The NSA’s Surveillance Order — Legal, But Unwise?

The revelation that the National Security Agency (NSA) has secured a court order directing Verizon to provide it with call data has sparked controversy. And, rightly so. If the order is genuine (and nobody has denied that it is), it reflects a significant expansion of America’s surveillance apparatus – one that should at a minimum be closely examined.

First, some details. The order applies only to “meta-data” of calls: the phone numbers called, the location of the cell phone when the call was made, and the time and duration of the call. So the order does not require Verizon to let the NSA monitor the conversations or other content of the calls.

Also, the order applies both to international calls and to calls occurring wholly within the United States. Verizon is required to update its compliance “on a daily basis.”

Finally, though the order disclosed Wednesday applies only to Verizon, the logic of the request supports an inference that similar orders have been issued to other major telecommunications carriers like ATT & Sprint.

In short, the order appears to give NSA blanket access to the records of Verizon customers’ phone calls –foreign and domestic—made between April 25, when the order was signed, and July 19, when it expires.

Of course, if the order is only the latest in a series of orders (as also seems likely), then the access may go back for quite some time.

To a large degree this revelation it is not unexpected. We are a country still at war against Al Qaeda and its affiliates.

As such, we need to have counterterrorism tools, such as Section 215 of the PATRIOT Act, which was apparently used in this case. And, though we don’t yet know the details, it is important to note that since 9/11, the powerful tools have been modified and amended to maximize the protection of civil liberties to the extent possible.

Here, the FISA court issued an order allowing for telephone calling data only, not the content of any calls. Such data are critical for link analysis — connecting the dots between phone numbers in terrorist investigations.

That is constitutional.

Meta-data are not currently protected under the Fourth Amendment, and the large-scale collection of that meta-data remains lawful.

On the other hand, it is uncertain how the NSA was allowed to collect information on U.S. citizens within the United States.

Historically, both law and policy have limited the NSA to collecting signals intelligence only when it involves foreigners. Presumably there is some underlying procedural or legal limitation that insures that the NSA’s actions conform to law – but to date we don’t know what that is.

Finally, whatever its legality, the entire order is remarkably overbroad and quite likely unwise.

It is difficult to imagine a set of facts that would justify collecting all telephony meta-data in America. While we do live in a changed world after 9/11, one would hope it has not that much changed.

Cybersecurity and the Chinese Hacker Problem

Earlier this month, I did a podcast on the Chinese Hacker problem with Richard Bejtlich.  Richard is the Chief Security Officer for Mandiant — the company that published the high-profile report on how Chinese hackers are tied to the Chinese military.  Here is a summary of the podcast:

A few weeks ago Mandiant, a private cybersecurity firm, released an explosive report attributing an epidemic of Chinese cyber espionage to the Chinese army. In light of this report and other intelligence findings, the New York Times reports that the Obama Administration has publicly called on the Chinese government to intervene directly to end such cyber attacks from its own military. Richard Bejtlich, the Chief Security Officer for Mandiant, discusses the content of that report. Our other cyber expert, Paul Rosenzweig, joins to discuss what, if anything, the United States should be doing about this problem. This previously recorded conference call is a part of a new Teleforum series on Cybersecurity and Public Policy.

Taming the Cyber Dragon?

While Ben has often mocked the New York Times for its opinions, the Washington Post has mostly escaped our attention.  To a large degree this reflects the level-headedness of its opinions.  So when it slips into an alternate universe of unreality, that likely reflects something important.  Consider yesterday’s editorial opinion calling for the US to do more to “tame the cyber dragon.”

The Post rightly notes that China is stealing us blind — intellectual property and national security secrets are being exfiltrated through cyberspace on an industrial scale.  And though China denies any responsibility, its denials are the barest fig leaf of an effort.  As the Post says, there is growing evidence that China is behind one of the largest heists in history.  And something must be done.

But what?  Here the Post opinion becomes, well, a bit risible.  Their recommendations?  Wait for it …. “speak more firmly to China’s leadership about the problem, perhaps threatening to deny visas or expel those found to be involved in economic espionage.”  Of course, since those involved in the espionage aren’t here in the first place — they operate from China — the threat of expulsion is an empty one.  And I’m sure that speaking firmly to China will cause them to change their ways …. not!  As for denying visas to, say, students and tourists — that punishes our own domestic industries with little harm to the Chinese government.

To be fair, the Post does say that as a further step an “offensive cyber-assault to preemptively disarm adversaries” might be necessary.  But now we’ve leaped from “speaking firmly” to cyber war.  If we have any sense at all, we’ll find a middle ground — some kind of espionage-based response that causes equivalent pain to Chinese interests and that might get their attention.

Here’s one possibility I recently heard discussed the gives you a flavor:  Since China is interested in maintaining the status quo and uses the Great Firewall to keep destabilizing information out of the hands of its citizens, might we not promote internet freedom and dissuade Chinese intellectual theft by initiating a program to poke holes in the firewall?  Provocative to be sure — but far more likely to get their attention than speaking firmly and a lot less escalatory  than cyber assaults.  If we aren’t thinking about responses in this general vein, we should be.

Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World

With some hesitancy at the sense of shameless self-promotion it necessarily entails, I am very pleased to to announce today that my book Cyber Warfare:  How Conflicts in Cyberspace are Challenging America and Changing the World is now available from Praeger Press.  This labor of love has consumed much of the past two years for me and I’m quite pleased to see it in print.  It is the perfect post-holiday stocking stuffer for the cyber-wonk in your family too!  I should caution those who might read it that the book is about much more than cyber warfare — it includes the entire gamut of conflicts in cyberspace and is intended as an introduction to a host of novel cyber issues for the mythical “educated layman.”  We titled it “Cyber Warfare” honestly because the publisher thinks that will sell more books than “Cyber Conflicts” would have!  For those who want a taste, here is, in essence, the thesis statement from Chapter 1:

The beauty of cyberspace and its genius lies in recognizing the universal power of these simple 1s and 0s.  The rapidity with which they can be manipulated has, over the past decades, increased exponentially.  And that explosion in computing power has fostered a wild explosion of new technology.  Hardly a day goes by without the development of some new computer application that is intended to enhance our lives; indeed, they have become so ubiquitous that we now have a short-hand word for them – we call them “apps.”  America’s increasing utilization of, reliance on, and dependence upon technology for our social infrastructure is changing how we live our lives. The pervasiveness of technological advances has significant implications for how individuals interact, for how the economy functions, for how the government and the private sector conduct business, and – ultimately – for how we protect our national interests and provide for our common defense.

This book is about those changes.  It is about how cyberspace has come to pervade our every-day activities.  More importantly, it is about the vulnerabilities that arise from how we use cyberspace; and it is about what America, and the world, are doing (or could do) to respond to those vulnerabilities.  If you want a short-hand way of thinking about this book, it is about our struggle to have our cake and eat it too – about how we try to reap the benefits in productivity and information sharing that come from a globalized web of cyber connections while somehow managing to avoid (or at least reduce) the damage done by malfeasant actors who seek to take advantage of that globalized web for their own reasons.

Like most efforts to eat cake without gaining weight, our labors cannot reasonably be expected to be fully successful.  Our struggle can only be to minimize the threats as best we can, while maximizing the benefits.  That struggle is, in a phrase, the great conflict of the current generation.  The nature of that conflict changes on a daily basis but unless something deeply surprising happens the specter of cyber warfare and the reality of a broader cyber conflict (including espionage, terrorism, and crime) are with us for the foreseeable future.

And here is how the publisher describes the book:

This book provides an up-to-date, accessible guide to the growing threats in cyberspace that affects everyone from private individuals to businesses to national governments.

The Internet enables limitless sharing of information around the globe, resulting in an effectively near-infinite security threat to governments and organizations as well as to individuals’ personal privacy. While estimates vary, it is possible that $1 trillion in theft occurs via cyberspace every year.

Cyber Warfare: How Conflicts In Cyberspace Are Challenging America and Changing The World is a comprehensive and highly topical one-stop source for cyber conflict issues that provides scholarly treatment of the subject in a readable format. The book provides a level-headed, concrete analytical foundation for thinking about cybersecurity law and policy questions, covering the entire range of cyber issues in the 21st century, including topics such as malicious software, encryption, hardware intrusions, privacy and civil liberties concerns, and other interesting aspects of the problem.

In Part I, the author describes the nature of cyber threats, including the threat of cyber warfare. Part II describes the policies and practices currently in place, while Part III proposes optimal responses to the challenges we face. The work should be considered essential reading for national and homeland security professionals as well as students and lay readers wanting to understand of the scope of our shared cybersecurity problem.

Finally, for those who are enamored of endorsements, here are what others are saying about the book:

“Paul was a tremendous resource for the House Intelligence Committee as we crafted our Cyber legislation, and his expertise shows through in this excellent book. His book clearly describes the tangled web of technical, legal, and policy issues that complicate our nation’s response to the daunting, advanced cyber threats we face today. It will serve as a vital resource for anyone trying to understand this critical issue.”—Representative Mike Rogers, Chairman, U.S. House Permanent Select Committee on

“Paul Rosenzweig is uniquely qualified to write about our need for the better use of data. Cyber Warfare asks critically important questions about how we can best optimize both security and privacy in a world of increasing threats and information availability.”—David A. Hoffman, Director of Security Policy and Global Privacy Officer at Intel Corporation

“From his extensive experience in legal policy and homeland security, Paul Rosenzweig is in a unique position to explain the immediate challenge that cyber warfare presents to America and our allies. In his book on this subject, he provides a comprehensive analysis of the imminent challenge and an incisive commentary on what must be done to protect the nation against this increasing threat.”—Edwin Meese III, Former U.S. Attorney General

“Paul Rosenzweig’s Cyber Warfare is a comprehensive, insightful, and clear explanation of how the world of cyber has evolved from a simple tool of communication and data storage into a fundamental domain of global security. Policy makers and citizens alike will find this volume stimulating and startling.”—Michael Chertoff, U.S. Secretary of Homeland Security, 2005-2009

As anyone who has ever written a book knows, it is an almost insane effort to make.  You have to be a little crazy to want to do it.  I only hope that those who read this book will appreciate the effort and enjoy learning about the fascinating world of cyber security with me.