The National Security Agency is telling its story like never before. Never mind whether that story is, well, true.
On Sunday night, CBS’s 60 Minutes ran a remarkable piece that provided NSA officials, from director Keith Alexander to junior analysts, with a long, televised forum to push back against criticism of the powerful spy agency. It’s an opening salvo in an unprecedented push from the agency to win public confidence at a time when both White House reviews and pending legislation would restrict the NSA’s powers.
But mixed in among the dramatic footage of Alexander receiving threat briefings and junior analysts solving Rubik’s cubes in 90 seconds were a number of dubious claims: from the extent of surveillance to collecting on Google and Yahoo data centers to an online “kill-switch” for the global financial system developed by China.
Reporter John Miller, a former official with the Office of the Director of National Intelligence and an ex-FBI spokesman, allowed these claims to go unchallenged. The Guardian, not so much. Here’s our take:
Surveillance is just about what you say and what you write
If there’s a consistent thread to the NSA’s public defense of itself, it’s that the stuff NSA collects from Americans in bulk doesn’t actually impact their privacy. After all, as Keith Alexander told Miller, it’s just metadata – data about your phone calls, not what you said on the phone.
“There's no reason that we would listen to the phone calls of Americans,” Alexander told Miller. "There’s no intelligence value in that. There's no reason that we'd want to read their email. There is no intelligence value in that … How do you know when the bad guy who's using those same communications that my daughters use, is in the United States trying to do something bad? The least intrusive way of doing that is metadata.”
When Miller said the bulk metadata collection “sounds like spying on Americans”, Alexander replied: “Right, and that’s wrong. That’s absolutely wrong.”
Notice the tension here. It’s the metadata – who you called, who called you, for how long, how frequently you communicate – that has intelligence value, not, in Alexander’s telling, what you actually say on the phone. The NSA is relying for its defense on a public conception of surveillance as the interception of the content of your communications, even while it’s saying that what’s actually important is your network of connections – which the agency is very, very interested in collecting.
Senator Ron Wyden, an intelligence committee member who has emerged as a leading opponent of bulk collection, says the metadata provides NSA with a “human relations database”. For many, surveillance occurs when someone else collects anything on their interactions, movements, or communications, rather than when that other party collects certain kinds of information. And it hardly makes sense to say, as Alexander did, that surveillance on Americans doesn’t occur when NSA collects the sort of information that it believes actually has intelligence value.
Snowden and the NSA’s hiring boom
The NSA, for obvious reasons, isn’t fond of whistleblower Edward Snowden. It portrayed him to 60 Minutes as a weirdo. He wore “a hood that covered the computer screen and covered his head and shoulders”, NSA official Richard Ledgett said. He allegedly stole answers to a test to gain NSA employment and boasted about its hires of young geniuses ready to tackle NSA’s persistent intelligence and data challenges.
The obvious question here is why the NSA considers it exculpatory to say an obvious eccentric was able to abscond with an unprecedented amount of data. That sounds uncomfortably like an admission that the NSA is less able to safeguard its vast storehouses of information than it lets on. Let’s also pause to savor the irony of a spy agency complaining that one of its employees cheated on an employment test. (Meanwhile, for an alternative take on Snowden, an anonymous NSA colleague told Forbes that Snowden was a “genius among geniuses” and said the NSA offered him a job at its elite Tailored Access Operations directorate.)
Then there are all the smart codebreakers, analysts, officials and contractors that make up the NSA’s estimated workforce of 35,000 people. An intelligence agency that large, with a workforce that’s only grown since 9/11, is going to find it increasingly hard to keep data secure from future Edward Snowdens in the next cubicle. The NSA says it’s implementing new measures post-Snowden to limit data access. But even after Snowden, the NSA told the New York Times this weekend it has yet to fully understand the depths of its vulnerabilities.
The Chinese financial sector kill-switch
Among the more eye-opening claims made by NSA is that it detected what CBS terms the “BIOS Plot” – an attempt by China to launch malicious code in the guise of a firmware update that would have targeted computers apparently linked to the US financial system, rendering them pieces of junk.
“Think about the impact of that across the entire globe,” NSA cyber-defense official Debora Plunkett told 60 Minutes. “It could literally take down the US economy.”
There are as many red flags surrounding the BIOS Plot as there are in all of China. First, the vast majority of cyber-intrusions in the US, particularly from China, are espionage operations, in which the culprits exfiltrate data rather than destroy computers. Second, the US economy is too vast, diversified, and chaotic to have a single point of cyber-failure. Third, China’s economy is so tied to the US’s that Beijing would ultimately damage itself by mass-bricking US computers.
Fourth, while malware can indeed turn a computer into scrap metal, no one has ever developed a cyber-weapon with the destructive capability of Plunkett’s scenario.
In 2004, for instance, Berkeley computer-science researcher Nicholas Weaver analyzed vulnerabilities to self-replicating malicious network attacks, including BIOS vulnerabilities, and concluded that a “worst-case worm” could cause “$50bn or more in direct economic damage”. That’s a lot, but not enough to “literally take down” the US economy.
Matt Blaze, a computer and information sciences professor at the University of Pennsylvania, said that BIOS could be overwritten by malware, bricking an unsuspecting computer. But the vagueness of the description of the “BIOS Plot” made him suspicious.
“It would take significant resources – and an extraordinary bit of co-ordination and luck – to actually deploy malware that could do this at scale,” Blaze said.
“And it's not clear how you'd ‘thwart’ such a scheme if you found out about it if you were NSA, since it's basically a combination of a large number of vulnerabilities spread among a zillion computers rather than one big problem that can be fixed with a single patch.”
The lack of specificity made cybersecurity expert Robert David Graham dubious that the plot NSA claimed to discover matched the one it described on TV. “All they are doing is repeating what Wikipedia says about BIOS,” Graham blogged, “acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.”
NSA isn’t collecting data transiting between Google and Yahoo data centers, except when it is
Since it doesn’t own or operate any of the world’s telecommunications infrastructure, the NSA is significantly dependent on tech and telecommunications companies, such as Google and Yahoo. So when the Washington Post reported, based on Snowden documents, that the NSA intercepts data transiting between Google and Yahoo’s foreign data centers, the companies reacted with horror at what they considered a breach of trust – one that occurred without any court orders.
Alexander pushed back against the Post’s story to 60 Minutes. “That's not correct. We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are. But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network.”
If you take away Alexander’s “that’s not correct” line, the rest of his answer sounds remarkably like a confirmation of what the Post reported. “I think he confirmed it, feigning denial,” reporter Barton Gellman tweeted.
Indeed, the Post didn't say the NSA went into a Google data facility or organized an operation going after Yahoo “as an entity”. Instead, it reported that NSA takes advantage of security vulnerabilities on data from Google and Yahoo customers as the data transits between its centers. The documents published by the Post indicate NSA got 181m records in a single month that way. How many of those were from “terrorists” remains unknown.
The disclosure created a major tension between the two tech giants and NSA, since both companies are involved in the NSA’s Prism effort at collecting foreign online communications, and all sides have said that court orders compel that collection. Google and Yahoo are unhappy about giving NSA data through the front door while the agency collects more through the back. And NSA lawyers have stated publicly that US companies like Google and Yahoo are “US persons”, meaning they have fourth amendment protections that may be implicated in the data-center transit collection.
The NSA wasn’t trying to break the law that got broken
Give Miller credit for at least mentioning that “a judge on the Fisa court” overseeing US surveillance was alarmed that the NSA “systematically transgressed” the agreed-upon limitations on its abilities to query its databases. Alexander’s response: “There was nobody willfully or knowingly trying to break the law.”
Actually, two different Fisa court judges – John Bates and Reggie Walton, the current presiding judge – raised major concerns about the way the NSA searches through its vast data troves on multiple occasions. Bates found that “virtually every” record generated under a now-defunct NSA program that collected Americans’ internet metadata in bulk included information that “was not authorized for collection”.
In a different case, in 2011, Bates assessed that the discovery of thousands of American emails in NSA content databases designed to collect foreign data meant the “volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe”.
And for most of 2009, Walton prevented the NSA from searching through its domestic phone data hives because it found “daily” violations of its restrictions.
Very few people think the NSA is staffed by mustache-twirling villains who view the law as an obstacle to be overcome. The real concern is two-fold.
First, even if NSA doesn’t mean to break the law, the way its data dragnets work in practice incline toward overcollection. During a damage-control conference call in August, an anonymous US intelligence official told reporters that the technical problem bothering Bates in 2011 persists today. The NSA even conceded to Walton in 2009 that “from a technical standpoint, there was no single person who had a complete understanding” of the technical “architecture” of NSA’s phone data collection.
Second, there is a fundamental discrepancy in power between the Fisa court and the NSA. The court’s judges have lamented that they possess an inability to independently determine how the NSA’s programs work, and if they’re in compliance with the limits the judges secretly impose. That leaves them at the mercy of NSA, the director of national intelligence, and the Justice Department to self-report violations. When the facts of the collection and the querying are sufficiently divergent from what the court understands – something the court only learns about when it is told – that can become a matter of law.
In other words, it can be simultaneously true that NSA doesn’t intend to break the law and that NSA’s significant technical capabilities break the law anyway. Malice isn’t the real issue. Overbroad tools are. But that’s not something that NSA had to address during its prime-time spotlight inaugurating its publicity tour.