On June 5, a British newspaper, The Guardian, reported the existence of a National Security Agency program active in collecting data on telephone calls made within the United States. The report was based on documents and information provided by one Edward Snowden who also furnished information and documents for a story in The Washington Post the following day on a second NSA program, PRISM, that intercepts communications of overseas internet users. The stories created sufficient uproar that on June 7, that President Obama felt obliged to address the matter while attending a healthcare conference in California.President Obama explained that:
When it comes to telephone calls, nobody is listening to your telephone calls. That’s not what this program’s about. As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism. If these folks — if the intelligence community then actually wants to listen to a phone call, they’ve got to go back to a federal judge, just like they would in a criminal investigation….. Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States.
The President emphasized that both programs operated with oversight by Congress and the FISA court (established under the Foreign Intelligence Surveillance Act).
Despite the sudden furor, the existence of the program of collecting domestic telephone metadata was hardly a secret. For example, a comment by Hendrik Hertzberg, in The New Yorker quoted a front page in USA Today on May 10, 2006 that accurately described the nature and purpose of the program:
The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY. The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans—most of whom aren’t suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.
And, as Hertzberg also noted, an extensive report on the same program had appeared in The Washington Post in 2010.
Without referring to the previous disclosure, the President offered an explanation that was, on its face, persuasive. Nevertheless, while it seemed to satisfy most political figures of the center-left and center-right, as well as a majority of the American public, press coverage abounded and fulminations from various voices on both left and right continued. Litigation was commenced by the ACLU and threatened by Senator Rand Paul. And several measures were introduced in the Senate that would limit or restrict the NSA programs in some fashion. One point raised by critics was whether the oversight by Congress and the FISA Court is sufficiently rigorous, and whether the public has sufficient information to appraise their rigor. For example, all applications to the FISA Court are done on an ex parte basis, i.e., no one appears before the Court to challenge the assertions made by the government in support of its application and their determinations themselves are secret. Those are issues that may well merit further consideration by Congress.
In any case, there is an even more serious aspect to the matter that the President did not address and has not yet addressed. Even if the oversight by Congress and the FISA Court appear adequate, they are adequate only so long as NSA—and all of its employees and all of its subcontractors’ employees—follow those rules. And the obvious risk that some of them will not is the elephant in the room. The Snowden disclosures reflect a vulnerability that threatens not only the personal privacy of American citizens, but vital interests of national security. Yet that fact, and the question of how to protect NSA’s vast trove of top secret information has not only gone unmentioned by the President but has received only modest attention from the media and Congress.
The gravest aspect of Snowden’s breach of security did not lie in revealing programs that, as previously noted, were in major part already known to those who were paying attention. Nor did it lie in the subsequent revelation that British and American intelligence had eavesdropped on parties to a 2009 conference in London (which is the kind of thing governments seem to assume is going on). Rather, it lay in the fact that the revelations were accompanied by the release of hundreds of classified documents. Most notably, the initial story in The Guardian included a copy of a sealed order of the FISA Court to which only a very few NSA officials, perhaps thirty or forty by one estimate, should have had access. Government officials were at a loss to explain how a relatively low-level employee of a subcontractor, located in Hawaii, could have obtained that particular document. It was also reported in the South China Morning Post that Snowden had provided that paper with documents showing specific computers in mainland China and Hong Kong that had been penetrated by NSA.
In addition to the published documents and information, press reports suggest that Snowden has additional information that he carried with him and that may be released in the days to come. Snowden claimed that he had “full access to the rosters of everyone working at the NSA, the entire intelligence community, and undercover assets all around the world, the locations of every station we have, what their missions are and so forth.” He further asserted that he could have “shut down the surveillance system in an afternoon.” Several current and former intelligence officials have insisted that Snowden’s claims of access and power are exaggerated or fabricated, and so they may be. But, whatever the case, the information to which he did have access and has already disclosed is ample cause for alarm.It underscores two areas that require intense scrutiny and remedial action: vetting of employees and controlling their access to highly classified information.
Snowden was not a NSA official. Rather, he was a relatively low-level (albeit well-paid) employee of a NSA contractor, Booz Allen Hamilton. Snowden, it turned out, was a high-school dropout with a somewhat checkered employment history who had been employed by Booz Allen for only three months. Booz Allen is a corporation that works almost exclusively for the government and nearly a quarter of its revenue, $1.3 Billion in its most recent fiscal year, came from work for NSA and other intelligence agencies. It has approximately 25,000 employees, almost half of whom have top secret security clearances. Obviously, the vetting of such a large number is a daunting task and that too is outsourced. The largest supplier of that service, and the one that provided the background check on Snowden, is USIS—a company that has now been reported to be under criminal investigation for matters unrelated to Snowden.
The questions of who is hired and how well they are vetted is compounded by issues such as how such employees are supervised and monitored once they are on the job. Sensitive information is supposedly “compartmented” with access allowed only with those who have a need to know. But some reports suggest that technical personnel, “systems administrators,” have very wide access that may represent gaping holes in the compartments. The Director of NSA, Keith Alexander, recently testified that NSA’s response to the Snowden debacle has been to institute a “buddy system,” whereby anyone copying data from a secure network can do so only with a second person to ensure the propriety of the copying. That appears to be a constructive step and one wonders why it was not taken long ago, or at least after the publicized episode involving Bradley Manning. And it is also reasonable to question whether that step alone is a safeguard that cannot be circumvented by the technical ingenuity of the very computer experts it is attempting to police.
Some have called for the creation of a commission the weigh the risks to personal privacy inherent in the collection of NSA reservoir of data, and perhaps that is a good idea. But such a commission, or perhaps a separate commission, should examine not only whether the collection of personal data is warranted, but how that and other classified information can be protected from misuse, unofficial, as well as official. With or without a commission, the issue is one that deserves the urgent consideration of both Democrats and Republicans. And it is an issue to which Republicans could more profitably devote their attention than the social issues that many find so fascinating.