By Michael Elgart.
On June 6, 2013, documents published simultaneously by The Guardian and The Washington Post revealed the extent and ability of the United States intelligence agencies, chief among them the National Security Agency (NSA), to gather data and information, even on domestic targets. I had just begun a summer long internship in a large software company, and I was eager to gauge the reaction from programmers who had spent years designing and building the internet that most only interact with superficially.
The responses were varied. Some certainly were concerned about the NSA’s far-reaching powers, but the most common response was a pointed lack of surprise. This sentiment stemmed partly from the pride of correctly held suspicions finally coming to fruition and partly from the expectation that the US intelligence community should, after all, be at the cutting edge. This attitude is not unique to the technology sector; many Americans have expressed similar feelings. If communications can be monitored, shouldn’t we be doing the monitoring before the bad guys threaten us? Now that we have allowed several months to pass and the dust to settle, it is vital that we analyze these documents and address this national security concern.
Inherent in this belief are several complicated assumptions, about what today’s technology is capable of, which overlook profound policy implications. When we assert that the intelligence community’s actions reflect changing technological capabilities, we implicitly convey the idea that communications in the digital age are not secure. This logically leads to the conclusion that the NSA and malicious attackers alike could gain access to this information. Moreover, legal restrictions we place on the government create a disadvantage for our intelligence agencies since attackers do not have to follow these legal requirements. To be clear, this situation would be disastrous for our intelligence capabilities and make most vulnerable those societies that value freedom and individual rights.
However, this is, emphatically, an incorrect assumption to make. Digital communications, data and authentication are, by and large, secure or able to be secured today. We know this intuitively because the vast majority of us use online applications to engage in banking, make purchases online or communicate with our employer or school, even after the revelations regarding the NSA’s mass surveillance program. Perhaps more tellingly, corporations with multi-billion dollar revenue streams are able to communicate securely without strategies being leaked or money being stolen. This has become so commonplace that most of us do not realize the incredible convenience advanced cryptographic systems have allowed us to attain. Of course, many people will engage in unsecured communication on the internet or publicly post things which should never have been posted, but if one needs to purchase books from Amazon, there is virtually no risk of his or her credit card being stolen. As security expert Bruce Schneier says: trust the math.
Once we realize that there is no reason communications should be unsecured, the full impact of the Snowden revelations becomes apparent: How does the intelligence community have access to these communications if they were secure? The short answer is because they didn’t have to break the encryption under the FISA Amendments Act of 2008. This act codified the ability of intelligence agencies to gather information on individuals as long as there was a 51% chance he or she was a foreigner, and has been used as the basis for the bulk collection of metadata from telecoms companies. Any security expert will tell you that the most vulnerable attack point of a system is always the human who interfaces with the computer. One of the most common data theft schemes involves duping humans into giving up their secure access or information, called phishing, and then bypassing the security system completely with the stolen information. Another point of attack involves the threat of economic harm to force administrators to compromise their system. Using economic threats under the legal system, the NSA was able to force Verizon,Google, Facebook,Microsoft and others to hand over information about their users. This dramatically changes the way in which we think about security, but not because of the technology involved.
It is likely that the NSA, specifically, and the intelligence community, more generally, have access to a vast amount of internet traffic. In fact, a government owned direct feed into the internet backbone was found in AT&T’s San Francisco office back in 2006. However, that access alone is not incredibly concerning, as most of our digital communications should be fairly secure from attack, especially with secure website connections—known as HTTPS—becoming ubiquitous on the web. Email, which is still largely unsecured, is one glaring hole in today’s digital communications network, but this can be easily remedied through use encryption technology, the most common being PGP protocol used by most corporate email servers. However, due to the policy decisions made by Congress, secretly interpreted by the FISA Court and secretly implemented — sometimes with the objection of the court, and sometimes ignoring it outright – by civilian and military intelligence groups, we are left with a vulnerable system where security could easily be achieved.
The policy decision to give the NSA such broad reaching authority has important implications that are not immediately obvious. For instance, a significant problem arises when national security letters or general warrants are used to retrieve vast amounts of data, as the NSA breaches a hole in security systems we rely on for both commercial and private interests. While we hope the NSA is largely secure, it would be naive to believe malicious attackers, whether foreign or criminal, could not penetrate it, especially with the knowledge that some four million people in the intelligence community have been granted “top secret” clearance.
Without dwelling on the legal and constitutional challenges this intelligence regime must face, it cannot be overlooked that its existence has created difficult political obstacles for the intelligence community and, if voters do not trust their political institutions, it may make the government’s goals of keeping Americans safe that much more difficult. More concretely, international political repercussions have already been felt, and the economic harm from international consumers moving away from American internet giants could be even more devastating. A loss of American hegemony in the software space is a very real consequence of the intelligence agencies’ increased authority.
The debate over the authority granted to government intelligence agencies going forward should not make the mistake of dismissing the NSA’s capabilities as a mere evolution of technology. Rather, these capabilities are consequences of concrete steps taken by all branches of the US government to create a surveillance regime of incredible magnitude. Effectually, that regime exists at the sole discretion of policymakers. The debate is decidedly not about whether our intelligence community has better tools than the bad guys; rather, it should confront whether the authority granted to the intelligence community for improved information gathering, and the resulting trade off of reduced security, has increased the potential for abuse, and whether the loss of business interest in American technology ultimately serves our economic and national security interests.