been redefined/reworded to appear to fall within the legal parameters; actual activity is at odds with state requirements’ and performance
[…] Entrenched acquisition mentality within NSA at odds with FT Belvoir
[…] Indicators of non-compliance across all data, budget, and technical reports
Expectation 8: Ineffective NSA IG
[…] Untimely cooperation with investigators, lead to subsequent charges of obstruction of justice
[…] Inadequate demonstration IG has successfully complied with statutory requirements
[…] Poor trace within NSA IG between ongoing audits and the statutory guidelines
[…] Poor trace between (a) FISA requirements; (b) audit reports to Congress; and (c) NSA actual practices; (d) NSA IG knowledge of illegal activity
[…] Failure to demonstrate compliance with Generally Accepted Government Accounting Standards [GAGAS]
[…] Poor showing that SAS99 indicators have been satisfactorily incorporated into pre-audit engagement visits to remote locations
[…] AICPA guidance ignored
[…] Reasonable basis to question auditor credentials
[…] No satisfactory demonstration by NSA IG that investigators have adequately scoped current violations within the area of interest.
[…] IG ignored along all lines of management
[…] Unwilling to cooperate with public discussion of NSA IG compliance problems
[…] Inadequate manpower
[…] Insufficient reviews
[…] Lack of credibility
[…] Poor information storage, access, reviews, documentation
[…] No credible showing that IG able to repot or adjust in environment hat is illegal
[…] Unreasonable assumption that IG can do the right thing in a criminal environment
[…] Inadequate explanations for NSA IG failing to remove themselves from the illegal activity
[…] NSA IG reviews, self-certifications, and other audits are not consistent with the procedures that are otherwise illegal
Outside investigators need to provide to the Committee the range of expected audit problems and likely findings. The witnesses need to demonstrate they have a system in place that will likely detect and adequately capture these management flaws. Congress needs to have assurances that the auditors have a materially high chance of finding and detecting these problems.
SAS99 fraud indicators within NSA are widespread:
The solutions and plan going forward needs to outline the range of SES retraining required; and review the Ft. Belvoir acquisition classes related to how to effectively oversee a dysfunctional agency and transform it.
[…] Lessons learned have been ignored [despite access to Intel Link]
[…] Inexperienced managers to supervise transition from illegal to legal operations
[…] Contractor processes are not consistent with acquisition requirements
[…] Staff assistance requirements inadequate: Must be justified, and explained
[…] Disconnect between [a] original contract bids; and [b] actual programs in place
[…] Meaningless contract performance reports and status
[…] Worthless metrics: Disconnected from [a] program progress; [b] legal requirements; and [c] contract objectives
[…] Entrenched contractor parameters are at odds with minimum legal-mandatory requirements
The key will be to look for the common management-supervisory issues across the NSC, JSC, and NSA. The way forward needs to be something that:
[…] A. Continuity of operations
[…] B. Support legal discovery
[…] C. Support off-site questions, audits, and trial
[…] D. Transition from current illegal activity to the final resolution, prosecution, then subsequent assurances/demonstrations to the Court and Congress of compliance with legal requirements
The final plan will have to support the prosecutors:
[…] Demonstrate changes in procedures, and compliance
[…] Certification of new leadership
[…] Complete fact finding and final grand jury indictments
[…] Transition plan from current personnel to legal oversight
Classification
The NSA evidence related to the illegal activity is not lawfully classified. This is evidence of illegal activity, and there is no basis to classify any of the data. The data shall be presented in open court and made available to Members of Congress, the media, and Grand Jury.
Cooperation With Prosecutors
Full access shall be afforded to the criminal investigators. They may be given access to any and all documents. All equipment, working documents, and NSA program documentation may be seized.
Access to Data
Information may ultimately be presented before an international war crimes tribunal. NSA personnel will not be given access to any archived material; or able to access any electronic evidence during the discovery period
Budget
NSA has the responsibility to assign personnel who will identify which work products require immediate copying. NSA will have the responsibility to budget for the transition from existing unlawful modernization programs to those that are lawful.
Contractor Impacts
Stop work orders shall be issued. The illegal activity cannot be reimbursed. These will be matters for the federal court of claims to address.
posted by Constant @ 11:23 AM
<< Home