Latest in NSA
Friday morning, the White House announced it will elevate Cyber Command to a full unified combatant command. Within 60 days, the Secretary of Defense will recommend whether Cyber Command should also be split from the National Security Agency.
The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons of the NSA/CYBERCOM “dual-hat” system (pursuant to which the director of the NSA/CSS and commander of CYBERCOM are the same person). The report deserves attention but also some criticism and context. Here’s a bit of all three.
1. What is the “dual-hat” issue?
In light of Michael Sulmeyer’s excellent recent piece on splitting NSA and CYBERCOM, which ran at War on the Rocks last week, I want to pull together some of the key legal and policy developments of the past year in a single narrative. My aim is to put them in context with each other in a way that will provide useful background for those new to this issue, while also putting a spotlight on the deconfliction-of-equities issue that the split proposal raises.
The New York Times has published a declassified version of a 2016 report from the Defense Department Inspector General that assesses the reforms implemented to improve security of the NSA's most sensitive systems after the Snowden disclosures.
Reality Leigh Winner, a recently separated Air Force linguist and a new hire by Pluribus International Corporation as a support contractor with a Top Secret clearance, allegedly searched for and printed out a Top Secret government report, folded it up, and dropped it in the mail to an online news outlet. Yesterday, the U.S. Attorney’s office revealed her arrest in an unsealed indictment.
The most important policy question raised by the WannaCry ransomware fiasco is not the most obvious one.
In this surveillance-heavy episode [Please use that link; we're still having trouble with the embed code], Professors Chesney and Vladeck dig into a raft of news about foreign-intelligence collection authorities. They open with an overview of how Section 702 collection authority works, and then unpack the recent news that NSA is dropping the “about” collection component of Upstream collection under 702.
What Is the "Right" Number of Call Detail Records for 42 Targets under FISA's Business Records Authority?
ODNI's transparency report contains loads of interesting information (see, e.g., Adam's post here on FBI queries of the fruits of 702 collection).
The mystery as to why there was no Section 702 application or certification reported for 2016 has now been solved (I'm assuming readers know today's big 702 news, flagged by Quinta here, and as explored in detail by Charlie Savage in this article): NSA has been struggling to resolve a problem with "about" collection under the Upstream heading, including in particular a problem with analysts quering the fruits of that c