A rogue SCIF at a law firm? Examining the latest report about the FBI and Perkins Coie; UPDATE: FBI weighs in

The more tangled the web, the more law firms there’ll be.

[See update at the bottom – J.E.]

On Tuesday, Tucker Carlson had a brief segment with Rep. Matt Gaetz to discuss information Gaetz and Rep. Jim Jordan received recently from a “whistleblower.”  The gist of the information is that since 2012, the FBI has maintained a “secure work environment” at the Perkins Coie law firm. (H/t: Conservative Treehouse; video below.)

From Gaetz’s comments, it sounds as if Michael Sussmann, formerly a partner at Perkins Coie (before his indictment in the Durham investigation, for which charge Sussmann was acquitted by a jury on Tuesday), administered the secure work environment until he left the firm in 2021.

Sundance speculates at CTH that the secure work environment at Perkins Coie is where (or perhaps one of the “wheres”) people were gaining unauthorized access to unminimized (i.e., not “masked”) U.S. person identifying information (USPI), as described in the FISA court summary by Judge Rosemary Collyer released in 2017.

As noted by sundance, the onset of both conditions was in 2012:  the unauthorized access, and the creation of the FBI secure work environment.  Sundance points out the potential opportunity for FISA section 702 queries to be run from Perkins Coie.

At a minimum, I would highlight the opportunity for classified information to course through the secure work environment at the law firm.

But let’s parse this situation a bit more closely.  The purpose is to put the new information from the whistleblower in context.  There’s larger context, and I’ve written about one aspect of it numerous times.

That will be discussed in the second break-out further below.  First, “secure work environments.”

The programmatic baffles

Keying on Matt Gaetz’s carefully repeated references to the phrase “secure work environment,” I take the whistleblower’s alert to be about a work environment created as part of the FBI’s Secure Work Environment program.  We can go ahead and just call it SWE, because that’s what the FBI calls it, and the program line for which funds are obtained.

The SWE program was inaugurated prior to 2007, as part of the FBI response to the Intelligence Reform and Terrorism Prevention Act of 2004.  A review of FBI spending since 2017 indicates the program is still going strong.

FBI spending on SWE program 2017-2022 as reflected at USASpending.com. See link in text. Click to enlarge for legibility.

Obviously, the prior existence of the program doesn’t make the 2012 data point meaningless.  We can observe up front that when you’ve got an existing federal program that you’re routinely soliciting funds for, you can slip things into it that no one will take much notice of – especially if it’s an administrative program for which the dollar figures are chump change by federal budget standards.

It’s quite probable, in fact, that the SWE at Perkins Coie wasn’t visible at all to program analysts on congressional staffs.  All it would have required to pay for the set-up was using FBI Headquarters funds for the SWE program (or perhaps Washington Field Office funds) to make the arrangements and install whatever equipment is necessary.  A SWE at one location doesn’t appear to cost that much, if you take a stroll through the smaller awards listed in SWE spending from 2017 to now.

The purpose of SWEs was to “provide the physical infrastructure and IT connectivity to enable FBI personnel to execute their mission of protecting national security.”

Further clarification in this 2007 testimony to Congress indicates that the FBI compiled a “prioritized list of 100 field office headquarters and resident agencies … to facilitate the construction of SCIF space and the deployment of SCION [SCI Operational Network] connectivity. In fiscal 2006, retrofits of existing SWE facilities were begun in 48 of the top 100 locations.”

The testimony continued:  “We also are working to provide SCION access to as many locations as quickly as possible so we have a baseline level of connectivity in every field office and resident agency.”

Excerpt from FBI testimony in 2007 describing Secure Work Environment program. See link in text.

Note the tally of resident agencies and off-sites in the screen cap.  The off-sites would have included Joint Terrorism Task Force (JTTF) sites set up for co-working with local law enforcement – a reality reflected in this 2009 proposal to put a SWE in the Police Administration Building of the Los Angeles Police Department.

So off-sites weren’t all facilities being used solely by the FBI.  We can assume the JTTF at the LAPD PAB has a continuous FBI presence alongside LAPD representatives.  But the security constraints of the information distribution system were inherently relaxed by this move.  Its purpose was to ease the conditions for sharing classified information, presumably up to the TS/SCI level, with the LAPD.

That purpose was stated again in 2011 testimony to Congress (by Robert Mueller, in fact) on the SWE program.  “[T]he FBI’s Secure Work Environment program … enables the FBI’s national security workforce the ability to access and share Top Secret information within the FBI and with intelligence community partners.”

It’s interesting that testimony to Congress doesn’t typically seem to clarify that some of the SWEs are being established at “off-sites.”  That may or may not mean much, depending on how aware Congress has been of the SWE program’s scope.  Congress obviously had a general awareness that secure arrangements were being made for joint task forces with state and local law enforcement.

At any rate, we can register two points here.  One, the SWE program is a declared and active program, initiated as a measure for homeland security and combatting terrorism.  Two, its purpose is repeatedly affirmed to be providing secure environments in which TS/SCI information can be accessed for FBI purposes.

Again, the existence of the program would make it easy to bury a SWE at one law firm in it.  My guess – assuming the whistleblower is telling the truth – would be that Perkins Coie paid the entire cost of hardening any infrastructure necessary to host a SWE (apparently in the firm’s Washington, D.C. offices on 13th Street N.W.), and the balance of the cost – move-in arrangements made by the FBI – isn’t even visible to normal accounting for the expenditure of SWE funds.  They’re just SWE funds spent by the FBI.

As for Michael Sussmann administering the SWE at Perkins Coie, we noted in the last couple of days that he has been maintained in-status with a national security clearance since he left the Department of Justice prior to joining Perkins Coie in 2005.

It’s certainly possible, under this condition, that Sussmann was indeed the on-site “administrator” of the SWE, in the sense of being the FBI’s point of contact for it within Perkins Coie.  It seems doubtful he was the only one with a supervisory role for the SWE, as that would be a considerable waste of a partner’s time.

What we don’t know is what kinds of intelligence access and applications were available, and who was using them.  The superficial implication, if we took this as a good-faith move, would be that a SWE at Perkins Coie, however unusual, would be a convenience for active-duty FBI or DOJ personnel.  That doesn’t parse out very far without falling apart, of course.  If Perkins Coie counsel had a need to know on national security matters, it would presumably be in the course of representing clients whose interactions with DOJ and FBI were adversarial.

Comfort and convenience for working conditions doesn’t really add up as an excuse – for either the federal agency or the law firm.  If Perkins Coie had a need to know, I’d expect that need to be met using designated facilities at DOJ, FBI, or the Washington Field Office, with the law firm’s personnel being escorted the entire time.  What the G-men and women need to know, they can just access as usual in their own conveniently located SCIFs.

There are major questions about this alleged arrangement.  Frankly, I can’t see a good-faith use for it.

Video screen capture, YouTube

The conundrum of the unauthorized access starting in 2012

Let me start this segment by saying that, if there’s been a SWE at Perkins Coie with SCION connectivity, it’s pretty darn sure SCI information has been accessed through it.  We don’t know for certain, without seeing the letter sent to Gaetz and Jordan, what kind of access was being used in the Perkins Coie SWE.

So the balance of this article doesn’t imply that Perkins Coie hasn’t had unauthorized access to SCI material, potentially including USPI.

But it was already evident that there were excellent (indeed, virtually certain) candidates for the unauthorized access by “contractor” personnel noted in the Collyer document.  That’s what I’ve written about several times in the last few years, and continue to assume is a factor in the NSC’s, DOJ’s and FBI’s roles in Spygate.  (Note:  the last link is from May 2020, but it links to earlier articles going back to 2017.  Rather than dump a batch of links here, I’ll ask readers to pursue the links in the 2020 article, which account for all the assertions in this section.  One additional link is here:  it noted a 2020 development that strongly indicated the analysis about Brennan’s company, and the FBI-NCTC connection outlined below, was correct.)

The following conditions set the stage.  One, DOJ and FBI have representatives on the National Security Council.  If their personnel were involved in running backdoor 702 queries that revealed USPI, the literal keyboard activity need not have taken place in the managerial offices of the Justice agencies.  Such an arrangement could have involved recipients of information on the NSC, and watch-floor level workers in the agencies (particularly the FBI).  (It also could have involved queries being run from terminals at the NSC.)

Indeed, such an arrangement was especially likely to involve contract workers.  USPI is supposed to be off-limits to contractors, even those with SCI access.  But that’s where 2012 comes in.

Two exceptionally important conditions changed in 2012.  One was the implementation of a memorandum of understanding (MOU) on sensitive data sharing between the FBI and the National Counterterrorism Center (NCTC), an MOU that facilitated the exchange of identifying information on U.S. persons.

Entrance to IC Campus in McLean VA, where ODNI offices are located along with other agencies like NCTC. Google Street View image

These are the two federal agencies authorized to retain the most personally identifying information on Americans.  Going in either direction, Section 702 queries could be tailored more “smartly” in one agency using information from the other.

The second condition was implementation of what’s called the Intelligence Community Information Technology Enterprise, or ICITE.  The pioneering installations for this were done in 2011, but began to mushroom exponentially in 2012.  From 2011 to 2016, ICITE put a common desktop environment on 50,000 desktops across the intelligence community, including at the FBI, NCTC, NSC, CIA, and so forth.

Crucially, ICITE automated access across agencies to formerly stovepiped information.  Old air-gap and permission-slip obstacles were removed.  As James Clapper described it in 2015, the approach was to “tag the people, tag the data” – meaning that data would be protected in classified cells in a structured database, and only users who had authorized access to those cells could retrieve it.

But the important aspect here is that access was automated.

Here, once again, is the well-known ODNI graphic showing how non-contents Section 702 queries exploded across the intel community between 2013 and 2016.  Implementing ICITE is what made this possible.

Now let’s take one step back further in time for the kicker.  Starting in FY 2009, the company John Brennan was president of in the mid-2000s, The Analysis Corporation (TAC), obtained long-term, high-dollar contracts for analytical and database maintenance workers at the FBI and NCTC.  (The citations on this are in my previous articles.)

Those workers are exactly the ones who would have access to communications information retrievable from NSA.

TAC workers were in place at both agencies when the data-sharing MOU was implemented in 2012.

The Obama administration’s lead on adopting that interagency MOU was Obama’s homeland security and counterterrorism advisor:  John Brennan.

The DNI who was implementing ICITE at the same time, tagging people and tagging data, was James Clapper.

So, yes, 2012 matters – as a former POTUS would say, big league.

The brain trust, briefing Congress in 2014. (Image: Defense Intelligence Agency)

Rather than perceiving a SWE at Perkins Coie as “the” event of 2012, however, I would characterize it as one of several events that probably all had a common meaning.  Let’s say that if Perkins Coie were going to get a SWE, 2012 is the year it would have happened in.

A couple of other contextual observations.

I do think that if Admiral Rogers and the FISA court learned, in 2016, of an FBI-sponsored SWE facilitating SCI access at a law firm, the institutional reaction would have been stronger.  If the SWE remained in operation at that point (not entirely clear, but from the tone of Gaetz’s comments it sounds as if it did), that suggests to me that the SWE’s operations, per se, had not come to light with the discovery of unauthorized access to USPI.

The other observation is that there are a number of situations in which government contractors maintain SCIFs at their own commercial locations.  Certified SCIFs can and do exist outside government facilities.  That itself is not the oddity of the Perkins Coie SWE.  What’s odd is that it would be a SWE, apparently under the FBI program, but at a law firm:  where it’s hard to imagine the FBI needs to facilitate the kind of business contractors’ SCIFs are normally set up for.

A coda to that observation is that technology has subtly shifted the meaning of concepts like “secure work environment,” away from the old-style re-creation of permanent security infrastructure and toward a lighter-footprint profile of moving SWEs around to where they’re needed.  That fudges the administrative detectability of SWE-funding and SWE-creating on the margins – if someone wants it to.

Addendum

If there’s been a SWE at Perkins Coie, I’m quite prepared to learn that it was being used for improper purposes.  As Gaetz said, Perkins Coie representing the DNC is enough to make that a non-starter, even aside from the point that the FBI would seem to have no valid use for such an arrangement.

That, plus the richer contextual history of 2012, make a well-timed frame for yet another disclosure from Tuesday, 31 May 2022.   If you remember the investigation entrusted a few years ago to the U.S. Attorney for the District of West Texas – an investigation of the unmasking activities by the Obama administration during the 2016 election cycle – the report from U.S. Attorney John Bash has been released in response to a FOIA suit from BuzzFeed.

I haven’t had time to read it all yet, but the main conclusion stands out – and is really no surprise.  Bash didn’t find that unmasking requests were being done improperly.

I could have predicted that, and in fact did.  The formal unmasking requests, although the numbers of them were eyebrow-raising, were not the main method of performing surveillance of Trump and his associates.  The main method was 702 queries.  I’ve been saying that for five years.

Bash didn’t look into 702 queries.  (He discusses Section 702 at length because it’s the authority under which the basic collection is done.  But his focus was on the procedures for data-handling by the user agencies, an Executive Order 12333 issue, and formal unmasking requests.  He wasn’t investigating the improper use of search-term queries called out by Admiral Rogers and rebuked by the FISA court.)

Americans ought to take seriously how routine it has become for their identities to be revealed in, of all things, the President’s Daily Briefing (PDB), which circulates among quite a few officials of the federal government.  I’d like to see that reined in.

But that wasn’t the method for compiling spreadsheets for Susan Rice, and it isn’t reflected at all in the ODNI graphic depicting the drastic increase between 2013 and 2016 in search-term queries executed by automated means against the NSA database.  The ODNI graphic is about non-contents 702 queries.

It’s useful to have the Bash inquiry accounted for; we can check that block now.  But that was never where the payoff would be in profiling the surveillance of the Trump campaign.  We’re still waiting on that.

*UPDATE*:  Mark Wauck at Meaning in History (he’s moved to Substack) noted a response from the FBI on this, reported on by RedState

As @LanceAoyama says, Wauck is a retired FBI agent.  We have frequently written on the same Spygate-related topics; Wauck always has cogent, useful observations.

My response in the tweet pretty much sums it up.  The FBI’s response indicates they’re talking about national security letters (the general, periodically-renewed FISA authority instruments), on the topic of which law firms may need to represent clients.

It still sounds as if the SWE at Perkins Coie involves an IT portal.  That presumably makes it a two-way cyber operation, and I continue to question the need for that.  It’s a moral hazard, at the very least, especially  with Perkins Coie representing the Democratic Party and having been the broker for the Fusion GPS contract in 2016 — along with who knows how many other partisan operations.  It opens the door to abuse of opportunity.

Anyone who has to deal with client-related NSLs at Perkins Coie requires the clearance for the material substance of the issues, and the U.S. federal government is the cognizant authority for that.  If the line of work is much of an area of effort for the firm, I assume there are employees other than Michael Sussmann who hold clearances and can gain access to agencies like the FBI, NSA, ODNI, and CIA.

The whole enterprise of FISA means that x number of private-practice lawyers will, for various reasons, need clearances to deal with its ramifications.  (Recall that Neustar’s Legal Compliance Service, which it sold to Subsentio in June 2015, had a brigade of “lawyers with clearances” within its ranks.  It’s even conceivable that Neustar and some of its LCS clients were represented in this role by Perkins Coie, which would instantly raise additional questions about what was going on before the 5 June 2015 sale date, the timing of the sale, and who at Neustar and Perkins Coie was involved.)

At any rate, especially for routine representation of telecom providers, it would be clunky and nonsensical to make the lawyers sign one-off defensive briefings every time the subject needed attention.

So while Sussmann, as a partner and senior employee (with background as a U.S. attorney), makes sense as the principal point of contact, he may or may not have been the main user of the SWE.

That factor tends to make appearances worse, however, rather than better.  The appearance of impropriety is legitimately concerning if the Perkins Coie lawyer who shopped oppo-research narrative material to government agencies also happens to be the one who administers an SCI SWE outlet at the firm.  SCI access and abuse have been such major features of Spygate that this has to raise eyebrows, and for good reason.

I haven’t asserted at all that Sussmann was running 702 queries from Perkins Coie, and that’s because I very much doubt that he was.  He wouldn’t have the first idea what to do with them, for one thing.  Keyboard-jockey analysts are the ones with those skills.  Someone who was looking out for him would also be aware that even if the FBI’s baseline SCION isn’t keeping good IT records of user activities, the cloud is.  Avoiding an audit trail for unquestionably illegal 702 queries, especially from a one-off account in an unusual category, would require extensive cyber know-how.

I consider it extremely doubtful that anyone at Perkins Coie has user access that allows such operations.  More likely users can exchange emails and access files and forums in a cloud.

But we don’t actually know.  Congress still needs to find out exactly what the arrangement is at Perkins Coie.  And in general, I tend to doubt its necessity.  Accountable security is more important than convenience for this situation.  If “legal compliance” representation is much of an issue in the Washington, D.C. area (and it may be), DOJ or FBI should probably set up a SCIF space in their own facilities for area attorneys to visit and work in when necessary. Sign-in/sign-out, with a commensurate record of all access by individuals (e.g., badge-swipe), which at need could later be correlated to the record of user log-ons.

Many active-duty military and other federal employees have to frequently jump through just such hoops, if they have clearance and need to know for their jobs but don’t actually work inside a SCIF.  This is hardly asking too much of the attorneys, and/or their cleared staff.

Feature image:  The Eisenhower Executive Office Building in the White House complex.  Wikipedia

5 thoughts on “A rogue SCIF at a law firm? Examining the latest report about the FBI and Perkins Coie; UPDATE: FBI weighs in”

  1. Crickets are chirping – either that or the overwhelming nature of your excellent work has left them all dumbfounded. I am really leaning toward the latter formation.

    For the truly unaware Secure Level 2 Gateway connections to secure network (of which there are several that I will not mention) outside of government facilities built and secured specifically to house them, are exceedingly difficult -not impossible- but at stratospheric levels of hard to get installed. There are efforts to make such access less odious, but it keeps running into the reality that such access is DANGEROUS to the secure function of the network, zero trust or not.

    In general, the non-government facility access points tend to be with folks like general/flag officers needing secure communications from home offices, corporations with specific needs to perform specific functions on those networks and cannot do the work co-located on a government facility. While there are law firms and courts that specialize in secure functions and case management, those access requirements are usually met by access being granted to local facilities, not level 2 connectivity.

    The net effect is that someone somewhere for some reason authorized a known partisan political service law firm to have a level 2 pipeline into a secure special access government network. This should have set off every alarm bell and red flag available – with security people screaming “NO!” from the high heavens.

    That means it was authorized outside of normal channels by an authority outside of the normal chain of command, or that chain of command was operating outside of normal parameters, essentially illegally. (See Hillary’s private email server for reference).

    The upshot is that it was done with the understanding that nothing was going to come of the discovery of the capability. See: Sussman “acquittal” for Deep State coverage and Trump Derangement Syndrome driven soft coup attempts.

    This was all about the Democrat political machine/Organized Crime Syndicate and its various branches and clients organizing every possible means to drive Donald J. Trump from office and install an establishment drone who shall remain nameless, caretaker until they could install their chosen phony president.

    It all seems to flow through Perkins-Coie and a thoroughly corrupt bureaucracy enabled by equally corrupt Establishment Progressives. Every time you write one of these things, JE, the picture becomes darker and more lurid. The Augean Stables at least only suffered from endless seas of manure. This mess makes the Senators of the late Roman Republic and early Empire seem like rank amateurs.

    -OAB

  2. The NSA captures all electronic communications?

    The capture involves not only the addresses of the communications but the contents?

    The NSA gate keeps access to those communications?

    Other federal intelligence agencies are required to report their electronic intercepts to the NSA?

    Those federal agencies running their own intercept operations might choose to NOT report those activities to the NSA to avoid NSA gatekeeping? (FBI and stingray?)

    Are there gaps in NSA domestic coverage?

    Is there a National Ornithological Agency to track pigeons?

  3. A SWE with the LAPD makes sense, they probably have them with the NYPD and Boston PD as well.

    But last I looked, the FBI was headquartered in DC, they don’t need to have an offsite SWE. And especially not with a political party connected well heeled law firm.

    So how are they defining “national security?” Does national mean the average American or does it mean the deep state?

  4. No, the update doesn’t make it any better for the FBI. If Perkins Coie is representing subjects of NSLs, why give the fox a secure room in the hen house?

Comments are closed.

%d bloggers like this: