Cyber attacks are no longer a matter of “if.” They’re here, they’re growing more frequent, and we need to be prepared.
However, in journalist Shane Harris’ enlightening, call to action book, @ War – The Rise of the Military-Internet Complex (2014), questions continue to arise, not only about the legality, but the ethics of such far-reaching programs utilized by the NSA. One such program, brought to light by NSA leaker Edward Snowden, is the so-called metadata program. Most Americans were surprised and troubled to find that the NSA has been collecting phone records since the attacks of 9/11.
LICHTMAN: Metadata is data that describes other data. Should I be concerned with the NSA collecting massive amounts metadata?
HARRIS: Let me give you a scenario. The NSA goes through metadata that’s been collected and sees that you have called a phone number in, let’s say, Yemen that is associated with a known or suspected member of al-Qaeda in Yemen. They probably don’t have a recording of the call in question. They want to listen to your future calls. If they want to do that, and you are an American citizen, they have to go to the FISA [Foreign Intelligence Surveillance Act] court to get a warrant to do that. However, if they want to tap the Yemeni guy’s phone, they don’t need a warrant to do that.
The question then becomes: can they listen in on your communication by getting a wiretap on his phone? They’re not supposed to do that. And they are allowed to use the metadata in such cases.
They don’t need warrants to listen to non-U.S. persons’ communications, and if in the course of doing that they discover a potential connection to an American, they need to get a warrant to do that.
But there are other ways in here that are trickier, more controversial. If in the course of monitoring, let’s say, five-hundred e-mail addresses in Yemen, they inadvertently scoop up information on Americans in that database, they are allowed, under certain circumstances, to go back through the database and search for what are known as “selectors” or keywords. And if they come across something that tips them off to your information, and makes you kind of a person of interest, they don’t have to stop. They can keep investigating, because the data that’s been collected is going to be presumed to be lawfully collected in the first place.
Some people view this as a backdoor to surveillance. Others say, no, no, no. It’s not exactly that, but there is some controversy around that. The bottom line is, if they target you, in other words, if they wake up and say, we’re going to get your phone, your e-mail, we’re going after you, they have to have a warrant to do that. Not the metadata, the actual content of the communications.
However, metadata can frequently be more revealing than the content of the communication. They use metadata to establish things like pattern of life, and associations. Pattern of life being how you go about your daily basis: who you contact, where you move about.
Presumably, terrorists are going to know that their conversations are going to be monitored, so they’re going to be very careful about what they say on the phone or put in an e-mail, but they can’t as easily find who they’re in contact with, and that road map [metadata] or descriptions of their communications connections can be very illuminating, just as it could be for an innocent person.
It’s not so much that I have a problem with the NSA collecting metadata. The NSA has a very strong and strict compliance culture and structure within the agency that governs what it can look at, when it can look at it, what rules it has to follow. I know the people in charge of this and I think that they’re honest and committed to trying to protect people’s privacy, but the capability to abuse that power is so great. That is what gives me real concern about the collection of metadata.
The Supreme Court, at least some of the justices, has indicated that they would like to consider this question, because metadata is so pervasive, and potentially illuminating, that it deserves some protection under the fourth amendment.
LICHTMAN: How do we balance our privacy concerns with our expectation of security from future attacks?
HARRIS: I think the way you get that balance is through more transparency. Why shouldn’t we know how many times the NSA or the FBI goes to Yahoo or Google or to Twitter? Why shouldn’t we know if the law allows this tool to be used and how often it needs to be used? I understand that people within the government will say, hold on, if you reveal too much you might tip off sources and methods, and that’s fine. But we should be able to come to some happy agreement on how much information and transparency we can have without jeopardizing security operations.
LICHTMAN: On page 43, you write, “Most lawmakers didn’t know about the cyber warfare operations…” Shouldn’t the Senate and House Intelligence Committee have known about these programs and capabilities?
HARRIS: Well, the Senate Intelligence Committee likely knows a lot of things. So does the House Intelligence Committee. In fact, when former Congressman Michael Rogers was in charge of the House Committee, he got into this publicly with his membership saying, “Some of these things that you’re reading about in the newspaper are documented in binders at the NSA in a secure facility. You’re welcome to go read them any time you want, as a member of this committee.”
I don’t think that lawmakers, as a body of Congress, fundamentally understand or understood everything that was happening with regards to surveillance and cyber operations. No disrespect, but I don’t think that most members of Congress fundamentally understand technology all that well. With that said, there’s a lot of oversight power in a body of people that I don’t really think have the most nuanced understanding of how technology works and how you need to craft policy around it, which is not to say that there aren’t some really smart members and staff up there that do. There are, but we’re asking a lot of our elected officials to understand and get up to speed very quickly on highly technical operational kinds of things.
LICHTMAN: Agreed, but shouldn’t there be an individual(s) at the NSA or any intelligence agency whose job it is to explain to Congressional members what’s in these binders and what it means?
HARRIS: The people at NSA feel that they have done a good job of trying to explain this to the membership. It’s also incumbent on the members to avail themselves of the opportunity to learn about it.
One of the more illuminating things that I heard is the frustration from the Executive Branch over this. A former senior official was involved in helping to provide a briefing on what was later called the metadata program to all members of Congress; effectively allowing all members of Congress into a secure facility and get more up to speed on how the Administration was interpreting The Patriot Act. And, much to this official’s disappointment, he said that very few members availed themselves of that opportunity.
I don’t think that the oversight mechanisms are great, but one of the reasons for that is that there are many lawmakers who engage in a level of willful ignorance.
I think we need to recognize that the public plays a vital role in these programs. The authority to conduct these operations ultimately comes from the people. You have to have more and clearer explanations of what these capabilities and authorities are. How they’re being used, and I think also that the NSA and other agencies should be honest about what they can’t say. We need to have a very grown-up conversation explaining to the American how they try and evaluate the efficacy of these programs. And I have to say, that has been happening. It hasn’t gotten as much attention in the press, but it has been happening.
What I’m hoping for, with the sort of call to action part of the book, is that we recognize the ways in which this merging together of two very powerful sectors — this high-tech Internet, corporate component with the military and intelligence component — and that their coming together is new in the American experience. It creates all kinds of ethical and legal and technical challenges.
There is an instinct that you sort of assume that things are being run appropriately or that they’re too secretive to talk about, or that, don’t worry, the smart people are in charge. They’ll figure it all out. And what’s so fascinating about cyberspace and cyber defense is that it is bringing up all kinds of issues of law and ethics that even the experts will confess, they don’t fully understand. We don’t even have an agreement about whether the law of war applies to cyberwar. It’s a terrain where the lawyers and the technologists and the philosophers have, by no means, reached a consensus. People need to recognize that this is something new and that we are at a point where the military and our intelligence agencies are increasingly seeing cyberspace as a battlefield, to use their words, and it is a domain where we are spending much of our lives, and we need to become much more savvy about the operational Internet space that we all occupy at the same time.
While Harris’ book provides the first step in the essential education to the public, so much more remains to be done.