The Great War of Our Time: The CIA's Fight Against Terrorism--From Al Qa'ida to ISIS (38 page)

Operating from a federal office building on K Street in D.C., I began digging into the issue. The first thing that struck me was that there were a handful of causes of the “Snowden affair,” which I defined as Snowden’s successful theft over time of vast amounts of significant information coupled with the sharp negative reaction at home and abroad to the NSA’s work. The first cause was, ironically, the enormous success of the National Security Agency in collecting information. Government agencies usually get in trouble for failing to do their jobs. In this case the NSA got in trouble, at least in part, for doing its job, as Snowden had in part been motivated by the breadth and depth of the NSA’s collection capabilities.

I would argue that in the decade after 9/11, of all the agencies
that make up the US intelligence community, none was more successful than the National Security Agency. And that is a significant statement for a CIA officer to make, because there is a bit of professional rivalry among intelligence organizations. In fact, I was a little chagrined by how well the NSA was doing relative to the Agency. The amount of critical intelligence the NSA was collecting was staggering, and that agency was—and remains—the collector of some of the most important pieces of the intelligence puzzle presented to the president and national security decision-makers every day.

It is important to note that all of the NSA operations that resulted in this treasure trove of intelligence collection were approved by the executive branch and overseen by Congress. Some of the operations were even overseen by the Foreign Intelligence Surveillance Court, made up of federal judges appointed by the chief justice of the Supreme Court. And the NSA did not disseminate anything to the rest of the intelligence community and to policy-makers that they had not been asked to collect by a rigorous requirement process managed by the director of national intelligence (DNI). In short, the NSA was not in any way acting as a rogue agency. Rather, it was doing the job that the DNI had given it and it was doing that job well.

Another cause of the Snowden affair was that, despite its great success, the NSA had two internal problems—one of which had contributed directly and one indirectly to Snowden’s ability to steal the amount of information he did. The first problem was that the NSA—the world’s most capable signals intelligence organization, an agency immensely skilled in stealing digital data—had had its pocket thoroughly picked. You would have thought that of all the government entities on the planet, the one least vulnerable to such grand theft would have been the NSA. But it turned out that the NSA had left itself vulnerable.

At its facility in Hawaii, where Snowden had gone to work every day, the NSA did not have the audit functions on its computer
network that would have made Snowden’s theft all but impossible. Like the audit function on personal credit cards, such software raises flags when people access information outside their normal pattern of type and volume. In fairness, the NSA had safeguards at its headquarters at Fort Meade—but it was vulnerable at the outer regions of its network, in places like Hawaii, where it had not yet installed the latest security technologies. It was simply an issue of the timetable for which NSA facility received security upgrades at what time. Hawaii was low on the list.

The second internal problem was that the NSA—an organization renowned for its secrecy—was remarkably transparent among its own people. The culture at the NSA was for personnel to freely talk among themselves about issues on which they were working. The NSA had its own wikis where its employees could post, for their colleagues to see, information about their projects—including those on which they worked hand in hand with CIA officers. The idea was to spread knowledge and learn from the successes of others, but it created an enormous security vulnerability, given the always-existing risk of an insider committed to stealing secrets. Snowden took advantage of this vulnerability, scooping up much of the information on these wikis. This kind of internal openness was anathema to the typical attitude in the intelligence community that information should be shared only with those who have a legitimate need to know.

The final cause of the Snowden affair was the failure of some in the media to accurately describe what they were seeing in the Snowden documents. Many of them went to the darkest corner of the room, and it had political impact. This was sloppy reporting. On June 6, CNN led with a story titled “Spying on Your Calls,” and the story contained the following line: “When you call Grandma in Nebraska, the NSA knows.” Fox noted that “NSA knows your calling habits.” MSNBC said that NSA is “screening your calls.” The Associated Press said, “The government knows who you are
calling. Every day. Every call.” Glenn Greenwald, the reporter who broke the initial story, wrote, “Do you want to live with a government that knows everything you are doing?”

All of this was complete nonsense, but you could forgive the average citizen for not knowing that. Such reporting created the impression that NSA surveillance in the United States was much more intrusive than it really was. Media accounts created the impression that the NSA was listening to phone calls and reading e-mails—neither of which it was doing. Polling makes it clear that these inaccurate perceptions were immensely influential in shaping the ensuing political debate.

As I continued to read in our K Street office, the second thing that struck me was that the fundamental problem with which we were dealing was a loss of trust on several fronts—the loss of trust by a significant percentage of Americans in their own government, the loss of trust by some of our allies in the United States, and the loss of trust by overseas customers in a number of US companies—customers who were now concerned that the NSA had secret deals with these companies to compromise their products by placing “back doors” in their software and hardware.

To be clear, I was much less concerned about the loss of trust on the part of our allies than I was in the other two issues. Governments typically act in their own interests, and I was confident that the citizens of friendly nations would get over the temporary insult and that their governments were realistic enough to know that they too collect intelligence on friend and foe alike. Spying is the world’s second-oldest profession and most of our allies have been at it since long before our nation was formed. A little harrumphing would be necessary for domestic political consumption—but this was not a major hurdle. From my time at the Agency, I am not aware of a single spying scandal that has had a long-term impact on a bilateral relationship, and I was convinced that the Snowden disclosures would not do so either.

The Review Group offered forty-six recommendations. Because of the strong public reaction to the Snowden leaks, I became convinced that our panel would have to make a number of strong recommendations if the country was to begin taking the first steps toward restoring public support for our government. If we had conducted a comprehensive review of NSA programs prior to the wholesale dumping out of intelligence secrets, I would have been in favor of just a few changes to the way the NSA was doing business. But in light of the public outcry, modest steps would never work now. We would have to make some dramatic proposals if we were to have any hope of regaining lost support.

Two recommendations stood out to me as much more important than the rest—and I believe we would have made these recommendations with or without Snowden. The first was the group’s recommendation about the 215 metadata program—that the government no longer hold the data and that it be required to obtain a court order prior to querying the data each time, as opposed to the then-current situation in which the NSA was holding the data and could query it at will under a broad court order. This recommendation, and the president’s acceptance of it, was absolutely necessary, I thought, to winning back the trust of the American people and keeping the program alive. Without winning back that trust, I was concerned that Congress would kill the entire program—in essence throwing the baby out with the bathwater.

And it also made sense. While the NSA did nothing illegal and committed no abuses under the 215 program, the group’s law professors, particularly Geof Stone, convinced me that such power in the hands of the government creates the potential for abuse, and that we therefore had to recommend steps that would make it much harder for future administrations—or even rogue elements within administrations—to overstep their bounds.

The second recommendation that made great sense to me was
to put in the hands of senior policy-makers decisions on what intelligence to collect and how to collect it—particularly for collection that carries significant political, economic, or foreign policy risks. The NSA had largely been collecting information because it could, not necessarily in all cases because it should. To be sure, some oversight was already in place, but it was not broad enough to cover all the collection activities that carried special risks, and it rarely dealt with the question of how intelligence would be collected. The best example of such risky activity, of course, is spying on the senior leadership of allies. Only senior policy-makers looking at all the benefits and risks can make decisions on what to collect and how. At the end of the day, only senior policy-makers can decide on the “should.”

There was also a set of recommendations that I thought absolutely critical—not for winning back trust but for making sure that another Edward Snowden does not happen. These recommendations—outlined in a chapter of our report called “Protecting Data”—received no media coverage. In this chapter we recommended two fundamental changes—that the government move from assessing the security risks of its employees every five years to doing it continuously, and that classified computer networks have state-of-the-art security software. It turns out that the best network security is not in the intelligence community—it is on Wall Street. This, of course, should not be surprising, as Wall Street is protecting something very important—your money.

But this chapter also called for another change—a revolutionary change that is not likely to see the light of day. Our Review Group felt that the tightest security practices should apply not only to intelligence community employees and networks but also to any government employees with access to secrets—including political appointees in the White House and elsewhere—and any computer networks that contain classified information. After all, Private Chelsea Manning was not an IC employee and was not operating on an
IC computer network when she stole information and passed it to WikiLeaks. All of these steps are necessary in order to ensure that another Snowden or Manning affair does not happen. And they are essential to ensure that secrets stay secrets. If our recommended changes are not implemented, I fear it will happen again.

I worked hard when we were crafting our recommendations to see that there was language attached that would permit reasonable accommodation for the business of intelligence, albeit generally with more oversight. My colleagues were very supportive of this. After all, the balance we were trying to strike was in winning back trust—and advancing privacy and civil liberties—without doing damage to the intelligence community’s ability to do its critically important job.

The Review Group was surprisingly unified in its recommendations. Very little argument, very little drama.

In the end the president was supportive of a large majority of the Review Group’s recommendations. He accepted 70 percent of the recommendations—including the two that I saw as the most important; he agreed to study 15 percent; and he rejected 15 percent. The ones he rejected had to do with the organizational structure of the NSA. And while I did not disagree with these recommendations, I did not see them as integral to the effort to win back trust. How many of our recommendations ultimately get adopted and the extent to which they help restore public confidence in the NSA, intelligence community, and government remains to be seen.

In the aftermath of the public release of the report, I felt that the media generally mischaracterized both the breadth of the report and our key recommendations regarding the 215 program. A number of media outlets were calling the recommendations “sweeping reforms of the intelligence community,” and they were saying that the Review Group had recommended an end to the 215 program. Neither was true.

While our recommendations were many, they were not sweeping. Where we suggested change, it was most often a recommendation to add layers of scrutiny and review—making certain kinds of operations more cumbersome, but not impossible.

The 215 program was the best example. We saw real value in the program and we recommended to the president a change in approach, not a wholesale rejection of the program. We recommended that the 215 database should be taken out of the hands of the government and each query should require an individual court order.

Although we did not discuss it as a group, I also thought the database should actually be expanded to include all calls made in the United States and should include e-mails as well. Today the database does not contain the metadata from
all
calls and does not contain the metadata from
any
e-mails. It should. Imagine a scenario in which AQAP in Yemen sends multiple operatives to the United States to conduct attacks, and the intelligence community learns of the plot and runs a search of Yemen-based phone numbers against the 215 database. But the search is a dry hole—because AQAP is using a phone system outside the 215 program. Imagine the outrage of the American public when these facts became public following a successful attack.

* * *

Two final thoughts—one on the damage done by Snowden and the other on Snowden as an individual. I believe that the Snowden disclosures will go down in history as the greatest compromise of classified information ever. Period. Full stop. The damage done has already been significant and it will continue to grow. While great attention and angst have been devoted to the loss he created by exposing the 215 telephony metadata program, Snowden damaged a much more important program involving the collection of e-mail
information from foreign-based terrorists, the 702 program mentioned earlier.