N.S.A.: “Not (So) Secret Anymore”
The National Security Agency is down in the dumps. It’s used to being heralded for brilliance. It can’t understand how millions of Americans, not to mention foreigners, think it’s engaged in voracious, useless, and unlawful eavesdropping around the world, and dangerous to liberty at home. Past intelligence scandals have always involved the failure to collect or understand critical information – the attack on Pearl Harbor in 1941, for example – or unlawful spying on Americans for political reasons, like in 1976. This one is different. NSA is being criticized for collecting too much foreign intelligence, or the wrong foreign intelligence, and for collecting of U.S. telephony metadata that it does under an act of Congress and repeated orders of the Foreign Intelligence Surveillance Court. Congress knew when it amended the Foreign Intelligence Surveillance Act law how it was being used, and more than a dozen judges have approved the specific uses of this authority. Nor has there been a whiff of intelligence abuse for political purposes. We’re in the midst of the only intelligence scandal in history involving practices approved by Congress and the federal courts and subject to heavy and effective oversight. How did this happen, and what should be done?
Strategy and Tactics in Intelligence Policy
Soon after I arrived at NSA as the inspector general in April 2002, I learned about the White House’s surveillance program that was being run outside FISA. NSA was intercepting the communications of terrorists and their allies overseas with people inside the country. It was also collecting a limited universe of metadata relating to those calls. Any President who didn’t authorize that collection in the wake of 9/11 would have been derelict. What I wanted to know was, why didn’t we just amend FISA and do it under statute? It would’ve been easy at that time.
The true answer was that the Busy-Cheney administration hated FISA. They thought it impinged on Executive authority, and they were intent on exercising untrammeled Presidential power under Article II of the Constitution – as if Congress didn’t also have power to regulate interstate and foreign commerce under Article I. But the answer I got from intelligence professionals was that we could not amend FISA without a public debate on why we needed to do it, and the public debate would’ve tipped off some of our targets. This was true, but assuring the broad support of the American people for intelligence activities is a strategic goal. Avoiding a marginal and probably temporary loss of intelligence is a tactical goal. Subordinating strategy to tactics is as foolish in politics as it is in military operations, but that’s what happened. Worse, when the story broke in late 2005 – nothing stays secret very long any more – the resulting attention to the leaked program was far more damaging both to collection and to NSA’s reputation than any debate over FISA would have been.
The Obama administration has now repeated the same mistake, egged on by certain intelligence professionals who remain deluded about their ability to keep secrets and confused about the trade-off between political strategy and intelligence tactics. The current metadata program is lawful, but let’s face it: Permitting NSA to collect in bulk the metadata of virtually all telephonic communications in the United States is a watershed political event. It could not possibly be kept secret indefinitely. The publicity attendant on the eventual disclosure and the resulting damage to foreign intelligence collection, NSA’s reputation, and American foreign relations is far greater than any damage that would have occurred if the program, and the reasons for it, had been publicly discussed at the outset.
Metadata does not include the content of communications, but it shows who’s talking to whom, how, when, and for how long. It is less sensitive than content collection but nevertheless extremely useful in illuminating networks and patterns – whether among terrorists or members of your book club. The authorization to collect all of it is exactly the kind of thing the public should know about. To my friends in government who still squirm at this proposition, I give the same advice I gave clients during my years as a trial lawyer: You must embrace facts you cannot avoid. If the other guy drags them out of you, they’ll look worse, so get it over with on your own terms. Intelligence agencies are powerful, secret organizations in a democratic culture that is deeply hostile to power and secrecy. The only way to square this circle is to make the rules public and to demonstrate to the public that the rules are obeyed. This is a strategic proposition. Subordinating it to transient tactical advantage is foolish. This is the root problem – but by no means the only aspect of the current furor worth illuminating.
Allies, Friends, and Interests
There are no friends among nations, only convergences of interest. This is especially true among intelligence services. It’s well known, for example, that the NSA and Britain’s GCHQ have uniquely close relations in signals intelligence, or Sigint, but the relationship between certain other agencies is stand-offish. (My friends in the business would put it more colorfully.) Our intelligence relationship with the French services has been mostly excellent when it comes to dealing with terrorism, but our Sigint services have historically not got along well. That may be starting to change, and it should. Our interests and those of the French coincide much more than they diverge, and both countries have wasted resources in mutual distrust. Germany is not as aggressive in collecting intelligence as either Britain or France – the Nazi period left Germans with an abiding distaste for all manner of surveillance – but German leaders know better than the German public that as a result of German legal restrictions, German security services have been unable to prevent major terrorist attacks in Germany without American help. That’s why the German government is likely to become more measured in seeking changes in U.S. collection practices.
It’s time to get closer to both the Germans and the French, but that will require substantial movement on all sides, not just ours. Some have suggested the way to do it is to bring these nations into the “Five Eyes” treaty under which the United States, Britain, Canada, Australia, and New Zealand share intelligence and do not collect against one another. That’s a non-starter. The Five Eyes nations share a common language, common legal traditions, and united wartime experiences. They also work side-by-side in in one another’s agencies. These arrangements have no parallel and are based on a century of deep trust and experience. It is unrealistic to imagine that Germany and France would suddenly be admitted to the club. A deal with these nations, and perhaps also with the Netherlands and Denmark, should move in stages and begin more modestly, but it is in the interest of all sides that it begin.
The reported collection of Chancellor Merkle’s communications was counterproductive, but this is a question of policy, not manners. In any case, NSA would not engage in such collection on a lark. It has been directed to learn about the leadership intentions of foreign governments. To do that, it collects against leaders – not low-level functionaries. With the possible exception of Germany, nations collect intelligence on foreign leaders if they can. Even the Brazilians, who complained so loudly about it, have belatedly admitted doing it themselves. Our allies don’t always tell us the truth, and this is doubly so of a country like Brazil, which is cozy with Iran, Venezuela, and Cuba. How those relationships are developing is important to the United States. Brazil also takes positions adverse to us on trade and other economic issues. If our intelligence agencies were not collecting against high-level Brazilian targets, the politicians who task them would be asleep at the switch. Expressions of high dudgeon are nevertheless gleefully encouraged by European competitors of U.S. cloud service providers, who are probably losing about $20 billion in business to their E.U. competitors based on the incomprehensibly silly idea that European security services do not collect data on EU citizens. Indeed they do so with virtually no accountability and, in most countries, no oversight whatever.
The Revolution in Commercial Technology
The technology revolution has changed the intelligence business in ways the public has yet to grasp. During the Cold War our enemies were few and we knew who they were. The technologies used by Soviet military and intelligence agencies were invented by those agencies. Today our adversaries are less awesomely powerful than the Soviet Union, but they are many and often hidden. That means we must find them before we can listen to them. Equally important, virtually every government on Earth, including our own, has abandoned the practice of relying on government-developed technologies. Instead they rely on commercial off-the-shelf, or COTS, technologies. They do it because no government can compete with the head-spinning advances emerging from the private sector, and no government can afford to try. When NSA wanted to collect intelligence on the Soviet government and military, the agency had to steal or break the encryption used by them and nobody else. The migration to COTS changed that. If NSA now wants to collect against a foreign general’s or terrorist’s communications, it must break the same encryption you and I can use on our own devices. President Obama carries a Blackberry. Terrorists and heads of state use iPhones, Samsungs, and Blackberries too. And they communicate over commercial networks such as Vodaphone, AT&T, Google, and Yahoo!. That’s why NSA would want to break the encryption used on every one of those media. If it couldn’t, any terrorist in Chicago, Kabul, or Cologne would simply use a Blackberry or send messages on Yahoo!. But therein lies a policy dilemma, because NSA could decrypt almost any private conversation. The distinction between capabilities and actual practices is therefore more critical than ever. NSA did not create this dilemma, however, and it cannot be resolved by pushing the agency out of the business of cryptanalysis, because we would then go truly deaf. Like it or not, the dilemma can be resolved only through oversight mechanisms that are publicly understood and trusted – but are not themselves entirely transparent.
The Shock of Transparency
Your family’s difficulties with electronic privacy, the electronic theft of cutting-edge technology from the companies that create jobs and generate wealth, and our governments’ loss of secrets are fundamentally alike. Yet the public on both sides of the Atlantic are under the impression that privacy has gone down the tubes while secrecy has gone through the roof. It’s not true. Privacy is to persons what secrecy is to governments and organizations, and both have gone down the tubes. We distrust secrecy, which creates power. But secrecy is not a different thing than privacy. It is the same thing asserted by different actors – and that is, the right and the ability to keep other people from knowing things. This is not to say that governmental secrecy, corporate secrecy, and personal secrecy should be governed by the same rules. The point, rather, is that the revolution in transparency has made secrets hard to keep at all levels. For good and for ill, you, your employer, and your government all create, store, and communicate information using the same imperfect commercial hardware and software and the same commercial networks. Those networks are porous, insecure, and vulnerable. Besides, we enjoy giving away information about ourselves, and we do it with abandon at home and at work.
The public appears to like privacy and transparency in equal measure and hasn’t yet figured out yet that it cannot have unlimited amounts of both. Privacy says: This you may not see, may not hear, may not know. Its fundamental principles are reticence, boundaries, and modesty. Transparency insists on seeing, hearing, and knowing everything. As the most exhibitionist culture in history we are struggling with this. In the meantime the transparency revolution means that your children are making decisions about sharing information that should make your hair curl; your own personal information is liable to be hijacked in bulk; and your employer’s trade secrets, which create corporate value and very possibly your job, are probably being stolen remotely and carried abroad. The government’s secrets are enjoying the same fate. Very little can be kept secret any longer, and that which can be kept secret will not stay secret for long. As massive leaks demonstrate, policy makers who cannot come to grips with this sea change will continue to make serious errors of judgment.
Disclosures, Useful and Otherwise
Whatever you think about metadata collection, the disclosures have gone far beyond anything to do with civil liberties and have compromised the government’s ability to collect valuable foreign intelligence. If you tell the Russians that NSA collects their diplomatic communications, for example, they conclude immediately NSA has either stolen or broken their codes. That kind of operation can take ten years to pull off. It probably took the Russians twenty minutes to shut it down. Collection against terrorist networks has reportedly also fallen off significantly. “Al-Qaida is lapping it up,” says a senior British official.
This is not entirely the fault of the press, which has mostly been doing what a free press is supposed to do: informing the public about what its government is up to. But there have been stunning exceptions. The Guardian’s decision, followed by the Washington Post, to wait more than a week after the initial revelations before publishing the FISA Court’s extensive restrictions on NSA’s ability to examine the very data it had collected. By that time the brushfires were out of control. That result appears to have been intentional.
Many of the released documents have also been misrepresented. On October 21, for example, The Guardian reported that NSA had intercepted 70 million phone calls within France in one 30-day period. This breathless account was based on a document that neither the leaker nor many reporters understood. In fact, as later reported, the information had been collected by French intelligence and shared with NSA, and all of it had been collected outside France. Corrections were made, but the corrections did nothing to alter the prevailing narrative of a lawless agency. The French prime minister, Jean-Marc Ayrault, theatrically claimed to have been “deeply shocked” by the original story, whereupon his former intelligence chief said, “I am amazed by such disconcerting naiveté. You’d almost think our politicians don’t bother to read the reports they get from the [our own] intelligence services.”
Some of the reporting has also been appallingly innumerate. On August 15, for example, The Post trumpeted, “NSA broke privacy rules thousands of times per year, audit finds” – 2,776 times, to be exact. That sounds like a lot. But about 75% of these events involved validly tasked foreign cell phone numbers that roamed into the United States and were then dropped from coverage. Let’s say our people are tracking a terrorist’s cell phone from Karachi to Tunisia to Frankfurt. Suddenly that phone shows up at the Newark Airport. NSA then drops the collection or gets a specific warrant to continue it. That’s good compliance, but you wouldn’t have known it from reading the Post. In fact, if you compare the number of actual compliance incidents at NSA against the number of queries reportedly made over the same period, you get a compliance rate of 99.9995%. Most of the other 0.0005% result from errors like typos. Few organizations come close to that record, and it results from a multi-layered, robust, effective compliance and oversight regime. But the Post gave the opposite impression.
More recently the so-called targeting of traffic between Google and Yahoo servers overseas was widely reported as if NSA were targeting the companies themselves. That was nonsense. “NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say” – again according to The Washington Post. You had to read down to paragraph 33 to discover that the paper had no idea “how much data from Americans is collected and how much of that is retained.” In fact, they had no idea whether any such data had been collected and retained. What was really going on? Google and Yahoo are service providers. Terrorists use them. It was foreign intelligence targets using those services whose communications were being targeted, as we should hope. Most readers could not have figured this out from such coverage, which has been poisonous.
American diplomats are in for rough sledding on at least two fronts as a result of the NSA furor. The first is the coming negotiation over a North American free trade zone (for which the Canadian-EU negotiations are a warm-up) and related talks over reciprocal rules on privacy and, by implication, spying. Whether the trade talks are actually held hostage to the privacy issue remains to be seen. If not they will proceed in parallel, with a strong European push to subject American companies as well as government agencies to EU increasingly complex and costly privacy regulations that are spottily enforced against European companies and heavily enforced against American companies. Other countries including Indonesia and (again) Brazil are threatening to require American service providers to locate their servers in those countries as a condition of serving their markets. The NSA story is making these discussions more difficult for the American side. Just last month Brazil and Germany introduced a U.N. General Assembly resolution urging all countries to extend internationally guaranteed privacy rights (whatever that means) to electronic communications.
Intelligence agencies steal secrets. They have always done it by breaking the laws of other countries – at the risk of being hanged, shot, or expelled. But now the world economy is being stitched together like never before. This means that nations increasingly share norms of behavior and laws, and they expect their closest trading partners and political allies to obey them. Together with stunning transparency and the COTS revolution, this development is bound to constrain electronic intelligence collection, at least between the United States and parts of Europe. It’s easy to dismiss this trend as the result of a conspiracy of Lilliputians to tie down the American Gulliver. There’s truth in that, but no useful policy results from thinking so. Adjustments in intelligence practices are coming, and negotiations over those adjustments must be kept out of the trade talks and the U.N. General Assembly, which is the home court of Lilliput.
The second front where the NSA story will create hard work for American diplomats will be the negotiations over the role of the International Telecommunication Union in regulating the Internet. The ITU is a United Nations agency, and so far it has no such role. China, Russia, and a growing group of countries (including, again, Brazil) would like to change that. Their goal is to strip control over Internet governance from American companies and the American government (which has almost none). In the process they would “re-sovereign” the Internet; which is to say, subject the free flow of information to government control. They would also make it far less attractive to invest in the communications infrastructure. Our European allies, Japan, and India oppose this move. The technicalities are arcane, but the stakes are enormous. The United States was poorly prepared for the last negotiating round in Dubai last December, however. The next round will be in Korea in October 2014, and I fear we will again be poorly prepared. Our diplomatic adversaries point to the NSA revelations as evidence that the American government and companies cannot be trusted. This is ironic since their own goal is to exert more, not less, government control over communications. This is a battle over ideas with strategic implications for American companies and American power, but the White House cannot win it if it does not begin to fight.
NSA faces two strategic choices apart from possible adjustments to targeting practices. The first is that a decade of war has twisted its priorities out of shape in inevitable but undesirable ways. Signals intelligence has shifted heavily to tactical military targeting at the expense of NSA’s strategic, national mission to support political and diplomatic decision-makers. That balance must be rectified.
The second choice is structural. The NSA director is also the commander the Cyber Command. The dual role unifies signals intelligence with network defense and attack capabilities that must move at Internet speed. This is a huge advantage. But the dual position is awesomely powerful – perhaps too powerful – and very few people have the bandwidth to handle it. The structure should be re-thought – including the possibility that the NSA director should be a civilian. But making changes now in the heat of the current agony over the NSA disclosures would be a mistake. This is a matter the Congressional intelligence and armed services committees should study and be prepared to resolve during the transition to the next administration.
The United States is the only nation in history that has turned intelligence into a regulated industry. We have the most severe laws governing its conduct, and we enforce them. We have active, well-staffed Congressional committees that conduct broad oversight. We have a National Security Division in the Justice Department that scrubs all of NSA’s collection activities that touch the United States. We have inspectors general at NSA, the Office of the Director of National Intelligence, and the Justice Department who all play an active oversight role in a much more granular way than the legislative committees could possibly do. No other nation has such a leash on its intelligence services.
Adjustments are in order, however, and they go beyond NSA. The nation wants more disclosure from the FISA Court and should have it. The court should not make fundamental legal interpretations without the benefit of a court-appointed advocate for the public. We classify far too much information. Auditing requirements for key electronic collection systems should be written into regulation. Understandings that increase intelligence cooperation and limit leadership targeting should be negotiated with Germany and France and possibly Denmark and the Netherlands. The dual-hatting of the NSA director should be studied. The personnel clearance process is utterly broken and should be reformed from top to bottom.
In 1954, in the most frigid days of the Cold War, plans were made to move NSA to then-rural Anne Arundel County, 35 miles from the Capitol, because 35 miles was just beyond the radius of the blast zone of an atomic bomb. NSA was isolated on purpose, and in cultural terms it remains isolated. The agency’s workforce is talented and overwhelmingly law-abiding, but few of them have any idea how the agency looks from Washington, let alone the heartland, New York, or Silicon Valley, and they give little thought to the political implications of the astounding stuff they invent. In 2014, NSA will have a new director. The director will inherit superb compliance and legal departments and a distinguished Scientific Advisory Board. He should supplement it with a board with a much broader policy remit.
When intelligence reform comes, it’s usually done with a meat axe, not a scalpel. In 1929, Secretary of State Henry Stimson angrily shut down the nation’s fledgling code breaking effort, saying that “gentlemen don’t read each other’s mail.” His naïveté put American intelligence miles behind the British and Germans on the eve of World War II. After the scandalous abuses that came to light in 1976, we punished the agencies severely in way that took years to repair. After the collapse of the Soviet Union in 1989, we slashed our intelligence capabilities – then wondered why we had no ability to collect against Saddam Hussein’s regime. Let’s calm down, think hard, and be more careful this time.
This blog was cross-posted on Lawfare.