The National Security Agency’s top lawyer said the disclosures from former contractor Edward Snowden not only hurt U.S. intelligence gathering capabilities, but they also created a gap in the trust relationship between the agency and Congress.
Speaking at the Aspen Security Forum, Raj De, the NSA’s general counsel, argued strenuously that each of the programs Snowden disclosed in his leaks to reporters was legal and that the agency has done nothing improper. But he said aside from the damage the disclosures did to the NSA’s ability to collect signals intelligence on legitimate overseas targets, they also may have damaged the nation’s ability to move the ball forward on improving its own cybersecurity posture.
“Over the last few years, we’ve had senior officials ringing the alarm bell as significantly as possible,” he said. “You have the secretary of Defense warning of a potential cyber Pearl Harbor. You have the Director of National Intelligence testifying at least two years ago with cyber at the top of the worldwide threat assessment. That discussion is so dependent on public-private cooperation, and if that discussion is set back because of misinformed and ill-informed dialogue on some of the Snowden issues, that would be an unfortunate consequence. I would characterize that as harm.”
Legal changes that officials say are needed in order to let the government and the private sector share more information with each other about cyber threats already have been a tough sell in Congress. But one fear among industry and government officials is that the Snowden revelations created a perception that U.S. intelligence agencies and U.S. IT companies already are engaged in unsavory relationships, such as agreements to install backdoors into software or allow intelligence agencies access into private data centers.
Beliefs such as those are completely unfounded, said Scott Charney, the corporate vice president for trustworthy computing at Microsoft, but nonetheless, they’re widely held, including among his company’s foreign government customers.
“Suddenly you have most of the world saying, ‘We don’t know if we can trust you with our data because you’re in bed with the government,’” Charney told the same Aspen audience. “We have customers — Germany is a good case in point — where they’re going, ‘We were thinking about signing up for your cloud services, but we’re slowing down that train.’ You open markets for foreign competitors that way. Deutsche Telekom has already said they’re going to create a German-only cloud. They see it as a wedge opportunity. Those government and large customers have account managers, and they talk to us, so when they slow down a deal because of these allegations, we know about it. But we have a consumer business too. We have 450 million Hotmail and Outlook users. How many of those people are moving away from American products because of these allegations? Do you think they’re calling me up to discuss it first?”
For those problems, Charney said he faults U.S. intelligence agencies, inasmuch as they did not, in his view, consider the consequences of a breakdown in trust when they designed the spying programs Snowden revealed.
“When you listen to how the process can be improved, never do you hear the government say that as part of the calculus, the competitiveness of American industry is part of national security,” he said. “When the government says they followed all the rules and that Americans have been protected, you have to understand that the American IT industry is globally dominant, more than half our revenue comes from overseas, and it has a huge impact on whether 5, 10, 15 years from now, we will still be dominant. If you believe our ability to compete effectively is important to national security, where was that built into the calculus? It wasn’t. I suspect the reason is that the government thought it didn’t need to build it into the calculus because these programs would never be exposed. But they have been.”
Charney said the current environment of distrust has created some other problems for his industry. He said there’s a very consistent meme among foreign customers that even if American companies aren’t voluntarily operating hand-in-glove with U.S. intelligence agencies, those agencies can nonetheless compel American firms to secretly do their bidding via court orders.
New thinking about risk needed
And he suggested the government’s behavior in some recent cases isn’t helping to dispel that notion.
“We are now in litigation in the southern district of New York contesting a government order that would require us to turn over customer data from an Irish data center,” he said. “The U.S. government says, ‘You’re a U.S. company, so if we give you an order here, you need to pull the data from wherever in the world it is.’ Ok, that’s a U.S. perspective. So let’s say the U.S. wins. Doesn’t that mean that in every country where we do business, a foreign government can give us an order to pull the mail of American citizens into their country? Reciprocity is hell in foreign affairs.”
The NSA’s De said he agreed with Charney that the damage of the Snowden leaks extends beyond intelligence capabilities and well into the realm of trust. And while he said everything his agency has done was above-board, he acknowledged there’s room for improvement within its programs.
“Like any agency, we’re not perfect, and I wouldn’t suggest our legal and policy framework is either,” he said. “I think we need to have a wider aperture on how we think about risk, specifically the risk of indiscriminate, illegal exposure. I think we also need to think hard about how to bring the American people into the dialogue about digital privacy. The system, the compromise that’s been in place since 1978 clearly seems to be insufficient in terms of public involvement in how we think about these issues.”
De insisted the impact of the Snowden leaks on U.S. intelligence gathering capabilities was substantial, even if the intelligence community hasn’t been able to clearly and specifically articulate in what ways its abilities were degraded. The reason it hasn’t, De said, is that to reveal what the NSA has lost would only compound the damage, and because of that, he’s counseled intelligence officials not to talk in detail about the specific effects of the leaks.
But Robert Litt, the general counsel for the Office of the Director of National Intelligence, said one main consequence is that foreign intelligence targets have begun to change their behavior.
“A week or so ago, I was getting briefed about the activities of a seriously dangerous terrorist group, and the briefer from the CIA mentioned that this group used to communicate using a particular form of communications — one of the ones that had been disclosed — but after the disclosures, they said to each other, ‘We have to stop using this, it’s too dangerous.’ And now we don’t know what they’re saying to each other,” Litt said. “It is simply inaccurate to say there’s not an impact. Will this result in dead bodies? I don’t know. We’ll probably be able to tell. But it is definitely true that there are people who we want to know what they’re saying, and we don’t because of these disclosures.”