Cybersecurity: Legislation

Part III: The Diamond Buried Deep in the Surveillance Review Group Report

By Carrie Cordero
Friday, January 3, 2014, 2:00 PM

What follows is the last in a short, three-post assessment of selected aspects of the surveillance review group report. In this post, I highlight what is, in my view, the most productive of the review group’s many observations, from a national security perspective.

Not surprisingly, given the composition and expertise of the review group members, its strongest contribution may very well be in the area of information security. It turns out that the report saved its best advice for last. In my view, here is the diamond of this report, buried deep in the middle of p. 250:

the government’s classified networks require immediate internal hardening.”

I wonder what fact-finding led to that conclusion.

Throughout the recent surveillance debate, what has struck me consistently has been that the issue of security of the information collected, and classified systems in particular, has been such an afterthought.  It was over an hour into the December 11, 2013, Senate Judiciary Committee hearing before Chairman Leahy asked the NSA Director if, had private sector best practices been applied at NSA (as the NSA Director suggested would happen in the future), a 29 year-old subcontractor would have “been able to walk away with all your secrets…” The review group is right when it says that “[p]olicy officials are ultimately responsible for the IT networks of their organizations.” (at p.249).

In this case, the most important contribution the President can make to lasting national security for the nation is relegated to Chapter VIII in the report. The report counsels, “the security of classified networks is, in the age of cyber war, one of the highest priorities in national security,” (at p.249). In addition, protecting networks and information collected may very well be the most significant contribution to protecting privacy of collected information that can be implemented, including the content of incidentally acquired communications. The review group provides a number of detailed suggestions for how to accomplish upgrading the security of classified networks and information. Leaving the “how” to the technologists, the national security policy takeaway is simple: it must be done.

Although reasonable minds will continue to disagree about the appropriate scale of national security surveillance, now that the smoke is clearing and the rhetoric is dying down, I hope that some, at least, start to see that the scandal isn’t the NSA’s foreign intelligence collection activities. While far from perfect, and certainly appropriately subject to continuing review and ongoing adjustment, those were and are on solid legal footing, consistent with existing precedent, done with detailed oversight and lots of accountability.

The scandal is that Snowden walked out the door with it all.