MAGA's NSA Purge Will Get Messy

Tom Uren
Friday, April 11, 2025, 8:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

MAGA's NSA Purge Will Get Messy

The politically motivated dismissal of the head of both the National Security Agency (NSA) and U.S. Cyber Command will be extremely damaging to the agencies, their relationships with allies, and U.S. national security.

Gen. Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Trump. The NSA's civilian deputy, Wendy Noble, was also removed together with five National Security Council staff. Per the Washington Post:

Far-right activist Laura Loomer advocated for the firings during a meeting with President Donald Trump on Wednesday, she confirmed to The Washington Post on Thursday evening.
In the meeting, Loomer, a fervent Trump supporter, pressed for the dismissals of a number of officials besides Haugh and Noble—in particular, National Security Council staff whose views she saw as disloyal to the president.

On X, Loomer claimed Trump responded to her call for the firings:

NSA Director Tim Haugh and his deputy Wendy Noble have been disloyal to President Trump. That is why they have been fired.

Thank you President Trump for being receptive to the vetting materials provided to you and thank you for firing these Biden holdovers.

Apparently Trump invited Loomer to meet him in the Oval Office, but we have no idea why.

The justification Loomer cited in her post was that Haugh was "HAND PICKED" by Gen. Mark Milley. Now retired, Milley was chairman of the Joint Chiefs of Staff during Trump's first term. He has since become a Trump critic, calling him "a fascist to the core."

Loomer described NSA Deputy Director Wendy Noble as Haugh's "Obama loving protege" and a "Trump hater who was nominated by JOE BIDEN."

Haugh has had a 34-year career in the Air Force and held several previous roles that made him well qualified for his dual-hat role as head of NSA and Cyber Command. These included director of intelligence at Cyber Command, commander of the Cyber National Mission Force, and head of the Air Force's information warfare and cyber unit.

Sources tell Risky Business that potential replacements as NSA director are Ezra Cohen and Trae Stephens.

During Trump's first term, Cohen worked in various defence and intelligence roles, including in the National Security Council, the Pentagon, and the Office of the Director of National Intelligence. In 2020, the New York Times described Cohen as "a hero figure to anti-establishment Republicans and believers that a so-called deep state in United States intelligence agencies was out to topple Mr. Trump." Cohen now works at Oracle.

Stephens is a general partner in Peter Thiel's Founders Fund and is a co-founder of defense technology startup Anduril. In 2016, Stephens was on Trump's Defense Department transition team. He was reportedly considered for the deputy secretary of defense position in this Trump administration.

In contrast to Haugh, these potential replacements are sorely underqualified. Of course, when it comes to selecting people to serve in his administration, Trump counts personal loyalty as far more important than domain expertise or competence.

Significantly, neither candidate is a military officer. This suggests the administration will end what is known as the "dual-hat" arrangement where the military head of U.S. Cyber Command also serves as the head of NSA.

Debate about whether to end the dual-hat leadership structure has been ongoing since 2017, and there are reasonable arguments on both sides.

But we suspect the finer nuances of these arguments are irrelevant to this administration's decision-making. It will endorse the split because it will allow Trump to install a political appointee as director of NSA: a civilian who is personally loyal to Trump rather than a uniformed military officer who has sworn an oath to the U.S. Constitution.

That would undermine NSA and Cyber Command's effectiveness in multiple ways.

Parachuting in a political appointee from private industry to replace Haugh, who has decades of military and intelligence experience, will result in a leadership gap.

An abrupt split between NSA and Cyber Command will also create problems. Having a single shared leader meant a single decision-maker could assess and manage competing requirements for intelligence (NSA) and disruption (Cyber Command) operations. Haugh was in favor of the dual-hat arrangement, and our piece from December 2024 explains the trade-offs between these different types of operations.

In the long term, with the right structures in place, Cyber Command and NSA probably could be effective with separate leaders. However, that would require a plan, rather than an ad hoc transition to new leadership arrangements, kicked off by the appearance of an activist in the Oval Office.

Haugh and Noble's firing will also affect personnel retention and recruitment. The intelligence community is traditionally nonpartisan. People join to protect the United States, not to support one political party over another. Even the perception that the organization's mission has been compromised for political gain will diminish its appeal as an employer.

Finally, Haugh and his predecessors Gen. Paul Nakasone and Gen. Mike Rogers acted as a buffer between the Trump administration and NSA's Five Eyes intelligence partners. They tried to reassure overseas partners about the strength of the special relationship despite U.S. policies that strained broader relationships. The replacement of Haugh will be seen as a turning point in the Five Eyes partnership.

Until now, NSA and Cyber Command had avoided being pulled into the revolving door of Trump personnel changes. It's a bummer that all it took for that to end was a meeting with a conspiracy theorist.

The EU Is Losing Faith in America's Intelligence Promises

The Trump administration has signaled a walk-back of a Biden-era executive order that sought to reassure the EU that the United States would collect intelligence within Europe only when strictly necessary. This will have big implications for American technology companies.

There's a long history of the U.S. and EU building frameworks to permit transatlantic data flows to enable commerce. These frameworks also lay out expectations around U.S. intelligence community practices, with the U.S. making commitments that the EU takes on faith. That faith is now eroding.

Part of the current privacy framework, the EU-U.S. Data Privacy Framework, was implemented by a 2022 Biden-era executive order: "Enhancing Safeguards for United States Signals Intelligence Activities."

At the time, we wrote that the goal of the executive order was to "square the circle and balance US national security requirements for signals intelligence (SIGINT) against European Union human rights protections."

Two previous privacy frameworks, Safe Harbor and Privacy Shield, were struck down by the European Court of Justice in 2015 and 2020, respectively, for failing to adequately protect users from U.S. intelligence collection practices.

The executive order added new safeguards for U.S. SIGINT activities and also set up a review and redress mechanism for EU citizens. It also created a Data Protection Review Court to which citizens from specific European states could complain if they felt their personal information was collected in violation of U.S. law.

The actual visible effect of the executive order for EU citizens was limited. For example, responses from the Data Protection Review Court were classified, so complainants couldn't hope for much more than a boilerplate response saying that their issue had been resolved.

At the time, we wrote that the "US intelligence community (IC) doesn't spy on foreigners for funsies, and the entire point of the IC is to lawfully satisfy validated intelligence priorities."

For these reasons, we described the executive order as "a farce," but a good one. Both the EU and U.S. wanted transatlantic data flows to be easy and clearly regulated. At the time, they had more in common than what set them apart. The U.S. government and, to some extent, the European Commission were both bending over backward to agree on explicit safeguards that were then accepted at face value.

In other words, the arrangement relied on trust.

A Foreign Affairs article last week on "The Brewing Transatlantic Tech War" describes how the situation has evolved since the executive order was issued. It also points out the Trump administration has taken a chainsaw to the Privacy and Civil Liberties Oversight Board (PCLOB), which oversees the intelligence community and the EU-U.S. Data Privacy Framework:

This arrangement made nobody happy but provided legal and political cover for flows of data across the Atlantic. Meta continued to operate Facebook in Europe, and companies such as Amazon, Google, and Microsoft were able to host Europeans' personal data on their cloud-computing platforms. For those companies, the stakes couldn't be higher. Google alone makes over $100 billion in sales in Europe.
That arrangement is now on the verge of disintegrating, with the operations of U.S. tech companies in Europe in serious jeopardy. The Trump administration has not only fired most of the PCLOB's members; it has also made clear in multiple ways that it will not comply with those legal rules that it finds inconvenient. The executive order is under review—but even if it formally stays on the books, no one trusts the Trump administration to abide by it.

We couldn't agree more. The executive order has not formally been rescinded. But it may as well have been.

Three Reasons to Be Cheerful This Week:

  1. Australia shuts 95 scam companies: The Australian Securities and Investment Commission (ASIC) has obtained court orders to shut down 95 companies after it found that they'd been incorporated with false information. ASIC thinks many of them were associated with online investment or romance scams and were set up to provide a "veneer of credibility."
  2. Bulletproof hosting hack and leaks: Persons unknown have hacked Media Land, one of the largest bulletproof web hosting providers, and leaked internal data. The leaks include information on the company's customers, the services they used, and what was hosted on the platform. Prodaft, a threat intelligence firm, believes the same actor is responsible for the February hack and leak of internal chats from the BlackBasta ransomware group. Chaos among criminal service providers is good news. Risky Bulletin has more coverage.
  3. Spain arrests deepfake scammers: Spain's National Police arrested six suspects for allegedly stealing over 19 million euros in cryptocurrency investment scams. The police say the group used ads with deepfake celebrity endorsements to lure victims.

Shorts

Anti-Spyware Efforts Continue Without U.S.

Last week, in a continuation of what is known as the Pall Mall Process, 21 countries signed up to a voluntary code of practice to combat the irresponsible use of commercially available spyware. It's easy to be cynical about voluntary codes of practice, but this is nice, we guess?

For us, the most significant thing is that the U.S. is no longer a signatory, despite having signed up at the first meeting.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq look at the idea of "false scarcities" in cyber security. Are bugs and talent rare? Or is our thinking blinkered?

From Risky Bulletin:

Chinese info-op targeting Canadian elections: A Chinese info-op is trying to influence the political views of Chinese communities in Canada ahead of the country's upcoming federal election. The campaign is taking place on WeChat, an app used by Canadian Chinese citizens to keep in contact with family members at home. The info-op is attacking Mark Carney, the prime minister candidate for Canada's Liberal Party. Canada's election task force has linked the campaign to the Chinese Communist Party's Central Political and Legal Affairs Commission (CPLAC).

Hackers hit Australia's superannuation pension funds: A wave of credential-stuffing attacks targeted Australian pension funds last week, resulting in the theft of some customer retirement funds.

The attacks targeted superannuation accounts, a private pension fund system used in Australia where employees store money that is made available to them when they retire.

Five major superannuation pension funds confirmed the attacks.

The Australian Retirement Trust, AustralianSuper, Hostplus, Insignia Financial [PDF], and Rest said they saw attacks on their online customer portals.

Not all organizations provided technical details about what happened, but AustralianSuper said the attackers used "stolen passwords to log into [customer] accounts" and attempted to steal funds.

[more on Risky Bulletin]

Android looks set to get its own Lockdown Mode: Google has been secretly working on a new super-secure mode for Android that's inspired by Apple's iPhone Lockdown Mode.

According to a placeholder documentation page and based on analysis of Android beta images, the new feature is named the Android Advanced Protection Mode (AAPM).

Just like Lockdown Mode, the AAPM is not intended for regular Android users and was specifically designed for high-risk individuals who may face threats from oppressive regimes, advanced spyware, and rogue network surveillance attacks.

[more on Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.