Surveillance

Reflections on NSA Oversight, and a Prediction That NSA Authorities (and Oversight, and Transparency) Will Expand

By Jack Goldsmith
Friday, August 9, 2013, 7:52 AM

Last Friday I asked how NSA Director Alexander’s claim that “we can audit the actions of our people 100%” was consistent with USG uncertainty about what Snowden stole and with its claims that it was “putting in place actions” to allow it to track its systems administrators.  Former NSA General Counsel Stewart Baker answered that the “NSA does a better job of protecting Americans’ private data than it does protecting its sources and methods,” and that “the systems that protect against [searching the databases of information collected by NSA] are a lot more carefully monitored than the systems from which [Snowden stole classified data about various NSA collection programs].”

These descriptions seem plausible in light of Snowden’s extraordinary leaks, but they raise the question why NSA would do better at preventing abuses of its wiretapping tools than at preventing theft of classified data.  Stewart’s answer:

“Bureaucracies do more of what they’re rewarded for and less of what they’re punished for.  So if NSA has been punished more severely for privacy violations than for security violations, it will put a priority on avoiding privacy violations.  And that’s exactly what’s happened.  The deluge of overlapping and politically charged oversight triggered by a misuse of NSA’s wiretapping tools is far more painful to NSA than a counterintelligence investigation of leaked secrets.

“Which brings me around to a point I’ve made in testimony (here and here).  Contrary to the critics, existing oversight mechanisms — from the FISA court to the Justice Department and the inspectors general — are having a big impact on NSA’s behavior.  Arguably, existing oversight mechanisms have already led NSA to protect privacy better than it protects national security. Adding more oversight, as Congress seems inclined to do, will shift NSA’s priorities further in the same direction. At some point, I fear, that will lead to a serious national security failure.”

These points echo themes in Stewart’s fine book, Skating on Stilts, which I highly recommend.  I have a different perspective.

First. I am skeptical of a causal link between increased oversight of NSA related to privacy and a de-emphasis by NSA of its internal security mission.  NSA is intimately aware of insider threats, and places a priority on checking them.  Why would excessive privacy restrictions impact the mission-intensity of those in NSA responsible for computer security and counterintelligence?  Stewart says the mechanism is bureaucratic pain: The NSA prioritizes privacy over security because it is punished more for privacy violations than for internal security.  But I don’t see why severe punishment for privacy violations would cause the relevant components of NSA to care or do less about insider threats from systems administrators.  And if the theory of bureaucratic pain is right, then NSA has badly miscalculated.  For the pain it suffers as a result of the Snowden matter goes far beyond the pain of “a counterintelligence investigation of leaked secrets,” as Stewart puts it.  The pain also includes (among others) the exposure of an extraordinary array of sensitive surveillance techniques and programs, which diminishes the efficacy of the programs and the robustness of NSA relationships with private firms and governments around the world.  These painful consequences were foreseeable in the event of a massive insider disclosure, and on Stewart’s theory should have led NSA to be much more scrupulous in its internal security practices.

Second.  I also have a different view of the relationship between NSA oversight and the NSA’s national security mission (as opposed to its internal security mission – I know they are related, but Stewart separates them and speaks of the former at the end of his post).  I agree with Stewart that NSA is subject to rigorous and intense oversight that can affect its national security mission by preventing NSA operators from collecting intelligence in certain contexts (for example, inside the United States, or against American citizens), and more generally by chilling NSA initiatives for collection and analysis at the margin (though the flip side of this “chill” is called prudence).  But whether or not the oversight and regulations are in these senses harmful, they are still necessary.  Here’s why.

Even after the Snowden revelations, few Americans know what the NSA does because so much of what it does remains secret.  The public has hints – confirmed by Snowden, and others – that NSA’s technical collection, storage, and analysis capabilities have grown enormously since 9/11.  Even these few hints show that, like no other American institution, the NSA represents power, scale, technology, secrecy, and intrusiveness – a combination that understandably causes skepticism and concern.

Presumptively in our democracy, important national policies are vetted in public, subject to criticism and analysis in the press and by elected representatives and civil society and courts, and ultimately approved, or not, by the People in elections.  The accountability system forces public officials to justify their actions, to address criticisms, to confront new and critical information and arguments, to consider new approaches, and to correct mistakes.  This messy process does not always produce optimal policies.  But it produces pretty good policies on the whole, allows for pretty robust policy change in light of new information, and in any event is a more legitimate system for executing public policy than one that takes place in secret.

Few of the traditional elements of democratic scrutiny and deliberation apply to the NSA.  Even after the Snowden affair, NSA and its oversight bodies remain extraordinarily secretive.  Occasionally General Alexander or another top NSA official testifies before Congress.  But these officials rarely face tough questions in public and do not reveal more than they want to – that happens, if at all, in classified settings.  NSA is governed by publicly enacted laws.  But many of the laws are obscure, esoteric, or outdated.  The actual governing regime for NSA results from mostly secret interpretations of these laws by executive branch lawyers and judges on the FISC; and the governing regime seems more extensive and more complex – in its authorizations and its restrictions – than the law on the books.  This is not unusual, of course.  In other contexts law accretes in many directions through interpretation and practice.  But when this happens with regard to NSA, citizens and the press and civil society and ordinary federal courts cannot (except to the extent of leaks like Snowden’s) assess these accretions to determine whether they approve of them.

There are good reasons why normal public lawmaking, law interpretation, and review practices do not apply to the NSA.  Surveillance techniques are fragile.  Full public scrutiny of NSA operations would reveal those operations to our adversaries in ways that would seriously undermine, if not destroy, their effectiveness.  We need not be embarrassed about this need for secrecy (though the degree of secrecy almost certainly relates to the abundance of leaks, including those by Snowden).  But we should also not deny that the nature, scale, and scope of secret NSA activities are a departure from normal operating procedure in a democracy, a compromise needed to meet modern national security threats that is fraught with the possibility (or appearance) of error, abuse, overreach, non-accountability, closed-mindedness, resistance to change, and other evils that democratic deliberation and review are designed to avoid.

This is the background against which to understand and assess NSA oversight.  NSA’s robust oversight system is a substitute for traditional public checks and balances.  But it is a dim substitute.  The government ramps up scrutiny behind the wall of secrecy as a replacement for the impossibility of normal public scrutiny.  Such secret scrutiny, however robust it may seem to those subject to it, and even accounting for Snowden’s leaks, is less demanding and overall less robust than its normal public counterpart.

Which brings me to the relationship between oversight of NSA and NSA’s national security mission.  The right way to think about this relationship at the most general level is that scrupulous oversight and regulation of NSA empowers and enhances its mission.  Intensive scrutiny of NSA activities is a vital prerequisite to its political sustainability before Congress and the public, and thus to NSA receiving the authorities it needs to do its job.  This was true of the original creation of the FISC (in the 1970s) and the congressional intelligence committees (also in the 1970s), and of the 2008 amendments to FISA, which expanded NSA’s authorities but also significantly ramped up NSA checks and oversight.  These constraints are also key to NSA surviving the spate of Snowden revelations – the main reason there has not been a much greater outcry in the United States about the scope of NSA’s surveillance activities is that they are subject to and have been approved by so many adversarial institutions, albeit in secret.  (Imagine the reaction to Snowden if the Attorney General and FISC had not approved of its activities, and if the intelligence committees had not been fully informed.)

Stewart thinks that the painful and sometimes politically opportunistic checks on the NSA threaten to defeat its security mission.  Even with their warts, I think they are necessary to the security mission.  Privacy regulation of NSA is not just about protecting privacy.  It is also about enhancing the NSA’s public credibility for acting responsibly and in the public interest – a credibility that is crucial for the NSA to be able to exercise its scary powers in secret.  In some instances, of course, regulation and oversight can slow or restrict NSA activities in ways that affect the national security mission.  (This was true of the pre-9/11 “wall,” and it is almost certainly true of the geographical and citizenship limits on NSA’s surveillance powers.)  The proper balance between NSA oversight and transparency, and NSA’s authorities, must constantly be assessed and updated, in every direction.

But it is unrealistic to think that NSA could carry on its current mission, which involves extraordinary and unprecedented surveillance in secret, without extraordinary and unprecedented checks on its activities.  The two go hand in hand.  Sometimes, probably often, regulation and oversight that seem to lead to less than optimal security are actually optimal, because the alternative to the oversight and regulation is not more NSA discretion to surveil, but rather less discretion because the authorities will not be granted in the first place without the intrusive oversight.  (Again, enhanced restrictions on surveillance of U.S. persons are an example.)

The challenge for the NSA and for the country is to find the level of scrutiny and transparency that allows NSA the greatest freedom to do its security mission that is consistent with the effectiveness of its surveillance methods and public confidence that NSA is acting properly and in the public interest.  Many people have different views about how this complex balance should be struck, especially in light of Snowden’s revelations.  But here is a prediction.  Whatever happens in the short term, in five years the NSA will have much broader authority than today to surveil in the U.S. homeland, not just for counterterrorism purposes, but also (and especially) in order to provide national cybersecurity.  It will have broader authority because increasingly diffuse and powerful national security and cybersecurity threats will require it.  And that broader authority will be accompanied by greater oversight, review, and auditing than at present, and greater NSA transparency as well – not because this scrutiny will (necessarily) better protect privacy, and not without potential costs to security, but because it will enhance trust in NSA.

Two important lessons of the last dozen years are (1) the government will increase its powers to meet the national security threat fully (because the People demand it), and (2) the enhanced powers will be accompanied by novel systems of review and transparency that seem to those in the Executive branch to be intrusive and antagonistic to the traditional national security mission, but that in the end are key legitimating factors for the expanded authorities.  This was true, I argued in Power and Constraint, about habeas review of GTMO detentions, enhanced congressional and judicial oversight of military commissions, the 2008 amendments to FISA, and greater public transparency and congressional oversight of targeted killing by UAV (a process still in flux).  And it will be true of expanded NSA authorities as the NSA’s vital capabilities become even more important to our security.  In this sense, the Snowden revelations – to the extent that they force NSA to open up, and to get used to greater public scrutiny, and to avoid excesses, and to recalibrate its understanding of the tradeoffs between openness and security – might one day be seen to have paved the way to broader NSA powers.