- Washington DC 12/16/2013 by Spencer Ackerman (The Guardian)
Spencer Ackerman of The Guardian reflected on the NSA's recent '60 Minutes' appearance. Below are some of the key points from his argument.
1. Surveillance is just about what you say and what you write
If there’s a consistent thread to the NSA’s public defense of itself, it’s that the stuff NSA collects from Americans in bulk doesn’t actually impact their privacy. After all, as Keith Alexander told Miller, it’s just metadata – data about your phone calls, not what you said on the phone.
“There's no reason that we would listen to the phone calls of Americans,” Alexander told Miller. "There’s no intelligence value in that. There's no reason that we'd want to read their email. There is no intelligence value in that … How do you know when the bad guy who's using those same communications that my daughters use, is in the United States trying to do something bad? The least intrusive way of doing that is metadata.”
When Miller said the bulk metadata collection “sounds like spying on Americans”, Alexander replied: “Right, and that’s wrong. That’s absolutely wrong.”
Notice the tension here. It’s the metadata – who you called, who called you, for how long, how frequently you communicate – that has intelligence value, not, in Alexander’s telling, what you actually say on the phone. The NSA is relying for its defense on a public conception of surveillance as the interception of the content of your communications, even while it’s saying that what’s actually important is your network of connections – which the agency is very, very interested in collecting.
2. Snowden and the NSA’s hiring boom
The NSA, for obvious reasons, isn’t fond of whistleblower Edward Snowden. It portrayed him to 60 Minutes as a weirdo. He wore “a hood that covered the computer screen and covered his head and shoulders”, NSA official Richard Ledgett said. He allegedly stole answers to a test to gain NSA employment and boasted about its hires of young geniuses ready to tackle NSA’s persistent intelligence and data challenges.
The obvious question here is why the NSA considers it exculpatory to say an obvious eccentric was able to abscond with an unprecedented amount of data. That sounds uncomfortably like an admission that the NSA is less able to safeguard its vast storehouses of information than it lets on. Let’s also pause to savor the irony of a spy agency complaining that one of its employees cheated on an employment test. (Meanwhile, for an alternative take on Snowden, an anonymous NSA colleague told Forbes that Snowden was a “genius among geniuses” and said the NSA offered him a job at its elite Tailored Access Operations directorate.)
Then there are all the smart codebreakers, analysts, officials and contractors that make up the NSA’s estimated workforce of 35,000 people. An intelligence agency that large, with a workforce that’s only grown since 9/11, is going to find it increasingly hard to keep data secure from future Edward Snowdens in the next cubicle. The NSA says it’s implementing new measures post-Snowden to limit data access. But even after Snowden, the NSA told the New York Times this weekend it has yet to fully understand the depths of its vulnerabilities.
3. The Chinese financial sector kill-switch
Among the more eye-opening claims made by NSA is that it detected what CBS terms the “BIOS Plot” – an attempt by China to launch malicious code in the guise of a firmware update that would have targeted computers apparently linked to the US financial system, rendering them pieces of junk.
“Think about the impact of that across the entire globe,” NSA cyber-defense official Debora Plunkett told 60 Minutes. “It could literally take down the US economy.”
There are as many red flags surrounding the BIOS Plot as there are in all of China. First, the vast majority of cyber-intrusions in the US, particularly from China, are espionage operations, in which the culprits exfiltrate data rather than destroy computers. Second, the US economy is too vast, diversified, and chaotic to have a single point of cyber-failure. Third, China’s economy is so tied to the US’s that Beijing would ultimately damage itself by mass-bricking US computers.
Fourth, while malware can indeed turn a computer into scrap metal, no one has ever developed a cyber-weapon with the destructive capability of Plunkett’s scenario [...] Matt Blaze, a computer and information sciences professor at the University of Pennsylvania, said that BIOS could be overwritten by malware, bricking an unsuspecting computer. But the vagueness of the description of the “BIOS Plot” made him suspicious.
“It would take significant resources – and an extraordinary bit of co-ordination and luck – to actually deploy malware that could do this at scale,” Blaze said [...] The lack of specificity made cybersecurity expert Robert David Graham dubious that the plot NSA claimed to discover matched the one it described on TV. “All they are doing is repeating what Wikipedia says about BIOS,” Graham blogged, “acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.”
4. NSA isn’t collecting data transiting between Google and Yahoo data centers, except when it is
Since it doesn’t own or operate any of the world’s telecommunications infrastructure, the NSA is significantly dependent on tech and telecommunications companies, such as Google and Yahoo. So when the Washington Post reported, based on Snowden documents, that the NSA intercepts data transiting between Google and Yahoo’s foreign data centers, the companies reacted with horror at what they considered a breach of trust – one that occurred without any court orders.
Alexander pushed back against the Post’s story to 60 Minutes. “That's not correct. We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are. But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network.”
If you take away Alexander’s “that’s not correct” line, the rest of his answer sounds remarkably like a confirmation of what the Post reported. “I think he confirmed it, feigning denial,” reporter Barton Gellman tweeted.
Indeed, the Post didn't say the NSA went into a Google data facility or organized an operation going after Yahoo “as an entity”. Instead, it reported that NSA takes advantage of security vulnerabilities on data from Google and Yahoo customers as the data transits between its centers. The documents published by the Post indicate NSA got 181m records in a single month that way. How many of those were from “terrorists” remains unknown.
5. The NSA wasn’t trying to break the law that got broken
Give Miller credit for at least mentioning that “a judge on the Fisa court” overseeing US surveillance was alarmed that the NSA “systematically transgressed” the agreed-upon limitations on its abilities to query its databases. Alexander’s response: “There was nobody willfully or knowingly trying to break the law.”
Actually, two different Fisa court judges – John Bates and Reggie Walton, the current presiding judge – raised major concerns about the way the NSA searches through its vast data troves on multiple occasions. Bates found that “virtually every” record generated under a now-defunct NSA program that collected Americans’ internet metadata in bulk included information that “was not authorized for collection”.
In a different case, in 2011, Bates assessed that the discovery of thousands of American emails in NSA content databases designed to collect foreign data meant the “volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe”.
And for most of 2009, Walton prevented the NSA from searching through its domestic phone data hives because it found “daily” violations of its restrictions.
In other words, it can be simultaneously true that NSA doesn't intend to break the law and that NSA’s significant technical capabilities break the law anyway. Malice isn’t the real issue. Overbroad tools are. But that’s not something that NSA had to address during its prime-time spotlight inaugurating its publicity tour.
Read the full article at http://www.theguardian.com/world/2013/dec/16/nsa-surveillance-60-minutes-cbs-facts.
NSA director Keith Alexander testifies during the Senate judiciary committee hearing earlier this month. Photograph: Michael Reynolds/EPA