The controversy over the National Security Agency’s surveillance programs has exposed a problem in the oversight of those programs: The development of the relevant technology has outpaced the laws and policies that govern its use.
“The technology is moving very fast,” says Joel Brenner, a former NSA general counsel. “Legislation moves very slowly. Policy moves pretty slowly. The people who write policy don’t always understand technology, and the people who write legislation almost never understand technology. And so in an era when the technology is moving quickly, it’s really hard for the policy to keep up with it.”
Examples of that mismatch arise from the NSA’s main responsibility, which is to gather signal intelligence. Since the Sept. 11 attacks, its paramount mission has been to listen in when terrorists communicate. Anne Neuberger, a special assistant to NSA Director Keith Alexander, says the challenge can be summed up in a single sentence: “Our duty,” she says, “requires us to attempt to collect terrorist communications wherever they traverse global infrastructure.”
A key word there is “wherever.” If a terrorist is using a particular communications system the NSA will go there to intercept it, even if means breaking an encrypted communication. Inevitably, this can raise privacy concerns.
“If the NSA wants to collect the emails or phone calls of a terrorist or a foreign diplomat, that target is probably using … a BlackBerry or an iPhone,” Brenner says. “That means that in order to collect that person’s communication, the NSA has to be able to break the encryption that you or I might use.”
And there may be no way around that fact, says Neuberger, whose job at the NSA is to work with the private tech companies that carry those communications.
“We’d love to magically segregate bad guys’ ‘comms,’ as we call them, and good guys’ ‘comms,’ ” she says. “You can’t technically do it. They’re intermixed. Communications are fundamentally intermixed today.”
Privacy Versus Security
If the NSA is going to intercept terrorist communications, it has to be capable of intercepting everyone’s communications. This raises a conflict between ensuring privacy and ensuring national security. It’s one of the problems that need to be sorted out as the country considers new surveillance rules.
Another conflict arises from NSA’s efforts to break into the computer systems that foreign intelligence targets may use. To do that, NSA technicians may look for a software flaw in that computer system; a flaw, for example, in some commercial product used in that system. It’s called a “vulnerability,” and the NSA can take advantage of it to penetrate the system.
Christopher Soghoian, a technologist at the American Civil Liberties Union, says NSA officials therefore have an interest in not telling the commercial provider of that software about any flaw they find in the product.
“When they learn about those vulnerabilities, they have to sit on them and exploit them rather than telling Microsoft or Google or Apple or Facebook,” Soghoian says.
In Soghoian’s view, this means another conflict between the government’s interest in ensuring the security of our networks against cyberattacks and the government’s interest in being able to go into those networks to gather intelligence.
“If cybersecurity is, in fact, a big threat, then our government should be doing everything in its power to make sure that systems are as safe and secure as possible against all adversaries,” Soghoian argues. “But what we’ve learned is that the NSA is willing to weaken the security of systems and software used by U.S. companies because it gives them an edge in surveillance.”
NSA officials insist that whatever they’re doing with U.S. companies is within the law. And Neuberger says her boss, Alexander, says protecting U.S. computer systems is the priority.
“Gen. Alexander has given clear guidance,” she says. “Defense wins.”
But there is a tension. Right now, the agency with the cybersecurity mission — the U.S. military’s Cyber Command — is co-located with the NSA. Alexander oversees both agencies. The NSA surveillance controversy has raised the question of whether the two should be separate. It’s one of the many surveillance issues currently under debate by policymakers and legislators.
President Obama himself has welcomed the debate. In a recent interview with NBC News, Obama said the NSA’s technology, budget and capacity have “outstripped the constraints. And we’ve got to rebuild those.”